Download
| Alert*
|
oval:org.secpod.oval:def:79552
This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. If you enable this setting, removable drives will be scanned during any type of scan. If you ... oval:org.secpod.oval:def:79583 This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Compute ... oval:org.secpod.oval:def:79257 Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note: When the Apply local firewall rules setting is configured to No, Microsoft recommends also configuring the Display a notificat ... oval:org.secpod.oval:def:79793 This policy setting allows you to require a pin for pairing. If you set this to 'Never', a pin isn't required for pairing. If you set this to 'First Time', the pairing ceremony for new devices will always require a PIN. If you set this to 'Always', all pairings will require PIN. Fix: (1) GPO: ... oval:org.secpod.oval:def:79574 This policy setting permits users to change installation options that typically are available only to system administrators. If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted du ... oval:org.secpod.oval:def:79751 This policy setting blocks applications from using the network to send notifications to update tiles, tile badges, toast, or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This policy setting also stops applications fr ... oval:org.secpod.oval:def:79725 This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default) . Fix: (1) GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows ... oval:org.secpod.oval:def:79705 This security setting determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution Assigning this user right can be a security risk. Since owners of objects have full ... oval:org.secpod.oval:def:79832 This policy setting allows Web-based programs to install software on the computer without notifying the user. If you disable or do not configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows t ... oval:org.secpod.oval:def:79778 Manages non-Administrator users' ability to install Windows app packages. If you enable this policy, non-Administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Admin ... oval:org.secpod.oval:def:79624 This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: Job created. Job deleted. Job enabled. Job disabled. Job updated. For COM+ objects, the following are audited: Ca ... oval:org.secpod.oval:def:79265 Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. Counter Measure: Configure this policy setting to Yes. Poten ... oval:org.secpod.oval:def:79673 This security setting determines which users can use performance monitoring tools to monitor the performance of system processes. Default: Administrators. Counter Measure: Ensure that only the local Administrators group is assigned the Profile system performance user right. Potential Impact: ... oval:org.secpod.oval:def:79670 This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. Note: This security setting does not apply to the System, Local Service, or ... oval:org.secpod.oval:def:79828 This policy specifies whether the widgets feature is allowed on the device. Widgets will be turned on by default unless you change this in your settings. If you turned this feature on before, it will stay on automatically unless you turn it off. Fix: (1) GPO: Computer Configuration\Administrative ... oval:org.secpod.oval:def:79805 This setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. This applies both to existing users of a device ... oval:org.secpod.oval:def:79348 Devices: Prevent users from installing printer drivers when connecting to shared printers For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of c ... oval:org.secpod.oval:def:79677 This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users. For information about how to ... oval:org.secpod.oval:def:79623 This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights). The following privileges are non-sensitive: Access Credential Manager as a trusted caller. Access this computer from the network. Add workstations to domain. ... oval:org.secpod.oval:def:79702 This security setting determines whether to disconnect users who are connected to the local computer outside their user accounts valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB server to be forcibl ... oval:org.secpod.oval:def:79836 This policy setting enables or disables clipboard sharing with the sandbox. If you enable this policy setting, copy and paste between the host and Windows Sandbox are permitted. If you disable this policy setting, copy and paste in and out of Sandbox will be restricted. If you do not configure t ... oval:org.secpod.oval:def:79731 This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default) . Fix: (1) GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows ... oval:org.secpod.oval:def:79568 This policy setting controls Event Log behavior when the log file reaches its maximum size. Counter Measure: Configure this setting to Disabled. Potential Impact: If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. ... oval:org.secpod.oval:def:79833 This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you enable this policy setting, Windows PowerShell will log the processing of commands, script blocks, functions, and scripts - whether invoked interactively, or through a ... oval:org.secpod.oval:def:79732 This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The recommended state for this setting is: Allow (default) . Fix: (1) GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows ... oval:org.secpod.oval:def:79562 Specifies whether or not the user is prompted for a password when the system resumes from sleep. Counter Measure: Configure Require a Password When a Computer Wakes (On Battery) to Enabled. Potential Impact: If you enable this policy, or if it is not configured, the user is prompted for a ... oval:org.secpod.oval:def:79667 This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities. Counter Measure: Configure this user right so that no account ... oval:org.secpod.oval:def:79534 Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7. Counter Measure: Configure Network security: Allow LocalSystem NULL session fallback to Disabled. Potential Impact: Any applications that require NULL s ... oval:org.secpod.oval:def:79807 Set the state for each Attack Surface Reduction (ASR) rule. After enabling this setting, you can set each rule to the following in the Options section: - Block: the rule will be applied - Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not ac ... oval:org.secpod.oval:def:79678 This privilege determines if the user can create a symbolic link from the computer he is logged on to. Default: Administrator WARNING: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that arent designed to handle them. Note ... oval:org.secpod.oval:def:79790 This policy setting allow the use of Camera devices on the machine. If you enable or do not configure this policy setting, Camera devices will be enabled. If you disable this property setting, Camera devices will be disabled. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windo ... oval:org.secpod.oval:def:79418 Use this option to specify the path and name of the file in which Windows Firewall will write its log information. Counter Measure: Configure this policy setting to a value suitable for your organization, such as the default value of %SYSTEMROOT%\System32\LogFiles\firewall\domainfw.log. Poten ... oval:org.secpod.oval:def:79759 Turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. The tool can optionally share user writing samples wi ... oval:org.secpod.oval:def:79276 This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep. If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep. If you disable this policy setting, the user is not pr ... oval:org.secpod.oval:def:79601 This policy setting helps prevent Terminal Services clients from saving passwords on a computer. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Terminal Services client disconnects from any server. ... oval:org.secpod.oval:def:79746 This policy setting determines whether to require domain users to elevate when setting a network's location. If you enable this policy setting, domain users must elevate when setting a network's location. If you disable or do not configure this policy setting, domain users can set a network's loca ... oval:org.secpod.oval:def:79718 This security setting determines which accounts are prevented from being able to log on as a batch job. This policy setting supersedes the Log on as a batch job policy setting if a user account is subject to both policies. Default: None Counter Measure: Assign the Deny log on as a batch job u ... oval:org.secpod.oval:def:79619 This policy setting allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations. If you configure this policy setting, an audit event is generated during an IPsec Quick Mode negotiation. Success audits reco ... oval:org.secpod.oval:def:79644 This policy setting allows you to audit events generated by changes in the security state of the computer such as the following events: Startup and shutdown of the computer. Change of system time. Recovering the system from CrashOnAuditFail, which is logged after a system restarts when t ... oval:org.secpod.oval:def:79773 This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. If you disable this policy ... oval:org.secpod.oval:def:79632 This policy setting allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted. If you configure this policy setting, an audit event is generated when an attempt to change a computer account is made. Success audits record suc ... oval:org.secpod.oval:def:79679 This user right determines which users and groups can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time ... oval:org.secpod.oval:def:79628 This policy setting allows you to audit other logon/logoff-related events that are not covered in the Logon/Logoff policy setting such as the following: Terminal Services session disconnections. New Terminal Services sessions. Locking and unlocking a workstation. Invoking a screen sa ... oval:org.secpod.oval:def:79749 This policy setting prohibits access to Windows Connect Now (WCN) wizards. If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including "Set up a wireless router or access point" and "Add a wireles ... oval:org.secpod.oval:def:79680 This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other user ... oval:org.secpod.oval:def:79707 This security setting determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. Defau ... oval:org.secpod.oval:def:79617 This policy setting allows you to audit events generated by the IPsec filter driver such as the following: Startup and shutdown of the IPsec services. Network packets dropped due to integrity check failure. Network packets dropped due to replay check failure. Network packets dropped ... oval:org.secpod.oval:def:79335 MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Counter Measure: Configure the MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) entry to a value of Enabled. The possible values for this registry entry are: - 1 or 0. The default configuration for W ... oval:org.secpod.oval:def:79681 This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user ri ... oval:org.secpod.oval:def:79715 This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separ ... oval:org.secpod.oval:def:79758 This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users, and domain controllers. If you enable this policy setting, the system waits until the current user logs off the system before updating the com ... oval:org.secpod.oval:def:79447 This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabl ... oval:org.secpod.oval:def:79439 Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. Counter Measure: Disable this setting depending on your organizations requirements. Potential ... oval:org.secpod.oval:def:79689 This security setting determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operat ... oval:org.secpod.oval:def:79483 This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - Good: T ... oval:org.secpod.oval:def:79695 Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a serv ... oval:org.secpod.oval:def:79810 Enable or disable file hash computation feature. Enabled: When this feature is enabled Microsoft Defender will compute hash value for files it scans. Disabled: File hash value is not computed Not configured: Same as Disabled. Fix: (1) GPO: Computer Configuration\Administrative Templates\Win ... oval:org.secpod.oval:def:79594 This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group ... oval:org.secpod.oval:def:79838 Prevent users from making changes to the Exploit protection settings area in Windows Security. Enabled: Local users can not make changes in the Exploit protection settings area. Disabled: Local users are allowed to make changes in the Exploit protection settings area. Not configured: Same as D ... oval:org.secpod.oval:def:79387 This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under Get Insider builds, and enable users to make their devices available for downloading and installing Windows preview software. If you en ... oval:org.secpod.oval:def:79683 This security setting allows a user to be logged on by means of a batch-queue facility and is provided only for compatibility with older versions of Windows. For example, when a user submits a job by means of the task scheduler, the task scheduler logs that user on as a batch user rather than as an ... oval:org.secpod.oval:def:79588 This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. ... oval:org.secpod.oval:def:79649 This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed. Only AD DS objects with a matching system access control list (SACL) are logged. Events in this subcategory are similar to the Directory Service Access events available in ... oval:org.secpod.oval:def:79455 This policy setting allows you to configure behavior monitoring. If you enable or do not configure this setting, behavior monitoring will be enabled. If you disable this setting, behavior monitoring will be disabled. Counter Measure: Configure this setting depending on your organizat ... oval:org.secpod.oval:def:79798 This policy setting controls whether Windows records attempts to connect with the OneSettings service to the EventLog. If you enable this policy, Windows will record attempts to connect with the OneSettings service to the Microsoft\Windows\Privacy-Auditing\Operational EventLog channel. If you disa ... oval:org.secpod.oval:def:79825 Allow search and Cortana to search cloud sources like OneDrive and SharePoint Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cloud Search (2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowCloudSearch oval:org.secpod.oval:def:79827 Denies access to the retail catalog in the Microsoft Store, but displays the private store. If you enable this setting, users will not be able to view the retail catalog in the Microsoft Store, but they will be able to view apps in the private store. If you disable or don't configure this setting, ... oval:org.secpod.oval:def:79738 Specifies if the DNS client will perform name resolution over DNS over HTTPS (DoH). By default, the DNS client will do classic DNS name resolution (over UDP or TCP). This setting can enhance the DNS client to use DoH protocol to resolve domain names. To use this policy setting, click Enabled, and ... oval:org.secpod.oval:def:79812 This policy setting allows you to configure script scanning. If you enable or do not configure this setting, script scanning will be enabled. If you disable this setting, script scanning will be disabled. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Microso ... oval:org.secpod.oval:def:79710 This security setting determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. For such auditing to be ena ... oval:org.secpod.oval:def:79576 This policy setting allows you to configure scanning for all downloaded files and attachments. If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. If you disable this setting, scanning for all downloaded files and attachments w ... oval:org.secpod.oval:def:79760 Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a secure connection. Microsoft uses these error rep ... oval:org.secpod.oval:def:79541 This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting the command line information for every process will be logged in ... oval:org.secpod.oval:def:79743 This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety, and will cause all dependent applications to stop working. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution and distributed processing. If you enable this settin ... oval:org.secpod.oval:def:79834 This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. If you enable this policy setting, Windows PowerShell will enable transcripting for Windows PowerShell, the Windows PowerShell ISE, and any other applications that leverage the Win ... oval:org.secpod.oval:def:79666 This subcategory reports events generated by the Kerberos Authentication Server. These events occur on the computer that is authoritative for the credentials. Events for this subcategory include: - 4768: A Kerberos authentication ticket (TGT) was requested. - 4771: Kerberos pre-authentication failed ... oval:org.secpod.oval:def:79703 This security setting determines which users can use performance monitoring tools to monitor the performance of non system processes. Default: Administrators, Power users. Counter Measure: Ensure that only the local Administrators group is assigned the Profile single process user right. Pote ... oval:org.secpod.oval:def:79630 This policy setting allows you to audit events that violate the integrity of the security subsystem, such as the following: Events that could not be written to the event log because of a problem with the auditing system. A process that uses a local procedure call (LPC) port that is not vali ... oval:org.secpod.oval:def:79823 This policy setting lets you control the redirection of supported Plug and Play and RemoteFX USB devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services does not allow redirection of supported Plug and Play and Rem ... oval:org.secpod.oval:def:79662 This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the ob ... oval:org.secpod.oval:def:79843 Enable this policy to specify when to receive quality updates. You can defer receiving quality updates for up to 30 days. To prevent quality updates from being received on their scheduled time, you can temporarily pause quality updates. The pause will remain in effect for 35 days or until you clea ... oval:org.secpod.oval:def:79837 This policy setting enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox. If you enable this policy setting, networking is done by creating a virtual switch on the host, and connects the Windows Sandbox to it via a virtu ... oval:org.secpod.oval:def:79822 This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Remo ... oval:org.secpod.oval:def:79839 Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service. Note: This policy does not apply to Windows RT. This setting lets you specify whether automatic updates are enabled on this computer. If the service is enable ... oval:org.secpod.oval:def:79682 This user right determines which users and groups can change the time zone used by the computer for displaying the local time, which is the computers system time plus the time zone offset. System time itself is absolute and is not affected by a change in the time zone. This user right is defined i ... oval:org.secpod.oval:def:79708 This security setting determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can ... oval:org.secpod.oval:def:79309 MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) Counter Measure: Configure the MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) entry to a value of Disabled. The po ... oval:org.secpod.oval:def:79704 This security setting determines which users who are logged on locally to the computer can shut down the operating system using the Shut Down command. Misuse of this user right can result in a denial of service. Default on Workstations: Administrators, Backup Operators, Users. Default on Servers: ... oval:org.secpod.oval:def:79811 This policy setting turns off real-time protection prompts for known malware detection. Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. If you enable this policy setting, Microsoft Defender Antivirus wil ... oval:org.secpod.oval:def:79660 This policy setting allows you to audit events related to security system extensions or services such as the following: A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It is used to aut ... oval:org.secpod.oval:def:79279 This policy setting controls whether the elevation request prompt is displayed on the interactive users desktop or the secure desktop. The options are: * Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard ... oval:org.secpod.oval:def:79684 This security setting determines which users are allowed to shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service. This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy ... oval:org.secpod.oval:def:79297 This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. Counter Me ... oval:org.secpod.oval:def:79733 Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state ... oval:org.secpod.oval:def:79291 This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computers keyboard. Default: Enabled. ... oval:org.secpod.oval:def:79305 MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Counter Measure: Configure the MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) entry to a value of Highest protection, source routing is compl ... oval:org.secpod.oval:def:79554 This security setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To pre ... oval:org.secpod.oval:def:79491 This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality includ ... oval:org.secpod.oval:def:79590 Logon information must be provided to unlock a locked computer. For domain accounts, this security setting determines whether a domain controller must be contacted to unlock a computer. If this setting is disabled, a user can unlock the computer using cached credentials. If this setting is enabled, ... oval:org.secpod.oval:def:79389 This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. If you disable or do not configure this policy setting, KMS client activation data w ... oval:org.secpod.oval:def:79277 Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. Counter Measure: Configure this policy setting to Yes. Potential Impa ... oval:org.secpod.oval:def:79475 This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. If this policy setting is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances: Automat ... oval:org.secpod.oval:def:79712 This security setting determines which accounts can be used by a process to add entries to the security log. The security log is used to trace unauthorized system access. Misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causi ... oval:org.secpod.oval:def:79742 This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Ser ... oval:org.secpod.oval:def:79757 This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). If you enable this policy setting, the Windows device is discoverable by other Windows devices that belong to the same user, and can participate in cross-device ex ... oval:org.secpod.oval:def:79728 Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state ... oval:org.secpod.oval:def:79774 This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this ... oval:org.secpod.oval:def:79471 This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Counter Measure: Enable this policy setting to ensure that Windows Messenger does not collect usage information and to prevent display of the ... oval:org.secpod.oval:def:79396 This policy setting allows you to configure the display of the password reveal button in password entry user experiences. If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box. If you disable or do n ... oval:org.secpod.oval:def:79341 This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches. Counter Measure: Configure this policy setting to Enabled to prevent Search Companion from downloading content updates during searches. Potential Impact: ... oval:org.secpod.oval:def:79398 This policy setting turns off the location feature for this computer. If you enable this policy setting, the location feature will be turned off, and all programs on this computer will not be able to use location information from the location feature. If you disable or do not configure thi ... oval:org.secpod.oval:def:79664 This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share ... oval:org.secpod.oval:def:79754 Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot, and can optionally be enabled with the use of DMA Protections. DMA protections require ... oval:org.secpod.oval:def:79750 This policy controls whether the print spooler will accept client connections. When the policy is unconfigured or enabled, the spooler will always accept client connections. When the policy is disabled, the spooler will not accept client connections nor allow users to share printers. All printers ... oval:org.secpod.oval:def:79409 Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. If you enable this setting, users will no longer be able to modify slide show settings ... oval:org.secpod.oval:def:79691 This security setting determines which users and groups are prohibited from logging on as a Remote Desktop Services client. Default: None. Important This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2. Counter Measure: Assign the Deny ... oval:org.secpod.oval:def:79692 This security setting determines the least number of characters that a password for a user account may contain. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. Default: 7 on domain controllers. 0 on sta ... oval:org.secpod.oval:def:79752 Encryption Oracle Remediation This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable ... oval:org.secpod.oval:def:79727 Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state ... oval:org.secpod.oval:def:79797 This policy setting controls whether Windows attempts to connect with the OneSettings service. If you enable this policy, Windows will not attempt to connect with the OneSettings Service. If you disable or don't configure this policy setting, Windows will periodically attempt to connect with the O ... oval:org.secpod.oval:def:79366 This policy setting specifies whether search and Cortana can provide location aware search and Cortana results. If this is enabled, search and Cortana can access location information. Counter Measure: Configure this setting depending on your organizations requirements. Potential Impact: ... oval:org.secpod.oval:def:79792 This policy setting lets you turn off cloud optimized content in all Windows experiences. If you enable this policy, Windows experiences that use the cloud optimized content client component, will instead present the default fallback content. If you disable or do not configure this policy, Windows ... oval:org.secpod.oval:def:79629 This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts. If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT is requested for a user account. Success audit ... oval:org.secpod.oval:def:79412 MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) Counter Measure: Configure the MSS: (TcpMaxDataRetransmissions) IPv6 How many times unacknowledged data is retransmitted (3 recommended, 5 is default) entry to a value of 3. ... oval:org.secpod.oval:def:79421 Determines whether a domain member periodically changes its computer account password. If this setting is enabled, the domain member does not attempt to change its computer account password. If this setting is disabled, the domain member attempts to change its computer account password as specifie ... oval:org.secpod.oval:def:79360 When you enable this setting, planned password expiration longer than password age dictated by Password Settings policy is NOT allowed. When such expiration is detected, password is changed immediately and password expiration is set according to policy. When you disable or not configure this se ... oval:org.secpod.oval:def:79310 Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. Counter Measure: Configure this policy setting to Yes. Poten ... oval:org.secpod.oval:def:79377 This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. If you enable this policy setting, users will no longer see feedback notifications through the Windows Feedback app. If you disable or do not configure this policy setting, use ... oval:org.secpod.oval:def:79369 This policy setting specifies whether Cortana is allowed on the device. If you enable or dont configure this setting, Cortana will be allowed on the device. If you disable this setting, Cortana will be turned off. When Cortana is off, users will still be able to use search to find things ... oval:org.secpod.oval:def:79674 This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right. Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server. Default on workstations and ser ... oval:org.secpod.oval:def:79592 This policy setting configures access to remote shells. If you enable this policy setting and set it to False, new remote shell connections are rejected by the server. If you disable or do not configure this policy setting, new remote shell connections are allowed. Counter Measure: Configure ... oval:org.secpod.oval:def:79696 This security setting determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies. Default: Guest Counter Measure: Assign the Deny access ... oval:org.secpod.oval:def:79764 This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns. Microsoft will not collect yo ... oval:org.secpod.oval:def:79638 This policy setting allows you to audit any of the following events: Startup and shutdown of the Windows Firewall service and driver. Security policy processing by the Windows Firewall Service. Cryptography key file and migration operations. Volume: Low. Default: Success, Failure. Co ... oval:org.secpod.oval:def:79481 This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in t ... oval:org.secpod.oval:def:79587 This policy setting allows encrypted items to be indexed. If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting, the search service components (including non-Microsoft components) are expec ... oval:org.secpod.oval:def:79687 This security setting determines whether passwords must meet complexity requirements. If this policy is enabled, passwords must meet the following minimum requirements: Not contain the users account name or parts of the users full name that exceed two consecutive characters * Be at least six chara ... oval:org.secpod.oval:def:79646 This policy setting allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. Currently, there are no events in this subcategory. Default: No Auditing. Counter Measure: Enable Audit poli ... oval:org.secpod.oval:def:79741 This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysi ... oval:org.secpod.oval:def:79300 MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Counter Measure: Configure the MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) entry to a value of Highest protection, source routing is ... oval:org.secpod.oval:def:79745 Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. ICS lets administrators configure their system as an Internet gateway for a small network and provides network services, ... oval:org.secpod.oval:def:79582 Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. Counter Measure: Configure this policy setting to Yes. Potential Impa ... oval:org.secpod.oval:def:79255 This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an autorun command is inserted, the system will automat ... oval:org.secpod.oval:def:79648 This policy setting allows you to audit events generated by changes to application groups such as the following: Application group is created, changed, or deleted. Member is added or removed from an application group. If you configure this policy setting, an audit event is generated when an ... oval:org.secpod.oval:def:79530 Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. Counter Measure: Configure this policy setting to Yes. Potential Impa ... oval:org.secpod.oval:def:79318 This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. The options are: No Action Lock Workstation Force Logoff Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box fo ... oval:org.secpod.oval:def:79813 This policy setting allows you to configure whether or not Watson events are sent. If you enable or do not configure this setting, Watson events will be sent. If you disable this setting, Watson events will not be sent. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Com ... oval:org.secpod.oval:def:79285 MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) Counter Measure: Configure the MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) entry to a value of 3. The possib ... oval:org.secpod.oval:def:79485 This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file r ... oval:org.secpod.oval:def:79685 This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon at ... oval:org.secpod.oval:def:79641 This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall. Events include the following: Reporting of active policies when Windows Firewall service starts. Changes to Windows ... oval:org.secpod.oval:def:79736 This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow . Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy. Note 2: If your organiza ... oval:org.secpod.oval:def:79640 This policy setting allows you to audit events generated by changes to the authorization policy such as the following: Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that are not audited through the Authentication Policy Change subcategory. Removal of user rights (pr ... oval:org.secpod.oval:def:79292 MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Counter Measure: Configure the MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes entry to a value of Disabled. The possible values for this registry entry are: ? 1 or 0. The ... oval:org.secpod.oval:def:79325 This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Remote Desktop Services allows users to disconn ... oval:org.secpod.oval:def:79339 This security setting allows the specification of a title to appear in the title bar of the window that contains the Interactive logon: Message text for users attempting to log on. Default: No message. Microsoft recommends that you use this setting, if appropriate to your environment and your orga ... oval:org.secpod.oval:def:79657 This policy setting allows you to audit events generated by changes to the authentication policy such as the following: Creation of forest and domain trusts. Modification of forest and domain trusts. Removal of forest and domain trusts. Changes to Kerberos policy under Computer Confi ... oval:org.secpod.oval:def:79637 This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following: The password hash of a user account was accessed. This typically happens during an Active Directory Management Tool password migration. The Pas ... oval:org.secpod.oval:def:79469 This security setting determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, the Shut Down command is available on the Windows logon screen. When this policy is disabled, the option to shut down the computer does not appear on the Windows l ... oval:org.secpod.oval:def:79393 This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. If you disable or do not con ... oval:org.secpod.oval:def:79770 This policy setting determines whether published User Activities can be uploaded. If you enable this policy setting, activities of type User Activity are allowed to be uploaded. If you disable this policy setting, activities of type User Activity are not allowed to be uploaded. Deletion of activitie ... oval:org.secpod.oval:def:79388 Enables management of password for local administrator account If you enable this setting, local administrator password is managed If you disable or not configure this setting, local administrator password is NOT managed Counter Measure: Enable this setting. Potential Impact: Lo ... oval:org.secpod.oval:def:79349 This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. Counter Measure: Enable this setting to prevent p ... oval:org.secpod.oval:def:79518 This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. Counter Measure: Enable the Turn off the Publish to Web task for files and folder ... oval:org.secpod.oval:def:79633 This policy setting allows you to audit events generated by special logons such as the following : The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Speci ... oval:org.secpod.oval:def:79550 This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. If you enable this policy setting, the PCs network connectivity state cannot be changed without signing into Windows. If you disable or dont configure this policy setting, ... oval:org.secpod.oval:def:79671 This security setting determines which users or groups have permission to log on as a Remote Desktop Services client. Default: On workstation and servers: Administrators, Remote Desktop Users. On domain controllers: Administrators. Important This setting does not have any effect on Windows 2000 ... oval:org.secpod.oval:def:79765 Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts. This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the dev ... oval:org.secpod.oval:def:79419 This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certai ... oval:org.secpod.oval:def:79735 This policy setting determines whether the minimum password length setting can be increased beyond the legacy limit of 14 characters. The recommended state for this setting is: Enabled . Note: This setting only affects local accounts on the computer. Domain accounts are only affected by se ... oval:org.secpod.oval:def:79487 This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for an ... oval:org.secpod.oval:def:79824 This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download ... oval:org.secpod.oval:def:79546 Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will no longer be able to enable or disable lock sc ... oval:org.secpod.oval:def:79313 MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Counter Measure: Configure the MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) entry to a value of 0. The possible ... oval:org.secpod.oval:def:79434 This security setting determines whether Credential Manager saves passwords and credentials for later use when it gains domain authentication. If you enable this setting, Credential Manager does not store passwords and credentials on the computer. If you disable or do not configure this policy sett ... oval:org.secpod.oval:def:79267 By default, users can add their computer to a homegroup on a home network. If you enable this policy setting, a user on this computer will not be able to add this computer to a homegroup. This setting does not affect other network sharing features. If you disable or do not configure this ... oval:org.secpod.oval:def:79526 This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately. Prior to Windows XP SP2, Autoplay is disabled ... oval:org.secpod.oval:def:79338 This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. If you enable this policy setting, the WinRM client will not use Digest authentication. If you disable or do not configure this policy setting, the WinRM client ... oval:org.secpod.oval:def:79280 This policy setting allows you to control whether a domain user can sign in using a picture password. If you enable this policy setting, a domain user cant set up or sign in with a picture password. If you disable or dont configure this policy setting, a domain user can set up and use a pi ... oval:org.secpod.oval:def:79747 This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. Specify hardened network paths. In the name field, type a fully-qualified UNC path for each network resour ... oval:org.secpod.oval:def:79254 This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SM ... oval:org.secpod.oval:def:79525 Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. Default: not enforced. Counter Measure: Configure this policy setting to 900 seconds (15 minutes) so that the risk of a users de ... oval:org.secpod.oval:def:79734 Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state ... oval:org.secpod.oval:def:79337 This security setting determines how network logons that use local accounts are authenticated. If this setting is set to Classic, network logons that use local account credentials authenticate by using those credentials. The Classic model allows fine control over access to resources. By using the Cl ... oval:org.secpod.oval:def:79766 Enumeration policy for external DMA-capable devices incompatible with DMA remapping. This policy only takes effect when Kernel DMA Protection is enabled and supported by the system. Note: this policy does not apply to 1394, PCMCIA or ExpressCard devices. Fix: (1) GPO: Computer Configuration\Admin ... oval:org.secpod.oval:def:79800 This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem. The recommended state for this setting is: Enabled. By enabling this setting, Windows Error Reporting is limited to sending kernel mini dumps and user mode triage dumps. If ... oval:org.secpod.oval:def:79842 Enable this policy to specify when to receive Feature Updates. Defer Updates | This enables devices to defer taking the next Feature Update available to your channel for up to 14 days for all the pre-release channels and up to 365 days for the Semi-Annual Channel. Or, if the device is updating from ... oval:org.secpod.oval:def:79721 Determines which users can log on to the computer. Important Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (http://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft websit ... oval:org.secpod.oval:def:79454 This policy will be turned off by default on domain joined machines. This would prevent online identities from authenticating to the domain joined machine. Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authentication package, Spnego.dll. In previous versions of Window ... oval:org.secpod.oval:def:79799 This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem on the device. Diagnostic logs are only sent when the device has been configured to send optional diagnostic data. By enabling this policy setting, diagnostic logs ... oval:org.secpod.oval:def:79374 This policy setting determines whether users can enable the following WLAN settings: Connect to suggested open hotspots, Connect to networks shared by my contacts, and Enable paid services. Connect to suggested open hotspots enables Windows to automatically connect users to open hotspots it kno ... oval:org.secpod.oval:def:79262 The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. This security setting determines the number of failed logon attempts that causes the machine to be locke ... oval:org.secpod.oval:def:79431 This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards. Counter Measure: Enable this setting Potential Impact: If this policy setting is enabled, Windows is prevented from downloading providers; only the service pr ... oval:org.secpod.oval:def:79729 This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default) . Fix: (1) GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Fi ... oval:org.secpod.oval:def:79639 This policy setting allows you to audit changes to user accounts. Events include the following: A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked. A user accounts password is set or changed. A security identifier (SID) is added to the SID Hi ... oval:org.secpod.oval:def:79762 This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. If you enable this policy setting, it blocks users from connecting to Microsoft.com for online registration and users cannot register their copy of Windows online. If you disabl ... oval:org.secpod.oval:def:79532 This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. If you enable this policy setting, the advertising ID is turned off. Apps cant use the ID for experiences across apps. If you disable or do not configure this policy setting, us ... oval:org.secpod.oval:def:79531 When WDigest authentication is enabled, Lsass.exe retains a copy of the users plaintext password in memory, where it can be at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed. If this setting is not configured, WDigest authentication is disabled in Windo ... oval:org.secpod.oval:def:79791 This policy setting lets you turn off cloud consumer account state content in all Windows experiences. If you enable this policy, Windows experiences that use the cloud consumer account state content client component, will instead present the default fallback content. If you disable or do not co ... oval:org.secpod.oval:def:79504 This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in the Idle session limit drop- ... oval:org.secpod.oval:def:79767 