[Forgot Password]
Login  Register Subscribe

30389

 
 

423868

 
 

241641

 
 

909

 
 

192372

 
 

277

Paid content will be excluded from the download.


Download | Alert*


CCE-4390-1
Prompt for password on resume from hibernate/suspend should be set correctly.

CCE-2387-9
The required permissions for the directory %SystemRoot%\$NtServicePackUninstall$ should be assigned.

CCE-3176-5
Domain Profile: Allow UPnP framework exception (SP2 only)

CCE-3130-2
The correct service permissions for the Terminal Services service should be assigned.

CCE-2692-2
The "Disconnect clients when logon hours expire" policy should be set correctly.

CCE-2800-1
The required permissions for the file %SystemRoot%\System32\CONFIG\*.evt should be assigned.

CCE-8445-9
Access to registry editing tools should be set correctly.

CCE-2726-8
The required permissions for the file %SystemRoot%\System32\cacls.exe should be assigned.

CCE-3274-8
The TCP/IP NetBIOS Helper service should be enabled or disabled as appropriate.

CCE-2352-3
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt should be assigned.

CCE-3141-9
Domain Profile: Allow ICMP exceptions (SP2 only)

CCE-1937-2
The required permissions for the file %SystemRoot%\System32\tlntsvr.exe should be assigned.

CCE-2857-1
The required permissions for the file %SystemRoot%\System32\wmimgmt.msc should be assigned.

CCE-2968-6
The "Allow Server Operators to Schedule Tasks" policy should be set correctly.

CCE-2759-9
Auditing of "policy change" events on failure should be enabled or disabled as appropriate..

CCE-1815-0
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Dr Watson\drwtsn32.log should be assigned.

CCE-4270-5
The "Turn off shell protocol protected mode" setting should be configured correctly.

CCE-3198-9
The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Domain Profile.

CCE-3208-6
The "Maximum tolerance for computer clock synchronization" policy should be set correctly.

CCE-1924-0
The required permissions for the file %SystemRoot%\System32\Com\comexp.msc should be assigned.

CCE-2824-1
ICMP Redirects should be properly configured.

CCE-2702-9
The required permissions for the file %SystemDrive%\AUTOEXEC.BAT should be assigned.

CCE-2472-9
The "Message text for users attempting to log on" policy should be set correctly.

CCE-2933-0
Auditing of "directory service access" events on success should be enabled or disabled as appropriate..

CCE-2374-7
The "add workstations to domain" user right should be assigned to the correct accounts.

CCE-2178-2
The required permissions for the file %SystemRoot%\System32\net.exe should be assigned.

CCE-2343-2
Auditing of "logon" events on failure should be enabled or disabled as appropriate..

CCE-2739-1
The required permissions for the directory %SystemRoot%\security should be assigned.

CCE-2802-7
The "Digitally Sign Client Communication (When Possible)" policy should be set correctly.

CCE-3174-0
The log file path and name for the Windows Firewall should be configured correctly for the Standard Profile.

CCE-2957-9
The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly.

CCE-2728-4
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\HTML Help should be assigned.

CCE-2911-6
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ersvc\Security should be assigned.

CCE-2354-9
The "Limit Users to One Remote Session" policy should be set correctly for Terminal Services.

CCE-2859-7
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wmi\Security should be assigned.

CCE-2683-1
The automatic generation of 8.3 file names for NTFS should be enabled or disabled as appropriate.

CCE-2813-4
The required permissions for the directory %SystemRoot%\System32\ias should be assigned.

CCE-3304-3
Domain Profile: Allow Remote Desktop exception (SP2 only)

CCE-2826-6
The "Disable Media Player for automatic updates" policy should be set correctly.

CCE-2935-5
The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly.

CCE-2704-5
The required permissions for the file %SystemRoot%\System32\eventvwr.msc should be assigned.

CCE-3108-8
The correct service permissions for the Telnet service should be assigned.

CCE-2145-1
The required permissions for the file %SystemRoot%\System32\eventcreate.exe should be assigned.

CCE-2890-2
The "Anonymous access to the system event log" policy should be set correctly.

CCE-2561-9
The required permissions for the directory %AllUsersProfile%\DRM should be assigned.

CCE-3161-7
The "Password protect the screen saver" setting should be configured correctly for the default user.

CCE-2598-1
The required permissions for the file %SystemRoot%\System32\compmgmt.msc should be assigned.

CCE-2794-6
The "restrict guest access to security log" policy should be set correctly.

CCE-2902-5
Auditing of "account management" events on success should be enabled or disabled as appropriate..

CCE-2345-7
The "restrict guest access to system log" policy should be set correctly.

CCE-3134-4
The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Standard Profile.

CCE-2696-3
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scardsvr\Security should be assigned.

CCE-2913-2
Auditing of "privilege use" events on success should be enabled or disabled as appropriate..

CCE-2959-5
The "Terminate session when time limits are reached" policy should be set correctly for Terminal Services.

CCE-1846-5
The required permissions for the file %SystemRoot%\System32\CONFIG\AppEvent.evt should be assigned.

CCE-5059-1
Notify antivirus programs when opening attachments should be set correcly.

