[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

244625

 
 

909

 
 

193379

 
 

277

Paid content will be excluded from the download.


Download | Alert*


oval:org.secpod.oval:def:85551
Hides the Preview Pane in File Explorer. If you enable this policy setting, the Preview Pane in File Explorer is hidden and cannot be turned on by the user. If you disable, or do not configure this setting, the Preview Pane is hidden by default and can be displayed by the user. Fix: (1) GPO: ...

oval:org.secpod.oval:def:85548
To ensure secure DoD websites and DoD-signed code are properly validated, the system must trust the DoD Root Certificate Authorities (CAs). The DoD root certificates will ensure that the trust chain is established for server certificates issued from the DoD CAs.

oval:org.secpod.oval:def:85535
Some protocols and services do not support required security features, such as encrypting passwords or traffic.

oval:org.secpod.oval:def:85536
Local volumes must be formatted using NTFS.

oval:org.secpod.oval:def:85557
This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this policy setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download fo ...

oval:org.secpod.oval:def:85554
This policy setting allows you to audit events generated by validation tests on user account logon credentials. Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the loc ...

oval:org.secpod.oval:def:85524
Simple TCP/IP Services must not be installed on the system.

oval:org.secpod.oval:def:85549
Run as different user must be removed from context menus.

oval:org.secpod.oval:def:85542
Domain-joined systems must use Windows 10 Enterprise Edition 64-bit version.

oval:org.secpod.oval:def:85541
Windows 10 is maintained by Microsoft at servicing levels for specific periods of time to support Windows as a Service. Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities which leaves them subject to exploitation. New versions with feature ...

oval:org.secpod.oval:def:85523
"SNMP" is not installed by default. Verify it has not been installed. Navigate to the Windows\System32 directory. If the "SNMP" application exists, this is a finding.

oval:org.secpod.oval:def:85530
The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.

oval:org.secpod.oval:def:85525
The system must be configured to audit Logon/Logoff - Account Lockout failures.

oval:org.secpod.oval:def:85526
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Th ...

oval:org.secpod.oval:def:85519
This policy setting allows you to manage whether Windows marks file attachments from Internet Explorer or Microsoft Outlook? Express with information about their zone of origin (such as restricted, Internet, intranet, or local). This policy setting requires that files be downloaded to NTFS disk part ...

oval:org.secpod.oval:def:85522
Basic authentication uses plain text passwords that could be used to compromise a system.

oval:org.secpod.oval:def:85539
Accounts must be configured to require password expiration.

oval:org.secpod.oval:def:85545
Structured Exception Handling Overwrite Protection (SEHOP) must be turned on.

oval:org.secpod.oval:def:85520
Specifies whether Remote Desktop Services retains a users per-session temporary folders at logoff. You can use this setting to maintain a users session-specific temporary folders on a remote computer, even if the user logs off from a session. By default, Remote Desktop Services deletes a users temp ...

oval:org.secpod.oval:def:85546
The Server Message Block (SMB) v1 protocol must be disabled on the system.

oval:org.secpod.oval:def:85538
The system must be configured to audit Detailed Tracking - Process Creation successes.

oval:org.secpod.oval:def:85558
This policy setting prohibits access to Windows Connect Now (WCN) wizards. If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireles ...

oval:org.secpod.oval:def:85518
This policy setting turns off toast notifications on the lock screen. If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. If you disable or do not configure this policy setting, toast notifications on the lock screen are enabled and can ...

oval:org.secpod.oval:def:85553
A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices. If you enable this policy setting, only devices with a usable TPM provision Microsoft Passport for Work. If you disable this policy setting, al ...

oval:org.secpod.oval:def:85531
Internet Information System (IIS) or its subcomponents must not be installed on a workstation.

oval:org.secpod.oval:def:85532
The system must be configured to audit Privilege Use - Sensitive Privilege Use failures.

oval:org.secpod.oval:def:85543
The External CA Root Certificate must be installed into the Trusted Root Store.

oval:org.secpod.oval:def:85540
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Th ...

oval:org.secpod.oval:def:85521
Local Administrator Password Solution (LAPS) tool is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and member servers. The passwords are stored in a confidential attribute of th ...

oval:org.secpod.oval:def:85550
Some protocols and services do not support required security features, such as encrypting passwords or traffic.

oval:org.secpod.oval:def:85556
Enables or disables the retrieval of online tips and help for the Settings app. If disabled, Settings will not contact Microsoft content services to retrieve tips and help content. Fix: (1) GPO: Computer Configuration\Administrative Templates\Control Panel\Allow Online Tips (2) REG: HKEY_LOCAL_ ...

oval:org.secpod.oval:def:85547
BitLocker must be enabled on all fixed drives.

oval:org.secpod.oval:def:85533
Data Execution Prevention (DEP) must be configured to at least Opt Out.

oval:org.secpod.oval:def:85552
When WDigest authentication is enabled, Lsass.exe retains a copy of the users plaintext password in memory, where it can be at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed. If this setting is not configured, WDigest authentication is disabled in Windo ...

oval:org.secpod.oval:def:85528
Maintaining an audit trail of system activity logs can help identify configuration errors, troubleshoot service disruptions, and analyze compromises that have occurred, as well as detect attacks. Audit logs are necessary to provide a trail of evidence in case the system or network is compromised. Th ...

oval:org.secpod.oval:def:85527
The US DoD CCEB Interoperability Root CA cross-certificates must be installed in the Untrusted Certificate Store on unclassified systems.

oval:org.secpod.oval:def:38614
When you shutdown a PC with Fast Startup turned on, Windows saves the current system state and the contents of memory to a file called hiberfil.sys and then it shuts down the computer. Later, when you turn on the computer, rather than performing a full load of the entire system, Windows reads only t ...

oval:org.secpod.oval:def:85517
Determines if an anonymous user can request security identifier (SID) attributes for another user.

oval:org.secpod.oval:def:85555
This security setting determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or unde ...

oval:org.secpod.oval:def:85537
The maximum age for machine account passwords must be set to requirements.

oval:org.secpod.oval:def:95626
This policy setting controls whether computers will show a warning and a security elevation prompt when users are updating drivers for an existing connection using Point and Print. The recommended state for this setting is: Enabled: Show warning and elevation prompt. Enabling Windows User Account ...

oval:org.secpod.oval:def:95628
This policy setting specifies whether Windows apps can be activated by voice while the system is locked. If you choose the "User is in control" option, employees in your organization can decide whether users can interact with applications using speech while the system is locked by using Settings > ...

oval:org.secpod.oval:def:95629
This policy setting lets you control the redirection of location data to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services allows redirection of location data. If you enable this policy setting, users cannot redirect their location data to the remote com ...

oval:org.secpod.oval:def:95630
This policy setting allows you to audit when plug and play detects an external device. The recommended state for this setting is to include: Success . Note: A Windows 10, Server 2016 or newer OS is required to access and set this value in Group Policy. Fix: (1) GPO: Computer Configuration\ ...

oval:org.secpod.oval:def:95631
This policy setting controls whether Windows records attempts to connect with the OneSettings service to the EventLog. If you enable this policy, Windows will record attempts to connect with the OneSettings service to the Microsoft\Windows\Privacy-Auditing\Operational EventLog channel. If you disa ...

oval:org.secpod.oval:def:95632
This policy setting controls whether user have access to the Windows Package Manager. Windows Package Manager is a package manager solution that consists of a command line tool and set of services for installing applications on Microsoft Windows Server 2019 (or newer).The recommended state for this ...

oval:org.secpod.oval:def:95633
This policy setting controls whether winlogon sends Multiple Provider Router (MPR)notifications. MPR handles communication between the Windows operating system and the installed network providers. MPR checks the registry to determine which providers are installed on the system and the order they are ...

oval:org.secpod.oval:def:95634
This policy setting controls which protocol and protocol settings to use for outgoing Remote Procedure Call (RPC) connections to a remote print spooler.The recommended state for this setting is: Enabled: RPC over TCP Fix:(1) GPO: Computer Configuration\Policies\Administrative Templates\Printers\Conf ...

oval:org.secpod.oval:def:95636
This policy setting controls which port is used for RPC over TCP for incoming connections to the print spooler and outgoing connections to remote print spoolers.The recommended state for this setting is: Enabled: 0.Fix:(1) GPO: Computer Configuration\Policies\Administrative Templates\Printers\Config ...

oval:org.secpod.oval:def:95637
This policy setting enables or disables clipboard sharing with the sandbox. If you enable this policy setting, copy and paste between the host and Windows Sandbox are permitted. If you disable this policy setting, copy and paste in and out of Sandbox will be restricted. If you do not configure t ...

oval:org.secpod.oval:def:95638
This policy setting determines whether the minimum password length setting can be increased beyond the legacy limit of 14 characters. The recommended state for this setting is: Enabled . Note: This setting only affects local accounts on the computer. Domain accounts are only affected by se ...

oval:org.secpod.oval:def:95639
This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings di ...

oval:org.secpod.oval:def:95640
This policy setting controls whether or not users can override the SHA256 security validation in the Windows Package Manager settings. Users should not have the ability to override SHA256 security validation. The recommended state for this setting is: Disabled .Fix:(1) GPO: Computer Configuration\Po ...

oval:org.secpod.oval:def:95641
This policy setting lets you turn off cloud optimized content in all Windows experiences. If you enable this policy, Windows experiences that use the cloud optimized content client component, will instead present the default fallback content. If you disable or do not configure this policy, Windows ...

oval:org.secpod.oval:def:95642
This policy setting lets you turn off cloud consumer account state content in all Windows experiences. If you enable this policy, Windows experiences that use the cloud consumer account state content client component, will instead present the default fallback content. If you disable or do not co ...

oval:org.secpod.oval:def:95643
Enable or disable file hash computation feature. Enabled: When this feature is enabled Microsoft Defender will compute hash value for files it scans. Disabled: File hash value is not computed Not configured: Same as Disabled. Fix: (1) GPO: Computer Configuration\Administrative Templates\Win ...

oval:org.secpod.oval:def:95644
This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem on the device. Diagnostic logs are only sent when the device has been configured to send optional diagnostic data. By enabling this policy setting, diagnostic logs ...

oval:org.secpod.oval:def:95645
This policy setting controls which protocols incoming Remote Procedure Call (RPC) connections to the print spooler are allowed to use.The recommended state for this setting is: Enabled: RPC over TCP.Fix:(1) GPO: Computer Configuration\Policies\Administrative Templates\Printers\Configure RPC listener ...

oval:org.secpod.oval:def:95646
This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. The recommended state for this setting is: Enabled. By enabling this setting, Windows Error Reporting is limited to sending kernel mini dumps and user mode triage dumps. If ...

oval:org.secpod.oval:def:95647
This policy setting controls whether computers will show a warning and a security elevation prompt when users create a new printer connection using Point and Print. The recommended state for this setting is: Enabled: Show warning and elevation prompt. Enabling Windows User Account Control (UAC) fo ...

oval:org.secpod.oval:def:95648
This policy setting determines whether Redirection Guard is enabled for the print spooler. Redirection Guard can prevent file redirections from being used within the print spooler.The recommended state for this setting is: Enabled: Redirection Guard Enabled Fix:(1) GPO: Computer Configuration\Polici ...

oval:org.secpod.oval:def:95649
This policy specifies whether the widgets feature is allowed on the device. Widgets will be turned on by default unless you change this in your settings. If you turned this feature on before, it will stay on automatically unless you turn it off. Fix: (1) GPO: Computer Configuration\Administrative ...

oval:org.secpod.oval:def:95650
This policy setting controls the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g. Windows Hello for Business, se ...

oval:org.secpod.oval:def:95651
Disabling this setting turns off search highlights in the taskbar search box and in search home. Enabling or not configuring this setting turns on search highlights in the taskbar search box and in search home.Fix:(1) GPO: Computer Configuration/Administrative Templates/Windows Components/Search/Al ...

oval:org.secpod.oval:def:95652
Manages non-Administrator users' ability to install Windows app packages. If you enable this policy, non-Administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Admin ...

oval:org.secpod.oval:def:95653
This policy setting controls which protocol and protocol settings to use for outgoing Remote Procedure Call (RPC) connections to a remote print spooler.The recommended state for this setting is: Enabled: Default Fix:(1) GPO: Computer Configuration\Policies\Administrative Templates\Printers\Configure ...

oval:org.secpod.oval:def:95654
This policy setting controls which protocols incoming Remote Procedure Call (RPC) connections to the print spooler are allowed to use.The recommended state for this setting is: Enabled: Negotiate or higher.Fix:(1) GPO: Computer Configuration\Policies\Administrative Templates\Printers\Configure RPC l ...

oval:org.secpod.oval:def:95655
This policy setting controls the configuration under which the Local Security AuthoritySubsystem Service (LSASS) will load custom Security Support Provider/Authentication Package (SSP/AP).The recommended state for this setting is: Disabled .Fix:(1) GPO: Computer Configuration\Policies\Administrative ...

oval:org.secpod.oval:def:95656
This policy setting manages how queue-specific files are processed during printer installation. At printer installation time, a vendor-supplied installation application can specify a set of files, of any type, to be associated with a particular print queue. The files are downloaded to each client th ...

oval:org.secpod.oval:def:95658
By configuring this policy setting you can adjust what diagnostic data is collected from Windows. This policy setting also restricts the user from increasing the amount of diagnostic data collection via the Settings app. The diagnostic data collected under this policy impacts the operating system an ...

oval:org.secpod.oval:def:95659
This policy setting allows you to configure script scanning. If you enable or do not configure this setting, script scanning will be enabled. If you disable this setting, script scanning will be disabled. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Microso ...

oval:org.secpod.oval:def:95660
This policy setting controls whether Windows attempts to connect with the OneSettings service. If you enable this policy, Windows will not attempt to connect with the OneSettings Service. If you disable or don't configure this policy setting, Windows will periodically attempt to connect with the O ...

oval:org.secpod.oval:def:95661
This policy setting specifies if the Domain Name System (DNS) client will perform name resolution over Network Basic Input-Output System (NetBIOS). NetBIOS is a legacy name resolution method for internal Microsoft networking that predates the use of DNS for that purpose (Pre-Active Directory). Some ...

oval:org.secpod.oval:def:95662
This policy setting controls whether user have access to the Windows Package Manager. Windows Package Manager is a package manager solution that consists of a command line tool and set of services for installing applications on Microsoft Windows Server 2019 (or newer).The recommended state for this ...

oval:org.secpod.oval:def:95663
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. <br><br>If you enable this policy sett ...

