fedepacher commented 2 years ago

Related Issue
https://github.com/wazuh/wazuh/issues/13191

Description

Windows 10 SCA policies have been updated https://github.com/wazuh/wazuh/issues/13191. On this account, It is necessary to ensure that these policies fit with the CIS Windows 10 Enterprise Release 21H2 Benchmark v1.12.. Also, manual testing for the used SCA rules is required, ensuring the proposed rules work as expected.

OS: Windows 10 Enterprise
SCA policy file: https://github.com/wazuh/wazuh/blob/83a39381f06965015363b09d4fbcc4fd150fb007/ruleset/sca/windows/cis_win10_enterprise.yml

For each check in the SCA policy checks:

The title, description, rationale, compliance and remediation must correspond to the ones in the check of the corresponding CIS benchmark file found in https://downloads.cisecurity.org/#/.
The check command found in the CIS benchmark file should work as expected and must match the rule specified in the check of the yml file.

The installers must also be tested:

Check the scan is executed automatically when installing.
Check the scan result.

Checks

Checks design

Check ID	Check Category	Description	ID/Title/Description/Rationable	Remediation	Compliance	Rules	Artifact
id	Category	Description	:black_circle:	:black_circle:	:black_circle:	:black_circle:	Artifact

All test results must have one of the following statuses:
:green_circle:	All checks passed.
:red_circle:	There is at least one failed result.
:yellow_circle:	There is at least one expected failure or skipped test and no failures.
:black_circle:	Not tested.

Any failing test must be properly addressed with a new issue, detailing the error and the possible cause.

An extended report of the test results can be attached as a ZIP or TXT file. Please attach any documents, screenshots, or tables to the issue update with the results. This report can be used by the auditors to dig deeper into any possible failures and details.

Checks lists

Conclusions

All tests have been executed and the results can be found in the issue updates.

To be completed

fedepacher commented 2 years ago

Second revision by @fedepacher

1.1 Password Policy

1.1.1 (L1) "Ensure 'Enforce password history' is set to '24 or more password(s)' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Account
Policies\Password Policy\Enforce password history

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Enforce password history

Compliance - :green_circle:

Rules -

Expected scan result: FAIL

Log:

C:\Users\vagrant>net.exe accounts
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.

1.1.2 (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

To establish the recommended configuration via GP, set the following UI path to 365 or fewer days, but not 0 :
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age

Current remediation:

To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Maximum password age

Compliance - :green_circle:
Rules -
- Expected scan result: OK
- Log: Same as 1.1.1

1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Minimum password age

Compliance - :green_circle:
Rules -
- Expected scan result: FAIL
- Log: Same as 1.1.1

1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account 'Policies\\Password Policy\\Minimum password length'

Compliance - :green_circle:
Rules -
- Expected scan result: FAIL
- Log: Same as 1.1.1

1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description

Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements

Current remediation:

Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\\Password must meet complexity requirements

Compliance - :green_circle:

Rules -

Expected scan result: FAIL

Log:


C:\Users\vagrant>powershell Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser
Get-ADDefaultDomainPasswordPolicy : The term
'Get-ADDefaultDomainPasswordPolicy' is not recognized as the name of a
cmdlet, function, script file, or operable program. Check the spelling of
the name, or if a path was included, verify that the path is correct and
try again.
At line:1 char:1

Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser


+ CategoryInfo          : ObjectNotFound: (Get-ADDefaultDomainPasswordP
olicy:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
```

1.1.6 (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Incomplete description Expected description

This policy setting determines whether the minimum password length setting can be increased beyond the legacy limit of 14 characters. For more information please see the following Microsoft Security Blog.
The recommended state for this setting is: Enabled .

Current description

This policy setting determines whether the minimum password length setting can be increased beyond the legacy limit of 14 characters. For more information please see the following Microsoft Security Blog.

Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Relax minimum password length limits

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\AccountPolicies\\Password Policy\\Relax minimum password length limits

Compliance - ::green_circle:

Rules -

Expected scan result: FAIL

Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SAM'

1.1.7 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' :red_circle:

Not present

fedepacher commented 2 years ago

Update 2022/06/30

1.2 Account Lockout Policy

1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :green_circle: Incomplete description Typo in rationale theAccount word Expected rationale:

A denial of service (DoS) condition can be created if an attacker abuses the Account lockout threshold and repeatedly attempts to log on with a specific account. Once you configure the Account lockout threshold setting, the account will be locked out after the specified number of failed attempts. If you configure the Account lockout duration setting to 0, then the account will remain locked out until an administrator unlocks it manually.

Current rationale:

A denial of service (DoS) condition can be created if an attacker abuses the Account lockout threshold and repeatedly attempts to log on with a specific account. Once you configure theAccount lockout threshold setting, the account will be locked out after the specified number of failed attempts. If you configure the Account lockout duration setting to 0, then the account will remain locked out until an administrator unlocks it manually.

Expected remediation:

To establish the recommended configuration via GP, set the following UI path to 15 or more minute(s) :
Computer Configuration\Policies\Windows Settings\Security Settings\Account
Policies\Account Lockout Policy\Account lockout duration

Current remediation:

To establish the recommended configuration via GP, set the following UI path to 15 or more minute(s): Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy\\Account lockout duration

Compliance - :red_circle: Expected Compliance:
```
4.10
```
Current Compliance:
```
16
```

Rules -

Expected scan result: OK

Log:

C:\Users\vagrant>net.exe accounts
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.

1.2.2 (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Incomplete description Expected remediation:

To establish the recommended configuration via GP, set the following UI path to 5 or fewer invalid login attempt(s), but not 0 :    
Computer Configuration\Policies\Windows Settings\Security Settings\Account  
Policies\Account Lockout Policy\Account lockout threshold

Current remediation:

To establish the recommended configuration via GP, set the following UI path to 10 or fewer invalid login attempt(s), but not 0: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy\\Account lockout threshold

Compliance - :red_circle: Expected Compliance:
```
4.10
```
Current Compliance:
```
16
```

Rules -

Expected scan result: FAIL

Log:

C:\Users\vagrant>net.exe accounts
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.

1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Incomplete description Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Account
Policies\Account Lockout Policy\Reset account lockout counter after

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy\\Reset account lockout counter after

Compliance - :red_circle: Expected Compliance:
```
4.10
```
Current Compliance:
```
16
```

Rules -

Expected scan result: OK

Log:

C:\Users\vagrant>net.exe accounts
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.

2.2 User Rights Assignment

2.2.1 to 2.2.39 Not present

2.3 Security Options

2.3.1.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Incomplete description Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Administrator account status

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Administrator account status

Compliance - :red_circle: Expected Compliance:
```
4.7
```
Current Compliance:
```
16
```

Rules -

Expected scan result: OK

Log:


C:\Users\vagrant>net user administrator
User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
User's comment
Country/region code          000 (System Default)
Account active               No
Account expires              Never

Password last set 6/8/2022 9:13:47 PM Password expires Never Password changeable 6/8/2022 9:13:47 PM Password required Yes User may change password Yes

Workstations allowed All Logon script User profile Home directory Last logon 2/14/2022 7:56:50 PM

Logon hours allowed All

Local Group Memberships Administrators Global Group memberships None The command completed successfully.


</details>

### 2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle: 
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts

- Compliance - :red_circle:
**No V8 version compliance**
- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.1.3 (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' :green_circle:
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status

- Compliance - :red_circle:
**Expected Compliance**:

4.7

**Current Compliance**:

16

- Rules -
    - Expected scan result: `NO`
    - Log:

C:\Users\vagrant>net user guest User name Guest Full Name Comment Built-in account for guest access to the computer/domain User's comment Country/region code 000 (System Default) Account active No Account expires Never

Password last set 6/30/2022 3:05:16 PM Password expires Never Password changeable 6/30/2022 3:05:16 PM Password required No User may change password No

Workstations allowed All Logon script User profile Home directory Last logon Never

Logon hours allowed All

Local Group Memberships Guests Global Group memberships None The command completed successfully.


</details>

### 2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of blank passwords to console logon only

- Compliance - :red_circle:
**Expected Compliance**:

5.2

**Current Compliance**:

16

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 648 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.1.5 (L1) Configure 'Accounts: Rename administrator account' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
**Expected rationale**:

The Administrator account exists on all computers that run the Windows 2000 or newer operating systems. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination. The built-in Administrator account cannot be locked out, regardless of how many times an attacker might use a bad password. This capability makes the Administrator account a popular target for brute force attacks that attempt to guess passwords. The value of this countermeasure is lessened because this account has a well-known SID, and there are third-party tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute force attack by using the SID to log on.

**Current rationale**:

The Administrator account exists on all computers that run the Windows 2000 or newer operating systems. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination.

**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator account

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator account

- Compliance - :red_circle: 
**Expected Compliance**:

4.7

**Current Compliance**:

16

- Rules -
    - Expected scan result: `FAIL`
    - Log:

C:\Users\vagrant>net user administrator User name Administrator Full Name Comment Built-in account for administering the computer/domain User's comment Country/region code 000 (System Default) Account active No Account expires Never

Password last set 6/8/2022 9:13:47 PM Password expires Never Password changeable 6/8/2022 9:13:47 PM Password required Yes User may change password Yes

Workstations allowed All Logon script User profile Home directory Last logon 2/14/2022 7:56:50 PM

Logon hours allowed All

Local Group Memberships Administrators Global Group memberships None The command completed successfully.


</details>

### 2.3.1.6 (L1) Configure 'Accounts: Rename guest account' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename guest account

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename guest account

- Compliance - :red_circle: 
**Expected Compliance**:

4.7

**Current Compliance**:

16

- Rules -
    - Expected scan result: `FAIL`
    - Log:

C:\Users\vagrant>net user guest User name Guest Full Name Comment Built-in account for guest access to the computer/domain User's comment Country/region code 000 (System Default) Account active No Account expires Never

Password last set 6/30/2022 4:08:24 PM Password expires Never Password changeable 6/30/2022 4:08:24 PM Password required No User may change password No

Workstations allowed All Logon script User profile Home directory Last logon Never

Logon hours allowed All

Local Group Memberships Guests Global Group memberships None The command completed successfully.


</details>

### 2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings

- Compliance - :red_circle: 
**Expected Compliance**:

8.5

**Current Compliance**:

6.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 648 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits

- Compliance - :red_circle:
**Expected Compliance**:

8.3

**Current Compliance**:

6

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 648 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete title**
**Incomplete description**
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media

**Current remediation**:

omputer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media

- Compliance - :red_circle: 
**No V8 version compliance**:
**Current Compliance**:

5.1

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

AutoRestartShell : 1 Background : 0 0 0 CachedLogonsCount : 10 DebugServerCommand : no DisableBackButton : 1 EnableSIHostIntegration : 1 ForceUnlockLogon : 0 LegalNoticeCaption : LegalNoticeText : PasswordExpiryWarning : 5 PowerdownAfterShutdown : 0 PreCreateKnownFolders : {A520A1A4-1780-4FF6-BD18-167343C5AF16} ReportBootOk : 1 Shell : explorer.exe ShellCritical : 0 ShellInfrastructure : sihost.exe SiHostCritical : 0 SiHostReadyTimeOut : 0 SiHostRestartCountLimit : 0 SiHostRestartTimeGap : 0 Userinit : C:\Windows\system32\userinit.exe, VMApplet : SystemPropertiesPerformance.exe /pagefile WinStationsDisabled : 0 scremoveoption : 0 DisableCAD : 1 LastLogOffEndTimePerfCounter : 184303078237 ShutdownFlags : 2147484203 DisableLockWorkstation : 0 EnableFirstLogonAnimation : 1 AutoLogonSID : S-1-5-21-1012795254-2559317413-4052179137-1001 LastUsedUsername : vagrant PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion PSChildName : Winlogon PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.4.2 (L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers.

- Compliance - :red_circle:
**No V8 version compliance**:
**Current Compliance**:

5.1

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'

AddPrinterDrivers : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Provi ders\LanMan Print Services\Servers PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Provi ders\LanMan Print Services PSChildName : Servers PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always).

- Compliance - :red_circle:
**Expected Compliance**:

3.10

**Current Compliance**:

13

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'

DisablePasswordChange : 0 MaximumPasswordAge : 30 RequireSignOrSeal : 1 RequireStrongKey : 1 SealSecureChannel : 1 ServiceDll : C:\Windows\system32\netlogon.dll SignSecureChannel : 1 Update : no PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlog on\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlog on PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible)

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible).

- Compliance - :red_circle:
**Expected Compliance**:

3.10

**Current Compliance**:

13

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'

DisablePasswordChange : 0 MaximumPasswordAge : 30 RequireSignOrSeal : 1 RequireStrongKey : 1 SealSecureChannel : 1 ServiceDll : C:\Windows\system32\netlogon.dll SignSecureChannel : 1 Update : no PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlog on\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlog on PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible)

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally sign secure channel data (when possible).

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

13

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'

DisablePasswordChange : 0 MaximumPasswordAge : 30 RequireSignOrSeal : 1 RequireStrongKey : 1 SealSecureChannel : 1 ServiceDll : C:\Windows\system32\netlogon.dll SignSecureChannel : 1 Update : no PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlog on\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlog on PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes.

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

16

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'

DisablePasswordChange : 0 MaximumPasswordAge : 30 RequireSignOrSeal : 1 RequireStrongKey : 1 SealSecureChannel : 1 ServiceDll : C:\Windows\system32\netlogon.dll SignSecureChannel : 1 Update : no PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlog on\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlog on PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

5.1

- Rules -
    - Expected scan result: `FAIL`
    - Log:

C:\Users\vagrant>net.exe accounts Force user logoff how long after time expires?: Never Minimum password age (days): 0 Maximum password age (days): 42 Minimum password length: 0 Length of password history maintained: None Lockout threshold: Never Lockout duration (minutes): 30 Lockout observation window (minutes): 30 Computer role: WORKSTATION The command completed successfully.


</details>

### 2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Require strong (Windows 2000 or later) session key

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

13

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters'

DisablePasswordChange : 0 MaximumPasswordAge : 30 RequireSignOrSeal : 1 RequireStrongKey : 1 SealSecureChannel : 1 ServiceDll : C:\Windows\system32\netlogon.dll SignSecureChannel : 1 Update : no PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlog on\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlog on PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.7.1 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
**Expected rationale**:

Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. An attacker could install a Trojan horse program that looks like the standard Windows logon dialog box and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has.

**Current rationale**:

Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path.

**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require CTRL+ALT+DEL

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

16.2, 5.1

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Don't display last signed-in

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name.

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

13

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine account lockout threshold

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine account lockout threshold

- Compliance - :red_circle:
**Expected Compliance**:

4.10

**Current Compliance**:

16

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine inactivity limit

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Machine inactivity limit.

- Compliance - :red_circle:
**Expected Compliance**:

4.3

**Current Compliance**:

16.5

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.7.5 (L1) Configure 'Interactive logon: Message text for users attempting to log on' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

16

- Rules -
    - Expected scan result: `OK`
    - Log:

C:\Users\vagrant>reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v legalnoticetext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system legalnoticetext REG_SZ



</details>

fedepacher commented 2 years ago

Update 2022/07/01

2.3.7.6 (L1) Configure 'Interactive logon: Message title for users attempting to log on' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Local
Policies\Security Options\Interactive logon: Message title for users
attempting to log on

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local  Policies\\Security Options\\Interactive logon: Message title for users  attempting to log on

Compliance - :red_circle: No V8 version compliance Current Compliance:
```
5, 16
```

Rules -

Expected scan result: OK

Log:


PS C:\Users\vagrant> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v legalnoticecaption

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system legalnoticecaption REG_SZ


</details>

### 2.3.7.7 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

16

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

AutoRestartShell : 1 Background : 0 0 0 CachedLogonsCount : 10 DebugServerCommand : no DisableBackButton : 1 EnableSIHostIntegration : 1 ForceUnlockLogon : 0 LegalNoticeCaption : LegalNoticeText : PasswordExpiryWarning : 5 PowerdownAfterShutdown : 0 PreCreateKnownFolders : {A520A1A4-1780-4FF6-BD18-167343C5AF16} ReportBootOk : 1 Shell : explorer.exe ShellCritical : 0 ShellInfrastructure : sihost.exe SiHostCritical : 0 SiHostReadyTimeOut : 0 SiHostRestartCountLimit : 0 SiHostRestartTimeGap : 0 Userinit : C:\Windows\system32\userinit.exe, VMApplet : SystemPropertiesPerformance.exe /pagefile WinStationsDisabled : 0 scremoveoption : 0 DisableCAD : 1 LastLogOffEndTimePerfCounter : 321608052565 ShutdownFlags : 2147484203 DisableLockWorkstation : 0 EnableFirstLogonAnimation : 1 AutoLogonSID : S-1-5-21-1012795254-2559317413-4052179137-1001 LastUsedUsername : vagrant PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion PSChildName : Winlogon PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

16

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

AutoRestartShell : 1 Background : 0 0 0 CachedLogonsCount : 10 DebugServerCommand : no DisableBackButton : 1 EnableSIHostIntegration : 1 ForceUnlockLogon : 0 LegalNoticeCaption : LegalNoticeText : PasswordExpiryWarning : 5 PowerdownAfterShutdown : 0 PreCreateKnownFolders : {A520A1A4-1780-4FF6-BD18-167343C5AF16} ReportBootOk : 1 Shell : explorer.exe ShellCritical : 0 ShellInfrastructure : sihost.exe SiHostCritical : 0 SiHostReadyTimeOut : 0 SiHostRestartCountLimit : 0 SiHostRestartTimeGap : 0 Userinit : C:\Windows\system32\userinit.exe, VMApplet : SystemPropertiesPerformance.exe /pagefile WinStationsDisabled : 0 scremoveoption : 0 DisableCAD : 1 LastLogOffEndTimePerfCounter : 321608052565 ShutdownFlags : 2147484203 DisableLockWorkstation : 0 EnableFirstLogonAnimation : 1 AutoLogonSID : S-1-5-21-1012795254-2559317413-4052179137-1001 LastUsedUsername : vagrant PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion PSChildName : Winlogon PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior 2

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card removal behavior

- Compliance - :red_circle:
**Expected Compliance**:

4.3

**Current Compliance**:

16.5

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

AutoRestartShell : 1 Background : 0 0 0 CachedLogonsCount : 10 DebugServerCommand : no DisableBackButton : 1 EnableSIHostIntegration : 1 ForceUnlockLogon : 0 LegalNoticeCaption : LegalNoticeText : PasswordExpiryWarning : 5 PowerdownAfterShutdown : 0 PreCreateKnownFolders : {A520A1A4-1780-4FF6-BD18-167343C5AF16} ReportBootOk : 1 Shell : explorer.exe ShellCritical : 0 ShellInfrastructure : sihost.exe SiHostCritical : 0 SiHostReadyTimeOut : 0 SiHostRestartCountLimit : 0 SiHostRestartTimeGap : 0 Userinit : C:\Windows\system32\userinit.exe, VMApplet : SystemPropertiesPerformance.exe /pagefile WinStationsDisabled : 0 scremoveoption : 0 DisableCAD : 1 LastLogOffEndTimePerfCounter : 321608052565 ShutdownFlags : 2147484203 DisableLockWorkstation : 0 EnableFirstLogonAnimation : 1 AutoLogonSID : S-1-5-21-1012795254-2559317413-4052179137-1001 LastUsedUsername : vagrant PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion PSChildName : Winlogon PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

13

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'

EnablePlainTextPassword : 0 EnableSecuritySignature : 1 RequireSecuritySignature : 0 ServiceDll : C:\Windows\System32\wkssvc.dll ServiceDllUnloadOnStop : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lan manWorkstation\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lan manWorkstation PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees)

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees)

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

13

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'

EnablePlainTextPassword : 0 EnableSecuritySignature : 1 RequireSecuritySignature : 0 ServiceDll : C:\Windows\System32\wkssvc.dll ServiceDllUnloadOnStop : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lan manWorkstation\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lan manWorkstation PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send unencrypted password to third-party SMB servers

- Compliance - :red_circle:
**Expected Compliance**:

3.10

**Current Compliance**:

13

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters'

EnablePlainTextPassword : 0 EnableSecuritySignature : 1 RequireSecuritySignature : 0 ServiceDll : C:\Windows\System32\wkssvc.dll ServiceDllUnloadOnStop : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lan manWorkstation\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lan manWorkstation PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
**Expected remediation**:

To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s) : Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session

**Current remediation**:

To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not 0: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Amount of idle time required before suspending session.

- Compliance - :red_circle:
**Expected Compliance**:

4.3

**Current Compliance**:

3

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'

EnableAuthenticateUserSharing : 0 NullSessionPipes : {} ServiceDll : C:\Windows\system32\srvsvc.dll ServiceDllUnloadOnStop : 1 autodisconnect : 15 enableforcedlogoff : 1 enablesecuritysignature : 0 requiresecuritysignature : 0 restrictnullsessaccess : 1 Guid : {132, 249, 218, 43...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

13

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'

EnableAuthenticateUserSharing : 0 NullSessionPipes : {} ServiceDll : C:\Windows\system32\srvsvc.dll ServiceDllUnloadOnStop : 1 autodisconnect : 15 enableforcedlogoff : 1 enablesecuritysignature : 0 requiresecuritysignature : 0 restrictnullsessaccess : 1 Guid : {132, 249, 218, 43...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees)

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (if client agrees)

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

13

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'

EnableAuthenticateUserSharing : 0 NullSessionPipes : {} ServiceDll : C:\Windows\system32\srvsvc.dll ServiceDllUnloadOnStop : 1 autodisconnect : 15 enableforcedlogoff : 1 enablesecuritysignature : 0 requiresecuritysignature : 0 restrictnullsessaccess : 1 Guid : {132, 249, 218, 43...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Disconnect clients when logon hours expire

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Disconnect clients when logon hours expire

- Compliance - :red_circle:
**Expected Compliance**:

5.6

**Current Compliance**:

16

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'

EnableAuthenticateUserSharing : 0 NullSessionPipes : {} ServiceDll : C:\Windows\system32\srvsvc.dll ServiceDllUnloadOnStop : 1 autodisconnect : 15 enableforcedlogoff : 1 enablesecuritysignature : 0 requiresecuritysignature : 0 restrictnullsessaccess : 1 Guid : {132, 249, 218, 43...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Server SPN target name validation level

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Server SPN target name validation level

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

14

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'

EnableAuthenticateUserSharing : 0 NullSessionPipes : {} ServiceDll : C:\Windows\system32\srvsvc.dll ServiceDllUnloadOnStop : 1 autodisconnect : 15 enableforcedlogoff : 1 enablesecuritysignature : 0 requiresecuritysignature : 0 restrictnullsessaccess : 1 Guid : {132, 249, 218, 43...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous SID/Name translation

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

5.1

- Rules -
    - Expected scan result: `OK`
    - Log:

C:\Users\vagrant>powershell "$null = secedit /export /cfg $env:temp/secexport.cfg; $(gc $env:temp/secexport.cfg | Select-String \"LSAAnonymousNameLookup\").ToString().Split(\"=\")[1].Trim()" 0


</details>

### 2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

16

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 652 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts and shares

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

16

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 652 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.10.4 (L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to
'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of passwords and credentials for network authentication

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of passwords and credentials for network authentication

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

16.14

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 652 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone permissions apply to anonymous users

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

14, 16

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 652 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.10.6 (L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

14.1, 14.2

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'

EnableAuthenticateUserSharing : 0 NullSessionPipes : {} ServiceDll : C:\Windows\system32\srvsvc.dll ServiceDllUnloadOnStop : 1 autodisconnect : 15 enableforcedlogoff : 1 enablesecuritysignature : 0 requiresecuritysignature : 0 restrictnullsessaccess : 1 Guid : {132, 249, 218, 43...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.10.7 (L1) Ensure 'Network access: Remotely accessible registry paths' is configured :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete title**
**Expected remediation**:

System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications SOFTWARE\Microsoft\Windows NT\CurrentVersion Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths

**Current remediation**:

System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications SOFTWARE\Microsoft\Windows NT\CurrentVersion Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

14, 16

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'

Machine : {System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServer s\Winreg\AllowedExactPaths PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServer s\Winreg PSChildName : AllowedExactPaths PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.10.8 (L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete title**
**Incomplete description**
**Expected remediation**:

System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog SOFTWARE\Microsoft\OLAP Server SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and sub-paths

**Current remediation**:

System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog SOFTWARE\Microsoft\OLAP Server SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and sub-paths

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

14, 16

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths'

Machine : {System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServer s\Winreg\AllowedPaths PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServer s\Winreg PSChildName : AllowedPaths PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry

System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog


</details>

### 2.3.10.9 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected description**:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters

**Current description**:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters registry key

**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares

**Current remediation**:

omputer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

14, 16

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'

EnableAuthenticateUserSharing : 0 NullSessionPipes : {} ServiceDll : C:\Windows\system32\srvsvc.dll ServiceDllUnloadOnStop : 1 autodisconnect : 15 enableforcedlogoff : 1 enablesecuritysignature : 0 requiresecuritysignature : 0 restrictnullsessaccess : 1 Guid : {132, 249, 218, 43...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.10.10 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict clients allowed to make remote calls to SAM

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict clients allowed to make remote calls to SAM

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

5.1, 9.1, 9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 652 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.10.11 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously

- Compliance - :red_circle:
**Expected Compliance**:

3.3

**Current Compliance**:

14, 16

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters'

EnableAuthenticateUserSharing : 0 NullSessionPipes : {} ServiceDll : C:\Windows\system32\srvsvc.dll ServiceDllUnloadOnStop : 1 autodisconnect : 15 enableforcedlogoff : 1 enablesecuritysignature : 0 requiresecuritysignature : 0 restrictnullsessaccess : 1 Guid : {132, 249, 218, 43...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service s\LanManServer PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.10.12 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

14, 16

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 652 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

14, 16

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 652 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow LocalSystem NULL session fallback

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow LocalSystem NULL session fallback

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

14

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'

Auth132 : IISSUBA NtlmMinClientSec : 536870912 NtlmMinServerSec : 536870912 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa PSChildName : MSV1_0 PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Allow PKU2U authentication requests to this computer to use online identities

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Allow PKU2U authentication requests to this computer to use online identities

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

16.9

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\pku2u' Get-ItemProperty : Cannot find path 'HKLM:\System\CurrentControlSet\Control\Lsa\pku2u' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControl ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\System\Cu...ntrol\Lsa\pku2u:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Incomplete description Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Local
Policies\Security Options\Network security: Configure encryption types
allowed for Kerberos

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos

Compliance - :red_circle: Expected Compliance:
```
3.10
```
Current Compliance:
```
16.14
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
Get-ItemProperty : Cannot find path
'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Wi ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\Software\...eros\Parameters:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Local
Policies\Security Options\Network security: Do not store LAN Manager hash
value on next password change