CCE-2815-9
The correct service permissions for the ClipBook service should be assigned.

CCE-3012-2
The "Allow Unsolicited Remote Assistance" policy should be set correctly for Terminal Services.

CCE-2881-1
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stisvc\Security should be assigned.

CCE-1966-1
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scarddrv\Security should be assigned.

CCE-2619-5
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be assigned.

CCE-2828-2
Domain Profile: Allow local program exceptions

CCE-2116-2
The "restrict guest access to application log" policy should be set correctly.

CCE-2672-4
The required permissions for the file %SystemRoot%\System32\net1.exe should be assigned.

CCE-2706-0
The required permissions for the directory %ProgramFiles% should be assigned.

CCE-2563-5
The correct service permissions for the IIS Admin service should be assigned.

CCE-2105-5
The required permissions for the directory %SystemRoot%\Debug\UserMode\userenv.log should be assigned.

CCE-2990-0
The correct service permissions for the Remote Desktop Help Session Manager service should be assigned.

CCE-2476-0
Domain Profile: Allow remote administration

CCE-1833-3
The required permissions for the directory %SystemRoot%\Registration\CRMLog should be assigned.

CCE-2904-1
The application log maximum size should be configured correctly..

CCE-3132-8
IP Source Routing should be properly configured.

CCE-2750-8
The required permissions for the file %SystemDrive%\System Volume Information should be assigned.

CCE-2796-1
The required auditing for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be enabled.

CCE-4500-5
The "Password protect the screen saver" setting should be configured correctly for the current user.

CCE-2234-3
The required permissions for the file %SystemDrive%\NTLDR should be assigned.

CCE-2652-6
IRDP should be properly configured.

CCE-2312-7
The required permissions for the file %SystemRoot%\System32\attrib.exe should be assigned.

CCE-3010-6
The "DCOM: Machine access Restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly.

CCE-3154-2
Domain Profile: Protect all network connections (SP2 only)

CCE-2674-0
The required permissions for the file %SystemRoot%\System32\Rsh.exe should be assigned.

CCE-3021-3
The correct service permissions for the Remote Registry service should be assigned.

CCE-2939-7
Auditing of "process tracking" events on failure should be enabled or disabled as appropriate..

CCE-2334-1
The required permissions for the file %SystemRoot%\System32\fsmgmt.msc should be assigned.

CCE-2992-6
The "System cryptography: Force strong key protection for user keys stored on the computer" setting should be configured correctly.

CCE-2565-0
The required permissions for the file %SystemDrive%\Documents and Settings should be assigned.

CCE-2894-4
The required permissions for the file %SystemRoot%\System32\regsvr32.exe should be assigned.

CCE-2172-5
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network should be assigned.

CCE-2982-7
The "enable computer and user accounts to be trusted for delegation" user right should be assigned to the correct accounts.

CCE-2775-5
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\clone should be assigned.

CCE-3247-4
Domain Profile: Allow file and printer sharing exception (SP2 only)

CCE-2119-6
The correct service permissions for the NetMeeting service should be assigned.

CCE-1842-4
The required permissions for the file %SystemRoot%\System32\CONFIG should be assigned.

CCE-2206-1
Auditing of "directory service access" events on failure should be enabled or disabled as appropriate..

CCE-2764-9
The "Screen Saver Timeout" setting should be configured correctly for the default user.

CCE-2993-4
The "Do not store LAN Manager hash value on next password change" policy should be set correctly.

CCE-3103-9
Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Standard Profile.

CCE-2568-4
The correct service permissions for the Computer Browser service should be assigned.

CCE-2620-3
The required permissions for the directory %AllUsersProfile%\Application Data should be assigned.

CCE-2862-1
Membership in the Power Users group should be assigned to the appropriate accounts.

CCE-2699-7
The required permissions for the file %SystemRoot%\System32\debug.exe should be assigned.

CCE-2797-9
The required permissions for the file %SystemRoot%\System32\systeminfo.exe should be assigned.

CCE-3114-6
The permitted number of TCP/IP Maximum Retried Half-open Sockets should be set correctly .

CCE-2907-4
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache should be assigned.

CCE-2555-1
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security should be assigned.

CCE-2809-2
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC should be assigned.

CCE-1909-1
The required permissions for the file %SystemRoot%\System32\edlin.exe should be assigned.

CCE-2185-7
The required permissions for the file %SystemRoot%\System32\secpol.msc should be assigned.

CCE-3258-1
Domain Profile: Allow local port exceptions (SP2 only)

CCE-2740-9
The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots should be assigned.

CCE-2918-1
Auditing of "privilege use" events on failure should be enabled or disabled as appropriate..

CCE-2313-5
The "Prevent System Maintenance of Computer Account Password" policy should be set correctly.

CCE-2052-9
The required permissions for the directory %SystemRoot%\System32\arp.exe should be assigned.

CCE-2971-0
Auditing of "policy change" events on success should be enabled or disabled as appropriate..

CCE-2873-8
The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly.

CCE-2688-0
The "Digitally Sign Server Communication (When Possible)" policy should be set correctly.

