Download
| Alert*
|
CCE-41763-4
Disable: 'System cryptography: Force strong key protection for user keys stored on the computer' for ForceKeyProtection This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. If you configure this policy setting so that users must provi ... CCE-42314-5 Specify the 'Turn Off the Display (On Battery)' (DCSettingIndex Min:0 Max:4294967295) Specifies the period of inactivity before Windows turns off the display. If you enable this policy, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off th ... CCE-41782-4 Disable: 'Allow Standby States (S1-S3) When Sleeping (On Battery)' Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy is disabled, the only sleep st ... CCE-42172-7 Disable: 'Turn off app notifications on the lock screen' This policy setting allows you to prevent app notifications from appearing on the lock screen. If you enable this policy setting, no app notifications are displayed on the lock screen. If you disable or do not configure this policy se ... CCE-43849-9 Disable: 'Do not process the legacy run list' This policy setting causes the run list, which is a list of programs that Windows runs automatically when it starts, to be ignored. The customized run lists for Windows Vista are stored in the registry at the following locations: - HKEY_LOCAL_MACHIN ... CCE-44292-1 Disable: 'Do not process the run once list' This policy setting causes the run once list, which is the list of programs that Windows Vista runs automatically when it starts, to be ignored. This policy setting differs from the Do not process the legacy run list setting in that programs on this list ... CCE-41676-8 Disable: 'Require a Password When a Computer Wakes (Plugged In)' Specifies whether or not the user is prompted for a password when the system resumes from sleep. Counter Measure: Configure Require a Password When a Computer Wakes (Plugged In) to Enabled. Potential Impact: If you e ... CCE-42589-2 Disable: 'Allow Standby States (S1-S3) When Sleeping (Plugged In)' Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy is disabled, the only sleep state a c ... CCE-43844-0 Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Countermeasure: Configure this policy setting to 900 seconds (15 minutes) so that the risk of a user's desktop session being hijac ... CCE-43700-4 Disable: 'Always prompt for password upon connection' This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they alrea ... CCE-44126-1 Disable: 'Do not enumerate connected users on domain-joined computers' This policy setting prevents connected users from being enumerated on domain-joined computers. If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. If you di ... CCE-42362-4 Disable: 'Devices: Prevent users from installing printer drivers' for AddPrinterDrivers It is feasible for a attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your comp ... CCE-44085-9 Disable: 'Turn off Data Execution Prevention' for Explorer Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. Counter Measure: We recommend that you disable this policy setting unless you have to support legacy busine ... CCE-41561-2 Disable: 'Interactive logon: Machine account lockout threshold' for MaxDevicePasswordFailedAttempts The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. ... CCE-43568-5 Specify the 'Turn Off the Display (Plugged In)' in seconds (max: 4294967295) Specifies the period of inactivity before Windows turns off the display. If you enable this policy, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display ... CCE-44052-9 Disable: 'Require a Password When a Computer Wakes (On Battery)' Specifies whether or not the user is prompted for a password when the system resumes from sleep. Counter Measure: Configure Require a Password When a Computer Wakes (On Battery) to Enabled. Potential Impact: If you e ... CCE-43546-1 LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, th ... CCE-42995-1 This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC pol ... CCE-42311-1 Disable: 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' for EnableSecureUIAPaths This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location i ... CCE-91207-1 "Turn On Fast Startup" When you shutdown a PC with Fast Startup turned on, Windows saves the current system state and the contents of memory to a file called hiberfil.sys and then it shuts down the computer. Later, when you turn on the computer, rather than performing a full load of the entire syst ... CCE-43744-2 Disable: 'User Account Control: Only elevate executables that are signed and validated' for ValidateAdminCodeSignatures This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can c ... CCE-43913-3 This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name ... CCE-43456-3 Disable: 'Enable RPC Endpoint Mapper Client Authentication' This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service p ... CCE-42996-9 Disable: 'Turn off heap termination on corruption' Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. Counter Measure: Disable this setting de ... CCE-42894-6 Select the 'Set client connection encryption level' to low_level This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session. Counter Measure: Con ... CCE-42459-8 Disable: 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing' for Enabled This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. Although ... CCE-42872-2 Password must meet complexity requirements This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user's ... CCE-44419-0 Disable: 'Enable insecure guest logons' This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons. If you disable this ... CCE-43894-5 Account lockout threshold This policy setting determines the number of failed logon attempts before a lock occurs. Authorized users can lock themselves out of an account by mistyping their password or by remembering it incorrectly, or by changing their password on one computer while logged on to an ... CCE-42575-1 Disable: 'Honor cipher suite order' This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client. If you enable this policy setting, the SMB server will select the cipher suite it most prefers from the list of client-supported cip ... CCE-43472-0 Disable: 'Control Event Log behavior when the log file reaches its maximum size' for Retention