oval:org.secpod.oval:def:95664
This policy setting controls whether users can install packages from a website that is using the ms-appinstaller protocol. The ms-appinstaller protocol allows users to install an application by clicking a link on a website.The recommended state for this setting is: Disabled .Fix:(1) GPO: Computer Co ...

oval:org.secpod.oval:def:95665
This policy setting specifies whether news and interests is allowed on the device. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\News and interests\Enable news and interests on the taskbar (2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows ...

oval:org.secpod.oval:def:95666
This policy setting determines whether User Interface (UI) Automation client applications running on the local computer can access UI elements on the server. UI Automation gives programs access to most UI elements, which lets you use assistive technology products like Magnifier and Narrator that ne ...

oval:org.secpod.oval:def:95667
This policy setting enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox. If you enable this policy setting, networking is done by creating a virtual switch on the host, and connects the Windows Sandbox to it via a virtu ...

oval:org.secpod.oval:def:95668
This policy controls whether the print spooler will accept client connections. When the policy is unconfigured or enabled, the spooler will always accept client connections. When the policy is disabled, the spooler will not accept client connections nor allow users to share printers. All printers ...

oval:org.secpod.oval:def:95714
This policy setting controls whether users who aren't Administrators can install print drivers on the system. The recommended state for this setting is: Enabled. Note: On August 10, 2021, Microsoft announced a Point and Print Default Behavior Change which modifies the default Point and Print driv ...

oval:org.secpod.oval:def:95713
This policy setting controls whether the Local Security Authority Subservice Service (LSASS) runs in protected mode and also has the option to lock in protected mode with Unified Extensible Firmware Interface (UEFI). The Local Security Authority (LSA), which includes the LSASS process, validates use ...

oval:org.secpod.oval:def:95712
If you turn this policy setting on, local users won't be able to set up and use security questions to reset their passwords. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\Prevent the use of security questions for local accounts (2) REG ...

oval:org.secpod.oval:def:95711
This policy setting prevents disables Internet explorer. If you enable this policy setting, Internet explorer will be disabled If you disable this policy setting, Internet explorer will be Enabled Fix: (1) GPO: Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Ex ...

oval:org.secpod.oval:def:95710
This policy setting removes the Spotlight collection setting in Personalization, rendering the user unable to select and subsequently download daily images from Microsoft to desktop. If you enable this policy, Spotlight collection will not be available as an option in Personalization settings. If ...

oval:org.secpod.oval:def:80719
Allow Windows Ink Workspace Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Ink Workspace\Allow Windows Ink Workspace (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsInkWorkspace!AllowWindowsInkWorkspace

oval:org.secpod.oval:def:80717
Windows Game Recording and Broadcasting. This setting enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording will not be allowed. If the setting is enabled or not configured, then Recording and Broadcasting (streaming) will be a ...

oval:org.secpod.oval:def:80718
Allow suggested apps in Windows Ink Workspace Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Ink Workspace\Allow suggested apps in Windows Ink Workspace (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsInkWorkspace!AllowSuggestedAppsInWindo ...

oval:org.secpod.oval:def:80711
This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Remo ...

oval:org.secpod.oval:def:80712
This policy setting lets you control the redirection of supported Plug and Play and RemoteFX USB devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services does not allow redirection of supported Plug and Play and Rem ...

oval:org.secpod.oval:def:80710
If you enable this setting, users will not be able to push Apps to this device from the Microsoft Store running on other devices or the web. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Push To Install\Turn off Push To Install service (2) REG: HKEY_LOCAL_MACHI ...

oval:org.secpod.oval:def:80715
This policy setting determines whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don't configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to ...

oval:org.secpod.oval:def:80716
Denies access to the retail catalog in the Microsoft Store, but displays the private store. If you enable this setting, users will not be able to view the retail catalog in the Microsoft Store, but they will be able to view apps in the private store. If you disable or don't configure this setting, ...

oval:org.secpod.oval:def:80713
This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download ...

oval:org.secpod.oval:def:80714
Allow search and Cortana to search cloud sources like OneDrive and SharePoint Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cloud Search (2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowCloudSearch

oval:org.secpod.oval:def:80708
Enable or disable Microsoft Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet. Enabled: Specify the mode in the Options section: -Blo ...

oval:org.secpod.oval:def:80709
This policy setting allows you to configure whether or not Watson events are sent. If you enable or do not configure this setting, Watson events will be sent. If you disable this setting, Watson events will not be sent. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Com ...

oval:org.secpod.oval:def:80706
This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detec ...

oval:org.secpod.oval:def:80707
Set the state for each Attack Surface Reduction (ASR) rule. After enabling this setting, you can set each rule to the following in the Options section: - Block: the rule will be applied - Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not ac ...

oval:org.secpod.oval:def:80700
This policy setting allow the use of Camera devices on the machine. If you enable or do not configure this policy setting, Camera devices will be enabled. If you disable this property setting, Camera devices will be disabled. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windo ...

oval:org.secpod.oval:def:80701
This policy setting allows you to require a pin for pairing. If you set this to 'Never', a pin isn't required for pairing. If you set this to 'First Time', the pairing ceremony for new devices will always require a PIN. If you set this to 'Always', all pairings will require PIN. Fix: (1) GPO: ...

oval:org.secpod.oval:def:80704
This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Messaging\Allow Message Service Cloud Sync (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Messa ...

oval:org.secpod.oval:def:80705
This setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. This applies both to existing users of a device ...

oval:org.secpod.oval:def:80702
This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically ...

oval:org.secpod.oval:def:80703
Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The following list shows the supported values: 0 = HTTP only, no peering. 1 = HTTP blended with peering behind the same NAT. 2 = HTTP blended with peering across a private grou ...

oval:org.secpod.oval:def:35052
This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. If you enable thi ...

oval:org.secpod.oval:def:35294
This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file r ...

oval:org.secpod.oval:def:35295
This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in ...

oval:org.secpod.oval:def:35050
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. Counter Measure: Configure this policy setting to &amp;quot;Y ...

oval:org.secpod.oval:def:35292
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. If you enable this policy setting, all local administrator a ...

oval:org.secpod.oval:def:35293
This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to gr ...

oval:org.secpod.oval:def:35290
Specifies the period of inactivity before Windows turns off the display. If you enable this policy, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. If you disable this policy or do not configure it, users can see and c ...

oval:org.secpod.oval:def:35291
This policy setting allows you to manage the installation of app packages that do not originate from the Windows Store. Counter Measure: Organizations that develop their own line-of-business app packages or acquire then directly from vendors may want to enable this policy setting, however if y ...

oval:org.secpod.oval:def:35058
This policy setting allows you to associate an object identifier from a smart card certificate to a BitLocker-protected drive. This policy setting is applied when you turn on BitLocker. The object identifier is specified in the enhanced key usage (EKU) of a certificate. BitLocker can identify ...

oval:org.secpod.oval:def:35059
This policy setting allows you to control whether or not platform validation data is refreshed when Windows is started following BitLocker recovery. If you enable this policy setting, platform validation data will be refreshed when Windows is started following BitLocker recovery. If you di ...

oval:org.secpod.oval:def:35298
This policy setting controls the behavior of the elevation prompt for standard users. The options are: - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, ...

oval:org.secpod.oval:def:35056
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Counter Measure: Configure this setting to block inbound connections by default. Poten ...

oval:org.secpod.oval:def:35057
This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is needed to authenticate an RD Session Host server when SSL (TLS 1.0) is used to secure communicat ...

oval:org.secpod.oval:def:35299
This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection ...

oval:org.secpod.oval:def:35054
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) Counter Measure: Configure the MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) ent ...

oval:org.secpod.oval:def:35296
Use this option to specify the path and name of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to a value suitable for your organization, such as the default value of &amp;quot;%SYSTEMROOT%\System32\logfiles\firewall\publicfw.l ...

oval:org.secpod.oval:def:35055
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Counter Measure: Configure the MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) entry to a value of 0. The possible ...

oval:org.secpod.oval:def:35283
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. If you enable this ...

oval:org.secpod.oval:def:35284
This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an adminis ...

oval:org.secpod.oval:def:35042
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not conf ...

oval:org.secpod.oval:def:35281
This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file r ...

oval:org.secpod.oval:def:35282
This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL. If you enable this setting, the proxy server will be bypassed for the specified addresses. If you ...

oval:org.secpod.oval:def:35280
This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators Administrators and Power Users Administrators and Interactive Users Default: This policy is not defined and only Administrators have this ability. Counter Mea ...

oval:org.secpod.oval:def:35049
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Counter Measure: Configure the MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) entry to a value of Disabled. The po ...

oval:org.secpod.oval:def:35047
This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications ...

oval:org.secpod.oval:def:35289
This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality includ ...

oval:org.secpod.oval:def:35048
MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended) Counter Measure: Enable this setting. Potential Impact: Users will need to retype their password each time a dial-up connection is made. Fix: (1) GPO: Computer Configuration\Administrative Templates\M ...

oval:org.secpod.oval:def:35287
This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on ...

oval:org.secpod.oval:def:35045
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Counter Measure: Configure the MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) entry to a value of Highest protection, source routing is compl ...

oval:org.secpod.oval:def:35046
This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. Special profiles are the following user profiles, where changes are discarded after the user signs off: Roaming user profiles to which the &amp;quot;Delete cached co ...

oval:org.secpod.oval:def:35285
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for an ...

oval:org.secpod.oval:def:35286
This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send LM & ...

oval:org.secpod.oval:def:35044
This policy setting allows you to configure definition updates on startup when there is no antimalware engine present. If you enable or do not configure this setting, definition updates will be initiated on startup when there is no antimalware engine present. If you disable this setting, d ...

oval:org.secpod.oval:def:35272
This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. If you enable or do not configure this setting, protocol recognition will be enabled. If you disable this setting, protocol recognition will be disabled. Cou ...

oval:org.secpod.oval:def:35273
This policy setting allows you to configure the antimalware service to receive notifications to disable individual definitions in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable definitions that are causing false positive reports. You must have conf ...

oval:org.secpod.oval:def:35270
This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. If this policy setting is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances: Automat ...

oval:org.secpod.oval:def:35271
This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting. If you enable this policy setting, Windows is prevented from installing, or updating the device driver for, any device that is not described by either the &amp; ...

oval:org.secpod.oval:def:35038
This security setting determines what additional permissions are granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrat ...

oval:org.secpod.oval:def:35039
This policy setting determines whether the account name of the last user to log on to the client computers in your organization can display in each computer&amp;apos;s respective Windows logon screen. If you enable this policy setting, intruders cannot collect account names visually from the screens ...

oval:org.secpod.oval:def:35278
This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows: * None: The LDAP BIND request is issued with the options that are specified by the caller. * Negotiate signing: If Transport Layer Security/Secure Sockets Layer ...

oval:org.secpod.oval:def:35036
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Counter Measure: Configure the MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) entry to a value of Highest protection, source routing is ...

oval:org.secpod.oval:def:35279
This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - Good: T ...

oval:org.secpod.oval:def:35034
This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX. If this setting is enabled, case insensitivity is enforced for all directory object ...

oval:org.secpod.oval:def:35276
This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: * Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operation that requires elevation of privilege will prompt the user to approve the o ...

oval:org.secpod.oval:def:35277
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in t ...

oval:org.secpod.oval:def:35035
This policy setting determines if a computer can have multiple connections to the internet or to a Windows domain. If multiple connections are allowed, it then determines how network traffic will be routed. If this policy setting is set to 0, a computer can have simultaneous connections to the inte ...

oval:org.secpod.oval:def:35032
This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle ...

oval:org.secpod.oval:def:35033
This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. Counter Me ...

oval:org.secpod.oval:def:35029
This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compatibility. If you enable this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers ...

oval:org.secpod.oval:def:35261
This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as rea ...

oval:org.secpod.oval:def:35020
This security setting determines if users&amp;apos; private keys require a password to be used. The options are: User input is not required when new keys are stored and used User is prompted when the key is first used User must enter a password each time they use a key For more information, see Pu ...

oval:org.secpod.oval:def:35262
This security setting determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available on the Windows logon screen. When this policy is disabled, the option to shut down the computer does not appear on the Windows l ...

oval:org.secpod.oval:def:35260
This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker. I ...

oval:org.secpod.oval:def:35027
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Counter Measure: Configure the MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning entry to a value of 90. The possibl ...

oval:org.secpod.oval:def:35269
This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time. If you enable this ...

oval:org.secpod.oval:def:35028
This policy setting determines the default consent behavior of Windows Error Reporting. If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull-down menu in this policy sett ...

oval:org.secpod.oval:def:35025
This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer&amp;apos;s keyboard. Default: ...

oval:org.secpod.oval:def:35267
This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking ...

oval:org.secpod.oval:def:35026
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Counter Measure: Configure the MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes entry to a value of Disabled. The possible values for this registry entry are: ? 1 or 0. The ...

oval:org.secpod.oval:def:35023
This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state. If you enable this policy setting, Windows uses standby states to put the computer in a sleep state. If you disable or do not configure this policy setting, the only slee ...

oval:org.secpod.oval:def:35265
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. Important If you set Outbound connections to Block and then deploy the firewall poli ...

oval:org.secpod.oval:def:35266
This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. This setting applies to scheduled scans as well as the command line &amp;quot;mpcmdrun -SigUpdate&amp;quot;, but it has no effect on scans initiated manually from the ...

oval:org.secpod.oval:def:35024
This policy setting allows you to specify the default path that is displayed when the BitLocker Drive Encryption setup wizard prompts the user to enter the location of a folder in which to save the recovery password. This policy setting is applied when you turn on BitLocker. If you enable this ...

oval:org.secpod.oval:def:35021
This policy setting allows you to configure remote access to computers by using Remote Desktop Services. If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services ...

oval:org.secpod.oval:def:35263
This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not ...

oval:org.secpod.oval:def:35022
This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channe ...

oval:org.secpod.oval:def:35264
This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Counter Measure: Enable this policy setting to ensure that Windows Messenger does not collect usage information and to prevent display of the ...

oval:org.secpod.oval:def:35019
This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure channel data, it cannot establish a secure channel with a domain controller that is not capable of signing or encr ...

oval:org.secpod.oval:def:35097
This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The &amp;quot;Allow data recovery agent&amp;quot; check box is used to specify whether a data ...

oval:org.secpod.oval:def:35094
Use this option to specify the size limit of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to &amp;quot;16384&amp;quot;. Potential Impact: The log file size will be limited to the specified size, old events will be overwr ...

