Download
| Alert*
oval:org.secpod.oval:def:8738
The User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop setting should be configured correctly. This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevat ... oval:org.secpod.oval:def:8825 The 'Network access: Remotely accessible registry paths' setting should be configured correctly. oval:org.secpod.oval:def:8836 The Network security: LAN Manager authentication level setting should be configured correctly. LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sh ... oval:org.secpod.oval:def:8839 The System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) setting should be configured correctly. This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be l ... oval:org.secpod.oval:def:8789 The Network security: Allow LocalSystem NULL session fallback setting should be configured correctly. Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Fix: (1) GPO: Computer Configuration\Windows Settings\Security ... oval:org.secpod.oval:def:8782 The User Account Control: Detect application installations and prompt for elevation setting should be configured correctly. This policy setting controls the behavior of application installation detection for the computer. The options are: * Enabled: (Default for home) When an application installati ... oval:org.secpod.oval:def:8762 The User Account Control: Run all administrators in Admin Approval Mode setting should be configured correctly. This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The option ... oval:org.secpod.oval:def:8777 The Domain member: Disable machine account password changes setting should be configured correctly. This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its ... oval:org.secpod.oval:def:8898 The Maximum Log Size (KB) machine setting should be configured correctly for the setup log. maximum size (in bytes) of setup log" Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup\Maximum Log Size (KB) (2) KEY: HKLM\SOFTWARE\Policies\Mi ... oval:org.secpod.oval:def:8774 The MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) setting should be configured correctly. The registry value entry PerformRouterDiscovery was added to the template file in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\T ... oval:org.secpod.oval:def:8878 The Enumerate administrator accounts on elevation machine setting should be configured correctly. By default administrator accounts are not displayed when attempting to elevate a running application. If you enable this policy setting, all local administrator accounts on the machine will be displaye ... oval:org.secpod.oval:def:8853 The Turn off Internet download for Web publishing and online ordering wizards machine setting should be configured correctly. Specifies whether Windows should download a list of providers for the Web publishing and online ordering wizards. These wizards allow users to select from a list of companie ... oval:org.secpod.oval:def:8776 The MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) setting should be configured correctly. The registry value entry SafeDllSearchMode was added to the template file in the HKEY_LOCAL_MACHINE\\ SYSTEM\\CurrentControlSet\\Control\\Session Manager\\ registry key. The entry appears ... oval:org.secpod.oval:def:8926 The Accounts: Limit local account use of blank passwords to console logon only setting should be configured correctly. This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable t ... oval:org.secpod.oval:def:8899 The Solicited Remote Assistance machine setting should be configured correctly. This policy setting allows you to enable or disable Solicited (Ask for) Remote Assistance on this computer. If you enable this policy, users on this computer can use e-mail or file transfer to ask someone for help. Also ... oval:org.secpod.oval:def:8877 The Default behavior for AutoRun machine setting should be configured correctly. Sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an ... oval:org.secpod.oval:def:8874 The Turn off printing over HTTP machine setting should be configured correctly. Specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. Note: This setting affects the client side of Internet pri ... oval:org.secpod.oval:def:8858 The Maximum Log Size (KB) machine setting should be configured correctly for the system log. This policy requires Windows Vista or later versions of Windows. This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum ... oval:org.secpod.oval:def:8757 The MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers setting should be configured correctly. The registry value entry NoNameReleaseOnDemand was added to the template file in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\ ... oval:org.secpod.oval:def:8895 The Set client connection encryption level machine setting should be configured correctly. Specifies whether to require the use of a specific encryption level to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this se ... oval:org.secpod.oval:def:8754 The Audit: Audit the use of Backup and Restore privilege setting should be configured correctly. This policy setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use setting is in effect. If you enable both policies, an audit eve ... oval:org.secpod.oval:def:8866 The Always prompt for password upon connection machine setting should be configured correctly. Specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, e ... oval:org.secpod.oval:def:8780 The System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing setting should be configured correctly. This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA ci ... oval:org.secpod.oval:def:8796 The Network Security: Allow PKU2U authentication requests to this computer to use online identities setting should be configured correctly. Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate dec ... oval:org.secpod.oval:def:8808 The MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) setting should be configured correctly. This entry appears as MSS: (DisableIPSourceRouting) IPv6 source routing protection level (protects against packet spoofing) in the SCE. IP source rout ... oval:org.secpod.oval:def:8766 The RPC Endpoint Mapper Client Authentication machine setting should be configured correctly. Enabling this setting directs RPC Clients that need to communicate with the Endpoint Mapper Service to authenticate as long as the RPC call for which the endpoint needs to be resolved has authentication in ... oval:org.secpod.oval:def:8747 The Interactive logon: Smart card removal behavior setting should be configured correctly. This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are: * No Action * Lock Workstation * Force Logoff * Disconnect if a r ... oval:org.secpod.oval:def:8894 The Require a Password When a Computer Wakes (Plugged In) machine setting should be configured correctly. Specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable this policy, or if it is not configured, the user is prompted for a password when ... oval:org.secpod.oval:def:8818 The User Account Control: Only elevate executables that are signed and validated setting should be configured correctly. This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can ... oval:org.secpod.oval:def:8710 The MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. setting should be configured correctly. The registry value entry NoDefaultExempt was added to the template file in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\IPSEC\\ registry key. The entry ... oval:org.secpod.oval:def:8908 The Turn off the Windows Messenger Customer Experience Improvement Program machine setting should be configured correctly. Specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. With the Customer Experience Improvement program, u ... oval:org.secpod.oval:def:8767 The MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) setting should be configured correctly. The registry value entry DisableIPSourceRouting was added to the template file in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Param ... oval:org.secpod.oval:def:8723 The Network access: Do not allow storage of passwords and credentials for network authentication setting should be configured correctly. This policy setting determines whether the Stored User Names and Passwords feature may save passwords or credentials for later use when it gains domain authentica ... oval:org.secpod.oval:def:8737 The MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes setting should be configured correctly. The registry value entry EnableICMPRedirect was added to the template file in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\ registry key. T ... oval:org.secpod.oval:def:8769 The MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) setting should be configured correctly. The registry value entry AutoAdminLogon was added to the template file in the HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ registry key. The entry appears as ... oval:org.secpod.oval:def:8916 The Turn off Data Execution Prevention for Explorer machine setting should be configured correctly. This policy setting allows you to turn off the Data Execution Prevention feature for Internet Explorer on Windows Server 2008, Windows Vista SP1 and Windows XP SP3. If you enable this policy setting, ... oval:org.secpod.oval:def:8850 The Set time limit for disconnected sessions machine setting should be configured correctly. This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session ... oval:org.secpod.oval:def:8809 The Turn off Search Companion content file updates machine setting should be configured correctly. Specifies whether Search Companion should automatically download content updates during local and Internet searches. When the user searches the local machine or the Internet, Search Companion occasion ... oval:org.secpod.oval:def:8814 The Enable user control over installs machine setting should be configured correctly. Permits users to change installation options that typically are available only to system administrators. This setting bypasses some of the security features of Windows Installer. It permits installations to comple ... oval:org.secpod.oval:def:8840 The MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning setting should be configured correctly. The registry value entry WarningLevel was added to the template file in the HKEY_LOCAL_MACHINE\\ SYSTEM\\CurrentControlSet\\Services\\Eventlog\ ... oval:org.secpod.oval:def:8792 The Network access: Sharing and security model for local accounts setting should be configured correctly. This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign ... oval:org.secpod.oval:def:8823 The MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) setting should be configured correctly. The registry value entry TCPMaxDataRetransmissions was added to the template file in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Serv ... oval:org.secpod.oval:def:8715 The User Account Control: Switch to the secure desktop when prompting for elevation setting should be configured correctly. This policy setting controls whether the elevation request prompt is displayed on the interactive users desktop or the secure desktop. The options are: * Enabled: (Default) Al ... oval:org.secpod.oval:def:8763 The Prevent the computer from joining a homegroup machine setting should be configured correctly. By default, users