[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244411

 
 

909

 
 

193363

 
 

277

Paid content will be excluded from the download.


Download | Alert*


oval:org.secpod.oval:def:40308
This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user's full name that exceed two ...

oval:org.secpod.oval:def:40306
This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user. When configuring a user right in the SCM enter a comma delimited list of ...

oval:org.secpod.oval:def:40263
This policy setting allows users to shut down Windows Vista -based computers from remote locations on the network. Anyone who has been assigned this user right can cause a denial of service (DoS) condition, which would make the computer unavailable to service user requests. Therefore, Microsoft reco ...

oval:org.secpod.oval:def:40214
This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if System Monitor is configured ...

oval:org.secpod.oval:def:40314
This policy setting helps prevent Terminal Services clients from saving passwords on a computer. Note If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Terminal Services client disconnects from any server ...

oval:org.secpod.oval:def:40235
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. Th ...

oval:org.secpod.oval:def:40215
This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users& ...

oval:org.secpod.oval:def:40305
This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values and could lead to a hardware failure that would result in a denial of servic ...

oval:org.secpod.oval:def:40309
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. Important If you set Outbound connections to Block and then deploy the firewall policy ...

oval:org.secpod.oval:def:40248
The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user. If this user right is required for this kind of impersonation, an unauthorized user will not be able to convince a client to connect -fo ...

oval:org.secpod.oval:def:40282
This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they c ...

oval:org.secpod.oval:def:40329
Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. Vulnerability: Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware. Counter Measure: ...

oval:org.secpod.oval:def:40317
This policy setting permits users to change installation options that typically are available only to system administrators. If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to ...

oval:org.secpod.oval:def:40276
This policy setting determines whether users can increase the base priority class of a process. (It is not a privileged operation to increase relative priority within a priority class.) This user right is not required by administrative tools that are supplied with the operating system but might be r ...

oval:org.secpod.oval:def:40202
This policy setting determines which users can change the auditing options for files and directories and clear the Security log. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, ...

oval:org.secpod.oval:def:40299
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ...\Program Files\, including subfolders - ...\Windows\system3 ...

oval:org.secpod.oval:def:40318
This policy setting prevents users from sharing the local drives on their client computers to Terminal Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\TSClient\<driveletter>$ If local drives are shared they are le ...

oval:org.secpod.oval:def:40251
This policy setting determines which users can create symbolic links. In Windows Vista, existing NTFS file system objects, such as files and folders, can be accessed by referring to a new kind of file system object called a symbolic link. A symbolic link is a pointer (much like a shortcut or .lnk fi ...

oval:org.secpod.oval:def:40207
This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be assigned this user ...

oval:org.secpod.oval:def:40225
This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can ...

oval:org.secpod.oval:def:40277
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. In Windows Vista, the default behavior is to allow connections unless there are firewall rules that block the connection. Vulnerability: Some people believe that it is prudent to block all ou ...

oval:org.secpod.oval:def:40222
This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or c ...

oval:org.secpod.oval:def:40218
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. Important If you set Outbound connections to Block and then deploy the firewall policy ...

oval:org.secpod.oval:def:40270
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Vulnerability: If the firewall allows all traffic to access the system then an attacker may ...

oval:org.secpod.oval:def:40236
This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable this policy setting, the domain member can change its compu ...

oval:org.secpod.oval:def:40279
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Vulnerability: An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes. C ...

oval:org.secpod.oval:def:40241
This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and assign it this user right through Group Policy. ...

oval:org.secpod.oval:def:40330
This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they already provided the password in the Remote Desktop Connecti ...

oval:org.secpod.oval:def:40272
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Vulnerability: If the firewall allows all traffic to access the system then an attacker may ...

oval:org.secpod.oval:def:40304
Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Vulnerability: NULL sessions are less secure because by definition they are unauthenticated. Counter Measure: Configure Network security: Allow LocalSystem NULL se ...

oval:org.secpod.oval:def:40259
LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, th ...

oval:org.secpod.oval:def:40331
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Vulnerability: This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed proper ...

oval:org.secpod.oval:def:40195
This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session. Vulnerability: If Terminal Server client connections are allowed that use low level encryptio ...

oval:org.secpod.oval:def:40204
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Vulnerability: If the firewall allows all traffic to access the system then an attacker may ...

oval:org.secpod.oval:def:40238
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ...

oval:org.secpod.oval:def:40201
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevati ...

oval:org.secpod.oval:def:40245
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Vulnerability: An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet take ...

oval:org.secpod.oval:def:40217
Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. You can enable the Turn off Autoplay set ...

oval:org.secpod.oval:def:40292
This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certai ...

oval:org.secpod.oval:def:40249
This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and ...

oval:org.secpod.oval:def:40290
This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Services or IIS also require ...

oval:org.secpod.oval:def:40229
This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: - Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the opera ...

oval:org.secpod.oval:def:40226
This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days. Vulner ...

oval:org.secpod.oval:def:40301
When enabled, this policy setting causes Local System services that use Negotiate to use the computer identity when NTLM authentication is selected by the negotiation. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Vulnerability: When connecting to computers running vers ...