CCE-2524-7
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security should be assigned.

CCE-3136-9
Membership in the Remote Desktop Users group should be assigned to the appropriate accounts.

CCE-2731-8
The required permissions for the file %SystemRoot%\System32\tftp.exe should be assigned.

CCE-2777-1
The "when maximum log size is reached" property should be set correctly for the System log.

CCE-1840-8
The required auditing for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be enabled.

CCE-2392-9
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit should be assigned.

CCE-2766-4
Auditing of "object access" events on failure should be enabled or disabled as appropriate..

CCE-8375-8
The "No auto-restart for scheduled Automatic Updates installations" policy should be set correctly.

CCE-1973-7
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netddedsdm\Security should be assigned.

CCE-4952-8
The required permissions for the file %SystemRoot%\System32\mshta.exe should be assigned.

CCE-2851-4
The "Shut Down system immediately if unable to log security audits" policy should be set correctly.

CCE-2753-2
The required permissions for the directory %SystemRoot%\System32\spool\Printers should be assigned.

CCE-2085-9
The required permissions for the directory %SystemDrive% should be assigned.

CCE-1960-4
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg should be assigned.

CCE-3014-8
The "when maximum log size is reached" property should be set correctly for the Application log.

CCE-2788-8
The required permissions for the file %SystemRoot%\System32\subst.exe should be assigned.

CCE-3123-7
The "Refuse machine account password change" policy should be set correctly.

CCE-2973-6
The behavior surrounding Anonymous SID/Name translation should be correct.

CCE-2546-0
The required permissions for the file %SystemRoot%\System32\route.exe should be assigned.

CCE-2050-3
If the System log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.

CCE-2428-1
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tapisrv\Security should be assigned.

CCE-2176-6
The required permissions for the file %SystemRoot%\System32\sc.exe should be assigned.

CCE-4838-9
The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly.

CCE-3051-0
The correct service permissions for the WWW Publishing service should be assigned.

CCE-2590-8
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security should be assigned.

CCE-3097-3
The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly.

CCE-2842-3
The "Default owner for objects created by members of the Administrators group" policy should be set correctly.

CCE-2537-9
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32time\Security should be assigned.

CCE-4262-2
The "Prevent IIS Installation" setting should be configured correctly.

CCE-2951-2
The required permissions for the registry key HKEY_USERS\.DEFAULT should be assigned.

CCE-2768-0
The required permissions for the directory %AllUsersProfile%\Documents\desktop.ini should be assigned.

CCE-2899-3
The required permissions for the file %SystemRoot%\System32\Rexec.exe should be assigned.

CCE-3280-5
The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Standard Profile.

CCE-3118-7
TCP/IP NetBIOS Name Release on Request Prevented should be properly configured.

CCE-2502-3
The correct service permissions for the Net Logon service should be assigned.

CCE-2559-3
The TCP/IP KeepAlive Time should be set correctly .

CCE-2866-2
Domain Profile: Define port exceptions (SP2 only)

CCE-3129-4
The "Limit Number of Connections" policy should be set correctly for Terminal Services.

CCE-4849-6
The "Do not allow passwords to be saved" setting should be configured correctly for Terminal Services.

CCE-2287-1
The required permissions for the file %SystemDrive%\MSDOS.SYS should be assigned.

CCE-3084-1
The "Use FIPS compliant algorithms for encryption, hashing, and signing" policy should be set correctly.

CCE-2174-1
The screen saver should be enabled or disabled as appropriate for the current user.

CCE-2844-9
The required permissions for the file %SystemRoot%\System32\devmgmt.msc should be assigned.

CCE-2483-6
The required permissions for the directory %ALL% should be assigned.

CCE-2690-6
Membership in the Backup Operators group should be assigned to the appropriate accounts.

CCE-2076-8
The correct service permissions for the Alerter service should be assigned.

CCE-2396-0
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security should be assigned.

CCE-1916-6
The required permissions for the file %SystemRoot%\System32\netsh.exe should be assigned.

CCE-2855-5
The required permissions for the file %SystemRoot%\System32\regini.exe should be assigned.

CCE-2626-0
The correct service permissions for the Automatic Updates service should be assigned.

CCE-2198-0
The required permissions for the file %SystemRoot%\System32\Secedit.exe should be assigned.

CCE-2966-0
If the Security log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.

CCE-2757-3
The required permissions for the file %SystemRoot%\Offline Web Pages should be assigned.

CCE-2711-0
The "Prohibit New Task Creation" policy should be set correctly for the Task Scheduler.

CCE-3116-1
The "Set Client connection Encryption Level" policy should be set correctly for Terminal Services.

CCE-2613-8
The required permissions for the file %SystemRoot%\System32\nslookup.exe should be assigned.

CCE-3018-9
The "Maximum machine account password age" policy should be set correctly.

CCE-2250-9
The required permissions for the file %SystemRoot%\System32\ciadv.msc should be assigned.

CCE-3071-8
The correct service permissions for the Fax service should be assigned.

CCE-2141-0
The correct service permissions for the Routing and Remote Access service should be assigned.

