oval:org.secpod.oval:def:36559
Determines which users can log on to the computer. Important Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (http://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft websit ...

oval:org.secpod.oval:def:35051
Specifies the amount of time for Automatic Updates to wait, following system startup, before proceeding with a scheduled installation that was missed previously. If the status is set to Enabled, a scheduled installation that did not take place earlier will occur the specified number of minutes afte ...

oval:org.secpod.oval:def:35288
This security setting determines which communication sessions (pipes) will have attributes and permissions that allow anonymous access. Note: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, t ...

oval:org.secpod.oval:def:36489
This user right determines which users can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. This user right is defined in the Default Domain Co ...

oval:org.secpod.oval:def:35018
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) Counter Measure: Configure the MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) entry to a value of 3. The possib ...

oval:org.secpod.oval:def:35090
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not conf ...

oval:org.secpod.oval:def:35193
This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to ...

oval:org.secpod.oval:def:35192
This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Win ...

oval:org.secpod.oval:def:35183
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) Counter Measure: Configure the MSS: (TcpMaxDataRetransmissions) IPv6 How many times unacknowledged data is retransmitted (3 recommended, 5 is default) entry to a value of 3. ...

oval:org.secpod.oval:def:36545
This security setting determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. Defau ...

oval:org.secpod.oval:def:35212
This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. Counter Measure: Enable this setting Potential Impact: If this policy setting is enabled, Windows is prevented from downloading providers; only the service pr ...

oval:org.secpod.oval:def:35213
This policy setting specifies whether Windows will search Windows Update for device drivers when no local drivers for a device are present. Note: See also Turn off Windows Update device driver search prompt in Administrative Templates/System, which governs whether an administrator is prompted b ...

oval:org.secpod.oval:def:36543
This security setting determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is sim ...

oval:org.secpod.oval:def:35207
This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned. If you disable or do not configure this setting, a default siz ...

oval:org.secpod.oval:def:36536
This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. Default: Non ...

oval:org.secpod.oval:def:36533
This privilege determines which user accounts can increase or decrease the size of a process's working set. Default: Users The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an applic ...

oval:org.secpod.oval:def:36529
This security setting determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. Default: Guest Counter Measure: Assign the Deny access ...

oval:org.secpod.oval:def:35314
This policy setting allows you to manage BitLocker's use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve freque ...

oval:org.secpod.oval:def:35306
This policy setting allows you to define the number of days that must pass before spyware definitions are considered out of date. If definitions are determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a ...

oval:org.secpod.oval:def:35305
This policy setting allows you to configure network protection against exploits of known vulnerabilities. If you enable or do not configure this setting, the network protection will be enabled. If you disable this setting, the network protection will be disabled. Counter Measure: Con ...

oval:org.secpod.oval:def:35302
This policy setting allows you to define the number of days that must pass before virus definitions are considered out of date. If definitions are determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a w ...

oval:org.secpod.oval:def:36508
This security setting determines which users and groups are prohibited from logging on as a Remote Desktop Services client. Default: None. Important This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2. Counter Measure: Assign the Deny ...

oval:org.secpod.oval:def:35254
This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans will not occur. By default, this setting ...

oval:org.secpod.oval:def:35360
This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule i ...

oval:org.secpod.oval:def:35363
This security setting determines which network shares can be accessed by anonymous users. Default: None specified. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. Note: It can be ...

oval:org.secpod.oval:def:35116
Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the ...

oval:org.secpod.oval:def:35351
This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time ...

oval:org.secpod.oval:def:35349
This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule ...

oval:org.secpod.oval:def:34989
Enabling this security option makes the Recovery Console SET command available, which allows you to set the following Recovery Console environment variables: AllowWildCards: Enable wildcard support for some commands (such as the DEL command). AllowAllPaths: Allow access to all files and folders on ...

oval:org.secpod.oval:def:35294
This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file r ...

oval:org.secpod.oval:def:35295
This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in ...

oval:org.secpod.oval:def:35050
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. Counter Measure: Configure this policy setting to "Y ...