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Do not store LAN Manager hash value on next password change

Compliance - :red_circle: Expected Compliance:
```
3.11
```
Current Compliance:
```
16.14
```

Rules -

Expected scan result: OK

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 652 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when logon hours expire

- Compliance - :red_circle:
**Expected Compliance**:

5.6

**Current Compliance**:

16

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

EnableAuthenticateUserSharing : 0 NullSessionPipes : {} ServiceDll : C:\Windows\system32\srvsvc.dll ServiceDllUnloadOnStop : 1 autodisconnect : 15 enableforcedlogoff : 1 enablesecuritysignature : 0 requiresecuritysignature : 0 restrictnullsessaccess : 1 Guid : {132, 249, 218, 43...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Service s\LanManServer\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Service s\LanManServer PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry



</details>

fedepacher commented 2 years ago

Update 2022/07/05

2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Local
Policies\Security Options\Network security: LAN Manager authentication levelv

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: LAN Manager authentication level

Compliance - :red_circle: *Expected Compliance**:
```
3.10
```
Current Compliance:
```
13
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa'

auditbasedirectories : 0 auditbaseobjects : 0 Bounds : {0, 48, 0, 0...} crashonauditfail : 0 fullprivilegeauditing : {0} LimitBlankPasswordUse : 1 NoLmHash : 1 Security Packages : {""} Notification Packages : {scecli} Authentication Packages : {msv1_0} LsaPid : 652 LsaCfgFlagsDefault : 0 SecureBoot : 1 ProductType : 4 disabledomaincreds : 0 everyoneincludesanonymous : 0 forceguest : 0 restrictanonymous : 0 restrictanonymoussam : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control PSChildName : Lsa PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: LDAP client signing requirements

- Compliance - :red_circle:
**Expected Compliance**:

3.10

**Current Compliance**:

13

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP'

ldapclientintegrity : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services PSChildName : LDAP PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) clients.

- Compliance - :red_circle:
**Expected Compliance**:

3.10

**Current Compliance**:

13

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCALMACHINE\System\CurrentControlSet\Control\Lsa\MSV1' Get-ItemProperty : Cannot find path 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControl ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\System\Cu...ntrol\Lsa\MSV1_:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

2.3.11.10 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Local
Policies\Security Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

Compliance - :red_circle: Expected Compliance:
```
3.10
```
Current Compliance:
```
13
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0'

Auth132 : IISSUBA NtlmMinClientSec : 536870912 NtlmMinServerSec : 536870912 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa PSChildName : MSV1_0 PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.14.1 (L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected description**:

This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. The recommended state for this setting is: User is prompted when the key is first used . Configuring this setting to User must enter a password each time they use a key also conforms to the benchmark.

**Current description**:

Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher

**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\System cryptography: Force strong key protection for user keys stored on the computer

- Compliance - :red_circle:
**Expected Compliance**:

3.11

**Current Compliance**:

16

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography'


</details>

### 2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Require case insensitivity for non- Windows subsystems

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Require case insensitivity for non- Windows subsystems

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

No current compliance

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel'

DpcWatchdogProfileOffset : 10000 ObUnsecureGlobalNames : {netfxcustomperfcounters.1.0, SharedPerfIPCBlock, Cor_Private_IPCBlock, Cor_PublicIPCBlock} SeTokenSingletonAttributesConfig : 3 obcaseinsensitive : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Cont rol\Session Manager\Kernel PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Cont rol\Session Manager PSChildName : Kernel PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

14.4

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session' Get-ItemProperty : Cannot find path 'HKLM:\System\CurrentControlSet\Control\Session' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\System\CurrentControl ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\System\Cu...Control\Session:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Local
Policies\Security Options\User Account Control: Admin Approval Mode for the
Built-in Administrator account

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\User Account Control: Admin Approval Mode for the Built-in Administrator account