can add their computer to a homegroup on a home network. If you enable this policy setting, a user on this computer will not be able to add this computer to a homegroup. This setting ... oval:org.secpod.oval:def:8815 Administrators may create symbolic links oval:org.secpod.oval:def:8746 The User Account Control: Only elevate UIAccess applications that are installed in secure locations setting should be configured correctly. This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure lo ... oval:org.secpod.oval:def:8756 The Recovery console: Allow floppy copy and access to all drives and all folders setting should be configured correctly. This policy setting makes the Recovery Console SET command available, which allows you to set the following recovery console environment variables: * AllowWildCards. Enables wild ... oval:org.secpod.oval:def:8731 The Shutdown: Allow system to be shut down without having to log on setting should be configured correctly. This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon scre ... oval:org.secpod.oval:def:8915 The Require a Password When a Computer Wakes (On Battery) machine setting should be configured correctly. Specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable this policy, or if it is not configured, the user is prompted for a password when ... oval:org.secpod.oval:def:8785 The MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) setting should be configured correctly. The registry value entry TCPMaxDataRetransmissions for IPv6 was added to the template file in the HKEY_LOCAL_MACHINE\\System\\CurrentCo ... oval:org.secpod.oval:def:8819 The Interactive logon: Number of previous logons to cache (in case domain controller is not available) setting should be configured correctly. This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be ... oval:org.secpod.oval:def:8855 The Maximum Log Size (KB) machine setting should be configured correctly for the application log. This policy requires Windows Vista or later versions of Windows. This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the ma ... oval:org.secpod.oval:def:8803 The User Account Control: Virtualize file and registry write failures to per-user locations setting should be configured correctly. This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates application ... oval:org.secpod.oval:def:8876 The Turn off Autoplay for non-volume devices machine setting should be configured correctly. If this policy is enabled, autoplay will not be enabled for non-volume devices like MTP devices. If you disable or not configure this policy, autoplay will continue to be enabled for non-volume devices. F ... oval:org.secpod.oval:def:8845 The System cryptography: Force strong key protection for user keys stored on the computer setting should be configured correctly. This policy setting determines whether users private keys (such as their S-MIME keys) require a password to be used. If you configure this policy setting so that users m ... oval:org.secpod.oval:def:8822 The Network access: Restrict anonymous access to Named Pipes and Shares setting should be configured correctly. When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network ... oval:org.secpod.oval:def:8880 The Set time limit for active but idle Remote Desktop Services sessions machine setting should be configured correctly. This policy setting allows you to specify the maximum amount of time that an active Terminal Services session can be idle (without user input) before it is automatically disconnec ... oval:org.secpod.oval:def:8768 The Deny access to this computer from the network user right should be assigned to the appropriate accounts. This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environmen ... oval:org.secpod.oval:def:8844 The Maximum Log Size (KB) machine setting should be configured correctly for the secirity log. This policy requires Windows Vista or later versions of Windows. This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maxim ... oval:org.secpod.oval:def:8797 The Network Security: Configure encryption types allowed for Kerberos setting should be configured correctly. Certain encryption types are no longer considered secure. This setting configures a minimum encryption type for Kerberos, preventing the use of the DES encryption suites. This policy is sup ... oval:org.secpod.oval:def:8773 The Minimum password age setting should be configured correctly. The Minimum password age policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or ... oval:org.secpod.oval:def:8842 The User Account Control: Admin Approval Mode for the Built-in Administrator account setting should be configured correctly. This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: * Enabled: The built-in Administrator account uses A ... oval:org.secpod.oval:def:8729 The Recovery console: Allow automatic administrative logon setting should be configured correctly. The recovery console is a command-line environment that is used to recover from system problems. If you enable this policy setting, the administrator account is automatically logged on to the recovery ... oval:org.secpod.oval:def:8861 The Allow remote access to the Plug and Play interface machine setting should be configured correctly. This policy setting allows you to allow or deny remote access to the Plug and Play interface. Fix: (1) GPO: Computer Configuration\Administrative Templates\System\Device Installation\Allow remot ... oval:org.secpod.oval:def:8925 The Accounts: Guest account status setting should be configured correctly. This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. Note that this setting will have no impact when applied to ... oval:org.secpod.oval:def:7902 