oval:org.secpod.oval:def:35095
Disables help tips that Windows shows to the user. By default, Windows will show the user help tips until the user has successfully completed the scenarios. If this setting is enabled, Windows will not show any help tips to the user. Counter Measure: Configure this setting depending ...

oval:org.secpod.oval:def:35092
Devices: Prevent users from installing printer drivers when connecting to shared printers For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of c ...

oval:org.secpod.oval:def:35093
This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. Counter Measure: Enable this setting to prevent p ...

oval:org.secpod.oval:def:35091
Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note: When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notificat ...

oval:org.secpod.oval:def:35098
This policy setting prevents users from adding new Microsoft accounts on this computer. If you select the &amp;quot;Users can&amp;apos;t add Microsoft accounts&amp;quot; option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft accou ...

oval:org.secpod.oval:def:35099
This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Counter Measure: Disable this setting to override firewall rules created locally by administrators. Potential Impac ...

oval:org.secpod.oval:def:35085
This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. Counter Measure: Configure this policy setting to Enabled to prevent Search Companion from downloading content updates during searches. Potential Impact: ...

oval:org.secpod.oval:def:35086
Specifies the period of inactivity before Windows turns off the display. If you enable this policy, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. If you disable this policy or do not configure it, users can see and c ...

oval:org.secpod.oval:def:35083
This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. Default: No message. Microsoft recommends that you use this setting, if appropriate to your environment and your orga ...

oval:org.secpod.oval:def:35084
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ...\Program Files\, including subfolders - ...\Windows\system32\ ...

oval:org.secpod.oval:def:35081
This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Cl ...

oval:org.secpod.oval:def:35082
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. If you enable this policy setting, the WinRM client will not use Digest authentication. If you disable or do not configure this policy setting, the WinRM client ...

oval:org.secpod.oval:def:35080
This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle ...

oval:org.secpod.oval:def:35089
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Counter Measure: Configure the MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers (Only recommended for servers) entry t ...

oval:org.secpod.oval:def:35087
This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. If you enable this setting, a system restore point will be created. If you disable or do not configure this setting, a system restore point will not be created. Counter Mea ...

oval:org.secpod.oval:def:35088
MSS: (AutoShareServer) Enable Administrative Shares (recommended except for highly secure environments) Counter Measure: Disable this setting. Potential Impact: Remote administrative users may not be able to perform administrative tasks. Fix: (1) GPO: Computer Configuration\Administrati ...

oval:org.secpod.oval:def:35074
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames Counter Measure: Configure the MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) entry to a value of Enabled. The possible values for th ...

oval:org.secpod.oval:def:35075
MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged Counter Measure: Enable and configure this setting. Potential Impact: Incorrect configuration can lead to DoS attacks having a larger affect on the server. Fix: (1) GPO: Comp ...

oval:org.secpod.oval:def:35073
This setting lets you configure how domain joined computers become registered as devices. When you enable this setting, domain joined computers automatically and silently get registered as devices with Azure Active Directory. Note: Additional requirements may apply on certain Windows SKUs. ...

oval:org.secpod.oval:def:35070
This security setting determines which registry paths and subpaths can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Even ...

oval:org.secpod.oval:def:35071
This policy setting allows you to prevent app notifications from appearing on the lock screen. If you enable this policy setting, no app notifications are displayed on the lock screen. If you disable or do not configure this policy setting, users can choose which apps display notifications ...

oval:org.secpod.oval:def:35078
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic Counter Measure: Do not configure the MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended) entry except on computers that use IPsec filters, where this entry should be configured t ...

oval:org.secpod.oval:def:35079
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Counter Measure: Configure the MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) entry to a value of Enabled. The possible values for this registry entry are: - 1 or 0. The default configuration for W ...

oval:org.secpod.oval:def:35076
This policy setting allows you to configure whether or not to display AM UI to the users. If you enable this setting AM UI won&amp;apos;t be available to users. Counter Measure: Configure this setting depending on your organization&amp;apos;s requirements. Potential Impact: Users are ...

oval:org.secpod.oval:def:35077
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Counter Measure: Do not configure the MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) entry except on highly secure computers, where it should be configured to a value of Disabled. The possible values for this r ...

oval:org.secpod.oval:def:35063
This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: Require NTLMv2 session security: The connection will fail if NTLMv2 prot ...

oval:org.secpod.oval:def:35061
This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are: No Action Lock Workstation Force Logoff Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box fo ...

oval:org.secpod.oval:def:35069
This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Remote Desktop Services allows users to disconn ...

oval:org.secpod.oval:def:35067
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) Counter Measure: Enable this setting. Potential Impact: The automatic detection Fix: (1) GPO: Computer Configuration\Administrative Templates\MSS (Legacy)\MSS: (EnableDeadGWDetect) Allow aut ...

oval:org.secpod.oval:def:35068
Denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. If you disable or do not configure this setting, access to the Store application is allowed. Counter Measure: Enable this policy setting. Potential Impact: If ...

oval:org.secpod.oval:def:35066
This policy setting controls computer restart performance at the risk of exposing BitLocker secrets. This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material used to encrypt data. This policy setting applies only when BitLocker protection is enabled. If ...

oval:org.secpod.oval:def:35335
This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately. Prior to Windows XP SP2, Autoplay is disabled ...

oval:org.secpod.oval:def:35336
This policy setting ignores the customized run list. You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs are added to the standard run list of ...

oval:org.secpod.oval:def:35334
Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Default: not enforced. Counter Measure: Configure this policy setting to 900 seconds (15 minutes) so that the risk of a user&amp ...

oval:org.secpod.oval:def:35331
Maximum PIN length configures the maximum number of characters allowed for the work PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, which ...

oval:org.secpod.oval:def:35332
This security setting determines if digital certificates are processed when a user or process attempts to run software with an .exe file name extension. This security settings is used to enable or disable certificate rules, a type of software restriction policies rule. With software restriction poli ...

oval:org.secpod.oval:def:35329
This policy setting allows the administrator to assign a specified credential provider as the default credential provider. If you enable this policy setting, the specified credential provider is selected on other user tile. If you disable or do not configure this policy setting, the system ...

oval:org.secpod.oval:def:35326
Disable turns off the launch of all apps from the Windows Store that came pre-installed or were downloaded. Apps will not be updated. Your Store will be also be disabled. Enable turns all of it back on. Counter Measure: Configure this setting depending on your organization&amp;apos;s requireme ...

oval:org.secpod.oval:def:35327
This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. Counter Measure: Enable the Turn off the &amp;quot;Publish to Web&amp;quot; task ...

oval:org.secpod.oval:def:35324
This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. When you enable hardware encoding, if an error occurs, we will attempt to use software encoding. If you disable or do not configure this policy, we will always use software encoding. If you ...

oval:org.secpod.oval:def:35325
This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX vGPU scenarios. When you use this setting on the RDP server, the server will use H.264/AVC 444 as the codec in an RDP 10 connection where both the client and server can use H.264/AVC 444. Counter Measure: Configur ...

oval:org.secpod.oval:def:35322
This setting specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The PIN can be set to expire after any number of days between 1 and 730, or PINs can be set to never expire if the policy is set to 0. Default: 0. Counter Measure: ...

oval:org.secpod.oval:def:35320
This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. Turning this setting on, or not configuring it, lets employees use F12 Developer Tools. Turning this setting off stops employees from using F12 Developer Tools. Counter Measure: Configure th ...

oval:org.secpod.oval:def:35321
This setting lets you decide whether employees can browse using InPrivate website browsing. Turning this setting on, or not configuring it, lets employees use InPrivate browsing on the corporate network. Turning this setting off stops employees from using InPrivate website browsing. Coun ...

oval:org.secpod.oval:def:35319
This setting lets you decide whether employees can override the SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops employees from ignoring the SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, ...

oval:org.secpod.oval:def:35317
This setting lets you configure your corporate Home pages for domain-joined devices. Your employees can change this setting. Turning this setting on lets you configure one or more corporate Home pages. If this setting is turned on, you must also include URLs to the pages, separating multiple pa ...

oval:org.secpod.oval:def:35318
This setting lets you decide whether employees can override the SmartScreen Filter warnings about potentially malicious websites. Turning this setting on stops employees from ignoring the SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not c ...

oval:org.secpod.oval:def:35315
This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If yo ...

oval:org.secpod.oval:def:35316
This policy setting allows you to manage installing Windows apps on additional volumes such as secondary partitions, USB drives, or SD cards. If you enable this setting, you can&amp;apos;t move or install Windows apps on volumes that are not the system volume. If you disable or do not conf ...

oval:org.secpod.oval:def:35311
This policy setting allows you to enable real-time definition updates in response to reports sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest definition update has definitions for a threat involving that file, the service will receive all o ...

oval:org.secpod.oval:def:35310
This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. Note: For a domain controller to request compound authentication, the policies &amp;quot;KDC support for claims, compound authentication, and Kerbero ...

oval:org.secpod.oval:def:35307
This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in the Idle session limit drop- ...

oval:org.secpod.oval:def:35304
This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group P ...

oval:org.secpod.oval:def:35301
This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to run by adding certificates to the Trusted Publishers certificate store on local ...

oval:org.secpod.oval:def:35371
This policy setting allows you to configure Information Protection Control (IPC). If you enable this setting, IPC will be enabled. If you disable or do not configure this setting, IPC will be disabled. Counter Measure: Configure this setting depending on your organization&amp;apos;s ...

oval:org.secpod.oval:def:35130
This policy setting allows user to suppress reboot notifications in UI only mode (for cases where UI can&amp;apos;t be in lockdown mode). If you enable this setting AM UI won&amp;apos;t show reboot notifications. Counter Measure: Configure this setting depending on your organization&amp;a ...

oval:org.secpod.oval:def:35372
This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. If you enable this setting, removable drives will be scanned during any type of scan. If you ...

oval:org.secpod.oval:def:35370
This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group ...

oval:org.secpod.oval:def:35379
This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not confi ...

oval:org.secpod.oval:def:35137
This policy setting prevents Windows Tips from being shown to users. If you enable this policy setting, users will no longer see Windows tips. If you disable or do not configure this policy setting, users may see contextual popups explaining how to use Windows. Microsoft uses diagnostic an ...

oval:org.secpod.oval:def:35138
This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. If you enable this policy setting, users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account. If you disable or do ...

oval:org.secpod.oval:def:35377
This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search. If you enable this policy setting, queries won&amp;apos;t be performed on the web and web results won&amp;apos;t be displayed when a user performs a qu ...

oval:org.secpod.oval:def:35135
This policy setting determines whether users can enable the following WLAN settings: &amp;quot;Connect to suggested open hotspots,&amp;quot; &amp;quot;Connect to networks shared by my contacts,&amp;quot; and &amp;quot;Enable paid services&amp;quot;. &amp;quot;Connect to suggested open hotspots& ...

oval:org.secpod.oval:def:35133
This policy applies to Wireless Display connections. This policy changes the preference order of the pairing methods. When enabled, it makes the connections to prefer a PIN for pairing to Wireless Display devices over the Push Button pairing method. If this policy setting is disabled or is ...

oval:org.secpod.oval:def:35375
This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. If you enable this policy setting, Windows Store apps that typically require a Microsoft account t ...

oval:org.secpod.oval:def:35134
This policy applies to Wireless Display connections. This policy means that the use of a PIN for pairing to Wireless Display devices is required rather than optional. Conversely it means that Push Button is NOT allowed. If this policy setting is disabled or is not configured, by default Pu ...

oval:org.secpod.oval:def:35376
Forces the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. If this setting is set to zero or not configured, then Start uses the default background, and users can change it. If this setting is set to a nonzero value, then Start us ...

oval:org.secpod.oval:def:35131
Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off. Counter Measure: Configure this setting depending on your organization&amp;apos;s requirements. Potential Impact: Automatic exclusions are delivered to Windows Server 2016. Fix: (1) ...

oval:org.secpod.oval:def:35373
Use this option to specify the path and name of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to a value suitable for your organization, such as the default value of &amp;quot;%SYSTEMROOT%\System32\logfiles\firewall\privatefw. ...

oval:org.secpod.oval:def:35374
This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To pre ...

oval:org.secpod.oval:def:35128
Minimum PIN length configures the minimum number of characters required for the work PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, which ...

oval:org.secpod.oval:def:35129
This policy setting specifies whether Cortana is allowed on the device. If you enable or don&amp;apos;t configure this setting, Cortana will be allowed on the device. If you disable this setting, Cortana will be turned off. When Cortana is off, users will still be able to use search to fi ...

oval:org.secpod.oval:def:35361
This policy setting allows you to configure monitoring for file and program activity. If you enable or do not configure this setting, monitoring for file and program activity will be enabled. If you disable this setting, monitoring for file and program activity will be disabled. Counter ...

oval:org.secpod.oval:def:35368
This policy setting allows you to control whether or not Search can perform queries on the web over metered connections, and if the web results are displayed in Search. If you enable this policy setting, queries won&amp;apos;t be performed on the web over metered connections and web results won ...

oval:org.secpod.oval:def:35369
This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. If you enable this policy setting, the PC&amp;apos;s network connectivity state cannot be changed without signing into Windows. If you disable or don&amp;apos;t configure t ...

oval:org.secpod.oval:def:35366
This policy setting allows you to configure scanning mapped network drives. If you enable this setting, mapped network drives will be scanned. If you disable or do not configure this setting, mapped network drives will not be scanned. Counter Measure: Configure this setting depending ...

oval:org.secpod.oval:def:35124
This policy setting specifies whether search and Cortana can provide location aware search and Cortana results. If this is enabled, search and Cortana can access location information. Counter Measure: Configure this setting depending on your organization&amp;apos;s requirements. Potentia ...

oval:org.secpod.oval:def:35367
This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified def ...

oval:org.secpod.oval:def:35364
This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the dr ...

oval:org.secpod.oval:def:35365
Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will no longer be able to enable or disable lock sc ...

oval:org.secpod.oval:def:35362
This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics. If you enable or do not con ...

oval:org.secpod.oval:def:35120
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both &amp;quot;configure log access&amp;quot; policy settings for this log in order to affect the both modern and legacy tools. If you enable th ...

oval:org.secpod.oval:def:35121
This policy setting lets you configure Protected Event Logging. If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data will be encrypted using the Cryptographic Me ...

oval:org.secpod.oval:def:35119
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both &amp;quot;configure log access&amp;quot; policy settings for this log in order to affect the both modern and legacy tools. If you enable th ...

oval:org.secpod.oval:def:35117
Manages a Windows app&amp;apos;s ability to share data between users who have installed the app. If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. ...