oval:org.secpod.oval:def:40242
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ...

oval:org.secpod.oval:def:40232
This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. Vulnerability: Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smar ...

oval:org.secpod.oval:def:40278
This policy setting determines which users can connect to the computer from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). Users, co ...

oval:org.secpod.oval:def:40307
This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote clien ...

oval:org.secpod.oval:def:40300
This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an autorun command is inserted, the system ...

oval:org.secpod.oval:def:43777
This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon at ...

oval:org.secpod.oval:def:40294
This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps "pass phrase" is a better term than "password.&q ...

oval:org.secpod.oval:def:40257
This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default settin ...

oval:org.secpod.oval:def:40208
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy ...

oval:org.secpod.oval:def:40227
This policy setting determines which users or processes can generate audit records in the Security log. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers. Vulnerabi ...

oval:org.secpod.oval:def:40253
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure th ...

oval:org.secpod.oval:def:40234
This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environments, there should be no need for remote users to access data on a computer. Instead, file sharing should be acc ...

oval:org.secpod.oval:def:40256
This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and shared among processes and its default configuration strengthens the DACL, because it allows users who are not administrators to r ...

oval:org.secpod.oval:def:40320
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Vulnerability: The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the ...

oval:org.secpod.oval:def:40297
This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programming interface (API). Otherwise, t ...

oval:org.secpod.oval:def:40221
Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (instal ...

oval:org.secpod.oval:def:40293
This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network. When configuring a user right in the SCM enter a comma delimited list of accounts ...

oval:org.secpod.oval:def:40211
This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right. When configuring a user right in the SCM enter a comma ...

oval:org.secpod.oval:def:40250
This policy setting controls the behavior of the elevation prompt for standard users. The options are: - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the oper ...

oval:org.secpod.oval:def:40302
This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows Vista in your environment. This user right also determines which users can set valid security principa ...

oval:org.secpod.oval:def:40216
This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most constraine ...

oval:org.secpod.oval:def:40230
This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT * hash. Note Older operating systems and some third ...

oval:org.secpod.oval:def:40246
This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.Important:If you apply this security policy to the Everyone group, no one will be able to log o ...

oval:org.secpod.oval:def:40213
This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned, significant degradation of system performance can occur. When configuring a user right in the SCM enter a comma delimited l ...

oval:org.secpod.oval:def:40268
This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. This user right is required for users to add local printers or printer drivers in Windows Vista. When ...

oval:org.secpod.oval:def:40283
This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-of-service condition. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be ...

oval:org.secpod.oval:def:40240
This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Di ...

oval:org.secpod.oval:def:40269
This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certai ...

oval:org.secpod.oval:def:40220
This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the ...

oval:org.secpod.oval:def:40266
This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, lo ...

oval:org.secpod.oval:def:40291
This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests, as follows: - None. The LDAP BIND request is issued with the caller-specified options. - Negotiate signing. If Transport Layer Security/Secure Sockets Layer (TLS/SSL) has no ...

oval:org.secpod.oval:def:40219
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Vulnerability: If th ...

oval:org.secpod.oval:def:40237
This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing pol ...

oval:org.secpod.oval:def:40271
This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. Microsoft recommen ...

oval:org.secpod.oval:def:40206
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Vulnerability: If th ...

oval:org.secpod.oval:def:40274
This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 * subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case ...

oval:org.secpod.oval:def:40264
This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. The implementation of digital signing in Windows -based networks helps to prevent sessions from being hijacked. If you enable this policy setting, the Microsoft network client will use signing only if ...

oval:org.secpod.oval:def:40273
This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setti ...

oval:org.secpod.oval:def:40289
When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all domain controllers in the domain must be able to encrypt secure channel dat ...

oval:org.secpod.oval:def:40252
When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to sha ...

oval:org.secpod.oval:def:40212
This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to perform certain activities, such as enumerate the names of domain accounts and network shares. An unauthorized ...

oval:org.secpod.oval:def:40210
This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. Vulnerability: Session hijacking uses tools that allow attackers ...

oval:org.secpod.oval:def:40295
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Vulnerability: If th ...

oval:org.secpod.oval:def:40280
This policy setting determines whether packet signing is required by the SMB client component. If you enable this policy setting, the Microsoft network client computer cannot communicate with a Microsoft network server unless that server agrees to sign SMB packets. In mixed environments with legacy ...

oval:org.secpod.oval:def:40265
Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encryption. Microsoft recommends that you disable this policy setting unless there is a strong business case to enable it. If this ...

oval:org.secpod.oval:def:40267
This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the workstations in your environment.The Network access: Do n ...

CPE    1
cpe:/o:microsoft:windows_server_2016
CCE    90
CCE-47309-0
CCE-44499-2
CCE-45276-3
CCE-46761-3
...
*XCCDF
xccdf_org.secpod_benchmark_NIST_800_53_r4_Windows_Server_2016

© SecPod Technologies