wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Wazuh 4.4 - SCA policies manual tests - Windows server 2022 #14362

Closed JavierBejMen closed 2 years ago

JavierBejMen commented 2 years ago
| Component | Action type | Main Issue |
|---|---|---|
| SCA | Manual test | #13895 |

Description

This issue aims to manually test the new Windows Server 2022 SCA checks.

Tests

For each check in the SCA policy checks:

https://github.com/wazuh/wazuh/blob/f53ba8fa1ad5accede84703fe348cd75d56cfa6b/ruleset/sca/windows/cis_win2022.yml#L1-L5632

The installers must also be tested:

Test report procedure

Individual comments show the rule/condition test. Text checking is semi-automated:

All test results must have one of the following statuses:
:green_circle: Everything in the CIS check is correct (description, rule, ID, etc).
:red_circle: There is an error in the CIS check.
:yellow_circle: There is a typo or minor error in the CIS check.

Any failing test must be properly addressed with a new issue, detailing the error and the possible cause.

Please attach any documents, screenshots, or tables to the issue update with the results. This report can be used by the auditors to dig deeper into any possible failures and details.

JavierBejMen commented 2 years ago
| CIS ID | SCA ID | Status | Name |
|---|---|---|---|
| 1.1.1 | 27000 | :green_circle: | (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' (Automated) |

| Item | Check | Notes |
|---|---|---|
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |
JavierBejMen commented 2 years ago
| CIS ID | SCA ID | Status | Name |
|---|---|---|---|
| 1.1.2 | 27001 | :green_circle: | (L1) Ensure 'Maximum password age' is set to '365 or fewer days, but not 0' |

| Item | Check | Notes |
|---|---|---|
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |
JavierBejMen commented 2 years ago
| CIS ID | SCA ID | Status | Name |
|---|---|---|---|
| 1.1.3 | 27002 | :green_circle: | (L1) Ensure 'Minimum password age' is set to '1 or more day |

| Item | Check | Notes |
|---|---|---|
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |
JavierBejMen commented 2 years ago
| CIS ID | SCA ID | Status | Name |
|---|---|---|---|
| 1.1.4 | 27003 | :green_circle: | (L1) Ensure 'Minimum password length' is set to '14 or more character |

| Item | Check | Notes |
|---|---|---|
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |
JavierBejMen commented 2 years ago
| CIS ID | SCA ID | Status | Name |
|---|---|---|---|
| 1.1.5 | 27004 | :red_circle: | (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' |

| Item | Check | Notes |
|---|---|---|
| id | :green_circle: | |
| condition/rule | :red_circle: | Get-ADDefaultDomainPasswordPolicy not found |
| dashboard | :green_circle: | |

```
PS C:\Program Files (x86)\ossec-agent\ruleset\sca> Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser
Get-ADDefaultDomainPasswordPolicy : The term 'Get-ADDefaultDomainPasswordPolicy' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-ADDefaultDomainPasswordPolicy:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
```
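The rule behind this check depends on `Get-ADDefaultDomainPasswordPolicy`, which exists only where the ActiveDirectory PowerShell module (RSAT) is installed, so on a member or standalone server the command is simply not found. The PowerShell below is an added example, not code from the Wazuh policy or from the reporter: it evaluates the same CIS 1.1.5 setting and falls back to a `secedit` export of the effective local security policy when the AD cmdlet is absent; the function and output field names are this example's own.

```powershell
# Added example: evaluate CIS 1.1.5 (SCA 27004, 'Password must meet complexity
# requirements' = Enabled) on hosts with or without the ActiveDirectory module.
# Get-ADDefaultDomainPasswordPolicy is only present when the RSAT AD PowerShell
# module is installed, which is why the rule reported "not found" on the test host.
# Function and field names are this example's own, not part of the Wazuh policy.
function Get-PasswordComplexitySetting {
    [CmdletBinding()]
    param()

    # Preferred source: the effective domain password policy, if the cmdlet exists.
    if (Get-Command -Name Get-ADDefaultDomainPasswordPolicy -ErrorAction SilentlyContinue) {
        $policy = Get-ADDefaultDomainPasswordPolicy -Current LoggedOnUser
        return [pscustomobject]@{
            Source            = 'ActiveDirectory'
            ComplexityEnabled = [bool]$policy.ComplexityEnabled
        }
    }

    # Fallback: export the effective local security policy with secedit (needs an
    # elevated shell) and read PasswordComplexity from [System Access]; 1 = Enabled.
    $inf = Join-Path $env:TEMP ('secpol_{0}.inf' -f [guid]::NewGuid())
    try {
        $null = & secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet
        if (-not (Test-Path -Path $inf)) {
            throw 'secedit export produced no file (run from an elevated shell)'
        }
        $line = Get-Content -Path $inf |
            Where-Object { $_ -match '^\s*PasswordComplexity\s*=\s*\d+' } |
            Select-Object -First 1
        if (-not $line) { throw 'PasswordComplexity not present in the secedit export' }
        $value = [int](($line -split '=')[1].Trim())
        return [pscustomobject]@{
            Source            = 'secedit'
            ComplexityEnabled = ($value -eq 1)
        }
    }
    finally {
        # The export contains the full local policy; do not leave it behind.
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

# Report with the pass/fail semantics the SCA check uses.
$result = Get-PasswordComplexitySetting
$status = if ($result.ComplexityEnabled) { 'PASSED' } else { 'FAILED' }
"SCA 27004 / CIS 1.1.5: $status (source: $($result.Source))"
```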
JavierBejMen commented 2 years ago
| CIS ID | SCA ID | Status | Name |
|---|---|---|---|
| 1.1.6 | 27005 | :green_circle: | (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled' |

| Item | Check | Notes |
|---|---|---|
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |
JavierBejMen commented 2 years ago
| CIS ID | SCA ID | Status | Name |
|---|---|---|---|
| 1.1.7 | --- | :green_circle: | (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' |

Can't be implemented

JavierBejMen commented 2 years ago
| CIS ID | SCA ID | Status | Name |
|---|---|---|---|
| 1.2.1 | 27006 | :green_circle: | (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' (Automated) |

| Item | Check | Notes |
|---|---|---|
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |
JavierBejMen commented 2 years ago
| CIS ID | SCA ID | Status | Name |
|---|---|---|---|
| 1.2.2 | 27007 | :green_circle: | (L1) Ensure 'Account lockout threshold' is set to '5 or fewer invalid logon attempt |

| Item | Check | Notes |
|---|---|---|
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |
JavierBejMen commented 2 years ago
| CIS ID | SCA ID | Status | Name |
|---|---|---|---|
| 1.2.3 | 27008 | :green_circle: | (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s) |

| Item | Check | Notes |
|---|---|---|
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |
JavierBejMen commented 2 years ago

Automatic test CIS texts Results

Not Found

The following CIS IDs were not found:

| ID | CIS ID |
|---|---|
| 27229 | 18.8.34.6.6 |
| 27310 | 18.9.67.5 |

Results

| ID | CIS ID | Title | Description | Rationale | Remediation |
|---|---|---|---|---|---|
| 27000 | 1.1.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27001 | 1.1.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27002 | 1.1.3 | :green_circle: | :red_circle: | :red_circle: | :green_circle: |
| 27003 | 1.1.4 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27004 | 1.1.5 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27005 | 1.1.6 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27006 | 1.2.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27007 | 1.2.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27008 | 1.2.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27009 | 2.3.1.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27010 | 2.3.1.2 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27011 | 2.3.1.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27012 | 2.3.1.4 | :green_circle: | :green_circle: | :red_circle: | :green_circle: |
| 27013 | 2.3.1.5 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27014 | 2.3.1.6 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27015 | 2.3.2.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27016 | 2.3.2.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27017 | 2.3.4.1 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27018 | 2.3.4.2 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27019 | 2.3.5.1 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27020 | 2.3.5.2 | :red_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27021 | 2.3.5.3 | :red_circle: | :red_circle: | :red_circle: | :red_circle: |
| 27022 | 2.3.5.4 | :green_circle: | :red_circle: | :red_circle: | :green_circle: |
| 27023 | 2.3.5.5 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27024 | 2.3.6.1 | :green_circle: | :green_circle: | :red_circle: | :red_circle: |
| 27025 | 2.3.6.2 | :green_circle: | :green_circle: | :red_circle: | :red_circle: |
| 27026 | 2.3.6.3 | :green_circle: | :green_circle: | :red_circle: | :green_circle: |
| 27027 | 2.3.6.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27028 | 2.3.6.5 | :green_circle: | :red_circle: | :red_circle: | :green_circle: |
| 27029 | 2.3.6.6 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27030 | 2.3.7.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27031 | 2.3.7.2 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27033 | 2.3.7.4 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27034 | 2.3.7.6 | :red_circle: | :red_circle: | :red_circle: | :red_circle: |
| 27035 | 2.3.7.7 | :red_circle: | :red_circle: | :red_circle: | :red_circle: |
| 27037 | 2.3.7.8 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27038 | 2.3.7.9 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27039 | 2.3.8.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27040 | 2.3.8.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27041 | 2.3.8.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27042 | 2.3.9.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27043 | 2.3.9.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27044 | 2.3.9.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27045 | 2.3.9.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27046 | 2.3.9.5 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27047 | 2.3.10.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27048 | 2.3.10.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27049 | 2.3.10.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27050 | 2.3.10.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27051 | 2.3.10.5 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27052 | 2.3.10.6 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27053 | 2.3.10.7 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27054 | 2.3.10.8 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27055 | 2.3.10.9 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27056 | 2.3.10.10 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27057 | 2.3.10.11 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27058 | 2.3.10.12 | :green_circle: | :green_circle: | :red_circle: | :red_circle: |
| 27059 | 2.3.10.13 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27060 | 2.3.11.1 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27061 | 2.3.11.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27062 | 2.3.11.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27063 | 2.3.11.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27064 | 2.3.11.5 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27065 | 2.3.11.6 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27066 | 2.3.11.7 | :green_circle: | :red_circle: | :red_circle: | :green_circle: |
| 27067 | 2.3.11.8 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27068 | 2.3.11.9 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27069 | 2.3.11.10 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27070 | 2.3.13.1 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27072 | 2.3.15.1 | :red_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27073 | 2.3.15.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27074 | 2.3.17.1 | :green_circle: | :green_circle: | :red_circle: | :green_circle: |
| 27075 | 2.3.17.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27076 | 2.3.17.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27077 | 2.3.17.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27078 | 2.3.17.5 | :green_circle: | :red_circle: | :red_circle: | :green_circle: |
| 27079 | 2.3.17.6 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27080 | 2.3.17.7 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27081 | 2.3.17.8 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27082 | 5.1 | :green_circle: | :red_circle: | :red_circle: | :green_circle: |
| 27083 | 5.2 | :green_circle: | :red_circle: | :red_circle: | :green_circle: |
| 27084 | 9.2.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27085 | 9.2.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27086 | 9.2.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27087 | 9.2.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27088 | 9.2.5 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27089 | 9.2.6 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27090 | 9.2.7 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27091 | 9.2.8 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27092 | 9.3.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27093 | 9.3.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27094 | 9.3.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27095 | 9.3.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27096 | 9.3.5 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27097 | 9.3.6 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27098 | 9.3.7 | :red_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27099 | 9.3.8 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27100 | 9.3.9 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27101 | 9.3.10 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27102 | 17.1.1 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27103 | 17.1.2 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27104 | 17.1.3 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27105 | 17.2.1 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27106 | 17.2.2 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27107 | 17.2.3 | :green_circle: | :red_circle: | :red_circle: | :red_circle: |
| 27108 | 17.2.4 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27109 | 17.2.5 | :green_circle: | :red_circle: | :red_circle: | :red_circle: |
| 27110 | 17.2.6 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27111 | 17.3.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27112 | 17.3.2 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27113 | 17.4.1 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27114 | 17.4.2 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27115 | 17.5.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27116 | 17.5.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27117 | 17.5.3 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27118 | 17.5.4 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27119 | 17.5.5 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27120 | 17.5.6 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27121 | 17.6.1 | :green_circle: | :red_circle: | :red_circle: | :green_circle: |
| 27122 | 17.6.2 | :green_circle: | :green_circle: | :red_circle: | :green_circle: |
| 27123 | 17.6.3 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27124 | 17.6.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27125 | 17.7.1 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27126 | 17.7.2 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27127 | 17.7.3 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27128 | 17.7.4 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27129 | 17.7.5 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27130 | 17.8.1 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27131 | 17.9.1 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27132 | 17.9.2 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27133 | 17.9.3 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27134 | 17.9.4 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27135 | 17.9.5 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27136 | 18.1.1.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27137 | 18.1.1.2 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27138 | 18.1.2.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27139 | 18.1.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27140 | 18.2.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27141 | 18.2.2 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27142 | 18.2.3 | :red_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27143 | 18.2.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27144 | 18.2.5 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27145 | 18.2.6 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27146 | 18.3.1 | :red_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27147 | 18.3.2 | :red_circle: | :green_circle: | :red_circle: | :red_circle: |
| 27148 | 18.3.3 | :green_circle: | :green_circle: | :red_circle: | :red_circle: |
| 27149 | 18.3.4 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27150 | 18.3.5 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27151 | 18.3.6 | :red_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27152 | 18.3.7 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27153 | 18.4.1 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27154 | 18.4.2 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27155 | 18.4.3 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27156 | 18.4.4 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27157 | 18.4.5 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27158 | 18.4.6 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27159 | 18.4.7 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27160 | 18.4.8 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27161 | 18.4.9 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27162 | 18.4.10 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27163 | 18.4.11 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27164 | 18.4.12 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27165 | 18.5.4.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27166 | 18.5.4.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27167 | 18.5.5.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27168 | 18.5.8.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27169 | 18.5.9.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27170 | 18.5.9.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27171 | 18.5.10.2 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27172 | 18.5.11.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27173 | 18.5.11.3 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27174 | 18.5.11.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27175 | 18.5.14.1 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27176 | 18.5.19.2.1 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27177 | 18.5.20.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27178 | 18.5.20.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27179 | 18.5.21.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27180 | 18.5.21.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27181 | 18.6.1 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27182 | 18.6.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27183 | 18.6.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27184 | 18.7.1.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27185 | 18.8.3.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27186 | 18.8.4.1 | :green_circle: | :green_circle: | :red_circle: | :green_circle: |
| 27187 | 18.8.4.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27188 | 18.8.5.1 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27189 | 18.8.5.2 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27190 | 18.8.5.3 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27191 | 18.8.5.4 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27192 | 18.8.5.5 | :red_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27193 | 18.8.5.6 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27194 | 18.8.5.7 | :green_circle: | :red_circle: | :red_circle: | :red_circle: |
| 27195 | 18.8.7.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27196 | 18.8.14.1 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27197 | 18.8.21.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27198 | 18.8.21.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27199 | 18.8.21.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27200 | 18.8.21.5 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27201 | 18.8.22.1.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27202 | 18.8.22.1.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27203 | 18.8.22.1.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27204 | 18.8.22.1.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27205 | 18.8.22.1.5 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27206 | 18.8.22.1.6 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27207 | 18.8.22.1.7 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27208 | 18.8.22.1.8 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27209 | 18.8.22.1.9 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27210 | 18.8.22.1.10 | :red_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27211 | 18.8.22.1.11 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27212 | 18.8.22.1.12 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27213 | 18.8.22.1.13 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27214 | 18.8.25.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27215 | 18.8.26.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27216 | 18.8.27.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27217 | 18.8.28.1 | :red_circle: | :green_circle: | :red_circle: | :green_circle: |
| 27218 | 18.8.28.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27219 | 18.8.28.3 | :red_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27220 | 18.8.28.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27221 | 18.8.28.5 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27222 | 18.8.28.6 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27223 | 18.8.28.7 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27224 | 18.8.31.1 | :green_circle: | :green_circle: | :red_circle: | :red_circle: |
| 27225 | 18.8.31.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27226 | 18.8.34.6.1 | :red_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27227 | 18.8.34.6.2 | :red_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27228 | 18.8.34.6.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27230 | 18.8.36.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27231 | 18.8.36.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27232 | 18.8.37.1 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27233 | 18.8.37.2 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27234 | 18.8.40.1 | :green_circle: | :red_circle: | :red_circle: | :red_circle: |
| 27235 | 18.8.48.5.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27236 | 18.8.48.11.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27237 | 18.8.50.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27238 | 18.8.53.1.1 | :green_circle: | :green_circle: | :red_circle: | :green_circle: |
| 27239 | 18.8.53.1.2 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27240 | 18.9.4.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27241 | 18.9.6.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27242 | 18.9.8.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27243 | 18.9.8.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27244 | 18.9.8.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27245 | 18.9.10.1.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27246 | 18.9.12.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27247 | 18.9.14.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27248 | 18.9.14.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27249 | 18.9.15.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27250 | 18.9.16.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27251 | 18.9.16.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27252 | 18.9.17.1 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27253 | 18.9.17.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27254 | 18.9.17.3 | :green_circle: | :green_circle: | :red_circle: | :green_circle: |
| 27255 | 18.9.17.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27256 | 18.9.17.5 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27257 | 18.9.17.6 | :green_circle: | :green_circle: | :red_circle: | :green_circle: |
| 27258 | 18.9.17.7 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27259 | 18.9.17.8 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27260 | 18.9.27.1.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27261 | 18.9.27.1.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27262 | 18.9.27.2.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27263 | 18.9.27.2.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27264 | 18.9.27.3.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27265 | 18.9.27.3.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27266 | 18.9.27.4.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27267 | 18.9.27.4.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27268 | 18.9.31.2 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27269 | 18.9.31.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27270 | 18.9.31.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27271 | 18.9.41.1 | :green_circle: | :green_circle: | :red_circle: | :green_circle: |
| 27272 | 18.9.45.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27273 | 18.9.46.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27274 | 18.9.47.4.1 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27275 | 18.9.47.4.2 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27276 | 18.9.47.5.1.1 | :green_circle: | :green_circle: | :red_circle: | :green_circle: |
| 27277 | 18.9.47.5.1.2 | :green_circle: | :green_circle: | :red_circle: | :green_circle: |
| 27278 | 18.9.47.5.3.1 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27279 | 18.9.47.6.1 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27280 | 18.9.47.9.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27281 | 18.9.47.9.2 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27282 | 18.9.47.9.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27283 | 18.9.47.9.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27284 | 18.9.47.11.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27285 | 18.9.47.12.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27286 | 18.9.47.12.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27287 | 18.9.47.15 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27288 | 18.9.47.16 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27289 | 18.9.58.1 | :green_circle: | :green_circle: | :red_circle: | :green_circle: |
| 27290 | 18.9.64.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27291 | 18.9.65.2.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27292 | 18.9.65.3.2.1 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
| 27293 | 18.9.65.3.3.1 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27294 | 18.9.65.3.3.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27295 | 18.9.65.3.3.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27296 | 18.9.65.3.3.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27297 | 18.9.65.3.3.5 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27298 | 18.9.65.3.3.6 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27299 | 18.9.65.3.9.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27300 | 18.9.65.3.9.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27301 | 18.9.65.3.9.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27302 | 18.9.65.3.9.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27303 | 18.9.65.3.9.5 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27304 | 18.9.65.3.10.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27305 | 18.9.65.3.10.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27306 | 18.9.65.3.11.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27307 | 18.9.65.3.11.2 | :green_circle: | :green_circle: | :green_circle: | :red_circle: |
| 27308 | 18.9.66.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27309 | 18.9.67.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27311 | 18.9.72.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27312 | 18.9.85.1.1 | :green_circle: | :red_circle: | :red_circle: | :green_circle: |
| 27313 | 18.9.89.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27314 | 18.9.89.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27315 | 18.9.90.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27316 | 18.9.90.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27317 | 18.9.90.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27318 | 18.9.91.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27319 | 18.9.100.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27320 | 18.9.100.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27321 | 18.9.102.1.1 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27322 | 18.9.102.1.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27323 | 18.9.102.1.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27324 | 18.9.102.2.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27325 | 18.9.102.2.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27326 | 18.9.102.2.3 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27327 | 18.9.102.2.4 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27328 | 18.9.103.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27329 | 18.9.105.2.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27330 | 18.9.108.1.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27331 | 18.9.108.2.1 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27332 | 18.9.108.2.2 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27333 | 18.9.108.4.1 | :green_circle: | :green_circle: | :green_circle: | :green_circle: |
| 27334 | 18.9.108.4.2 | :green_circle: | :red_circle: | :green_circle: | :green_circle: |
| 27335 | 18.9.108.4.3 | :green_circle: | :red_circle: | :green_circle: | :red_circle: |
JavierBejMen commented 2 years ago

Failed Details

27002

description:
- Exp: This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days. The recommended state for this setting is: 1 or more day(s). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
- Act: This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days. The recommended state for this setting is: 1 or more day(s)`). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.`

rationale:
- Exp: Users may have favorite passwords that they like to use because they are easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords are compromised and if an attacker is targeting a specific individual user account, with foreknowledge of data about that user, reuse of old passwords can cause a security breach. To address password reuse a combination of security settings is required. Using this policy setting with the Enforce password history setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history setting to ensure that users cannot reuse any of their last 12 passwords, they could change their password 13 times in a few minutes and reuse the password they started with, unless you also configure the Minimum password age setting to a number that is greater than 0. You must configure this policy setting to a number that is greater than 0 for the Enforce password history setting to be effective.
- Act: Users may have favorite passwords that they like to use because they are easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords are compromised and if an attacker is targeting a specific individual`'s user account, with foreknowledge of data about that user, reuse of old passwords can cause a security breach. To address password reuse a combination of security settings is required. Using this policy setting with the Enforce password history setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history setting to ensure that users cannot reuse any of their last 12 passwords, they could change their password 13 times in a few minutes and reuse the password they started with, unless you also configure the Minimum password age setting to a number that is greater than 0. You must configure this policy setting to a number that is greater than 0 for the Enforce password history setting to be effective.`

27003

description: Exp: This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps "passphrase" is a better term than "password." In Microsoft Windows 2000 and newer, passphrases can be quite long and can include spaces. Therefore, a phrase such as "I want to drink a $5 milkshake" is a valid passphrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Users must be educated about the proper selection and maintenance of passwords, especially with regard to password length. In enterprise environments, the ideal value for the Minimum password length setting is 14 characters, however you should adjust this value to meet your organization's business requirements. The recommended state for this setting is: 14 or more character(s). Note: In Windows Server 2016 and older versions of Windows Server, the GUI of the Local Security Policy (LSP), Local Group Policy Editor (LGPE) and Group Policy Management Editor (GPME) would not let you set this value higher than 14 characters. However, starting with Windows Server 2019, Microsoft changed the GUI to allow up to a 20 character minimum password length. Note #2: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. 
However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center. Act: This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps `'passphrase' is a better term than 'password.' In Microsoft Windows 2000 and newer, passphrases can be quite long and can include spaces. Therefore, a phrase such as 'I want to drink a $5 milkshake' is a valid passphrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Users must be educated about the proper selection and maintenance of passwords, especially with regard to password length. In enterprise environments, the ideal value for the Minimum password length setting is 14 characters, however you should adjust this value to meet your organization's business requirements. The recommended state for this setting is: 14 or more character(s). Note: In Windows Server 2016 and older versions of Windows Server, the GUI of the Local Security Policy (LSP), Local Group Policy Editor (LGPE) and Group Policy Management Editor (GPME) would not let you set this value higher than 14 characters. However, starting with Windows Server 2019, Microsoft changed the GUI to allow up to a 20 character minimum password length. Note #2: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. 
If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.`

27004

description: Exp: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - - - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters Be at least six characters in length Contain characters from three of the following categories: - English uppercase characters (A through Z) - English lowercase characters (a through z) - Base 10 digits (0 through 9) - Non-alphabetic characters (for example, !, $, #, %) - A catch-all category of any Unicode character that does not fall under the previous four categories. This fifth category can be regionally specific. Each additional character in a password increases its complexity exponentially. For instance, a seven-character, all lower-case alphabetic password would have 267 (approximately 8 x 109 or 8 billion) possible combinations. At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack. A seven-character alphabetic password with case sensitivity has 527 combinations. A seven-character case-sensitive alphanumeric password without punctuation has 627 combinations. An eight-character password has 268 (or 2 x 1011) possible combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords. Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as "!" or "@". Proper use of the password settings can help make it difficult to mount a brute force attack. The recommended state for this setting is: Enabled. 
Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center. Act: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - `Not contain the user's account name or parts of the user's full name that exceed two consecutive characters - Be at least six characters in length - Contain characters from three of the following categories: - English uppercase characters (A through Z) - English lowercase characters (a through z) - Base 10 digits (0 through 9) - Non-alphabetic characters (for example, !, $, #, %) o A catch-all category of any Unicode character that does not fall under the previous four categories. This fifth category can be regionally specific. Each additional character in a password increases its complexity exponentially. For instance, a seven-character, all lower-case alphabetic password would have 267 (approximately 8 x 109 or 8 billion) possible combinations. At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack. A seven-character alphabetic password with case sensitivity has 527 combinations. A seven-character case-sensitive alphanumeric password without punctuation has 627 combinations. 
An eight-character password has 268 (or 2 x 1011) possible combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords. Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as '!'' or '@''. Proper use of the password settings can help make it difficult to mount a brute force attack. The recommended state for this setting is: Enabled. Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.`

27010

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts Act: To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with Microsoft accounts: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Block Microsoft accounts`.`

27012

rationale: Exp: Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on. Act: Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domain`-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on.`

27013

description: Exp: The built-in local administrator account is a well-known account name that attackers will target. It is recommended to choose another name for this account, and to avoid names that denote administrative or elevated access accounts. Be sure to also change the default description for the local administrator (through the Computer Management console). On Domain Controllers, since they do not have their own local accounts, this rule refers to the built-in Administrator account that was established when the domain was first created. Act: The built-in local administrator account is a well-known account name that attackers will target. It is recommended to choose another name for this account, and to avoid names that denote administrative or elevated access accounts. Be sure to also change the default description for the local administrator (through the Computer Management console).``

27014

description: Exp: The built-in local guest account is another well-known name to attackers. It is recommended to rename this account to something that does not indicate its purpose. Even if you disable this account, which is recommended, ensure that you rename it for added security. On Domain Controllers, since they do not have their own local accounts, this rule refers to the built-in Guest account that was established when the domain was first created. Act: The built-in local guest account is another well-known name to attackers. It is recommended to rename this account to something that does not indicate its purpose. Even if you disable this account, which is recommended, ensure that you rename it for added security.``

27017

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Administrators: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media Act: To establish the recommended configuration via GP, set the following UI path to Administrators` and Interactive Users: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Allowed to format and eject removable media.`

27018

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from installing printer drivers`.`

27019

description: Exp: This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job. Note: An AT Service Account can be modified to select a different account rather than the LOCAL SYSTEM account. To change the account, open System Tools, click Scheduled Tasks, and then click Accessories folder. Then click AT Service Account on the Advanced menu. The recommended state for this setting is: Disabled. Act: This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by means of the Task Scheduler Wizard, but those jobs will run in the context of the account with which the user authenticates when they set up the job.``

27020

title: Exp: Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC Only) Act: Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' (DC `only)` description: Exp: This security setting determines whether the domain controller bypasses secure RPC for Netlogon secure channel connections for specified machine accounts. When deployed, this policy should be applied to all domain controllers in a forest by enabling the policy on the domain controllers OU. When the Create Vulnerable Connections list (allow list) is configured: - - Given allow permission, the domain controller will allow accounts to use a Netlogon secure channel without secure RPC. Given deny permission, the domain controller will require accounts to use a Netlogon secure channel with secure RPC which is the same as the default (not necessary). Note: Warning from Microsoft - enabling this policy will expose your domain-joined devices and can expose your Active Directory forest to risk. This policy should be used as a temporary measure for 3rd-party devices as you deploy updates. Once a 3rd-party device is updated to support using secure RPC with Netlogon secure channels, the account should be removed from the Create Vulnerable Connections list. To better understand the risk of configuring accounts to be allowed to use vulnerable Netlogon secure channel connections, please visit How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472. The recommended state for this setting is: Not Configured. Act: This security setting determines whether the domain controller bypasses secure RPC for Netlogon secure channel connections for specified machine accounts. When deployed, this policy should be applied to all domain controllers in a forest by enabling the policy on the domain controllers OU.``

27021

title: Exp: Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC Only) Act: Ensure 'Domain controller: LDAP server channel binding token requirements' is set to 'Always' (DC `only)` description: Exp: This setting determines whether the LDAP server (Domain Controller) enforces validation of Channel Binding Tokens (CBT) received in LDAP bind requests that are sent over SSL/TLS (i.e. LDAPS). The recommended state for this setting is: Always. Note: All LDAP clients must have the CVC-2017-8563 security update to be compatible with Domain Controllers that have this setting enabled. More information on this setting is available at: MSKB 4520412: 2020 LDAP channel binding and LDAP signing requirements for Windows Act: This setting determines whether the LDAP server (Domain Controller) enforces validation of Channel Binding Tokens (CBT) received in LDAP bind requests that are sent over SSL/TLS (i.e. LDAPS).`` rationale: Exp: Requiring Channel Binding Tokens (CBT) can prevent an attacker who is able to capture users' authentication credentials (e.g. OAuth tokens, session identifiers, etc.) from reusing those credentials in another TLS session. This also helps to increase protection against "man-in-the-middle" attacks using LDAP authentication over SSL/TLS (LDAPS). Act: Requiring Channel Binding Tokens (CBT) can prevent an attacker who is able to capture users' authentication credentials (e.g. OAuth tokens, session identifiers, etc.) from reusing those credentials in another TLS session. This also helps to increase protection against `man-in-the-middle attacks using LDAP authentication over SSL/TLS (LDAPS).` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Always: Computer Configuration\Policies\Windows Settings\Local Policies\Security Options\Domain controller: LDAP server channel binding token requirements. 
Note: This Group Policy path requires the installation of the March 2020 (or later) Windows security update. With that update, Microsoft added this setting to the built-in OS security template. Act: To establish the recommended configuration via GP, set the following UI path to Always: Computer Configuration\Policies\Windows Settings\Local Policies\Security Options\Domain controller: LDAP server channel binding token requirements``

27022

description: Exp: This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. The recommended state for this setting is: Require signing. Note: Domain member computers must have Network security: LDAP signing requirements (Rule 2.3.11.8) set to Negotiate signing or higher. If not, they will fail to authenticate once the above Require signing value is configured on the Domain Controllers. Fortunately, Negotiate signing is the default in the client configuration. Note #2: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are shipped with Windows XP Professional use LDAP simple bind or LDAP simple bind through SSL to talk to a Domain Controller. Note #3: Before enabling this setting, you should first ensure that there are no clients (including server-based applications) that are configured to authenticate with Active Directory via unsigned LDAP, because changing this setting will break those applications. Such applications should first be reconfigured to use signed LDAP, Secure LDAP (LDAPS), or IPsec-protected connections. For more information on how to identify whether your DCs are being accessed via unsigned LDAP (and where those accesses are coming from), see this Microsoft TechNet blog article: Identifying Clear Text LDAP binds to your DC’s – Practical Windows Security Act: This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing.`` rationale: Exp: Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. 
Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of manin-the-middle attacks extremely difficult. Additionally, allowing the use of regular, unsigned LDAP permits credentials to be received over the network in clear text, which could very easily result in the interception of account passwords by other systems on the network. Act: Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client, modifies them, and then forwards them to the client. Where LDAP servers are concerned, an attacker could cause a client to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. Also, you could implement Internet Protocol security (IPsec) authentication header mode (AH), which performs mutual authentication and packet integrity for IP traffic to make all types of manin-the-middle attacks extremely difficult.``

27023

description: Exp: This security setting determines whether Domain Controllers will refuse requests from member computers to change computer account passwords. The recommended state for this setting is: Disabled. Note: Some problems can occur as a result of machine account password expiration, particularly if a machine is reverted to a previous point-in-time state, as is common with virtual machines. Depending on how far back the reversion is, the older machine account password stored on the machine may no longer be recognized by the domain controllers, and therefore the computer loses its domain trust. This can also disrupt non-persistent VDI implementations, and devices with write filters that disallow permanent changes to the OS volume. Some organizations may choose to exempt themselves from this recommendation and disable machine account password expiration for these situations. Act: This security setting determines whether Domain Controllers will refuse requests from member computers to change computer account passwords.``

27024

rationale: Exp: When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller. Act: When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated`-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller.` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always) Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt or sign secure channel data (always)`.`

27025

rationale: Exp: When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller. Act: When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated`-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller.` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible) Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt secure channel data (when possible)`.`

27026

rationale: Exp: When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller. Act: When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated`-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller.`

27028

description: Exp: This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. The recommended state for this setting is: 30 or fewer days, but not 0. Note: A value of 0 does not conform to the benchmark as it disables maximum password age. Note #2: Some problems can occur as a result of machine account password expiration, particularly if a machine is reverted to a previous point-in-time state, as is common with virtual machines. Depending on how far back the reversion is, the older machine account password stored on the machine may no longer be recognized by the domain controllers, and therefore the computer loses its domain trust. This can also disrupt non-persistent VDI implementations, and devices with write filters that disallow permanent changes to the OS volume. Some organizations may choose to exempt themselves from this recommendation and disable machine account password expiration for these situations. Act: This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. `If you increase this interval significantly so that the computers no longer change their passwords, an attacker would have more time to undertake a brute force attack against one of the computer accounts. The recommended state for this setting is: 30 or fewer days, but not 0. Note: A value of 0 does not conform to the benchmark as it disables maximum password age. Note #2: Some problems can occur as a result of machine account password expiration, particularly if a machine is reverted to a previous point-in-time state, as is common with virtual machines. Depending on how far back the reversion is, the older machine account password stored on the machine may no longer be recognized by the domain controllers, and therefore the computer loses its domain trust. 
This can also disrupt non-persistent VDI implementations, and devices with write filters that disallow permanent changes to the OS volume. Some organizations may choose to exempt themselves from this recommendation and disable machine account password expiration for these situations.` rationale: Exp: In Active Directory-based domains, each computer has an account and password just like every user. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker will have more time to undertake a brute force attack to guess the passwords of computer accounts. Act: In Active Directory-based domains, each computer has an account and password just like every user. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker will have more time to undertake a brute force attack to guess the password` of one or more computer accounts.`

27031

remediation:
Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Don't display last signed-in. Note: In older versions of Microsoft Windows, this setting was named Interactive logon: Do not display last user name, but it was renamed starting with Windows Server 2019.
Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Don't display last signed-in. Note: In older versions of Microsoft Windows, this setting was named Interactive logon: Do not display last user name, but it was renamed starting with Windows `10 Release 1703.`

27033

description:
Exp: This policy setting specifies a text message that displays to users when they log on. Configure this setting in a manner that is consistent with the security and operational requirements of your organization.
Act: This policy setting specifies a text message that displays to users when they log on. `Set the following group policy to a value that is consistent with the security and operational requirements of your organization.`

27034

title:
Exp: Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only)
Act: `Configure 'Interactive logon: Message title for users attempting to log on'`

description:
Exp: This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a Domain Controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords. The recommended state for this setting is: 4 or fewer logon(s).
Act: This policy setting `specifies the text displayed in the title bar of the window that users see when they log on to the system. Configure this setting in a manner that is consistent with the security and operational requirements of your organization.`

rationale:
Exp: The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally. If the number is set to 4, then the computer caches logon information for 4 users. When a 5th user logs on to the computer, the server overwrites the oldest cached logon session. Users who access the computer console will have their logon credentials cached on that computer. An attacker who is able to access the file system of the computer could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location.
Act: `Displaying a warning message before logon may help prevent an attack by warning the attacker about the consequences of their misconduct before it happens. It may also help to reinforce corporate policy by notifying employees of the appropriate policy during the logon process.`

remediation:
Exp: To establish the recommended configuration via GP, set the following UI path to 4 or fewer logon(s): Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Act: To establish the recommended configuration via GP, `configure the following UI path to a value that is consistent with the security and operational requirements of your organization: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on`

27035

title:
Exp: Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'
Act: Ensure 'Interactive logon: `Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (MS only)`

description:
Exp: This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days.
Act: This policy setting determines `whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a Domain Controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords. The recommended state for this setting is: 4 or fewer logon(s).`

rationale:
Exp: It is recommended that user passwords be configured to expire periodically. Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections.
Act: `The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally. If the number is set to 4, then the computer caches logon information for 4 users. When a 5th user logs on to the computer, the server overwrites the oldest cached logon session. Users who access the computer console will have their logon credentials cached on that computer. An attacker who is able to access the file system of the computer could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location.`

remediation:
Exp: To establish the recommended configuration via GP, set the following UI path to a value between 5 and 14 days: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration
Act: To establish the recommended configuration via GP, set the following UI path to `4 or fewer logon(s): Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Number of previous logons to cache (in case domain controller is not available)`

27037

description:
Exp: Logon information is required to unlock a locked computer. For domain accounts, this security setting determines whether it is necessary to contact a Domain Controller to unlock a computer. The recommended state for this setting is: Enabled.
Act: Logon information is required to unlock a locked computer. For domain accounts, this security setting determines whether it is necessary to contact a Domain Controller to unlock a computer.``

remediation:
Exp: To implement the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require Domain Controller Authentication to unlock workstation
Act: To implement the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\`\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require Domain Controller Authentication to unlock workstation`

27046

description:
Exp: This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark. Note: Since the release of the MS KB3161561 security patch, this setting can cause significant issues (such as replication problems, group policy editing issues and blue screen crashes) on Domain Controllers when used simultaneously with UNC path hardening (i.e. Rule 18.5.14.1). CIS therefore recommends against deploying this setting on Domain Controllers.
Act: This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client to prevent a class of attacks against SMB servers referred to as SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark.``

27052

description:
Exp: This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously.
Act: This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: LSARPC, NETLOGON, SAMR and (when the legacy Computer Browser service is enabled) BROWSER.``

remediation:
Exp: To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously
Act: To establish the recommended configuration via GP, `set the following UI path to (i.e. None): Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously.`

27053

description:
Exp: This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: (i.e. None), or (when the legacy Computer Browser service is enabled) BROWSER. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Licensing Role Service will require a special exception to this recommendation, to allow the HydraLSPipe and TermServLicensing Named Pipes to be accessed anonymously.
Act: This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. The recommended state for this setting is: (i.e. None)`.`

remediation:
Exp: To establish the recommended configuration via GP, configure the following UI path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously
Act: To establish the recommended configuration via GP, `set the following UI path to (i.e. None): Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named Pipes that can be accessed anonymously.`

27054

description:
Exp: This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called "Network access: Remotely accessible registry paths and subpaths" in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2). Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion
Act: This policy setting determines which registry paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called `Network access: Remotely accessible registry paths and subpaths in Windows Server 2003, Windows Vista, and Windows Server 2008 (non-R2).`

remediation:
Exp: To establish the recommended configuration via GP, set the following UI path to: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths
Act: To establish the recommended configuration via GP, set the following UI path to: System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications S`OFTWARE\Microsoft\Windows NT\CurrentVersion Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths.`

27055

description:
Exp: This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called "Network access: Remotely accessible registry paths," the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog The recommended state for servers that hold the Active Directory Certificate Services Role with Certification Authority Role Service includes the above list and: System\CurrentControlSet\Services\CertSvc The recommended state for servers that have the WINS Server Feature installed includes the above list and: System\CurrentControlSet\Services\WINS
Act: This policy setting determines which registry paths and sub-paths will be accessible over the network, regardless of the users or groups listed in the access control list (ACL) of the winreg registry key. Note: In Windows XP this setting is called `Network access: Remotely accessible registry paths, the setting with that same name in Windows Vista, Windows Server 2008 (non-R2), and Windows Server 2003 does not exist in Windows XP. Note #2: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value. The recommended state for this setting is: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog`

remediation:
Exp: To establish the recommended configuration via GP, set the following UI path to: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and sub-paths When a server holds the Active Directory Certificate Services Role with Certification Authority Role Service, the above list should also include: System\CurrentControlSet\Services\CertSvc. When a server has the WINS Server Feature installed, the above list should also include: System\CurrentControlSet\Services\WINS
Act: To establish the recommended configuration via GP, set the following UI path to: System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog S`OFTWARE\Microsoft\OLAP Server SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and sub-paths.`

27056

description:
Exp: When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled.
Act: When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\S`ystem\CurrentControlSet\Services\LanManServer\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled.`

remediation:
Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares
Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict anonymous access to Named Pipes and Shares`.`

27057

description:
Exp: This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow. Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy. Note #2: If your organization is using Azure Advanced Threat Protection (APT), the service account, “AATP Service” will need to be added to the recommendation configuration. For more information on adding the “AATP Service” account please see Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity | Microsoft Docs.
Act: This policy setting allows you to restrict remote RPC connections to SAM. The recommended state for this setting is: Administrators: Remote Access: Allow. Note: A Windows 10 R1607, Server 2016 or newer OS is required to access and set this value in Group Policy.``

remediation:
Exp: To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict clients allowed to make remote calls to SAM
Act: To establish the recommended configuration via GP, set the following UI path to Administrators: Remote Access: Allow: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict clients allowed to make remote calls to SAM`.`

27058

rationale:
Exp: It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data.
Act: It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data``

remediation:
Exp: To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously
Act: To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can be accessed anonymously`.`

27059

remediation:
Exp: To establish the recommended configuration via GP, set the following UI path to Classic local users authenticate as themselves: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts
Act: To establish the recommended configuration via GP, set the following UI path to Classic `- local users authenticate as themselves: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Sharing and security model for local accounts`

27060

remediation:
Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM
Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local System to use computer identity for NTLM`.`

27066

description:
Exp: LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: - - - - - Join a domain Authenticate between Active Directory forests Authenticate to down-level domains Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP Authenticate to computers that are not in the domain The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM.
Act: LAN Manager (LM) was a family of early Microsoft client/server software (predating Windows NT) that allowed users to link personal computers together on a single network. LM network capabilities included transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: -`Join a domain -Authenticate between Active Directory forests -Authenticate to down-level domains -Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP -Authenticate to computers that are not in the domain. The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers. The recommended state for this setting is: Send NTLMv2 response only. Refuse LM & NTLM.`

rationale:
Exp: Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (nonR2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible.
Act: Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non`- R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible.`

27070

description:
Exp: This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server.
Act: This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system.``

remediation:
Exp: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on
Act: `Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on `

27072

title: Exp: Ensure 'System objects: Require case insensitivity for nonWindows subsystems' is set to 'Enabled' Act: Ensure 'System objects: Require case insensitivity for non`-Windows subsystems' is set to 'Enabled'` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Require case insensitivity for nonWindows subsystems Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Require case insensitivity for non`-Windows subsystems`

27074

rationale: Exp: One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named "Administrator" because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: - - If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled. Act: One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named `'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: - If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. 
- If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled.`

27078

description: Exp: This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - - - …\Program Files\, including subfolders …\Windows\System32\ …\Program Files (x86)\, including subfolders (for 64-bit versions of Windows) Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled. Act: This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: `...\Program Files\, including subfolders; ...\Windows\system32\; ...\Program Files (x86)\, including subfolders (for 64-bit versions of Windows). Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled.` rationale: Exp: UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: - - - - - To set the foreground window. To drive any application window using SendInput function. To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. To set journal hooks. 
To uses AttachThreadInput to attach a thread to a higher integrity input queue. Act: UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: - `To set the foreground window. - To drive any application window using SendInput function. - To use read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. - To set journal hooks. - To uses AttachThreadInput to attach a thread to a higher integrity input queue.`

27081

description: Exp: This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - - - - %ProgramFiles% %windir% %windir%\System32 HKEY_LOCAL_MACHINE\SOFTWARE The recommended state for this setting is: Enabled. Act: This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - `%ProgramFiles% - %windir% - %windir%\System32 - HKEY_LOCAL_MACHINE\SOFTWARE. The recommended state for this setting is: Enabled.`

27082

description: Exp: This service spools print jobs and handles interaction with printers. The recommended state for this setting is: Disabled. Act: This service spools print jobs and handles interaction with printers`` rationale: Exp: Disabling the Print Spooler (Spooler) service mitigates the PrintNightmare vulnerability (CVE-2021-34527) and other attacks against the service. Act: Disabling the Print Spooler (Spooler) service mitigates the PrintNightmare vulnerability ` (CVE-2021-34527) and other attacks against the service.`

27083

description: Exp: This service spools print jobs and handles interaction with printers. The recommended state for this setting is: Disabled. Act: This service spools print jobs and handles interaction with printers`` rationale: Exp: Disabling the Print Spooler (Spooler) service mitigates the PrintNightmare vulnerability (CVE-2021-34527) and other attacks against the service. Act: Disabling the Print Spooler (Spooler) service mitigates the PrintNightmare vulnerability ` (CVE-2021-34527) and other attacks against the service.`

27098

title: Exp: Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' Act: Ensure 'Windows Firewall: Public: Logging: Name' is set to '%S`YSTEMROOT%\System32\logfiles\firewall\publicfw.log'` description: Exp: Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SystemRoot%\System32\logfiles\firewall\publicfw.log. Act: Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %S`YSTEMROOT%\System32\logfiles\firewall\publicfw.log.`

27101

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Yes: Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Logging Customize\Log successful connections Act: To establish the recommended configuration via GP, set the following UI path to Yes`. Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Logging Customize\Log successful connections`

27102

description: Exp: This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the Domain Controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the Domain Controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on. Events for this subcategory include: - - - - 4774: An account was mapped for logon. 4775: An account could not be mapped for logon. 4776: The Domain Controller attempted to validate the credentials for an account. 4777: The Domain Controller failed to validate the credentials for an account. The recommended state for this setting is: Success and Failure. Act: This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the Domain Controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the Domain Controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on. Events for this subcategory include: - `4774: An account was mapped for logon. - 4775: An account could not be mapped for logon. - 4776: The Domain Controller attempted to validate the credentials for an account. - 4777: The Domain Controller failed to validate the credentials for an account. The recommended state for this setting is: Success and Failure.`

27103

description: Exp: This subcategory reports the results of events generated after a Kerberos authentication TGT request. Kerberos is a distributed authentication service that allows a client running on behalf of a user to prove its identity to a server without sending data across the network. This helps mitigate an attacker or server from impersonating a user. - - - 4768: A Kerberos authentication ticket (TGT) was requested. 4771: Kerberos pre-authentication failed. 4772: A Kerberos authentication ticket request failed. The recommended state for this setting is: Success and Failure. Act: This subcategory reports the results of events generated after a Kerberos authentication ` TGT request. Kerberos is a distributed authentication service that allows a client running on behalf of a user to prove its identity to a server without sending data across the network. This helps mitigate an attacker or server from impersonating a user.` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon\Audit Kerberos Authentication Service Act: To establish the recommended configuration via GP, set the following UI path to Success ` and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon\Audit Kerberos Authentication Service`

27104

description: Exp: This subcategory reports the results of events generated by Kerberos authentication ticketgranting ticket (TGT) requests. Kerberos Service Ticket requests (TGS requests) occur as part of service use and access requests by specific accounts. Auditing these events will record the IP address from which the account requested TGS, when TGS was requested, and which encryption type was used. - - - 4769: A Kerberos service ticket was requested. 4770: A Kerberos service ticket was renewed. 4773: A Kerberos service ticket request failed. The recommended state for this setting is: Success and Failure. Act: This subcategory reports the results of events generated by Kerberos authentication ticket`-granting ticket (TGT) requests. Kerberos Service Ticket requests (TGS requests) occur as part of service use and access requests by specific accounts. Auditing these events will record the IP address from which the account requested TGS, when TGS was requested, and which encryption type was used.` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon\Audit Kerberos Service Ticket Operations Act: To establish the recommended configuration via GP, set the following UI path to Success ` and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Logon\Audit Kerberos Service Ticket Operations`

27105

description: Exp: This policy setting allows you to audit events generated by changes to application groups such as the following: - - Application group is created, changed, or deleted. Member is added or removed from an application group. Application groups are utilized by Windows Authorization Manager, which is a flexible framework created by Microsoft for integrating role-based access control (RBAC) into applications. More information on Windows Authorization Manager is available at MSDN Windows Authorization Manager. The recommended state for this setting is: Success and Failure. Act: This policy setting allows you to audit events generated by changes to application groups such as the following: - `Application group is created, changed, or deleted. - Member is added or removed from an application group. Application groups are utilized by Windows Authorization Manager, which is a flexible framework created by Microsoft for integrating role-based access control (RBAC) into applications. More information on Windows Authorization Manager is available at MSDN - Windows Authorization Manager. The recommended state for this setting is: Success and Failure.`

27106

description: Exp: This subcategory reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled. Events for this subcategory include: - - - 4741: A computer account was created. 4742: A computer account was changed. 4743: A computer account was deleted. The recommended state for this setting is to include: Success. Act: This subcategory reports each event of computer account management, such as when a ` computer account is created, changed, deleted, renamed, disabled, or enabled.` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit Computer Account Management Act: To establish the recommended configuration via GP, set the following UI path to include ` Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit Computer Account Management`

27107

description: Exp: This subcategory reports each event of distribution group management, such as when a distribution group is created, changed, or deleted or when a member is added to or removed from a distribution group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of group accounts. Events for this subcategory include: - - - - - - - - - - - - - - - 4744: A security-disabled local group was created. 4745: A security-disabled local group was changed. 4746: A member was added to a security-disabled local group. 4747: A member was removed from a security-disabled local group. 4748: A security-disabled local group was deleted. 4749: A security-disabled global group was created. 4750: A security-disabled global group was changed. 4751: A member was added to a security-disabled global group. 4752: A member was removed from a security-disabled global group. 4753: A security-disabled global group was deleted. 4759: A security-disabled universal group was created. 4760: A security-disabled universal group was changed. 4761: A member was added to a security-disabled universal group. 4762: A member was removed from a security-disabled universal group. 4763: A security-disabled universal group was deleted. The recommended state for this setting is to include: Success. Act: This subcategory reports each event of distribution group management, such as when a ` distribution group is created, changed, or deleted or when a member is added to or removed from a distribution group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of group accounts. ` rationale: Exp: Auditing these events may provide an organization with insight when investigating an incident. For example, when a given unauthorized user was added to a sensitive distribution group. 
Act: Auditing these events may provide an organization with insight when investigating an ` incident. For example, when a given unauthorized user was added to a sensitive distribution group.` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit Distribution Group Management Act: To establish the recommended configuration via GP, set the following UI path to include ` Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit Distribution Group Management`

27108

description: Exp: This subcategory reports other account management events. Events for this subcategory include: - - 4782: The password hash an account was accessed. 4793: The Password Policy Checking API was called. The recommended state for this setting is to include: Success. Act: This subcategory reports other account management events.`` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit Other Account Management Events Act: To establish the recommended configuration via GP, set the following UI path to include ` Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit Other Account Management Events`

27109

description: Exp: This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of security group accounts. Events for this subcategory include: - - - - - - - - - - - - - - - - 4727: A security-enabled global group was created. 4728: A member was added to a security-enabled global group. 4729: A member was removed from a security-enabled global group. 4730: A security-enabled global group was deleted. 4731: A security-enabled local group was created. 4732: A member was added to a security-enabled local group. 4733: A member was removed from a security-enabled local group. 4734: A security-enabled local group was deleted. 4735: A security-enabled local group was changed. 4737: A security-enabled global group was changed. 4754: A security-enabled universal group was created. 4755: A security-enabled universal group was changed. 4756: A member was added to a security-enabled universal group. 4757: A member was removed from a security-enabled universal group. 4758: A security-enabled universal group was deleted. 4764: A group's type was changed. The recommended state for this setting is to include: Success. Act: This subcategory reports each event of security group management, such as when a ` security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of security group accounts.` rationale: Exp: Auditing these events may be useful when investigating a security incident. 
Act: Auditing `events in this category may be useful when investigating an incident.` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit Security Group Management Act: To establish the recommended configuration via GP, set the following UI path to include ` Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit Security Group Management`

27110

description: Exp: This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user accounts. Events for this subcategory include: - - - - - - - - - - - - - - - - 4720: A user account was created. 4722: A user account was enabled. 4723: An attempt was made to change an account's password. 4724: An attempt was made to reset an account's password. 4725: A user account was disabled. 4726: A user account was deleted. 4738: A user account was changed. 4740: A user account was locked out. 4765: SID History was added to an account. 4766: An attempt to add SID History to an account failed. 4767: A user account was unlocked. 4780: The ACL was set on accounts which are members of administrators groups. 4781: The name of an account was changed: 4794: An attempt was made to set the Directory Services Restore Mode. 5376: Credential Manager credentials were backed up. 5377: Credential Manager credentials were restored from a backup. The recommended state for this setting is: Success and Failure. Act: This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user accounts. Events for this subcategory include: - `4720: A user account was created. - 4722: A user account was enabled. - 4723: An attempt was made to change an account's password. - 4724: An attempt was made to reset an account's password. - 4725: A user account was disabled. - 4726: A user account was deleted. - 4738: A user account was changed. 
- 4740: A user account was locked out. - 4765: SID History was added to an account. - 4766: An attempt to add SID History to an account failed. - 4767: A user account was unlocked. - 4780: The ACL was set on accounts which are members of administrators groups. - 4781: The name of an account was changed: - 4794: An attempt was made to set the Directory Services Restore Mode. - 5376: Credential Manager credentials were backed up. - 5377: Credential Manager credentials were restored from a backup. The recommended state for this setting is: Success and Failure.`

27112

description: Exp: This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include: - - 4688: A new process has been created. 4696: A primary token was assigned to process. Refer to Microsoft Knowledge Base article 947226: Description of security events in Windows Vista and in Windows Server 2008 for the most recent information about this setting. The recommended state for this setting is to include: Success. Act: This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include: - `4688: A new process has been created. - 4696: A primary token was assigned to process. Refer to Microsoft Knowledge Base article 947226: Description of security events in Windows Vista and in Windows Server 2008 for the most recent information about this setting. The recommended state for this setting is to include: Success.`

27113

description: Exp: This subcategory reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. These events are similar to the directory service access events in previous versions of Windows Server. This subcategory applies only to Domain Controllers. Events for this subcategory include: - 4662 : An operation was performed on an object. The recommended state for this setting is to include: Failure. Act: This subcategory reports when an AD DS object is accessed. Only objects with SACLs cause ` audit events to be generated, and only when they are accessed in a manner that matches their SACL. These events are similar to the directory service access events in previous versions of Windows Server. This subcategory applies only to Domain Controllers.` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to include Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Access Act: To establish the recommended configuration via GP, set the following UI path to include ` Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Access`

27114

description: Exp: This subcategory reports changes to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are create, modify, move, and undelete operations that are performed on an object. DS Change auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. This subcategory applies only to Domain Controllers. Events for this subcategory include: - - - - 5136 : A directory service object was modified. 5137 : A directory service object was created. 5138 : A directory service object was undeleted. 5139 : A directory service object was moved. The recommended state for this setting is to include: Success. Act: This subcategory reports changes to objects in Active Directory Domain Services (AD DS). ` The types of changes that are reported are create, modify, move, and undelete operations that are performed on an object. DS Change auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. 
This subcategory applies only to Domain Controllers.` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to include Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes Act: To establish the recommended configuration via GP, set the following UI path to include ` Success: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes`

27117

description: Exp: This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - - 4634: An account was logged off. 4647: User initiated logoff. The recommended state for this setting is to include: Success. Act: This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - `4634: An account was logged off. - 4647: User initiated logoff. The recommended state for this setting is to include: Success.`

27118

description: Exp: This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - - - - 4624: An account was successfully logged on. 4625: An account failed to log on. 4648: A logon was attempted using explicit credentials. 4675: SIDs were filtered. The recommended state for this setting is: Success and Failure. Act: This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - `4624: An account was successfully logged on. - 4625: An account failed to log on. - 4648: A logon was attempted using explicit credentials. - 4675: SIDs were filtered. The recommended state for this setting is: Success and Failure.`

27119

description: Exp: This subcategory reports other logon/logoff-related events, such as Remote Desktop Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include: - - - - - - - - - - 4649: A replay attack was detected. 4778: A session was reconnected to a Window Station. 4779: A session was disconnected from a Window Station. 4800: The workstation was locked. 4801: The workstation was unlocked. 4802: The screen saver was invoked. 4803: The screen saver was dismissed. 5378: The requested credentials delegation was disallowed by policy. 5632: A request was made to authenticate to a wireless network. 5633: A request was made to authenticate to a wired network. The recommended state for this setting is: Success and Failure. Act: This subcategory reports other logon/logoff-related events, such as Remote Desktop Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include: - `4649: A replay attack was detected. - 4778: A session was reconnected to a Window Station. - 4779: A session was disconnected from a Window Station. - 4800: The workstation was locked. - 4801: The workstation was unlocked. - 4802: The screen saver was invoked. - 4803: The screen saver was dismissed. - 5378: The requested credentials delegation was disallowed by policy. - 5632: A request was made to authenticate to a wireless network. - 5633: A request was made to authenticate to a wired network. The recommended state for this setting is: Success and Failure.`

27121

description: Exp: This subcategory allows you to audit attempts to access files and folders on a shared folder. Events for this subcategory include: - 5145: network share object was checked to see whether client can be granted desired access. The recommended state for this setting is to include: Failure Act: This subcategory allows you to audit attempts to access files and folders on a shared folder. Events for this subcategory include: - 5145: network share object was checked to see whether client can be granted desired access. The recommended state for this setting is to include: Failure`.` rationale: Exp: Auditing the Failures will log which unauthorized users attempted (and failed) to get access to a file or folder on a network share on this computer, which could possibly be an indication of malicious intent. Act: Auditing the`se events may be useful when investigating a security incident.`

27122

rationale: Exp: In an enterprise managed environment, it's important to track deletion, creation, modification, and access events for network shares. Any unusual file sharing activity may be useful in an investigation of potentially malicious activity. Act: In an enterprise managed environment, `workstations should have limited file sharing activity, as file servers would normally handle the overall burden of file sharing activities. Any unusual file sharing activity on workstations may therefore be useful in an investigation of potentially malicious activity.`

27123

description: Exp: This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: - - - - - Job created. Job deleted. Job enabled. Job disabled. Job updated. For COM+ objects, the following are audited: - - - Catalog object added. Catalog object updated. Catalog object deleted. The recommended state for this setting is: Success and Failure. Act: This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects. For scheduler jobs, the following are audited: - `Job created. - Job deleted. - Job enabled. - Job disabled. - Job updated. For COM+ objects, the following are audited: - Catalog object added. - Catalog object updated. - Catalog object deleted. The recommended state for this setting is: Success and Failure.`

27125

description: Exp: This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: - - - - - - - - - 4715: The audit policy (SACL) on an object was changed. 4719: System audit policy was changed. 4902: The Per-user audit policy table was created. 4904: An attempt was made to register a security event source. 4905: An attempt was made to unregister a security event source. 4906: The CrashOnAuditFail value has changed. 4907: Auditing settings on object were changed. 4908: Special Groups Logon table modified. 4912: Per User Audit Policy was changed. The recommended state for this setting is include: Success. Act: This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: - `4715: The audit policy (SACL) on an object was changed. - 4719: System audit policy was changed. - 4902: The Per-user audit policy table was created. - 4904: An attempt was made to register a security event source. - 4905: An attempt was made to unregister a security event source. - 4906: The CrashOnAuditFail value has changed. - 4907: Auditing settings on object were changed. - 4908: Special Groups Logon table modified. - 4912: Per User Audit Policy was changed. The recommended state for this setting is to include: Success.`

27126

description: Exp: This subcategory reports changes in authentication policy. Events for this subcategory include: - - - - - - - - - - - 4706: A new trust was created to a domain. 4707: A trust to a domain was removed. 4713: Kerberos policy was changed. 4716: Trusted domain information was modified. 4717: System security access was granted to an account. 4718: System security access was removed from an account. 4739: Domain Policy was changed. 4864: A namespace collision was detected. 4865: A trusted forest information entry was added. 4866: A trusted forest information entry was removed. 4867: A trusted forest information entry was modified. The recommended state for this setting is to include: Success. Act: This subcategory reports changes in authentication policy. Events for this subcategory include` - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4713: Kerberos policy was changed. - 4716: Trusted domain information was modified. - 4717: System security access was granted to an account. - 4718: System security access was removed from an account. - 4739: Domain Policy was changed. - 4864: A namespace collision was detected. - 4865: A trusted forest information entry was added. - 4866: A trusted forest information entry was removed. - 4867: A trusted forest information entry was modified. The recommended state for this setting is to include: Success.`

27127

description: Exp: This subcategory reports changes in authorization policy. Events for this subcategory include: - - - - - 4704: A user right was assigned. 4705: A user right was removed. 4706: A new trust was created to a domain. 4707: A trust to a domain was removed. 4714: Encrypted data recovery policy was changed. The recommended state for this setting is to include: Success. Act: This subcategory reports changes in authorization policy. Events for this subcategory include: - `4704: A user right was assigned. - 4705: A user right was removed. - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4714: Encrypted data recovery policy was changed. The recommended state for this setting is to include: Success.`

27128

description: Exp: This subcategory determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). Events for this subcategory include: - - - - - - - - - - - - - - 4944: The following policy was active when the Windows Firewall started. 4945: A rule was listed when the Windows Firewall started. 4946: A change has been made to Windows Firewall exception list. A rule was added. 4947: A change has been made to Windows Firewall exception list. A rule was modified. 4948: A change has been made to Windows Firewall exception list. A rule was deleted. 4949: Windows Firewall settings were restored to the default values. 4950: A Windows Firewall setting has changed. 4951: A rule has been ignored because its major version number was not recognized by Windows Firewall. 4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. 4953: A rule has been ignored by Windows Firewall because it could not parse the rule. 4954: Windows Firewall Group Policy settings have changed. The new settings have been applied. 4956: Windows Firewall has changed the active profile. 4957: Windows Firewall did not apply the following rule. 4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. The recommended state for this setting is : Success and Failure Act: This subcategory determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). Events for this subcategory include: - `4944: The following policy was active when the Windows Firewall started. - 4945: A rule was listed when the Windows Firewall started. - 4946: A change has been made to Windows Firewall exception list. A rule was added. - 4947: A change has been made to Windows Firewall exception list. A rule was modified. - 4948: A change has been made to Windows Firewall exception list. A rule was deleted. - 4949: Windows Firewall settings were restored to the default values. - 4950: A Windows Firewall setting has changed. - 4951: A rule has been ignored because its major version number was not recognized by Windows Firewall. - 4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. - 4953: A rule has been ignored by Windows Firewall because it could not parse the rule. - 4954: Windows Firewall Group Policy settings have changed. The new settings have been applied. - 4956: Windows Firewall has changed the active profile. - 4957: Windows Firewall did not apply the following rule. - 4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. The recommended state for this setting is : Success and Failure` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit MPSSVC RuleLevel Policy Change Act: To establish the recommended configuration via GP, set the following UI path to Success and Failure: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit MPSSVC Rule`-Level Policy Change`

27129

description: Exp: This subcategory contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations. - - - - - - - - - 5063: A cryptographic provider operation was attempted. 5064: A cryptographic context operation was attempted. 5065: A cryptographic context modification was attempted. 5066: A cryptographic function operation was attempted. 5067: A cryptographic function modification was attempted. 5068: A cryptographic function provider operation was attempted. 5069: A cryptographic function property operation was attempted. 5070: A cryptographic function property modification was attempted. 6145: One or more errors occurred while processing security policy in the group policy objects. The recommended state for this setting is to include: Failure. Act: This subcategory contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations. - `5063: A cryptographic provider operation was attempted. - 5064: A cryptographic context operation was attempted. - 5065: A cryptographic context modification was attempted. - 5066: A cryptographic function operation was attempted. - 5067: A cryptographic function modification was attempted. - 5068: A cryptographic function provider operation was attempted. - 5069: A cryptographic function property operation was attempted. - 5070: A cryptographic function property modification was attempted. - 6145: One or more errors occurred while processing security policy in the group policy objects. The recommended state for this setting is to include: Failure.`

27130

description: Exp: This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: - - - - - - - - - - - - - Act as part of the operating system Back up files and directories Create a token object Debug programs Enable computer and user accounts to be trusted for delegation Generate security audits Impersonate a client after authentication Load and unload device drivers Manage auditing and security log Modify firmware environment values Replace a process-level token Restore files and directories Take ownership of files or other objects Auditing this subcategory will create a high volume of events. Events for this subcategory include: - - - 4672: Special privileges assigned to new logon. 4673: A privileged service was called. 4674: An operation was attempted on a privileged object. The recommended state for this setting is: Success and Failure. Act: This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: - `Act as part of the operating system - Back up files and directories - Create a token object - Debug programs - Enable computer and user accounts to be trusted for delegation - Generate security audits - Impersonate a client after authentication - Load and unload device drivers - Manage auditing and security log - Modify firmware environment values - Replace a process-level token - Restore files and directories - Take ownership of files or other objects Auditing this subcategory will create a high volume of events. Events for this subcategory include: - 4672: Special privileges assigned to new logon. - 4673: A privileged service was called. - 4674: An operation was attempted on a privileged object. The recommended state for this setting is: Success and Failure.`

27131

description: Exp: This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include: - - - - - - - - 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. 4961: IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. 4962: IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. 4963: IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. 4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. 5478: IPsec Services has started successfully. 5479: IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. 5480: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. - - - 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started. 5484: IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. 5485: IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. The recommended state for this setting is: Success and Failure. Act: This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include: - `4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. - 4961: IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. - 4962: IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. - 4963: IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. - 4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. - 5478: IPsec Services has started successfully. - 5479: IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. - 5480: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. - 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started.- 5484: IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. - 5485: IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. The recommended state for this setting is: Success and Failure.`

27132

description: Exp: This subcategory reports on other system events. Events for this subcategory include: - - - - - - - - - - - - - 5024 : The Windows Firewall Service has started successfully. 5025 : The Windows Firewall Service has been stopped. 5027 : The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. 5028 : The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. 5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. 5030: The Windows Firewall Service failed to start. 5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. 5033 : The Windows Firewall Driver has started successfully. 5034 : The Windows Firewall Driver has been stopped. 5035 : The Windows Firewall Driver failed to start. 5037 : The Windows Firewall Driver detected critical runtime error. Terminating. 5058: Key file operation. 5059: Key migration operation. The recommended state for this setting is: Success and Failure. Act: This subcategory reports on other system events. Events for this subcategory include: - `5024 : The Windows Firewall Service has started successfully. - 5025 : The Windows Firewall Service has been stopped. - 5027 : The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. - 5028 : The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. - 5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. - 5030: The Windows Firewall Service failed to start. - 5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. - 5033 : The Windows Firewall Driver has started successfully. - 5034 : The Windows Firewall Driver has been stopped. - 5035 : The Windows Firewall Driver failed to start. - 5037 : The Windows Firewall Driver detected critical runtime error. Terminating. - 5058: Key file operation. - 5059: Key migration operation. The recommended state for this setting is: Success and Failure.`

27133

description: Exp: This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include: - - - - 4608: Windows is starting up. 4609: Windows is shutting down. 4616: The system time was changed. 4621: Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. The recommended state for this setting is to include: Success. Act: This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include: - `4608: Windows is starting up. - 4609: Windows is shutting down. - 4616: The system time was changed. - 4621: Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some audit-able activity might not have been recorded. The recommended state for this setting is to include: Success.`

27134

description: Exp: This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include: - - - - - 4610: An authentication package has been loaded by the Local Security Authority. 4611: A trusted logon process has been registered with the Local Security Authority. 4614: A notification package has been loaded by the Security Account Manager. 4622: A security package has been loaded by the Local Security Authority. 4697: A service was installed in the system. The recommended state for this setting is to include: Success. Act: This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include: - `4610: An authentication package has been loaded by the Local Security Authority. - 4611: A trusted logon process has been registered with the Local Security Authority. - 4614: A notification package has been loaded by the Security Account Manager. - 4622: A security package has been loaded by the Local Security Authority. - 4697: A service was installed in the system. The recommended state for this setting is to include: Success.`

27135

description: Exp: This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include: - - - - - - - - - - 4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. 4615 : Invalid use of LPC port. 4618 : A monitored security event pattern has occurred. 4816 : RPC detected an integrity violation while decrypting an incoming message. 5038 : Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. 5056: A cryptographic self test was performed. 5057: A cryptographic primitive operation failed. 5060: Verification operation failed. 5061: Cryptographic operation. 5062: A kernel-mode cryptographic self test was performed. The recommended state for this setting is: Success and Failure. Act: This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include: - `4612 : Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. - 4615 : Invalid use of LPC port. - 4618 : A monitored security event pattern has occurred. - 4816 : RPC detected an integrity violation while decrypting an incoming message. - 5038 : Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. - 5056: A cryptographic self test was performed. - 5057: A cryptographic primitive operation failed. - 5060: Verification operation failed. - 5061: Cryptographic operation. - 5062: A kernel-mode cryptographic self test was performed. The recommended state for this setting is: Success and Failure.`

27137

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Control Panel\Personalization\Prevent enabling lock screen slide show. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Control Panel\Personalization\Prevent enabling lock screen slide show. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & `2012 R2 Administrative Templates (or newer).`

27141

description: Exp: In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations. Act: In May 2015, Microsoft released the Local Administrator Password Solution (LAPS) tool, which is free and supported software that allows an organization to automatically set randomized and unique local Administrator account passwords on domain-attached workstations and Member Servers. The passwords are stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved Sysadmins when needed. The LAPS tool requires a small Active Directory Schema update in order to implement, as well as installation of a Group Policy Client Side Extension (CSE) on targeted computers. Please see the LAPS documentation for details. LAPS supports Windows Vista or newer workstation OSes, and Server 2003 or newer server OSes. LAPS does not support standalone computers - they must be joined to a domain. The recommended state for this setting is: Enabled. Note: Organizations that utilize 3rd-party commercial software to manage unique & complex local Administrator passwords on domain members may opt to disregard these LAPS recommendations. Note #2: LAPS is only designed to manage local Administrator passwords, and is therefore not recommended (or supported) for use directly on Domain Controllers, which do not have a traditional local Administrator account. We strongly encourage you to only deploy the LAPS CSE and LAPS GPO settings to member servers and workstations.``

27142

title: Exp: Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only) Act: Ensure 'Enable Local Admin Password Management' is set to 'Enabled'``

27146

title: Exp: Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (MS only) Act: Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'`` description: Exp: This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1. For more information about local accounts and credential theft, review the "Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques" documents. For more information about LocalAccountTokenFilterPolicy, see Microsoft Knowledge Base article 951016: Description of User Account Control and remote restrictions in Windows Vista. The recommended state for this setting is: Enabled. Act: This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Enabling this policy significantly reduces that risk. Enabled: Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows. Disabled: Allows local accounts to have full administrative rights when authenticating via network logon, by configuring the LocalAccountTokenFilterPolicy registry value to 1. For more information about local accounts and credential theft, review the `'Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques' documents. For more information about LocalAccountTokenFilterPolicy, see Microsoft Knowledge Base article 951016: Description of User Account Control and remote restrictions in Windows Vista. The recommended state for this setting is: Enabled.` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\MS Security Guide\Apply UAC restrictions to local accounts on network logons. Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link. Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\MS Security Guide\Apply UAC restrictions to local accounts on network logons. Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required`.`

27147

title: Exp: Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' Act: Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver`'`
rationale: Exp: Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3. More information on this can be found at the following links: Stop using SMB1 | Storage at Microsoft Disable SMB v1 in Managed Environments with Group Policy – "Stay Safe" Cyber Security Blog Disabling SMBv1 through Group Policy – Microsoft Security Guidance blog Act: Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3.``
remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver (recommended): Computer Configuration\Policies\Administrative Templates\MS Security Guide\Configure SMB v1 client driver. Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link. Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver (recommended): Computer Configuration\Policies\Administrative Templates\MS Security Guide\Configure SMB v1 client driver. Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required`.`

27148

rationale: Exp: Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3. More information on this can be found at the following links: Stop using SMB1 | Storage at Microsoft Disable SMB v1 in Managed Environments with Group Policy – "Stay Safe" Cyber Security Blog Disabling SMBv1 through Group Policy – Microsoft Security Guidance blog Act: Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3.``
remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\MS Security Guide\Configure SMB v1 server. Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link. Act: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\MS Security Guide\Configure SMB v1 server. Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required`.`

27149

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\MS Security Guide\Enable Structured Exception Handling Overwrite Protection (SEHOP). Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link. More information is available at MSKB 956607: How to enable Structured Exception Handling Overwrite Protection (SEHOP) in Windows operating systems Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\MS Security Guide\Enable Structured Exception Handling Overwrite Protection (SEHOP). Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required`.`

27150

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\Policies\Administrative Templates\MS Security Guide\Limits print driver installation to Administrators. Note: This Group Policy path does not exist by default. An additional Group Policy template SecGuide.admx/adml is required - it is available from Microsoft at this link. Act: To establish the recommended configuration via GP, set the following UI path to Enabled. Computer Configuration\Policies\Administrative Templates\MS Security Guide\Limits print driver installation to Administrators. Note: This Group Policy path does not exist by default. An additional Group Policy template SecGuide.admx/adml is required`.`

27151

title: Exp: Ensure 'NetBT NodeType configuration' is set to 'Enabled: Pnode (recommended)' Act: Ensure 'NetBT NodeType configuration' is set to 'Enabled: P`-node (recommended)'`
description: Exp: This setting determines which method NetBIOS over TCP/IP (NetBT) uses to register and resolve names. The available methods are: - - - - The B-node (broadcast) method only uses broadcasts. The P-node (point-to-point) method only uses name queries to a name server (WINS). The M-node (mixed) method broadcasts first, then queries a name server (WINS) if broadcast failed. The H-node (hybrid) method queries a name server (WINS) first, then broadcasts if the query failed. The recommended state for this setting is: Enabled: P-node (recommended) (point-topoint). Note: Resolution through LMHOSTS or DNS follows these methods. If the NodeType registry value is present, it overrides any DhcpNodeType registry value. If neither NodeType nor DhcpNodeType is present, the computer uses B-node (broadcast) if there are no WINS servers configured for the network, or H-node (hybrid) if there is at least one WINS server configured. Act: This setting determines which method NetBIOS over TCP/IP (NetBT) uses to register and resolve names. The available methods are: `The B-node (broadcast) method only uses broadcasts. The P-node (point-to-point) method only uses name queries to a name server (WINS). The M-node (mixed) method broadcasts first, then queries a name server (WINS) if broadcast failed. The H-node (hybrid) method queries a name server (WINS) first, then broadcasts if the query failed. The recommended state for this setting is: Enabled: P-node (recommended) (point-to- point). Note: Resolution through LMHOSTS or DNS follows these methods. If the NodeType registry value is present, it overrides any DhcpNodeType registry value. If neither NodeType nor DhcpNodeType is present, the computer uses B-node (broadcast) if there are no WINS servers configured for the network, or H-node (hybrid) if there is at least one WINS server configured.`
remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: P-node (recommended): Computer Configuration\Policies\Administrative Templates\MS Security Guide\NetBT NodeType configuration. Note: This change does not take effect until the computer has been restarted. Note #2: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link. Please note that this setting is only available in the Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903 (or newer) release of SecGuide.admx/adml, so if you previously downloaded this template, you may need to update it from a newer Microsoft baseline to get this new NetBT NodeType configuration setting. Act: To establish the recommended configuration via GP, set the following UI path to Enabled: P-node (recommended): Computer Configuration\Policies\Administrative Templates\MS Security Guide\NetBT NodeType configuration. Note: This change does not take effect until the computer has been restarted. Note #2: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required`.`

27152

description: Exp: When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. For more information about local accounts and credential theft, review the "Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques" documents. For more information about UseLogonCredential, see Microsoft Knowledge Base article 2871997: Microsoft Security Advisory Update to improve credentials protection and management May 13, 2014. The recommended state for this setting is: Disabled. Act: When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. For more information about local accounts and credential theft, review the `'Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques' documents. For more information about UseLogonCredential, see Microsoft Knowledge Base article 2871997: Microsoft Security Advisory Update to improve credentials protection and management May 13, 2014. The recommended state for this setting is: Disabled.`
remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\MS Security Guide\WDigest Authentication (disabling may require KB2871997). Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link. Act: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\MS Security Guide\WDigest Authentication (disabling may require KB2871997). Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required`.`

27153

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog Act: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required`.`

27154

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required`.`

27155

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection, source routing is completely disabled: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required`.`

27156

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog Act: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes.``

27157

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog Act: To establish the recommended configuration via GP, set the following UI path to Enabled: 300,000 or 5 minutes (recommended): Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required`.`

27158

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required`.`

27159

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog Act: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required`.`

27160

description: Exp: The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: - - Search folders specified in the system path first, and then search the current working folder. Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled. Note: More information on how Safe DLL search mode works is available at this link: Dynamic-Link Library Search Order - Windows applications | Microsoft Docs Act: The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: - `Search folders specified in the system path first, and then search the current working folder. - Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled.`
remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required`.`

27161

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog Act: To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended). Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required`.`

27162

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog Act: To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS:(TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required`.`

27163

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog Act: To establish the recommended configuration via GP, set the following UI path to Enabled: 3: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS:(TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required`.`

27164

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is available from this TechNet blog post: The MSS settings – Microsoft Security Guidance blog Act: To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning. Note: This Group Policy path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required`.`

27171

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Turn off Microsoft Peer-to-Peer Networking Services. Note: This Group Policy path is provided by the Group Policy template P2Ppnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Turn off Microsoft Peer-to-Peer Networking Services. Note: This Group Policy path is provided by the Group Policy template P2P`- pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.`

27173

description: Exp: Although this "legacy" setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016. The recommended state for this setting is: Enabled. Act: Although this `'legacy' setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016. The recommended state for this setting is: Enabled.`

27175

description: Exp: This policy setting configures secure access to UNC paths. The recommended state for this setting is: Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares. Note: If the environment exclusively contains Windows 8.0 / Server 2012 (non-R2) or newer systems, then the "Privacy" setting may (optionally) also be set to enable SMB encryption. However, using SMB encryption will render the targeted share paths completely inaccessible by older OSes, so only use this additional option with caution and thorough testing. Act: This policy setting configures secure access to UNC paths. The recommended state for this setting is: Enabled, with `Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares. Note: If the environment exclusively contains Windows 8.0 / Server 2012 (non-R2) or newer systems, then the "Privacy" setting may (optionally) also be set to enable SMB encryption. However, using SMB encryption will render the targeted share paths completely inaccessible by older OSes, so only use this additional option with caution and thorough testing.`
remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled with the following paths configured, at a minimum: \\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Computer Configuration\Policies\Administrative Templates\Network\Network Provider\Hardened UNC Paths. Note: This Group Policy path does not exist by default. An additional Group Policy template (NetworkProvider.admx/adml) is required - it is included with the MS15-011 / MSKB 3000483 security update or with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer). Act: To establish the recommended configuration via GP, set the following UI path to Enabled with the following paths configured, at a minimum: \\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Computer Configuration\Policies\Administrative Templates\Network\Network Provider\Hardened UNC Paths. Note: This Group Policy path does not exist by default. An additional Group Policy template (NetworkProvider.admx/adml) is required`.`

27176

remediation: Exp: To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters:Disabl edComponents. Note: This change does not take effect until the computer has been restarted Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not "undo" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state. Act: To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters:Disabl`edComponents. Note: This change does not take effect until the computer has been restarted. Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not "undo" the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state.`

27181

description: Exp: This policy setting controls whether the Print Spooler service will accept client connections. The recommended state for this setting is: Disabled. Note: The Print Spooler service must be restarted for changes to this policy to take effect. Warning: An exception to this recommendation must be made for print servers in order for them to function properly. Users will not be able to print to the server when client connections are disabled. Act: This policy setting controls whether the Print Spooler service will accept client connections. The recommended state for this setting is: Disabled. Note: The Print Spooler service must be restarted for changes to this policy to take effect.``
remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Printers:Allow Print Spooler to accept client connections. Note: This Group Policy path is provided by the Group Policy template Printing2.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Act: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Printers`\Allow Print Spooler to accept client connections. Note: This Group Policy path is provided by the Group Policy template printing2.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.`

27186

rationale: Exp: This setting is important to mitigate the CredSSP encryption oracle vulnerability, for which information was published by Microsoft on 03/13/2018 in CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability. All versions of Windows Server from Server 2008 (non-R2) onwards are affected by this vulnerability, and will be compatible with this recommendation provided that they have been patched up through May 2018 (or later). Act: This setting is important to mitigate the CredSSP encryption oracle vulnerability, for which information was published by Microsoft on 03/13/2018 in CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability. All versions of Windows `from Windows Vista onwards are affected by this vulnerability, and will be compatible with this recommendation provided that they have been patched at least through May 2018 (or later).`

27188

description: Exp: This policy setting specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. The recommended state for this setting is: Enabled Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. Act: This policy setting specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. The recommended state for this setting is: Enabled`. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.`

27189

description: Exp: This policy setting specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. The recommended state for this setting is: Secure Boot and DMA Protection Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. Act: This policy setting specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. The recommended state for this setting is: Secure Boot and DMA Protection`. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.`

27190

description: Exp: This setting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced and the Code Integrity validation path is protected by the Virtualization Based Security feature. The recommended state for this setting is: Enabled with UEFI lock Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. Act: This setting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced and the Code Integrity validation path is protected by the Virtualization Based Security feature. The recommended state for this setting is: Enabled with UEFI lock`. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.`

27191

description: Exp: This option will only enable Virtualization Based Protection of Code Integrity on devices with UEFI firmware support for the Memory Attributes Table. Devices without the UEFI Memory Attributes Table may have firmware that is incompatible with Virtualization Based Protection of Code Integrity which in some cases can lead to crashes or data loss or incompatibility with certain plug-in cards. If not setting this option the targeted devices should be tested to ensure compatibility. The recommended state for this setting is: True (checked) Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. Act: This option will only enable Virtualization Based Protection of Code Integrity on devices with UEFI firmware support for the Memory Attributes Table. Devices without the UEFI Memory Attributes Table may have firmware that is incompatible with Virtualization Based Protection of Code Integrity which in some cases can lead to crashes or data loss or incompatibility with certain plug-in cards. If not setting this option the targeted devices should be tested to ensure compatibility. The recommended state for this setting is: True (checked)`. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.`

27192

title: Exp: Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (MS Only) Act: Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'`` description: Exp: This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials. The "Enabled with UEFI lock" option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI. The recommended state for this setting is: Enabled with UEFI lock, but only on Member Servers (not Domain Controllers). Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. Act: This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials. The "Enabled with UEFI lock" option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI. The recommended state for this setting is: Enabled with UEFI lock`. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled with UEFI lock (on Member Servers only): Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Credential Guard Configuration. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Act: To establish the recommended configuration via GP, set the following UI path to Enabled with UEFI lock`: Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Credential Guard Configuration. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).`

27193

description: Exp: This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials. The recommended state for this setting is: Disabled on Domain Controllers. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. Act: This setting lets users turn on Credential Guard with virtualization-based security to help ` protect credentials. The recommended state for this setting is: Disabled on Domain Controllers.` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Credential Guard Configuration. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer). Act: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\System\Device ` Guard\Turn On Virtualization Based Security: Credential Guard Configuration`

27194

description: Exp: Secure Launch protects the Virtualization Based Security environment from exploited vulnerabilities in device firmware. The recommended state for this setting is: Enabled. Note: Virtualization Based Security requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM. More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. Act: Secure Launch protects the Virtualization Based Security environment from exploited vulnerabilities in device firmware. The recommended state for this setting is: Enabled` .` rationale: Exp: Secure Launch changes the way windows boots to use Intel Trusted Execution Technology (TXT) and Runtime BIOS Resilience features to prevent firmware exploits from being able to impact the security of the Windows Virtualization Based Security environment. Act: `Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft.` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Secure Launch Configuration. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer). Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Secure Launch Configuration``

27196

description: Exp: This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - - - - Good: The driver has been signed and has not been tampered with. Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware bootstart driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical. Act: This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - `Good: The driver has been signed and has not been tampered with. - Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. - Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. - Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If your malware detection application does not include an Early Launch Antimalware bootstart driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. The recommended state for this setting is: Enabled: Good, unknown and bad but critical.`

27210

title: Exp: Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' Act: Ensure`'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled'` description: Exp: This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The recommended state for this setting is: Enabled. Act: This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders. The `Web Publishing wizard is used to download a list of providers and allow users to publish content to the Web. The recommended state for this setting is: Enabled.`

27211

description: Exp: This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled. Act: This policy setting specifies whether `the Windows Customer Experience Improvement Program can collect anonymous information about how Windows is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to improve features that are most used and to detect flaws so that they can be corrected more quickly. Enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled.`

27212

description: Exp: This policy setting specifies whether the Windows Customer Experience Improvement Program can collect anonymous information about how Windows is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to improve features that are most used and to detect flaws so that they can be corrected more quickly. Enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled. Act: This policy setting specifies whether `Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used. Microsoft uses information collected through the Windows Customer Experience Improvement Program to detect software flaws so that they can be corrected more quickly, enabling this setting will reduce the amount of data Microsoft is able to gather for this purpose. The recommended state for this setting is: Enabled.`

27217

title: Exp: Ensure 'Block user from showing account details on signin' is set to 'Enabled' Act: Ensure 'Block user from showing account details on sign`-in' is set to 'Enabled'` rationale: Exp: An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on. Act: An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the `workstation through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on.`

27219

title: Exp: Ensure 'Do not enumerate connected users on domainjoined computers' is set to 'Enabled' Act: Ensure 'Do not enumerate connected users on domain`-joined computers' is set to 'Enabled'`

27224

rationale: Exp: Due to privacy concerns, clipboard data should stay local to the system and not synced across devices. Act: `In high security environments, clipboard data should stay local to the system and not synced across devices, as it may contain very sensitive information that must be contained locally.` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\System\OS Policies\Allow Clipboard synchronization across devices Act: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\System\OS Policies\Allow Clipboard synchronization across devices`. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template OSPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer).`

27226

title: Exp: Ensure 'Allow network connectivity during connectedstandby (on battery)' is set to 'Disabled' Act: Ensure 'Allow network connectivity during connected`-standby (on battery)' is set to 'Disabled'`

27227

title: Exp: Ensure 'Allow network connectivity during connectedstandby (plugged in)' is set to 'Disabled' Act: Ensure 'Allow network connectivity during connected`-standby (plugged in)' is set to 'Disabled'`

27232

description: Exp: This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers. Note: This policy will not be in effect until the system is rebooted. The recommended state for this setting is: Enabled. Act: This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. This policy setting can cause a specific issue with 1-way forest trusts if it is applied to the trusting domain DCs (see Microsoft KB3073942), so we do not recommend applying it to Domain Controllers. Note: This policy will not `in effect until the system is rebooted. The recommended state for this setting is: Enabled.`

27233

description: Exp: This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a Domain Controller. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. -- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. -- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. -- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. This value has the potential to cause serious problems and is not recommended. Note: This policy setting will not be applied until the system is rebooted. The recommended state for this setting is: Enabled: Authenticated. Act: This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a Domain Controller. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. -- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. -- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. -- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. This value has the potential to cause serious problems and is not recommended.`' Note: This policy setting will not be applied until the system is rebooted. The recommended state for this setting is: Enabled: Authenticated.`

27234

description: Exp: This policy setting allows you to configure how Domain Controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith´s attack" (ROCA) vulnerability. If this policy setting is enabled the following options are supported: Ignore: during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability. Audit: during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed). Block: during authentication the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail). The recommended state for this setting is: Enabled: Audit. Configuring this setting to Enabled: Block: also conforms to the benchmark. Note: This setting only takes effect on Domain Controllers. Note #2: A reboot is not required for changes to this setting to take effect. Act: This policy setting allows you to configure how Domain Controllers handle Windows Hello ` for Business (WHfB) keys that are vulnerable to the 'Return of Coppersmith´s attack' (ROCA) vulnerability. If this policy setting is enabled the following options are supported: Ignore: during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability. Audit: during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerability (authentications will still succeed). Block: during authentication the domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail). The recommended state for this setting is: Enabled: Audit. Configuring this setting to Enabled: Block: also conforms to the benchmark.` rationale: Exp: The "Return of Coppersmith´s attack" or ROCA vulnerability is a cryptographic weakness in a widely used cryptographic library. An attacker can reveal secret keys (offline with no physical access to the affected device) on certified devices using this library. For more information on this vulnerability, visit ADV170012 - Security Update Guide Microsoft - Vulnerability in TPM could allow Security Feature Bypass. Act: The `'Return of Coppersmith´s attack' or ROCA vulnerability is a cryptographic weakness in a widely used cryptographic library. An attacker can reveal secret keys (offline with no physical access to the affected device) on certified devices using this library.` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Audit (configuring to Enabled: Block also conforms to the benchmark): Computer Configuration\Policies\Administrative Templates\System\Security Account Manager\Configure validation of ROCA-vulnerable WHfB keys during authentication. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Sam.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer). Act: To establish the recommended configuration via GP, set the following UI path to Enabled: ` Audit (configuring to Enabled: Block also conforms to the benchmark): Computer Configuration\Policies\Administrative Templates\System\Security Account Manager\Configure validation of ROCA-vulnerable WHfB keys during authentication`

27238

rationale: Exp: A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events Act: A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events`.`

27239

description: Exp: This policy setting allows you to specify whether the Windows NTP Server is enabled. The recommended state for this setting is: Disabled. Note: In most enterprise managed environments, you should not disable the Windows NTP Server on Domain Controllers, as it is very important for the operation of NT5DS (domain hierarchy-based) time synchronization. Act: This policy setting allows you to specify whether the Windows NTP Server is enabled. The recommended state for this setting is: Disabled.``

27252

description: Exp: This policy setting determines the amount of diagnostic and usage data reported to Microsoft: - - - A value of (0) Diagnostic data off (not recommended). Using this value, no diagnostic data is sent from the device. This value is only supported on Enterprise, Education, and Server editions. If you choose this setting, devices in your organization will still be secure. A value of (1) Send required diagnostic data. This is the minimum diagnostic data necessary to keep Windows secure, up to date, and performing as expected. Using this value disables the Optional diagnostic data control in the Settings app. A value of (3)Send optional diagnostic data. Additional diagnostic data is collected that helps us to detect, diagnose and fix issues, as well as make product improvements. Required diagnostic data will always be included when you choose to send optional diagnostic data. Optional diagnostic data can also include diagnostic log files and crash dumps. Use the Limit Dump Collection and the Limit Diagnostic Log Collection policies for more granular control of what optional diagnostic data is sent. Windows telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10/11. The recommended state for this setting is: Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data. Note: If your organization relies on Windows Update, the minimum recommended setting is Required diagnostic data. Because no Windows Update information is collected when diagnostic data is off, important information about update failures is not sent. Microsoft uses this information to fix the causes of those failures and improve the quality of updates. Note #2: The Configure diagnostic data opt-in settings user interface group policy can be used to prevent end users from changing their data collection settings. 
Note #3: Enhanced diagnostic data setting is not available on Windows 11 and Windows Server 2022 and has been replaced with policies that can control the amount of optional diagnostic data that is sent. For more information on these settings visit Manage diagnostic data using Group Policy and MDM Act: This policy setting determines the amount of diagnostic and usage data reported to Microsoft: - `A value of (0) Diagnostic data off (not recommended). Using this value, no diagnostic data is sent from the device. This value is only supported on Enterprise, Education, and Server editions. If you choose this setting, devices in your organization will still be secure. - A value of (1) Send required diagnostic data. This is the minimum diagnostic data necessary to keep Windows secure, up to date, and performing as expected. Using this value disables the Optional diagnostic data control in the Settings app. - A value of (3)Send optional diagnostic data. Additional diagnostic data is collected that helps us to detect, diagnose and fix issues, as well as make product improvements. Required diagnostic data will always be included when you choose to send optional diagnostic data. Optional diagnostic data can also include diagnostic log files and crash dumps. Use the Limit Dump Collection and the Limit Diagnostic Log Collection policies for more granular control of what optional diagnostic data is sent. Windows telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10/11. The recommended state for this setting is: Enabled: Diagnostic data off (not recommended) or Enabled: Send required diagnostic data. Note: If your organization relies on Windows Update, the minimum recommended setting is Required diagnostic data. Because no Windows Update information is collected when diagnostic data is off, important information about update failures is not sent. 
Microsoft uses this information to fix the causes of those failures and improve the quality of updates. Note #2: The Configure diagnostic data opt-in settings user interface group policy can be used to prevent end users from changing their data collection settings. Note #3: Enhanced diagnostic data setting is not available on Windows 11 and Windows Server 2022 and has been replaced with policies that can control the amount of optional diagnostic data that is sent. For more information on these settings visit Manage diagnostic data using Group Policy and MDM`

27254

rationale: Exp: Sending data to a 3rd party vendor is a security concern and should only be done on an asneeded basis. Act: Sending data to a 3rd party vendor is a security concern and should only be done on an as`-needed basis.`

27257

rationale: Exp: Sending data to a 3rd-party vendor is a security concern and should only be done on an asneeded basis. Act: Sending data to a 3rd-party vendor is a security concern and should only be done on an as`-needed basis.`

27259

description: Exp: This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. The recommended state for this setting is: Disabled. Note: This policy setting applies only to devices running Windows Server 2016, up until Release 1703. For Release 1709 or newer, Microsoft encourages using the Manage preview builds setting (recommendation title 'Manage preview builds'). We have kept this setting in the benchmark to ensure that any older builds of Windows Server 2016 in the environment are still enforced. Act: This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. The recommended state for this setting is: Disabled. Note: This policy setting applies only to devices running Windows `10 Pro or Windows 10 Enterprise, up until Release 1703. For Release 1709 or newer, Microsoft encourages using the Manage preview builds setting (recommendation title ‘Manage preview builds’). We have kept this setting in the benchmark to ensure that any older builds of Windows 10 in the environment are still enforced.`

27268

description: Exp: Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled. Note: Some legacy plug-in applications and other software may not function with Data Execution Prevention and will require an exception to be defined for that specific plugin/software. Act: Disabling Data Execution Prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled. Note: Some legacy plug-in applications and other software may not function with Data Execution Prevention and will require an exception to be defined for that specific plug`- in/software.`

27271

rationale: Exp: This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments. Act: This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it`'s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments.`

27274

description: Exp: This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to "Microsft Defender Antivirus Cloud Protection Service". This setting can only be set by Group Policy. The recommended state for this setting is: Disabled. Act: This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), which Microsoft `renamed to Windows Defender Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud Protection Service. This setting can only be set by Group Policy. The recommended state for this setting is: Disabled.`

27275

description: Exp: This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to Windows Defender Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud Protection Service. Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are: - - - (0x0) Disabled (default) (0x1) Basic membership (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled. Act: This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft `renamed to Windows Defender Antivirus Cloud Protection Service and then Microsoft Defender Antivirus Cloud Protection Service. Microsoft MAPS / Microsoft Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. 
Possible options are: - (0x0) Disabled (default) - (0x1) Basic membership - (0x2) Advanced membership Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that you apply or that are applied automatically and whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software file names how the software operates and how it has impacted your computer. The recommended state for this setting is: Disabled.`

27276

rationale: Exp: Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines. Act: Attack surface reduction helps prevent actions and apps that are typically used by exploit`-seeking malware to infect machines.`

27277

rationale: Exp: Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines. Act: Attack surface reduction helps prevent actions and apps that are typically used by exploit`-seeking malware to infect machines.`

27278

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Block: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection\Prevent users and apps from accessing dangerous websites. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer). Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Block: Computer Configuration\Policies\Administrative Templates\Windows Components\`Windows Defender Antivirus\Windows Defender Exploit Guard\Network Protection\Prevent users and apps from accessing dangerous websites. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).`

27279

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\Enable file hash computation feature. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release 2004 Administrative Templates (or newer). Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\Enable file hash computation feature. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release `1709 Administrative Templates (or newer).`

27281

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-Time Protection\Turn off realtime protection. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer). Act: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-Time Protection\Turn off real`-time protection. Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).`

27288

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Turn off Microsoft Defender AntiVirus. Note: This Group Policy path is provided by the Group Policy template WindowsDefender.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn off Windows Defender, but it was renamed starting with the Windows 10 Release 1703 Administrative Templates. It was again renamed to Windows Defender Antivirus starting with the Windows 10 Release 2004 Administrative Templates. Act: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Turn off Microsoft Defender AntiVirus. Note: This Group Policy path is provided by the Group Policy template WindowsDefender.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn off Windows Defender, but it was renamed `to Windows Defender Antivirus starting with the Windows 10 Release 1703 Administrative Templates. It was again renamed to Turn off Microsoft Defender Antivirus starting with the Windows 10 Release 2004 Administrative Templates.`

27289

rationale: Exp: Enabling this setting prevents users from accidentally (or intentionally) uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client. Note: This security concern applies to any cloud-based file storage application installed on a server, not just the one supplied with Windows Server. Act: Enabling this setting prevents users from accidentally (or intentionally) uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client. Note: This security concern applies to any cloud-based file storage application installed on a `workstation, not just the one supplied with Windows.`

27292

description: Exp: This policy setting allows you to restrict users to a single Remote Desktop Services session. The recommended state for this setting is: Enabled. Act: This policy setting allows you to restrict users to a single Remote Desktop Services session. The recommended state for this setting is: Enabled.` ` remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Restrict Remote Desktop Services users to a single Remote Desktop Services session. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Restrict Terminal Services users to a single remote session, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates. Act: To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Restrict Remote Desktop Services users to a single Remote Desktop Services session` Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Note #2: In older Microsoft Windows Administrative Templates, this setting was named Restrict Terminal Services users to a single remote session, but it was renamed starting with the Windows 7 & Server 2008 R2 Administrative Templates. `

27293

description: Exp: This policy setting determines whether User Interface (UI) Automation client applications running on the local computer can access UI elements on the server. UI Automation gives programs access to most UI elements, which allows use of assistive technology products like Magnifier and Narrator that need to interact with the UI in order to work properly. UI information also allows automated test scripts to interact with the UI. For example, the local computer´s Narrator and Magnifier clients can be used to interact with UI on a web page opened in a remote session. The recommended state for this setting is: Disabled. Note: Remote Desktop sessions don´t currently support UI Automation redirection. Act: This policy setting determines whether User Interface (UI) Automation client applications running on the local computer can access UI elements on the server. UI Automation gives programs access to most UI elements, which allows use of assistive technology products like Magnifier and Narrator that need to interact with the UI in order to work properly. UI information also allows automated test scripts to interact with the UI. For example, the local computer`s Narrator and Magnifier clients can be used to interact with UI on a web page opened in a remote session. The recommended state for this setting is: Disabled. Note: Remote Desktop sessions dont currently support UI Automation redirection.`

27307

remediation: Exp: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary Folders\Do not use temporary folders per session. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. Act: To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary Folders\Do not use temporary folders per session` Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates. `

27312

description: Exp: This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass. Act: This policy setting allows you to manage the behavior of Windows `Defender SmartScreen. Windows Defender SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. The recommended state for this setting is: Enabled: Warn and prevent bypass.` rationale: Exp: Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it. Act: Windows `Defender SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it.`

27321

description: Exp: This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled. Act: This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. The recommended state for this setting is: Disabled.` Note: Clients that use Microsoft's Exchange Online service (Office 365) will require an exception to this recommendation, to instead have this setting set to Enabled. Exchange Online uses Basic authentication over HTTPS, and so the Exchange Online authentication traffic will still be safely encrypted.`

27331

description: Exp: This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: - - - - 2 - Notify for download and auto install (Notify before downloading any updates) 3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) 4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) 5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting "Configure automatic updating:" has 4 possible values – all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this recommendation, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process. Act: This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. 
If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the network connection to search Windows Update or your designated intranet site for updates that apply to them. After you configure this policy setting to Enabled, select one of the following three options in the Configure Automatic Updates Properties dialog box to specify how the service will work: `2 - Notify for download and auto install (Notify before downloading any updates) 3 - Auto download and notify for install (Download the updates automatically and notify when they are ready to be installed.) (Default setting) 4 - Auto download and schedule the install (Automatically download updates and install them on the schedule specified below.)) 5 - Allow local admin to choose setting (Leave decision on above choices up to the local Administrators (Not Recommended)) The recommended state for this setting is: Enabled. Note: The sub-setting "Configure automatic updating:" has 4 possible values - all of them are valid depending on specific organizational needs, however if feasible we suggest using a value of 4 - Auto download and schedule the install. This suggestion is not a scored requirement. Note #2: Organizations that utilize a 3rd-party solution for patching may choose to exempt themselves from this recommendation, and instead configure it to Disabled so that the native Windows Update mechanism does not interfere with the 3rd-party patching process.`

27334

description: Exp: This policy setting determines when Preview Build or Feature Updates are received. Defer Updates This enables devices to defer taking the next Feature Update available to your channel for up to 14 days for all the pre-release channels and up to 365 days for the Semi-Annual Channel. Or, if the device is updating from the Semi-Annual Channel, a version for the device to move to and/or stay on until the policy is updated or the device reaches end of service can be specified. Note: If you set both policies, the version specified will take precedence and the deferrals will not be in effect. Please see the Windows Release Information page for OS version information. Pause Updates To prevent Feature Updates from being received on their scheduled time, you can temporarily pause Feature Updates. The pause will remain in effect for 35 days from the specified start date or until the field is cleared (Quality Updates will still be offered). Note: If the "Allow Diagnostic Data" (formerly "Allow Telemetry") policy is set to 0, this policy will have no effect. Note #2: Starting with Windows 10 R1607, Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan, with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured or configure the setting Do not allow update deferral policies to cause scans against Windows Update (added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering. More information on Dual Scan is available at these links: - - Demystifying “Dual Scan” – WSUS Product Team Blog Improving Dual Scan on 1607 – WSUS Product Team Blog Note #3: Prior to Windows 10 R1703, values above 180 days are not recognized by the OS. 
Starting with Windows 10 R1703, the maximum number of days you can defer is 365 days. Act: This policy setting determines when Preview Build or Feature Updates are received. Defer Updates This enables devices to defer taking the next Feature Update available to your channel for up to 14 days for all the pre-release channels and up to 365 days for the Semi-Annual Channel. Or, if the device is updating from the Semi-Annual Channel, a version for the device to move to and/or stay on until the policy is updated or the device reaches end of service can be specified. Note: If you set both policies, the version specified will take precedence and the deferrals will not be in effect. Please see the Windows Release Information page for OS version information. Pause Updates To prevent Feature Updates from being received on their scheduled time, you can temporarily pause Feature Updates. The pause will remain in effect for 35 days from the specified start date or until the field is cleared (Quality Updates will still be offered). Note: If the "Allow Diagnostic Data" (formerly "Allow Telemetry") policy is set to 0, this policy will have no effect. Note #2: Starting with Windows 10 R1607, Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan, with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured or configure the setting Do not allow update deferral policies to cause scans against Windows Update (added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering. 
More information on Dual Scan is available at these links:
- Demystifying "Dual Scan" - WSUS Product Team Blog
- Improving Dual Scan on 1607 - WSUS Product Team Blog

Note #3: Prior to Windows 10 R1703, values above 180 days are not recognized by the OS. Starting with Windows 10 R1703, the maximum number of days you can defer is 365 days.

27335

description:

Exp: This settings controls when Quality Updates are received. The recommended state for this setting is: Enabled: 0 days. Note: If the "Allow Diagnostic Data" (formerly "Allow Telemetry") policy is set to 0, this policy will have no effect. Note #2: Starting with Windows Server 2016 RTM (Release 1607), Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan, with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured or configure the setting Do not allow update deferral policies to cause scans against Windows Update (added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering. More information on Dual Scan is available at these links:
- Demystifying “Dual Scan” – WSUS Product Team Blog
- Improving Dual Scan on 1607 – WSUS Product Team Blog

Act: This settings controls when Quality Updates are received. The recommended state for this setting is: Enabled: 0 days. Note: If the "Allow Diagnostic Data" (formerly "Allow Telemetry") policy is set to 0, this policy will have no effect. Note #2: Starting with Windows 10 R1607, Microsoft introduced a new Windows Update (WU) client behavior called Dual Scan, with an eye to cloud-based update management. In some cases, this Dual Scan feature can interfere with Windows Updates from Windows Server Update Services (WSUS) and/or manual WU updates. If you are using WSUS in your environment, you may need to set the above setting to Not Configured or configure the setting Do not allow update deferral policies to cause scans against Windows Update (added in the Windows 10 Release 1709 Administrative Templates) in order to prevent the Dual Scan feature from interfering. More information on Dual Scan is available at these links:
- Demystifying “Dual Scan” - WSUS Product Team Blog
- Improving Dual Scan on 1607 - WSUS Product Team Blog

remediation:

Exp: To establish the recommended configuration via GP, set the following UI path to Enabled:0 days: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\Select when Quality Updates are received. Note: This Group Policy path does not exist by default. An updated Group Policy template (WindowsUpdate.admx/adml) is required - it is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).

Act: To establish the recommended configuration via GP, set the following UI path to Enabled:0 days: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\Select when Quality Updates are received Note: This Group Policy path does not exist by default. An updated Group Policy template (WindowsUpdate.admx/adml) is required - it is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
fabamatic commented 2 years ago

Some of the found issues are minor typos, won't be fixing those

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.1.1 | 27009 | :green_circle: | (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled' (MS only) |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.1.2 | 27010 | :green_circle: | (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.1.3 | 27011 | :green_circle: | (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.1.4 | 27012 | :green_circle: | (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.1.5 | 27013 | :green_circle: | (L1) Configure 'Accounts: Rename administrator account' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.1.6 | 27014 | :green_circle: | (L1) Configure 'Accounts: Rename guest account' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.2.1 | 27015 | :green_circle: | (L1) Ensure 'Audit: Force audit policy subcategory settings |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

When the policy is not Enabled it should fail, but when it is Not Defined it passes: (screenshot)

Edit: The default registry value is as specified in the CIS.

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.2.2 | 27016 | :green_circle: | (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.4.2 | 27018 | :green_circle: | (L1) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.5.2 | 27020 | :green_circle: | (L1) Ensure 'Domain controller: Allow vulnerable Netlogon secure channel connections' is set to 'Not Configured' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.5.4 | 27022 | :green_circle: | (L1) Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.6.1 | 27024 | :green_circle: | (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.6.3 | 27026 | :green_circle: | (L1) Ensure 'Domain member: Digitally sign secure channel data |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.6.5 | 27028 | :yellow_circle: | (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :yellow_circle: | |
| dashboard | :green_circle: | |

The GP path is set as defined in the CIS, but the command to check shows other settings; maybe it's because I have not configured Active Directory. In this case, should it be Not Applicable? (screenshot)

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.7.1 | 27030 | :green_circle: | (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.7.3 | 27032 | :green_circle: | (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.7.5 | 27034 | :green_circle: | (L1) Configure 'Interactive logon: Message title for users attempting to log on' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.7.7 | 27036 | :red_circle: | (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :red_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

The CIS ID is wrong: it is set as 2.3.7.8.

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.7.9 | 27038 | :green_circle: | (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.8.2 | 27040 | :green_circle: | (L1) Ensure 'Microsoft network client: Digitally sign communications |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.9.1 | 27042 | :green_circle: | (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.9.3 | 27044 | :green_circle: | (L1) Ensure 'Microsoft network server: Digitally sign communications |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.9.5 | 27046 | :green_circle: | (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.10.2 | 27048 | :green_circle: | (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.10.4 | 27050 | :green_circle: | (L2) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.10.6 | 27052 | :green_circle: | (L1) Configure 'Network access: Named Pipes that can be accessed anonymously' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.10.8 | 27054 | :green_circle: | (L1) Configure 'Network access: Remotely accessible registry paths' is configured |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.10.10 | 27056 | :green_circle: | (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.10.12 | 27058 | :red_circle: | (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :red_circle: | |
| dashboard | :green_circle: | |

It passes after setting some value in the GP/Registry: (screenshot)

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.11.1 | 27060 | :green_circle: | (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.11.3 | 27062 | :green_circle: | (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.11.5 | 27064 | :green_circle: | (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.11.7 | 27066 | :red_circle: | (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :red_circle: | |
| dashboard | :green_circle: | |

Fails when the compatibility level is set to 5: (screenshot)

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.11.9 | 27068 | :red_circle: | (L1) Ensure 'Network security: Minimum session security for NTLM SSP based |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :red_circle: | |
| dashboard | :green_circle: | |

The registry number is different from the one specified in the rule, and the capitalization is incorrect too: (screenshot)
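
Added example for the two failing NTLM checks above (2.3.11.7 and 2.3.11.9); this is not code from the Wazuh SCA policy, from cis_win2022.yml, or from anyone in this thread. It reads the registry values that the CIS benchmark defines for these two settings and evaluates them the way the benchmark text does, so a tester can record the real host state next to whatever the SCA scan reports. The expected values and registry paths are the CIS ones; the `$checks` table and the `Test-CisRegistryValue` helper name are constructed here for illustration.

```powershell
# Added example, not part of the Wazuh SCA policy or this issue thread.
# Evaluates CIS 2.3.11.7 and 2.3.11.9 directly from the registry so the
# host state can be compared with the SCA result shown in the dashboard.
# Assumption: paths and expected values follow the CIS benchmark text;
# the table layout and function name are constructed for this example.

$checks = @(
    @{
        Cis       = '2.3.11.7'
        Title     = 'Network security: LAN Manager authentication level'
        Path      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        ValueName = 'LmCompatibilityLevel'
        Expected  = 5            # 5 = "Send NTLMv2 response only. Refuse LM & NTLM"
    },
    @{
        Cis       = '2.3.11.9'
        Title     = 'Network security: Minimum session security for NTLM SSP based clients'
        Path      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
        ValueName = 'NTLMMinClientSec'
        Expected  = 0x20080000   # 537395200 = "Require NTLMv2 session security, Require 128-bit encryption"
    }
)

function Test-CisRegistryValue {
    param([hashtable]$Check)

    # -ErrorAction SilentlyContinue covers both a missing key and a missing value name
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.ValueName -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Value absent: the OS default applies, which is weaker than the CIS
        # setting for both checks, so this is a FAIL rather than "not applicable".
        $actualText = '<not set>'
        $pass       = $false
    }
    else {
        $actual     = [int64]$item.($Check.ValueName)
        $actualText = '{0} (0x{0:X})' -f $actual
        $pass       = ($actual -eq [int64]$Check.Expected)
    }

    $result = if ($pass) { 'PASS' } else { 'FAIL' }

    [pscustomobject]@{
        CIS      = $Check.Cis
        Title    = $Check.Title
        Expected = '{0} (0x{0:X})' -f [int64]$Check.Expected
        Actual   = $actualText
        Result   = $result
    }
}

# Run every check and print one row per CIS item
$checks | ForEach-Object { Test-CisRegistryValue -Check $_ } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the test host before and after changing the policy. When the Result column disagrees with the SCA dashboard (as in the 2.3.11.7 note, where level 5 is reported as failing), the Actual column gives the exact registry value and value name to quote in the follow-up issue, which is what is needed to tell a policy rule error from a host that is simply not configured.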

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.13.1 | 27070 | :green_circle: | (L1) Ensure 'Shutdown: Allow system to be shut down without having to log on' is set to 'Disabled' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.15.2 | 27072 | :green_circle: | (L1) Ensure 'System objects: Strengthen default permissions of internal system objects |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |

JavierBejMen commented 2 years ago

| CIS ID | SCA ID | Status | Name |
| --- | --- | --- | --- |
| 2.3.17.2 | 27074 | :green_circle: | (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' |

| Item | Check | Notes |
| --- | --- | --- |
| id | :green_circle: | |
| condition/rule | :green_circle: | |
| dashboard | :green_circle: | |