The Maximum password age setting should be configured correctly. This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this polic ... oval:org.secpod.oval:def:7899 This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon at ... oval:org.secpod.oval:def:7897 The Enforce password history setting should be configured correctly. This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The ... oval:org.secpod.oval:def:7901 The Password must meet complexity requirements policy should be set correctly. This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: * Not contain the users ... oval:org.secpod.oval:def:7706 The time in seconds before the screen saver grace period expires (ScreenSaverGracePeriod) setting should be configured correctly. The registry value entry ScreenSaverGracePeriod was added to the template file in the HKEY_LOCAL_MACHINE\\SYSTEM\\Software\\Microsoft\\ Windows NT\\CurrentVersion\\Winlo ... oval:org.secpod.oval:def:18960 The Retain old events machine setting should be configured correctly for the application log. This policy setting controls Event Log behavior when the log file reaches its maximum size. Old events may or may not be retained according to the Backup log automatically when full policy setting. Fix: ... oval:org.secpod.oval:def:7900 The Minimum password length setting should be configured correctly. This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps pass phras ... oval:org.secpod.oval:def:18942 The Deny log on through Remote Desktop Services user right should be assigned to the appropriate accounts. This policy setting determines whether users can log on as Terminal Services clients. After the baseline member server is joined to a domain environment, there is no need to use local accounts ... oval:org.secpod.oval:def:8755 The Devices: Allowed to format and eject removable media setting should be configured correctly. This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on anothe ... oval:org.secpod.oval:def:8772 The Deny log on locally user right should be assigned to the appropriate accounts. This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.Important:I ... oval:org.secpod.oval:def:8841 The User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode setting should be configured correctly. This policy setting controls the behavior of the elevation prompt for administrators. The options are: * Elevate without prompting: Allows privileged accounts ... oval:org.secpod.oval:def:8787 The User Account Control: Behavior of the elevation prompt for standard users setting should be configured correctly. This policy setting controls the behavior of the elevation prompt for standard users. The options are: * Prompt for credentials: When an operation requires elevation of privilege, t ... oval:org.secpod.oval:def:8793 The Network security: Do not store LAN Manager hash value on next password change setting should be configured correctly. This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to a ... oval:org.secpod.oval:def:8837 The System objects: Require case insensitivity for non-Windows subsystems setting should be configured correctly. This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivit ... oval:org.secpod.oval:def:8716 The Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting should be configured correctly. This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy setti ... oval:org.secpod.oval:def:8788 The Interactive logon: Do not require CTRL+ALT+DEL setting should be configured correctly. This policy setting determines whether users must press CTRL+ALT+DEL before they log on. If you enable this policy setting, users can log on without this key combination. If you disable this policy setting, u ... oval:org.secpod.oval:def:8848 The Reset account lockout counter after setting should be configured correctly. This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset ti ... oval:org.secpod.oval:def:8751 The Network security: LDAP client signing requirements setting should be configured correctly. This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests, as follows: * None. The LDAP BIND request is issued with the caller-specified ... oval:org.secpod.oval:def:8724 The Network access: Let Everyone permissions apply to anonymous users setting should be configured correctly. This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to ... oval:org.secpod.oval:def:8812 The Domain member: Maximum machine account password age setting should be configured correctly. This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interv ... oval:org.secpod.oval:def:8711 The Network access: Do not allow anonymous enumeration of SAM accounts setting should be configured correctly. This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connec ... oval:org.secpod.oval:def:8791 The Network access: Shares that can be accessed anonymously setting should be configured correctly. This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated ... oval:org.secpod.oval:def:8744 The Network access: Do not allow anonymous enumeration of SAM accounts and shares setting should be configured correctly. This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to e ... oval:org.secpod.oval:def:18793 The Configure use of passwords for removable data drives machine setting should be configured correctly. This policy setting specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow use of a password, you can require a password to be used, ... oval:org.secpod.oval:def:19537 The Choose how BitLocker-protected operating system drives can be recovered machine setting should be configured correctly. This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy set ... oval:org.secpod.oval:def:19090 The Deny write access to removable drives not protected by BitLocker machine setting should be configured correctly. This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all remo ... oval:org.secpod.oval:def:19627 The Require 128-bit encryption option for the Network security: Minimum session security for NTLM SSP based (including secure RPC) servers setting should be enabled or disabled as appropriate. This security setting allows a server to require the negotiation of message confidentiality (encryption), ... oval:org.secpod.oval:def:18895 The Devices: Restrict CD-ROM access to locally logged-on user only setting should be configured correctly. This policy setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed ... oval:org.secpod.oval:def:19624 The Require 128-bit encryption option for the Network security: Minimum session security for NTLM SSP based (including secure RPC) clients setting should be enabled or disabled as appropriate. This policy setting determines which behaviors are allowed for applications using the NTLM Security Suppor ... oval:org.secpod.oval:def:18773 The Retain old events machine setting should be configured correctly for the setup log. This policy setting controls Event Log behavior when the log file reaches its maximum size. Old events may or may not be retained according to the Backup log automatically when full policy setting. Fix: (1) GP ... oval:org.secpod.oval:def:19198 The Turn off Data Execution Prevention for HTML Help Executible machine setting should be configured correctly. This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced DEP. DEP is designed to block malicious code that takes advantage of exception-han ... oval:org.secpod.oval:def:19508 The Do not process the run once list machine setting should be configured correctly. Ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added ... oval:org.secpod.oval:def:19441 The Server Authentication Certificate Template machine setting should be configured correctly. This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is neede ... oval:org.secpod.oval:def:19444 The Allow Standby States (S1-S3) When Sleeping (On Battery) machine setting should be configured correctly. Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy ... oval:org.secpod.oval:def:19456 The Allow users to connect remotely using Remote Desktop Services machine setting should be configured correctly. This policy setting allows you to configure remote access to computers using Remote Desktop Services. If you enable this policy setting, users who are members of the Remote Desktop User ... oval:org.secpod.oval:def:19210 The Configure minimum PIN length for startup machine setting should be configured correctly. This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum l ... oval:org.secpod.oval:def:19452 The Allow Remote Shell Access machine setting should be configured correctly. Configures access to remote shells. If you enable this policy setting and set it to False, new remote shell connections will be rejected by the server. If you disable or do not configure this policy setting, new remote sh ... oval:org.secpod.oval:def:19439 The Choose drive encryption method and cipher strength machine setting should be configured correctly. This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption ... oval:org.secpod.oval:def:19433 The Configure TPM platform validation profile machine setting should be configured correctly. This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer ... oval:org.secpod.oval:def:18836 The Deny log on as a batch job user right should be assigned to the appropriate accounts. This policy setting determines which accounts will not be able to log on to the computer as a batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. Accounts that use the Task Sc ... oval:org.secpod.oval:def:19366 The Allow access to BitLocker-protected removable data drives from earlier versions of Windows machine setting should be configured correctly. This policy setting configures whether or not removable data drives formatted with the FAT file system can be unlocked and viewed on computers running Windo ... oval:org.secpod.oval:def:19361 The Deny write access to fixed drives not protected by BitLocker machine setting should be configured correctly. This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker. If ... oval:org.secpod.oval:def:19483 The Require additional authentication at startup machine setting should be configured correctly. This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard will be able to set up an additional authentication method that is required each time the computer starts. T ... oval:org.secpod.oval:def:19480 The Prevent memory overwrite on restart machine setting should be configured correctly. This policy setting controls computer restart performance at the risk of exposing BitLocker secrets. This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material used to encr ... oval:org.secpod.oval:def:19255 The Validate smart card certificate usage rule compliance machine setting should be configured correctly. This policy setting allows you to associate an object identifier from a smart card certificate to a BitLocker-protected drive. This policy setting is applied when you turn on BitLocker. The obj ... oval:org.secpod.oval:def:19499 The Choose how BitLocker-protected removable drives can be recovered machine setting should be configured correctly. This policy setting allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. This policy setting is applied when ... oval:org.secpod.oval:def:18839 The Allow enhanced PINs for startup machine setting should be configured