CCE-2833-2
The required permissions for the file %SystemRoot%\System32\Regedt32.exe should be assigned.

CCE-3029-6
The correct service permissions for the Universal Plug and Play service should be assigned.

CCE-3055-1
The log file size limit for the Windows Firewall should be configured correctly for the Standard Profile.

CCE-2921-5
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib should be assigned.

CCE-1925-7
The required permissions for the directory %SystemRoot%\System32\NTMSData should be assigned.

CCE-3066-8
Dr. Watson Crash Dumps should be properly configured.

CCE-2749-0
The required permissions for the file %SystemRoot%\System32\ntmsmgr.msc should be assigned.

CCE-2100-6
Auditing of "logon" events on success should be enabled or disabled as appropriate..

CCE-3284-7
Standard Profile: Protect all network connections (SP2 only)

CCE-2736-7
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony should be assigned.

CCE-8400-4
The "Do not display 'Install Updates and Shut Down' option in the Shut Down Windows dialog box" setting should be configured correctly.

CCE-2945-4
The correct service permissions for the SNMP Trap service should be assigned.

CCE-2638-5
The required permissions for the directory %SystemRoot%\Temp should be assigned.

CCE-2484-4
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security should be assigned.

CCE-2691-4
The required permissions for the file %SystemRoot%\System32\telnet.exe should be assigned.

CCE-3077-5
The correct service permissions for the Task Scheduler service should be assigned.

CCE-2956-1
RPC Endpiont Mapper Client Authentication (SP2 only)

CCE-3088-2
The "Do not allow storage of credentials or .NET Passports" policy should be set correctly.

CCE-3099-9
The "Screen Saver Executable Name" setting should be configured correctly for the default user.

CCE-2969-4
The correct service permissions for the File Shares service should be assigned.

CCE-2716-9
The IMAPI CD-Burning COM Service should be enabled or disabled as appropriate.

CCE-2573-4
The "Message title for users attempting to log on" policy should be set correctly.

CCE-3151-8
The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly.

CCE-1849-9
The required permissions for the directory %AllUsersProfile% should be assigned.

CCE-2057-8
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi\Security should be assigned.

CCE-2836-5
The correct service permissions for the Indexing service should be assigned.

CCE-3162-5
The "Audit the access of global system objects" policy should be set correctly.

CCE-2475-2
The required permissions for the directory %SystemRoot%\Driver Cache\I386\Driver.cab should be assigned.

CCE-2660-9
The required permissions for the directory %SystemRoot%\System32 should be assigned.

CCE-2738-3
The required permissions for the directory %SystemRoot%\Tasks should be assigned.

CCE-2901-7
The screen saver should be enabled or disabled as appropriate for the default user.

CCE-2595-7
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers should be assigned.

CCE-2693-0
The security log maximum size should be configured correctly..

CCE-2912-4
The required permissions for the file %SystemRoot%\System32\perfmon.msc should be assigned.

CCE-2727-6
The required permissions for the file %SystemRoot%\System32\ntmsoprq.msc should be assigned.

CCE-2780-5
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries should be assigned.

CCE-2682-3
The required auditing for %SystemDrive% directory should be enabled.

CCE-2220-2
The required permissions for the file %SystemRoot%\System32\reg.exe should be assigned.

CCE-2925-6
CD-ROM Autorun should be properly configured.

CCE-2718-5
TCP/IP Dead Gateway Detection should be properly configured.

CCE-3013-0
The "Delete Cached Copies of Roaming Profiles" policy should be set correctly.

CCE-3157-5
The amount of idle time required before disconnecting a session should be set correctly.

CCE-2771-4
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy should be assigned.

CCE-3111-2
The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly.

CCE-2115-4
The required permissions for the directory %SystemDrive%\Documents and Settings\Administrator should be assigned.

CCE-2259-0
Auditing of "object access" events on success should be enabled or disabled as appropriate..

CCE-2673-2
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Crypto\DSSHKLMKeys should be assigned.

CCE-2707-8
The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Standard Profile.

CCE-2891-0
The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly.

CCE-2760-7
The required permissions for the file %SystemRoot%\System32\drwatson.exe should be assigned.

CCE-2070-1
The required permissions for the file %SystemRoot%\System32\RSoP.msc should be assigned.

CCE-2202-0
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRENUM\Security should be assigned.

CCE-2662-5
The "DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax" security option should be set correctly.

CCE-3179-9
Standard Profile: Do not allow exceptions (SP2 only)

CCE-2551-0
The "LDAP server signing requirements" policy should be set correctly.

CCE-2597-3
The required permissions for the directory %SystemRoot%\System32\lusrmgr.msg should be assigned.

CCE-2793-8
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer should be assigned.

CCE-2903-3
The required permissions for the file %SystemRoot%\System32\Ntbackup.exe should be assigned.

CCE-3133-6
The "Smart Card Removal Behavior" policy should be set correctly.

CCE-1943-0
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security\XAKey should be assigned.

CCE-2938-9
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum should be assigned.

CCE-2139-4
The required permissions for the file %SystemRoot%\System32\nbstat.exe should be assigned.