Compliance - :red_circle: No V8 version compliance Current Compliance:
```
5.1
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.17.2 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

5.1

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

5.1

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.17.4 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

5.1

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.17.5 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected description**:

This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following:

…\Program Files\ , including subfolders
…\Windows\System32\
…\Program Files (x86)\ , including subfolders (for 64-bit versions of Windows) Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled .
```
**Current description**:
```
This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: ...\Program Files\, including subfolders; ...\Windows\system32\; ...\Program Files (x86)\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled.
```
**Expected remediation**:
```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations
```
**Current remediation**:
```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations
Compliance - :red_circle: No V8 version compliance Current Compliance:
```
5.1
```

Rules -

Expected scan result: OK

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.17.6 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Run all administrators in Admin Approval Mode

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Run all administrators in Admin Approval Mode.

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

5.1

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.17.7 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the secure desktop when prompting for elevation

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the secure desktop when prompting for elevation

- Compliance - :red_circle:
**No V8 version compliance**
**Current Compliance**:

5.1

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 2.3.17.8 (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected description**:

This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to:

%ProgramFiles%
%windir%
%windir%\System32
HKEY_LOCAL_MACHINE\SOFTWARE The recommended state for this setting is: Enabled .
```
**Current description**:
```
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles% - %Windir% - %Windir%\system32 - HKEY_LOCAL_MACHINE\Software. The recommended state for this setting is: Enabled."
```
**Expected remediation**:
```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations
```
**Current remediation**:
```
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations
Compliance - :red_circle: No V8 version compliance Current Compliance:

Rules -

Expected scan result: OK

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 5 System Services

### 5.1 (L2) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Bluetooth Audio Gateway Service

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Bluetooth Audio Gateway Service

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService'

DependOnService : {rpcss} Description : @%SystemRoot%\system32\BTAGService.dll,-102 DisplayName : @%SystemRoot%\system32\BTAGService.dll,-101 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeChangeNotifyPrivilege, SeIncreaseWorkingSetPrivilege, SeCreateGlobalPrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGServi ce PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : BTAGService PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.2 (L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Bluetooth Support Service

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Bluetooth Support Service

- Compliance - :red_circle:
**No V8 version compliance**
**Expected Compliance**:

4.8

**Current Compliance**:

16

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv'

Description : @%SystemRoot%\System32\bthserv.dll,-102 DisplayName : @%SystemRoot%\System32\bthserv.dll,-101 ErrorControl : 1 FailureActions : {132, 3, 0, 0...} ImagePath : C:\Windows\system32\svchost.exe -k LocalService -p ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : bthserv PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.3 (L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed' :green_circle: 
- Severity: `High`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- Not present

</details>

### 5.4 (L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Downloaded Maps Manager

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Downloaded Maps Manager

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker'

DelayedAutoStart : 1 DependOnService : {rpcss} Description : @%SystemRoot%\System32\moshost.dll,-101 DisplayName : @%SystemRoot%\System32\moshost.dll,-100 ErrorControl : 1 Group : NetworkService ImagePath : C:\Windows\System32\svchost.exe -k NetworkService -p ObjectName : NT AUTHORITY\NetworkService RequiredPrivileges : {SeImpersonatePrivilege} ServiceSidType : 1 Start : 2 Type : 16 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroke r PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : MapsBroker PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.5 (L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Geolocation Service

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Geolocation Service

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroker'

DelayedAutoStart : 1 DependOnService : {rpcss} Description : @%SystemRoot%\System32\moshost.dll,-101 DisplayName : @%SystemRoot%\System32\moshost.dll,-100 ErrorControl : 1 Group : NetworkService ImagePath : C:\Windows\System32\svchost.exe -k NetworkService -p ObjectName : NT AUTHORITY\NetworkService RequiredPrivileges : {SeImpersonatePrivilege} ServiceSidType : 1 Start : 2 Type : 16 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MapsBroke r PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : MapsBroker PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.6 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected rationale**:

Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS.

**Current rationale**:

Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly

**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\IIS Admin Service

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\IIS Admin Service

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN' Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Services\IISADMIN' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SYSTEM\Cu...rvices\IISADMIN:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

5.7 (L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Incomplete description Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\System
Services\Infrared monitor service

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System  Services\\Infrared monitor service

Compliance - :red_circle: Expected Compliance:
```
4.8
```
Current Compliance:
```
9.2
```

Rules -

Expected scan result: OK

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irmon'
Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Services\irmon' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SYSTEM\Cu...\Services\irmon:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

5.8 (L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Incomplete description Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\System
Services\Internet Connection Sharing (ICS)

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System  Services\\Internet Connection Sharing (ICS)

Compliance - :red_circle: Expected Compliance:
```
4.8
```
Current Compliance:
```
9.2
```
Rules -
- Expected scan result: FAIL
- Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess'

DependOnService : {BFE} Description : @%SystemRoot%\system32\ipnathlp.dll,-107 DisplayName : @%SystemRoot%\system32\ipnathlp.dll,-106 ErrorControl : 1 FailureActions : {132, 3, 0, 0...} ImagePath : C:\Windows\System32\svchost.exe -k netsvcs -p ObjectName : LocalSystem RequiredPrivileges : {SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege, SeLoadDriverPrivilege...} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAcc ess PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : SharedAccess PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.9 (L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Link-Layer Topology Discovery Mapper

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Link-Layer Topology Discovery Mapper

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc'

DependOnService : {rpcss, lltdio} Description : @%SystemRoot%\system32\lltdres.dll,-2 DisplayName : @%SystemRoot%\system32\lltdres.dll,-1 ErrorControl : 1 FailureActions : {0, 0, 0, 0...} ImagePath : C:\Windows\System32\svchost.exe -k LocalService -p ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeImpersonatePrivilege, SeChangeNotifyPrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lltdsvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : lltdsvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.10 (L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\LxssManager

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\LxssManager

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LxssManager' Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Services\LxssManager' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SYSTEM\Cu...ces\LxssManager:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

5.11 (L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Incomplete description Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\System
Services\Microsoft FTP Service

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System  Services\\Microsoft FTP Service

Compliance - :red_circle: Expected Compliance:
```
4.8
```
Current Compliance:
```
9.2
```

Rules -

Expected scan result: OK

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FTPSVC'
Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Services\FTPSVC' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SYSTEM\Cu...Services\FTPSVC:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand


</details>

### 5.12 (L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Microsoft iSCSI Initiator Service

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Microsoft iSCSI Initiator Service

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSiSCSI'

Description : @%SystemRoot%\system32\iscsidsc.dll,-5001 DisplayName : @%SystemRoot%\system32\iscsidsc.dll,-5000 ErrorControl : 1 FailureActions : {80, 70, 0, 0...} FailureActionsOnNonCrashFailures : 1 FailureCommand : customScript.cmd Group : iSCSI ImagePath : C:\Windows\system32\svchost.exe -k netsvcs -p ObjectName : LocalSystem RebootMessage : See Note 3 below RequiredPrivileges : {SeAuditPrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeCreatePermanentPrivilege...} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Serv ices\MSiSCSI PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Serv ices PSChildName : MSiSCSI PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.13 (L1) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\OpenSSH SSH Server

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\OpenSSH SSH Server

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd'

Type : 16 Start : 2 ErrorControl : 1 ImagePath : C:\Program Files\OpenSSH-Win64\sshd.exe ObjectName : LocalSystem Description : SSH Daemon PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshd PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : sshd PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.14 (L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Peer Name Resolution Protocol

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Peer Name Resolution Protocol

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc'

DependOnService : {p2pimsvc} Description : @%SystemRoot%\system32\pnrpsvc.dll,-8001 DisplayName : @%SystemRoot%\system32\pnrpsvc.dll,-8000 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\System32\svchost.exe -k LocalServicePeerNet ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPsvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : PNRPsvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.15 (L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Peer Networking Grouping

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Peer Networking Grouping

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc'

DependOnService : {p2pimsvc, PNRPSvc} Description : @%SystemRoot%\system32\p2psvc.dll,-8007 DisplayName : @%SystemRoot%\system32\p2psvc.dll,-8006 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\System32\svchost.exe -k LocalServicePeerNet ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2psvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : p2psvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry



</details>

fedepacher commented 1 year ago

Update 2022/07/06

5.16 (L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\System
Services\Peer Networking Identity Manager

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System  Services\\Peer Networking Identity Manager

Compliance - :red_circle: Expected Compliance:
```
4.8
```
Current Compliance:
```
9.2
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc'

Description : @%SystemRoot%\system32\pnrpsvc.dll,-8005 DisplayName : @%SystemRoot%\system32\pnrpsvc.dll,-8004 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\System32\svchost.exe -k LocalServicePeerNet ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\p2pimsvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : p2pimsvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.17 (L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\PNRP Machine Name Publication Service

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\PNRP Machine Name Publication Service

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoReg'

DependOnService : {pnrpsvc} Description : @%SystemRoot%\system32\pnrpauto.dll,-8003 DisplayName : @%SystemRoot%\system32\pnrpauto.dll,-8002 ErrorControl : 1 FailureActions : {132, 3, 0, 0...} ImagePath : C:\Windows\System32\svchost.exe -k LocalServicePeerNet ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PNRPAutoR eg PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : PNRPAutoReg PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.18 (L2) Ensure 'Print Spooler (Spooler)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected rationale**:

In a high security environment, unnecessary services especially those with known vulnerabilities should be disabled. Disabling the Print Spooler (Spooler) service mitigates the PrintNightmare vulnerability (CVE-2021-34527) and other attacks against the service.

**Current rationale**:

In a high security environment, unnecessary services especially those with known vulnerabilities should be disabled.

**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Print Spooler

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Print Spooler

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler'

DependOnService : {RPCSS, http} Description : @%systemroot%\system32\spoolsv.exe,-2 DisplayName : @%systemroot%\system32\spoolsv.exe,-1 ErrorControl : 1 FailureActions : {16, 14, 0, 0...} Group : SpoolerGroup ImagePath : C:\Windows\System32\spoolsv.exe ObjectName : LocalSystem RequiredPrivileges : {SeTcbPrivilege, SeImpersonatePrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege...} ServiceSidType : 1 Start : 2 Type : 272 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : Spooler PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.19 (L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Problem Reports and Solutions Control Panel Support

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Problem Reports and Solutions Control Panel Support

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsupport'

Description : @%SystemRoot%\System32\wercplsupport.dll,-100 DisplayName : @%SystemRoot%\System32\wercplsupport.dll,-101 ErrorControl : 1 ImagePath : C:\Windows\System32\svchost.exe -k netsvcs -p ObjectName : localSystem RequiredPrivileges : {SeImpersonatePrivilege, SeTcbPrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wercplsup port PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : wercplsupport PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.20 (L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Remote Access Auto Connection Manager

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Remote Access Auto Connection Manager

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto'

DependOnService : {RasAcd} Description : @%Systemroot%\system32\rasauto.dll,-201 DisplayName : @%Systemroot%\system32\rasauto.dll,-200 ErrorControl : 1 FailureActions : {132, 3, 0, 0...} ImagePath : C:\Windows\System32\svchost.exe -k netsvcs -p ObjectName : localSystem RequiredPrivileges : {SeImpersonatePrivilege, SeTcbPrivilege, SeIncreaseQuotaPrivilege, SeChangeNotifyPrivilege...} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasAuto PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : RasAuto PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.21 (L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Remote Desktop Configuration

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Remote Desktop Configuration

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEnv'

DependOnService : {RPCSS, LanmanWorkstation} Description : @%SystemRoot%\System32\SessEnv.dll,-1027 DisplayName : @%SystemRoot%\System32\SessEnv.dll,-1026 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\System32\svchost.exe -k netsvcs -p ObjectName : localSystem RequiredPrivileges : {SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeImpersonatePrivilege...} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SessionEn v PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : SessionEnv PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.22 (L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Remote Desktop Services

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Remote Desktop Services

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService'

DependOnService : {RPCSS} Description : @%SystemRoot%\System32\termsrv.dll,-267 DisplayName : @%SystemRoot%\System32\termsrv.dll,-268 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\System32\svchost.exe -k NetworkService ObjectName : NT Authority\NetworkService RequiredPrivileges : {SeAssignPrimaryTokenPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege...} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermServi ce PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : TermService PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.23 (L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Remote Desktop Services UserMode Port Redirector

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Remote Desktop Services UserMode Port Redirector

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpService'

DependOnService : {TermService, RDPDR} Description : @%SystemRoot%\system32\umrdp.dll,-1001 DisplayName : @%SystemRoot%\system32\umrdp.dll,-1000 ErrorControl : 1 FailureActions : {0, 0, 0, 0...} ImagePath : C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p ObjectName : localSystem RequiredPrivileges : {SeAuditPrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege...} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UmRdpServ ice PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : UmRdpService PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.24 (L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Remote Procedure Call (RPC) Locator

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Remote Procedure Call (RPC) Locator

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocator'

Description : @%systemroot%\system32\Locator.exe,-3 DisplayName : @%systemroot%\system32\Locator.exe,-2 ErrorControl : 1 FailureActions : {132, 3, 0, 0...} ImagePath : C:\Windows\system32\locator.exe ObjectName : NT AUTHORITY\NetworkService RequiredPrivileges : {SeChangeNotifyPrivilege} Start : 3 Type : 16 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcLocato r PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : RpcLocator PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.25 (L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Remote Registry

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Remote Registry

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry'

DependOnService : {RPCSS} Description : @regsvc.dll,-2 DisplayName : @regsvc.dll,-1 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\system32\svchost.exe -k localService -p ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeCreateGlobalPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 4 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteReg istry PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : RemoteRegistry PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.26 (L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Routing and Remote Access

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Routing and Remote Access

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess'

ConfigurationFlags : 0 DependOnGroup : {NetBIOSGroup} DependOnService : {RpcSS, Bfe, RasMan, Http} Description : @%Systemroot%\system32\mprdim.dll,-201 DisplayName : @%Systemroot%\system32\mprdim.dll,-200 ErrorControl : 1 FailureActions : {132, 3, 0, 0...} ImagePath : C:\Windows\System32\svchost.exe -k netsvcs ObjectName : localSystem RequiredPrivileges : {SeChangeNotifyPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeAuditPrivilege...} ServiceSidType : 1 Start : 4 SvcHostSplitDisable : 1 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAc cess PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : RemoteAccess PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.27 (L2) Ensure 'Server (LanmanServer)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Server

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Server

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer'

DependOnService : {SamSS, Srv2} Description : @%systemroot%\system32\srvsvc.dll,-101 DisplayName : @%systemroot%\system32\srvsvc.dll,-100 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\system32\svchost.exe -k netsvcs -p ObjectName : LocalSystem RequiredPrivileges : {SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeAuditPrivilege} ServiceSidType : 1 Start : 2 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanSer ver PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : LanmanServer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.28 (L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Simple TCP/IP Services

**Current remediation**:

Configuration\Policies\Windows Settings\Security Settings\System Services\Simple TCP/IP Services

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simptcp' Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Services\simptcp' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SYSTEM\Cu...ervices\simptcp:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

5.29 (L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\System
Services\SNMP Service

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System Services\\SNMP Service

Compliance - :red_circle: Expected Compliance:
```
4.8
```
Current Compliance:
```
9.2
```

Rules -

Expected scan result: OK

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP'
Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SYSTEM\Cu...t\Services\SNMP:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

5.30 (L1) Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\System
Services\Special Administration Console Helper

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System  Services\\Special Administration Console Helper

Compliance - :red_circle: Expected Compliance:
```
4.8
```
Current Compliance:
```
9.2
```

Rules -

Expected scan result: Ok

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sacsvr'
Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Services\sacsvr' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SYSTEM\Cu...Services\sacsvr:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand


</details>

### 5.31 (L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\SSDP Discovery

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\SSDP Discovery

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV'

DependOnService : {HTTP, NSI} Description : @%systemroot%\system32\ssdpsrv.dll,-101 DisplayName : @%systemroot%\system32\ssdpsrv.dll,-100 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeChangeNotifyPrivilege, SeCreateGlobalPrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSDPSRV PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : SSDPSRV PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.32 (L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\UPnP Device Host

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\UPnP Device Host

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost'

DependOnService : {SSDPSRV, HTTP} Description : @%systemroot%\system32\upnphost.dll,-214 DisplayName : @%systemroot%\system32\upnphost.dll,-213 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p ObjectName : NT AUTHORITY\LocalService RequiredPrivileges : {SeChangeNotifyPrivilege, SeCreateGlobalPrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : upnphost PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.33 (L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Web Management Service

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Web Management Service

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMSvc' Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Services\WMSvc' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SYSTEM\Cu...\Services\WMSvc:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand


</details>

### 5.34 (L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Windows Error Reporting Service

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Windows Error Reporting Service

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc'

Description : @%SystemRoot%\System32\wersvc.dll,-101 DisplayName : @%SystemRoot%\System32\wersvc.dll,-100 ErrorControl : 0 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\System32\svchost.exe -k WerSvcGroup ObjectName : localSystem RequiredPrivileges : {SeDebugPrivilege, SeTcbPrivilege, SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege} ServiceSidType : 1 Start : 3 Type : 16 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WerSvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : WerSvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.35 (L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Windows Event Collector

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Windows Event Collector

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc'

DependOnService : {HTTP, Eventlog} Description : @%SystemRoot%\system32\wecsvc.dll,-201 DisplayName : @%SystemRoot%\system32\wecsvc.dll,-200 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\system32\svchost.exe -k NetworkService -p ObjectName : NT AUTHORITY\NetworkService RequiredPrivileges : {SeAuditPrivilege, SeChangeNotifyPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wecsvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : Wecsvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.36 (L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Windows Media Player Network Sharing Service

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Windows Media Player Network Sharing Service

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc'

DependOnService : {http, WSearch} Description : @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-102 DisplayName : @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : "C:\Program Files\Windows Media Player\wmpnetwk.exe" ObjectName : NT AUTHORITY\NetworkService RequiredPrivileges : {SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 16 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WMPNetwor kSvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : WMPNetworkSvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.37 (L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Windows Mobile Hotspot Service

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Windows Mobile Hotspot Service

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc'

DependOnService : {RpcSs, wcmsvc} Description : @%SystemRoot%\System32\tetheringservice.dll,-4098 DisplayName : @%SystemRoot%\System32\tetheringservice.dll,-4097 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} Group : TDI ImagePath : C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p ObjectName : NT Authority\LocalService RequiredPrivileges : {SeChangeNotifyPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\icssvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : icssvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.38 (L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Windows Push Notifications System Service

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Windows Push Notifications System Service

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnService'

DependOnService : {rpcss} Description : @%SystemRoot%\system32\wpnservice.dll,-2 DisplayName : @%SystemRoot%\system32\wpnservice.dll,-1 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\system32\svchost.exe -k netsvcs -p ObjectName : LocalSystem RequiredPrivileges : {SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, SeTcbPrivilege} ServiceSidType : 1 Start : 2 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WpnServi ce PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : WpnService PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.39 (L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Windows PushToInstall Service (PushToInstall)