correctly. This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, number ... oval:org.secpod.oval:def:19581 The Configure use of passwords for fixed data drives machine setting should be configured correctly. This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to permit the use of a password, you can require that a password be used, ... oval:org.secpod.oval:def:19595 The Configure use of smart cards on removable data drives machine setting should be configured correctly. This policy setting allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer. If you enable this policy setti ... oval:org.secpod.oval:def:19233 The Control use of BitLocker on removable drives machine setting should be configured correctly. This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker. When this policy setting is enabled you can select property setting ... oval:org.secpod.oval:def:19600 The Always install with elevated privileges machine setting should be configured correctly. Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs th ... oval:org.secpod.oval:def:19164 The Provide the unique identifiers for your organization machine setting should be configured correctly. This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed ... oval:org.secpod.oval:def:18886 The MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) setting should be configured correctly. The registry value entry Hidden was added to the template file in the HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Lanmanserver\\Parameter ... oval:org.secpod.oval:def:18883 The Audit: Shut down system immediately if unable to log security audits setting should be configured correctly. This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Co ... oval:org.secpod.oval:def:19295 The Allow access to BitLocker-protected fixed data drives from earlier versions of Windows machine setting should be configured correctly. This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Serve ... oval:org.secpod.oval:def:19172 The Choose how BitLocker-protected fixed drives can be recovered machine setting should be configured correctly. This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn ... oval:org.secpod.oval:def:18733 The Domain member: Digitally sign secure channel data (when possible) setting should be configured correctly. This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect ... oval:org.secpod.oval:def:18853 The Retain old events machine setting should be configured correctly for the security log. This policy setting controls Event Log behavior when the log file reaches its maximum size. Old events may or may not be retained according to the Backup log automatically when full policy setting. Fix: (1) ... oval:org.secpod.oval:def:19029 The Shutdown: Clear virtual memory pagefile setting should be configured correctly. This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down pr ... oval:org.secpod.oval:def:18867 The Interactive logon: Require Domain Controller authentication to unlock workstation setting should be configured correctly. Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting ... oval:org.secpod.oval:def:18746 Rights to access DCOM applications should be assigned as appropriate. This policy setting determines which users or groups might access DCOM application remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications. You can use this policy setting to ... oval:org.secpod.oval:def:8875 The Require secure RPC communication machine setting should be configured correctly. Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication ... oval:org.secpod.oval:def:19034 The Retain old events machine setting should be configured correctly for the system log. This policy setting controls Event Log behavior when the log file reaches its maximum size. Old events may or may not be retained according to the Backup log automatically when full policy setting. Fix: (1) G ... oval:org.secpod.oval:def:19155 The Configure use of smart cards on fixed data drives machine setting should be configured correctly. This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer. If you enable this policy setting s ... oval:org.secpod.oval:def:19158 The Do not process the legacy run list machine setting should be configured correctly. Ignores the customized run list. You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 ... oval:org.secpod.oval:def:7898 The Account lockout duration setting should be configured correctly. This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain un ... oval:org.secpod.oval:def:8833 The Microsoft network server: Digitally sign communications (if client agrees) setting should be configured correctly. This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no sig ... oval:org.secpod.oval:def:8739 The Domain member: Require strong (Windows 2000 or later) session key setting should be configured correctly. When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. ... oval:org.secpod.oval:def:8779 The Interactive logon: Do not display last user name setting should be configured correctly. This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computers respective Windows logon screen. Enable th ... oval:org.secpod.oval:def:8795 The Microsoft network client: Send unencrypted password to third-party SMB servers setting should be configured correctly. Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encrypt ... oval:org.secpod.oval:def:8824 The Network access: Named Pipes that can be accessed anonymously setting should be configured correctly. This policy setting determines which communication sessions, or pipes, have attributes and permissions that allow anonymous access. Fix: (1) GPO: Computer Configuration\Windows Settings\Securi ... |