oval:org.secpod.oval:def:35118
This policy setting controls whether Windows Store apps with Windows Runtime API access directly from web content can be launched. If you enable this policy setting, Windows Store apps with Windows Runtime API access directly from web content cannot be launched; Windows Store apps without Windo ...

oval:org.secpod.oval:def:35350
This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an e ...

oval:org.secpod.oval:def:35115
This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. If you enable this policy setting, ECC curves are prioritized in the order specified.(Enter one Curve name per line) If you disable or do not configure this policy setting, the default ECC curve ...

oval:org.secpod.oval:def:35355
This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. Note: Use this option only in the most co ...

oval:org.secpod.oval:def:35113
When you enable this setting, planned password expiration longer than password age dictated by &amp;quot;Password Settings&amp;quot; policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. When you disable or n ...

oval:org.secpod.oval:def:35356
This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting the command line information for every process will be logged in ...

oval:org.secpod.oval:def:35111
Configures password parameters Password complexity: which characters are used when generating a new password Default: Large letters + small letters + numbers + special characters Password length Minimum: 8 characters Maximum: 64 characters Default: 14 characters Passw ...

oval:org.secpod.oval:def:35353
This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. If you enable this policy setting, you can define a ...

oval:org.secpod.oval:def:35112
Administrator account name: name of the local account you want to manage password for. DO NOT configure when you use built-in admin account. Built-in admin account is auto-detected by well-known SID, even when renamed DO configure when you use custom local admin account Counter Measure: ...

oval:org.secpod.oval:def:35354
Enables or disables the automatic download and installation of app updates. If you enable this setting, the automatic download and installation of app updates is turned off. If you disable this setting, the automatic download and installation of app updates is turned on. If you don&am ...

oval:org.secpod.oval:def:35352
This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name ...

oval:org.secpod.oval:def:35110
This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana ...

oval:org.secpod.oval:def:80599
Provides network access translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. Internet Connection Sharing (ICS) is a feature that allows someone to "share" their Internet connection with other machines on the network - it was designed for ...

oval:org.secpod.oval:def:35108
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. If you disable this policy sett ...

oval:org.secpod.oval:def:35109
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. If you enable this policy setting, only those users whose security descriptor matches the configured spe ...

oval:org.secpod.oval:def:35106
This policy setting configures behavior of samples submission when opt-in for MAPS telemetry is set. Possible options are: (0x0) Always prompt (0x1) Send safe samples automatically (0x2) Never send (0x2) Send all samples automatically Counter Measure: Configure this setting depending on you ...

oval:org.secpod.oval:def:35107
This policy setting allows you to define the number of consecutive scheduled scans that can be missed after which a catch-up scan will be forced. By default, the value of this setting is 2 consecutive scheduled scans. If you enable this setting, a catch-up scan will occur after the specified nu ...

oval:org.secpod.oval:def:80593
The Bluetooth service supports discovery and association of remote Bluetooth devices. Default: Manual. Counter Measure: The recommended state for this setting is Disabled. Potential Impact: Already installed Bluetooth devices may fail to operate properly and new devices may be prevented ...

oval:org.secpod.oval:def:80594
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. Note: In Windows 8.1 and Windows 10, this service is bundled with the SMB 1.0/CIFS File Sharing Support optional feature. As a result, removing that feature (highly recommended unless b ...

oval:org.secpod.oval:def:80592
Service supporting the audio gateway role of the Bluetooth Handsfree Profile. Note: This service was first introduced in Windows 10 Release 1803. It appears to have replaced the older Bluetooth Handsfree Service (BthHFSrv), which was removed from Windows in that release (it is not simply a rename, ...

oval:org.secpod.oval:def:80597
Enables the server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services). Note #2: An ...

oval:org.secpod.oval:def:80598
Detects other Infrared devices that are in range and launches the file transfer application. Infrared connections can potentially be a source of data compromise - especially via the automatic "file transfer application" functionality. Enterprise-managed systems should utilize a more secure method o ...

oval:org.secpod.oval:def:80595
Windows service for application access to downloaded maps. This service is started on- demand by application accessing downloaded maps. Mapping technologies can unwillingly reveal your location to attackers and other software that picks up the information. In addition, automatic downloads of data ...

oval:org.secpod.oval:def:80596
This service monitors the current location of the system and manages geofences (a geographical location with associated events). This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it is not a good idea to reveal your location to software in ...

oval:org.secpod.oval:def:35346
Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Counter Measure: Configure Network security: Allow LocalSystem NULL session fallback to Disabled. Potential Impact: Any applications that require NULL s ...

oval:org.secpod.oval:def:35104
Allows or denies development of Windows Store applications and installing them directly from an IDE. If you enable this setting and enable the &amp;quot;Allow all trusted apps to install&amp;quot; Group Policy, you can develop Windows Store apps and install them directly from an IDE. If yo ...

oval:org.secpod.oval:def:35347
This policy setting configures whether or not locations on removable drives can be added to libraries. If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed. If you disable or do not con ...

oval:org.secpod.oval:def:35102
This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in the Active session limit drop-down list. Remote Desktop ...

oval:org.secpod.oval:def:35344
This policy setting configures a local override for the configuration of network protection against exploits of known vulnerabilities. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable ...

oval:org.secpod.oval:def:35103
System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms For the Schannel Security Service Provider (SSP), this security setting disables the weaker Secure Sockets Layer (SSL) protocols and supports only the Transport Layer Security ...

oval:org.secpod.oval:def:35100
This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. If you enable this policy s ...

oval:org.secpod.oval:def:35343
This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. If you enable this policy setting, the advertising ID is turned off. Apps can&amp;apos;t use the ID for experiences across apps. If you disable or do not configure this policy s ...

oval:org.secpod.oval:def:35101
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to requi ...

oval:org.secpod.oval:def:35341
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. Counter Measure: Configure this policy setting to &amp;quot;Yes&amp;qu ...

oval:org.secpod.oval:def:35339
Enable LSA protection. For more information, see http://technet.microsoft.com/en-us/library/dn408187.aspx Counter Measure: Enable and configure this setting. Potential Impact: Some unprotected LSA processes will be unable to function. Fix: (1) GPO: Computer Configuration\Administrative T ...

oval:org.secpod.oval:def:88025
This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account access ...

oval:org.secpod.oval:def:88024
This policy allows you to audit the group membership information in the user logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a ne ...

oval:org.secpod.oval:def:81850
Internet Protocol version 6 (IPv6) is a set of protocols that computers use to exchange information over the Internet and over home and business networks. IPv6 allows for many more IP addresses to be assigned than IPv4 did. Older networking, hosts and operating systems may not support IPv6 natively. ...

oval:org.secpod.oval:def:81829
This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. If you enable or don't configure this setting, employees can use Adobe Flash. If you disable this setting, employees can't use Adobe Flash. Fix: (1) GPO: Computer Configuration\Administrative Templates\Wind ...

oval:org.secpod.oval:def:81828
This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. Note: Disabling this setting turns off the Address bar drop ...

oval:org.secpod.oval:def:81823
This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. If you enable this policy setting, network connectivity will be maintained in standby. If you disable this policy setting, network connectivity in standby is not guaranteed. This ...

oval:org.secpod.oval:def:81822
This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems. If you enable this policy setting, network connectivity will be maintained in standby. If you disable this policy setting, network connectivity in standby is not guaranteed. This ...

oval:org.secpod.oval:def:81821
This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). If you enable this policy setting, the "Choose a list of Internet Service Providers" path in the Internet Connection Wizard causes the wizard to exi ...

oval:org.secpod.oval:def:81827
This policy setting allows you to decide how the clipboard behaves while in Microsoft Defender Application Guard. If you enable this setting, you must choose from the following behaviors: - Disable clipboard functionality completely between the host and Application Guard - Enable the clipboard to ...

oval:org.secpod.oval:def:81826
This policy setting turns off Microsoft Defender Antivirus. If you enable this policy setting, Microsoft Defender Antivirus does not run, and will not scan computers for malware or other potentially unwanted software. If you disable this policy setting, Microsoft Defender Antivirus will run regar ...

oval:org.secpod.oval:def:81825
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes), in kilobyte increments. If you disable or do not configure t ...

oval:org.secpod.oval:def:81824
This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file reaches i ...

oval:org.secpod.oval:def:80728
This policy setting specifies whether to enable or disable tracking of responsiveness events. If you enable this policy setting, responsiveness events are processed and aggregated. The aggregated data will be transmitted to Microsoft through SQM. if you disable this policy setting, responsiveness ...

oval:org.secpod.oval:def:80729
This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. If you enable this policy setting, users are not gi ...

oval:org.secpod.oval:def:80722
Prevent users from making changes to the Exploit protection settings area in Windows Security. Enabled: Local users can not make changes in the Exploit protection settings area. Disabled: Local users are allowed to make changes in the Exploit protection settings area. Not configured: Same as D ...

oval:org.secpod.oval:def:80723
Enable this policy to manage which updates you receive prior to the update being released to the world. Dev Channel Ideal for highly technical users. Insiders in the Dev Channel will receive builds from our active development branch that is earliest in a development cycle. These builds are not matc ...

oval:org.secpod.oval:def:80720
This policy setting allows Web-based programs to install software on the computer without notifying the user. If you disable or do not configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows t ...

oval:org.secpod.oval:def:80721
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. If you enable this policy setting, the WinRM service automatically listens on the network for requests o ...

oval:org.secpod.oval:def:80726
This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only op ...

oval:org.secpod.oval:def:80727
Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. Enabled: Specify the mode in the Options section: -Block: Potentially unwanted software ...

oval:org.secpod.oval:def:80724
Enable this policy to specify when to receive Feature Updates. Defer Updates | This enables devices to defer taking the next Feature Update available to your channel for up to 14 days for all the pre-release channels and up to 365 days for the Semi-Annual Channel. Or, if the device is updating from ...

oval:org.secpod.oval:def:35514
This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following: Trusted Platform Module (TPM) configuration changes. Kernel-mode cryptographic self tests. Cryptographic provider operation ...

oval:org.secpod.oval:def:80725
Enable this policy to specify when to receive quality updates. You can defer receiving quality updates for up to 30 days. To prevent quality updates from being received on their scheduled time, you can temporarily pause quality updates. The pause will remain in effect for 35 days or until you clea ...

oval:org.secpod.oval:def:35512
This policy setting allows you to audit events related to security system extensions or services such as the following: A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to aut ...

oval:org.secpod.oval:def:81845
This policy setting sets the Attack Surface Reduction rules. Attack surface reduction helps prevent actions and apps that are typically used by exploit- seeking malware to infect machines. Fix: (1) GPO: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender An ...

oval:org.secpod.oval:def:35508
This policy setting allows you to audit events generated by changes to the authentication policy such as the following: Creation of forest and domain trusts. Modification of forest and domain trusts. Removal of forest and domain trusts. Changes to Kerberos policy under Computer Confi ...

oval:org.secpod.oval:def:81844
This policy setting lets you turn off all Windows Spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimi ...

oval:org.secpod.oval:def:81843
This policy setting lets you prevent Windows from using diagnostic data to provide tailored experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device (this data may include browser, app and feature usage, depending on the "diagnostic data" set ...

oval:org.secpod.oval:def:81842
If you enable this policy, Windows spotlight features like lock screen spotlight, suggested apps in Start menu or Windows tips will no longer suggest apps and content from third-party software publishers. Users may still see suggestions and tips to make them more productive with Microsoft features a ...

oval:org.secpod.oval:def:35504
This policy setting allows you to audit events generated by changes to security groups such as the following: Security group is created, changed, or deleted. Member is added or removed from a security group. Group type is changed. If you configure this policy setting, an audit event is ...

oval:org.secpod.oval:def:81849
System-wide Structured Exception Handler Overwrite Protection setting Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\EMET\System SEHOP (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings!SEHOP

oval:org.secpod.oval:def:81848
This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to shar ...

oval:org.secpod.oval:def:35502
This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited. If you configure this policy setting, an audit event is generated when a process is created. Success audits record successful a ...

oval:org.secpod.oval:def:81847
This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. If you enable this policy setting, users cannot participate in ...

oval:org.secpod.oval:def:81846
This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: ? 4715: The audit policy (SACL) on an object was changed. ? 4719: System audit policy was changed. ? 4902: The Per-user audit policy table was created. ? 4904: An attempt was made to registe ...

oval:org.secpod.oval:def:81841
This policy setting lets you configure Windows spotlight on the lock screen. If you enable this policy setting, "Windows spotlight" will be set as the lock screen provider and users will not be able to modify their lock screen. "Windows spotlight" will display daily images from Microsoft on the loc ...

oval:org.secpod.oval:def:81840
This policy setting allows you to configure required actions and validations that enable users to trust files that open in Application Guard. Upon successful completion, the files will open on the host. If you enable this setting, you must select one or more of the following: 0. Do not allow users ...

oval:org.secpod.oval:def:35501
This policy setting allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. If this policy setting is defined, the administrator can specify whether to audit only successes, only fai ...

oval:org.secpod.oval:def:81839
Sets the NetBIOS node type. When WINS servers are used, the default is hybrid (h), otherwise broadcast (b).This policy settings allows you to manage the computer's NetBIOS node type. The selected NetBIOS node type determines what methods NetBT will use to register and resolve names. If you enable t ...

oval:org.secpod.oval:def:81834
Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. If enabled, overriding certificate errors ar ...

oval:org.secpod.oval:def:81833
This policy settings lets you decide whether employees can access the about:flags page, which is used to change developer settings and to enable experimental features. If you enable this policy setting, employees can't access the about:flags page. If you disable or don't configure this setting, em ...

oval:org.secpod.oval:def:81832
If you enable or don't configure the Adobe Flash Click-to-Run setting, Microsoft Edge will require a user to click the Click-to-Run button, to click the content, or for the site to appear on the auto-allowed list, before loading and running the content. Sites get onto the auto-allowed list based on ...

oval:org.secpod.oval:def:81831
This policy setting lets you decide whether employees can save their passwords locally, using Password Manager. By default, Password Manager is turned on. If you enable this setting, employees can use Password Manager to save their passwords locally. If you disable this setting, employees can't us ...

oval:org.secpod.oval:def:81838
Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended.) Enabling this setting enables server-side processing of the SMBv1 protocol. (Default.) Changes to this setting require a reboot to take effect. For more information, see https://support.microsoft.com/kb/2 ...