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Windows PushToInstall Service (PushToInstall)

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToInstall'

DependOnService : {rpcss} Description : @%SystemRoot%\system32\pushtoinstall.dll,-201 DisplayName : @%SystemRoot%\system32\pushtoinstall.dll,-200 ErrorControl : 0 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\System32\svchost.exe -k netsvcs -p ObjectName : LocalSystem RequiredPrivileges : {SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeTcbPrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PushToIn stall PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : PushToInstall PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.40 (L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Windows Remote Management (WS-Management)

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Windows Remote Management (WS-Management)

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM'

DelayedAutoStart : 0 DependOnService : {RPCSS, HTTP} Description : @%Systemroot%\system32\wsmsvc.dll,-102 DisplayName : @%Systemroot%\system32\wsmsvc.dll,-101 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\System32\svchost.exe -k NetworkService -p ObjectName : NT AUTHORITY\NetworkService RequiredPrivileges : {SeAssignPrimaryTokenPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege...} ServiceSidType : 1 Start : 2 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinRM PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : WinRM PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.41 (L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\World Wide Web Publishing Service

**Current remediation**:

Configuration\Policies\Windows Settings\Security Settings\System Services\World Wide Web Publishing Service

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC' Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SYSTEM\Cu...\Services\W3SVC:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

5.42 (L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\System
Services\Xbox Accessory Management Service

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\System  Services\\Xbox Accessory Management Service

Compliance - :red_circle: Expected Compliance:
```
4.8
```
Current Compliance:
```
9.2
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSvc'

Description : @%systemroot%\system32\xboxgipsvc.dll,-101 DisplayName : @%systemroot%\system32\xboxgipsvc.dll,-100 ErrorControl : 1 ImagePath : C:\Windows\system32\svchost.exe -k netsvcs -p ObjectName : LocalSystem RequiredPrivileges : {SeTcbPrivilege, SeImpersonatePrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege} Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxGipSv c PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : XboxGipSvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.43 (L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Xbox Live Auth Manager

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Xbox Live Auth Manager

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthManager'

DependOnService : {RpcSs} Description : @%systemroot%\system32\XblAuthManager.dll,-101 DisplayName : @%systemroot%\system32\XblAuthManager.dll,-100 ErrorControl : 1 ImagePath : C:\Windows\system32\svchost.exe -k netsvcs -p ObjectName : LocalSystem RequiredPrivileges : {SeTcbPrivilege, SeImpersonatePrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege...} Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblAuthMa nager PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : XblAuthManager PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.44 (L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Xbox Live Game Save

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Xbox Live Game Save

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave'

DependOnService : {UserManager, XblAuthManager} Description : @%systemroot%\system32\XblGameSave.dll,-101 DisplayName : @%systemroot%\system32\XblGameSave.dll,-100 ErrorControl : 1 FailureActions : {128, 81, 1, 0...} ImagePath : C:\Windows\system32\svchost.exe -k netsvcs -p ObjectName : LocalSystem Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XblGameSave PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : XblGameSave PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 5.45 (L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Xbox Live Networking Service

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\System Services\Xbox Live Networking Service

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc'

DependOnService : {BFE, mpssvc, IKEEXT, KeyIso} Description : @%systemroot%\system32\XboxNetApiSvc.dll,-101 DisplayName : @%systemroot%\system32\XboxNetApiSvc.dll,-100 ErrorControl : 1 ImagePath : C:\Windows\system32\svchost.exe -k netsvcs -p ObjectName : LocalSystem RequiredPrivileges : {SeTcbPrivilege, SeImpersonatePrivilege} ServiceSidType : 1 Start : 3 Type : 32 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XboxNetAp iSvc PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services PSChildName : XboxNetApiSvc PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry



</details>

fedepacher commented 1 year ago

Update 2022/07/07

9.1 Domain Profile

9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Domain Profile\Firewall state

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Firewall state

Compliance - :red_circle: Expected Compliance:
```
4.5
```
Current Compliance:
```
9.2, 9.4
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' because it does
not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...l\DomainProfile:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.1.2 (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Domain Profile\Inbound connections

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Inbound connections

Compliance - :red_circle: Expected Compliance:
```
4.5
```
Current Compliance:
```
9.2, 9.4
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' because it does
not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...l\DomainProfile:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.1.3 (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Domain Profile\Outbound connections

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Outbound connections

Compliance - :red_circle: Expected Compliance:
```
4.5
```
Current Compliance:
```
9.2, 9.4
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' because it does
not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...l\DomainProfile:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Domain Profile\Settings
Customize\Display a notification

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Settings Customize\\Display a notification

Compliance - :red_circle: Expected Compliance:
```
4.5
```
Current Compliance:

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' because it does
not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...l\DomainProfile:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.1.5 (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected title:

(L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'

Current title:

Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'

Expected description:

Use this option to specify the path and name of the file in which Windows Firewall will write its log information.
The recommended state for this setting is:
%SystemRoot%\System32\logfiles\firewall\domainfw.log .

Current description:

Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log

Expected remediation:

%SystemRoot%\System32\logfiles\firewall\domainfw.log :
Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Domain Profile\Logging Customize\Name

Current remediation:

%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Name

Compliance - :red_circle: Expected Compliance:
```
4.5, 8.5
```
Current Compliance:
```
6.2, 6.3
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' because
it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.1.6 (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Domain Profile\Logging Customize\Size
limit (KB)

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Size limit (KB)

Compliance - :red_circle: Expected Compliance:
```
4.5, 8.5
```
Current Compliance:
```
6.3, 6.4
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' because
it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Domain Profile\Logging Customize\Log
dropped packets

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log dropped packets

Compliance - :red_circle: Expected Compliance:
```
4.5, 8.5
```
Current Compliance:
```
6.2, 6.3
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' because
it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.1.8 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Domain Profile\Logging Customize\Log
successful connections

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Domain Profile\\Logging Customize\\Log successful connections

Compliance - :red_circle: Expected Compliance:
```
4.5, 8.5
```
Current Compliance:
```
6.2, 6.3
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging' because
it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Private Profile\Firewall state

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Firewall state

Compliance - :red_circle: Expected Compliance:
```
4.5
```
Current Compliance:
```
9.2, 9.4
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' because it does
not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...\PrivateProfile:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.2.2 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Private Profile\Inbound connections

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Inbound connections

Compliance - :red_circle: Expected Compliance:
```
4.5
```
Current Compliance:
```
9.2, 9.4
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' because it does
not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...\PrivateProfile:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.2.3 (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Private Profile\Outbound connections

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Outbound connections

Compliance - :red_circle: Expected Compliance:
```
4.5
```
Current Compliance:
```
9.2, 9.4
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' because it does
not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...\PrivateProfile:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand


</details>

### 9.2.4 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Settings Customize\Display a notification

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Settings Customize\Display a notification

- Compliance - :red_circle:
**Expected Compliance**:

4.5

**Current Compliance**:

-

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...\PrivateProfile:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.2.5 (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected title:

(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'

Current title:

Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'

Expected description:

Use this option to specify the path and name of the file in which Windows Firewall will write its log information.
The recommended state for this setting is:
%SystemRoot%\System32\logfiles\firewall\privatefw.log .

Current description:

Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log.

Expected remediation:

%SystemRoot%\System32\logfiles\firewall\privatefw.log :
Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Private Profile\Logging Customize\Name

Current remediation:

%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Name

Compliance - :red_circle: No V8 version compliance: Expected Compliance:
```
4.5, 8.5
```
Current Compliance:
```
6.2, 6.3
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' because
it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.2.6 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Private Profile\Logging Customize\Size
limit (KB)

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Size limit (KB)

Compliance - :red_circle: No V8 version compliance: Expected Compliance:
```
4.5, 8.5
```
Current Compliance:
```
6.3, 6.4
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' because
it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.2.7 (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Private Profile\Logging Customize\Log
dropped packets

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log dropped packets

Compliance - :red_circle: No V8 version compliance: Expected Compliance:
```
4.5, 8.5
```
Current Compliance:
```
6.2, 6.3
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' because
it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.2.8 (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Private Profile\Logging Customize\Log
successful connections

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Private Profile\\Logging Customize\\Log successful connections

Compliance - :red_circle: Expected Compliance:
```
4.5, 8.5
```
Current Compliance:
```
6.2, 6.3
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging' because
it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Public Profile\Firewall state

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Firewall state

Compliance - :red_circle: Expected Compliance:
```
4.5
```
Current Compliance:
```
9.2, 9.4
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' because it does
not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...l\PublicProfile:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.3.2 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Public Profile\Inbound connections

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Inbound connections

Compliance - :red_circle: Expected Compliance:
```
4.5
```
Current Compliance:
```
9.2, 9.4
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' because it does
not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...l\PublicProfile:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.3.3 (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Public Profile\Outbound connections

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Outbound connections

Compliance - :red_circle: No V8 version compliance: Expected Compliance:
```
4.5
```
Current Compliance:
```
9.2, 9.4
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' because it does
not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...l\PublicProfile:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Public Profile\Settings
Customize\Display a notification

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Display a notification

Compliance - :red_circle: Expected Compliance:
```
4.5
```
Current Compliance:

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' because it does
not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...l\PublicProfile:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand


</details>

### 9.3.5 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Settings Customize\Apply local firewall rules

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Settings Customize\Apply local firewall rules

- Compliance - :red_circle:
**Expected Compliance**:

4.5

**Current Compliance**:

5.1

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...l\PublicProfile:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.3.6 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Public Profile\Settings Customize\Apply
local connection security rules

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Settings Customize\\Apply local connection security rules

Compliance - :red_circle: Expected Compliance:
```
4.5
```
Current Compliance:
```
5.1
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' because it does
not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...l\PublicProfile:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected title:

9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'

Current title:

Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'

Expected description:

Use this option to specify the path and name of the file in which Windows Firewall will write its log information.
The recommended state for this setting is:
%SystemRoot%\System32\logfiles\firewall\publicfw.log .

Current description:

Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log.

Expected remediation:

%SystemRoot%\System32\logfiles\firewall\publicfw.log :
Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Public Profile\Logging Customize\Name

Current remediation:

%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log: Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Name

Compliance - :red_circle: Expected Compliance:
```
4.5, 8.5
```
Current Compliance:
```
6.2, 6.3
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' because
it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand


</details>

### 9.3.8 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Logging Customize\Size limit (KB)

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Logging Customize\Size limit (KB)

- Compliance - :red_circle:
**Expected Compliance**:

4.5, 8.5

**Current Compliance**:

6.3, 6.4

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand


</details>

### 9.3.9 (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Logging Customize\Log dropped packets

**Current remediation**:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Logging Customize\Log dropped packets

- Compliance - :red_circle:
**Expected Compliance**:

4.5, 8.5

**Current Compliance**:

6.2, 6.3

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

9.3.10 (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced
Security\Windows Firewall Properties\Public Profile\Logging Customize\Log
successful connections

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows Firewall with Advanced Security\\Windows Firewall with Advanced Security\\Windows Firewall Properties\\Public Profile\\Logging Customize\\Log successful connections

Compliance - :red_circle: Expected Compliance:
```
4.5, 8.5
```
Current Compliance:
```
6.2, 6.3
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging' because
it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Profile\Logging:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

17.1 Account Logon

17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Incomplete description Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Account Logon\Audit Credential
Validation

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced  Audit Policy Configuration\\Audit Policies\\Account Logon\\Audit Credential  Validation

Compliance - :red_circle: Expected Compliance:
```
8.5
```
Current Compliance:

Rules -

Expected scan result: FAIL

Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Credential Validation"
System audit policy
Category/Subcategory                      Setting
Account Logon
Credential Validation                   No Auditing

17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Incomplete description Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit Application Group Management

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced  Audit Policy Configuration\\Audit Policies\\Account Management\\Audit  Application Group Management

Compliance - :red_circle: Expected Compliance:
```
8.5
```
Current Compliance:
```
6.3,16.12,16.9
```

Rules -

Expected scan result: FAIL

Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Application Group Management"
System audit policy
Category/Subcategory                      Setting
Account Management
Application Group Management            No Auditing

17.2.2 (L1) Ensure 'Audit Security Group Management' is set to include 'Success' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Incomplete description Expected rationale:

Auditing these events may be useful when investigating a security incident.

Current rationale:

Auditing events in this category may be useful when investigating an incident

Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced
Audit Policy Configuration\Audit Policies\Account Management\Audit Security
Group Management

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced  Audit Policy Configuration\\Audit Policies\\Account Management\\Audit Security  Group Management

Compliance - :red_circle: Expected Compliance:
```
8.5
```
Current Compliance:
```
6.3, 16.6
```

Rules -

Expected scan result: OK

Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Security Group Management"
System audit policy
Category/Subcategory                      Setting
Account Management
Security Group Management               Success

17.2.3 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Incomplete description Expected remediation:

Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management

Current remediation:

Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Advanced  Audit Policy Configuration\\Audit Policies\\Account Management\\Audit User  Account Management

Compliance - :red_circle: Expected Compliance:
```
8.5
```
Current Compliance:
```
6.3, 16.6
```

Rules -

Expected scan result: OK

Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"User Account Management"
System audit policy
Category/Subcategory                      Setting
Account Management
User Account Management                 Success

fedepacher commented 1 year ago

Update 2022/07/08

17.3.1 (L1) Ensure 'Audit PNP Activity' is set to include 'Success' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description Compliance - :red_circle: Expected Compliance:
```
8.5
```
Current Compliance:
```
8.4, 8.5, 13.7
```

Rules -

Expected scan result: FAIL

Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Plug and Play Events"
System audit policy
Category/Subcategory                      Setting
Detailed Tracking
Plug and Play Events                    No Auditing

17.3.2 (L1) Ensure 'Audit Process Creation' is set to include 'Success' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: Expected Compliance:
```
8.5
```
Current Compliance:
```
6.3
```

Rules -

Expected scan result: FAIL

Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Process Creation"
System audit policy
Category/Subcategory                      Setting
Detailed Tracking
Process Creation                        No Auditing

17.5.1 (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: No V8 version compliance: Expected Compliance:
```
8.5
```
Current Compliance:
```
6.3, 16.6
```

Rules -

Expected scan result: FAIL

Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Account Lockout"
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
Account Lockout                         Success

17.5.2 (L1) Ensure 'Audit Group Membership' is set to include 'Success' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: Expected Compliance:
```
8.5
```
Current Compliance:
```
4.8, 6.3, 16.6
```

Rules -

Expected scan result: FAIL

Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Group Membership"
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
Group Membership                        No Auditing

17.5.3 (L1) Ensure 'Audit Logoff' is set to include 'Success' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: Expected Compliance:
```
8.5
```
Current Compliance:
```
6.3, 16.13, 16.6
```

Rules -

Expected scan result: OK

Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Logoff"
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
Logoff                                  Success

17.5.4 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: Expected Compliance:
```
8.5
```
Current Compliance:
```
6.3, 16.6, 16.13
```

Rules -

Expected scan result: OK

Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Logon"
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
Logon                                   Success and Failure

17.5.5 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description Expected remediation:
Compliance - :red_circle: Expected Compliance:
```
8.5
```
Current Compliance:
```
6.3, 16.6, 16.13
```

Rules -

Expected scan result: FAIL

Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Other Logon/Logoff Events"
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
Other Logon/Logoff Events               No Auditing

17.5.6 (L1) Ensure 'Audit Special Logon' is set to include 'Success' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: Expected Compliance:
```
8.5
```
Current Compliance:
```
6.3, 16.6
```

Rules -

Expected scan result: OK

Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Special Logon"
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
Special Logon                           Success

17.6.1 (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Incomplete description Expected rationale:

Auditing the Failures will log which unauthorized users attempted (and failed) to get access to a file or folder on a network share on this computer, which could possibly be an indication of malicious intent.

Current rationale:

Auditing these events may be useful when investigating a security incident.

Compliance - :red_circle: Expected Compliance:
```
3.3, 8.5
```
Current Compliance:
```
16.3, 14.6
```

Rules -

Expected scan result: FAIL

Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Detailed File Share"
System audit policy
Category/Subcategory                      Setting
Object Access
Detailed File Share                     No Auditing

17.6.2 (L1) Ensure 'Audit File Share' is set to 'Success and Failure' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: Expected Compliance:
```
3.3, 8.5
```
Current Compliance:
```
6.3, 14.6
```
Rules -
- Expected scan result: FAIL
- Log:


</details>

### 17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**Expected Compliance**:

8.5

**Current Compliance**:

6.2, 6.3

- Rules -
    - Expected scan result: `FAIL`
    - Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Other Object Access Events" System audit policy Category/Subcategory Setting Object Access Other Object Access Events No Auditing


</details>

### 17.6.4 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**Expected Compliance**:

8.5

**Current Compliance**:

6.3, 8.4, 8.5, 13.8

- Rules -
    - Expected scan result: `FAIL`
    - Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Removable Storage" System audit policy Category/Subcategory Setting Object Access Removable Storage No Auditing


</details>

### 17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**Expected Compliance**:

8.5

**Current Compliance**:

5.5, 6.3

- Rules -
    - Expected scan result: `OK`
    - Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Audit Policy Change" System audit policy Category/Subcategory Setting Policy Change Audit Policy Change Success


</details>

### 17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**Expected Compliance**:

8.5

**Current Compliance**:

5.5, 6.3

- Rules -
    - Expected scan result: `OK`
    - Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Authentication Policy Change" System audit policy Category/Subcategory Setting Policy Change Authentication Policy Change Success


</details>

### 17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**Expected Compliance**:

8.5

**Current Compliance**:

5.5, 6.3, 14.9

- Rules -
    - Expected scan result: `FAIL`
    - Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Authorization Policy Change" System audit policy Category/Subcategory Setting Policy Change Authorization Policy Change No Auditing


</details>

### 17.7.4 (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**Expected Compliance**:

8.5

**Current Compliance**:

5.5, 6.3

- Rules -
    - Expected scan result: `FAIL`
    - Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"MPSSVC Rule-Level Policy Change" System audit policy Category/Subcategory Setting Policy Change MPSSVC Rule-Level Policy Change No Auditing


</details>

### 17.7.5 (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**Expected Compliance**:

8.5

**Current Compliance**:

5.5, 6.3, 14.9

- Rules -
    - Expected scan result: `FAIL`
    - Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Other Policy Change Events" System audit policy Category/Subcategory Setting Policy Change Other Policy Change Events No Auditing


</details>

### 17.8.1 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**Expected Compliance**:

8.5

**Current Compliance**:

4.3, 6.3

- Rules -
    - Expected scan result: `FAIL`
    - Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Sensitive Privilege Use" System audit policy Category/Subcategory Setting Privilege Use Sensitive Privilege Use No Auditing


</details>

### 17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

8.5

**Current Compliance**:

6.3, 6.4, 6.5

- Rules -
    - Expected scan result: `FAIL`
    - Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"IPsec Driver" System audit policy Category/Subcategory Setting System IPsec Driver No Auditing


</details>

### 17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

8.5

**Current Compliance**:

6.3, 6.4, 6.5, 9.4

- Rules -
    - Expected scan result: `OK`
    - Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Other System Events" System audit policy Category/Subcategory Setting System Other System Events Success and Failure


</details>

### 17.9.3 (L1) Ensure 'Audit Security State Change' is set to include 'Success' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

8.5

**Current Compliance**:

6.3, 6.4, 6.5

- Rules -
    - Expected scan result: `OK`
    - Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Security State Change" System audit policy Category/Subcategory Setting System Security State Change Success


</details>

### 17.9.4 (L1) Ensure 'Audit Security System Extension' is set to include 'Success' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

8.5

**Current Compliance**:

6.3, 6.4, 6.5

- Rules -
    - Expected scan result: `FAIL`
    - Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"Security System Extension" System audit policy Category/Subcategory Setting System Security System Extension No Auditing


</details>

### 17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**No V8 version compliance**:
**Expected Compliance**:

8.5

**Current Compliance**:

6.3, 6.4, 6.5

- Rules -
    - Expected scan result: `OK`
    - Log:

C:\Users\vagrant>auditpol.exe /get /subcategory:"System Integrity" System audit policy Category/Subcategory Setting System System Integrity Success and Failure


</details>

## 18.1 Control Panel

### 18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**No V8 version compliance**:
**Current Compliance**:

-

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Personalization:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization' because it does not
exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Personalization:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.1.2.2 (L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
13
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\InputPersonalization'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Personalization:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.1.3 (L2) Ensure 'Allow Online Tips' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected remediation:

Computer Configuration\Policies\Administrative Templates\Control Panel\Allow
Online Tips

Current remediation:

Computer Configuration\\Policies\\Administrative Templates\\Control Panel\\Allow Online Tips Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanel.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
9.1
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

ForceActiveDesktopOn : 0 NoActiveDesktop : 1 NoActiveDesktopChanges : 1 NoRecentDocsHistory : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi on\Policies\Explorer PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi on\Policies PSChildName : Explorer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.2 LAPS

### 18.2.1 (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

5.2, 5.4

**Current Compliance**:

16.9

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions{D76B9641-3288-4f75-942D-087DE603E3EA}' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions{D76B9641-3288-4f75-942D-087DE603E3EA}' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wi ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...D-087DE603E3EA}:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.2.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
16.2,  16.10
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Services\AdmPwd:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.2.3 (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: Expected Compliance:
```
5.2, 5.4
```
Current Compliance:
```
16.9
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Services\AdmPwd:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

