Download
| Alert*
|
oval:org.secpod.oval:def:28919
This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is disabled and no one is logged on interactively, the CD-ROM ca ... oval:org.secpod.oval:def:22387 This policy setting determines whether users can log on as Terminal Services clients. After the baseline member server is joined to a domain environment, there is no need to use local accounts to access the server from the network. Domain accounts can access the server for administration and end-use ... oval:org.secpod.oval:def:22386 This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. If you disable this policy setting, the user is not pr ... oval:org.secpod.oval:def:22382 This security setting determines how often a domain member will attempt to change its computer account password. Default: 30 days. Important This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manager tools on these computers. Fix: (1) GPO: ... oval:org.secpod.oval:def:22499 This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Remote Shell!Allow Remote Shell Access (2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Pol ... oval:org.secpod.oval:def:22498 The registry value entry Hidden was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\ registry key. The entry appears as MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) in the SCE. ... oval:org.secpod.oval:def:22377 The registry value entry NoDefaultExempt was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\ registry key. The entry appears as MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic in the SCE. The default exemptions to ... oval:org.secpod.oval:def:22376 This policy setting allows you to configure remote access to computers by using Remote Desktop Services. If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services. ... oval:org.secpod.oval:def:22375 This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an adminis ... oval:org.secpod.oval:def:22495 This security setting determines whether the system shuts down if it is unable to log security events. If this security setting is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full an ... oval:org.secpod.oval:def:22494 This policy setting allows you to set the encryption types that Kerberos is allowed to use. If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selections are permitted. This policy is supporte ... oval:org.secpod.oval:def:22373 This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy ... oval:org.secpod.oval:def:22493 This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: - Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the opera ... oval:org.secpod.oval:def:22359 This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. The ... oval:org.secpod.oval:def:22367 This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications ... oval:org.secpod.oval:def:22486 This policy setting controls the behavior of the elevation prompt for administrators. The options are: * Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constraine ... oval:org.secpod.oval:def:22364 This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevati ... oval:org.secpod.oval:def:22363 For the Schannel Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transport Layer Security (TLS) protocols as a client and as a server (if applicable). If this setting is enabled, Transport Layer Security/Secure Soc ... oval:org.secpod.oval:def:22360 This security setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum passw ... oval:org.secpod.oval:def:22475 This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are: No Action Lock Workstation Force Logoff Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box fo ... oval:org.secpod.oval:def:22596 This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in t ... oval:org.secpod.oval:def:22474 This policy setting determines which users can create symbolic links. In Windows Vista, existing NTFS file system objects, such as files and folders, can be accessed by referring to a new kind of file system object called a symbolic link. A symbolic link is a pointer (much like a shortcut or .lnk fi ... oval:org.secpod.oval:def:22472 This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. If you disable this policy setting, the user is not pr ... oval:org.secpod.oval:def:22592 This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an autorun command is inserted, the sy ... oval:org.secpod.oval:def:22591 This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Remote Deskt ... oval:org.secpod.oval:def:22613 This policy setting determines which accounts will not be able to log on to the computer as a batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. Accounts that use the Task Scheduler to schedule jobs need this user right. The Deny log on as a batch job user right ov ... oval:org.secpod.oval:def:22612 This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. Default: 7 on domain controllers. 0 on sta ... oval:org.secpod.oval:def:22619 Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category le ... oval:org.secpod.oval:def:22618 This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. If you enable this policy set ... oval:org.secpod.oval:def:22620 This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server Message Block (SMB)?based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). When configuring a user right i ... oval:org.secpod.oval:def:22600 This policy setting allows users to shut down Windows Vista based computers from remote locations on the network. Anyone who has been assigned this user right can cause a denial of service (DoS) condition, which would make the computer unavailable to service user requests. Therefore, Microsoft recom ... oval:org.secpod.oval:def:22608 This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. Microsoft recommends to disable this policy setting to restrict the ability to shut down the computer to ... oval:org.secpod.oval:def:22607 This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords are not reused ... oval:org.secpod.oval:def:22392 This policy setting determines the number of failed logon attempts before a lock occurs. Authorized users can lock themselves out of an account by mistyping their password or by remembering it incorrectly, or by changing their password on one computer while logged on to another computer. The compute ... oval:org.secpod.oval:def:22390 The registry value entry PerformRouterDiscovery was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to Do ... oval:org.secpod.oval:def:22398 This policy setting controls the behavior of the elevation prompt for standard users. The options are: - Prompt for credentials: (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials ... oval:org.secpod.oval:def:22393 By default, all administrator accounts are displayed when you attempt to elevate a running application. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Credential User Interface!Enumerate administrator accounts on elevation (2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Mic ... oval:org.secpod.oval:def:22539 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configur ... oval:org.secpod.oval:def:22538 The registry value entry TCPMaxDataRetransmissions for IPv6 was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\ registry key. The entry appears as MSS: (TcpMaxDataRetransmissions) IPv6 How many times unacknowledged data is retransmitted (3 re ... oval:org.secpod.oval:def:22415 This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and st ... oval:org.secpod.oval:def:22543 This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setti ... oval:org.secpod.oval:def:22541 This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows adminis ... oval:org.secpod.oval:def:22404 This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Cl ... oval:org.secpod.oval:def:22403 This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file reach ... oval:org.secpod.oval:def:22523 This security setting determines what additional permissions are granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrat ... oval:org.secpod.oval:def:22644 Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables: AllowWildCards: Enable wildcard support for some commands (such as the DEL command). AllowAllPaths: Allow access to all files and folders on ... oval:org.secpod.oval:def:22643 This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they already provided the password in the Remote Desktop Connect ... oval:org.secpod.oval:def:22409 This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings!Turn off Search Companion ... oval:org.secpod.oval:def:22653 This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges. Fix: (1) GPO: Computer Configurati ... oval:org.secpod.oval:def:22530 This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and ... oval:org.secpod.oval:def:22518 This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local ... oval:org.secpod.oval:def:22513 Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encryption. Microsoft recommends that you disable this policy setting unless there is a strong business case to enable it. If this ... oval:org.secpod.oval:def:22512 This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, lo ... oval:org.secpod.oval:def:22506 Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specified ... oval:org.secpod.oval:def:22503 The registry value entry AutoAdminLogon was added to the template file in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key. The entry appears as MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) in the Security Configuration Editor. This settin ... oval:org.secpod.oval:def:22624 This security setting determines whether 128-bit key strength is required for encrypted secure channel data. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller w ... oval:org.secpod.oval:def:22621 This security setting determines which registry paths and subpaths can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Even ... oval:org.secpod.oval:def:22509 This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system. Default: This policy is not de ... oval:org.secpod.oval:def:22510 This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channe ... oval:org.secpod.oval:def:22631 This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used. This informat ... oval:org.secpod.oval:def:22630 The registry value entry EnableICMPRedirect was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes in the SCE. Internet Control M ... oval:org.secpod.oval:def:22579 The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. This security setting determines the number of failed logon attempts that causes the machine to be locke ... oval:org.secpod.oval:def:22587 This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.Important:If you apply this security policy to the Everyone group, no one will be able to log o ... oval:org.secpod.oval:def:22465 This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. Th ... oval:org.secpod.oval:def:22462 Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (instal ... oval:org.secpod.oval:def:22461 Each unique user's logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they are able to log on. The cached logon information is stored from the previous logon session. If a domain controller is unavailable and a use ... oval:org.secpod.oval:def:22581 This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certai ... oval:org.secpod.oval:def:22569 This policy setting ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system st ... oval:org.secpod.oval:def:22568 When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: Network access: Named pipes that can be accessed anonymously Network access: Shares that can be accessed anonymously Default: Enabled. When enabled, this policy setting restricts anonymous acces ... oval:org.secpod.oval:def:22566 LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, th ... oval:org.secpod.oval:def:22575 This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) operating systems. If this policy se ... oval:org.secpod.oval:def:22571 Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. If the status is ... oval:org.secpod.oval:def:22439 This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and assign it this user right through Group Policy. ... oval:org.secpod.oval:def:22438 This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication. If you enable this setting, Credential Manager does not store passwords and credentials on the computer. If you disable or do not configure this policy sett ... oval:org.secpod.oval:def:22437 Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Default: not enforced. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options!Inter ... oval:org.secpod.oval:def:22558 This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If ... oval:org.secpod.oval:def:22678 This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows: None: The LDAP BIND request is issued with the options that are specified by the caller. Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS ... oval:org.secpod.oval:def:22677 This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certai ... oval:org.secpod.oval:def:22556 This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to gr ... oval:org.secpod.oval:def:22555 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configur ... oval:org.secpod.oval:def:22685 This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the us ... oval:org.secpod.oval:def:22564 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configur ... oval:org.secpod.oval:def:22561 The registry value entry ScreenSaverGracePeriod was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key. The entry appears as MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 ... oval:org.secpod.oval:def:22440 The registry value entry NoNameReleaseOnDemand was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\ registry key. The entry appears as MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS serv ... oval:org.secpod.oval:def:22560 This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the s ... oval:org.secpod.oval:def:22428 By default, users can add their computer to a homegroup on a home network. If you enable this policy setting, a user on this computer will not be able to add this computer to a homegroup. This setting does not affect other network sharing features. If you disable or do not configure this policy s ... oval:org.secpod.oval:def:22546 This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ?\Program Files\, including subfolders - ?\Windows\system32\ - ? ... oval:org.secpod.oval:def:22545 This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in ... oval:org.secpod.oval:def:22424 This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environments, there should be no need for remote users to access data on a computer. Instead, file sharing should be acc ... oval:org.secpod.oval:def:22666 This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. ... oval:org.secpod.oval:def:22544 This security setting determines if the Guest account is enabled or disabled. Default: Disabled. Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microso ... oval:org.secpod.oval:def:29986 Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this setting the Store application will offer updates to the latest vers ... oval:org.secpod.oval:def:22430 The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user. If this user right is required for this kind of impersonation, an unauthorized user will not be able to convince a client to connect for ... oval:org.secpod.oval:def:22672 The registry value entry TCPMaxDataRetransmissions was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is ... oval:org.secpod.oval:def:22550 This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters - Be at l ... oval:org.secpod.oval:def:22670 This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to th ... oval:org.secpod.oval:def:22381 This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can ... oval:org.secpod.oval:def:29690 This security setting specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. Default: No message. Fix: ( ... oval:org.secpod.oval:def:22369 This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB Service to be ... oval:org.secpod.oval:def:22370 This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity. Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, t ... oval:org.secpod.oval:def:22490 This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box. This policy setting works in conjunction with the following Do not adjust default option to ?Install Updates and Shut Down? in Shut Down Windows Dialog box sett ... oval:org.secpod.oval:def:22599 Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notification ... oval:org.secpod.oval:def:22357 This policy setting determines the amount of time before previously scheduled Automatic Update installations will proceed after system startup. If you configure this policy setting to Enabled, a previously scheduled installation will begin after a specified number of minutes when you next start the ... oval:org.secpod.oval:def:22485 This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file reach ... oval:org.secpod.oval:def:22362 This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users& ... oval:org.secpod.oval:def:22468 This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right. When configuring a user right in the SCM enter a comma ... oval:org.secpod.oval:def:22356 This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition. When configuring a user right in the SCM enter a comma deli ... oval:org.secpod.oval:def:22355 Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Fix: (1) GPO: Comput ... oval:org.secpod.oval:def:22351 This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. If you disable this pol ... oval:org.secpod.oval:def:22350 This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. If you disable or do not configure t ... oval:org.secpod.oval:def:22616 This policy setting determines whether users can increase the base priority class of a process. (It is not a privileged operation to increase relative priority within a priority class.) This user right is not required by administrative tools that are supplied with the operating system but might be r ... oval:org.secpod.oval:def:22604 This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-of-service condition. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be eit ... oval:org.secpod.oval:def:22609 This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows ... oval:org.secpod.oval:def:29116 This policy setting configures the time in minutes before a detection in the 'completed' state moves to the 'cleared' state. Input Values Enable : 1 - 4294967295 minutes Disable: 0 minutes Default: Disable Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows C ... oval:org.secpod.oval:def:28941 Specifies whether to disable the administrator rights to customize security permissions in the Remote Desktop Session Host Configuration tool. You can use this setting to prevent administrators from making changes to the user groups on the Permissions tab in the Remote Desktop Session Host Configur ... oval:org.secpod.oval:def:29117 This policy setting configures the time in minutes before a detection in the 'additional action' state moves to the 'cleared' state. Input Values Enable : 1 - 4294967295 minutes Disable: 0 minutes Default: Disable Fix: (1) GPO: Computer Configuration\Administrative Templates\W ... oval:org.secpod.oval:def:29114 This policy setting configures the time in minutes before a detection in the ?critically failed? state to moves to either the ?additional action? state or the ?cleared? state. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Reporting!Configure time ... oval:org.secpod.oval:def:29115 This policy setting configures the time in minutes before a detection in the 'non-critically failed' state moves to the 'cleared' state. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Reporting!Configure time out for detections ... oval:org.secpod.oval:def:29105 This policy setting allows you to configure network protection against exploits of known vulnerabilities. If you enable or do not configure this setting, the network protection will be enabled. If you disable this setting, the network protection will be disabled. Fix: (1) GPO: Computer Confi ... oval:org.secpod.oval:def:29104 This policy setting allows you to configure Information Protection Control (IPC). If you enable this setting, IPC will be enabled. If you disable or do not configure this setting, IPC will be disabled. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows D ... oval:org.secpod.oval:def:22396 This policy setting helps prevent Terminal Services clients from saving passwords on a computer. Note If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Terminal Services client disconnects from any server ... oval:org.secpod.oval:def:22394 This policy setting allows accounts to log on using the task scheduler service. Because the task scheduler is often used for administrative purposes, it may be needed in enterprise environments. However, its use should be restricted in high security environments to prevent misuse of system resources ... oval:org.secpod.oval:def:22659 This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Ad ... oval:org.secpod.oval:def:22537 This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall wi ... oval:org.secpod.oval:def:22657 This security setting allows a security principal to log on as a service. Services can be configured to run under the Local System, Local Service, or Network Service accounts, which have a built in right to log on as a service. Any service that runs under a separate user account must be assigned the ... oval:org.secpod.oval:def:22535 This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. If you enable this policy setting, the WinRM client will use Basic authentication. If WinRM is configured to use HTTP transport, then the user name and password are sent over the ... oval:org.secpod.oval:def:22533 This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. If you enable this policy setting, the WinRM service will accept Basic authentication from a remote client. If you disable or do not configure this poli ... oval:org.secpod.oval:def:22412 This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent "man-in-the-m ... oval:org.secpod.oval:def:29731 Microsoft recommends that you use this setting, if appropriate to your environment and your organization's business requirements, to help protect end user computers. This policy setting allows text to be specified in the title bar of the window that users see when they log on to the system. De ... oval:org.secpod.oval:def:29976 Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will no longer be able to enable or disable lock screen ... oval:org.secpod.oval:def:29977 Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. If you enable this setting, users will no longer be able to modify slide show settings in ... oval:org.secpod.oval:def:29295 This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file reach ... oval:org.secpod.oval:def:22663 This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network. When configuring a user right in the SCM enter a comma delimited list of accounts ... oval:org.secpod.oval:def:22421 This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall wi ... oval:org.secpod.oval:def:22661 This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows ... oval:org.secpod.oval:def:22408 This policy setting determines which users or processes can generate audit records in the Security log. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers. Fix: (1 ... oval:org.secpod.oval:def:22649 This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. If you enable this policy setting, the WinRM client will not use Digest authentication. If you disable or do not configure this policy setting, the WinRM client will us ... oval:org.secpod.oval:def:22645 This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values and could lead to a hardware failure that would result in a denial of servic ... oval:org.secpod.oval:def:22532 This policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges. When configuring a user right in the SCM enter a comma ... oval:org.secpod.oval:def:22531 This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. When configu ... oval:org.secpod.oval:def:22410 This policy setting determines which users can change the auditing options for files and directories and clear the Security log. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, ... oval:org.secpod.oval:def:22652 This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user. When configuring a user right in the SCM enter a comma delimited list of ... oval:org.secpod.oval:def:22651 This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. This user right is required for users to add local printers or printer drivers in Windows Vista. When ... oval:org.secpod.oval:def:29168 This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer. If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. This prevents users from choosing not to use Work Fo ... oval:org.secpod.oval:def:22517 This policy setting determines whether packet signing is required by the SMB client component. If you enable this policy setting, the Microsoft network client computer cannot communicate with a Microsoft network server unless that server agrees to sign SMB packets. In mixed environments with legacy ... oval:org.secpod.oval:def:22636 Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Fix: (1) GPO: Comput ... oval:org.secpod.oval:def:22635 This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Compute ... oval:org.secpod.oval:def:22511 This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall wi ... oval:org.secpod.oval:def:22400 Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Fix: (1) GPO: Comput ... oval:org.secpod.oval:def:22626 This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality includin ... oval:org.secpod.oval:def:22500 This policy setting allows you to allow or deny remote access to the Plug and Play interface. If you enable this policy setting, remote connections to the Plug and Play interface are allowed. If you disable or do not configure this policy setting, remote connections to the Plug and Pl ... oval:org.secpod.oval:def:29942 This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process. If ... oval:org.secpod.oval:def:28730 