oval:org.secpod.oval:def:81837
Configures the SMB v1 client driver's start type. To disable client-side processing of the SMBv1 protocol, select the "Enabled" radio button, then select "Disable driver" from the dropdown. WARNING: DO NOT SELECT THE "DISABLED" RADIO BUTTON UNDER ANY CIRCUMSTANCES! For Windows 7 and Servers 2008, ...

oval:org.secpod.oval:def:81836
This policy setting allows you to prevent Remote Desktop Services from creating session-specific temporary folders. You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each session. By default, Remote Desktop Services creates a separate tem ...

oval:org.secpod.oval:def:81835
This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. You can use this setting to prevent users from redirecting data to COM port peripherals or mapping local COM ports while they are logged on to ...

oval:org.secpod.oval:def:81830
Sideloading installs and runs unverified extensions in Microsoft Edge. With this policy, you can specify whether unverified extensions can be sideloaded in Microsoft Edge. If enabled or not configured, sideloading of unverified extensions in Microsoft Edge is allowed. If disabled, sideloading of u ...

oval:org.secpod.oval:def:35173
This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, standard users will ...

oval:org.secpod.oval:def:35171
This entry appears as MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) in the Local Group Policy Editor. You can configure a computer so that it does not send announcements to browsers on the domain. If you do, you hide the computer from the Ne ...

oval:org.secpod.oval:def:35172
Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. If the s ...

oval:org.secpod.oval:def:35179
Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. If you enable this setting, users will no longer be able to modify slide show settings ...

oval:org.secpod.oval:def:35178
Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (in ...

oval:org.secpod.oval:def:35175
This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (O ...

oval:org.secpod.oval:def:35162
This policy setting turns off the location feature for this computer. If you enable this policy setting, the location feature will be turned off, and all programs on this computer will not be able to use location information from the location feature. If you disable or do not configure thi ...

oval:org.secpod.oval:def:36494
This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user ri ...

oval:org.secpod.oval:def:35163
Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this setting the Store application will offer updates to the latest ...

oval:org.secpod.oval:def:36493
This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other user ...

oval:org.secpod.oval:def:35160
This policy setting allows you to configure the display of the password reveal button in password entry user experiences. If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box. If you disable or do n ...

oval:org.secpod.oval:def:36492
This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time ...

oval:org.secpod.oval:def:35161
This security setting determines which subsystems can optionally be started up to support your applications. With this security setting, you can specify as many subsystems to support your applications as your environment demands. Default: POSIX. Note: When you configure this setting you specif ...

oval:org.secpod.oval:def:36491
This privilege determines if the user can create a symbolic link from the computer he is logged on to. Default: Administrator WARNING: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren&amp;apos;t designed to handle th ...

oval:org.secpod.oval:def:36490
This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users. For information about how to ...

oval:org.secpod.oval:def:35169
This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to permit the use of a password, you can require that a password be used, enforce complexity requirements on the password, and configure a minimum length for the password. For ...

oval:org.secpod.oval:def:36499
This security setting determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy ...

oval:org.secpod.oval:def:36497
This security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows. For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an ...

oval:org.secpod.oval:def:36496
This user right determines which users and groups can change the time zone used by the computer for displaying the local time, which is the computer&amp;apos;s system time plus the time zone offset. System time itself is absolute and is not affected by a change in the time zone. This user right is ...

oval:org.secpod.oval:def:35165
This policy setting allows you to manage whether a check for new virus and spyware definitions will occur immediately after service startup. If you enable this setting, a check for new definitions will occur after service startup. If you disable this setting or do not configure this settin ...

oval:org.secpod.oval:def:36495
Specifies how much user idle time must elapse before the screen saver is launched. When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started. This setting has no effect under any of the fo ...

oval:org.secpod.oval:def:35393
This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a domain controller cannot be contacted. This policy setting determines the number of unique use ...

oval:org.secpod.oval:def:35151
Enables management of password for local administrator account If you enable this setting, local administrator password is managed If you disable or not configure this setting, local administrator password is NOT managed Counter Measure: Enable this setting. Potential Impact: Lo ...

oval:org.secpod.oval:def:35394
Use this option to specify the size limit of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to &amp;quot;16384&amp;quot;. Potential Impact: The log file size will be limited to the specified size, old events will be overwr ...

oval:org.secpod.oval:def:35152
This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. If you disable or do not configure this policy setting, KMS client activation data w ...

oval:org.secpod.oval:def:35391
This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure cha ...

oval:org.secpod.oval:def:35150
This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under &amp;quot;Get Insider builds,&amp;quot; and enable users to make their devices available for downloading and installing Windows preview soft ...

oval:org.secpod.oval:def:35392
This policy setting controls Event Log behavior when the log file reaches its maximum size. Counter Measure: Configure this setting to Disabled. Potential Impact: If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. ...

oval:org.secpod.oval:def:35390
This policy setting prevents connected users from being enumerated on domain-joined computers. If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. If you disable or do not configure this policy setting, connected users will be ...

oval:org.secpod.oval:def:35159
This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Counter Measure: Disable this setting to override firewall rules created locally by administrators. Potential Impact: If you co ...

oval:org.secpod.oval:def:35157
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. If you disable or do not con ...

oval:org.secpod.oval:def:35399
This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0. If you enable this setting, archive files will be scanned to the directory depth level specified. ...

oval:org.secpod.oval:def:35158
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to requi ...

oval:org.secpod.oval:def:36488
This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password co ...

oval:org.secpod.oval:def:36487
If the Password protect the screen saver setting is enabled, then all screen savers are password protected, if it is disabled then password protection cannot be set on any screen saver. Counter Measure: Configure this policy setting to Enabled so that when the other screen saver settings are i ...

oval:org.secpod.oval:def:35156
Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy is disabled, the only sleep state a computer may enter is hibernate. Counter Measure: During hibernat ...

oval:org.secpod.oval:def:35398
This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not ...

oval:org.secpod.oval:def:36486
This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right. Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default on workstations and ser ...

oval:org.secpod.oval:def:35153
This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. If you enable this policy setting, Windows PowerShell will enable transcription for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the ...

oval:org.secpod.oval:def:35395
This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: * Users can&amp;apos;t access OneDrive from the OneDrive app and file picker. * Windows Store apps can&amp;apos;t access OneDrive using the WinRT API. * ...

oval:org.secpod.oval:def:36485
This security setting determines which users can use performance monitoring tools to monitor the performance of system processes. Default: Administrators. Counter Measure: Ensure that only the local Administrators group is assigned the Profile system performance user right. Potential Impact: ...

oval:org.secpod.oval:def:35154
MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments) Counter Measure: Do not configure the MSS: (AutoShareWks) Enable Administrative Shares (not recommended except for highly secure environments) entry except on computers in highly secured enviro ...

oval:org.secpod.oval:def:35396
This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware definitions are disabled. It is recommended that this setting remain disabled. If you enable this setting, the antimalware service will always remain running even if ...

oval:org.secpod.oval:def:35382
This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevati ...

oval:org.secpod.oval:def:35140
Enables or disables the automatic download and update of map data. If you enable this setting the automatic download and update of map data is turned off. If you disable this setting the automatic download and update of map data is turned on. If you don&amp;apos;t configure this setti ...

oval:org.secpod.oval:def:35383
This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly ...

oval:org.secpod.oval:def:36471
This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share ...

oval:org.secpod.oval:def:35380
This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use. If you enable or do not configure this setting, scheduled scans will only run when the computer is on but not in use. If you disable this setting, scheduled scans will run at ...

oval:org.secpod.oval:def:35148
This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client. If you enable this policy setting, the SMB server will select the cipher suite it most prefers from the list of client-supported cipher suites, ignoring the client&amp; ...

oval:org.secpod.oval:def:36479
This security setting determines which users or groups have permission to log on as a Remote Desktop Services client. Default: On workstation and servers: Administrators, Remote Desktop Users. On domain controllers: Administrators. Important This setting does not have any effect on Windows 2000 ...

oval:org.secpod.oval:def:35388
Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. Counter Measure: We recommend that you disable this policy setting unless you have to support legacy business applications that do not support it. Potential Impact: ...

oval:org.secpod.oval:def:36478
This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. Note: This security setting does not apply to the System, Local Service, or ...

oval:org.secpod.oval:def:35389
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. If you disable or do not co ...

oval:org.secpod.oval:def:35147
This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. Counter Measure: Disable this setting to prevent the client from receiving unicast responses. Potential Impact: If you enable this setting and thi ...

oval:org.secpod.oval:def:36477
This security setting determines whether the local Administrator account is enabled or disabled. Notes If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In ...

oval:org.secpod.oval:def:35386
This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (i ...

oval:org.secpod.oval:def:35144
This setting specifies the number of past PINs that can be associated to a user account that can&amp;apos;t be reused. This policy enables administrators to enhance security by ensuring that old PINs are not reused continually. PIN history is not preserved through PIN reset. The value must be b ...

oval:org.secpod.oval:def:36476
This security setting determines whether the operating system stores passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the user&amp;apos;s password for authentication purposes. Storing passwords using reversible encrypt ...

oval:org.secpod.oval:def:35387
Specifies whether to disable the administrator rights to customize security permissions in the Remote Desktop Session Host Configuration tool. You can use this setting to prevent administrators from making changes to the user groups on the Permissions tab in the Remote Desktop Session Host Conf ...

oval:org.secpod.oval:def:35145
This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. If you enalbe this setting, the Remote Desktop Client will use only software decoding. For example, if you have a problem that you suspect may be related to hard ...

oval:org.secpod.oval:def:36475
If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options. If you do not configure it, this setting has no effect o ...

oval:org.secpod.oval:def:35142
This setting lets you decide whether an employee&amp;apos;s LocalHost IP address shows while making phone calls using the WebRTC protocol. Turning this setting on hides an employee&amp;apos;s LocalHost IP address while making phone calls using WebRTC. Turning this setting off, or not confi ...

oval:org.secpod.oval:def:35143
This policy setting specifies what happens when Microsoft Edge opens a new tab. By default, a new tab page appears. If you disable this policy setting, Microsoft Edge opens a new, empty tab. Employees can&amp;apos;t change this option. If you enable or don&amp;apos;t configure this policy ...

oval:org.secpod.oval:def:35385
Specifies whether or not the user is prompted for a password when the system resumes from sleep. Counter Measure: Configure Require a Password When a Computer Wakes (On Battery) to Enabled. Potential Impact: If you enable this policy, or if it is not configured, the user is prompted for a ...

oval:org.secpod.oval:def:36473
This subcategory reports events generated by the Kerberos Authentication Server. These events occur on the computer that is authoritative for the credentials. Events for this subcategory include: - 4768: A Kerberos authentication ticket (TGT) was requested. - 4771: Kerberos pre-authentication failed ...

oval:org.secpod.oval:def:35139
This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. If you enable this policy setting, users will no longer see feedback notifications through the Windows Feedback app. If you disable or do not configure this policy setting, use ...

oval:org.secpod.oval:def:35195
Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specifie ...

oval:org.secpod.oval:def:35196
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software. Th ...

oval:org.secpod.oval:def:35194
Enable auditing of Lsass.exe to evaluate feasibility of enabling LSA protection. For more information, see http://technet.microsoft.com/en-us/library/dn408187.aspx Counter Measure: Enable and configure this setting. Potential Impact: Some unprotected LSA processes will be unable to functio ...

oval:org.secpod.oval:def:35191
This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certai ...

oval:org.secpod.oval:def:35190
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Counter Measure: ...

oval:org.secpod.oval:def:35199
This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a max ...

oval:org.secpod.oval:def:35184
This security setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If this policy is enabled, it allows only the interactively logged-on user to access removable CD-ROM media. If this policy is enabled and no one is logged on interactively, the CD-ROM can ...

oval:org.secpod.oval:def:35185
This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Enabling this option when the Audit privilege use policy is also enabled generates an audit event for every file that is backed up or rest ...

oval:org.secpod.oval:def:35182
This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the us ...

oval:org.secpod.oval:def:35180
This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and Exclusions. If you enable or do not configure this setting, unique items defined in Group Policy and in ...

oval:org.secpod.oval:def:35188
This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. If you enable or do not configure this policy setting, the device securely saves the user&amp;apos;s credentials (including the user name, domain and encr ...

oval:org.secpod.oval:def:35189
Use this option to specify the path and name of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to a value suitable for your organization, such as the default value of %SYSTEMROOT%\System32\logfiles\firewall\domainfw.log. Poten ...

oval:org.secpod.oval:def:35456
This setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should only be used if there are known compatibility problems with Microsoft Edge. Turning this setting on automatically opens all intranet sites using Internet Explorer 11. Tu ...

oval:org.secpod.oval:def:35214
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. Counter Measure: Configure this policy setting to &amp;quot;Y ...

oval:org.secpod.oval:def:36546
This security setting determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can ...

oval:org.secpod.oval:def:35215
This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication. If you enable this setting, Credential Manager does not store passwords and credentials on the computer. If you disable or do not configure this policy sett ...

oval:org.secpod.oval:def:35457
This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. Turning this setting on, or not configuring it, lets your employees see search suggestions in the Address bar. Turning this setting off stops employees from seeing search suggestions ...

oval:org.secpod.oval:def:35454
This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. Turning this setting on lets your employees send Do Not Track headers. Turning this setting off, or not configuring it, stops your employees from sending Do Not Track header ...

oval:org.secpod.oval:def:35455
This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. Consult the Bit ...

oval:org.secpod.oval:def:35210
Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category le ...

oval:org.secpod.oval:def:35452
This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. Consult the Bit ...

oval:org.secpod.oval:def:36542
This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution Assigning this user right can be a security risk. Since owners of objects have full ...

oval:org.secpod.oval:def:35453
This setting lets you decide whether to turn on SmartScreen Filter. SmartScreen Filter provides warning messages to help protect your employees from potential phishing scams and malicious software. Turning this setting on, or not configuring it, turns on SmartScreen Filter. Turning this se ...

oval:org.secpod.oval:def:35211
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Counter Measure: ...

oval:org.secpod.oval:def:36541
This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service. Default on Workstations: Administrators, Backup Operators, Users. Default on Servers: ...

oval:org.secpod.oval:def:36540
This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler. For information about Task Scheduler, see Task Scheduler overvie ...

oval:org.secpod.oval:def:35450
This setting lets you decide whether employees can save their passwords locally, using Password Manager. Turning this setting on, or not configuring it, lets your employees use Password Manager. Turning this setting off stops your employees from using Password Manager. Counter Measure: ...

oval:org.secpod.oval:def:35451
This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer configuration\Administrative ...