CCE-5025-2
The "Prohibit non-administrators from applying vendor signed updates" setting should be configured correctly.

CCE-2805-0
The required permissions for the directory %SystemRoot%\repair should be assigned.

CCE-3000-7
The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.

CCE-2453-9
The permitted number of TCP/IP Maximum Half-open Sockets should be set correctly .

CCE-2816-7
Auditing of "process tracking" events on success should be enabled or disabled as appropriate..

CCE-2782-1
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Crypto\RSAHKLMKeys should be assigned.

CCE-3231-8
Standard Profile: Define port exceptions (SP2 only)

CCE-3011-4
The "Enable User to Use Media Source While Elevated" policy should be set correctly.

CCE-2980-1
The "Screen Saver Timeout" setting should be configured correctly for the current user.

CCE-2773-0
The correct service permissions for the SMTP service should be assigned.

CCE-3057-7
The correct service permissions for the FTP Publishing service should be assigned.

CCE-3022-1
The correct service permissions for the Background Intelligent Transfer service should be assigned.

CCE-2991-8
The "LDAP client signing requirements" policy should be set correctly.

CCE-2762-3
The required permissions for the file %SystemRoot%\System32\runas.exe should be assigned.

CCE-2893-6
Background Refresh of Group Policy should be properly configured.

CCE-8406-1
The "Reschedule Automatic Updates scheduled installations" setting should be enabled or disabled as appropriate.

CCE-2300-2
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class should be assigned.

CCE-2599-9
The Windows Time service should be enabled or disabled as appropriate.

CCE-2871-2
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpcss\Security should be assigned.

CCE-3044-5
Kerberos and RSVP Traffic Protected by IPSec should be properly configured.

CCE-8515-9
The "Windows Firewall: Define program exceptions" policy should be configured correctly for the Domain Profile.

CCE-2784-7
The required permissions for the file %SystemRoot%\System32\Rcp.exe should be assigned.

CCE-3188-0
The "Enforce user logon restrictions" policy should be set correctly.

CCE-3017-1
TCP/IP PMTU Discovery should be properly configured.

CCE-2401-8
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands should be assigned.

CCE-2798-7
The required permissions for the file %SystemDrive%\NTBOOTDD.SYS should be assigned.

CCE-2906-6
Auditing of "account management" events on failure should be enabled or disabled as appropriate..

CCE-2752-4
The required permissions for the file %SystemRoot%\Installer should be assigned.

CCE-2808-4
The "Remote Control Settings" policy should be set correctly for Terminal Services.

CCE-2293-9
The "Enable User to Patch Elevated Products" policy should be set correctly.

CCE-2229-3
The required permissions for the file %SystemRoot%\System32\ftp.exe should be assigned.

CCE-2872-0
The required permissions for the directory %SystemRoot%\System32\Setup should be assigned.

CCE-2741-7
The required permissions for the directory %SystemDrive%\Documents and Settings\Default User should be assigned.

CCE-2458-8
The required permissions for the file %SystemRoot%\System32\services.msc should be assigned.

CCE-2184-0
The required permissions for the file %SystemRoot%\System32\at.exe should be assigned.

CCE-2917-3
The "Display user information when the session is locked" setting should be configured correctly.

CCE-2787-0
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft should be assigned.

CCE-5055-9
Turn off Search Companion content file updates

CCE-3213-6
Standard Profile: Allow Remote Desktop exception (SP2 only)

CCE-2643-5
The "Anonymous access to the security event log" policy should be set correctly.

CCE-2630-2
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be assigned.

CCE-2676-5
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Dr Watson should be assigned.

CCE-2983-5
The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.

CCE-2578-3
The required permissions for the file %SystemDrive%\NTDETECT.COM should be assigned.

CCE-3092-4
Always Wait for the Network at Computer Startup and Logon should be properly configured.

CCE-2325-9
The required permissions for the directory %SystemRoot%\Registration should be assigned.

CCE-2885-2
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip should be assigned.

CCE-8374-1
CD Burning features in Windows Explorer should be enabled or disabled as appropriate.

CCE-2207-9
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies should be assigned.

CCE-2336-6
The "when maximum log size is reached" property should be set correctly for the Security log.

CCE-2763-1
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\MediaIndex should be assigned.

CCE-2850-6
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles should be assigned.

CCE-2896-9
The startup type of the NetMeeting Remote Desktop Sharing service should be correct.

CCE-2109-7
The required permissions for the file %SystemRoot%\System32\dfrg.msc should be assigned.

CCE-2238-4
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities should be assigned.

CCE-2961-1
The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.

CCE-2789-6
The "Prevent Users from Installing Printer Drivers" policy should be set correctly.

CCE-3124-5
The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.

CCE-1863-0
The required permissions for the directory %SystemRoot%\System32\dllcache should be assigned.

CCE-2425-7
The required permissions for the file %SystemRoot%\System32\drwtsn32.exe should be assigned.

CCE-2776-3
Automatic Logon should be properly configured.

CCE-3135-1
The built-in Administrator account should be correctly named.

CCE-2841-5
Safe DLL Search Mode should be properly configured.