oval:org.secpod.oval:def:35292
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. If you enable this policy setting, all local administrator a ...

oval:org.secpod.oval:def:35171
This entry appears as MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) in the Local Group Policy Editor. You can configure a computer so that it does not send announcements to browsers on the domain. If you do, you hide the computer from the Ne ...

oval:org.secpod.oval:def:35293
This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to gr ...

oval:org.secpod.oval:def:35290
Specifies the period of inactivity before Windows turns off the display. If you enable this policy, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. If you disable this policy or do not configure it, users can see and c ...

oval:org.secpod.oval:def:35291
This policy setting allows you to manage the installation of app packages that do not originate from the Windows Store. Counter Measure: Organizations that develop their own line-of-business app packages or acquire them directly from vendors may want to enable this policy setting, however if y ...

oval:org.secpod.oval:def:35056
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Counter Measure: Configure this setting to block inbound connections by default. Poten ...

oval:org.secpod.oval:def:35298
This policy setting controls the behavior of the elevation prompt for standard users. The options are: - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, ...

oval:org.secpod.oval:def:35057
This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is needed to authenticate an RD Session Host server when SSL (TLS 1.0) is used to secure communicat ...

oval:org.secpod.oval:def:35299
This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection ...

oval:org.secpod.oval:def:35178
Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (in ...

oval:org.secpod.oval:def:35296
Use this option to specify the path and name of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to a value suitable for your organization, such as the default value of "%SYSTEMROOT%\System32\logfiles\firewall\publicfw.l ...

oval:org.secpod.oval:def:35055
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Counter Measure: Configure the MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) entry to a value of 0. The possible ...

oval:org.secpod.oval:def:36494
This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user ri ...

oval:org.secpod.oval:def:35162
This policy setting turns off the location feature for this computer. If you enable this policy setting, the location feature will be turned off, and all programs on this computer will not be able to use location information from the location feature. If you disable or do not configure thi ...

oval:org.secpod.oval:def:36493
This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other user ...

oval:org.secpod.oval:def:35284
This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an adminis ...

oval:org.secpod.oval:def:35163
Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this setting the Store application will offer updates to the latest ...

oval:org.secpod.oval:def:35042
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not conf ...

oval:org.secpod.oval:def:36492
This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time ...

oval:org.secpod.oval:def:35281
This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file r ...

oval:org.secpod.oval:def:36491
This privilege determines if the user can create a symbolic link from the computer he is logged on to. Default: Administrator WARNING: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle th ...

oval:org.secpod.oval:def:36490
This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users. For information about how to ...

oval:org.secpod.oval:def:35280
This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators Administrators and Power Users Administrators and Interactive Users Default: This policy is not defined and only Administrators have this ability. Counter Mea ...

oval:org.secpod.oval:def:35049
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Counter Measure: Configure the MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) entry to a value of Disabled. The po ...

oval:org.secpod.oval:def:35047
This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications ...

oval:org.secpod.oval:def:35289
This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality includ ...

oval:org.secpod.oval:def:36499
This security setting determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy ...

oval:org.secpod.oval:def:35045
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Counter Measure: Configure the MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) entry to a value of Highest protection, source routing is compl ...

oval:org.secpod.oval:def:36497
This security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows. For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an ...

oval:org.secpod.oval:def:36496
This user right determines which users and groups can change the time zone used by the computer for displaying the local time, which is the computer's system time plus the time zone offset. System time itself is absolute and is not affected by a change in the time zone. This user right is ...

oval:org.secpod.oval:def:35165
This policy setting allows you to manage whether a check for new virus and spyware definitions will occur immediately after service startup. If you enable this setting, a check for new definitions will occur after service startup. If you disable this setting or do not configure this settin ...

oval:org.secpod.oval:def:35286
This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send LM & ...

oval:org.secpod.oval:def:35393
This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a domain controller cannot be contacted. This policy setting determines the number of unique use ...

oval:org.secpod.oval:def:35394
Use this option to specify the size limit of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to "16384". Potential Impact: The log file size will be limited to the specified size, old events will be overwr ...