oval:org.secpod.oval:def:35209
Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as op ...

oval:org.secpod.oval:def:35449
This policy setting determines whether enhanced anti-spoofing is configured for devices which support it. If you do not configure this policy setting, users will be able to choose whether or not to use enhanced anti-spoofing on supported devices. If you enable this policy setting, Windows ...

oval:org.secpod.oval:def:36539
This security setting determines which users can use performance monitoring tools to monitor the performance of non system processes. Default: Administrators, Power users. Counter Measure: Ensure that only the local Administrators group is assigned the Profile single process user right. Pote ...

oval:org.secpod.oval:def:35208
This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer. If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. This prevents users from choosing not to use Work Folder ...

oval:org.secpod.oval:def:35205
This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent &amp;quot;man-in-t ...

oval:org.secpod.oval:def:35447
This policy setting specifies whether Windows apps have access to control radios. If you choose the &amp;quot;User is in control&amp;quot; option, employees in your organization can decide whether Windows apps have access to control radios by using Settings &amp;gt; Privacy on the device. ...

oval:org.secpod.oval:def:35448
This policy setting specifies whether Windows apps can sync with devices. If you choose the &amp;quot;User is in control&amp;quot; option, employees in your organization can decide whether Windows apps can sync with devices by using Settings &amp;gt; Privacy on the device. If you choose th ...

oval:org.secpod.oval:def:35206
This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off. If you enable or do not configure this setting, a process scan will be initiated when real-time protection ...

oval:org.secpod.oval:def:35445
This policy setting specifies whether Windows apps can access the microphone. If you choose the &amp;quot;User is in control&amp;quot; option, employees in your organization can decide whether Windows apps can access the microphone by using Settings &amp;gt; Privacy on the device. If you c ...

oval:org.secpod.oval:def:36535
This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If ...

oval:org.secpod.oval:def:35446
This policy setting specifies whether Windows apps can access trusted devices. If you choose the &amp;quot;User is in control&amp;quot; option, employees in your organization can decide whether Windows apps can access trusted devices by using Settings &amp;gt; Privacy on the device. If you ...

oval:org.secpod.oval:def:35204
This policy setting allows you to configure the automatic scan which starts after a definition update has occurred. If you enable or do not configure this setting, a scan will start following a definition update. If you disable this setting, a scan will not start following a definition upd ...

oval:org.secpod.oval:def:36534
This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution Assigning this user right can be a ...

oval:org.secpod.oval:def:35443
This policy setting specifies whether Windows apps can access the calendar. If you choose the &amp;quot;User is in control&amp;quot; option, employees in your organization can decide whether Windows apps can access the calendar by using Settings &amp;gt; Privacy on the device. If you choos ...

oval:org.secpod.oval:def:36532
This security setting determines how often a domain member will attempt to change its computer account password. Default: 30 days. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly or set it to 0 so that the computers ...

oval:org.secpod.oval:def:35444
This policy setting specifies whether Windows apps can access the camera. If you choose the &amp;quot;User is in control&amp;quot; option, employees in your organization can decide whether Windows apps can access the camera by using Settings &amp;gt; Privacy on the device. If you choose th ...

oval:org.secpod.oval:def:35202
This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. If you enable the No auto-restart for scheduled Automatic Updates installations setting, Automatic Updates does not restart c ...

oval:org.secpod.oval:def:35441
This policy setting specifies whether Windows apps can read or send messages (text or MMS). If you choose the &amp;quot;User is in control&amp;quot; option, employees in your organization can decide whether Windows apps can read or send messages by using Settings &amp;gt; Privacy on the device. ...

oval:org.secpod.oval:def:35442
This policy setting specifies whether Windows apps can access motion data. If you choose the &amp;quot;User is in control&amp;quot; option, employees in your organization can decide whether Windows apps can access motion data by using Settings &amp;gt; Privacy on the device. If you choose ...

oval:org.secpod.oval:def:35440
This policy setting specifies whether Windows apps can access location. If you choose the &amp;quot;User is in control&amp;quot; option, employees in your organization can decide whether Windows apps can access location by using Settings &amp;gt; Privacy on the device. If you choose the &a ...

oval:org.secpod.oval:def:35438
This policy setting specifies whether Windows apps can access contacts. If you choose the &amp;quot;User is in control&amp;quot; option, employees in your organization can decide whether Windows apps can access contacts by using Settings &amp;gt; Privacy on the device. If you choose the &a ...

oval:org.secpod.oval:def:35439
This policy setting specifies whether Windows apps can access email. If you choose the &amp;quot;User is in control&amp;quot; option, employees in your organization can decide whether Windows apps can access email by using Settings &amp;gt; Privacy on the device. If you choose the &amp;quo ...

oval:org.secpod.oval:def:36527
Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a serv ...

oval:org.secpod.oval:def:35436
This policy setting specifies whether Windows apps can access account information. If you choose the &amp;quot;User is in control&amp;quot; option, employees in your organization can decide whether Windows apps can access account information by using Settings &amp;gt; Privacy on the device. ...

oval:org.secpod.oval:def:36526
This security setting determines if the Guest account is enabled or disabled. Default: Disabled. Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microso ...

oval:org.secpod.oval:def:35437
This policy setting specifies whether Windows apps can access call history. If you choose the &amp;quot;User is in control&amp;quot; option, employees in your organization can decide whether Windows apps can access call history by using Settings &amp;gt; Privacy on the device. If you choos ...

oval:org.secpod.oval:def:35434
This policy setting helps prevent Terminal Services clients from saving passwords on a computer. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Terminal Services client disconnects from any server. ...

oval:org.secpod.oval:def:35435
This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons. If you disable this policy setting, the SMB client will reject ...

oval:org.secpod.oval:def:35432
This policy setting allows you to configure whether or not to display notifications to clients when they need to perform the following actions: Run a full scan Download the latest virus and spyware definitions Download Standalone System Sweeper If you enable or do not configure ...

oval:org.secpod.oval:def:35433
If you enable this policy setting, users are required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism. This means that before entering account and password information to authorize an elevation request, a user first need to press CTRL+ALT+DEL. Counter Meas ...

oval:org.secpod.oval:def:35430
This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the ...

oval:org.secpod.oval:def:35431
This policy setting allows you to manage whether the &amp;apos;Install Updates and Shut Down&amp;apos; option is allowed to be the default choice in the Shut Down Windows dialog. Note: that this policy setting has no impact if the Computer Configuration\Administrative Templates\Windows Components\Wi ...

oval:org.secpod.oval:def:35427
This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this settin ...

oval:org.secpod.oval:def:35428
This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. If you enable this setting, network files will be scanned. If you disable or do not configure this setting, network files will not be scanned. Counter Measure: ...

oval:org.secpod.oval:def:35426
This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group ...

oval:org.secpod.oval:def:35423
This policy setting configures access to remote shells. If you enable this policy setting and set it to False, new remote shell connections are rejected by the server. If you disable or do not configure this policy setting, new remote shell connections are allowed. Counter Measure: Configure ...

oval:org.secpod.oval:def:36512
This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access mem ...

oval:org.secpod.oval:def:35421
Logon information must be provided to unlock a locked computer. For domain accounts, this security setting determines whether a domain controller must be contacted to unlock a computer. If this setting is disabled, a user can unlock the computer using cached credentials. If this setting is enabled, ...

oval:org.secpod.oval:def:36511
This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer&amp;apos;s email serv ...

oval:org.secpod.oval:def:35422
This security setting determines whether the virtual memory pagefile is cleared when the system is shut down. Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and i ...

oval:org.secpod.oval:def:36510
This policy setting allows you to prevent Windows Media Player from downloading codecs. If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player tab in the Player is not ...

oval:org.secpod.oval:def:35420
This policy setting ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system st ...

oval:org.secpod.oval:def:36509
This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. Default: 7 on domain controllers. 0 on sta ...

oval:org.secpod.oval:def:35418
This policy setting allows encrypted items to be indexed. If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting, the search service components (including non-Microsoft components) are expec ...

oval:org.secpod.oval:def:35419
This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. ...

oval:org.secpod.oval:def:36507
This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kerne ...

oval:org.secpod.oval:def:35416
This policy setting allows you to manage whether the &amp;apos;Install Updates and Shut Down&amp;apos; option is displayed in the Shut Down Windows dialog box. If you enable this policy setting, &amp;apos;Install Updates and Shut Down&amp;apos; will not appear as a choice in the Shut Down Windows d ...

oval:org.secpod.oval:def:36506
This security setting determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operat ...

oval:org.secpod.oval:def:35417
This security setting specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. Default: No message. Microso ...

oval:org.secpod.oval:def:35414
This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Compute ...

oval:org.secpod.oval:def:36504
This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: Not contain the user&amp;apos;s account name or parts of the user&amp;apos;s full name that exceed two consecutive characters * B ...

oval:org.secpod.oval:def:35415
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. If you enable this policy setting, the WinRM client will use Basic authentication. If WinRM is configured to use HTTP transport, then the user name and password are sent over ...

oval:org.secpod.oval:def:35250
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Counter Measure: ...

oval:org.secpod.oval:def:35493
This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out. If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful ...

oval:org.secpod.oval:def:35490
This policy setting allows you to audit events generated by changes to the authorization policy such as the following: Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the &amp;quot;Authentication Policy Change&amp;quot; subcategory. Remova ...

oval:org.secpod.oval:def:35491
This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: Reporting of active policies when Windows Firewall service starts. Changes to Windows ...

oval:org.secpod.oval:def:35258
This policy setting determines which users or groups might access DCOM application remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications. You can use this policy setting to specify access permissions to all the computers to particular user ...

oval:org.secpod.oval:def:35016
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. Important If you set Outbound connections to Block and then deploy the firewall poli ...

oval:org.secpod.oval:def:35259
This security setting determines whether to audit the access of global system objects. If this policy is enabled, it causes system objects, such as mutexes, events, semaphores and DOS devices, to be created with a default system access control list (SACL). Only named objects are given a SACL; SACLs ...

oval:org.secpod.oval:def:35017
This policy setting allows users to enable authentication options that require user input from the pre-boot environment even if the platform indicates lack of pre-boot input capability. The Windows on-screen touch keyboard (such as used by slates) is not available in the pre-boot environment wh ...

oval:org.secpod.oval:def:35014
This policy setting allows you to configure IP Stateless Autoconfiguration Limits. If you enable or do not configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured addresses and routes. If you disable this polic ...

oval:org.secpod.oval:def:35256
This policy setting allows you to manage whether or not end users can pause a scan in progress. If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan. If you disable this setting, users will not be able to p ...

oval:org.secpod.oval:def:35498
This policy setting allows you to audit events generated by changes to application groups such as the following: Application group is created, changed, or deleted. Member is added or removed from an application group. If you configure this policy setting, an audit event is generated when an ...

oval:org.secpod.oval:def:35257
This policy setting allows you to enable download of definition updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update. If you enable this setting, definition updates will be downloaded from Microsoft Update. ...

oval:org.secpod.oval:def:35015
Specifies whether &amp;quot;Events.asp&amp;quot; hyperlinks are available for events within the Event Viewer application. The Event Viewer normally makes all HTTP(S) URLs into hot links that activate the Internet browser when clicked. In addition, &amp;quot;More Information&amp;quot; is placed ...

oval:org.secpod.oval:def:35012
This policy setting determines when registry policies are updated. This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when i ...

oval:org.secpod.oval:def:35013
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. If you enable this policy setting, the WinRM service will accept Basic authentication from a remote client. If you disable or do not configure t ...

oval:org.secpod.oval:def:35010
This policy setting controls whether the elevation request prompt is displayed on the interactive user&amp;apos;s desktop or the secure desktop. The options are: * Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators an ...

oval:org.secpod.oval:def:35252
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. If you enable or do not configure this setting, archive files will be scanned. If you disable this setting, archive files will not be scanned. Count ...

oval:org.secpod.oval:def:35494
This policy setting allows you to audit events generated by changes in the security state of the computer such as the following events: Startup and shutdown of the computer. Change of system time. Recovering the system from CrashOnAuditFail, which is logged after a system restarts when t ...

oval:org.secpod.oval:def:35011
This policy setting allows you to control whether a domain user can sign in using a picture password. If you enable this policy setting, a domain user can&amp;apos;t set up or sign in with a picture password. If you disable or don&amp;apos;t configure this policy setting, a domain user can ...

oval:org.secpod.oval:def:35253
This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group ...

oval:org.secpod.oval:def:80698
This policy setting allows you to specify whether the Windows NTP Server is enabled. If you enable this policy setting for the Windows NTP Server, your computer can service NTP requests from other computers. If you disable or do not configure this policy setting, your computer cannot service NTP ...

oval:org.secpod.oval:def:80699
This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. The recommended state for this setting is: Enabled. Note: Some PCs may not be compatible with this policy if the system firmware enables DMA for newl ...

oval:org.secpod.oval:def:35009
This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance. If you enable or do not configure this setting, the antimalware service will load as a normal priority task. If you di ...

oval:org.secpod.oval:def:35007
This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. If you disable this policy setting, the user is not pr ...

oval:org.secpod.oval:def:35249
This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled definition update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent mu ...

oval:org.secpod.oval:def:35008
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. Counter Measure: Configure this policy setting to &amp;quot;Yes&amp;qu ...

oval:org.secpod.oval:def:80692
This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. Note this does not affect the availability of user input methods on the lock screen or with t ...

oval:org.secpod.oval:def:80693
This policy prevents the user from showing account details (email address or user name) on the sign-in screen. If you enable this policy setting, the user cannot choose to show account details on the sign-in screen. If you disable or do not configure this policy setting, the user may choose to sho ...

oval:org.secpod.oval:def:80690
Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the dev ...

oval:org.secpod.oval:def:80691
Enumeration policy for external DMA-capable devices incompatible with DMA remapping. This policy only takes effect when Kernel DMA Protection is enabled and supported by the system. Note: this policy does not apply to 1394, PCMCIA or ExpressCard devices. Fix: (1) GPO: Computer Configuration\Admin ...

oval:org.secpod.oval:def:80696
This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. If you enable this policy setting, users can use MSDT to collect and send diagnostic data to a support pro ...

oval:org.secpod.oval:def:80697
This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. If you enable this policy ...

oval:org.secpod.oval:def:80694
This policy setting determines whether Clipboard contents can be synchronized across devices. If you enable this policy setting, Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Azure AD account. If you disable this policy setting, Clipbo ...

oval:org.secpod.oval:def:80695
This policy setting determines whether published User Activities can be uploaded. If you enable this policy setting, activities of type User Activity are allowed to be uploaded. If you disable this policy setting, activities of type User Activity are not allowed to be uploaded. Deletion of activitie ...

oval:org.secpod.oval:def:35240
This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Counter Measure: Disable this setting to override firewall rules created locally by administrators. Potential Impac ...

oval:org.secpod.oval:def:35482
This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record suc ...

oval:org.secpod.oval:def:35480
This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following: Events that could not be written to the event log because of a problem with the auditing system. A process that uses a local procedure call (LPC) port that is not vali ...

oval:org.secpod.oval:def:35247
This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or ...

oval:org.secpod.oval:def:35005
This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Counter Measure: Disable this setting to override firewall rules created locally by administrators. Potential Impact: If you co ...

oval:org.secpod.oval:def:35489
This policy setting allows you to audit changes to user accounts. Events include the following: A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. A user account&amp;apos;s password is set or changed. A security identifier (SID) is added to ...

oval:org.secpod.oval:def:35006
This policy setting allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. Secure Boot ensures that the PC&amp;apos;s pre-boot environment only loads firmware that is digitally signed by authorized software publisher ...

oval:org.secpod.oval:def:35245
This policy setting allows you to configure behavior monitoring. If you enable or do not configure this setting, behavior monitoring will be enabled. If you disable this setting, behavior monitoring will be disabled. Counter Measure: Configure this setting depending on your organizat ...

oval:org.secpod.oval:def:35246
This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not ...

oval:org.secpod.oval:def:35004
This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. Counter Measure: Disable this setting to prevent the client from receiving unicast responses. Potential Impact: If you enable this setting and thi ...

oval:org.secpod.oval:def:35488
This policy setting allows you to audit any of the following events: Startup and shutdown of the Windows Firewall service and driver. Security policy processing by the Windows Firewall Service. Cryptography key file and migration operations. Volume: Low. Default: Success, Failure. Co ...

oval:org.secpod.oval:def:35243
This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authentication package, Spnego.dll. In previous versions of Window ...

oval:org.secpod.oval:def:35001
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to requi ...

oval:org.secpod.oval:def:35002
This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Counter Measure: Disable this setting to override firewall rules created locally by administrators. Potential Impac ...

oval:org.secpod.oval:def:35483
This policy setting allows you to audit events generated by special logons such as the following : The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Speci ...

oval:org.secpod.oval:def:35000
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Counter Measure: Configure the MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (300,000 is recommended) entry to a value of 300000 or 5 minutes. The possible values for this registry entry ...

oval:org.secpod.oval:def:35242
This security setting determines whether to disconnect users who are connected to the local computer outside their user account&amp;apos;s valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB Service to ...

oval:org.secpod.oval:def:80689
This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns. Microsoft will not collect yo ...

oval:org.secpod.oval:def:80687
Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error rep ...

oval:org.secpod.oval:def:80688
This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. If you enable this policy setting, it blocks users from connecting to Microsoft.com for online registration and users cannot register their copy of Windows online. If you disabl ...

oval:org.secpod.oval:def:35238
This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. This policy setting applies only to RemoteApp programs and does not apply to remote desktop sessions. If you enable or do no ...

oval:org.secpod.oval:def:35239
This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled. If you enable or do not configure this setting, packed executables will be scanned. If you disable this setting, packed executables will not be scanned. ...

oval:org.secpod.oval:def:80681
Encryption Oracle Remediation This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable ...

oval:org.secpod.oval:def:80682
Remote host allows delegation of non-exportable credentials When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. If you enable this policy setting, the host s ...

oval:org.secpod.oval:def:80680
This policy setting blocks applications from using the network to send notifications to update tiles, tile badges, toast, or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications fr ...

oval:org.secpod.oval:def:80685
This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users, and domain controllers. If you enable this policy setting, the system waits until the current user logs off the system before updating the com ...

oval:org.secpod.oval:def:80686
Turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples wi ...

oval:org.secpod.oval:def:80683
Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot, and can optionally be enabled with the use of DMA Protections. DMA protections require ...

oval:org.secpod.oval:def:80684
This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). If you enable this policy setting, the Windows device is discoverable by other Windows devices that belong to the same user, and can participate in cross-device ex ...

oval:org.secpod.oval:def:36560
This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders ...

oval:org.secpod.oval:def:35236
This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other than memory dumps. If you enable or do not configure this poli ...

oval:org.secpod.oval:def:35478
This policy setting allows you to audit other logon/logoff-related events that are not covered in the &amp;quot;Logon/Logoff&amp;quot; policy setting such as the following: Terminal Services session disconnections. New Terminal Services sessions. Locking and unlocking a workstation. ...

oval:org.secpod.oval:def:35234
Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store. Enabling thi ...

oval:org.secpod.oval:def:35235
This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, ...

oval:org.secpod.oval:def:35232
When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: Network access: Named pipes that can be accessed anonymously Network access: Shares that can be accessed anonymously Default: Enabled. Counter Measure: Configure the Network access: Restr ...

oval:org.secpod.oval:def:35474
This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: Job created. Job deleted. Job enabled. Job disabled. Job updated. For COM+ objects, the following are audited: Ca ...

oval:org.secpod.oval:def:35233
This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded f ...

oval:org.secpod.oval:def:35475
This policy setting allows you to audit events generated by user account logon attempts on the computer. Events in this subcategory are related to the creation of logon sessions and occur on the computer which was accessed. For an interactive logon, the security audit event is generated on the compu ...

oval:org.secpod.oval:def:35230
Specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this setting, all communications between clients and RD Session Host servers during remote conne ...

oval:org.secpod.oval:def:35472
This policy setting allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to. If you configure this policy setting, ...

oval:org.secpod.oval:def:35473
This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). The following privileges are non-sensitive: Access Credential Manager as a trusted caller. Access this computer from the network. Add workstations to domain. ...

oval:org.secpod.oval:def:35231
This policy setting allows you to allow or deny remote access to the Plug and Play interface. If you enable this policy setting, remote connections to the Plug and Play interface are allowed. If you disable or do not configure this policy setting, remote connections to the Plug and Play in ...

oval:org.secpod.oval:def:35229
If you enable (or do not configure) this policy setting, the Windows Biometric Service will be available, and users will be able to run applications that use biometrics on Windows. If you want to enable the ability to log on with biometrics, you must also configure the &amp;quot;Allow users to log o ...

oval:org.secpod.oval:def:35227
This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process. ...

oval:org.secpod.oval:def:35228
This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wired Local Area Network (LAN) and joined to a domain can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started. ...

oval:org.secpod.oval:def:36558
This privilege determines who can change the maximum memory that can be consumed by a process. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers. Note: This privilege is useful for system tuning, but i ...

oval:org.secpod.oval:def:35460
This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. If you enable this setting, employees can use Autofill to automatically fill in forms while using Microsoft Edge. If you disable this setting, employees can't u ...

oval:org.secpod.oval:def:35225
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. In Windows Vista, the default behavior is to allow connections unless there are firewall rules that block the connection. Counter Measure: Configure this setting to allow outbound connect ...

oval:org.secpod.oval:def:35467
This policy setting allows you to audit events generated by the IPsec filter driver such as the following: Startup and shutdown of the IPsec services. Network packets dropped due to integrity check failure. Network packets dropped due to replay check failure. Network packets dropped ...

oval:org.secpod.oval:def:36557
This security setting determines whether a different account name is associated with the security identifier (SID) for the account ;amp;quot;Guest.;amp;quot; Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combinati ...

oval:org.secpod.oval:def:35226
This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to s ...

oval:org.secpod.oval:def:36556
This security setting determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies. Default: None Counter Measure: Assign the Deny log on as a batch job u ...

oval:org.secpod.oval:def:35223
Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. Counter Measure: Disable this setting depending on your organization&amp;apos;s requirements. ...

oval:org.secpod.oval:def:36555
This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator exp ...

oval:org.secpod.oval:def:35224
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Counter Measure: Configure this setting to block inbound connections by default. Poten ...

oval:org.secpod.oval:def:36554
This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less ...

oval:org.secpod.oval:def:36553
This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separ ...

oval:org.secpod.oval:def:35222
This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: * Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy ...

oval:org.secpod.oval:def:36552
This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are ...

oval:org.secpod.oval:def:35461
This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. Turning this setting on lets Microsoft Edge look for the Enterprise Mode Site List XML file. This file includes the sites an ...

oval:org.secpod.oval:def:36551
This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days. Count ...

oval:org.secpod.oval:def:35220
This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. Counter Measure: Disable this setting to prevent the client from receiving unicast responses. Potential Impact: If you enable this setting and thi ...

oval:org.secpod.oval:def:36550
This security setting determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causi ...

oval:org.secpod.oval:def:35218
This policy setting allows you to configure a domain controller to request compound authentication. Note: For a domain controller to request compound authentication, the policy &amp;quot;KDC support for claims, compound authentication, and Kerberos armoring&amp;quot; must be configured and enab ...

oval:org.secpod.oval:def:36549
This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. Important If you apply this security policy to the Everyone group, no one will be able to lo ...

oval:org.secpod.oval:def:35216
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. If you disable this ...

oval:org.secpod.oval:def:35458
This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. Turning this setting on, or not configuring it, turns on the Pop-up Blocker, which stops pop-ups from appearing. Turning this setting off turns off Pop-up Blocker and ...

oval:org.secpod.oval:def:36548
This security setting determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. For such auditing to be ena ...

oval:org.secpod.oval:def:35459
This setting lets you configure how your company deals with cookies. Turning this setting on lets you decide to: Allow all cookies (default). Allows all cookies from all websites. Block only 3rd-party cookies. Blocks only cookies from 3rd-party websites. Block all cookies. Blocks ...

oval:org.secpod.oval:def:35217
This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vul ...

oval:org.secpod.oval:def:36547
This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords are not reused ...

oval:org.secpod.oval:def:80656
This policy setting allows you to manage BitLocker's use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading ...

oval:org.secpod.oval:def:80657
This policy setting specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length. For the complexity requirement setting t ...

oval:org.secpod.oval:def:80654
This policy setting allows you to manage BitLocker's use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent readin ...

oval:org.secpod.oval:def:80655
This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the ...

oval:org.secpod.oval:def:34998
This policy setting allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The &amp;quot;Allow data recovery agent&amp;quot; check box is used to specify whether a d ...

oval:org.secpod.oval:def:34999
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. Counter Measure: Configure this setting to block inbound connections by default. Poten ...

oval:org.secpod.oval:def:34996
This policy setting allows you to manage BitLocker&amp;apos;s use of hardware-based encryption on fixed data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent rea ...

oval:org.secpod.oval:def:80658
This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLock ...

oval:org.secpod.oval:def:34997
This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication request ...

oval:org.secpod.oval:def:80659
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through a ...

oval:org.secpod.oval:def:80652
This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this ...

oval:org.secpod.oval:def:80653
This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) operating systems. If this policy sett ...

oval:org.secpod.oval:def:80650
This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. Specify hardened network paths. In the name field, type a fully-qualified UNC path for each network resour ...

oval:org.secpod.oval:def:80651
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. By default, this policy setting takes precedence over any other policy setting that allows Windows to install a device. NOTE: To enable the "Allow ...

oval:org.secpod.oval:def:34994
Use this option to specify the size limit of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to &amp;quot;16384&amp;quot;. Potential Impact: The log file size will be limited to the specified size, old events will be overwr ...

oval:org.secpod.oval:def:34995
This policy setting configures whether or not removable data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2) operating systems. If this pol ...

oval:org.secpod.oval:def:34992
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not conf ...

oval:org.secpod.oval:def:34993
By default, users can add their computer to a homegroup on a home network. If you enable this policy setting, a user on this computer will not be able to add this computer to a homegroup. This setting does not affect other network sharing features. If you disable or do not configure this ...

oval:org.secpod.oval:def:34990
This security setting determines whether the name of the last user to log on to the computer is displayed in the Windows logon screen. If this policy is enabled, the name of the last user to successfully log on is not displayed in the Logon Screen. &amp;quot;. If this policy is disabled, the name o ...

oval:org.secpod.oval:def:34991
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. Counter Measure: Configure this policy setting to &amp;quot;Y ...

oval:org.secpod.oval:def:80645
This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. Default: Non ...

oval:org.secpod.oval:def:80646
This security setting determines whether to disconnect users who are connected to the local computer outside their user accounts valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB server to be forcibl ...

oval:org.secpod.oval:def:80643
This security setting determines which users and groups are prohibited from logging on as a Remote Desktop Services client. Default: None. Important This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2. Counter Measure: Assign the Deny ...

oval:org.secpod.oval:def:80644
This security setting determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. Default: Guest Counter Measure: Assign the Deny access ...

oval:org.secpod.oval:def:34987
If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. Default: Disabled Counter Measure: ...

oval:org.secpod.oval:def:80649
Determines which users can log on to the computer. Important Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (http://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft websit ...

oval:org.secpod.oval:def:34988
The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. This security setting determines the number of failed logon attempts that causes the machine to be locke ...

oval:org.secpod.oval:def:80647
This security setting determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is sim ...

oval:org.secpod.oval:def:34986
This policy setting allows you to specify the search server that Windows uses to find updates for device drivers. If you enable this policy setting, you can select whether Windows searches Windows Update (WU), searches a Managed Server, or a combination of both. Note: that if both are spec ...

oval:org.secpod.oval:def:80648
This security setting determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. Defau ...

oval:org.secpod.oval:def:80641
This security setting determines which network shares can accessed by anonymous users. Default: None specified. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. Note: It can be ...

oval:org.secpod.oval:def:80642
This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities. Counter Measure: Configure this user right so that no account ...

oval:org.secpod.oval:def:80640
This security setting determines which communication sessions (pipes) will have attributes and permissions that allow anonymous access. Note: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, t ...

oval:org.secpod.oval:def:34983
This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Counter Measure: Disable this setting to override firewall rules created locally by administrators. Potential Impact: If you co ...

oval:org.secpod.oval:def:34982
Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note: When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notificat ...

oval:org.secpod.oval:def:34980
This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the &amp;quot;Network Security: Restrict NTLM: Deny NTLM authentication in this domain&amp;quot; is set. If you configure this policy setting, ...

oval:org.secpod.oval:def:80678
This policy setting determines whether to require domain users to elevate when setting a network's location. If you enable this policy setting, domain users must elevate when setting a network's location. If you disable or do not configure this policy setting, domain users can set a network's loca ...