CCE-2621-1
The required permissions for the file %SystemRoot%\System32\gpedit.msc should be assigned.

CCE-2436-4
The required permissions for the file %SystemRoot%\System32\eventtriggers.exe should be assigned.

CCE-2160-0
The required permissions for the directory %SystemRoot% should be assigned.

CCE-2996-7
The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.

CCE-3119-5
The "Anonymous access to the application event log" policy should be set correctly.

CCE-3172-4
The "Require Domain Controller authentication to unlock workstation" policy should be set correctly.

CCE-7528-3
The "Configure Automatic Updates" setting should be configured correctly.

CCE-2612-0
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDE should be assigned.

CCE-2745-8
The required permissions for the file %SystemDrive%\IO.SYS should be assigned.

CCE-2514-8
The required permissions for the file %SystemRoot%\System32\diskmgmt.msc should be assigned.

CCE-2974-4
The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly.

CCE-2647-6
The required permissions for the directory %SystemRoot%\CSC should be assigned.

CCE-2876-1
The required permissions for the directory %SystemRoot%\System32\GroupPolicy should be assigned.

CCE-3085-8
The "Unsigned Driver Installation Behavior" policy should be set correctly.

CCE-2732-6
The required permissions for the file %SystemRoot%\System32\netstat.exe should be assigned.

CCE-2941-3
The correct service permissions for the SNMP service should be assigned.

CCE-2987-6
The "Require Case Insensitivity for Non-Windows Sybsystems" policy should be set correctly.

CCE-2480-2
The correct service permissions for the Messenger service should be assigned.

CCE-3194-8
Domain Profile: Do not allow exceptions (SP2 only)

CCE-2329-1
The required permissions for the directory %SystemRoot%\Debug\UserMode should be assigned.

CCE-2634-4
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netdd\Security should be assigned.

CCE-2889-4
The "store password using reversible encryption for all users in the domain" policy should be set correctly.

CCE-2843-1
Auditing of "system" events on failure should be enabled or disabled as appropriate..

CCE-3106-2
The "Number of Previous Logons to Cache" policy should be set correctly.

CCE-2623-7
The required permissions for the file %SystemDrive%\CONFIG.SYS should be assigned.

CCE-3061-9
Security Audit log warning level should be properly configured.

CCE-3008-0
Auditing of "account logon" events on failure should be enabled or disabled as appropriate..

CCE-2264-0
The required permissions for the file %SystemRoot%\Prefetch should be assigned.

CCE-3117-9
The "Prevent Codec Download" policy should be set correctly for Windows MediaPlayer.

CCE-2758-1
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host should be assigned.

CCE-3170-8
The "Screen Saver Executable Name" setting should be configured correctly for the current user.

CCE-2867-0
Auditing of "account logon" events on success should be enabled or disabled as appropriate..

CCE-3019-7
If the Application log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.

CCE-2976-9
The correct service permissions for the Printer service should be assigned.

CCE-2418-2
The required permissions for the directory %SystemRoot%\Debug should be assigned.

CCE-3128-6
The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly.

CCE-2747-4
The required permissions for the directory %SystemRoot%\System32\MSDTC should be assigned.

CCE-2930-6
Display Last User Name in Logon Screen should be properly configured.

CCE-2878-7
Auditing of "system" events on success should be enabled or disabled as appropriate..

CCE-2603-9
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess should be assigned.

CCE-2284-8
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography/Calais should be assigned.

CCE-2943-9
Use of the built-in Administrator account should be enabled or disabled as appropriate.

CCE-3094-0
The "Enable User Control Over Installs" policy should be set correctly.

CCE-2845-6
The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\NetDDE should be assigned.

CCE-2175-8
The required permissions for the file %SystemRoot%\regedit.exe should be assigned.

CCE-2723-5
the "System settings: Use Certificate Rules on Windows Executables for Software Restriction Polices" setting should be configured correctly.

CCE-2954-6
Standard Profile: Allow remote administration exception (SP2 only)

CCE-2625-2
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings should be assigned.

CCE-2810-0
The "synchronize directory service data" user right should be assigned to the correct accounts.

CCE-2856-3
Restricted Groups have been set on the system

CCE-3006-4
The system log maximum size should be configured correctly..

CCE-3107-0
This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right Users who can create global objects could affect processes that run under other users' ...

CCE-2944-7
This policy setting determines whether users can increase the base priority class of a process. (It is not a privileged operation to increase relative priority within a priority class.) This user right is not required by administrative tools that are supplied with the operating system but might be r ...

CCE-2948-8
This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on any computer in a high security environment, but because many applications may require this privilege, it should be carefully evaluated ...

CCE-7583-8
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Block (default) .

CCE-2344-0
This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote clien ...

CCE-8440-0
This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy. Countermeasure: Disable this setting to override firewall rules created locally by administrators. Potential Impact: If you conf ...

CCE-2949-6
This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they already provided the password in the Remote Desktop Connecti ...

CCE-2786-2
This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer. Countermeasure: Restrict the Create a page file user right to members of the Administrators ...