oval:org.secpod.oval:def:35392
This policy setting controls Event Log behavior when the log file reaches its maximum size. Counter Measure: Configure this setting to Disabled. Potential Impact: If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. ...

oval:org.secpod.oval:def:35159
This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Counter Measure: Disable this setting to override firewall rules created locally by administrators. Potential Impact: If you co ...

oval:org.secpod.oval:def:35038
This security setting determines what additional permissions are granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrat ...

oval:org.secpod.oval:def:35036
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Counter Measure: Configure the MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) entry to a value of Highest protection, source routing is ...

oval:org.secpod.oval:def:35278
This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows: * None: The LDAP BIND request is issued with the options that are specified by the caller. * Negotiate signing: If Transport Layer Security/Secure Sockets Layer ...

oval:org.secpod.oval:def:36488
This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password co ...

oval:org.secpod.oval:def:35034
This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX. If this setting is enabled, case insensitivity is enforced for all directory object ...

oval:org.secpod.oval:def:35276
This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: * Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the o ...

oval:org.secpod.oval:def:36486
This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right. Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default on workstations and ser ...

oval:org.secpod.oval:def:35156
Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy is disabled, the only sleep state a computer may enter is hibernate. Counter Measure: During hibernat ...

oval:org.secpod.oval:def:35277
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in t ...

oval:org.secpod.oval:def:35032
This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle ...

oval:org.secpod.oval:def:35396
This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware definitions are disabled. It is recommended that this setting remain disabled. If you enable this setting, the antimalware service will always remain running even if ...

oval:org.secpod.oval:def:35140
Enables or disables the automatic download and update of map data. If you enable this setting the automatic download and update of map data is turned off. If you disable this setting the automatic download and update of map data is turned on. If you don't configure this setti ...

oval:org.secpod.oval:def:35382
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevati ...

oval:org.secpod.oval:def:35262
This security setting determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available on the Windows logon screen. When this policy is disabled, the option to shut down the computer does not appear on the Windows l ...

oval:org.secpod.oval:def:35020
This security setting determines if users' private keys require a password to be used. The options are: User input is not required when new keys are stored and used User is prompted when the key is first used User must enter a password each time they use a key For more information, see Pu ...

oval:org.secpod.oval:def:35027
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Counter Measure: Configure the MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning entry to a value of 90. The possibl ...

oval:org.secpod.oval:def:36479
This security setting determines which users or groups have permission to log on as a Remote Desktop Services client. Default: On workstation and servers: Administrators, Remote Desktop Users. On domain controllers: Administrators. Important This setting does not have any effect on Windows 2000 ...

oval:org.secpod.oval:def:35388
Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. Counter Measure: We recommend that you disable this policy setting unless you have to support legacy business applications that do not support it. Potential Impact: ...

oval:org.secpod.oval:def:35025
This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard. Default: ...

oval:org.secpod.oval:def:35026
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Counter Measure: Configure the MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes entry to a value of Disabled. The possible values for this registry entry are: 1 or 0. The ...

oval:org.secpod.oval:def:35147
This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. Counter Measure: Disable this setting to prevent the client from receiving unicast responses. Potential Impact: If you enable this setting and thi ...

oval:org.secpod.oval:def:35023
This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. If you enable this policy setting, Windows uses standby states to put the computer in a sleep state. If you disable or do not configure this policy setting, the only slee ...

oval:org.secpod.oval:def:35265
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. Important If you set Outbound connections to Block and then deploy the firewall poli ...

oval:org.secpod.oval:def:35266
This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. This setting applies to scheduled scans as well as the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the ...

oval:org.secpod.oval:def:35021
This policy setting allows you to configure remote access to computers by using Remote Desktop Services. If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services ...

oval:org.secpod.oval:def:35022
This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channe ...

oval:org.secpod.oval:def:35385
Specifies whether or not the user is prompted for a password when the system resumes from sleep. Counter Measure: Configure Require a Password When a Computer Wakes (On Battery) to Enabled. Potential Impact: If you enable this policy, or if it is not configured, the user is prompted for a ...