fedepacher commented 1 year ago

Update 2022/07/11

18.2.4 (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle Expected Compliance:
```
5.2
```
Current Compliance:
```
5.7
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Services\AdmPwd:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.2.5 (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: Expected Compliance:
```
5.2
```
Current Compliance:
```
5.7
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Services\AdmPwd:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.2.6 (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
16.5
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Services\AdmPwd:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.3 MS Security Guide

18.3.1 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: Expected Compliance:
```
5.4
```
Current Compliance:
```
5.8, 4.3
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.3.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.1, 9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10' Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SYSTEM\Cu...rvices\mrxsmb10:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand


</details>

### 18.3.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9.1, 9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

EnableAuthenticateUserSharing : 0 NullSessionPipes : {} ServiceDll : C:\Windows\system32\srvsvc.dll ServiceDllUnloadOnStop : 1 autodisconnect : 15 enableforcedlogoff : 1 enablesecuritysignature : 0 requiresecuritysignature : 0 restrictnullsessaccess : 1 Guid : {69, 164, 39, 193...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Service s\LanmanServer\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Service s\LanmanServer PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.3.4 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

10.5

**Current Compliance**:

8.4, 8.3

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'

DpcWatchdogProfileOffset : 10000 ObUnsecureGlobalNames : {netfxcustomperfcounters.1.0, SharedPerfIPCBlock, Cor_Private_IPCBlock, Cor_PublicIPCBlock} SeTokenSingletonAttributesConfig : 3 obcaseinsensitive : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Cont rol\Session Manager\kernel PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Cont rol\Session Manager PSChildName : kernel PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.3.5 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**No V8 version compliance**:
**Current Compliance**:

-

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsNT\Printers\PointAndPrint' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsNT\Printers\PointAndPrint' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...s\PointAndPrint:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.3.6 (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
9
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

BcastNameQueryCount : 3 BcastQueryTimeout : 750 CacheTimeout : 600000 EnableLMHOSTS : 1 NameServerPort : 137 NameSrvQueryCount : 3 NameSrvQueryTimeout : 1500 NbProvider : _tcp SessionKeepAlive : 3600000 Size/Small/Medium/Large : 1 TransportBindName : \Device\ UseNewSmb : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetB T\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetB T PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.3.7 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

3.11

**Current Compliance**:

16.14

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

Debuglevel : 0 Negotiate : 0 UTF8HTTP : 1 UTF8SASL : 1 DigestEncryptionAlgorithms : 3des,rc4 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se curityProviders\WDigest PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Se curityProviders PSChildName : WDigest PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.4 MSS (Legacy)

### 18.4.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**Expected Compliance**:

3.11

**Current Compliance**:

16

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

AutoRestartShell : 1 Background : 0 0 0 CachedLogonsCount : 10 DebugServerCommand : no DisableBackButton : 1 EnableSIHostIntegration : 1 ForceUnlockLogon : 0 LegalNoticeCaption : LegalNoticeText : PasswordExpiryWarning : 5 PowerdownAfterShutdown : 0 PreCreateKnownFolders : {A520A1A4-1780-4FF6-BD18-167343C5AF16} ReportBootOk : 1 Shell : explorer.exe ShellCritical : 0 ShellInfrastructure : sihost.exe SiHostCritical : 0 SiHostReadyTimeOut : 0 SiHostRestartCountLimit : 0 SiHostRestartTimeGap : 0 Userinit : C:\Windows\system32\userinit.exe, VMApplet : SystemPropertiesPerformance.exe /pagefile WinStationsDisabled : 0 scremoveoption : 0 DisableCAD : 1 LastLogOffEndTimePerfCounter : 172704432805 ShutdownFlags : 2147484203 DisableLockWorkstation : 0 EnableFirstLogonAnimation : 1 AutoLogonSID : S-1-5-21-1012795254-2559317413-4052179137-1001 LastUsedUsername : vagrant PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion PSChildName : Winlogon PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.4.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

Dhcpv6DUID : {0, 1, 0, 1...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Paramete rs PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6 PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.4.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

DataBasePath : C:\Windows\System32\drivers\etc Domain : ForwardBroadcasts : 0 ICSDomain : mshome.net IPEnableRouter : 0 NameServer : SyncDomainWithMembership : 1 NV Hostname : DESKTOP-8174DLI Hostname : DESKTOP-8174DLI TcpWindowSize : 64240 DhcpNameServer : 10.0.2.3 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcp ip\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcp ip PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.4.4 (L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS:(DisableSavePassword) Prevent the dial-up password from being saved

**Current remediation**:

To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS:(DisableSavePassword) Prevent the dial-up password from being saved. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings - Microsoft Security Guidance blog.

- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'

AllowL2TPWeakCrypto : 0 AllowPPTPWeakCrypto : 0 KeepRasConnections : 0 Medias : {rastapi} ServiceDll : C:\Windows\System32\rasmans.dll ServiceDllUnloadOnStop : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMa n\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMa n PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.4.5 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

DataBasePath : C:\Windows\System32\drivers\etc Domain : ForwardBroadcasts : 0 ICSDomain : mshome.net IPEnableRouter : 0 NameServer : SyncDomainWithMembership : 1 NV Hostname : DESKTOP-8174DLI Hostname : DESKTOP-8174DLI TcpWindowSize : 64240 DhcpNameServer : 10.0.2.3 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcp ip\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcp ip PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.4.6 (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets
are sent in milliseconds' is set to 'Enabled: 300,000 or 5 minutes
(recommended)' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

DataBasePath : C:\Windows\System32\drivers\etc Domain : ForwardBroadcasts : 0 ICSDomain : mshome.net IPEnableRouter : 0 NameServer : SyncDomainWithMembership : 1 NV Hostname : DESKTOP-8174DLI Hostname : DESKTOP-8174DLI TcpWindowSize : 64240 DhcpNameServer : 10.0.2.3 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcp ip\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcp ip PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.4.7 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

BcastNameQueryCount : 3 BcastQueryTimeout : 750 CacheTimeout : 600000 EnableLMHOSTS : 1 NameServerPort : 137 NameSrvQueryCount : 3 NameSrvQueryTimeout : 1500 NbProvider : _tcp SessionKeepAlive : 3600000 Size/Small/Medium/Large : 1 TransportBindName : \Device\ UseNewSmb : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetB T\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetB T PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.4.8 (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

DataBasePath : C:\Windows\System32\drivers\etc Domain : ForwardBroadcasts : 0 ICSDomain : mshome.net IPEnableRouter : 0 NameServer : SyncDomainWithMembership : 1 NV Hostname : DESKTOP-8174DLI Hostname : DESKTOP-8174DLI TcpWindowSize : 64240 DhcpNameServer : 10.0.2.3 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcp ip\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcp ip PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.4.9 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

2.6

**Current Compliance**:

8

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager'

AutoChkTimeout : 8 BootExecute : {autocheck autochk *} BootShell : C:\Windows\system32\bootim.exe CriticalSectionTimeout : 2592000 ExcludeFromKnownDlls : {} GlobalFlag : 0 GlobalFlag2 : 0 HeapDeCommitFreeBlockThreshold : 0 HeapDeCommitTotalFreeThreshold : 0 HeapSegmentCommit : 0 HeapSegmentReserve : 0 InitConsoleFlags : 0 NumberOfInitialSessions : 2 ObjectDirectories : {\Windows, \RPC Control} ProcessorControl : 2 ProtectionMode : 1 ResourceTimeoutCount : 150 RunLevelExecute : {WinInit, ServiceControlManager} RunLevelValidate : {ServiceControlManager} SETUPEXECUTE : {} AutoChkSkipSystemPartition : 0 PendingFileRenameOperations : {\??\C:\Program Files (x86)\Microsoft\Edge\Temp\scoped_dir6300_1212191828\old_msedge.exe, , \??\C:\Program Files (x86)\Microsoft\Edge\Temp\scoped_dir6300_1212191828, ...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\Session Manager PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l PSChildName : Session Manager PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.4.10 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

4.3

**Current Compliance**:

16.5

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

AutoRestartShell : 1 Background : 0 0 0 CachedLogonsCount : 10 DebugServerCommand : no DisableBackButton : 1 EnableSIHostIntegration : 1 ForceUnlockLogon : 0 LegalNoticeCaption : LegalNoticeText : PasswordExpiryWarning : 5 PowerdownAfterShutdown : 0 PreCreateKnownFolders : {A520A1A4-1780-4FF6-BD18-167343C5AF16} ReportBootOk : 1 Shell : explorer.exe ShellCritical : 0 ShellInfrastructure : sihost.exe SiHostCritical : 0 SiHostReadyTimeOut : 0 SiHostRestartCountLimit : 0 SiHostRestartTimeGap : 0 Userinit : C:\Windows\system32\userinit.exe, VMApplet : SystemPropertiesPerformance.exe /pagefile WinStationsDisabled : 0 scremoveoption : 0 DisableCAD : 1 LastLogOffEndTimePerfCounter : 172704432805 ShutdownFlags : 2147484203 DisableLockWorkstation : 0 EnableFirstLogonAnimation : 1 AutoLogonSID : S-1-5-21-1012795254-2559317413-4052179137-1001 LastUsedUsername : vagrant PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion PSChildName : Winlogon PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.4.11 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**No V8 version compliance**:
**Current Compliance**:

9

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'

Dhcpv6DUID : {0, 1, 0, 1...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Paramete rs PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6 PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.4.12 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Enabled: 3' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

DataBasePath : C:\Windows\System32\drivers\etc Domain : ForwardBroadcasts : 0 ICSDomain : mshome.net IPEnableRouter : 0 NameServer : SyncDomainWithMembership : 1 NV Hostname : DESKTOP-8174DLI Hostname : DESKTOP-8174DLI TcpWindowSize : 64240 DhcpNameServer : 10.0.2.3 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcp ip\Parameters PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcp ip PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.4.13 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Current Compliance**:

6.3, 6.4

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security'

DisplayNameFile : C:\Windows\system32\wevtapi.dll DisplayNameID : 257 File : C:\Windows\System32\winevt\Logs\Security.evtx Isolation : 2 MaxSize : 20971520 PrimaryModule : Security Retention : 0 Security : {1, 0, 20, 128...} RestrictGuestAccess : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog \Security PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog PSChildName : Security PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.5 Network

### 18.5.4.1 (L1) Ensure 'Configure DNS over HTTPS (DoH) name resolution' is set to 'Enabled: Allow DoH' or higher :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**Expected Compliance**:

3.10

**Current Compliance**:

14.4

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...ws NT\DNSClient:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.5.4.2 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: Expected Compliance:
```
4.8
```
Current Compliance:
```
9
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...ws NT\DNSClient:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.5.5.1 (L2) Ensure 'Enable Font Providers' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: Expected Compliance:
```
16.5
```
Current Compliance:
```
3, 13
```

Rules -

Expected scan result: FAIL

Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'

18.5.8.1 (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
9.1, 9.2
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation' because it does not
exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...nmanWorkstation:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.5.9.1 (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
9
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...ft\Windows\LLTD:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.5.9.2 (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
9
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LLTD'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...ft\Windows\LLTD:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.5.10.2 (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: Expected Compliance:
```
4.8
```
Current Compliance:
```
9.1, 9.2
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet'

Disabled : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Peernet PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft PSChildName : Peernet PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry



</details>

fedepacher commented 1 year ago

Update 2022/07/12

18.5.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: Expected Compliance:
```
12.2
```
Current Compliance:
```
5.1
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'

NC_PersonalFirewallConfig : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ Network Connections PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : Network Connections PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.5.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

4.8, 12.2

**Current Compliance**:

9.1, 9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'

NC_PersonalFirewallConfig : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ Network Connections PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : Network Connections PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.5.11.4 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

5.4

**Current Compliance**:

5.1

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections'

NC_PersonalFirewallConfig : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ Network Connections PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : Network Connections PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.5.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**No V8 version compliance**:
**Current Compliance**:

3

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'


</details>

### 18.5.19.2.1 (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

4.8

**Current Compliance**:

9

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'

Dhcpv6DUID : {0, 1, 0, 1...} PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Paramete rs PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6 PSChildName : Parameters PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**No V8 version compliance**:
**Current Compliance**:

15.4, 15.5

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...\WCN\Registrars:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.5.20.2 (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
15.4, 15.5
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WCN\UI'        Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...\Windows\WCN\UI:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.5.21.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
12
```

Rules -

Expected scan result: FAIL

Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'

18.5.21.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
12
```

Rules -

Expected scan result: FAIL

Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'

18.5.23.2.1 (L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
15.4, 15.5
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'

PowerDelayLowPowerScan : 1200000 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkma nager\config PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WcmSvc\wifinetworkma nager PSChildName : config PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.6 Printers

### 18.6.1 (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**No V8 version compliance**:
**Current Compliance**:

9.2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers' Get-ItemProperty : Cannot find path 'HKLM:\Software\Policies\Microsoft\WindowsNT\Printers' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\Software\...dowsNT\Printers:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.6.2 (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Incomplete description Expected rationale:

Enabling Windows User Account Control (UAC) for the installation of new print drivers can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks.
Although the Point and Print default driver installation behavior overrides this setting, it is important to configure this as a backstop in the event that behavior is reversed.