CCE-8364-2
This policy setting causes the run list, which is a list of programs that Windows runs automatically when it starts, to be ignored. The customized run lists for Windows Vista are stored in the registry at the following locations: - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ru ...

CCE-2799-5
This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certai ...

CCE-2547-8
This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) attack. Countermeasure: Restri ...

CCE-7598-6
This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all secure channel traffic. If you disable this policy setting, the domain m ...

CCE-2213-7
MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged Countermeasure: Enable and configure this setting. Potential Impact: Incorrect configuration can lead to DoS attacks having a larger affect on the server.

CCE-5032-8
This policy setting ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system st ...

CCE-3009-8
This policy setting determines whether a portable computer can be undocked if the user does not log on to the system. Enable this policy setting to eliminate a Logon requirement and allow use of an external hardware eject button to undock the computer. If you disable this policy setting, a user must ...

CCE-2792-0
This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies.Note: This security setting does not apply to the System, Local Service, or N ...

CCE-2807-6
This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if System Monitor is configured ...

CCE-2814-2
This policy setting determines whether users can log on as Terminal Services clients. After the baseline member server is joined to a domain environment, there is no need to use local accounts to access the server from the network. Domain accounts can access the server for administration and end-use ...

CCE-3040-3
This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. Note: that this setting will have no impact when applied to the domain controller organizational unit via group policy because domain ...

CCE-2882-9
This policy setting allows accounts to log on using the task scheduler service. Because the task scheduler is often used for administrative purposes, it may be needed in enterprise environments. However, its use should be restricted in high security environments to prevent misuse of system resources ...

CCE-1978-6
This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environments, there should be no need for remote users to access data on a computer. Instead, file sharing should be acc ...

CCE-3139-3
This policy setting, which determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours, affects the SMB component. If you enable this policy setting, client sessions with the SMB server will be disconnected when the client's logon hou ...

CCE-2846-4
This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment. Users who are assigned this user right can affect the appearance of event logs. When a computer's time setting is changed, logged events reflect the new time ...

CCE-2737-5
The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user. If this user right is required for this kind of impersonation, an unauthorized user will not be able to convince a client to connect-for ...

CCE-3273-0
This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality includ ...

CCE-3186-4
The "Interactive logon: Requre smart card" setting should be configured correctly.

CCE-2916-5
This entry appears as MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) in the Group Policy Object Editor. This entry causes TCP to adjust retransmission of SYN-ACKs. When you configure this entry, the overhead of incomplete transmissions in a connect request (SYN) attack is ...

CCE-3004-9
This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and assign it this user right through Group Policy. ...

CCE-2167-5
This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. Countermeasure: Restrict the Act as part of the operating system user right to as few accounts as possible-it should not even be assigned to the A ...

CCE-2239-2
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) Countermeasure: Configure the MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) entry to a value of 3. The possible ...

CCE-2735-9
This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user's full name that exceed two consecutive chara ...

CCE-2994-2
This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default settin ...

CCE-2952-0
This entry appears as MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) in the Local Group Policy Editor. You can configure a computer so that it does not send announcements to browsers on the domain. If you do, you hide the computer from the Ne ...

CCE-2864-7
This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be assigned this user ...

CCE-2886-0
This policy setting allows users to shut down Windows Vista-based computers from remote locations on the network. Anyone who has been assigned this user right can cause a denial of service (DoS) condition, which would make the computer unavailable to service user requests. Therefore, Microsoft recom ...

CCE-2920-7
This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this policy setting is 42 days. Because attackers can crack passwords, the m ...

CCE-2021-4
This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user. Countermeasure: Ensure that only the local Administrators group has ...

CCE-2923-1
Use this option to specify the path and name of the file in which Windows Firewall will write its log information. Countermeasure: Configure this policy setting to a value suitable for your organization, such as the default value of "%SYSTEMROOT%\System32\LogFiles\firewall\domainfw.log. P ...

CCE-2958-7
Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state ...

CCE-2829-0
This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Services or IIS also require ...

CCE-2898-5
This policy setting determines which accounts will not be able to log on to the computer as a batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. Accounts that use the Task Scheduler to schedule jobs need this user right. The Deny log on as a batch job user right ov ...

CCE-2379-6
This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). Countermeasure: Restrict th ...

CCE-2335-8
This policy setting allows the user of a portable computer to click Eject PC on the Start menu to undock the computer. Countermeasure: Ensure that only the local Administrators group and the user account to which the computer is allocated are assigned the Remove computer from docking station us ...

CCE-2791-2
This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer. Countermeasure: Restrict the Create a page file user right to members of the Administrators ...

CCE-2657-5
This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values and could lead to a hardware failure that would result in a denial of servic ...

CCE-2926-4
LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, th ...

CCE-2247-5
This policy setting determines which users can change the auditing options for files and directories and clear the Security log. Countermeasure: Ensure that only the local Administrators group has the Manage auditing and security log user right. Potential Impact: None. This is the default ...

CCE-2366-3
This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition. Countermeasure: Ensure that only Administrators and Bac ...

CCE-2986-8
This policy setting determines the number of failed logon attempts before a lock occurs. Authorized users can lock themselves out of an account by mistyping their password or by remembering it incorrectly, or by changing their password on one computer while logged on to another computer. The compute ...