This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compatibility. If you enable this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers b ... oval:org.secpod.oval:def:22459 This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. If you enable the No auto-restart for scheduled Automatic Updates installations setting, Automatic Updates does not restart comput ... oval:org.secpod.oval:def:22458 This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or c ... oval:org.secpod.oval:def:29655 This policy setting allows you to audit NTLM authentication in a domain from this domain controller. If you select "Disable" or do not configure this policy setting, the domain controller will not log events for NTLM authentication in this domain. If you select "Enable for domain ac ... oval:org.secpod.oval:def:29776 This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. If you select "Allow all" or do not configure this policy setting, the client computer can authenticate identities to a remote se ... oval:org.secpod.oval:def:29653 This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the "Network Security: Restrict NTLM: Deny NTLM authentication in this domain" is set. If you configure this policy setting, you can ... oval:org.secpod.oval:def:29652 This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting is configured. If you configure this policy setting, you c ... oval:org.secpod.oval:def:22580 This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choice in the Shut Down Windows dialog. Note that this policy setting has no impact if the Computer Configuration\Administrative Templates\Windows Components\Windows Upd ... oval:org.secpod.oval:def:22448 This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned, significant degradation of system performance can occur. When configuring a user right in the SCM enter a comma delimited l ... oval:org.secpod.oval:def:22446 This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be assigned this user ... oval:org.secpod.oval:def:22445 This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Ad ... oval:org.secpod.oval:def:22576 This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a ... oval:org.secpod.oval:def:22452 Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notification ... oval:org.secpod.oval:def:22573 This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) attack. When configuring a user ri ... oval:org.secpod.oval:def:22692 This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication request ... oval:org.secpod.oval:def:22450 This security setting determines whether to audit the access of global system objects. If this policy is enabled, it causes system objects, such as mutexes, events, semaphores and DOS devices, to be created with a default system access control list (SACL). Only named objects are given a SACL; SACLs ... oval:org.secpod.oval:def:22570 This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Ad ... oval:org.secpod.oval:def:22690 This policy setting allows users who do not have the Traverse Folder access permission to pass through folders when they browse an object path in the NTFS file system or the registry. This user right does not allow users to list the contents of a folder. When configuring a user right in the SCM ent ... oval:org.secpod.oval:def:22559 This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure cha ... oval:org.secpod.oval:def:22679 This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows Vista in your environment. This user right also determines which users can set valid security principa ... oval:org.secpod.oval:def:22676 This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they c ... oval:org.secpod.oval:def:22434 This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. If you enable this policy setting and specify the new location, the files in that location will be used ... oval:org.secpod.oval:def:29754 This policy setting allows you to deny or allow incoming NTLM traffic. If you select "Allow all" or do not configure this policy setting, the server will allow all NTLM authentication requests. If you select "Deny all domain accounts," the server will deny NTLM authentication r ... oval:org.secpod.oval:def:29752 This policy setting determines whether the account name of the last user to log on to the client computers in your organization can display in each computer's respective Windows logon screen. If you enable this policy setting, intruders cannot collect account names visually from the screens of ... oval:org.secpod.oval:def:22565 This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file reach ... oval:org.secpod.oval:def:22441 This policy setting specifies whether the tasks "Publish this file to the Web," "Publish this folder to the Web," and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders. The Web Publishing Wizard is used to download a li ... oval:org.secpod.oval:def:22681 Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notification ... oval:org.secpod.oval:def:22427 This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle ... oval:org.secpod.oval:def:22669 This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programming interface (API). Otherwise, t ... oval:org.secpod.oval:def:22668 This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Services or IIS also require ... oval:org.secpod.oval:def:29983 This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. This policy setting applies only to RemoteApp programs and does not apply to remote desktop sessions. If you enable or do not ... oval:org.secpod.oval:def:29185 For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. If this setting is enabled, only Administrators can install ... oval:org.secpod.oval:def:22433 This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if System Monitor is configured ... oval:org.secpod.oval:def:22432 This privilege determines which user accounts can increase or decrease the size of a process's working set. Default: Users The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an applicatio ... oval:org.secpod.oval:def:22431 Determines how far in advance (in days) users are warned that their password is about to expire. With this advance warning, the user has time to construct a password that is sufficiently strong. Default: 5 days. Fix: (1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policie ... oval:org.secpod.oval:def:22671 This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. If you disable or do not configure ... oval:org.secpod.oval:def:29980 This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. If you enable this policy setting, Windows Store apps that typically require a Microsoft account to ... |