Current rationale:

Enabling Windows User Account Control (UAC) for the installation of new print drivers can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks.

Compliance - :red_circle: No V8 version compliance: Current Compliance:

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint'
Get-ItemProperty : Cannot find path 'HKLM:\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint' because it
does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\Software\...s\PointAndPrint:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.6.3 (L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Incomplete description Expected rationale:

Enabling Windows User Account Control (UAC) for updating existing print drivers can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks.
Although the Point and Print default driver installation behavior overrides this setting, it is important to configure this as a backstop in the event that behavior is reversed.

Current rationale:

Enabling Windows User Account Control (UAC) for updating existing print drivers can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks.

Compliance - :red_circle: No V8 version compliance: Current Compliance:

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint'
Get-ItemProperty : Cannot find path 'HKLM:\Software\Policies\Microsoft\WindowsNT\Printers\PointAndPrint' because it
does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\Software\...s\PointAndPrint:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.7 Start Menu and Taskbar

18.7.1.1 (L2) Ensure 'Turn off notifications network usage' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
15.4, 15.5
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'
because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...shNotifications:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand


</details>

## 18.8 System

### 18.8.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected rationale**:

Capturing process command line information in event logs can be very valuable when performing forensic investigations of attack incidents.

**Current rationale**:

When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data.

- Compliance - :red_circle:
**No V8 version compliance**:
**Current Compliance**:

16.14

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'


</details>

### 18.8.4.1 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**Expected Compliance**:

7.3

**Current Compliance**:

16.4

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wi ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...dSSP\Parameters:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.4.2 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: Expected Compliance:
```
10.5
```
Current Compliance:
```
16
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' because it does
not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...tialsDelegation:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.5.1 (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: Expected Compliance:
```
10.5
```
Current Compliance:
```
16.4
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...ows\DeviceGuard:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.5.2 (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Protection' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle Expected Compliance:
```
10.5
```
Current Compliance:
```
16.4
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...ows\DeviceGuard:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.5.3 (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: Expected Compliance:
```
10.5
```
Current Compliance:
```
5.1
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...ows\DeviceGuard:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.5.4 (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: Expected Compliance:
```
10.5
```
Current Compliance:
```
5.1
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...ws\DeviceGuard\:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.5.5 (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: Expected Compliance:
```
10.5
```
Current Compliance:
```
9.2
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...ws\DeviceGuard\:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.5.6 (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected rationale:

Secure Launch changes the way Windows boots to use Intel Trusted Execution Technology (TXT) and Runtime BIOS Resilience features to prevent firmware exploits from being able to impact the security of the Windows Virtualization Based Security environment.

Current rationale:

Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft.

Compliance - :red_circle: Expected Compliance:
```
10.5
```
Current Compliance:
```
16.14
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...ws\DeviceGuard\:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.7.1.1 (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
Not Present

18.8.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
Not Present

18.8.7.1.3 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
Not Present

18.8.7.1.4 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
Not Present

18.8.7.1.5 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
Not Present

18.8.7.1.6 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)' :red_circle:

Severity: High
[ ] Fixed
[ ] Second review

Details
Not Present

18.8.7.2 (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: No V8 version compliance: Current Compliance:

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceMetadata'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceMetadata' because it does not
exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...\DeviceMetadata:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand


</details>

### 18.8.14.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**Expected Compliance**:

10.5

**Current Compliance**:

8

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch' Get-ItemProperty : Cannot find path 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SYSTEM\Cu...ies\EarlyLaunch:String) [Get-ItemProperty], ItemNotFoundE
xception
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.21.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
3.7, 5.4, 5.5
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group
Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...A-00C04FBBCFA2}:String) [Get-ItemProperty], ItemNotFoundE
xception
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand


</details>

### 18.8.21.3 (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**No V8 version compliance**:
**Current Compliance**:

3.7, 5.4, 5.5

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Group Policy{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy{35378EAC-683F-11D2-A89A-00C04FBBCFA2}' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...A-00C04FBBCFA2}:String) [Get-ItemProperty], ItemNotFoundE
xception
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.21.4 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
9.1, 9.2
```

Rules -

Expected scan result: FAIL

Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'

18.8.21.5 (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
3.7, 5.4, 5.5
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.8.22.1.1 (L2) Ensure 'Turn off access to the Store' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**No V8 version compliance**:
**Current Compliance**:

2

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...indows\Explorer:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.22.1.2 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected description:

This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP.
The recommended state for this setting is: Enabled .

Current description:

This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application.

Expected rationale:

Users might download drivers that include malicious code.

Current rationale:

The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software.

Compliance - :red_circle: Expected Compliance:
```
2.5
```
Current Compliance:
```
2
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...ows NT\Printers:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.22.1.3 (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
13
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TabletPC'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...indows\TabletPC:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.22.1.4 (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
13
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports' because it
does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...ingErrorReports:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.22.1.5 (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
13
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard' because it
does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...nnection Wizard:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand


</details>

### 18.8.22.1.6 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**No V8 version compliance**:
**Current Compliance**:

7.4

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

ForceActiveDesktopOn : 0 NoActiveDesktop : 1 NoActiveDesktopChanges : 1 NoRecentDocsHistory : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi on\Policies\Explorer PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi on\Policies PSChildName : Explorer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.8.22.1.7 (L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**No V8 version compliance**:
**Current Compliance**:

13.1

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...ows NT\Printers:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.22.1.8 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control' because it
does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\... Wizard Control:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.22.1.9 (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
13
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SearchCompanion'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\SearchCompanion' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...SearchCompanion:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.22.1.10 (L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
13
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

ForceActiveDesktopOn : 0 NoActiveDesktop : 1 NoActiveDesktopChanges : 1 NoRecentDocsHistory : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi on\Policies\Explorer PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi on\Policies PSChildName : Explorer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry



</details>

fedepacher commented 1 year ago

Update 2022/07/13

18.8.22.1.11 (L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
13
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

ForceActiveDesktopOn : 0 NoActiveDesktop : 1 NoActiveDesktopChanges : 1 NoRecentDocsHistory : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi on\Policies\Explorer PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi on\Policies PSChildName : Explorer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.8.22.1.12 (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected description**

This policy setting specifies whether the Windows Customer Experience Improvement Program can collect anonymous information about how Windows is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to improve features that are most used and to detect flaws so that they can be corrected more quickly. Enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled .

**Current description**:

This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled.

- Compliance - :red_circle:
**No V8 version compliance**:
**Current Compliance**:

13

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Messenger\Client' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Messenger\Client' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...essenger\Client:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.22.1.13 (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
13
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...MClient\Windows:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand


</details>

### 18.8.22.1.14 (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**No V8 version compliance**:
**Current Compliance**:

13

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Error Reporting:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.25.1 (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' :red_circle:

Severity: Medium
[x] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
1.6, 1.8
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters'
Get-ItemProperty : Cannot find path
'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wi ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...eros\parameters:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.26.1 (BL) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
13.1
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection' because it does
not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\... DMA Protection:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand


</details>

### 18.8.27.1 (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**No V8 version compliance**:
**Current Compliance**:

16.5, 16.11

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Control Panel\International' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...l\International:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.28.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
16.5
```

Rules -

Expected scan result: FAIL

Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'

18.8.28.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
5
```

Rules -

Expected scan result: FAIL

Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'

18.8.28.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
16.9
```

Rules -

Expected scan result: FAIL

Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'

18.8.28.4 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
16.9
```

Rules -

Expected scan result: FAIL

Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'

18.8.28.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle: Incomplete description
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
16.5
```

Rules -

Expected scan result: FAIL

Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'

18.8.28.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
16.5
```

Rules -

Expected scan result: FAIL

Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'

18.8.28.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
16.5
```

Rules -

Expected scan result: FAIL

Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'

18.8.31.1 (L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :green_circle: Expected description:

This setting determines whether Clipboard contents can be synchronized across devices.
The recommended state for this setting is: Disabled .

Current description:

This policy setting determines whether published User Activities can be uploaded to the cloud. The recommended state for this setting is: Disabled.

Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
5.1, 13.5
```

Rules -

Expected scan result: FAIL

Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'

18.8.31.2 (L2) Ensure 'Allow upload of User Activities' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
5.1, 13.5
```

Rules -

Expected scan result: FAIL

Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'

18.8.34.6.1 (L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
9
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9'
Get-ItemProperty : Cannot find path
'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...44-eafa664402d9:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.34.6.2 (L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
9
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9'
Get-ItemProperty : Cannot find path
'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...44-eafa664402d9:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.34.6.3 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

Not Present

18.8.34.6.4 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' :red_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details

Not Present

18.8.34.6.5 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:

Title, description, rationale, remediation - :red_circle: Expected description:

Specifies whether or not the user is prompted for a password when the system resumes from sleep.
The recommended state for this setting is: Enabled .

Current description:

Dictates whether or not Windows is allowed to use standby states when sleeping the computer.

Expected rationale:

Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system.

Current rationale:

System sleep states (S1-S3) keep power to the RAM which may contain secrets, such as the BitLocker volume encryption key. An attacker finding a computer in sleep states (S1-S3) could directly attack the memory of the computer and gain access to the secrets through techniques such as RAM reminisce and direct memory access (DMA).

Expected remediation:

To establish the recommended configuration via GP, set the following UI path to Enabled :
Computer Configuration\Policies\Administrative Templates\System\Power
Management\Sleep Settings\Require a password when a computer wakes (on
battery)

Current remediation:

To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\\Policies\\Administrative Templates\\System\\Power Management\\Sleep Settings\\Allow standby states (S1-S3) when sleeping (on battery)

Compliance - :red_circle: Expected Compliance:
```
4.3
```
Current Compliance:
```
13.2, 13.6
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
Get-ItemProperty : Cannot find path
'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' because it does not
exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...d5-f7d2daa51f51:String) [Get-ItemProperty], ItemNotF
oundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand


</details>

### 18.8.34.6.6 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**Expected Compliance**:

4.3

**Current Compliance**:

16.5

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...d5-f7d2daa51f51:String) [Get-ItemProperty], ItemNotF
oundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.36.1 (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle: Incomplete description
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
9.1, 9.2
```

Rules -

Expected scan result: FAIL

Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

18.8.36.2 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
5.1
```

Rules -

Expected scan result: FAIL

Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

18.8.37.1 (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
9.1, 9.2
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...\Windows NT\Rpc:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.37.2 (L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
9.1, 9.2
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...\Windows NT\Rpc:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.48.5.1 (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
13
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy'
because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...Provider\Policy:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.48.11.1 (L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
13
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}'
Get-ItemProperty : Cannot find path
'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}' because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...1-88dd50a6299d}:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.50.1 (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Current Compliance:
```
13
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo' because it does not
exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...AdvertisingInfo:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.53.1.1 (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: Expected Compliance:
```
8.4
```
Current Compliance:
```
6.1
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient' because it
does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...iders\NtpClient:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.8.53.1.2 (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: Expected Compliance:
```
8.4
```
Current Compliance:
```
9.1, 9.2
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpServer' because it
does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...iders\NtpServer:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.9.4.1 (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: Expected Compliance:
```
3.3
```
Current Compliance:
```
14.4, 14.6
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager'
Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager'
because it does not exist.
At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...el\StateManager:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand


</details>

### 18.9.4.2 (L1) Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**Expected Compliance**:

2.5

**Current Compliance**:

2.6

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx'


</details>

### 18.9.5.1 (L1) Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :red_circle:
**No V8 version compliance**:
**Current Compliance**:

14.4

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...dows\AppPrivacy:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.9.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :red_circle: Incomplete description
Compliance - :red_circle: Expected Compliance:
```
5.6
```
Current Compliance:
```
16.9
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.6.2 (L2) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set to 'Enabled' :red_circle: 
- Severity: `Medium`
- [x] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Incomplete description**
- Compliance - :red_circle:
**Expected Compliance**:

10.3

**Current Compliance**:

8.3, 8.4, 8.5

- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer' Get-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer' because it does not exist. At line:1 char:1

Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Mic ...


+ CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...indows\Explorer:String) [Get-ItemProperty], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand
```

18.9.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' :green_circle:

Severity: Medium
[x] Fixed
[x] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:
Compliance - :red_circle: No V8 version compliance: Expected Compliance:
```
10.3
```
Current Compliance:
```
8.3, 8.4, 8.5
```

Rules -

Expected scan result: FAIL

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

ForceActiveDesktopOn : 0 NoActiveDesktop : 1 NoActiveDesktopChanges : 1 NoRecentDocsHistory : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi on\Policies\Explorer PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi on\Policies PSChildName : Explorer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

ForceActiveDesktopOn : 0 NoActiveDesktop : 1 NoActiveDesktopChanges : 1 NoRecentDocsHistory : 0 NoDriveTypeAutoRun : 255 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi on\Policies\Explorer PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersi on\Policies PSChildName : Explorer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.10.1.1 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'

EnhancedAntiSpoofing : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\ Policies\Microsoft\Biometrics\FacialFeatures PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\ Policies\Microsoft\Biometrics PSChildName : FacialFeatures PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.11.1.1 (BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.1.2 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.1.3 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.1.4 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.1.5 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.1.6 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.1.7 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.1.8 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.1.9 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.1.10 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.1.11 (BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.1.12 (BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.1.13 (BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.2.1 (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.2.2 (BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.2.3 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.2.4 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.2.5 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.2.6 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.2.7 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.2.8 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.2.9 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.2.10 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.2.11 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.2.12 (BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.2.13 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.2.14 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.3.1 (BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.3.2 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.3.3 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.3.4 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.3.5 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.3.6 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.3.7 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.3.8 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.3.9 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.3.10 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.3.11 (BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.3.12 (BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.3.13 (BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.3.14 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.3.15 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.11.4 (BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.12.1 (L2) Ensure 'Allow Use of Camera' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Camera'

AllowCamera : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies \Microsoft\Camera PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies \Microsoft PSChildName : Camera PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.14.1 (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent'

DisableCloudOptimizedContent : 1 DisableWindowsConsumerFeatures : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\CloudContent PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows PSChildName : CloudContent PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.14.2 (L2) Ensure 'Turn off cloud optimized content' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent'

DisableCloudOptimizedContent : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windo ws\CloudContent PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windo ws PSChildName : CloudContent PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.14.3 (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent'

DisableCloudOptimizedContent : 1 DisableWindowsConsumerFeatures : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\CloudContent PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows PSChildName : CloudContent PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.15 Connect

### 18.9.15.1 (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Connect'

RequirePinForPairing : 2 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Conne ct PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : Connect PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.16 Credential User Interface

### 18.9.16.1 (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredUI'

DisablePasswordReveal : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Cred UI PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : CredUI PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.16.2 (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI'

EnumerateAdministrators : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers ion\Policies\CredUI PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers ion\Policies PSChildName : CredUI PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.16.3 (L1) Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'

NoLocalPasswordResetQuestions : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.17 Data Collection and Preview Builds

### 18.9.17.1 (L1) Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

AllowTelemetry : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollect ion PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : DataCollection PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.17.2 (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

AllowTelemetry : 1 DisableEnterpriseAuthProxy : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows \DataCollection PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : DataCollection PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.17.3 (L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

AllowTelemetry : 1 DisableEnterpriseAuthProxy : 1 DisableOneSettingsDownloads : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window s\DataCollection PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Window s PSChildName : DataCollection PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.17.4 (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

AllowTelemetry : 1 DisableEnterpriseAuthProxy : 1 DisableOneSettingsDownloads : 1 DoNotShowFeedbackNotifications : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\DataCollection PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows PSChildName : DataCollection PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.17.5 (L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

AllowTelemetry : 1 DisableEnterpriseAuthProxy : 1 DisableOneSettingsDownloads : 1 DoNotShowFeedbackNotifications : 1 EnableOneSettingsAuditing : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\DataCollection PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows PSChildName : DataCollection PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.17.6 (L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

AllowTelemetry : 1 DisableEnterpriseAuthProxy : 1 DisableOneSettingsDownloads : 1 DoNotShowFeedbackNotifications : 1 EnableOneSettingsAuditing : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\DataCollection PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows PSChildName : DataCollection PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.17.7 (L1) Ensure 'Limit Dump Collection' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `FAIL`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

AllowTelemetry : 1 DisableEnterpriseAuthProxy : 1 DisableOneSettingsDownloads : 1 DoNotShowFeedbackNotifications : 1 EnableOneSettingsAuditing : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\DataCollection PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows PSChildName : DataCollection PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.17.8 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds'

AllowBuildPreview : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PreviewB uilds PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : PreviewBuilds PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.18 Delivery Optimization

### 18.9.18.1 (L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

DODownloadMode : 3 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOpt imization PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : DeliveryOptimization PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.27.1 Application

### 18.9.27.1.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'

Retention : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Appl ication PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog PSChildName : Application PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.27.1.2 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application'

Retention : 0 MaxSize : 32768 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Appl ication PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog PSChildName : Application PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.27.2.1 (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'

Retention : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Secu rity PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog PSChildName : Security PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.27.2.2 (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'

Retention : 0 MaxSize : 196608 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Secu rity PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog PSChildName : Security PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.27.3.1 (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'

Retention : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setu p PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog PSChildName : Setup PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.27.3.2 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup'

Retention : 0 MaxSize : 32768 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setu p PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog PSChildName : Setup PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.27.4.1 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'

Retention : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Syst em PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.27.4.2 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System'

Retention : 0 MaxSize : 32768 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Syst em PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.31 File Explorer (formerly Windows Explorer)

### 18.9.31.2 (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'

NoDataExecutionPrevention : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ Explorer PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : Explorer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.31.3 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer'

NoDataExecutionPrevention : 0 NoHeapTerminationOnCorruption : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows\Explorer PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows PSChildName : Explorer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.31.4 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

ForceActiveDesktopOn : 0 NoActiveDesktop : 1 NoActiveDesktopChanges : 1 NoRecentDocsHistory : 0 NoDriveTypeAutoRun : 255 PreXPSP2ShellProtocolBehavior : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies\Explorer PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curre ntVersion\Policies PSChildName : Explorer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.36 HomeGroup

### 18.9.36.1 (L1) Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup'

DisableHomeGroup : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\HomeGroup PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : HomeGroup PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.41 Location and Sensors

### 18.9.41.1 (L2) Ensure 'Turn off location' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'

DisableLocation : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\LocationAn dSensors PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : LocationAndSensors PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.45 Messaging

### 18.9.45.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging'

AllowMessageSync : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Messaging PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : Messaging PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.46 Microsoft account

### 18.9.46.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount'

DisableUserAuth : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft PSChildName : MicrosoftAccount PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.47.4.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'

LocalSettingOverrideSpynetReporting : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsof t\Windows Defender\Spynet PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsof t\Windows Defender PSChildName : Spynet PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.47.4.2 (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'

LocalSettingOverrideSpynetReporting : 0 SpynetReporting : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsof t\Windows Defender\Spynet PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsof t\Windows Defender PSChildName : Spynet PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.47.5.1.1 (L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'

ExploitGuard_ASR_Rules : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard PSChildName : ASR PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### TITLE :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules'

ExploitGuard_ASR_Rules : 1 BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 : 1 D4F940AB-401B-4EFC-AADC-AD5F3C50688A : 1 3B576869-A4EC-4529-8536-B80A7769E899 : 1 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 : 1 D3E037E1-3EB8-44C8-A917-57927947596D : 1 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC : 1 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B : 1 26190899-1602-49E8-8B27-eB1D0A1CE869 : 1 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C : 1 9E6C4E1F-7D60-472F-bA1A-A39EF669E4B2 : 1 B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4 : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_M ACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_M ACHINE\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR PSChildName : Rules PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.47.5.3.1 (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

To establish the recommended configuration via GP, set the following UI path to Enabled: Block: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection\Prevent users and apps from accessing dangerous websites. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

**Current remediation**:

To establish the recommended configuration via GP, set the following UI path to Enabled: Block: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Network Protection\Prevent users and apps from accessing dangerous websites. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'

EnableNetworkProtection : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWA RE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWA RE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard PSChildName : Network Protection PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.47.6.1 (L2) Ensure 'Enable file hash computation feature' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :red_circle: 
**Expected rules**:

r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'

'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> EnableFileHashComputation'
'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine -> EnableFileHashComputation -> 1'

**Current rules**:

r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\MpEngine'

'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\MpEngine -> EnableFileHashComputation'
'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\MpEngine -> EnableFileHashComputation -> 1'

    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine'

EnableFileHashComputation : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender PSChildName : MpEngine PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.47.9.1 (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules - :red_circle: 
**Expected rules**:

'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
- 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableRealtimeMonitoring'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableRealtimeMonitoring -> 0'

**Current rules**:

'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection'
- 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection -> DisableIOAVProtection'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection -> DisableIOAVProtection -> 0'

    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'

DisableIOAVProtection : 0 DisableRealtimeMonitoring : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender PSChildName : Real-Time Protection PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.47.9.2 (L1) Ensure 'Turn off real-time protection' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules - :red_circle: 
**Expected rules**:

'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
- 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableRealtimeMonitoring'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableRealtimeMonitoring -> 0'

**Current rules**:

'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection'
- 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection -> DisableRealtimeMonitoring'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection -> DisableRealtimeMonitoring -> 0'

    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'

DisableIOAVProtection : 0 DisableRealtimeMonitoring : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender PSChildName : Real-Time Protection PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.47.9.3 (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :red_circle:
**Expected Compliance**:

'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
- 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableBehaviorMonitoring -> 0'
```
**Current Compliance**:
```
'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection'
- 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection -> DisableBehaviorMonitoring'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection -> DisableBehaviorMonitoring -> 0'
```
- Expected scan result: `OK`
- Log: 
```
  PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'

DisableIOAVProtection : 0 DisableRealtimeMonitoring : 0 DisableBehaviorMonitoring : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender PSChildName : Real-Time Protection PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.47.9.4 (L1) Ensure 'Turn on script scanning' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :red_circle:
**Expected Compliance**:

'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
- 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableScriptScanning'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection -> DisableScriptScanning -> 0'
```
**Current Compliance**:
```
'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection'
- 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection -> DisableScriptScanning'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender\Real-TimeProtection -> DisableScriptScanning -> 0'
```
- Expected scan result: `FAIL`
- Log: 
```


</details>

### 18.9.47.11.1 (L2) Ensure 'Configure Watson events' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting'

DisableGenericRePorts : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender PSChildName : Reporting PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.47.12.1 (L1) Ensure 'Scan removable drives' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'

DisableRemovableDriveScanning : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows Defender\Scan PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows Defender PSChildName : Scan PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.47.12.2 (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'

DisableRemovableDriveScanning : 0 DisableEmailScanning : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows Defender\Scan PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows Defender PSChildName : Scan PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.47.15 (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'

PUAProtection : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft PSChildName : Windows Defender PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.47.16 (L1) Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :red_circle:
**Expected rules**:

'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'
- 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender -> DisableAntiSpyware -> 0'
```
**Current rules**:
```
'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender'
- 'not r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender -> DisableAntiSpyware'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsDefender -> DisableAntiSpyware -> 0'
```
- Expected scan result: `OK`
- Log: 
```
  PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender'

PUAProtection : 1 DisableAntiSpyware : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft PSChildName : Windows Defender PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.48 Microsoft Defender Application Guard (formerly Windows Defender Application Guard)

### 18.9.48.1 (NG) Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.48.2 (NG) Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is set to 'Disabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.48.3 (NG) Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to 'Disabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.48.4 (NG) Ensure 'Allow files to download and save to the host operating system from Microsoft Defender Application Guard' is set to 'Disabled' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.48.5 (NG) Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

### 18.9.48.6 (NG) Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled: 1' :red_circle: 
- Severity: `High`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- Not Present

</details>

## 18.9.57 News and interests

### 18.9.57.1 (L2) Ensure 'Enable news and interests on the taskbar' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules - :red_circle:
**Expected rules**:

'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds -> EnableFeeds'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds -> EnableFeeds -> 0'
```
**Current rules**:
```
'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsFeeds'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsFeeds -> EnableFeeds'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsFeeds -> EnableFeeds -> 0'
```
- Expected scan result: `OK`
- Log: 
```
  PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds'

EnableFeeds : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Feeds PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : Windows Feeds PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.58 OneDrive (formerly SkyDrive)

### 18.9.58.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDrive'

DisableFileSyncNGSC : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\OneDri ve PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows PSChildName : OneDrive PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.64 Push To Install

### 18.9.64.1 (L2) Ensure 'Turn off Push To Install service' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall'

DisablePushToInstall : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PushToInstall PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft PSChildName : PushToInstall PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.65.2.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

DisablePasswordSaving : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.65.3.2.1 (L2) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

DisablePasswordSaving : 1 fDenyTSConnections : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.65.3.3.1 (L2) Ensure 'Allow UI Automation redirection' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules - :red_circle: 
**Expected rules**:

'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> EnableUiaRedirection'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> EnableUiaRedirection -> 0'
```
**Current rules**:
```
'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\TerminalServices'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\TerminalServices -> EnableUiaRedirection'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\TerminalServices -> EnableUiaRedirection -> 0'
```
- Expected scan result: `OK`
- Log: 
```
  PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

DisablePasswordSaving : 1 fDenyTSConnections : 1 EnableUiaRedirection : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.65.3.3.2 (L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :red_circle:
**Expected rules**:

'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
```
**Current rules**:
```
'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> 1'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm'
- 'r:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services -> fDisableCcm -> 1'
```
- Expected scan result: `OK`
- Log: 
```
  PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

EnableUiaRedirection : 0 DisablePasswordSaving : 1 fDenyTSConnections : 1 fDisableCcm : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.65.3.3.3 (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

EnableUiaRedirection : 0 DisablePasswordSaving : 1 fDenyTSConnections : 1 fDisableCcm : 1 fDisableCdm : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.65.3.3.4 (L2) Ensure 'Do not allow location redirection' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

EnableUiaRedirection : 0 DisablePasswordSaving : 1 fDenyTSConnections : 1 fDisableCcm : 1 fDisableCdm : 1 fDisableLocationRedir : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry



</details>

fedepacher commented 1 year ago

Update 2022/07/14

18.9.65.3.3.5 (L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled' :green_circle:

Severity: Medium
[ ] Fixed
[ ] Second review

Details
ID - :green_circle:
Title, description, rationale, remediation - :green_circle:

Rules -

Expected scan result: OK

Log:


PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

EnableUiaRedirection : 0 fDisableLocationRedir : 1 DisablePasswordSaving : 1 fDenyTSConnections : 1 fDisableCcm : 1 fDisableCdm : 1 fDisableLPT : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.65.3.3.6 (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

EnableUiaRedirection : 0 fDisableLocationRedir : 1 DisablePasswordSaving : 1 fDenyTSConnections : 1 fDisableCcm : 1 fDisableCdm : 1 fDisableLPT : 1 fDisablePNPRedir : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.65.3.9.1 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