CCE-5014-6
This policy setting specifies whether Windows will search Windows Update for device drivers when no local drivers for a device are present. Note: See also Turn off Windows Update device driver search prompt in Administrative Templates/System, which governs whether an administrator is prompted b ...

CCE-2439-8
This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days. Counte ...

CCE-2710-2
Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. You can enable the Turn off Autoplay set ...

CCE-2965-2
Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. Countermeasure: Configure this policy setting to "Yes&quo ...

CCE-8147-1
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default) .

CCE-2675-7
This policy setting allows users to use tools to view the performance of different system processes, which could be abused to allow attackers to determine a system's active processes and provide insight into the potential attack surface of the computer. Countermeasure: Ensure that only the loca ...

CCE-2972-8
This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. Countermeasure: Disable this setting to prevent the client from receiving unicast responses. Potential Impact: If you enable this setting and this ...

CCE-2806-8
This policy setting allows users who do not have the Traverse Folder access permission to pass through folders when they browse an object path in the NTFS file system or the registry. This user right does not allow users to list the contents of a folder. Countermeasure: Organizations that are e ...

CCE-2767-2
This policy setting determines which users or processes can generate audit records in the Security log. Countermeasure: Ensure that only the Service and Network Service accounts have the Generate security audits user right assigned to them. Potential Impact: None. This is the default confi ...

CCE-3058-5
This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Cl ...

CCE-2407-5
Specifies whether to disable the administrator rights to customize security permissions in the Remote Desktop Session Host Configuration tool. You can use this setting to prevent administrators from making changes to the user groups on the Permissions tab in the Remote Desktop Session Host Conf ...

CCE-2444-8
MSS: (DisableSavePassword) Prevent the dial-up password from being saved (recommended) Countermeasure: Enable this setting. Potential Impact: Users will need to retype their password each time a dial-up connection is made.

CCE-2955-3
This policy setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use setting is in effect. If you enable both policies, an audit event will be generated for every file that is backed up or restored. If the Audit: Audit the us ...

CCE-2419-0
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) Countermeasure: Configure the MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) entry ...

CCE-3090-8
Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. Countermeasure: Configure this policy setting to "Yes". Pote ...

CCE-2981-9
This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'pass phrase' is a better term than 'password.' In Microsoft Windows 2000 or la ...

CCE-2847-2
This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows Vista in your environment. This user right also determines which users can set valid security principa ...

CCE-2299-6
This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programming interface (API). Otherwise, t ...

CCE-2446-3
This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. This user right is required for users to add local printers or printer drivers in Windows Vista. Coun ...

CCE-2700-3
This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.Important:If you apply this security policy to the Everyone group, no one will be able to log o ...

CCE-1969-5
This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right. Countermeasure: Do not assign the Create permanent ...

CCE-2609-6
This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned, significant degradation of system performance can occur. Countermeasure: Do not assign the Lock pages in memory user ri ...

CCE-2860-5
This security setting determines which user accounts can call the CreateProcessAsUser() application programming interface (API) so that one service can start another. An example of a process that uses this user right is Task Scheduler. For information about Task Scheduler, see Task Scheduler overvie ...

CCE-2960-3
This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-of-service condition. Countermeasure: Ensure that only the local Administrators group is assigned the Perform volume maintena ...

CCE-3025-4
The built-in local guest account is another well-known name to attackers. Microsoft recommends to rename this account to something that does not indicate its purpose. Even if you disable this account, which is recommended, ensure that you rename it for added security. Note: This policy setting is n ...

CCE-2804-3
This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the workstations in your environment. The Network access ...

CCE-3053-6
This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent "man-in-the-m ...

CCE-2701-1
This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn users when their passwords will expire. Countermeasure: Configure the Interactive logon: Prompt user to ...

CCE-3049-4
Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encryption. Microsoft recommends that you disable this policy setting unless there is a strong business case to enable it. If this ...

CCE-2928-0
This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, lo ...

CCE-2147-7
This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections cannot enumerate domain account user names on the workstations in your environment. This policy setting al ...

CCE-3156-7
This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certai ...

CCE-3036-1
This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. Note: It can be very dangerous to add oth ...

CCE-3155-9
This policy setting determines which registry paths and sub-paths will be accessible when an application or process references the WinReg key to determine access permissions. Note: In Windows XP this setting is called "Network access: Remotely accessible registry paths," the setting w ...

CCE-2834-0
When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to sha ...

CCE-3110-4
This security setting determines what additional permissions are granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrat ...

CCE-3027-0
This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle ...

CCE-2466-1
This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setti ...

CCE-3150-0
This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. Note: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, ...

CPE    1
cpe:/o:microsoft:windows_xp
*XCCDF
xccdf_org.secpod_benchmark_nerc_cip_Windows_XP
OVAL    425
oval:gov.nist.usgcb.xp:def:6121
oval:gov.nist.usgcb.xp:def:6122
oval:gov.nist.usgcb.xp:def:6596
oval:gov.nist.usgcb.xp:def:6119
...

© SecPod Technologies