This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. Note this does not affect the availability of user input methods on the lock screen or with t ... oval:org.secpod.oval:def:79362 Manages a Windows apps ability to share data between users who have installed the app. If you enable this policy, a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folder is available through the Windows.Storage API. If yo ... oval:org.secpod.oval:def:79806 This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detec ... oval:org.secpod.oval:def:79281 This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. If you enable this policy setting, the WinRM service will accept Basic authentication from a remote client. If you disable or do not configure t ... oval:org.secpod.oval:def:79584 This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. If you enable this policy setting, the WinRM client will use Basic authentication. If WinRM is configured to use HTTP transport, then the user name and password are sent over ... oval:org.secpod.oval:def:79489 This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on ... oval:org.secpod.oval:def:79763 This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. If you enable this policy setting, the task "Order Prints Online" ... oval:org.secpod.oval:def:79488 This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send LM a ... oval:org.secpod.oval:def:79303 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not conf ... oval:org.secpod.oval:def:79575 This policy setting allows you to disable the client computers ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet. Counter Measure: Enable this setting to prevent users from submitting print jobs via HTTP. Potential Impact: I ... oval:org.secpod.oval:def:79775 This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. If you enable this policy setting, users can use MSDT to collect and send diagnostic data to a support pro ... oval:org.secpod.oval:def:79604 This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer configuration\Administrative ... oval:org.secpod.oval:def:79271 This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy. Counter Measure: Disable this setting to override firewall rules created locally by administrators. Potential Impac ... oval:org.secpod.oval:def:79709 This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords are not reused ... oval:org.secpod.oval:def:79566 This policy setting prevents connected users from being enumerated on domain-joined computers. If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. If you disable or do not configure this policy setting, connected users will be ... oval:org.secpod.oval:def:79376 This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. If you enable this policy setting, users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account. If you disable or do ... oval:org.secpod.oval:def:79724 This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default) . Fix: (1) GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Fi ... oval:org.secpod.oval:def:79578 This security setting determines whether the system shuts down if it is unable to log security events. If this security setting is enabled, it causes the system to stop if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full an ... oval:org.secpod.oval:def:79730 This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default) . Fix: (1) GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Fi ... oval:org.secpod.oval:def:79570 This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: * Users cant access OneDrive from the OneDrive app and file picker. * Windows Store apps cant access OneDrive using the WinRT API. * OneDrive doesnt appe ... oval:org.secpod.oval:def:79383 Enables or disables the automatic download of app updates on PCs running Windows 8. If you enable this setting, the automatic download of app updates is turned off. If you disable this setting, the automatic download of app updates is turned on. If you dont configure this setting, the ... oval:org.secpod.oval:def:79796 This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically ... oval:org.secpod.oval:def:79569 This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a domain controller cannot be contacted. This policy setting determines the number of unique use ... oval:org.secpod.oval:def:79333 MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Counter Measure: Do not configure the MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) entry except on highly secure computers, where it should be configured to a value of Disabled. The possible values for this r ... oval:org.secpod.oval:def:79761 This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). If you enable this policy setting, the "Choose a list of Internet Service Providers" path in the Internet Connection Wizard causes the wizard to exi ... oval:org.secpod.oval:def:79753 Remote host allows delegation of non-exportable credentials When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. If you enable this policy setting, the host s ... oval:org.secpod.oval:def:79406 This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (O ... oval:org.secpod.oval:def:79809 Enable or disable Microsoft Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet. Enabled: Specify the mode in the Options section: -Blo ... oval:org.secpod.oval:def:79769 This policy setting determines whether Clipboard contents can be synchronized across devices. If you enable this policy setting, Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft account or Azure AD account. If you disable this policy setting, Clipbo ... oval:org.secpod.oval:def:79429 Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as op ... oval:org.secpod.oval:def:79768 This policy prevents the user from showing account details (email address or user name) on the sign-in screen. If you enable this policy setting, the user cannot choose to show account details on the sign-in screen. If you disable or do not configure this policy setting, the user may choose to sho ... oval:org.secpod.oval:def:79737 Enables or disables the retrieval of online tips and help for the Settings app. If disabled, Settings will not contact Microsoft content services to retrieve tips and help content. Fix: (1) GPO: Computer Configuration\Administrative Templates\Control Panel\Allow Online Tips (2) REG: HKEY_LOCAL_ ... oval:org.secpod.oval:def:79748 This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 WLAN, through the Windows Portable Device API (WPD), and via USB Flash drives. Additional ... oval:org.secpod.oval:def:79826 This policy setting determines whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don't configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to ... oval:org.secpod.oval:def:79661 This policy setting allows you to audit events generated by other security policy changes that are not audited in the policy change category, such as the following: Trusted Platform Module (TPM) configuration changes. Kernel-mode cryptographic self tests. Cryptographic provider operation ... oval:org.secpod.oval:def:79829 Windows Game Recording and Broadcasting. This setting enables or disables the Windows Game Recording and Broadcasting features. If you disable this setting, Windows Game Recording will not be allowed. If the setting is enabled or not configured, then Recording and Broadcasting (streaming) will be a ... oval:org.secpod.oval:def:79266 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not conf ... oval:org.secpod.oval:def:79804 This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Messaging\Allow Message Service Cloud Sync (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Messa ... oval:org.secpod.oval:def:79567 This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure cha ... oval:org.secpod.oval:def:79565 This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. If you disable or do not co ... oval:org.secpod.oval:def:79327 This policy setting allows you to prevent app notifications from appearing on the lock screen. If you enable this policy setting, no app notifications are displayed on the lock screen. If you disable or do not configure this policy setting, users can choose which apps display notifications ... oval:org.secpod.oval:def:79346 This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not conf ... oval:org.secpod.oval:def:79618 This policy setting allows you to audit events generated by validation tests on user account logon credentials. Events in this subcategory occur only on the computer that is authoritative for those credentials. For domain accounts, the domain controller is authoritative. For local accounts, the loc ... oval:org.secpod.oval:def:79744 Determines whether a user can install and configure the Network Bridge. Important: This settings is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS do ... oval:org.secpod.oval:def:79726 Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. The recommended state ... oval:org.secpod.oval:def:79433 Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. Counter Measure: Configure this policy setting to Yes. Poten ... oval:org.secpod.oval:def:79268 This policy setting allows Local System services that use Negotiate to use the computer identity when reverting to NTLM authentication. If you enable this policy setting, services running as Local System that use Negotiate will use the computer identity. This might cause some authentication request ... oval:org.secpod.oval:def:79654 This policy setting allows you to audit events generated by changes to security groups such as the following: Security group is created, changed, or deleted. Member is added or removed from a security group. Group type is changed. If you configure this policy setting, an audit event is ... oval:org.secpod.oval:def:79668 This security setting determines whether the operating system stores passwords using reversible encryption. This policy provides support for applications that use protocols that require knowledge of the users password for authentication purposes. Storing passwords using reversible encryption is ess ... oval:org.secpod.oval:def:79794 If you turn this policy setting on, local users won't be able to set up and use security questions to reset their passwords. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Credential User Interface\Prevent the use of security questions for local accounts (2) REG ... oval:org.secpod.oval:def:79408 Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (in ... oval:org.secpod.oval:def:79693 This security setting determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access mem ... oval:org.secpod.oval:def:79453 This security setting determines whether to disconnect users who are connected to the local computer outside their user accounts valid logon hours. This setting affects the Server Message Block (SMB) component. When this policy is enabled, it causes client sessions with the SMB Service to be forcib ... oval:org.secpod.oval:def:79484 This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators Administrators and Power Users Administrators and Interactive Users Default: This policy is not defined and only Administrators have this ability. Counter Mea ... oval:org.secpod.oval:def:79706 This security setting determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is sim ... oval:org.secpod.oval:def:79840 This setting allows to remove access to "Pause updates" feature. Once enabled user access to pause updates is removed. Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\Remove access to "Pause updates" feature (2) REG: HK ... oval:org.secpod.oval:def:79714 This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation. Use caution when assigning this user right. Users with this user right can explore disks and extend files in to memory that contains other data. When the extended files are ... oval:org.secpod.oval:def:79841 Enable this policy to manage which updates you receive prior to the update being released to the world. Dev Channel Ideal for highly technical users. Insiders in the Dev Channel will receive builds from our active development branch that is earliest in a development cycle. These builds are not matc ... oval:org.secpod.oval:def:79711 This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. Important If you apply this security policy to the Everyone group, no one will be able to lo ... oval:org.secpod.oval:def:79722 This user right determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders ... oval:org.secpod.oval:def:79688 This security setting determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or unde ... oval:org.secpod.oval:def:79690 This user right determines which accounts can be used by processes to create a directory object using the object manager. This user right is used internally by the operating system and is useful to kernel-mode components that extend the object namespace. Because components that are running in kerne ... oval:org.secpod.oval:def:79699 This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution Assigning this user right can be a ... oval:org.secpod.oval:def:79490 This security setting determines which communication sessions (pipes) will have attributes and permissions that allow anonymous access. Note: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, t ... oval:org.secpod.oval:def:79444 Specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this setting, all communications between clients and RD Session Host servers during remote conne ... oval:org.secpod.oval:def:79411 This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. If this policy is enabled on a computer, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the us ... oval:org.secpod.oval:def:79298 This security setting determines whether case insensitivity is enforced for all subsystems. The Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as POSIX. If this setting is enabled, case insensitivity is enforced for all directory object ... oval:org.secpod.oval:def:79319 This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: Require NTLMv2 session security: The connection will fail if NTLMv2 prot ... oval:org.secpod.oval:def:79482 This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows: * None: The LDAP BIND request is issued with the options that are specified by the caller. * Negotiate signing: If Transport Layer Security/Secure Sockets Layer ... oval:org.secpod.oval:def:79716 This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less ... oval:org.secpod.oval:def:79717 This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator exp ... oval:org.secpod.oval:def:79675 This security setting determines whether a different account name is associated with the security identifier (SID) for the account Administrator. Renaming the well-known Administrator account makes it slightly more difficult for unauthorized persons to guess this privileged user name and password co ... oval:org.secpod.oval:def:79307 This security setting determines which registry keys can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications ... oval:org.secpod.oval:def:79256 This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn users when their passwords will expire. Determines how far in advance (in days) users are warned that their ... oval:org.secpod.oval:def:79446 When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: Network access: Named pipes that can be accessed anonymously Network access: Shares that can be accessed anonymously Default: Enabled. Counter Measure: Configure the Network access: Restr ... oval:org.secpod.oval:def:79289 This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channe ... oval:org.secpod.oval:def:79351 This policy setting prevents users from adding new Microsoft accounts on this computer. If you select the Users cant add Microsoft accounts option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain accoun ... oval:org.secpod.oval:def:79404 Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. If the s ... oval:org.secpod.oval:def:79669 This security setting determines whether the local Administrator account is enabled or disabled. Notes If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In ... oval:org.secpod.oval:def:79326 This security setting determines which registry paths and subpaths can be accessed over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Default: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Even ... oval:org.secpod.oval:def:79544 This security setting determines which network shares can accessed by anonymous users. Default: None specified. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. Note: It can be ... oval:org.secpod.oval:def:79697 This security setting determines how often a domain member will attempt to change its computer account password. Default: 30 days. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly or set it to 0 so that the computers ... oval:org.secpod.oval:def:79831 Allow Windows Ink Workspace Fix: (1) GPO: Computer Configuration\Administrative Templates\Windows Components\Windows Ink Workspace\Allow Windows Ink Workspace (2) REG: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsInkWorkspace!AllowWindowsInkWorkspace oval:org.secpod.oval:def:79424 This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. If you enable the No auto-restart for scheduled Automatic Updates installations setting, Automatic Updates does not restart c ... oval:org.secpod.oval:def:79286 This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure channel data, it cannot establish a secure channel with a domain controller that is not capable of signing or encr ... oval:org.secpod.oval:def:79426 This security setting determines whether packet signing is required by the SMB server component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle ... oval:org.secpod.oval:def:79486 This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an adminis ... oval:org.secpod.oval:def:79251 This security setting determines whether 128-bit key strength is required for encrypted secure channel data. When a computer joins a domain, a computer account is created. After that, when the system starts, it uses the computer account password to create a secure channel with a domain controller w ... oval:org.secpod.oval:def:79430 Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category le ... oval:org.secpod.oval:def:79597 This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the ... oval:org.secpod.oval:def:79301 This security setting determines what additional permissions are granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrat ... oval:org.secpod.oval:def:79459 Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile. Counter Measure: ... oval:org.secpod.oval:def:79719 This security setting determines whether a different account name is associated with the security identifier (SID) for the account Guest. Renaming the well-known Guest account makes it slightly more difficult for unauthorized persons to guess this user name and password combination. Default: Guest. ... oval:org.secpod.oval:def:79261 If this security setting is enabled, the Server Message Block (SMB) redirector is allowed to send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk. Default: Disabled Counter Measure: ... oval:org.secpod.oval:def:79586 This security setting specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. Default: No message. Microso ... oval:org.secpod.oval:def:79336 This security setting determines whether the SMB client attempts to negotiate SMB packet signing. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle ... oval:org.secpod.oval:def:79296 This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle ... oval:org.secpod.oval:def:79602 This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. If you enable this policy setting or if you do not configure this policy setting, the SMB client will allow insecure guest logons. If you disable this policy setting, the SMB client will reject ... oval:org.secpod.oval:def:80182 This policy setting controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. If you enable this policy setting, users are not gi ... oval:org.secpod.oval:def:80180 This policy setting specifies whether to enable or disable tracking of responsiveness events. If you enable this policy setting, responsiveness events are processed and aggregated. The aggregated data will be transmitted to Microsoft through SQM. if you disable this policy setting, responsiveness ... oval:org.secpod.oval:def:80175 By configuring this policy setting you can adjust what diagnostic data is collected from Windows. This policy setting also restricts the user from increasing the amount of diagnostic data collection via the Settings app. The diagnostic data collected under this policy impacts the operating system an ... oval:org.secpod.oval:def:80176 This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setting overrides the setting in the Device Installation Settings di ... oval:org.secpod.oval:def:80174 Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. Enabled: Specify the mode in the Options section: -Block: Potentially unwanted software ... oval:org.secpod.oval:def:80178 This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user logs off from a session. By default, Remote Desktop Service ... oval:org.secpod.oval:def:80172 This policy setting specifies whether Windows apps can be activated by voice while the system is locked. If you choose the "User is in control" option, employees in your organization can decide whether users can interact with applications using speech while the system is locked by using Settings > ... oval:org.secpod.oval:def:80170 This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only op ... oval:org.secpod.oval:def:81375 This service syncs save data for Xbox Live save enabled games. Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company). Default: Manual (Trigger Start) Counter Measure: The recommended state for this setting is Disabled. Po ... oval:org.secpod.oval:def:81374 Provides authentication and authorization services for interacting with Xbox Live. Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company). Default: Manual. Counter Measure: The recommended state for this setting is Disabled. ... oval:org.secpod.oval:def:81373 This service manages connected Xbox Accessories. Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company) Default: Manual. Counter Measure: The recommended state for this setting is Disabled. Potential Impact: Connected ... oval:org.secpod.oval:def:81372 Provides Web connectivity and administration through the Internet Information Services Manager. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - World Wide Web Services). Note #2: ... oval:org.secpod.oval:def:81376 This service supports the Windows.Networking.XboxLive application programming interface. Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company). Default: Manual. Counter Measure: The recommended state for this setting is Di ... oval:org.secpod.oval:def:81342 The LXSS Manager service supports running native ELF binaries. The service provides the infrastructure necessary for ELF binaries to run on Windows. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Windows Subsyst ... oval:org.secpod.oval:def:81340 Provides network access translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. Internet Connection Sharing (ICS) is a feature that allows someone to "share" their Internet connection with other machines on the network - it was designed for ... oval:org.secpod.oval:def:81346 SSH protocol based service to provide secure encrypted communications between two untrusted hosts over an insecure network. Note: This service is not installed by default. It is supplied with Windows, but it is installed by enabling an optional Windows feature (OpenSSH Server) Hosting an SSH serve ... oval:org.secpod.oval:def:81343 Enables the server to be a File Transfer Protocol (FTP) server Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services - FTP Server). Hosting an FTP server (especially a non-secure FTP serv ... oval:org.secpod.oval:def:81339 Detects other Infrared devices that are in range and launches the file transfer application. Infrared connections can potentially be a source of data compromise - especially via the automatic "file transfer application" functionality. Enterprise-managed systems should utilize a more secure method o ... oval:org.secpod.oval:def:81338 Enables the server to administer the IIS metabase. The IIS metabase stores configuration for the SMTP and FTP services. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Internet Information Services). Note #2: An ... oval:org.secpod.oval:def:81335 Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. Note: In Windows 8.1 and Windows 10, this service is bundled with the SMB 1.0/CIFS File Sharing Support optional feature. As a result, removing that feature (highly recommended unless b ... oval:org.secpod.oval:def:81364 The Web Management Service enables remote and delegated management capabilities for administrators to manage for the Web server, sites and applications present on the machine. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windo ... oval:org.secpod.oval:def:81363 Allows UPnP devices to be hosted on this computer. Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automati ... oval:org.secpod.oval:def:81362 Discovers networked devices and services that use the SSDP discovery protocol, such as UPnP devices. Also announces SSDP devices and services running on the local computer. Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes ... oval:org.secpod.oval:def:81368 Provides the ability to share a cellular data connection with another device. The capability to run a mobile hotspot from a domain-connected computer could easily expose the internal network to wardrivers or other hackers Default: Manual (Trigger Start) Counter Measure: The recommended state ... oval:org.secpod.oval:def:81367 Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play. Network sharing of media from Media Player has no place in an enterprise managed environment. Default: Manual Counter Measure: The recommended state for this setting is Disable ... oval:org.secpod.oval:def:81360 Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. Note: This service is not installed by default. It is supplied with Windows, but is installed by enabling an optional Windows feature (Simple TCPIP services (i.e. echo, daytime etc)) The Sim ... oval:org.secpod.oval:def:81358 Offers routing services to businesses in local area and wide area network environments. This services main purpose is to provide Windows router functionality - this is not an appropriate use of workstations in an enterprise managed environment Default: Disabled Counter Measure: The recommen ... oval:org.secpod.oval:def:81356 In Windows 2003 and older versions of Windows, the Remote Procedure Call (RPC) Locator service manages the RPC name service database. In Windows Vista and newer versions of Windows, this service does not provide any functionality and is present for application compatibility. This is a legacy servic ... |