This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the ... CCE-43848-1 Select the 'Turn off Autoplay' for NoDriveTypeAutoRun to cd-rom_and_removable_media_drives Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a prog ... CCE-42505-8 Specify the 'Configure log access (legacy) - Event Log Service\Setup (SDDL String)' value This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this log i ... CCE-42491-1 Specify the 'Configure log access (legacy) - Event Log Service\Security' (SDDL String) value This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. If you enab ... CCE-41679-2 Minimum password length This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'pass phrase' is a better term than 'password.' In Mic ... CCE-41953-1 Minimum password age This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this sett ... CCE-42504-1 Specify the 'Configure log access (legacy) - Event Log Service\Application' (SDDL String) value This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You must set both "configure log access" policy settings for this ... CCE-43655-0 Disable: 'Control System Event Log behavior when the log file reaches its maximum size' This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log an ... CCE-41972-1 'Specify the maximum log file size (KB) (Application Log)' for MaxSize (Min:1024 Max:2147483647 kb) This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobyte ... CCE-41528-1 Accounts: Guest account status This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. Note that this setting will have no impact when applied to the domain controller organizational unit v ... CCE-42136-2 Enforce password history This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwor ... CCE-42490-3 Specify the 'Configure log access (legacy) - Event Log Service\System' (SDDL String) value This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only users whose security descr ... CCE-44139-4 Disable: 'Control Security Event Log behavior when the log file reaches its maximum size' This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log ... CCE-43960-4 Disable: 'Prevent installation of removable devices' This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial ... CCE-43535-4 Maximum password age This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this policy setting is 42 days. Because attackers can ... CCE-43086-8 Disable: 'Allow remote access to the Plug and Play interface' This policy setting allows you to allow or deny remote access to the Plug and Play interface. If you enable this policy setting, remote connections to the Plug and Play interface are allowed. If you disable or do not c ... CCE-43657-6 Disable: 'Network security: Do not store LAN Manager hash value on next password change' for NoLMHash This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to th ... CCE-43671-7 Disable: 'User Account Control: Behavior of the elevation prompt for standard users' for ConsentPromptBehaviorUser This policy setting controls the behavior of the elevation prompt for standard users. The options are: - Prompt for credentials: When an operation requires elevation of privile ... CCE-42160-2 Specify the 'Network access: Remotely accessible registry paths and sub-paths' for Machine This policy setting determines which registry paths and sub-paths will be accessible when an application or process references the WinReg key to determine access permissions. Note: In Windows XP this sett ... CCE-43517-2 Disable: 'Network access: Do not allow anonymous enumeration of SAM accounts' for RestrictAnonymousSAM This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections ca ... CCE-41948-1 Disable: 'Network access: Let Everyone permissions apply to anonymous users' for EveryoneIncludesAnonymous This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to per ... CCE-41762-6 Disable: 'Domain member: Digitally encrypt or sign secure channel data (always)' for requiresignorseal This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure channel da ... CCE-43034-8 Disable: 'Require user authentication for remote connections by using Network Level Authentication' This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhanc ... CCE-42710-4 Disable: 'Require secure RPC communication' Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authent ... CCE-41504-2 Disable: 'Interactive logon: Prompt user to change password before expiration' for passwordexpirywarning This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn us ... CCE-43080-1 Select the 'Require use of specific security layer for remote (RDP) connections' to rdp Specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this set ... CCE-42884-7 Disable: 'Microsoft network server: Digitally sign communications (always)' for requiresecuritysignature This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from usin ... CCE-41773-3 Disable: 'Domain member: Digitally sign secure channel data (when possible)' for signsecurechannel This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic ... CCE-43628-7 Disable: 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' for RestrictAnonymous This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate do ... CCE-41772-5 Disable: 'Allow users to connect remotely by using Remote Desktop Services' This policy setting allows you to configure remote access to computers by using Remote Desktop Services. If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer ... CCE-43105-6 Disable: 'Network access: Restrict anonymous access to Named Pipes and Shares' for restrictnullsessaccess When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access ... CCE-41840-0 Disable: 'Microsoft network client: Digitally sign communications (always)' for RequireSecuritySignature This policy setting determines whether packet signing is required by the SMB client component. If you enable this policy setting, the Microsoft network client computer cannot communicate with a ... CCE-42970-4 Accounts: Rename administrator account The built-in local administrator account is a well-known account name that attackers will target. Microsoft recommends to choose another name for this account, and to avoid names that denote administrative or elevated access accounts. Be sure to also change th ... CCE-43748-3 Account lockout duration This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy sett ... |