oval:org.secpod.oval:def:35264
This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Counter Measure: Enable this policy setting to ensure that Windows Messenger does not collect usage information and to prevent display of the ...

oval:org.secpod.oval:def:35094
Use this option to specify the size limit of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to "16384". Potential Impact: The log file size will be limited to the specified size, old events will be overwr ...

oval:org.secpod.oval:def:35093
This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. Counter Measure: Enable this setting to prevent p ...

oval:org.secpod.oval:def:35091
Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note: When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notificat ...

oval:org.secpod.oval:def:35098
This policy setting prevents users from adding new Microsoft accounts on this computer. If you select the "Users can't add Microsoft accounts" option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft accou ...

oval:org.secpod.oval:def:35085
This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. Counter Measure: Configure this policy setting to Enabled to prevent Search Companion from downloading content updates during searches. Potential Impact: ...

oval:org.secpod.oval:def:35086
Specifies the period of inactivity before Windows turns off the display. If you enable this policy, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. If you disable this policy or do not configure it, users can see and c ...

oval:org.secpod.oval:def:35084
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ...\Program Files\, including subfolders - ...\Windows\system32\ ...

oval:org.secpod.oval:def:35081
This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Cl ...

oval:org.secpod.oval:def:35080
This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle ...

oval:org.secpod.oval:def:35089
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Counter Measure: Configure the MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers (Only recommended for servers) entry t ...

oval:org.secpod.oval:def:35087
This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. If you enable this setting, a system restore point will be created. If you disable or do not configure this setting, a system restore point will not be created. Counter Mea ...

oval:org.secpod.oval:def:35195
Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specifie ...

oval:org.secpod.oval:def:35196
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. Th ...

oval:org.secpod.oval:def:35070
This security setting determines which registry paths and subpaths can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Even ...

oval:org.secpod.oval:def:35191
This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead requires certai ...

oval:org.secpod.oval:def:35190
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Counter Measure: ...

oval:org.secpod.oval:def:35078
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic Counter Measure: Do not configure the MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended) entry except on computers that use IPsec filters, where this entry should be configured t ...

oval:org.secpod.oval:def:35079
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Counter Measure: Configure the MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) entry to a value of Enabled. The possible values for this registry entry are: - 1 or 0. The default configuration for W ...

oval:org.secpod.oval:def:35077
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Counter Measure: Do not configure the MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) entry except on highly secure computers, where it should be configured to a value of Disabled. The possible values for this r ...

oval:org.secpod.oval:def:35063
This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: Require NTLMv2 session security: The connection will fail if NTLMv2 prot ...

oval:org.secpod.oval:def:35185
This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Enabling this option when the Audit privilege use policy is also enabled generates an audit event for every file that is backed up or rest ...

oval:org.secpod.oval:def:35061
This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are: No Action, Lock Workstation, Force Logoff, Disconnect if a Remote Desktop Services session. If you click Lock Workstation in the Properties dialog box fo ...

oval:org.secpod.oval:def:35182
This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the us ...

oval:org.secpod.oval:def:35069
This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Remote Desktop Services allows users to disconn ...

oval:org.secpod.oval:def:35189
Use this option to specify the path and name of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to a value suitable for your organization, such as the default value of %SYSTEMROOT%\System32\logfiles\firewall\domainfw.log. Poten ...

oval:org.secpod.oval:def:35335
This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately. Prior to Windows XP SP2, Autoplay is disabled ...

oval:org.secpod.oval:def:36546
This security setting determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can ...

oval:org.secpod.oval:def:35214
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. Counter Measure: Configure this policy setting to "Y ...

oval:org.secpod.oval:def:35215
This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication. If you enable this setting, Credential Manager does not store passwords and credentials on the computer. If you disable or do not configure this policy sett ...

oval:org.secpod.oval:def:35455
This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. Consult the Bit ...

oval:org.secpod.oval:def:35452
This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. Consult the Bit ...

oval:org.secpod.oval:def:36542
This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution Assigning this user right can be a security risk. Since owners of objects have full ...

oval:org.secpod.oval:def:35210
Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category le ...

oval:org.secpod.oval:def:35211
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Counter Measure: ...

oval:org.secpod.oval:def:36541
This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service. Default on Workstations: Administrators, Backup Operators, Users. Default on Servers: ...

oval:org.secpod.oval:def:36540
This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler. For information about Task Scheduler, see Task Scheduler overvie ...

oval:org.secpod.oval:def:35209
Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as op ...

oval:org.secpod.oval:def:36539
This security setting determines which users can use performance monitoring tools to monitor the performance of non-system processes. Default: Administrators, Power users. Counter Measure: Ensure that only the local Administrators group is assigned the Profile single process user right. Pote ...

oval:org.secpod.oval:def:35205
This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent "man-in-t ...

oval:org.secpod.oval:def:35327
This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. Counter Measure: Enable the Turn off the "Publish to Web" task ...

oval:org.secpod.oval:def:36535
This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If ...

oval:org.secpod.oval:def:36534
This user right determines which users can dynamically load and unload device drivers or other code into kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution Assigning this user right can be a ...

oval:org.secpod.oval:def:35202
This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. If you enable the No auto-restart for scheduled Automatic Updates installations setting, Automatic Updates does not restart c ...

oval:org.secpod.oval:def:36532
This security setting determines how often a domain member will attempt to change its computer account password. Default: 30 days. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly or set it to 0 so that the computers ...

oval:org.secpod.oval:def:36527
Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a serv ...

oval:org.secpod.oval:def:36526
This security setting determines if the Guest account is enabled or disabled. Default: Disabled. Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microso ...

oval:org.secpod.oval:def:35434
This policy setting helps prevent Terminal Services clients from saving passwords on a computer. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Terminal Services client disconnects from any server. ...

oval:org.secpod.oval:def:35430
This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the ...

oval:org.secpod.oval:def:35431
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choice in the Shut Down Windows dialog. Note that this policy setting has no impact if the Computer Configuration\Administrative Templates\Windows Components\Wi ...

oval:org.secpod.oval:def:35307
This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in the Idle session limit drop- ...

oval:org.secpod.oval:def:35423
This policy setting configures access to remote shells. If you enable this policy setting and set it to False, new remote shell connections are rejected by the server. If you disable or do not configure this policy setting, new remote shell connections are allowed. Counter Measure: Configure ...

oval:org.secpod.oval:def:35421
Logon information must be provided to unlock a locked computer. For domain accounts, this security setting determines whether a domain controller must be contacted to unlock a computer. If this setting is disabled, a user can unlock the computer using cached credentials. If this setting is enabled, ...

oval:org.secpod.oval:def:35301
This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local ...

oval:org.secpod.oval:def:35422
This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and i ...

oval:org.secpod.oval:def:35420
This policy setting ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system st ...

oval:org.secpod.oval:def:36509
This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. Default: 7 on domain controllers. 0 on sta ...

oval:org.secpod.oval:def:35419
This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. ...

oval:org.secpod.oval:def:35416
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is displayed in the Shut Down Windows dialog box. If you enable this policy setting, 'Install Updates and Shut Down' will not appear as a choice in the Shut Down Windows d ...

oval:org.secpod.oval:def:36506
This security setting determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operat ...

oval:org.secpod.oval:def:36504
This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: Not contain the user's account name or parts of the user's full name that exceed two consecutive characters * B ...

oval:org.secpod.oval:def:35414
This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Compute ...

oval:org.secpod.oval:def:35250
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Counter Measure: ...

oval:org.secpod.oval:def:35016
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. Important If you set Outbound connections to Block and then deploy the firewall poli ...

oval:org.secpod.oval:def:35259
This security setting determines whether to audit the access of global system objects. If this policy is enabled, it causes system objects, such as mutexes, events, semaphores and DOS devices, to be created with a default system access control list (SACL). Only named objects are given a SACL; SACLs ...

oval:org.secpod.oval:def:35256
This policy setting allows you to manage whether or not end users can pause a scan in progress. If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan. If you disable this setting, users will not be able to p ...

oval:org.secpod.oval:def:35373
Use this option to specify the path and name of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to a value suitable for your organization, such as the default value of "%SYSTEMROOT%\System32\logfiles\firewall\privatefw. ...

oval:org.secpod.oval:def:35010
This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: * Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators an ...

oval:org.secpod.oval:def:35253
This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group ...

oval:org.secpod.oval:def:35374
This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To pre ...

oval:org.secpod.oval:def:35128
Minimum PIN length configures the minimum number of characters required for the work PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, which ...

oval:org.secpod.oval:def:35007
This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. If you disable this policy setting, the user is not pr ...

oval:org.secpod.oval:def:35008
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. Counter Measure: Configure this policy setting to "Yes" ...

oval:org.secpod.oval:def:35240
This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Counter Measure: Disable this setting to override firewall rules created locally by administrators. Potential Impac ...

oval:org.secpod.oval:def:35005
This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Counter Measure: Disable this setting to override firewall rules created locally by administrators. Potential Impact: If you co ...

oval:org.secpod.oval:def:35004
This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. Counter Measure: Disable this setting to prevent the client from receiving unicast responses. Potential Impact: If you enable this setting and thi ...

oval:org.secpod.oval:def:35243
This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authentication package, Spnego.dll. In previous versions of Window ...

oval:org.secpod.oval:def:35001
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to requi ...

oval:org.secpod.oval:def:35002
This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Counter Measure: Disable this setting to override firewall rules created locally by administrators. Potential Impac ...

oval:org.secpod.oval:def:35000
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Counter Measure: Configure the MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (300,000 is recommended) entry to a value of 300000 or 5 minutes. The possible values for this registry entry ...

oval:org.secpod.oval:def:35242
This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB Service to ...

oval:org.secpod.oval:def:36560
This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders ...

oval:org.secpod.oval:def:35113
When you enable this setting, planned password expiration longer than password age dictated by "Password Settings" policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. When you disable or n ...

oval:org.secpod.oval:def:35355
This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most co ...

oval:org.secpod.oval:def:35111
Configures password parameters Password complexity: which characters are used when generating a new password Default: Large letters + small letters + numbers + special characters Password length Minimum: 8 characters Maximum: 64 characters Default: 14 characters Passw ...

oval:org.secpod.oval:def:35232
When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: Network access: Named pipes that can be accessed anonymously Network access: Shares that can be accessed anonymously Default: Enabled. Counter Measure: Configure the Network access: Restr ...

oval:org.secpod.oval:def:35354
Enables or disables the automatic download and installation of app updates. If you enable this setting, the automatic download and installation of app updates is turned off. If you disable this setting, the automatic download and installation of app updates is turned on. If you don't ...

oval:org.secpod.oval:def:35352
This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name ...

oval:org.secpod.oval:def:35231
This policy setting allows you to allow or deny remote access to the Plug and Play interface. If you enable this policy setting, remote connections to the Plug and Play interface are allowed. If you disable or do not configure this policy setting, remote connections to the Plug and Play in ...

oval:org.secpod.oval:def:36558
This privilege determines who can change the maximum memory that can be consumed by a process. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. Note: This privilege is useful for system tuning, but i ...

oval:org.secpod.oval:def:35346
Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Counter Measure: Configure Network security: Allow LocalSystem NULL session fallback to Disabled. Potential Impact: Any applications that require NULL s ...

oval:org.secpod.oval:def:36557
This security setting determines whether a different account name is associated with the security identifier (SID) for the account "Guest." Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combinati ...

oval:org.secpod.oval:def:35225
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. In Windows Vista, the default behavior is to allow connections unless there are firewall rules that block the connection. Counter Measure: Configure this setting to allow outbound connect ...

oval:org.secpod.oval:def:35102
This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in the Active session limit drop-down list. Remote Desktop ...

oval:org.secpod.oval:def:36555
This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator exp ...

oval:org.secpod.oval:def:35224
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Counter Measure: Configure this setting to block inbound connections by default. Poten ...

oval:org.secpod.oval:def:35103
System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms For the Schannel Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transport Layer Security ...

oval:org.secpod.oval:def:35100
This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. If you enable this policy s ...

oval:org.secpod.oval:def:35222
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: * Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy ...

oval:org.secpod.oval:def:36552
This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files into memory that contains other data. When the extended files are ...

oval:org.secpod.oval:def:36551
This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days. Count ...

oval:org.secpod.oval:def:35220
This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. Counter Measure: Disable this setting to prevent the client from receiving unicast responses. Potential Impact: If you enable this setting and thi ...

oval:org.secpod.oval:def:36550
This security setting determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causi ...

oval:org.secpod.oval:def:35341
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. Counter Measure: Configure this policy setting to "Yes" ...

oval:org.secpod.oval:def:36549
This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. Important: If you apply this security policy to the Everyone group, no one will be able to lo ...

oval:org.secpod.oval:def:35216
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. If you disable this ...

oval:org.secpod.oval:def:36548
This security setting determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. For such auditing to be ena ...

oval:org.secpod.oval:def:36547
This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords are not reused ...

oval:org.secpod.oval:def:34999
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Counter Measure: Configure this setting to block inbound connections by default. Poten ...

oval:org.secpod.oval:def:34996
This policy setting allows you to manage BitLocker's use of hardware-based encryption on fixed data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent rea ...

oval:org.secpod.oval:def:34997
This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication request ...

oval:org.secpod.oval:def:34994
Use this option to specify the size limit of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to "16384". Potential Impact: The log file size will be limited to the specified size, old events will be overwr ...

oval:org.secpod.oval:def:34992
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not conf ...

oval:org.secpod.oval:def:34993
By default, users can add their computer to a homegroup on a home network. If you enable this policy setting, a user on this computer will not be able to add this computer to a homegroup. This setting does not affect other network sharing features. If you disable or do not configure this ...

oval:org.secpod.oval:def:34990
This security setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen. If this policy is enabled, the name of the last user to successfully log on is not displayed in the Logon Screen. If this policy is disabled, the name o ...

oval:org.secpod.oval:def:34991
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. Counter Measure: Configure this policy setting to "Y ...

oval:org.secpod.oval:def:34987
If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. Default: Disabled Counter Measure: ...

oval:org.secpod.oval:def:34983
This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Counter Measure: Disable this setting to override firewall rules created locally by administrators. Potential Impact: If you co ...

oval:org.secpod.oval:def:34982
Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note: When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notificat ...

oval:org.secpod.oval:def:34978
This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an autorun command is inserted, the system will automat ...

oval:org.secpod.oval:def:34979
This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn users when their passwords will expire. Determines how far in advance (in days) users are warned that their ...

oval:org.secpod.oval:def:34975
This policy setting turns off the Windows Location Provider feature for this computer. Counter Measure: Enable this policy setting. Potential Impact: If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be ...

oval:org.secpod.oval:def:34972
This security setting determines whether 128-bit key strength is required for encrypted secure channel data. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller w ...

oval:org.secpod.oval:def:34973
This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system. Default: This policy is not de ...

oval:org.secpod.oval:def:36502
This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on any computer in a high security environment, but because many applications may require this privilege, it should be carefully evaluated ...

oval:org.secpod.oval:def:35413
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. Counter Measure: Configure this policy setting to "Yes" ...

oval:org.secpod.oval:def:36501
This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon at ...

oval:org.secpod.oval:def:35407
Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note: When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notificat ...

oval:org.secpod.oval:def:35408
This security setting determines whether the system shuts down if it is unable to log security events. If this security setting is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full an ...

oval:org.secpod.oval:def:35405
This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. Counter Measure: Enable this setting to prevent users from submitting print jobs via HTTP. Potential Imp ...

oval:org.secpod.oval:def:35403
This policy setting permits users to change installation options that typically are available only to system administrators. If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted du ...

CPE    1
cpe:/o:microsoft:windows_10
CCE    226
CCE-43905-9
CCE-42501-7
CCE-42888-8
CCE-43903-4
...
*XCCDF
xccdf_org.secpod_benchmark_NIST_800_53_r4_Windows_10

© SecPod Technologies