oval:org.secpod.oval:def:80679
This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 WLAN, through the Windows Portable Device API (WPD), and via USB Flash drives. Additional ...

oval:org.secpod.oval:def:80676
Determines whether a user can install and configure the Network Bridge. Important: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS do ...

oval:org.secpod.oval:def:34978
This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an autorun command is inserted, the system will automat ...

oval:org.secpod.oval:def:34979
This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn users when their passwords will expire. Determines how far in advance (in days) users are warned that their ...

oval:org.secpod.oval:def:80677
Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, ...

oval:org.secpod.oval:def:34976
This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the &amp;quot;Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers&amp;quot; policy setting is configured. If you configure this policy settin ...

oval:org.secpod.oval:def:34977
This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SM ...

oval:org.secpod.oval:def:34975
This policy setting turns off the Windows Location Provider feature for this computer. Counter Measure: Enable this policy setting. Potential Impact: If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be ...

oval:org.secpod.oval:def:80670
This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. Counter Measure: Enable this setting Potential Impact: If this policy setting is enabled, Windows is prevented from downloading providers; only the service pr ...

oval:org.secpod.oval:def:80671
This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow . Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy. Note 2: If your organiza ...

oval:org.secpod.oval:def:80674
This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Ser ...

oval:org.secpod.oval:def:80675
This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety, and will cause all dependent applications to stop working. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. If you enable this settin ...

oval:org.secpod.oval:def:80672
Specifies that link local multicast name resolution (LLMNR) is disabled on client computers. LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet ...

oval:org.secpod.oval:def:80673
This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysi ...

oval:org.secpod.oval:def:34972
This security setting determines whether 128-bit key strength is required for encrypted secure channel data. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller w ...

oval:org.secpod.oval:def:34973
This security setting determines if the password for the Administrator account must be given before access to the system is granted. If this option is enabled, the Recovery Console does not require you to provide a password, and it automatically logs on to the system. Default: This policy is not de ...

oval:org.secpod.oval:def:80660
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service. Note: This policy does not apply to Windows RT. This setting lets you specify whether automatic updates are enabled on this computer. If the service is enable ...

oval:org.secpod.oval:def:80663
This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. The "Allow certificate-based data recovery agent" check box is used to specify w ...

oval:org.secpod.oval:def:80661
This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer. If you enable this policy setting smart cards can be used to authenticate user access to the drive. You can require a smart card authenti ...

oval:org.secpod.oval:def:80662
This policy setting allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer. If you enable this policy setting smart cards can be used to authenticate user access to the drive. You can require a smart card authenti ...

oval:org.secpod.oval:def:36502
This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on any computer in a high security environment, but because many applications may require this privilege, it should be carefully evaluated ...

oval:org.secpod.oval:def:35413
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. Counter Measure: Configure this policy setting to &amp;quot;Yes&amp;qu ...

oval:org.secpod.oval:def:36501
This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon at ...

oval:org.secpod.oval:def:35410
This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Po ...

oval:org.secpod.oval:def:80618
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. In a high security environment, a secure workstation should only be a client, not a server. Sharing workstation resources for remote access inc ...

oval:org.secpod.oval:def:80619
Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple TCPIP services (i.e. echo, daytime etc)) The Sim ...

oval:org.secpod.oval:def:80612
Remote Desktop Configuration service (RDCS) is responsible for all Remote Desktop related configuration and session maintenance activities that require SYSTEM context. These include per-session temporary folders, RD themes, and RD certificates In a high security environment, Remote Desktop access i ...

oval:org.secpod.oval:def:80613
Allows users to connect interactively to a remote computer. Remote Desktop and Remote Desktop Session Host Server depend on this service. In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted. Def ...

oval:org.secpod.oval:def:35407
Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note: When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notificat ...

oval:org.secpod.oval:def:80610
This service provides support for viewing, sending and deletion of system-level problem reports for the Problem Reports and Solutions control panel. This service is involved in the process of displaying/reporting issues and solutions to/from Microsoft. In a high security environment, preventing thi ...

oval:org.secpod.oval:def:35408
This security setting determines whether the system shuts down if it is unable to log security events. If this security setting is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full an ...

oval:org.secpod.oval:def:80611
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address The function of this service is to provide a "demand dial" type of functionality. In a high security environment, it is preferred that any remote "dial" connections (whether they be legacy ...

oval:org.secpod.oval:def:35405
This policy setting allows you to disable the client computer&amp;apos;s ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. Counter Measure: Enable this setting to prevent users from submitting print jobs via HTTP. Potential Imp ...

oval:org.secpod.oval:def:80616
Enables remote users to modify registry settings on this computer In a high security environment, exposing the registry to remote access is an increased security risk. Default: Disabled Counter Measure: The recommended state for this setting is Disabled. Potential Impact: The registry ...

oval:org.secpod.oval:def:35406
This policy setting allows you to configure scanning for all downloaded files and attachments. If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. If you disable this setting, scanning for all downloaded files and attachments w ...

oval:org.secpod.oval:def:80617
Offers routing services to businesses in local area and wide area network environments. This services main purpose is to provide Windows router functionality - this is not an appropriate use of workstations in an enterprise managed environment Default: Disabled Counter Measure: The recommen ...

oval:org.secpod.oval:def:35403
This policy setting permits users to change installation options that typically are available only to system administrators. If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted du ...

oval:org.secpod.oval:def:80614
Allows the redirection of Printers/Drives/Ports for RDP connections. In a security-sensitive environment, it is desirable to reduce the possible attack surface - preventing the redirection of COM, LPT and PnP ports will reduce the number of unexpected avenues for data exfiltration and/or malicious ...

oval:org.secpod.oval:def:80615
In Windows 2003 and older versions of Windows, the Remote Procedure Call (RPC) Locator service manages the RPC name service database. In Windows Vista and newer versions of Windows, this service does not provide any functionality and is present for application compatibility. This is a legacy servic ...

oval:org.secpod.oval:def:35401
This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. If you disable or do not configure this setting, items will be ...

oval:org.secpod.oval:def:80609
This service publishes a machine name using the Peer Name Resolution Protocol. Configuration is managed via the netsh context p2p pnrp peer. Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environmen ...

oval:org.secpod.oval:def:80607
Enables multi-party communication using Peer-to-Peer Grouping. Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained ...

oval:org.secpod.oval:def:35400
This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. By default, the valu ...

oval:org.secpod.oval:def:80608
Provides identity services for the Peer Name Resolution Protocol (PNRP) and Peer-to-Peer Grouping services. Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on c ...

oval:org.secpod.oval:def:80601
The LXSS Manager service supports running native ELF binaries. The service provides the infrastructure necessary for ELF binaries to run on Windows. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Windows Subsyst ...

oval:org.secpod.oval:def:80602
Enables the server to be a File Transfer Protocol (FTP) server Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - FTP Server). Hosting an FTP server (especially a non-secure FTP serv ...

oval:org.secpod.oval:def:80600
Creates a Network Map, consisting of PC and device topology (connectivity) information, and metadata describing each PC and device. The feature that this service enables could potentially be used for unauthorized discovery and connection to network devices. Disabling the service helps to prevent re ...

oval:org.secpod.oval:def:80605
SSH protocol based service to provide secure encrypted communications between two untrusted hosts over an insecure network. Note: This service is not installed by default. It is supplied with Windows, but it is installed by enabling an optional Windows feature (OpenSSH Server) Hosting an SSH serve ...

oval:org.secpod.oval:def:80606
Enables serverless peer name resolution over the Internet using the Peer Name Resolution Protocol (PNRP) Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on cent ...

oval:org.secpod.oval:def:80603
Manages Internet SCSI (iSCSI) sessions from this computer to remote target devices. This service is critically necessary in order to directly attach to an iSCSI device. However, iSCSI itself uses a very weak authentication protocol (CHAP), which means that the passwords for iSCSI communic ...

oval:org.secpod.oval:def:80604
This service provides infrastructure support for the Microsoft Store. In a high security managed environment, application installations should be managed centrally by IT staff, not by end users. Default: Manual. Counter Measure: The recommended state for this setting is Disabled. Potential I ...

oval:org.secpod.oval:def:81729
This setting allows to remove access to "Pause updates" feature. Once enabled user access to pause updates is removed. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\Remove access to "Pause updates" feature (2) REG: HK ...

oval:org.secpod.oval:def:81724
This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard. If you enable this setting, Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host. If you di ...

oval:org.secpod.oval:def:80634
This service syncs save data for Xbox Live save enabled games. Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company). Default: Manual (Trigger Start) Counter Measure: The recommended state for this setting is Disabled. Po ...

oval:org.secpod.oval:def:81723
This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. Note: Only one of the additi ...

oval:org.secpod.oval:def:80635
This service supports the Windows.Networking.XboxLive application programming interface. Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company). Default: Manual. Counter Measure: The recommended state for this setting is Di ...

oval:org.secpod.oval:def:81722
This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. If you enable this policy setting, the task "Order Prints Online" ...

oval:org.secpod.oval:def:80632
This service manages connected Xbox Accessories. Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company) Default: Manual. Counter Measure: The recommended state for this setting is Disabled. Potential Impact: Connected ...

oval:org.secpod.oval:def:80633
Provides authentication and authorization services for interacting with Xbox Live. Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company). Default: Manual. Counter Measure: The recommended state for this setting is Disabled. ...

oval:org.secpod.oval:def:81728
This policy setting enables application isolation through Microsoft Defender Application Guard. Application Guard uses Windows Hypervisor to create a virtualized environment for apps that are configured to use virtualization-based security isolation. While in isolation, improper user interactions a ...

oval:org.secpod.oval:def:80638
This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not conf ...

oval:org.secpod.oval:def:80639
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) Counter Measure: Configure the MSS: (TcpMaxDataRetransmissions) IPv6 How many times unacknowledged data is retransmitted (3 recommended, 5 is default) entry to a value of 3. ...

oval:org.secpod.oval:def:81727
This policy setting determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container. If you enable this setting, people can save downloaded files from the Microsoft Defender Application Guard container to the host operating system. I ...

oval:org.secpod.oval:def:80636
This policy setting allows you to set the encryption types that Kerberos is allowed to use. If not selected, the encryption type will not be allowed. This setting may affect compatibility with client computers or services and applications. Multiple selections are permitted. This policy is supporte ...

oval:org.secpod.oval:def:81726
This policy setting allows you to decide whether data should persist across different sessions in Microsoft Defender Application Guard. If you enable this setting, Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Gu ...

oval:org.secpod.oval:def:80637
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) Counter Measure: Configure the MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) entry to a value of 3. The possib ...

oval:org.secpod.oval:def:81725
The policy allows you to determine whether applications inside Microsoft Defender Application Guard can access the device's camera and microphone when these settings are enabled on the user's device. If you enable this policy, applications inside Microsoft Defender Application Guard will be able to ...

oval:org.secpod.oval:def:80630
Windows Remote Management (WinRM) service implements the WS-Management protocol for remote management. WS-Management is a standard web services protocol used for remote software and hardware management. The WinRM service listens on the network for WS-Management requests and processes them. Features ...

oval:org.secpod.oval:def:80631
Provides Web connectivity and administration through the Internet Information Services Manager. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - World Wide Web Services). Note #2: ...

oval:org.secpod.oval:def:80629
This service manages Apps that are pushed to the device from the Microsoft Store App running on other devices or the web. In a high security managed environment, application installations should be managed centrally by IT staff, not by end users. Default: Manual (Trigger Start) Counter Measure: ...

oval:org.secpod.oval:def:80623
The Web Management Service enables remote and delegated management capabilities for administrators to manage for the Web server, sites and applications present on the machine. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windo ...

oval:org.secpod.oval:def:80624
Allows errors to be reported when programs stop working or responding and allows existing solutions to be delivered. Also allows logs to be generated for diagnostic and repair services If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT ...

oval:org.secpod.oval:def:80621
Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer. Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes ...

oval:org.secpod.oval:def:80622
Allows UPnP devices to be hosted on this computer. Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automati ...

oval:org.secpod.oval:def:80627
Provides the ability to share a cellular data connection with another device. The capability to run a mobile hotspot from a domain-connected computer could easily expose the internal network to wardrivers or other hackers Default: Manual (Trigger Start) Counter Measure: The recommended state ...

oval:org.secpod.oval:def:80628
This service runs in session 0 and hosts the notification platform and connection provider which handles the connection between the device and WNS server. Windows Push Notification Services (WNS) is a mechanism to receive 3rd-party notifications and updates from the cloud/Internet. In a h ...

oval:org.secpod.oval:def:80625
This service manages persistent subscriptions to events from remote sources that support WS-Management protocol. This includes Windows Vista event logs, hardware and IPMI- enabled event sources. The service stores forwarded events in a local Event Log In a high security environment, remote connecti ...

oval:org.secpod.oval:def:80626
Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play. Network sharing of media from Media Player has no place in an enterprise managed environment. Default: Manual Counter Measure: The recommended state for this setting is Disable ...

oval:org.secpod.oval:def:80620
Enables Simple Network Management Protocol (SNMP) requests to be processed by this computer. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple Network Management Protocol (SNMP)). Features that enable inbo ...

oval:org.secpod.oval:def:85529
The Windows PowerShell 2.0 feature must be disabled on the system.

oval:org.secpod.oval:def:85534
If Enhanced diagnostic data is enabled, it must be limited to the minimum required to support Windows Analytics.

oval:org.secpod.oval:def:85544
The Secondary Logon service must be disabled on Windows 10.

oval:org.secpod.oval:def:95657
This policy setting controls packet level privacy for Remote Procedure Call (RPC)incoming connections.The recommended state for this setting is: Enabled.Fix:(1) GPO: Computer Configuration\Policies\Administrative Templates\MS Security Guide\Configure RPC packet level privacy setting for incoming con ...

oval:org.secpod.oval:def:95635
Allows administrators to remotely access a command prompt using Emergency Management Services. Allowing the use of a remotely accessible command prompt that provides the ability to perform remote management tasks on a computer is a security risk.The recommended state for this setting is: Disabled or ...

oval:org.secpod.oval:def:95627
Loads files to memory for later printing<br><br>Recommended value for Member Server: Disabled<br>Recommended value for Domain Controller: Disabled<br><br>Potential Impact: Domain Controllers will not be able to prune published printers from Active Directory. By default, Domain Controllers prune prin ...

CPE    1
cpe:/o:microsoft:windows_10
CCE    673
CCE-15113-4
CCE-44430-7
CCE-42887-0
CCE-43567-7
...
*XCCDF
xccdf_org.secpod_benchmark_general_Windows_10

© SecPod Technologies