EnableUiaRedirection : 0 fDisableLocationRedir : 1 DisablePasswordSaving : 1 fDenyTSConnections : 1 fDisableCcm : 1 fDisableCdm : 1 fDisableLPT : 1 fDisablePNPRedir : 1 fPromptForPassword : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.65.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

EnableUiaRedirection : 0 fDisableLocationRedir : 1 DisablePasswordSaving : 1 fDenyTSConnections : 1 fDisableCcm : 1 fDisableCdm : 1 fDisableLPT : 1 fDisablePNPRedir : 1 fPromptForPassword : 1 fEncryptRPCTraffic : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.65.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

EnableUiaRedirection : 0 fDisableLocationRedir : 1 DisablePasswordSaving : 1 fDenyTSConnections : 1 fDisableCcm : 1 fDisableCdm : 1 fDisableLPT : 1 fDisablePNPRedir : 1 fPromptForPassword : 1 fEncryptRPCTraffic : 1 SecurityLayer : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.65.3.9.4 (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

EnableUiaRedirection : 0 fDisableLocationRedir : 1 DisablePasswordSaving : 1 fDenyTSConnections : 1 fDisableCcm : 1 fDisableCdm : 1 fDisableLPT : 1 fDisablePNPRedir : 1 fPromptForPassword : 1 fEncryptRPCTraffic : 1 SecurityLayer : 1 UserAuthentication : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polic ies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.65.3.9.5 (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

EnableUiaRedirection : 0 fDisableLocationRedir : 1 DisablePasswordSaving : 1 fDenyTSConnections : 1 fDisableCcm : 1 fDisableCdm : 1 fDisableLPT : 1 fDisablePNPRedir : 1 fPromptForPassword : 1 fEncryptRPCTraffic : 1 SecurityLayer : 1 UserAuthentication : 1 MinEncryptionLevel : 3 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Poli cies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Poli cies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.65.3.10.1 (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

EnableUiaRedirection : 0 fDisableLocationRedir : 1 DisablePasswordSaving : 1 fDenyTSConnections : 1 fDisableCcm : 1 fDisableCdm : 1 fDisableLPT : 1 fDisablePNPRedir : 1 fPromptForPassword : 1 fEncryptRPCTraffic : 1 SecurityLayer : 1 UserAuthentication : 1 MinEncryptionLevel : 3 MaxIdleTime : 900000 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Poli cies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Poli cies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.65.3.10.2 (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

EnableUiaRedirection : 0 fDisableLocationRedir : 1 DisablePasswordSaving : 1 fDenyTSConnections : 1 fDisableCcm : 1 fDisableCdm : 1 fDisableLPT : 1 fDisablePNPRedir : 1 fPromptForPassword : 1 fEncryptRPCTraffic : 1 SecurityLayer : 1 UserAuthentication : 1 MinEncryptionLevel : 3 MaxIdleTime : 900000 MaxDisconnectionTime : 60000 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Poli cies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Poli cies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.65.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

EnableUiaRedirection : 0 fDisableLocationRedir : 1 DisablePasswordSaving : 1 fDenyTSConnections : 1 fDisableCcm : 1 fDisableCdm : 1 fDisableLPT : 1 fDisablePNPRedir : 1 fPromptForPassword : 1 fEncryptRPCTraffic : 1 SecurityLayer : 1 UserAuthentication : 1 MinEncryptionLevel : 3 MaxIdleTime : 900000 MaxDisconnectionTime : 60000 DeleteTempDirsOnExit : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Poli cies\Microsoft\Windows NT\Terminal Services PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Poli cies\Microsoft\Windows NT PSChildName : Terminal Services PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.66.1 (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds'

DisableEnclosureDownload : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\P olicies\Microsoft\Internet Explorer\Feeds PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\P olicies\Microsoft\Internet Explorer PSChildName : Feeds PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.67.2 (L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search' :red_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :red_circle: 
    - Expected scan result: `FAIL`
**Expected output**
´´´
AllowCloudSearch : 1
´´´
**Current output**
´´´
AllowCloudSearch : 0
´´´
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'

AllowCloudSearch : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ Microsoft\Windows\Windows Search PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ Microsoft\Windows PSChildName : Windows Search PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.67.3 (L1) Ensure 'Allow Cortana' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'

AllowCortana : 0 AllowCloudSearch : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ Microsoft\Windows\Windows Search PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ Microsoft\Windows PSChildName : Windows Search PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.67.4 (L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'

AllowCortana : 0 AllowCloudSearch : 1 AllowCortanaAboveLock : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Poli cies\Microsoft\Windows\Windows Search PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Poli cies\Microsoft\Windows PSChildName : Windows Search PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.67.5 (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'

AllowCortana : 0 AllowCloudSearch : 1 AllowCortanaAboveLock : 0 AllowIndexingEncryptedStoresOrItems : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Windows\Windows Search PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Windows PSChildName : Windows Search PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.67.6 (L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search'

AllowCortana : 0 AllowCloudSearch : 1 AllowCortanaAboveLock : 0 AllowIndexingEncryptedStoresOrItems : 0 AllowSearchToUseLocation : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Windows\Windows Search PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Windows PSChildName : Windows Search PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.72 Software Protection Platform

### 18.9.72.1 (L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'

NoGenTicket : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Micr osoft\Windows NT\CurrentVersion\Software Protection Platform PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Micr osoft\Windows NT\CurrentVersion PSChildName : Software Protection Platform PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.75 Store

### 18.9.75.1 (L2) Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'

AutoDownload : 2 DisableStoreApps : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ Microsoft\WindowsStore PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\ Microsoft PSChildName : WindowsStore PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.75.2 (L1) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'

AutoDownload : 2 DisableStoreApps : 1 RequirePrivateStoreOnly : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Po licies\Microsoft\WindowsStore PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Po licies\Microsoft PSChildName : WindowsStore PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.75.3 (L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'

AutoDownload : 4 DisableStoreApps : 1 RequirePrivateStoreOnly : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Po licies\Microsoft\WindowsStore PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Po licies\Microsoft PSChildName : WindowsStore PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.75.4 (L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'

DisableStoreApps : 1 RequirePrivateStoreOnly : 1 AutoDownload : 4 DisableOSUpgrade : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Po licies\Microsoft\WindowsStore PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Po licies\Microsoft PSChildName : WindowsStore PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.75.5 (L2) Ensure 'Turn off the Store application' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore'

DisableStoreApps : 1 RequirePrivateStoreOnly : 1 AutoDownload : 4 DisableOSUpgrade : 1 RemoveWindowsStore : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Po licies\Microsoft\WindowsStore PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Po licies\Microsoft PSChildName : WindowsStore PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.81 Widgets

### 18.9.81.1 (L1) Ensure 'Allow widgets' is set to 'Disabled' :red_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules - :red_circle:

-Not present in windows registry


</details>

## 18.9.85 Windows Defender SmartScreen

### 18.9.85.1.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System'

NoLocalPasswordResetQuestions : 1 EnableSmartScreen : 1 ShellSmartScreenLevel : Block PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTW ARE\Policies\Microsoft\Windows\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTW ARE\Policies\Microsoft\Windows PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.85.2.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'

EnabledV9 : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Micr osoft\MicrosoftEdge\PhishingFilter PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Micr osoft\MicrosoftEdge PSChildName : PhishingFilter PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.85.2.2 (L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules - :red_circle:
**Expected output flag**:
´´´
PreventOverride
´´´
**Current output flag**:
´´´
PreventOverrideAppRepUnknown
´´´
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter'

EnabledV9 : 1 PreventOverride : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\M icrosoft\MicrosoftEdge\PhishingFilter PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\M icrosoft\MicrosoftEdge PSChildName : PhishingFilter PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.87 Windows Game Recording and Broadcasting

### 18.9.87.1 (L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\GameDVR'

AllowGameDVR : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Micr osoft\Windows\GameDVR PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Micr osoft\Windows PSChildName : GameDVR PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.89 Windows Ink Workspace

### 18.9.89.1 (L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'

AllowSuggestedAppsInWindowsInkWorkspace : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MAC HINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspa ce PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MAC HINE\SOFTWARE\Policies\Microsoft PSChildName : WindowsInkWorkspace PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.89.2 (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but not 'Enabled: On' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspace'

AllowSuggestedAppsInWindowsInkWorkspace : 0 AllowWindowsInkWorkspace : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MAC HINE\SOFTWARE\Policies\Microsoft\WindowsInkWorkspa ce PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MAC HINE\SOFTWARE\Policies\Microsoft PSChildName : WindowsInkWorkspace PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.90 Windows Installer

### 18.9.90.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'

EnableUserControl : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies \Microsoft\Windows\Installer PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies \Microsoft\Windows PSChildName : Installer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.90.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'

EnableUserControl : 0 AlwaysInstallElevated : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Poli cies\Microsoft\Windows\Installer PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Poli cies\Microsoft\Windows PSChildName : Installer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.90.3 (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer'

EnableUserControl : 0 AlwaysInstallElevated : 0 SafeForScripting : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Poli cies\Microsoft\Windows\Installer PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Poli cies\Microsoft\Windows PSChildName : Installer PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.91 Windows Logon Options

### 18.9.91.1 (L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

ConsentPromptBehaviorAdmin : 5 ConsentPromptBehaviorUser : 3 DSCAutomationHostEnabled : 2 EnableCursorSuppression : 1 EnableFullTrustStartupTasks : 2 EnableInstallerDetection : 0 EnableLUA : 0 EnableSecureUIAPaths : 1 EnableUIADesktopToggle : 0 EnableUwpStartupTasks : 2 EnableVirtualization : 1 PromptOnSecureDesktop : 1 SupportFullTrustStartupTasks : 1 SupportUwpStartupTasks : 1 ValidateAdminCodeSignatures : 0 dontdisplaylastusername : 0 legalnoticecaption : legalnoticetext : scforceoption : 0 shutdownwithoutlogon : 1 undockwithoutlogon : 1 LocalAccountTokenFilterPolicy : 1 DisableAutomaticRestartSignOn : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTW ARE\Microsoft\Windows\CurrentVersion\Policies\System PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTW ARE\Microsoft\Windows\CurrentVersion\Policies PSChildName : System PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.100 Windows PowerShell

### 18.9.100.1 (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

EnableScriptBlockLogging : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\P olicies\Microsoft\Windows\PowerShell\ScriptBlockLogging PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\P olicies\Microsoft\Windows\PowerShell PSChildName : ScriptBlockLogging PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.100.2 (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription'

EnableTranscripting : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polici es\Microsoft\Windows\PowerShell\Transcription PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Polici es\Microsoft\Windows\PowerShell PSChildName : Transcription PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.102 Windows Remote Management (WinRM)

### 18.9.102.1.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'

AllowBasic : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Micr osoft\Windows\WinRM\Client PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Micr osoft\Windows\WinRM PSChildName : Client PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.102.1.2 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'

AllowBasic : 0 AllowUnencryptedTraffic : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Po licies\Microsoft\Windows\WinRM\Client PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Po licies\Microsoft\Windows\WinRM PSChildName : Client PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.102.1.3 (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client'

AllowBasic : 0 AllowUnencryptedTraffic : 0 AllowDigest : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Po licies\Microsoft\Windows\WinRM\Client PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Po licies\Microsoft\Windows\WinRM PSChildName : Client PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.102.2.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'

AllowBasic : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM PSChildName : Service PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.102.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'

AllowBasic : 0 AllowAutoConfig : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Serv ice PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM PSChildName : Service PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.102.2.3 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'

AllowBasic : 0 AllowAutoConfig : 0 AllowUnencryptedTraffic : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Wi nRM\Service PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Wi nRM PSChildName : Service PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.102.2.4 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'

AllowBasic : 0 AllowAutoConfig : 0 AllowUnencryptedTraffic : 0 DisableRunAs : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Wi nRM\Service PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Wi nRM PSChildName : Service PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.103 Windows Remote Shell

### 18.9.103.1 (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\WinRS'

AllowRemoteShellAccess : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Win RM\Service\WinRS PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Win RM\Service PSChildName : WinRS PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.104 Windows Sandbox

### 18.9.104.1 (L1) Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled' :red_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules - :red_circle:

No registry was found


</details>

### 18.9.104.2 (L1) Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled' :red_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Rules - :red_circle:

No registry was found


</details>

## 18.9.105 Windows Security (formerly Windows Defender Security Center)

### 18.9.105.2.1 (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection'

DisallowExploitProtectionOverride : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\ Windows Defender Security Center\App and Browser protection PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\ Windows Defender Security Center PSChildName : App and Browser protection PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

## 18.9.108 Windows Update

### 18.9.108.1.1 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

AUOptions : 4 AutoInstallMinorUpdates : 0 DetectionFrequencyEnabled : 0 DetectionFrequency : 22 NoAutoRebootWithLoggedOnUsers : 0 NoAutoUpdate : 4 ScheduledInstallDay : 0 ScheduledInstallTime : 0 AllowMUUpdateService : 1 UseWUServer : 0 SetDisablePauseUXAccess : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows\WindowsUpdate\AU PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows\WindowsUpdate PSChildName : AU PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.108.2.1 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

AUOptions : 4 AutoInstallMinorUpdates : 0 DetectionFrequencyEnabled : 0 DetectionFrequency : 22 NoAutoRebootWithLoggedOnUsers : 1 NoAutoUpdate : 0 ScheduledInstallDay : 0 ScheduledInstallTime : 0 AllowMUUpdateService : 1 UseWUServer : 0 SetDisablePauseUXAccess : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows\WindowsUpdate\AU PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows\WindowsUpdate PSChildName : AU PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.108.2.2 (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

AUOptions : 4 AutoInstallMinorUpdates : 0 DetectionFrequencyEnabled : 0 DetectionFrequency : 22 NoAutoRebootWithLoggedOnUsers : 1 NoAutoUpdate : 4 ScheduledInstallDay : 0 ScheduledInstallTime : 0 AllowMUUpdateService : 1 UseWUServer : 0 SetDisablePauseUXAccess : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows\WindowsUpdate\AU PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows\WindowsUpdate PSChildName : AU PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.108.2.3 (L1) Ensure 'Remove access to “Pause updates” feature' is set to 'Enabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

AUOptions : 4 AutoInstallMinorUpdates : 0 DetectionFrequencyEnabled : 0 DetectionFrequency : 22 NoAutoRebootWithLoggedOnUsers : 1 NoAutoUpdate : 1 ScheduledInstallDay : 0 ScheduledInstallTime : 0 AllowMUUpdateService : 1 UseWUServer : 0 SetDisablePauseUXAccess : 1 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows\WindowsUpdate\AU PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wind ows\WindowsUpdate PSChildName : AU PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.108.4.1 (L1) Ensure 'Manage preview builds' is set to 'Disabled' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

DisableOSUpgrade : 0 ElevateNonAdmins : 1 TargetGroupEnabled : 0 TargetGroup : WUServer : WUStatusServer : ManagePreviewBuildsPolicyValue : 0 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows\WindowsUpdate PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Win dows PSChildName : WindowsUpdate PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.108.4.2 (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days' :green_circle: 
- Severity: `Medium`
- [ ] Fixed
- [ ] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :green_circle:
- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

DisableOSUpgrade : 0 ElevateNonAdmins : 1 TargetGroupEnabled : 0 TargetGroup : WUServer : WUStatusServer : ManagePreviewBuildsPolicyValue : 0 DeferFeatureUpdates : 1 DeferFeatureUpdatesPeriodInDays : 384 PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wi ndows\WindowsUpdate PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wi ndows PSChildName : WindowsUpdate PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry


</details>

### 18.9.108.4.3 (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' :green_circle: 
- Severity: `Medium`
- [x] Fixed
- [x] Second review 
<details>
<summary>Details</summary>

- ID - :green_circle:
- Title, description, rationale, remediation - :red_circle:
**Expected remediation**:

To establish the recommended configuration via GP, set the following UI path to Enabled:0 days : Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\Select when Quality Updates are received Note: This Group Policy path does not exist by default. An updated Group Policy template ( WindowsUpdate.admx/adml ) is required - it is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

**Current remediation**:

To establish the recommended configuration via GP, set the following UI path to Enabled:0 days: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\Select when Quality Updates are received. Note: This Group Policy path does not exist by default. An updated Group Policy template (WindowsUpdate.admx/adml) is required.

- Compliance - :green_circle:
- Rules -
    - Expected scan result: `OK`
    - Log:

PS C:\Users\vagrant> Get-ItemProperty -PAth 'HKLM:HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

DisableOSUpgrade : 0 ElevateNonAdmins : 1 TargetGroupEnabled : 0 TargetGroup : WUServer : WUStatusServer : ManagePreviewBuildsPolicyValue : 0 DeferFeatureUpdates : 1 DeferFeatureUpdatesPeriodInDays : 384 DeferQualityUpdates : 1 DeferQualityUpdatesPeriodInDays : 0 PauseQualityUpdatesStartTime : PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wi ndows\WindowsUpdate PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wi ndows PSChildName : WindowsUpdate PSDrive : HKLM PSProvider : Microsoft.PowerShell.Core\Registry



</details>

fabamatic commented 1 year ago

Comments on second review

Unimplemented checks won't be added because of technichal impossibilities or because they exceed target scope (Like BL and NG checks)
18.9.67.2: Wording of the check is a bit weird, it looks to enable the disabled status, according to https://admx.help/?Category=Windows_10_2016&Policy=FullArmor.Policies.3B9EA2B5_A1D1_4CD5_9EDE_75B22990BC21::AllowCloudSearch the correct value is 0
18.9.104.1, 18.9.104.2, 18.9.81.1: Agree on that those keys can't be found on the registry, perhaps these keys only appear when computer is in a domain. Anyway we can't correct CIS, we will keep using the registries they indicate to use for auditing
Added 18.9.6.2

damarisg commented 2 months ago

We decided to close them as it was not planned.

wazuh / wazuh-qa

Wazuh 4.3 - SCA policies manual tests - SCA Policy for CIS Microsoft Windows 10 Enterprise Release 21H2 Benchmark v1.12.0 / @fedepacher #3044

Description

Checks

Checks design

Checks lists

Conclusions

1.1 Password Policy

1.1.1 (L1) "Ensure 'Enforce password history' is set to '24 or more password(s)' :green_circle:

1.1.2 (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' :green_circle:

1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' :green_circle:

1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' :green_circle:

1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' :green_circle:

1.1.6 (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled' :green_circle:

1.1.7 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' :red_circle:

Update 2022/06/30

1.2 Account Lockout Policy

1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' :green_circle:

1.2.2 (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt(s), but not 0' :green_circle:

1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' :green_circle:

2.2 User Rights Assignment

2.2.1 to 2.2.39 Not present

2.3 Security Options

2.3.1.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled' :green_circle:

Update 2022/07/01

2.3.7.6 (L1) Configure 'Interactive logon: Message title for users attempting to log on' :green_circle:

2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' :green_circle:

2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' :green_circle:

Update 2022/07/05

2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' :green_circle:

2.3.11.10 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' :green_circle:

2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' :green_circle:

5.7 (L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed' :green_circle:

5.8 (L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled' :green_circle:

5.11 (L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed' :green_circle:

Update 2022/07/06

5.16 (L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled' :green_circle:

5.29 (L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed' :green_circle:

5.30 (L1) Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed' :green_circle:

5.42 (L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled' :green_circle:

Update 2022/07/07

9.1 Domain Profile

9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' :green_circle:

9.1.2 (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' :green_circle:

9.1.3 (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' :green_circle:

9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' :green_circle:

9.1.5 (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' :green_circle:

9.1.6 (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' :green_circle:

9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' :green_circle:

9.1.8 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' :green_circle:

9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' :green_circle:

9.2.2 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' :green_circle:

9.2.3 (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' :green_circle:

9.2.5 (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' :green_circle:

9.2.6 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' :green_circle:

9.2.7 (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' :green_circle:

9.2.8 (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' :green_circle:

9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' :green_circle:

9.3.2 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' :green_circle:

9.3.3 (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' :green_circle:

9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' :green_circle:

9.3.6 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' :green_circle:

9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' :green_circle:

9.3.10 (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' :green_circle:

17.1 Account Logon

17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' :green_circle:

17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' :green_circle:

17.2.2 (L1) Ensure 'Audit Security Group Management' is set to include 'Success' :green_circle:

17.2.3 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' :green_circle:

Update 2022/07/08

17.3.1 (L1) Ensure 'Audit PNP Activity' is set to include 'Success' :green_circle:

17.3.2 (L1) Ensure 'Audit Process Creation' is set to include 'Success' :green_circle:

17.5.1 (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' :green_circle:

17.5.2 (L1) Ensure 'Audit Group Membership' is set to include 'Success' :green_circle:

17.5.3 (L1) Ensure 'Audit Logoff' is set to include 'Success' :green_circle:

17.5.4 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' :green_circle:

17.5.5 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' :green_circle:

17.5.6 (L1) Ensure 'Audit Special Logon' is set to include 'Success' :green_circle:

17.6.1 (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure' :green_circle:

17.6.2 (L1) Ensure 'Audit File Share' is set to 'Success and Failure' :green_circle: