accepted
FDCC: Guidance for Securing Microsoft Windows Vista Systems for IT Professional
This guide has been created to assist IT professionals, in effectively securing systems with Microsoft Vista
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. NIST assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. NIST would appreciate acknowledgement if the document and template are used.
todo - add text
Trademark InformationMicrosoft, Windows, Windows XP, Windows Vista, Internet Explorer, and Windows Firewall are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries.All other names are registered trademarks or trademarks of their respective companies.
National Institute of Standards and Technology
SP 800-68
v1.2.0.0
800-53 Low
This profile selects specific controls that are recommended by Special Publication 800-53 for information systems in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of low. Each control has an effect on other groups within this document as individual rule require certain controls to be selected.
800-53 Moderate
This profile selects specific controls that are recommended by Special Publication 800-53 for information systems in which at least one security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of moderate and no security objective is assigned a FIPS 199 potential impact value of high. Each control has an effect on other groups within this document as individual rule require certain controls to be selected.
800-53 High
This profile selects specific controls that are recommended by Special Publication 800-53 for information systems in which at least one security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of high. Each control has an effect on other groups within this document as individual rule require certain controls to be selected.
800-53 All
This profile selects all the security controls that are recommended by Special Publication 800-53 for information systems. Each control has an effect on other groups within this document as individual rule require certain controls to be selected.
Federal Desktop Core Configuration version 1.2.0.0
This profile represents guidance outlined in Federal Desktop Core Configuration for desktop systems with Microsoft Windows Vista installed.
NIST SP 800-53 Controls
Applicable 800-53 Access Control Checks
Access Control Policy and Procedures
ISO/IEC 17799: 11.1.1, 11.4.1, 15.1.1
NIST 800-26: 15, 16
DOD 8500.2: ECAN-1, ECPA-1, PRAS-1, DCAR-1
DCID 6/3: 2.B.4.e(5), 4.B.1.a(1)(b)
Account Management
ISO/IEC 17799: 6.2.2, 6.2.3, 8.3.3, 11.2.1, 11.2.2, 11.2.4, 11.7.2
NIST 800-26: 6.1.8, 15.1.1, 15.1.4, 15.1.15, 15.1.8, 15.2.2, 16.1.3, 16.1.5, 16.2.12
GAO FISCAM: AC-2.1 AC-2.2, AC-3.2, SP-4.1
DOD 8500.2: IAAC-1
DCID 6/3: 4.B.2.a(3)
Access Enforcement
ISO/IEC 17799: 11.2.4, 11.4.5
NIST 800-26: 10.1.2, 15.1.1, 16.1.1, 16.1.2, 16.1.3, 16.1.7, 16.1.9, 16.2.1, 16.2.7, 16.2.10, 16.2.11, 16.2.15
GAO FISCAM: AC-2, AC-3.2
DOD 8500.2: DCFA-1, ECAN-1, EBRU-1, PRNK-1, ECCD-1, ECSD-2
DCID 6/3: Discretionary Access Control (DAC): 4.B.2.a(2), Mandatory Access Control (MAC): 4.B.4.a(3)
Information Flow Enforcement
ISO/IEC 17799: 10.6.2, 11.4.5, 11.4.6, 11.4.7
DOD 8500.2: EBBD-1, EBBD-2
DCID 6/3: 4.B.3.a(3), 7.B.3.g
Separation of Duties
ISO/IEC 17799: 10.1.3, 10.6.1, 10.10.1
NIST 800-26: 6.1.1, 6.1.2, 6.1.3, 15.2.1, 16.1.2, 17.1.5
GAO FISCAM: AC-3.2, SD-1.2
DOD 8500.2: ECLP-1
DCID 6/3: 2.A.1, 4.B.3.a(18)
Least Privilege
ISO/IEC 17799: 11.2.2
NIST 800-26: 16.1.2, 16.1.3, 17.1.5
GAO FISCAM: AC-3.2
DOD 8500.2: ECLP-1
DCID 6/3: 4.B.2.a(10)
Unsuccessful Login Attempts
ISO/IEC 17799: 11.5.1
NIST 800-26: 15.1.14
GAO FISCAM: AC-3.2
DOD 8500.2: ECLO-1
DCID 6/3: 4.B.2.a(17)(c)-(d)
System Use Notification
ISO/IEC 17799: 11.5.1, 15.1.5
NIST 800-26: 16.2.13, 16.3.1, 17.1.9
GAO FISCAM: AC-3.2
DOD 8500.2: ECWM-1
DCID 6/3: 4.B.1.a(6)
Previous Logon Notification
ISO/IEC 17799: 11.5.1
GAO FISCAM: AC-3.2
DOD 8500.2: ECLO-2
Concurrent Session Control
DOD 8500.2: ECLO-1
DCID 6/3: 4.B.2.a(17)(a)
Session Lock
ISO/IEC 17799: 11.3.2
NIST 800-26: 16.1.4
GAO FISCAM: AC-3.2
DOD 8500.2: PESL-1
DCID 6/3: 4.B.1.a(5)
Session Termination
ISO/IEC 17799: 11.3.2, 11.5.5
NIST 800-26: 16.1.4, 16.2.6
GAO FISCAM: AC-3.2
DCID 6/3: 4.B.2.a(17)(b)
Supervision and Review—Access Control
ISO/IEC 17799: 10.10.2, 11.2.4
NIST 800-26: 7.1.10, 11.2.2, 16.1.10, 16.2.5, 17.1.6, 17.1.7
GAO FISCAM: AC-4, AC-4.3, SS-2.2
DOD 8500.2: ECAT-1, ECAT-2, E3.3.9
DCID 6/3: 2.B.7.c, 4.B.3.a(8)(b)
Permitted Actions without Identification or Authentication
NIST 800-26: 16.2.12
DCID 6/3: 7.D.3.a
Automated Marking
ISO/IEC 17799: 7.2.2
NIST 800-26: 8.2.4, 16.1.6
GAO FISCAM: AC-3.2
DOD 8500.2: ECML-1
DCID 6/3: 4.B.2.a(11)
Automated Labeling
ISO/IEC 17799: 7.2.2
NIST 800-26: 16.1.6
GAO FISCAM: AC-3.2
DOD 8500.2: ECML-1
DCID 6/3: 4.B.1.a(3), 4.B.4.a(15), 4.B.4.a(16)
Remote Access
ISO/IEC 17799: 11.4.2, 11.4.3, 11.4.4
NIST 800-26: 16.2.4, 16.2.8
GAO FISCAM: AC-3.2
DOD 8500.2: EBRP-1, EBRU-1
DCID 6/3: 4.B.1.a(1)(b), 4.B.3.a(11), 7.D.2.e
Wireless Access Restrictions
ISO/IEC 17799: 11.4.2, 11.7.1, 11.7.2
DOD 8500.2: ECCT-1, ECWN-1
DCID 6/3: 4.B.1.a(8), 5.B.3.a(11)
Access Control for Portable and Mobile Systems
ISO/IEC 17799: 11.7.1
NIST 800-26: 7.3.1, 7.3.2
DOD 8500.2: ECWN-1
DCID 6/3: 8.B.6.c, 9.G.4
Use of External Information Systems
ISO/IEC 17799: 6.1.4, 9.2.5, 11.7.1
NIST 800-26: 10.2.13
DCID 6/3: 8.B.6.c
Applicable 800-53 Awareness and Training
Security Awareness and Training Policy and Procedures
ISO/IEC 17799: 5.1.1, 8.2.2, 15.1.1
NIST 800-26: 13
DOD 8500.2: PRTN-1, DCAR-1
DCID 6/3: DCID: B.3.c, Manual: 2.B.2.b(8); 2.B.4.e(6)
Security Awareness
ISO/IEC 17799: 6.2.3, 8.2.2, 10.4.1, 11.7.1, 13.1.1, 14.1.4, 15.1.4
NIST 800-26: 13.1.4, 13.1.5
DOD 8500.2: PRTN-1
DCID 6/3: 8.B.1
Security Training
ISO/IEC 17799: 8.2.2, 10.3.2, 11.7.1, 13.1.1, 14.1.4
NIST 800-26: 13.1, 13.1.3, 13.1.5
DOD 8500.2: PRTN-1
DCID 6/3: 8.B.1
Security Training Records
NIST 800-26: 13.1.2
DCID 6/3: 8.B.1
Contacts with Security Groups and Associations
ISO/IEC 17799: 6.1.7
Applicable 800-53 Audit and Accountability
Audit and Accountability Policy and Procedures
ISO/IEC 17799: 10.1, 15.1.1
NIST 800-26: 17
DOD 8500.2: ECAT-1, ECTB-1, DCAR-1
DCID 6/3: DCID: B.2.d, Manual: 2.B.4.e(5); 4.B.2.a(4)
Auditable Events
ISO/IEC 17799: 10.10.1
NIST 800-26: 17.1.1, 17.1.2, 17.1.4
DOD 8500.2: ECAR-3
DCID 6/3: 4.B.2.a(4)(d)
Content of Audit Records
ISO/IEC 17799: 10.10.1, 10.10.4
NIST 800-26: 17.1.1
DOD 8500.2: ECAR-1, ECAR-2, ECAR-3, ECLC-1
DCID 6/3: 4.B.2.a(4)(a), 4.B.2.a(5)(a)
Audit Storage Capacity
ISO/IEC 17799: 10.10.3
DCID 6/3: 5.B.2.a(5)(a)(1)
Response to Audit Processing Failures
ISO/IEC 17799: 10.10.3
DCID 6/3: 4.B.4.a(9)(d)
Audit Monitoring, Analysis, and Reporting
ISO/IEC 17799: 10.10.2, 10.10.4, 13.2.1
NIST 800-26: 16.2.5, 17.1.7, 17.1.8
GAO FISCAM: AC-4.3
DOD 8500.2: ECAT-1, E3.3.9
DCID 6/3: 4.B.4.a(10)
Audit Reduction and Report Generation
ISO/IEC 17799: 10.10.3
NIST 800-26: 17.1.2, 17.1.7
DOD 8500.2: ECRG-1
DCID 6/3: 4.B.3.a(6)
Time Stamps
ISO/IEC 17799: 10.10.6
DOD 8500.2: ECAR-1
DCID 6/3: 4.B.2.a(4)(a)
Protection of Audit Information
ISO/IEC 17799: 10.10.3, 15.1.3, 15.3.2
NIST 800-26: 17.1.3, 17.1.4
DOD 8500.2: ECTP-1
DCID 6/3: 4.B.2.a(4)(b)
Non-repudiation
ISO/IEC 17799: 10.8.2, 10.9.1, 12.3.1
NIST 800-26: 15.1.2, 17.1.1
DOD 8500.2: DCNR-1
DCID 6/3: 5.B.3.a(8)
Audit Record Retention
ISO/IEC 17799: 10.10.1, 15.1.3
NIST 800-26: 17.1.4
DOD 8500.2: ECRR-1
DCID 6/3: 4.B.2.a(4)(c)
Applicable 800-53 Certification, Accreditation, and Security Assessment
Certification, Accreditation, and Security Assessment Policies and Procedures
ISO/IEC 17799: 6.1.4, 10.3.2, 15.1.1
NIST 800-26: 2, 4
DOD 8500.2: DCAR-1, DCII-1
DCID 6/3: DCID: B.3, Manual: 2.B.2.b(1)
Security Assessments
ISO/IEC 17799: 6.1.8, 15.2.1, 15.2.2
NIST 800-26: 2.1.1, 2.1.3, 2.1.4
GAO FISCAM: SP-5.1
DOD 8500.2: DCII-1, ECMT-1, PEPS-1, E3.3.10
DCID 6/3: DCID: B.2.b; B.3.a, Manual: 4.B.2.b(6); 5.B.1.b(1); 9.B.1; 9.B.4
Information System Connections
ISO/IEC 17799: 10.6.2, 10.9.1, 11.4.5, 11.4.6, 11.4.7
NIST 800-26: 1.1.1, 3.2.9, 4.1.8, 12.2.3
GAO FISCAM: CC-2.1
DOD 8500.2: DCID-1, EBCR-1 EBRU-1, EBPW-1, ECIC-1
DCID 6/3: 9.B.3, 9.D.3.c
Security Certification
ISO/IEC 17799: 10.3.2
NIST 800-26: 2.1.2, 3.2.3, 3.2.5, 3.2.6, 4.1.1, 4.1.6, 11.2.8. 12.2.5
GAO FISCAM: CC-2.1
DOD 8500.2: DCAR-1, 5.7.5
DCID 6/3: DCID: B.3, Manual: 4.B.3.b(8); 9.E.2.a(2); 9.E.2.a(3)
Plan of Action and Milestones
ISO/IEC 17799: 15.2.1
NIST 800-26: 1.1.5, 1.2.3, 2.2.1, 4.2.1
GAO FISCAM: SP-5.1 SP-5.2
DOD 8500.2: 5.7.5
DCID 6/3: 9.E.2.a(3)(a)
Security Accreditation
ISO/IEC 17799: 10.3.2
NIST 800-26: 3.2.7, 12.2.5
DOD 8500.2: 5.7.5
DCID 6/3: DCID: B.3, Manual: 9.D.3; 9.D.4
Continuous Monitoring
ISO/IEC 17799: 15.2.1, 15.2.2
NIST 800-26: 10.2.1
DOD 8500.2: DCCB-1, DCPR-1, E3.3.9
DCID 6/3: DCID: B.2.d; Manual: 2.B.4.e(7); 2.B.5.c(10); 5.B.2.b(2); 9.B.1; 9.D.7
Applicable 800-53 Configuration Management
Configuration Management Policy and Procedures
ISO/IEC 17799: 12.4.1, 12.5.1, 15.1.1
DOD 8500.2: DCCB-1, DCPR-1, DCAR-1, E3.3.8
DCID 6/3: DCID: B.2.a Manual: 2.B.4.e(5); 5.B.2.a(5)
Baseline Configuration and System Component Inventory
ISO/IEC 17799: 7.1.1, 15.1.2
NIST 800-26: 1.1.1, 3.1.9, 10.2.7, 10.2.9, 12.1.4
GAO FISCAM: CC-2.3, CC-3.1, SS-1.2
DOD 8500.2: DCHW-1, DCSW-1
DCID 6/3: 2.B.7.c(7), 4.B.1.c(3), 4.B.2.b(6)
Configuration Change Control
ISO/IEC 17799: 10.1.2, 10.2.3, 12.4.1, 12.5.1, 12.5.2, 12.5.3
NIST 800-26: 3.1.4, 10.2.2, 10.2.3, 10.2.8, 10.2.10, 10.2.11
GAO FISCAM: SS-3.2, CC-2.2
DOD 8500.2: DCPR-1
DCID 6/3: 2.B.7.c(7) 4.B.1.c(3), 4.B.2.b(6), 5.B.2.a(5)
Monitoring Configuration Changes
ISO/IEC 17799: 10.1.2
NIST 800-26: 10.2.1, 10.2.4
GAO FISCAM: SS-3.1, SS-3.2, CC-2.1
DOD 8500.2: DCPR-1, E3.3.8
DCID 6/3: 2.B.7.c(7), 4.B.1.c(3), 5.B.2.b(2), 8.B.8.c(7)
Access Restrictions for Change
ISO/IEC 17799: 11.6.1
NIST 800-26: 6.1.3, 6.1.4, 10.1.1, 10.1.4, 10.1.5
GAO FISCAM: SD-1.1, SS-1.2, SS-2.1
DOD 8500.2: DCPR-1, ECSD-2
DCID 6/3: 5.B.3.a(2)(b)
Configuration Settings
NIST 800-26: 10.2.6, 10.3.1, 16.2.2, 16.2.3, 16.2.11
DOD 8500.2: DCSS-1, ECSC-1, E3.3.8
DCID 6/3: 4.B.2.a(10)
Least Functionality
NIST 800-26: 10.3.1
DOD 8500.2: DCPP-1, ECIM-1, ECVI-1, E3.3.8
DCID 6/3: 4.B.2.a(10), 7.D.2.b
Applicable 800-53 Contingency Planning
Contingency Planning Policy and Procedures
ISO/IEC 17799: 5.1.1, 10.4.1, 14.1.1, 14.1.3, 15.1.1
NIST 800-26: 9
DOD 8500.2: COBR-1, DCAR-1
DCID 6/3: 2.B.4.e(5), 6.B.1.a(1)
Contingency Plan
ISO/IEC 17799: 10.3.2, 10.4.1, 10.8.5, 14.1.3, 14.1.4
NIST 800-26: 4.1.4, 9.1.1, 9.2, 9.2.1, 9.2.2, 9.2.3, 9.2.10, 12.1.8, 12.2.2
GAO FISCAM: SC-3.1, SC-1.1
DOD 8500.2: CODP-1, COEF-1
DCID 6/3: 6.B.2.b(1)
Contingency Training
ISO/IEC 17799: 14.1.3, 14.1.4
NIST 800-26: 9.3.2
GAO FISCAM: SC-2.3
DOD 8500.2: PRTN-1
DCID 6/3: 8.B.1
Contingency Plan Testing
ISO/IEC 17799: 10.5.1, 14.1.5
NIST 800-26: 4.1.4, 9.3.3
GAO FISCAM: SC-3.1
DOD 8500.2: COED-1
DCID 6/3: 6.B.3.b(2)(b)
Contingency Plan Update
ISO/IEC 17799: 14.1.3, 14.1.5
NIST 800-26: 9.3.1, 9.3.3, 10.2.12
GAO FISCAM: SC-2.1, SC-3.1
DOD 8500.2: DCAR-1
DCID 6/3: 6.B.3.b(2)
Alternate Storage Sites
ISO/IEC 17799: 10.5.1
NIST 800-26: 9.2.4, 9.2.5, 9.2.7, 9.2.9
GAO FISCAM: SC-2.1, SC-3.1
DOD 8500.2: CODB-2
DCID 6/3: 6.B.2.a(2), 6.B.3.a(2)(d)
Alternate Processing Sites
ISO/IEC 17799: 14.1.4
NIST 800-26: 9.1.3, 9.2.4, 9.2.5, 9.2.7, 9.2.9
GAO FISCAM: SC-2.1, SC-3.1
DOD 8500.2: COAS-1, COEB-1, COSP-1, COSP-2
DCID 6/3: 6.B.3.a(2)(d)
Telecommunications Services
ISO/IEC 17799: 14.1.4
DCID 6/3: 6.B.2.a(4)
Information System Backup
ISO/IEC 17799: 10.5.1, 11.7.1
NIST 800-26: 9.1.1, 9.2.6, 9.2.9, 9.3.1, 12.1.9
GAO FISCAM: SC-2.1
DOD 8500.2: CODB-1, CODB-2, COSW-1
DCID 6/3: 6.B.1.a(2)
Information System Recovery and Reconstitution
ISO/IEC 17799: 14.1.4
NIST 800-26: 9.2.8
GAO FISCAM: SC-2.1
DOD 8500.2: COTR-1, ECND-1
DCID 6/3: 4.B.1.a(4), 6.B.1.a(1), 6.B.2.a(3)(d)
Applicable 800-53 Identification and Authentication
Identification and Authentication Policy and Procedures
ISO/IEC 17799: 15.1.1
NIST 800-26: 11.2.3
DOD 8500.2: IAIA-1, DCAR-1
DCID 6/3: DCID: B.2.a Manual: 2.B.4.e(5)
User Identification and Authentication
ISO/IEC 17799: 11.2.3, 11.4.2, 11.5.2
NIST 800-26: 15.1
DOD 8500.2: IAIA-1
DCID 6/3: 4.B.2.a(7)
Device Identification and Authentication
ISO/IEC 17799: 11.4.2, 11.4.3, 11.7.1
NIST 800-26: 16.2.7
DCID 6/3: 4.B.5.a(14)
Identifier Management
ISO/IEC 17799: 11.2.3, 11.5.2
NIST 800-26: 15.1.1, 15.2.2, 15.1.8
GAO FISCAM: AC-2.1, AC-3.2, SP-4.1
DOD 8500.2: IAGA-1, IAIA-1
DCID 6/3: 4.B.1.a(2)
Authenticator Management
ISO/IEC 17799: 11.5.2, 11.5.3
NIST 800-26: 15.1.6, 15.1.7, 15.1.9, 15.1.10, 15.1.11, 15.1.12, 15.1.13, 16.1.3, 16.2.3
GAO FISCAM: AC-3.2
DOD 8500.2: IAKM-1, IATS-1
DCID 6/3: 4.B.2.a(7), 4.B.3.a(11)
Authenticator Feedback
ISO/IEC 17799: 11.5.1
DCID 6/3: 4.B.2.a(7)(g)
Cryptographic Module Authentication
NIST 800-26: 16.1.7
DCID 6/3: 1.G
Applicable 800-53 Incident Response
Incident Response Policy and Procedures
ISO/IEC 17799: 10.4.1, 13.1, 13.2.1, 15.1.1
NIST 800-26: 14
DOD 8500.2: VIIR-1, DCAR-1
DCID 6/3: DCID: B.2.c; C.4 Manual: 2.B.4.e(5); 2.B.2.b(6); 2.B.6.c(10); 8.B.7
Incident Response Training
ISO/IEC 17799: 13.1.1
NIST 800-26: 14.1.4
GAO FISCAM: SP-3.4
DOD 8500.2: VIIR-1
DCID 6/3: 8.B.1.b(1)(f), 8.B.1.c(1)(e), 8.B.1.c(2)©
Incident Response Testing
ISO/IEC 17799: 14.1.5
DOD 8500.2: VIIR-1
DCID 6/3: 8.B.7
Incident Handling
ISO/IEC 17799: 6.1.6, 13.2.1, 13.2.2
NIST 800-26: 2.1.5, 14.1.1, 14.1.2, 14.1.6
GAO FISCAM: SP-3.4
DOD 8500.2: VIIR-1, E3.3.9
DCID 6/3: 8.B.7, 9.B.2.e
Incident Monitoring
NIST 800-26: 14.1.3
DOD 8500.2: VIIR-1
DCID 6/3: 8.B.7.a
Incident Reporting
ISO/IEC 17799: 6.1.6, 6.2.2, 6.2.3, 13.1.1, 13.1.2
NIST 800-26: 14.1.2, 14.1.3, 14.2.1, 14.2.2, 14.2.3
DOD 8500.2: VIIR-1, E3.3.9
DCID 6/3: 8.B.7
Incident Response Assistance
ISO/IEC 17799: 14.1.3
NIST 800-26: 8.1.1, 14.1.1
GAO FISCAM: SP-3.4
DCID 6/3: 8.B.7.c
Applicable 800-53 Maintenance
System Maintenance Policy and Procedures
ISO/IEC 17799: 10.1.1, 15.1.1
NIST 800-26: 10
DOD 8500.2: PRMP-1, DCAR-1
DCID 6/3: DCID: B.2.a Manual: 2.B.4.e(5); 6.B.2.a(5)
Periodic Maintenance
ISO/IEC 17799: 9.2.4
NIST 800-26: 10.1.1, 10.1.3, 10.2.1
GAO FISCAM: SS-3.1
DCID 6/3: 6.B.2.a(5), 8.B.8.c
Maintenance Tools
NIST 800-26: 10.1.3, 11.2.4
DCID 6/3: 6.B.3.a(5), 8.B.8.c(4), 8.B.8.c(5)
Remote Maintenance
ISO/IEC 17799: 11.4.4
NIST 800-26: 10.1.1, 17.1.1
GAO FISCAM: SS-3.1
DOD 8500.2: EBRP-1
DCID 6/3: 8.B.8.d
Maintenance Personnel
ISO/IEC 17799: 6.2.3, 9.2.4
NIST 800-26: 10.1.1, 10.1.3
GAO FISCAM: SS-3.1
DOD 8500.2: PRMP-1
DCID 6/3: 8.B.8.a
Timely Maintenance
NIST 800-26: 9.1.2
GAO FISCAM: SC-1.2
DOD 8500.2: COMS-1, COSP-1
DCID 6/3: 6.B.2.a(5)
Applicable 800-53 Media Protection
Media Protection Policy and Procedures
ISO/IEC 17799: 10.1.1, 10.7, 15.1.1, 15.1.3
NIST 800-26: 8.2
DOD 8500.2: PESP-1, DCAR-1
DCID 6/3: DCID: B.2.a Manual: 2.B.6.c(7); 8.B.2
Media Access
ISO/IEC 17799: 10.7.3
NIST 800-26: 8.2.1, 8.2.2, 8.2.3, 8.2.6, 8.2.7
DOD 8500.2: PEDI-1, PEPF-1
DCID 6/3: 2.B.9.b(4), 4.B.1.a(1), 4.B.1.a(7)
Media Labeling
ISO/IEC 17799: 7.2.2, 10.7.3, 10.8.2, 15.1.3
NIST 800-26: 8.2.5, 8.2.6, 10.2.9
DOD 8500.2: ECML-1
DCID 6/3: 2.B.9.b(4), 8.B.2.a, 8.B.2.c
Media Storage
ISO/IEC 17799: 10.7.1, 10.7.2, 10.7.3, 10.7.4, 15.1.3
NIST 800-26: 7.1.4, 8.2.1, 8.2.2, 8.2.9, 10.1.2
GAO FISCAM: AC-3.1
DOD 8500.2: PESS-1
DCID 6/3: 2.B.9.b(4), 4.B.1.a(7)
Media Transport
ISO/IEC 17799: 10.8.3
NIST 800-26: 8.2.2, 8.2.4
DCID 6/3: 2.B.9.b(4)
Media Sanitization
ISO/IEC 17799: 9.2.6, 10.7.1, 10.7.2
NIST 800-26: 3.2.11, 3.2.12, 3.2.13, 8.2.8, 8.2.9, 8.2.10
GAO FISCAM: AC-3.4
DOD 8500.2: PECS-1, PEDD-1
DCID 6/3: 8.B.5, 2.B.9.b(4), 8.B.5.a(4), 8.B.5.d, 8.B.5.e
Media Destruction and Disposal
ISO/IEC 17799:
NIST 800-26:
GAO FISCAM:
DOD 8500.2:
DCID 6/3:
Applicable 800-53 Physical and Environmental Protection
Physical and Environmental Protection Policy and Procedures
ISO/IEC 17799: 15.1.1
NIST 800-26: 7
DOD 8500.2: PETN-1, DCAR-1
DCID 6/3: DCID: B.2.a, Manual: 2.B.4.e(5); 8.D
Physical Access Authorizations
ISO/IEC 17799: 9.1.2, 9.1.6
NIST 800-26: 7.1.1, 7.1.2
GAO FISCAM: AC-3.1
DOD 8500.2: PECF-1
DCID 6/3: 4.B.1.a(1), 8.E
Physical Access Control
ISO/IEC 17799: 9.1.1, 9.1.2, 9.1.5, 9.1.6, 10.5.1
NIST 800-26: 7.1.1, 7.1.2, 7.1.5, 7.1.6, 7.1.8
GAO FISCAM: AC-3.1
DOD 8500.2: PEPF-1
DCID 6/3: 4.B.1.a(1), 8.D.2, 8.E
Access Control for Transmission Medium
ISO/IEC 17799: 9.2.3
NIST 800-26: 7.2.2, 16.2.9
DCID 6/3: 8.D.2, 4.B.1.a(8)
Access Control for Display Medium
ISO/IEC 17799: 9.1.2, 11.3.3
NIST 800-26: 7.2.1
DOD 8500.2: PEDI-1, PEPF-1
DCID 6/3: 8.C.2.a, 8.D.2
Monitoring Physical Access
ISO/IEC 17799: 9.1.2
NIST 800-26: 7.1.9
GAO FISCAM: AC-4
DOD 8500.2: PEPF-2
DCID 6/3: 4.B.1.a(1), 8.C.2.a, 8.D.2
Visitor Control
ISO/IEC 17799: 9.1.2
NIST 800-26: 7.1.7, 7.1.11
GAO FISCAM: AC-3.1
DOD 8500.2: PEVC-1
DCID 6/3: 8.C.2.a, 8.D.2, 8.E
Access Records
ISO/IEC 17799: 9.1.2
NIST 800-26: 7.1.9
GAO FISCAM: AC-4
DOD 8500.2: PEPF-2, PEVC-1
DCID 6/3: 8.C.2.a, 8.D.2, 8.E
Power Equipment and Power Cabling
ISO/IEC 17799: 9.2.2, 9.2.3
NIST 800-26: 7.1.16
GAO FISCAM: SC-2.2
DCID 6/3: 8.D.2
Emergency Shutoff
ISO/IEC 17799: 9.2.2
DOD 8500.2: PEMS-1
DCID 6/3: 8.D.2
Emergency Power
ISO/IEC 17799: 9.2.2
NIST 800-26: 7.1.18
GAO FISCAM: SC-2.2
DOD 8500.2: COPS-1, COPS-2, COPS-3
DCID 6/3: 6.B.2.a(6), 6.B.2.a(7)
Emergency Lighting
ISO/IEC 17799: 9.2.2
DOD 8500.2: PEEL-1
DCID 6/3: 8.D.2
Fire Protection
ISO/IEC 17799: 9.1.4, 9.2.1
NIST 800-26: 7.1.12
GAO FISCAM: SC-2.2
DOD 8500.2: PEFD-1, PEFS-1
DCID 6/3: 8.C.2.a, 8.D.2
Temperature and Humidity Controls
ISO/IEC 17799: 9.2.1, 10.5.1, 10.7.1
NIST 800-26: 7.1.14, 7.1.15
GAO FISCAM: SC-2.2
DOD 8500.2: PEHC-1, PETC-1
DCID 6/3: 8.D.2
Water Damage Protection
ISO/IEC 17799: 9.1.4, 9.2.1
NIST 800-26: 7.1.17
GAO FISCAM: SC-2.2
DCID 6/3: 8.C.2.a, 8.D.2
Delivery and Removal
ISO/IEC 17799: 9.1.6, 9.2.7, 10.7.1
NIST 800-26: 7.1.3
GAO FISCAM: AC-3.1
DCID 6/3: 8.B.5.e
Alternate Work Site
ISO/IEC 17799: 11.7.2
DOD 8500.2: EBRU-1
Location of Information System Components
ISO/IEC 17799: 9.2.1
Information Leakage
Applicable 800-53 Planning
Security Planning Policy and Procedures
ISO/IEC 17799: 6.1, 15.1.1
NIST 800-26: 5
DOD 8500.2: DCAR-1, E3.4.6
DCID 6/3: DCID: B.2.a, Manual: 2.B.4.e(5)
System Security Plan
ISO/IEC 17799: 6.1
NIST 800-26: 4.1.5, 5.1.1, 5.1.2, 12.2.1
GAO FISCAM: SP-2.1
DOD 8500.2: DCSD-1
DCID 6/3: 1.F.6, 2.B.6.c(3), 2.B.7.c(5), 9.E.2.a(1)(d), 9.F.2.a, Appendix C
System Security Plan Update
ISO/IEC 17799: 6.1
NIST 800-26: 3.2.10, 5.2.1
GAO FISCAM: SP-2.1
DOD 8500.2: 5.7.5
DCID 6/3: 2.B.7.c(5)
Rules of Behavior
ISO/IEC 17799: 7.1.3, 8.1.3, 15.1.5
NIST 800-26: 4.1.3, 13.1.1
DOD 8500.2: PRRB-1
DCID 6/3: 2.B.9.b
Privacy Impact Assessment
ISO/IEC 17799: 15.1.4
DCID 6/3: DCID: B.3.a; Manual: 8.B.9
Security-Related Activity Planning
ISO/IEC 17799: 15.3.1
Applicable 800-53 Personnel Security
Personnel Security Policy and Procedures
ISO/IEC 17799: 8.1.1, 15.1.1
NIST 800-26: 6
DOD 8500.2: PRRB-1, DCAR-1
DCID 6/3: DCID: B.2.a, Manual: 2.B.4.e(5); 8.E
Position Categorization
ISO/IEC 17799: 8.1.2
NIST 800-26: 6.1.1, 6.1.2
GAO FISCAM: SD-1.2
DCID 6/3: 8.E
Personnel Screening
ISO/IEC 17799: 8.1.2
NIST 800-26: 6.2.1, 6.2.3
GAO FISCAM: SP-4.1
DOD 8500.2: PRAS-1
DCID 6/3: 2.B.7.c(2), 2.B.8.b(5), 8.E
Personnel Termination
ISO/IEC 17799: 8.1.3, 8.3, 11.2.1
NIST 800-26: 6.1.7
GAO FISCAM: SP-4.1
DOD 8500.2: 5.12.7
DCID 6/3: 2.B.9.b(6), 4.B.2.a(3)(e), 8.E
Personnel Transfer
ISO/IEC 17799: 8.3.1, 8.3.3, 11.2.1
NIST 800-26: 6.1.7
GAO FISCAM: SP-4.1
DOD 8500.2: 5.12.7
DCID 6/3: 2.B.9.b(6)
Access Agreements
ISO/IEC 17799: 6.1.5, 8.1.3
NIST 800-26: 6.1.5, 6.2.2
GAO FISCAM: SP-4.1
DOD 8500.2: PRRB-1
DCID 6/3: 1.E.2, 8.E
Third-Party Personnel Security
ISO/IEC 17799: 6.2.1, 6.2.3, 8.1.1, 8.1.2, 8.1.3, 8.2.1, 8.2.2, 11.2.1
GAO FISCAM: SP-4.1
DOD 8500.2: 5.7.10
DCID 6/3: 1.A.1, 8.D, 8.E
Personnel Sanctions
ISO/IEC 17799: 8.2.3, 11.2.1
NIST 800-26: 6.1.5
DOD 8500.2: PRRB-1
DCID 6/3: 4.B.2.a(3)(e), 8.E
Applicable 800-53 Risk Assessment
Risk Assessment Policy and Procedures
ISO/IEC 17799: 4.1, 15.1.1
NIST 800-26: 1
DOD 8500.2: DCAR-1
DCID 6/3: DCID: B.3.a, Manual: 2.B.4.e(5)
Security Categorization
ISO/IEC 17799: 7.2.1
NIST 800-26: 1.1.3, 3.1.1
GAO FISCAM: SP-1, AC-1.1, AC-1.2
DOD 8500.2: E3.4.2
DCID 6/3: 3.C, 3.D, 9.E.2.a(1)(a), 9.E.2.a(1)(d)
Risk Assessment
ISO/IEC 17799: 4, 4.1, 4.2, 6.2.1, 10.10.2, 10.10.5, 12.5.1, 12.6.1, 14.1.1, 14.1.2
NIST 800-26: 1.1.2, 1.1.4, 1.1.5, 1.1.6, 1.2.1, 1.2.2, 1.2.3, 3.1.7, 3.1.8, 4.1.7, 7.1.13, 7.1.19, 12.2.4
GAO FISCAM: SP-1
DOD 8500.2: DCDS-1, DCII-1, E3.3.10
DCID 6/3: 9.B
Risk Assessment Update
ISO/IEC 17799: 4.1
NIST 800-26: 1.1.2, 4.1.2
GAO FISCAM: SP-1
DOD 8500.2: DCAR-1, DCII-1
DCID 6/3: 9.B.4.f, 9.D.1.d
Vulnerability Scanning
ISO/IEC 17799: 12.6.1
NIST 800-26: 10.3.2, 14.2.1
DOD 8500.2: ECMT-1, VIVM-1
DCID 6/3: 4.B.3.a(8)(b), 4.B.3.b(6)(b), 9.B.4.e
Applicable 800-53 System and Services Acquisition
System and Services Acquisition Policy and Procedures
ISO/IEC 17799: 12.1, 15.1.1
NIST 800-26: 3
DOD 8500.2: DCAR-1
DCID 6/3: DCID: B.2.a, Manual: 2.B.4.e(5)
Allocation of Resources
ISO/IEC 17799: 10.3.1
NIST 800-26: 3.1.2, 3.1.3, 3.1.5, 5.1.3
DOD 8500.2: DCPB-1, E3.3.4
DCID 6/3: DCID: C.2.a, Manual: 2.B.4.e(8)
Life Cycle Support
NIST 800-26: 3.1
DOD 8500.2: 5.8.1
DCID 6/3: DCID: B.2.a, Manual: 9.E.2
Acquisitions
ISO/IEC 17799: 12.1.1
NIST 800-26: 3.1.6, 3.1.7, 3.1.10, 3.1.11, 3.1.12
DOD 8500.2: DCAS-1, DCDS-1, DCIT-1, DCMC-1
DCID 6/3: DCID: B.2.a; C.2.a, Manual: 9.B.4
Information System Documentation
ISO/IEC 17799: 10.7.4
NIST 800-26: 3.2.3, 3.2.4, 3.2.8, 12.1.1, 12.1.2, 12.1.3, 12.1.6, 12.1.7
GAO FISCAM: CC-2.1
DOD 8500.2: DCCS-1, DCHW-1, DCID-1, DCSD-1, DCSW-1, ECND-1, DCFA-1
DCID 6/3: 4.B.2.b(2), 4.B.2.b(3), 4.B.4.b(4), 9.C.3
Software Usage Restrictions
ISO/IEC 17799: 15.1.2
NIST 800-26: 10.2.10, 10.2.13
GAO FISCAM: SS-3.2, SP-2.1
DOD 8500.2: DCPD-1
DCID 6/3: 2.B.9.b(11)
User Installed Software
ISO/IEC 17799: 15.1.2
NIST 800-26: 10.2.10
GAO FISCAM: SS-3.2
DCID 6/3: 2.B.9.b(11)
Security Engineering Principles
ISO/IEC 17799: 12.1
NIST 800-26: 3.2.1
DOD 8500.2: DCBP-1, DCCS-1, E3.4.4
DCID 6/3: 1.H.1
Outsourced Information System Services
ISO/IEC 17799: 6.2.1, 6.2.3, 10.2.1, 10.2.2, 10.6.2
NIST 800-26: 12.2.3
DOD 8500.2: DCDS-1, DCID-1 DCIT-1, DCPP-1
DCID 6/3: 1.B.1, 8.C.2, 8.E
Developer Configuration Management
ISO/IEC 17799: 12.5.1, 12.5.2
GAO FISCAM: SS-3.1, CC-3
DCID 6/3: 4.B.4.b(4), 8.C.2.a
Developer Security Testing
ISO/IEC 17799: 12.5.1, 12.5.2
NIST 800-26: 3.2.1, 3.2.2, 10.2.5, 12.1.5
GAO FISCAM: SS-3.1, CC-2.1
DOD 8500.2: E3.4.4
DCID 6/3: 4.B.4.b(4)
Applicable 800-53 System and Communication Protection
System and Communications Protection Policy and Procedures
ISO/IEC 17799: 10.8.1, 15.1.1
DOD 8500.2: DCAR-1
DCID 6/3: DCID: B.2.a, Manual: 2.B.4.e(5)
Application Partitioning
ISO/IEC 17799: 11.4.5
DOD 8500.2: DCPA-1
DCID 6/3: 4.B.3.b(6)(a), 4.B.4.b(8), 5.B.3.b(2)
Security Function Isolation
ISO/IEC 17799: 11.4.5
DOD 8500.2: DCSP-1
DCID 6/3: 4.B.3.b(6)(a), 4.B.4.b(8), 5.B.3.b(1), 5.B.3.b(2)
Information Remnants
ISO/IEC 17799: 10.8.1
GAO FISCAM: AC-3.4
DOD 8500.2: ECRC-1
DCID 6/3: 4.B.2.a(14)
Denial of Service Protection
ISO/IEC 17799: 10.8.4, 13.2.1
DCID 6/3: 6.B.3.a(6)
Resource Priority
DCID 6/3: 6.B.3.a(11)
Boundary Protection
ISO/IEC 17799: 11.4.6
NIST 800-26: 16.2.2, 16.2.7, 16.2.9, 16.2.10, 16.2.11, 16.2.14
GAO FISCAM: AC-3.2
DOD 8500.2: COEB-1, EBBD-1, ECIM-1, ECVI-1
DCID 6/3: 4.B.4.a(27), 5.B.3.a(11)(b), 7.A.3, 7.B, 7.C, 7.D
Transmission Integrity
ISO/IEC 17799: 10.6.1, 10.8.1, 10.9.1
NIST 800-26: 11.2.1, 11.2.4, 11.2.9, 16.2.14
GAO FISCAM: AC-3.2
DOD 8500.2: ECTM-1
DCID 6/3: 5.B.3.a(11)
Transmission Confidentiality
ISO/IEC 17799: 10.6.1, 10.8.1, 10.9.1
DOD 8500.2: ECCT-1
DCID 6/3: 4.B.1.a(8)(a)
Network Disconnect
ISO/IEC 17799: 11.5.6
NIST 800-26: 16.2.6
GAO FISCAM: AC-3.2
DCID 6/3: 4.B.2.a(17)
Trusted Path
ISO/IEC 17799: 10.9.2
NIST 800-26: 16.2.7
DCID 6/3: 4.B.4.a(14)
Cryptographic Key Establishment and Mgmt.
ISO/IEC 17799: 12.3.1, 12.3.2
NIST 800-26: 16.1.7, 16.1.8
DOD 8500.2: IAKM-1
DCID 6/3: 1.G
Use of Validated Cryptography
NIST 800-26: 16.1.7, 16.1.8
DOD 8500.2: IAKM-1, IATS-1
DCID 6/3: 1.G.1
Public Access Protections
ISO/IEC 17799: 10.7.4, 10.9.3
DOD 8500.2: EBPW-1
Collaborative Computing
DOD 8500.2: ECVI-1
DCID 6/3: 7.G
Transmission of Security Parameters
ISO/IEC 17799: 7.2.2, 10.8.2, 10.9.2
NIST 800-26: 16.1.6
GAO FISCAM: AC-3.2
DOD 8500.2: ECTM-2
DCID 6/3: 4.B.1.a(3)
Public Key Infrastructure Certificates
ISO/IEC 17799: 12.3.2
DOD 8500.2: IAKM-1
DCID 6/3: 2.B.4.e(5), 4.B.3.a(11)
Mobile Code
ISO/IEC 17799: 10.4.1, 10.4.2
DOD 8500.2: DCMC-1
DCID 6/3: 2.B.4.e(5), 7.E
Voice Over Internet Protocol
DOD 8500.2: ECVI-1
DCID 6/3: DCID 6/3 2.B.4.d, 9.D.1.a
Secure Name Address Resolution Service (Authoritative Source)
Secure Name Address Resolution Service (Resolution)
Architecture and Provisioning for Name/Address Resolution Service
Session Authenticity
Applicable 800-53 System and Information Integrity
System and Information Integrity Policy and Procedures
ISO/IEC 17799: 15.1.1
NIST 800-26: 11
DOD 8500.2: DCAR-1
DCID 6/3: DCID: B.2.a, Manual: 2.B.4.e(5), 5.B.1.b(1), 5.B.2.a(5)(a)(1)
Flaw Remediation
ISO/IEC 17799: 10.10.5, 12.4.1, 12.5.1, 12.5.2, 12.6.1
NIST 800-26: 10.3.2, 11.1.1, 11.1.2, 11.2.2, 11.2.7
GAO FISCAM: SS-2.2
DOD 8500.2: DCSQ-1, DCCT-1, VIVM-1
DCID 6/3: 5.B.2.a(5)(a)(3), 6.B.2.a(5)
Malicious Code Protection
ISO/IEC 17799: 10.4.1
NIST 800-26: 11.1.1, 11.1.2
DOD 8500.2: ECVP-1, VIVM-1
DCID 6/3: 5.B.1.a(4), 7.B.4.b(1)
Information System Monitoring Tools and Techniques
ISO/IEC 17799: 10.6.2, 10.10.1, 10.10.2, 10.10.4
NIST 800-26: 11.2.5, 11.2.6
DOD 8500.2: EBBD-1, EBVC-1, ECID-1
DCID 6/3: 4.B.2.a(5)(b), 4.B.3.a(8)(b), 6.B.3.a(8)
Security Alerts and Advisories
ISO/IEC 17799: 6.1.7, 10.4.1
NIST 800-26: 14.1.1, 14.1.2, 14.1.5
GAO FISCAM: SP-3.4
DOD 8500.2: VIVM-1
DCID 6/3: 8.B.7
Security Functionality Verification
NIST 800-26: 11.2.1, 11.2.2
GAO FISCAM: SS-2.2
DOD 8500.2: DCSS-1
DCID 6/3: 4.B.1.c(2), 5.B.2.b(2)
Software and Information Integrity
ISO/IEC 17799: 12.2.1, 12.2.2, 12.2.4
NIST 800-26: 11.2.1, 11.2.4
DOD 8500.2: ECSD-2
DCID 6/3: 4.B.1.c(2), 5.B.1.a(3), 5.B.2.a(6)
Spam Protection
DCID 6/3: 5.B.1.a(4)
Information Input Restrictions
ISO/IEC 17799: 12.2.1, 12.2.2
GAO FISCAM: SD-1
DCID 6/3: 2.B.9.b(11)
Information Accuracy, Completeness, Validity, and Authenticity
ISO/IEC 17799: 10.7.3, 12.2.1, 12.2.2
DCID 6/3: 7.B.2.h, 2.B.4.d
Error Handling
ISO/IEC 17799: 12.2.1, 12.2.2, 12.2.3, 12.2.4
DCID 6/3: 2.B.4.d
Information Output Handling and Retention
ISO/IEC 17799: 10.7.3, 12.2.4
DOD 8500.2: PESP-1
DCID 6/3: 2.B.4.d, 8.B.9, 8.G
Introduction
This guide has been created to assist federal agencies in effectively securing systems with Microsoft Windows Vista based on OMB Federal Desktop Core Configuration recommendations.Under the direction of OMB and in collaboration with DHS, DISA, NSA, USAF, and Microsoft, NIST has provided the following baseline to help agencies test, implement, and deploy the Microsoft Windows Vista Federal Desktop Core Configuration (FDCC) baseline. The Federal Desktop Core Configuration (FDCC) is an OMB-mandated security configuration.Please refer to the FDCC home page for additional information. http://fdcc.nist.gov
FDCC Security Settings
FDCC has identified the following controls that must be checked in order to verify compliance.
Account Policies Group
todo - description needed
Account Lockout Policy Settings
Attackers often attempt to gain access to user accounts by guessing passwords. Windows Vista can be configured to lock out (disable) an account when too many failed login attempts occur for a single user account in a certain time period. The following account lockout parameters are set in the NIST templates:One of the main challenges in setting account policies is balancing security, functionality, and usability. For example, locking out user accounts after only a few failed logon attempts in a long time period may make it more difficult to gain unauthorized access to accounts by guessing passwords, but may also sharply increase the number of calls to the help desk to unlock accounts accidentally locked by failed attempts from legitimate users. This could also cause more users to write down their passwords or choose easier-to-remember passwords. Organizations should carefully think out such issues before setting Windows Vista account policies.
Account Lockout Duration
The amount of time in seconds that an account is locked before it is automatically unlocked by the system. 15 minutes = 900 seconds A value of 0 means that an administrator must unlock the account.
900
0
900
86400
Account Lockout Threshold
The maximum number of failed attempts that can occur before the account is locked out
50
3
5
10
50
Reset Account Lockout Counter After
The time period in seconds to be used with the lockout threshold value. For example, if the threshold is set to 10 attempts and the duration is set to 15 minutes, then if more than 10 failed login attempts occur with a single user account within a 15-minute period, the account will be disabled. 15 minutes = 900 seconds
900
900
3600
86400
Account Lockout Duration
This value specifies how long the user account should be locked out. This is often set to a low but substantial value (e.g., 15 minutes), for two reasons. First, a legitimate user that is accidentally locked out only has to wait 15 minutes to regain access, instead of asking an administrator to unlock the account. Second, an attacker who is guessing passwords using brute force methods will only be able to try a small number of passwords at a time, then wait 15 minutes before trying any more. This greatly reduces the chances that the brute force attack will be successful.
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
CCE-2363-0
CCE-980
Account Lockout Threshold
The threshold value specifies the maximum number of failed attempts that can occur before the account is locked out.
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
CCE-3177-3
CCE-658
Reset Account Lockout Counter After
This specifies the time period to be used with the lockout threshold value. For example, if the threshold is set to 10 attempts and the duration is set to 15 minutes, then if more than 10 failed login attempts occur with a single user account within a 15-minute period, the account will be disabled.
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
CCE-2715-1
CCE-733
Password Policy Settings
In addition to educating users regarding the selection and use of good passwords, it is also important to set password parameters so that passwords are sufficiently strong. This reduces the likelihood of an attacker guessing or cracking passwords to gain unauthorized access to the system.86 As described in Section 3.2.1, NIST recommends the use of NTLM v2 or Kerberos instead of LM or NTLM v1 for authentication. The following parameters are specified in the NIST templates:
Enforce Password History
The number of passwords remembered
24
24
5
Maximum Password Age
The maximum age in seconds before a password expires. (90 days = 7776000 seconds; 60 days = 5184000)
7776000
5184000
7776000
Minimum Password Age
The minimum age in seconds before a password may be changed. (1 day = 86400 seconds; 5 days = 432000)
86400
86400
432000
Minimum Password Length
The minimum number of characters required for a password
8
8
9
12
14
15
Enforce Password Complexity
This value determines whether Windows Vista implements a minimum level of strong password filtering. 1 = enabled
1
0
1
Enforce Reversible Encryption When Storing Passwords
This value determines whether Windows Vista is configured to prevent passwords from being stored using a two-way hash. 1 = enabled
0
0
1
Enforce Password History
This setting determines how many old passwords the system will remember for each account. Users will be prevented from reusing any of the old passwords. For example, if this is set to 24, then the system will not allow users to reuse any of their last 24 passwords. Old passwords may have been compromised, or an attacker may have taken a long time to crack encrypted passwords. Reusing an old password could inadvertently give attackers access to the system.
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
CCE-2323-4
CCE-60
Maximum Password Age
This forces users to change their passwords regularly. The lower this value is set, the more likely users will be to choose poor passwords that are easier for them to remember (e.g., Mypasswd1, Mypasswd2, Mypasswd3). The higher this value is set, the more likely the password will be compromised and used by unauthorized parties.
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
CCE-2967-8
CCE-871
Minimum Password Age
This setting requires users to wait for a certain number of days before changing their password again. The setting prevents a user from changing a password when it reaches the maximum age and then immediately changing it back to the previous password. Unfortunately, this setting also prevents users who inadvertently reveal a new password to others from changing it immediately without administrator intervention.
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
CCE-3240-9
CCE-324
Minimum Password Length
This setting specifies the minimum length of a password in characters. The rationale behind this setting is that longer passwords are more difficult to guess and crack than shorter passwords. The downside is that longer passwords are often more difficult for users to remember. Organizations that want to set a relatively large minimum password length should encourage their users to use passphrases, which may be easier to remember than conventional passwords.
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
CCE-2883-7
CCE-100
Password Complexity
Like the Minimum Password Length setting, this setting makes it more difficult to guess or crack passwords. Enabling this setting implements complexity requirements including not having the user account name in the password and using a mixture of character types, including upper case and lower case letters, digits, and special characters such as punctuation marks.
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
CCE-3033-8
CCE-633
Reversible Password Encryption
If this setting is enabled, passwords will be stored in a decryptible format, putting them at higher risk of compromise. This setting should be disabled unless it is needed to support a legacy authentication protocol, such as Challenge Handshake Authentication Protocol (CHAP).
GPO
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
CCE-3311-8
CCE-479
Local Policies Group
todo - description needed
Audit Policy Settings
todo - description needed
Audit Account Logon Events
Audits when a user logs on or off a remote computer from this workstation.
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Audit Account Management
Audits when a user account or group is created, changed, or deleted; a user account is renamed, disabled, or enabled; a password is set or changed.
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Audit Directory Service Access
Audit Directory Service Access
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Audit Logon Events
Audits users logging on, logging off, or making a network connection to the local computer.
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Audit Object Access
Audits a user accessing an object (for example, a file, folder, registry key, or printer) that has its own SACL specified.
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Audit Policy Change
Audits every change to user rights assignment policies, audit policies, and trust policies.
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Audit Privilege Use
Audits each instance of a user exercising a user right.
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Audit Process Tracking
Audits detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Audit System Events
Audits when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Audit Account Logon Events
Audits when a user logs on or off a remote computer from this workstation.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
CCE-2820-9
CCE-3089-0
CCE-2628
CCE-2543
Audit Account Management
Audits when a user account or group is created, changed, or deleted; a user account is renamed, disabled, or enabled; a password is set or changed.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
CCE-3287-0
CCE-3234-2
CCE-2000
CCE-1646
Audit Directory Service Access
Audits the event of a user accessing an active directory object that has its own System Access Control List (SACL) specified. This setting is not applicable to Windows XP systems.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
CCE-3041-1
CCE-3309-2
CCE-2118
CCE-2390
Audit Logon Events
Audits users logging on, logging off, or making a network connection to the local computer.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
CCE-3076-7
CCE-2970-2
CCE-1686
CCE-1744
Audit Object Access
Audits a user accessing an object (for example, a file, folder, registry key, or printer) that has its own SACL specified. Auditing of success or failure of system wide object access will create numerous log entries. Certain object access failures may be normal as a result of applications requesting all access types to objects, even though the application does not require all access types to function properly. Use object access auditing with caution.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
CCE-2724-3
CCE-3243-3
CCE-2640
CCE-1991
Audit Policy Change
Audits every change to user rights assignment policies, audit policies, and trust policies.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
CCE-2746-6
CCE-2653-4
CCE-2412
CCE-2347
Audit Privilege Use
Audits each instance of a user exercising a user right. This is likely to generate a very large number of events.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
CCE-2322-6
CCE-3257-3
CCE-2431
CCE-2584
Audit of Process Tracking
Audits detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Enabling this setting will generate many events, so it should only be used when absolutely necessary.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
CCE-3024-7
CCE-2927-2
CCE-2529
CCE-2617
Audit System Events
Audits when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
CCE-2953-8
CCE-3222-7
CCE-2420
CCE-1680
Security Options Settings
Besides the Local Security Policy settings mentioned earlier in this section, additional settings called Security Options can be modified to achieve greater security than the default settings provide. The NIST templates specify values for dozens of such settings. Examples of the types of settings available are as follows:
Limiting the use of blank passwords
Renaming the default Administrator and Guest accounts
Restricting remote access to floppy and CD-ROM drives
Encrypting secure channel data in a domain
Securing the interactive logon screen (e.g., not showing the previous user’s account name, displaying a warning banner, prompting users to change passwords before they expire)
Restricting which types of network access may be performed
Specifying which types of authentication may be used (e.g., NTLM v2).
The Security Options settings can also be accessed and adjusted manually by performing the following steps:
From the Start menu, choose Control Panel.
Select Administrative Tools, and then choose Local Security Policy.
Expand Local Policies and select Security Options.
The right pane lists the security option and indicates the current setting for each. Make any necessary changes by double-clicking on the appropriate security option, modifying the setting, and clicking OK to save the change.
Accounts: Administrator account status
The Administrator account status is enabled to allow the administrator to perform configuration control of the system.
1
0
1
Status of Guest Account
This value defines the desired status of the built-in Guest account. 0 = disabled; 1 = enabled.
0
0
1
Accounts: Limit local account use to blank passwords to console logon only
This value defines the desired status of limiting the use of blank passwords. 1 = enabled; 0= disabled
1
0
1
Audit: Audit the access of global system objects
Controls the ability to audit access of global systems objects. When this setting is enabled, system objects such as mutexes, events, semaphores, and DOS devices, are created with a default system access control list (SACL).
0
0
1
Audit: Audit the use of Backup and Restore privilege
Controls the ability to audit the use of all user privileges, including Backup and Restore. If this policy is disabled, certain user rights will not be audited even if "Audit privilege use" audit policy is enabled.
00
00
01
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
1
0
1
Audit: Shut down system immediately if unable to log security audits
If events cannot be written to the security log, the system is halted immediately. If the system halts as a result of a full log, an administrator must log ont the system and clear the log.
0
0
1
Devices: Allow only administrators to format and eject removable media
Verifies that only the correct users are allowed to format and eject removable media 0 - Only Administrator, 1 - Only Administrators and power users, 2 - Only Administrators and Interactive user
0
0
1
2
Prevent Users From Installing Printer Drivers
Defines who is allowed to add and to delete printer drivers on the local system. 1 = Enabled; 0 = disabled
0
0
1
Restrict Access to CDROM Drive
This value determines if access to the CDROM drive is restricted to locally logged-on users. 1 = restricted
0
0
1
Restrict Access to Floppy Drive
This value determines if access to the floppy drive is restricted to locally logged-on users. 1 = restricted
0
0
1
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt or sign secure channel data (always). Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted or signed. If this policy is enabled, outgoing secure channel traffic should be encrypted.
1
0
1
Domain member: Digitally encrypt secure channel data (when possible)
Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic should be encrypted.
1
0
1
Domain member: Digitally sign secure channel data (when possible)
Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, all outgoing secure channel traffic should be signed.
1
0
1
Domain member: Disable machine account password changes
Computer account passwords are changed automatically every seven days. Enabling this policy to disable automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for your system. If this policy is disabled, a new password for the computer account will be generated every week.
1
0
1
Maximum Machine Account Password Age
This setting controls the maximum password age that a machine account may have.
30
7
30
Require Strong Session Key
This setting controls the required strength of a session key.
1
0
1
Interactive logon: Do not display last user name
This setting determines whether the name of the last user to log on to the computer will be displayed in the Windows logon dialog box.
1
0
1
Interactive logon: Do not require CTRL+ALT+DEL
Disabling the Ctrl+Alt+Del security attention sequence can compromise system security. Because only Windows responds to the Ctrl+Alt+Del security sequence, you can be assured that any passwords you enter following that sequence are sent only to Windows. If you eliminate the sequence requirement, malicious programs can request and receive your Windows password. Disabling this sequence also suppresses a custom logon banner. 0 = disabled
0
0
1
Interactive logon: Message text for users attempting to log on
Specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
.+
.+
Interactive logon: Message title for users attempting to log on
The logon banner should be titled with a warning label containing the name of the owning organization.
.+
.+
Number of Previous Logons to Cache (in Case Domain Controller Is Not Available)
Defines the number of last logon credentials cached for users who log on interactively to a system.
2
0
1
2
5
10
Prompt User to Change Password Before Expiration
This setting configures the system to display a warning to users telling them how many days are left before their password expires.
14
14
Require Domain Controller Authentication to Unlock Workstation
This setting controls the behavior of the system when you attempt to unlock the workstation. If this setting is enabled, the system will pass the credentials to the domain controller (if in a domain) for authentication before allowing the system to be unlocked.
0
0
1
Smart Card Removal Behavior
This value determines the desired behavior when a smart card is removed. 0 - No action 1 - Lock workstation 2 - Force logoff
1
0
1
2
Client Digitally Sign Communications (Always)
This check verifies that the client policy is set to always sign packets.
0
0
1
Microsoft network client: Digitally sign communications (if server agrees)
This check verifies that the client policy is set to sign packets if the server agrees.
1
0
1
Microsoft network client: Send unencrypted password to third-party SMB servers
Some non-Microsoft SMB servers only support unencrypted (plain text) password authentication. Sending plain text passwords across the network, when authenticating to an SMB server, reduces the overall security of the environment. Check with the Vendor of the SMB server to see if there is a way to support encrypted password authentication.
0
0
1
Amount of Idle Time Required Before Suspending Session
Administrators should use this setting to control when a computer disconnects an inactive SMB session. If client activity resumes, the session is automatically reestablished.
15
15
Microsoft network server: Digitally sign communications (always)
This check verifies that the server policy is set to always sign packets.
1
0
1
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Digitally sign communications (if client agrees). This check verifies that the server policy is set to sign packets if the client agrees.
1
0
1
Microsoft network server: Disconnect clients when logon hours expire
Users should not be permitted to remain logged on to the network after they have exceeded their permitted logon hours. In many cases, this indicates that a user forgot to log off before leaving for the day. However, it may also indicate that a user is attempting unauthorized access at a time when the system may be less closely monitored.
1
0
1
MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended)
Determines whether the automatic logon feature is enabled. Automatic logon uses the domain, user name, and password stored in the registry to log users on to the computer when the system starts. The Log On to Windows dialog box is not displayed.
0
0
1
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
todo - description needed
0
0
1
2
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
todo - description needed
0
0
1
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
todo - description needed
0
0
1
MSS: (KeepAliveTime)How often keep-alive packets are sent in milliseconds
This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. HKLM\System\CurrentControlSet\Tcpip\Parameters\KeepAliveTime
300000
300000
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
Network basic input/output system (NetBIOS) over TCP/IP is a networking protocol that, among other things, provides a means of easily resolving NetBIOS names registered on Windows- based systems to the IP addresses configured on those systems. This value determines whether the computer releases its NetBIOS name when it receives a name release request. The NoNameReleaseOnDemand setting configures the system to refuse name release requests to release its SMB name. This setting prevents an attacker from sending a name release request to a server, causing the server to be inaccessible to legitimate clients. If this setting is configured on a client, however, and that client is mis-configured with the same name as a critical server, the server will be unable to recover the name, and legitimate requests may be directed to the rogue server instead, causing a denial of service condition at best.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\ NoNameReleaseOnDemand registry key.
1
0
1
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) (Disabled = 0)
Vista supports 8.3 file name formats for backward compatibility with 16- bit applications. The 8.3 file name convention is a naming format that allows file names that are up to eight characters in length. The following registry value entry has been added to the template in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\ NtfsDisable8dotNameCreation registry key.
1
0
1
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS)
This setting is used to enable or disabled the Internet Router Discovery Protocol (IRDP). IRDP allows the system to detect and configure Default Gateway addresses automatically. HKLM\System\CurrentControlSet\Tcpip\Parameters\PerformRouterDiscovery
0
0
1
2
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
Most programs on the Windows platform make use of various Dynamic Link Libraries (DLL) to avoid having to reimplement functionality. The operating system actually loads several DLLs for each program, depending on what type of program it is. When the program does not specify an absolute location for a DLL, the default search order is used to locate it. By default, the search order used by the operating system is as follows: 1. Memory 2. KnownDLLs 3. Manifests and .local 4. Application directory 5. Current working directory 6. System directories (%systemroot%, %systemroot%\system, and %systemroot%\system32) 7. The path variable The fact that the current working directory is searched before the system directories can be used by someone with access to the file system to cause a program launched by a user to load a spoofed DLL. If a user launches a program by double-clicking a document, the current working directory is actually the location of the
document. If a DLL in that directory has the same name as a system DLL in that location will then be loaded instead of the system DLL. This attack vector was actually used by the Nimda virus. To combat this, a new setting was created in Service Pack 3, which moves the current working directory to after the system directories in the search order. To avoid application compatibility issues, however, this switch was not turned on by default. To turn it on, set the following registry valueMACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
1
0
1
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
Setting Added to Registry to Make Screensaver Password Protection Immediate The default grace period allowed for user movement before the screen – saver lock takes effect is five seconds. Leaving the grace period in the default setting makes your computer vulnerable to a potential attack from someone walking up to the console to attempt to log onto the system before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period.
0
0
5
MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
This registry value causes TCP to adjust retransmission of SYN- ACKs. When you configure this value, the connection responses time- out more quickly in the event of a connect request (SYN) attack. 1 = Connections timeout more quickly if a SYN attack is detected 0 = No additional protection, use default settings Note: W2K had another option = 2 that has been incorporated into option 1 in W2K3. HKLM\System\CurrentControlSet\Tcpip\Parameters\SynAttackProtect
1
0
1
MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
This parameter determines the number of times that TCP retransmits a SYN before aborting the attempt. The retransmission time-out is doubled with each successive retransmission in a given connect attempt. The initial time-out value is three seconds. 0 = No retransmission, half- open connections dropped after 3 seconds 1 = 3 seconds, half- open connections dropped after 9 seconds 2 = 3 and 6 seconds, half- open connections dropped after 21 seconds 3 = 3, 6, and 9 seconds, half- open connections dropped after 45 seconds HKLM\System\CurrentControlSet\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions
2
0
1
2
3
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
3
3
5
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Windows Server 2003 and Service Pack 3 for Windows 2000 include a new feature for generating a security audit in the security event log when the security log reaches a user defined threshold. Note: new to W2K3 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel
90
90
Network access: Allow anonymous SID/Name translation
todo - description needed
False
False
True
Network access: Do not allow anonymous enumeration of SAM accounts
todo - description needed
1
0
1
Network access: Do not allow anonymous enumeration of SAM accounts and shares
todo - description needed
1
0
1
Network access: Do not allow storage of credentials or .NET Passports for network authentication
Network access: Do not allow storage of credentials or .NET Passports for network authentication
1
0
1
Network access: Let Everyone permissions apply to anonymous users
Network access: Let Everyone permissions apply to anonymous users
0
0
1
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Restrict anonymous access to Named Pipes and Shares
1
0
1
Network access: Sharing and security model for local accounts
Network access: Sharing and security model for local accounts
0
0
1
Network security: Do not store LAN Manager hash value on next password change
Network security: Do not store LAN Manager hash value on next password change
Enabled
Disabled
Enabled
Network security: Force logoff when logon hours expire
Network security: Force logoff when logon hours expire
0
0
1
Network Security: LAN Manager Authentication Level
Network Security: LAN Manager Authentication Level
3
0
1
2
3
4
5
Network Security: LDAP client signing requirements
Network Security: LDAP client signing requirements
1
0
1
2
Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients
537395200
537395200
Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers
Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers
537395200
537395200
Recovery Console: Allow Automatic Administrative Logon
Recovery Console: Allow Automatic Administrative Logon
0
0
1
Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders
Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders
0
0
1
Shutdown: Allow System to be Shut Down Without Having to Log On
Shutdown: Allow System to be Shut Down Without Having to Log On
0
0
1
Shutdown: Clear Virtual Memory Pagefile
Shutdown: Clear Virtual Memory Pagefile
1
0
1
System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
0
0
1
System objects: Require case insensitivity for non-Windows subsystems
System objects: Require case insensitivity for non-Windows subsystems
0
0
1
System objects: Strengthen default permissions of internal system objects
System objects: Strengthen default permissions of internal system objects
1
0
1
Accounts: Administrator account status
The Administrator account status is enabled to allow the administrator to perform configuration control of the system.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3032-0
CCE-499
Accounts: Guest account status
A system faces an increased vulnerability threat if the built-in guest account is not disabled. This account is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned. This account is a member of the Everyone user group and has all the rights and permissions associated with that group, which could subsequently provide access to system resources to anonymous users. Ensure the built-in guest account is disabled.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3248-2
CCE-332
Accounts: Limit local account use to blank passwords to console logon only
In Windows Vista, accounts with null or blank passwords can only be used to log on at the physical system’s logon screen. This means that accounts with blank or null passwords cannot be used over networks or with the secondary logon service (RunAs). This feature prevents attackers and malware from gaining remote access through blank passwords. Section 6 contains information on other recommended password settings.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-2398-6
CCE-533
Accounts: Rename administrator account
The Administrator account is created by default when installing Windows Vista, but is disabled. Associating the Administrator SID with a different name may thwart a potential hacker who is targeting the built-in Administrator account.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-2714-4
CCE-438
Accounts: Rename guest account
The Guest account is created by default when installing Windows Vista, but is disabled. Associating the Guest SID with a different name may thwart a potential hacker who is targeting the built-in Guest account.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-2359-8
CCE-834
Audit: Audit the access of global system objects
Controls the ability to audit access of global systems objects. When this setting is enabled, system objects such as mutexes, events, semaphores, and DOS devices, are created with a default system access control list (SACL).
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3285-4
CCE-2
Audit: Audit the use of Backup and Restore privilege
Controls the ability to audit the use of all user privileges, including Backup and Restore. If this policy is disabled, certain user rights will not be audited even if "Audit privilege use" audit policy is enabled.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3303-5
CCE-905
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3450-4
CCE-111
Audit: Shut down system immediately if unable to log security audits
If events cannot be written to the security log, the system is halted immediately. If the system halts as a result of a full log, an administrator must log ont the system and clear the log.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3001-5
CCE-92
Devices: Allowed to format and eject removable media
Verifies that only the correct users are allowed to format and eject removable media>
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3225-0
CCE-919
Devices: Prevent users from installing printer drivers
This setting determines who is allowed to install a printer driver as part of adding a network printer.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3325-8
CCE-402
Devices: Restrict CD-ROM access to locally logged-on user only
Removable media devices (CD-ROM) are readable by others on the network if they are not properly configured. A process can remain running in the background after a user logs off, thereby, permitting access to the media, while another user is logged on to the system.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-2858-9
CCE-565
Devices: Restrict floppy access to locally logged-on user only
Removable media devices (floppy disks) are readable by others on the network if they are not properly configured. A process can remain running in the background after a user logs off, thereby, permitting access to the media, while another user is logged on to the system.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3168-2
CCE-463
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt or sign secure channel data (always). Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted or signed. If this policy is enabled, outgoing secure channel traffic should be encrypted.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3330-8
CCE-549
Domain member: Digitally encrypt secure channel data (when possible)
Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic should be encrypted.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-2467-9
CCE-161
Domain member: Digitally sign secure channel data (when possible)
Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, all outgoing secure channel traffic should be signed.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3233-4
CCE-918
Domain member: Disable machine account password changes
Computer account passwords are changed automatically every seven days. Enabling this policy to disable automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for your system. If this policy is disabled, a new password for the computer account will be generated every week.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3255-7
CCE-831
Domain member: Maximum machine account password age
This setting controls the maximum password age that a machine account may have. This setting should be set to no more that 30 days, ensuring that the machine changes its password monthly.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3075-9
CCE-194
Domain member: Require strong session key
This setting controls the required strength of a session key.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3212-8
CCE-417
Interactive logon: Do not display last user name
This setting determines whether the name of the last user to log on to the computer will be displayed in the Windows logon dialog box.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3173-2
CCE-65
Interactive logon: Do not require CTRL+ALT+DEL
Disabling the Ctrl+Alt+Del security attention sequence can compromise system security. Because only Windows responds to the Ctrl+Alt+Del security sequence, you can be assured that any passwords you enter following that sequence are sent only to Windows. If you eliminate the sequence requirement, malicious programs can request and receive your Windows password. Disabling this sequence also suppresses a custom logon banner.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3307-6
CCE-133
Interactive logon: Message text for users attempting to log on
Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3336-5
CCE-829
Interactive logon: Message title for users attempting to log on
The logon banner should be titled with a warning label containing the name of the owning organization.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3314-2
CCE-23
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
The default Windows XP configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons such as the users machine is disconnected from the network or domain controllers are not available. Even though the credential cache is well-protected, storing encrypted copies of users passwords on workstations do not always have the same physical protection required for domain controllers. If a workstation is attacked, the unauthorized individual may isolate the password to a domain user account using a password-cracking program, and gain access to the domain.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-2376-2
CCE-773
Interactive logon: Prompt user to change password before expiration
This setting configures the system to display a warning to users telling them how many days are left before their password expires. By giving the user advanced warning, the user has time to construct a sufficiently strong password.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3230-0
CCE-814
Interactive logon: Require Domain Controller authentication to unlock workstation
This setting controls the behavior of the system when you attempt to unlock the workstation. If this setting is enabled, the system will pass the credentials to the domain controller (if in a domain) for authentication before allowing the system to be unlocked.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3220-1
CCE-374
Interactive logon: Smart card removal behavior
When the smart card for a logged-on user is removed from the smart card reader, the workstation should be locked.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3251-6
CCE-443
Microsoft network client: Digitally sign communications (always)
This check verifies that the client policy is set to always sign packets.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3252-4
CCE-576
Microsoft network client: Digitally sign communications (if server agrees)
This check verifies that the client policy is set to sign packets if the server agrees.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-2380-4
CCE-519
Microsoft network client: Send unencrypted password to third-party SMB servers
Some non-Microsoft SMB servers only support unencrypted (plain text) password authentication. Sending plain text passwords across the network, when authenticating to an SMB server, reduces the overall security of the environment. Check with the Vendor of the SMB server to see if there is a way to support encrypted password authentication.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-2838-1
CCE-228
Microsoft network server: Amount of idle time required before suspending session
Administrators should use this setting to control when a computer disconnects an inactive SMB session. If client activity resumes, the session is automatically reestablished.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-2519-7
CCE-222
Microsoft network server: Digitally sign communications (always)
This check verifies that the server policy is set to always sign packets.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3023-9
CCE-171
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Digitally sign communications (if client agrees). This check verifies that the server policy is set to sign packets if the client agrees.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3164-1
CCE-104
Microsoft network server: Disconnect clients when logon hours expire
Users should not be permitted to remain logged on to the network after they have exceeded their permitted logon hours. In many cases, this indicates that a user forgot to log off before leaving for the day. However, it may also indicate that a user is attempting unauthorized access at a time when the system may be less closely monitored.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3361-3
CCE-278
MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended)
Determines whether the automatic logon feature is enabled. Automatic logon uses the domain, user name, and password stored in the registry to log users on to the computer when the system starts. The Log On to Windows dialog box is not displayed.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3072-6
CCE-283
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3261-5
CCE-564
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3120-3
CCE-897
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3239-1
CCE-150
MSS: (KeepAliveTime)How often keep-alive packets are sent in milliseconds
This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet. HKLM\System\CurrentControlSet\Tcpip\Parameters\KeepAliveTime
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3142-7
CCE-188
MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended)
MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-4904-9
CCE-501
MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended)
Disable Autorun on all drives, any pluggable device included (not just CDs) Affects registry key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-2719-3
CCE-44
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
Network basic input/output system (NetBIOS) over TCP/IP is a networking protocol that, among other things, provides a means of easily resolving NetBIOS names registered on Windows- based systems to the IP addresses configured on those systems. This value determines whether the computer releases its NetBIOS name when it receives a name release request. The NoNameReleaseOnDemand setting configures the system to refuse name release requests to release its SMB name. This setting prevents an attacker from sending a name release request to a server, causing the server to be inaccessible to legitimate clients. If this setting is configured on a client, however, and that client is mis-configured with the same name as a critical server, the server will be unable to recover the name, and legitimate requests may be directed to the rogue server instead, causing a denial of service condition at best.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\ NoNameReleaseOnDemand registry key.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-2785-4
CCE-817
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)
Vista supports 8.3 file name formats for backward compatibility with 16- bit applications. The 8.3 file name convention is a naming format that allows file names that are up to eight characters in length. The following registry value entry has been added to the template in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\ NtfsDisable8dotNameCreation registry key.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3244-1
CCE-511
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS)
This setting is used to enable or disabled the Internet Router Discovery Protocol (IRDP). IRDP allows the system to detect and configure Default Gateway addresses automatically. HKLM\System\CurrentControlSet\Tcpip\Parameters\PerformRouterDiscovery
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3279-7
CCE-952
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
Most programs on the Windows platform make use of various Dynamic Link Libraries (DLL) to avoid having to reimplement functionality. The operating system actually loads several DLLs for each program, depending on what type of program it is. When the program does not specify an absolute location for a DLL, the default search order is used to locate it. By default, the search order used by the operating system is as follows: 1. Memory 2. KnownDLLs 3. Manifests and .local 4. Application directory 5. Current working directory 6. System directories (%systemroot%, %systemroot%\system, and %systemroot%\system32) 7. The path variable The fact that the current working directory is searched before the system directories can be used by someone with access to the file system to cause a program launched by a user to load a spoofed DLL. If a user launches a program by double-clicking a document, the current working directory is actually the location of the
document. If a DLL in that directory has the same name as a system DLL in that location will then be loaded instead of the system DLL. This attack vector was actually used by the Nimda virus. To combat this, a new setting was created in Service Pack 3, which moves the current working directory to after the system directories in the search order. To avoid application compatibility issues, however, this switch was not turned on by default. To turn it on, set the following registry valueMACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3199-7
CCE-271
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
Setting Added to Registry to Make Screensaver Password Protection Immediate The default grace period allowed for user movement before the screen – saver lock takes effect is five seconds. Leaving the grace period in the default setting makes your computer vulnerable to a potential attack from someone walking up to the console to attempt to log onto the system before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3050-2
CCE-830
MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
This registry value causes TCP to adjust retransmission of SYN- ACKs. When you configure this value, the connection responses time- out more quickly in the event of a connect request (SYN) attack. 1 = Connections timeout more quickly if a SYN attack is detected 0 = No additional protection, use default settings Note: W2K had another option = 2 that has been incorporated into option 1 in W2K3. HKLM\System\CurrentControlSet\Tcpip\Parameters\SynAttackProtect
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-2679-9
CCE-284
MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
This parameter determines the number of times that TCP retransmits a SYN before aborting the attempt. The retransmission time-out is doubled with each successive retransmission in a given connect attempt. The initial time-out value is three seconds. 0 = No retransmission, half- open connections dropped after 3 seconds 1 = 3 seconds, half- open connections dropped after 9 seconds 2 = 3 and 6 seconds, half- open connections dropped after 21 seconds 3 = 3, 6, and 9 seconds, half- open connections dropped after 45 seconds HKLM\System\CurrentControlSet\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3459-5
CCE-577
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3460-3
CCE-872
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Windows Server 2003 and Service Pack 3 for Windows 2000 include a new feature for generating a security audit in the security event log when the security log reaches a user defined threshold. Note: new to W2K3 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3181-5
CCE-125
Network access: Allow anonymous SID-Name translation
Determines if an anonymous user can request security identifier (SID) attributes for another user or use a SID to get the corresponding username.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-2339-0
CCE-953
Network access: Do not allow anonymous enumeration of SAM accounts
If this setting is disabled, it allows anonymous logon users (null session connections) to list all account names, thus providing a map of potential points to attack the system.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3272-2
CCE-318
Network access: Do not allow anonymous enumeration of SAM accounts and shares
If this setting is disabled, it allows anonymous logon users (null session connections) to list all account names and enumerate all shared resources, thus providing a map of potential points to attack the system.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3232-6
CCE-195
Network access: Do not allow storage of credentials or .NET Passports for network authentication
This setting controls the storage of authentication credentials or .NET passports on the local system. Such credentials should never be stored on the local machine as that may lead to account compromise.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3379-5
CCE-542
Network access: Let Everyone permissions apply to anonymous users
This setting helps define the permissions that anonymous users have. If this setting is enabled then anonymous users have the same rights and permissions as the built-in Everyone group. Anonymous users should not have these permissions or rights.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-2457-0
CCE-18
Network access: Named Pipes that can be accessed anonymously - netlogon, lsarpc, samr, browser
Network access: Named Pipes that can be accessed anonymously. Pipes are internal system communications processes. They are identified internally by ID numbers that vary between systems. To make access to these processes easier, these pipes are given names that do not vary between systems. This setting controls which of these pipes anonymous users may access.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3380-3
CCE-136
Network access: Remotely accessible registry paths(System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion)
Network access: Remotely accessible registry paths(System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion)
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-2825-8
CCE-189
Network access: Remotely accessible registry paths and sub paths ("Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog")
Network access: Remotely accessible registry paths ("Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog")
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-4781-1
CCE-1185
Network access: Restrict anonymous access to Named Pipes and Shares
This check determines whether anonymous access is restricted to named pipes and shares.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3292-0
CCE-638
Network access: Shares that can be accessed anonymously
This setting controls which network shares may be accessed by an anonymous user. The default setting includes the shares, DFS$, and COMCFG. It is recommended that they be left as the default setting.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3349-8
CCE-942
Network access: Sharing and security model for local accounts
Windows XP includes two network-sharing security models Classic and Guest only. It is recommended that the Classic mode be used.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3367-0
CCE-343
Network security: Do not store LAN Manager hash value on next password change
This setting controls whether or not a LAN Manager hash of the password is stored in the SAM the next time the password is changed. The LAN Manager hash is a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3138-5
CCE-233
Network security: Force logoff when logon hours expire
This setting controls whether or not users are forced to log off when their allowed logon hours expire. If logon hours are set for users, then this should be enforced.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3283-9
CCE-775
Network Security: LAN Manager Authentication Level
Windows network authentication has changed considerably as various security vulnerabilities have been identified and fixed. The original LAN Manager (or LM) password hash is considered very weak, but is still used by most Windows 9x clients. Using commercially available software, and off-the-shelf computers, most LM password hashes can be used to reveal the actual password in a matter of days, or hours. With the release of Windows NT 4.0, Microsoft developed NTLM authentication. Serious vulnerabilities made NTLM almost as easy to crack as LM, so NTLM version 2 (NTLMv2) was introduced. NTLMv2 provides significant improvements to security; when combined with strong password policy, accounts are well protected against brute force attacks. All of these authentication methods are incorporated into Windows 2000. All authentication models work with a hash of the password, not the password itself. This presents challenges with down-level compatibility
between operating systems. In order to smooth the transition, when one computer attempts to authenticate with another, the default behavior is to send the basic LM hash along with the more secure NTLM hash. This setting improves control over the response to an authentication challenge: Send LM and NTLM responses, Send LM and NTLM, Use NTLMv2 session security if negotiated, Send NTLM response only, Send NTLMv2 response only, Send NTLMv2 response only\refuse LM, Send NTLMv2 response only\refuse LM and NTLM, The default, and weakest option, is the first: send LM and NTLM responses. As a result, using NTLM is ineffective because both protocols are sent together. In order to take a much more effective stand to protect network authentication, set LAN Manager Authentication Level to Send NTLMv2 response only\refuse LM and NTLM. Enabling this setting may have adverse effects on your ability to communicate with other Windows machines unless the change is made
network-wide. If you find that you are unable to require a certain level of LM Authentication, back down to “Send LM and NTLM – Use NTLMv2 session security if negotiated” and try your network authentication again. Communication with Windows 9x/Me machines requires the DSCLIENT.EXE utility from the Windows 2000 installation CD.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-4922-1
CCE-719
Network Security: LDAP client signing requirements
Similar to the SMB protocol, the LDAP protocol supports signing. LDAP, “Lightweight Directory Access Protocol,” provides one means for the client to talk to active directory. LDAP protocol is text-based, but supports authentication to gain access to sensitive sections of the directory. Require signing to provide the assurance of mutual authentication for this communications channel.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-4940-3
CCE-732
Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients
NTLM authentication can provide a security service to manage connection between various clients and servers, including through the Remote Procedure Call (RPC) service. Windows 2000 improved the security model for secure, authenticated client-server communications; this setting manages the new features for communications established by this workstation.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-4583-1
CCE-674
Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers
Similar to "Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients", this setting manages features for communication services provided by this workstation to other computers.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-4213-5
CCE-766
Recovery Console: Allow Automatic Administrative Logon
The Recovery Console, new to Windows 2000 and XP, provides a limited command-line access to an otherwise unbootable operating system. The console allows access to the NTFS file system, which does not natively allow access when the operating system becomes unbootable. Other third-party applications have been developed to perform this action as well, but the Recovery Console is part of the operating system. It can be installed from the Windows 2000 CD with the “d:\i386\winnt32.exe /cmdcons” command. It can also be run directly from the Windows 2000 installation CD. The Recovery Console does not grant full and unrestricted access to the operating system by default. It does require that you log on using the password of the default Administrator account. Keep in mind that this must be the local administrator account, not just a member of the local administrators group. Also, the policy for renaming the administrator account does not apply to the
recovery console, and that password must be used. If configured, a boot to the recovery console could result in automatic logon, and bypass the need for the password of the administrator account. Since this gives administrator access to anyone who can reboot the computer, the setting is generally disabled.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-4107-9
CCE-410
Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders
By default, the Recovery Console only allows access to the root folder of each drive, and the operating system folder (typically C:\Windows). The console also prevents copying files from the hard drive onto removable media. Although this protection can be bypassed by enabling floppy copy and drive access, the setting is enabled by default and should remain disabled.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3953-7
CCE-76
Shutdown: Allow System to be Shut Down Without Having to Log On
Some systems run critical processes and should only be shut down by authorized users. Occasionally, special processes could be evoked during system startup, sometimes even trojaned processes. In environments where abnormal system reboots could cause problems, require a logon prior to reboot.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3954-5
CCE-224
Shutdown: Clear Virtual Memory Pagefile
Virtual memory extends the physical memory available to the CPU. As data and applications fill the available physical memory, the operating system writes less-frequently used pages of memory out to disk, into the virtual memory pagefile. This greatly extends the amount of “virtual” memory available to the computer. Since the pagefile contains information that was in memory, it potentially holds a great deal of information useful for an attacker. Digging through the pagefile can reveal SSL web pages, queries set from the client to databases, sometimes even user ids and passwords from poorly written applications. The workstation does not clean this information from the pagefile on shutdown. Although the file can not be accessed when booted in Windows, anyone booting the workstation to an alternate operating system (e.g., from a boot CD) may access the page file. Enabling this options provides greater security by erasing the data during normal
operations; however, this may also significantly increase the time required to shut down the computer. When enabled, the hibernation file (hiberfil.sys) is also cleaned on shutdown.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-3969-3
CCE-422
System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-4774-6
CCE-55
System objects: Require case insensitivity for non-Windows subsystems
The Windows operating systems ignore case when accessing resources; for example, “C:\Windows”, “C:\WINDOWS” and “c:\windows” all refer to the same directory. However, the Windows kernel allows interfaces with other case-sensitive operating systems (e.g., Unix). Enabling this setting causes the interoperability features to be case-insensitive as well. This setting has no effect when the workstation communicates only with other Windows systems.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-4841-3
CCE-300
System objects: Strengthen default permissions of internal system objects
This setting actually digs deep into the operating system behavior and should be left at the default setting (Enabled) unless explicitly required. “Internal system objects” are shared physical and logical resources such as semaphores and DOS device name; the objects all are created with access control lists (ACLs). When enabled, the ACL allows other non-administrative system processes to query internal system objects, but will not allow them to modify them.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-4011-3
CCE-508
User Account Control
User Account Control (UAC) is a new security component in Windows Vista. UAC enables users to perform common tasks as non-administrators, called standard users in Windows Vista, and as administrators without having to switch users, log off, or use Run As. A standard user account is synonymous with a user account in Windows XP. User accounts that are members of the local Administrators group will run most applications as a standard user. By separating user and administrator functions while enabling productivity, UAC is an important enhancement for Windows Vista.
Admin Approval Mode for the Built-in Administrator account
This security setting determines the behavior of Admin Approval Mode for the Built-in Administrator account.
0
0
1
Behavior of the elevation prompt for administrators in Admin Approval Mode
This security setting determines the behavior of the elevation prompt for administrators.
0
0
1
2
Behavior of the elevation prompt for standard users
This security setting determines the behavior of the elevation prompt for standard users.
0
0
1
Detect application installations and prompt for elevation
This security setting determines the behavior of application installation detection for the computer.
0
0
1
Only elevate executables that are signed and validated
This security setting will enforce public key infrastructure (PKI) signature checks on any interactive application that requests elevation of privilege. Enterprise administrators can control which administrative applications are allowed through the certificates in the local computer's Trusted Publishers certificate store.
0
0
1
Only elevate UIAccess applications that are installed in secure locations
This security setting will enforce the requirement that applications requesting to be run with a UIAccess integrity level must reside in a secure location on the file system.
0
0
1
Run all administrators in Admin Approval Mode
This security setting determines the behavior of all UAC policies for the entire system.
0
0
1
Switch to the secure desktop when prompting for elevation
This security setting determines whether the elevation prompt appears on the interactive user's desktop or the secure desktop.
0
0
1
Virtualize file and registry write failures to per-user locations
This security setting enables the redirection of application write failures to defined locations in both the registry and file system. This feature mitigates those applications that historically ran as administrator and wrote runtime application data to protected locations (%ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software\...). Virtualization facilitates the running of applications that historically failed to run as standard user because of application write failures.
0
0
1
Admin Approval Mode for the Built-in Administrator account
The "User Account Control: Admin Approval Mode for the Built-in Administrator account" setting should be configured correctly.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-4955-1
CCE-1078
Behavior of the elevation prompt for administrators in Admin Approval Mode
The "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" setting should be configured correctly.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-4016-2
CCE-1063
Behavior of the elevation prompt for standard users
The "User Account Control: Behavior of the elevation prompt for standard users" setting should be configured correctly.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-4969-2
CCE-1067
Detect application installations and prompt for elevation
The "User Account Control: Detect application installations and prompt for elevation" setting should be configured correctly.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-4612-8
CCE-1128
Only elevate executables that are signed and validated
The "User Account Control: Only elevate executables that are signed and validated" setting should be configured correctly.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-5004-7
CCE-1104
Only elevate UIAccess applications that are installed in secure locations
The "User Account Control: Only elevate UIAccess applications that are installed in secure locations" setting should be configured correctly.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-4020-4
CCE-986
Run all administrators in Admin Approval Mode
The "User Account Control: Run all administrators in Admin Approval Mode" setting should be configured correctly.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-4907-2
CCE-1050
Switch to the secure desktop when prompting for elevation
The "User Account Control: Switch to the secure desktop when prompting for elevation" setting should be configured correctly.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-4925-4
CCE-230
Virtualize file and registry write failures to per-user locations
The "User Account Control: Virtualize file and registry write failures to per-user locations" setting should be configured correctly.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-4194-7
CCE-673
User Rights Assignments
The NIST security templates specify which groups (e.g., Administrators, Users) have certain user rights. The goal is for each group to have only the necessary rights, and for users to only belong to the necessary groups. This is the principle of least privilege, described previously in Section 2.2. Examples of user rights that can be specified are as follows:
Accessing the system remotely and locally
Performing backups
Changing the time and date on the system
Managing the logs
Shutting down the system.
Verify that the user right '' has been granted appropriately.
Right To Access This Computer From The Network
Verify that the user right 'Access This Computer From The Network' has been granted appropriately. (Only Administrators) NOTE: This can break IPSec see Microsoft Knowledge Base article 823659 for further guidance
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4334-9
CCE-532
Right To Act As Part Of The Operating System
Verify that the user right 'Act As Part Of The Operating System' has been granted appropriately. (No One)
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4088-1
CCE-162
Right To Adjust Memory Quotas For A Process
Verify that the user right 'Adjust Memory Quotas For A Process' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4854-6
CCE-807
Right To Log On Locally
Verify that the user right 'Allow Log On Locally' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4872-8
CCE-965
Right To Log On Through Terminal Services
Verify that the user right 'Allow Log On Through Terminal Services' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4264-8
CCE-883
Right To Back Up Files and Directories
Verify that the user right 'Back Up Files and Directories' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4827-2
CCE-931
Right To Bypass Traverse Checking
Verify that the user right 'Bypass Traverse Checking' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4973-4
CCE-376
Right To Change the System Time
Verify that the user right 'Change the System Time' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4863-7
CCE-799
Change the time zone
The "Change the time zone" user right should be assigned to the appropriate accounts.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-5008-8
CCE-470
Right To Create A Pagefile
Verify that the user right 'Create A Pagefile' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4757-1
CCE-895
Right To Create A Token Object
Verify that the user right 'Create A Token Object' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4902-3
CCE-926
Right To Create Global Objects
Verify that the user right 'Create Global Objects' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4792-8
CCE-383
Right To Create Permanent Shared Objects
Verify that the user right 'Create Permanent Shared Objects' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4184-8
CCE-335
Right To Debug Programs
Verify that the user right 'Debug Programs' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4687-0
CCE-842
Denied Access To This Computer From The Network
Verify that the user right 'Deny Access To This Computer From The Network' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4704-3
CCE-898
Denied Logon As A Batch Job
Verify that the user right 'Deny Logon As A Batch Job' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4722-5
CCE-165
Denied Logon As A Service
Verify that the user right 'Deny Logon As A Service' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4867-8
CCE-597
Denied Logon Locally
Verify that the user right 'Deny Logon Locally' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4889-2
CCE-64
Denied Logon Through Terminal Services
Verify that the user right 'Deny Logon Through Terminal Services' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4656-5
CCE-108
Right To Force Shutdown From A Remote System
Verify that the user right 'Force Shutdown From A Remote System' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4673-0
CCE-754
Right To Generate Security Audits
Verify that the user right 'Generate Security Audits' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4488-3
CCE-939
Impersonate a Client After Authentication
Verify that the user right 'Impersonate a Client After Authentication' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4382-8
CCE-304
Increase a Process Working Set
The "Increase a Process Working Set" setting should be configured correctly.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4651-6
CCE-1027
Right To Increase Scheduling Priority
Verify that the user right 'Increase Scheduling Priority' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4796-9
CCE-349
Right To Load And Unload Device Drivers
Verify that the user right 'Load And Unload Device Drivers' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4034-5
CCE-860
Right To Lock Pages In Memory
Verify that the user right 'Lock Pages In Memory' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4317-4
CCE-749
Right To Log On As A Batch Job
Verify that the user right 'Log On As A Batch Job' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4083-2
CCE-177
Right To Log On As A Service
Verify that the user right 'Log On As A Service' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4038-6
CCE-216
Right To Manage Auditing And Security Log
Verify that the user right 'Manage Auditing And Security Log' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4046-9
CCE-850
Modify an object label
The "Modify an object label" user right should be assigned to the appropriate accounts.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4285-3
CCE-1023
Right To Modify Firmware Environment Values
Verify that the user right 'Modify Firmware Environment Values' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4048-5
CCE-17
Right To Perform Volume Maintenance Tasks
Verify that the user right 'Perform Volume Maintenance Tasks' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4071-7
CCE-314
Right To Profile Single Process
Verify that the user right 'Profile Single Process' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4962-7
CCE-260
Right To Profile System Performance
Verify that the user right 'Profile System Performance' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4618-5
CCE-599
Right To Remove Computer From Docking Station
Verify that the user right 'Remove Computer From Docking Station' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4861-1
CCE-656
Right To Replace A Process Level Token
Verify that the user right 'Replace A Process Level Token' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4372-9
CCE-667
Right To Restore Files And Directories
Verify that the user right 'Restore Files And Directories' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4948-6
CCE-553
Right To Shut Down The System
Verify that the user right 'Shut Down The System' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4569-0
CCE-839
Right To Synchronize Directory Service Data
Verify that the user right 'Synchronize Directory Service Data' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4970-0
CCE-381
Right To Take Ownership Of Files Or Other Objects
Verify that the user right 'Take Ownership Of Files Or Other Objects' has been granted appropriately.
GPO
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-4988-2
CCE-492
System Services Group
todo - description needed
System Services Settings
todo - description needed
WLAN AutoConfig
WLAN AutoConfig
4
0
1
2
3
4
WLAN AutoConfig
This service enumerates WLAN adapters, manages WLAN connections and profiles.
GPO
Computer Configuration\Windows Settings\Security Settings\System Services
CCE-4627-6
CCE-957
FDCC Other Settings
FDCC has identified the following additional controls that must be checked in order to verify compliance.
Computer Configuration - Administrative Templates - Network Settings
todo - description needed
Link-Layer Topology Discovery
The Link Layer Topology Discovery (LLTD) specification describes how the LLTD protocol operates over wired (802.3 Ethernet) and wireless (802.11) media. LLTD enables device discovery via the data-link layer and determines the topology of a network. This specification also describes the Quality of Service (QoS) Extensions that enable stream prioritization and quality media streaming experiences, even on networks with limited bandwidth.
Turn on Mapper I/O (LLTDIO) driver
This policy setting turns on the Mapper I/O network protocol driver. (Enabled=1; Disabled=0; Not Configured)
0
0
1
Turn on Responder (RSPNDR) driver
This policy setting turns on the Responder network protocol driver. (Enabled=1; Disabled=0; Not Configured)
0
0
1
Turn on Mapper I/O (LLTDIO) driver
This policy setting turns on the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to.
GPO
Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery
CCE-4992-4
CCE-347
Turn on Responder (RSPNDR) driver
This policy setting turns on the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network.
GPO
Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery
CCE-4077-4
CCE-1134
Microsoft Peer-to-Peer Networking Services
todo - description needed
Turn Off Microsoft Peer-to-Peer Networking Services
This setting turns off Microsoft Peer-to-Peer Networking Services. (Enabled=1; Disabled=0; Not Configured)
1
0
1
Turn Off Microsoft Peer-to-Peer Networking Services
This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety, and will cause all dependent applications to stop working.
GPO
Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services
CCE-3270-6
CCE-86
Network Connection Settings
The features for implementing and administering small networks are described as follows:-- Internet Connection Sharing (ICS) --ICS provides Internet access for a home or small office network by using one common connection as the Internet gateway. The ICS host is the only computer that is directly connected to the Internet. Multiple ICS clients simultaneously use the common Internet connection and benefit from Internet services as if the clients were directly connected to the Internet service provider (ISP). Security is enhanced when ICS is enabled because only the ICS host computer is visible to the Internet. The addresses of ICS clients are hidden from the Internet rendering ICS clients invisible to the Internet. In addition, ICS simplifies the configuration of small networks by providing local private network services, such as name resolution and addressing.Note: You should not use Internet Connection Sharing in an
existing network with Windows 2000 Server domain controllers, Domain Name System (DNS) servers, gateways, Dynamic Host Configuration Protocol (DHCP) servers, or systems configured for static IP addresses.-- Internet Connection Firewall (ICF) --With ICF, the firewall checks all communications that cross the connection between your network and the Internet and is selective about which responses from the Internet it allows. ICF protects only the computer on which it is enabled. If ICF is enabled on the Internet Connection Sharing (ICS) host computer, however, ICS clients that use the shared Internet connection for Internet connectivity are protected because they cannot be seen from outside your network. For this reason, you should always enable ICF on the ICS host computer. In addition, if there are clients on your network with direct Internet connections, or if you have a stand-alone computer that is connected to the Internet, then you
should enable ICF on those Internet connections as well.-- Network Bridge --Network Bridge removes the need for routing and bridging hardware in a home or small office network that consists of multiple LAN segments. With Network Bridge, multiple LAN segments become a single IP subnet, even if the LAN segments are of mixed network media types. Network Bridge automates the configuration and management of the address allocation, routing, and name resolution that is typically required in a network that consists of multiple LAN segments.Caution If neither ICF nor ICS is enabled on your network, do not set up Network Bridge between the public Internet connection and the private network connection. Setting up Network Bridge between the public Internet connection and the private network connection creates an unprotected link between your network and the Internet, leaving your network vulnerable to external attacks. When either ICF or
ICS is enabled, this risk is mitigated.
Prohibit installation and configuration of Network Bridge on your DNS domain network
todo - description needed
1
1
0
Prohibit use of Internet Connection Firewall on your DNS domain network
todo - description needed
1
1
0
Prohibit use of Internet Connection Sharing on your DNS domain network
todo - description needed
1
1
0
Prohibit installation and configuration of Network Bridge on your DNS domain network
Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections
CCE-4152-5
CCE-896
Prohibit use of Internet Connection Firewall on your DNS domain network
The "Prohibit use of Internet Connection Firewall on your DNS domain network" setting should be configured correctly.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections
CCE-5020-3
CCE-241
Prohibit use of Internet Connection Sharing on your DNS domain network
The "Prohibit use of Internet Connection Sharing on your DNS domain network" setting should be configured correctly.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections
CCE-4078-2
CCE-672
Network connections - Windows Connect Now
todo - description needed
Configuration of Wireless Settings Using Windows Connect Now
Configuration of Wireless Settings Using Windows Connect Now. (Enabled = 0; Disabled = 1)
0
0
1
Prohibit Access of the Windows Connect Now Wizards
Prohibit Access of the Windows Connect Now Wizards. (Enabled = 1; Disabled = 0)
0
0
1
Configuration of Wireless Settings Using Windows Connect Now
Configuration of Wireless Settings Using Windows Connect Now
GPO
Computer Configuration\Administrative Templates\Network\Windows Connect Now
CCE-5061-7
CCE-734
Prohibit Access of the Windows Connect Now Wizards
Prohibit Access of the Windows Connect Now Wizards
GPO
Computer Configuration\Administrative Templates\Network\Windows Connect Now
CCE-3045-2
CCE-629
Computer Configuration - Administrative Templates - System Settings
todo - description needed
Local Computer - Administrative Templates - System Settings - Device Installation
todo - description needed
Allow remote access to the PnP interface
Computer Configuration\Administrative Templates\System\Device Installation: Allow remote access to the PnP interface. (Enabled = 1; Disabled = 0)
0
0
1
Do not create system restore point when new device driver installed
Computer Configuration\Administrative Templates\System\Device Installation: Do not create system restore point when new device driver installed. (Enabled = 1; Disabled = 0)
0
0
1
Do not send a Windows Error Report when a generic driver is installed on a device
Computer Configuration\Administrative Templates\System\Device Installation: Do not send a Windows Error Report when a generic driver is installed on a device. (Enabled = 0; Disabled = 1)
1
0
1
Allow remote access to the PnP interface
Computer Configuration\Administrative Templates\System\Device Installation: Allow remote access to the PnP interface.
GPO
Computer Configuration\Administrative Templates\System\Device Installation
CCE-3331-6
CCE-593
Do not create system restore point when new device driver installed
Computer Configuration\Administrative Templates\System\Device Installation: Do not create system restore point when new device driver installed.
GPO
Computer Configuration\Administrative Templates\System\Device Installation
CCE-3464-5
CCE-849
Do not send a Windows Error Report when a generic driver is installed on a device
Computer Configuration\Administrative Templates\System\Device Installation: Do not send a Windows Error Report when a generic driver is installed on a device.
GPO
Computer Configuration\Administrative Templates\System\Device Installation
CCE-3468-6
CCE-571
Local Computer - Administrative Templates - System Settings - Driver Installation
todo - description needed
Turn Off Windows Update Device Driver Search Prompt
Computer Configuration\Administrative Templates\System\Driver Installation: Turn Off Windows Update Device Driver Search Prompt. (Enabled = 1; Disabled = 0)
1
0
1
Turn Off Windows Update Device Driver Search Prompt
Computer Configuration\Administrative Templates\System\Driver Installation: Turn Off Windows Update Device Driver Search Prompt.
GPO
Computer Configuration\Administrative Templates\System\Driver Installation
CCE-3278-9
CCE-927
Group Policy Client-Side Extensions
The following rules specify the desired setting for the client-side extensions designed for Group Policy.
Registry Policy Processing
Computer Configuration\Administrative Templates\System: Group Policy - Registry Policy Processing.
0
-1
0
1
2
3
Registry Policy
Computer Configuration\Administrative Templates\System: Group Policy - Registry Policy Processing.
GPO
Computer Configuration\Administrative Templates\System\Group Policy
CCE-3452-0
CCE-584
Computer_Configuration - Administrative_Templates - System: Internet Communication Management - Internet Communication settings
todo - description needed
Turn Off Automatic Root Certificates Update
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Automatic Root Certificates Update.
Enabled
Disabled
Enabled
Turn off downloading of print drivers over HTTP
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off downloading of print drivers over HTTP.
Enabled
Disabled
Enabled
Turn Off Event Views "Events.asp" Links
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Event Views "Events.asp" Links.
Disabled
Disabled
Enabled
Turn Off Handwriting Reconition Error Reporting
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Handwriting Reconition Error Reporting.
Enabled
Disabled
Enabled
Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com.
Enabled
Disabled
Enabled
Turn off Internet download for Web publishing and online ordering wizards
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards.
Enabled
Disabled
Enabled
Turn Off Internet File Association Service
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Internet File Association Service.
Enabled
Disabled
Enabled
Turn off printing over HTTP
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off printing over HTTP.
Enabled
Disabled
Enabled
Turn Off Registration if URL Connection is Referring to Microsoft.com
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Registration if URL Connection is Referring to Microsoft.com.
Enabled
Disabled
Enabled
Turn off Search Companion content file updates
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off Search Companion content file updates.
Enabled
Disabled
Enabled
Turn Off the "Order Prints" Picture Task
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off the "Order Prints" Picture Task.
Enabled
Disabled
Enabled
Turn off the "Publish to Web" task for files and folders
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off the "Publish to Web" task for files and folders.
Enabled
Disabled
Enabled
Turn off the Windows Messenger Customer Experience Improvement Program
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program.
Enabled
Disabled
Enabled
Turn Off Windows Error Reporting
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Windows Error Reporting.
Enabled
Disabled
Enabled
Turn Off Windows Movies Maker Automatic Codec Downloads
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Windows Movies Maker Automatic Codec Downloads.
Enabled
Disabled
Enabled
Turn Off Windows Movie Maker Online Web Links
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Windows Movie Maker Online Web Links.
Enabled
Disabled
Enabled
Turn Off Windows Movie Maker Saving to Online Video Hosting Provider
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Windows Movie Maker Saving to Online Video Hosting Provider.
Enabled
Disabled
Enabled
Turn off Windows Update device driver searching
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off Windows Update device driver searching.
Enabled
Disabled
Enabled
Turn Off Automatic Root Certificates Update
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Automatic Root Certificates Update.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-3454-6
CCE-858
Turn off downloading of print drivers over HTTP
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off downloading of print drivers over HTTP.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-2754-0
CCE-887
Turn Off Event Views "Events.asp" Links
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Event Views "Events.asp" Links.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-3348-0
CCE-263
Turn Off Handwriting Reconition Error Reporting
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Handwriting Reconition Error Reporting.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-2868-8
CCE-430
Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-3432-2
CCE-1055
Turn off Internet download for Web publishing and online ordering wizards
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-3364-7
CCE-691
Turn Off Internet File Association Service
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Internet File Association Service.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-2697-1
CCE-1064
Turn off printing over HTTP
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off printing over HTTP.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-3421-5
CCE-852
Turn Off Registration if URL Connection is Referring to Microsoft.com
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Registration if URL Connection is Referring to Microsoft.com.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-3093-2
CCE-88
Turn off Search Companion content file updates
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off Search Companion content file updates.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-2778-9
CCE-818
Turn Off the "Order Prints" Picture Task
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off the "Order Prints" Picture Task.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-3115-3
CCE-375
Turn off the "Publish to Web" task for files and folders
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off the "Publish to Web" task for files and folders.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-2477-8
CCE-1009
Turn off the Windows Messenger Customer Experience Improvement Program
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-3259-9
CCE-722
Turn Off Windows Error Reporting
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Windows Error Reporting.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-4694-6
CCE-592
Turn Off Windows Movies Maker Automatic Codec Downloads
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Windows Movies Maker Automatic Codec Downloads.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-3403-3
CCE-1040
Turn Off Windows Movie Maker Online Web Links
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Windows Movie Maker Online Web Links.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-3297-9
CCE-1062
Turn Off Windows Movie Maker Saving to Online Video Hosting Provider
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn Off Windows Movie Maker Saving to Online Video Hosting Provider.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-3385-2
CCE-93
Turn off Windows Update device driver searching
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings: Turn off Windows Update device driver searching.
GPO
Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-3278-9
CCE-927
Computer_Configuration - Administrative_Templates - System - Logon
todo - description needed
Always Use Classic Logon
Computer Configuration\Administrative Templates\System: Logon - Always Use Classic Logon.
Enabled
Disabled
Enabled
Enabled
Enabled
Don’t Display the Getting Started Welcome Screen at Logon
Computer Configuration\Administrative Templates\System: Logon - Don’t Display the Getting Started Welcome Screen at Logon.
Enabled
Disabled
Enabled
Enabled
Enabled
Always Use Classic Logon
Computer Configuration\Administrative Templates\System: Logon - Always Use Classic Logon.
GPO
Computer Configuration\Administrative Templates\System\Logon
CCE-4813-2
CCE-231
Don’t Display the Getting Started Welcome Screen at Logon
Computer Configuration\Administrative Templates\System: Logon - Don’t Display the Getting Started Welcome Screen at Logon.
GPO
Computer Configuration\Administrative Templates\System\Logon
CCE-2781-3
CCE-1020
Computer_Configuration - Administrative_Templates - System - Power Management - Sleep settings
todo - description needed
Require a Password when a Computer Wakes (On Battery)
Computer Configuration\Administrative Templates\System\Power Management: Sleep Settings - Require a Password when a Computer Wakes (On Battery).
Enabled
Disabled
Enabled
Require a Password when a Computer Wakes (Plugged)
Computer Configuration\Administrative Templates\System\Power Management: Sleep Settings - Require a Password when a Computer Wakes (Plugged).
Enabled
Disabled
Enabled
Require a Password when a Computer Wakes (On Battery)
Computer Configuration\Administrative Templates\System\Power Management: Sleep Settings - Require a Password when a Computer Wakes (On Battery).
GPO
Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings
CCE-2821-7
CCE-346
Require a Password when a Computer Wakes (Plugged)
Computer Configuration\Administrative Templates\System\Power Management: Sleep Settings - Require a Password when a Computer Wakes (Plugged).
GPO
Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings
CCE-3469-4
CCE-1011
Computer_Configuration - Administrative_Templates - System: Remote Assistance
todo - description needed
Offer Remote Assistance
Computer Configuration\Administrative Templates\System: Remote Assistance - Offer Remote Assistance.
Disabled
Not Configured
Disabled
Enabled
Solicited Remote Assistance
Computer Configuration\Administrative Templates\System: Remote Assistance - Solicited Remote Assistance.
Disabled
Not Configured
Disabled
Enabled
Turn on session logging
Computer Configuration\Administrative Templates\System: Remote Assistance - Turn on session logging.
Enabled
Disabled
Enabled
Offer Remote Assistance
Computer_Configuration - Administrative_Templates - System: Remote Assistance - Offer Remote Assistance.
GPO
Computer Configuration\Administrative Templates\System\Remote Assistance
CCE-3217-7
CCE-434
Solicited Remote Assistance
Computer_Configuration - Administrative_Templates - System: Remote Assistance - Solicited Remote Assistance.
GPO
Computer Configuration\Administrative Templates\System\Remote Assistance
CCE-3323-3
CCE-859
Turn on session logging
Computer_Configuration - Administrative_Templates - System: Remote Assistance - Turn on session logging.
GPO
Computer Configuration\Administrative Templates\System\Remote Assistance
CCE-3271-4
CCE-835
Computer_Configuration - Administrative_Templates - System: Remote Procedure Call
todo - description needed
Restrictions for Unauthenticated RPC clients
Computer Configuration\Administrative Templates\System: Remote Assistance - Restrictions for Unauthenticated RPC clients. (Enabled: Authenticated = 1)
1
0
1
2
RPC Endpoint Mapper Client Authentication
Computer Configuration\Administrative Templates\System: Remote Assistance - RPC Endpoint Mapper Client Authentication.
Enabled
Disabled
Enabled
Restrictions for Unauthenticated RPC clients
Computer_Configuration - Administrative_Templates - System: Remote Assistance - Restrictions for Unauthenticated RPC clients.
GPO
Computer Configuration\Administrative Templates\System\Remote Procedure Call
CCE-3160-9
CCE-423
RPC Endpoint Mapper Client Authentication
Computer_Configuration - Administrative_Templates - System: Remote Assistance - RPC Endpoint Mapper Client Authentication.
GPO
Computer Configuration\Administrative Templates\System\Remote Procedure Call
CCE-3394-4
CCE-145
Disable Components Settings
todo - description needed
Disable ISATAP, Teredo, and 6to4 tunneling protocols
todo - description needed
1
1
2
4
8
10
16
17
32
255
Disable ISATAP, Teredo, and 6to4 tunneling protocols
Disable ISATAP, Teredo, and 6to4 tunneling protocols
Computer Configuration - Administrative Templates - Windows Components
todo - description needed
Autoplay Policies
Computer Configuration\Administrative Templates\Windows Components: Autoplay Policies
Turn off Autoplay
Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies: Turn off Autoplay.
GPO
Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies
CCE-2719-3
CCE-44
Credential User Interface
Computer Configuration\Administrative Templates\Windows Components: Credential User Interface
Enumerate administrator accounts on elevation
Computer Configuration\Administrative Templates\Windows Components\Credential User Interface: Enumerate administrator accounts on elevation.
Not Configured
Disabled
Enabled
Enumerate administrator accounts on elevation
Computer Configuration\Administrative Templates\Windows Components\Credential User Interface: Enumerate administrator accounts on elevation.
GPO
Computer Configuration\Administrative Templates\Windows Components\Credential User Interface
CCE-2471-1
CCE-935
Digial Locker
Computer Configuration\Administrative Templates\Windows Components: Digial Locker
Do not allow Digital Locker to run
Computer Configuration\Administrative Templates\Windows Components\Digial Locker: Do not allow Digital Locker to run.
Enabled
Disabled
Enabled
Do not allow Digital Locker to run
Computer Configuration\Administrative Templates\Windows Components\Digial Locker: Do not allow Digital Locker to run.
GPO
Computer Configuration\Administrative Templates\Windows Components\Digital Locker
CCE-3482-7
CCE-1747
Event Log Service Settings
Windows Vista records information about significant events in four logs: the Application Log, the Security Log, the Setup Log, and the System Log. The logs contain error messages, audit information, and other records of activity on the system. The logs can be used not only to identify suspicious and malicious behavior and investigate security incidents, but also to assist in troubleshooting system and application problems. It is important to specify the maximum log size because if it is too low, the system will not have much room for storing information on system activity.
Maximum Application Log Size
The value defines the maximum size (in KB) of the application log.
32768
16384
32768
81920
Maximum Security Log Size
The value defines the maximum size (in KB) of the security log.
81920
16384
32768
81920
Maximum Setup Log Size
The value defines the maximum size (in KB) of the setup log.
32768
16384
32768
81920
Maximum System Log Size
The value defines the maximum size (in KB) of the system log.
32768
16384
32768
81920
Maximum Application Log Size
Maximum Application Log Size
GPO
Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Application
CCE-3015-5
CCE-185
Maximum Security Log Size
Maximum Security Log Size
GPO
Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security
CCE-3302-7
CCE-757
Maximum Setup Log Size
Maximum Setup Log Size
GPO
Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup
CCE-4086-5
CCE-262
Maximum System Log Size
Maximum System Log Size
GPO
Computer Configuration\Administrative Templates\Windows Components\Event Log Service\System
CCE-3165-8
CCE-735
Game Explorer
Computer Configuration\Administrative Templates\Windows Components: Game Explorer
Turn Off Downloading of Game Information
Computer Configuration\Administrative Templates\Windows Components\Game Explorer: Turn Off Downloading of Game Information.
Enabled
Disabled
Enabled
Turn Off Downloading of Game Information
Computer Configuration\Administrative Templates\Windows Components\Game Explorer: Turn Off Downloading of Game Information.
GPO
Computer Configuration\Administrative Templates\Windows Components\Game Explorer
CCE-2755-7
CCE-1778
Internet Information Services
Internet Information Services
Prevent IIS Installation
This blocks even local Administrators from adding local web services to the Vista client
1
0
1
1
1
1
1
Prevent IIS Installation
This blocks even local Administrators from adding local web services to the XP client
GPO
Computer Configuration\Administrative Templates\Windows Components\Internet Information Services
CCE-3288-8
CCE-474
NetMeeting
Computer Configuration\Administrative Templates\Windows Components: NetMeeting
Disable remote Desktop Sharing
Computer Configuration\Administrative Templates\Windows Components\NetMeeting: Disable remote Desktop Sharing.
Not Configured
Disabled
Enabled
Disable remote Desktop Sharing
Computer Configuration\Administrative Templates\Windows Components\NetMeeting: Disable remote Desktop Sharing.
GPO
Computer Configuration\Administrative Templates\Windows Components\NetMeeting
CCE-3082-5
CCE-232
Online Assistance
Online Assistance
Turn off Untrusted Content
Specifies whether untrusted content is rendered. By default, the Help viewer renders untrusted assistance content pages with the exception of active links. Active links, such as ShellExecute and Guided Help, are rendered as text and are not clickable.
1
0
1
Turn off Untrusted Content
Specifies whether untrusted content is rendered. By default, the Help viewer renders untrusted assistance content pages with the exception of active links. Active links, such as ShellExecute and Guided Help, are rendered as text and are not clickable.
GPO
Computer Configuration\Administrative Templates\Windows Components\Online Assistance
CCE-3046-0
CCE-95
Search
Search
Allow indexing of encrypted files
Allow indexing of encrypted files
Disabled
Disabled
Enabled
Prevent indexing uncached Exchange folders
Prevent indexing uncached Exchange folders
Enabled
Disabled
Enabled
Allow indexing of encrypted files
Allow indexing of encrypted files
GPO
Computer Configuration\Administrative Templates\Windows Components\Search
CCE-3376-1
CCE-1049
Prevent indexing uncached Exchange folders
Prevent indexing uncached Exchange folders
GPO
Computer Configuration\Administrative Templates\Windows Components\Search
CCE-3143-5
CCE-1058
Terminal Services
Computer Configuration\Administrative Templates\Windows Components: Terminal Services
Do not allow passwords to be saved
Do not allow passwords to be saved
Enabled
Not Configured
Disabled
Enabled
Do not allow drive redirection
Do not allow drive redirection
Enabled
Not Configured
Disabled
Enabled
Always prompt client for password upon connection
Always prompt client for password upon connection
Not Configured
Disabled
Enabled
Set client connection encryption level
Set client connection encryption level
3
1
2
3
Set a time limit for disconnected sessions
You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Terminal Services allows users to disconnect from a remote session without logging off and ending the session. (1 min)
60000
60000
Set a time limit for active but idle Terminal Services sessions
This policy setting allows you to specify the maximum amount of time that an active Terminal Services session can be idle (without user input) before it is automatically disconnected. (15 min)
900000
900000
Do not allow passwords to be saved
The "Do not allow passwords to be saved" setting should be configured correctly for Terminal Services.
GPO
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection Client
CCE-2975-1
CCE-976
Do not allow drive redirection
The "Do not allow drive redirection" setting should be configured correctly for Terminal Services.
GPO
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection
CCE-4501-3
CCE-648
Always prompt client for password upon connection
The "Always Prompt Client for Password upon Connection" policy should be set correctly for Terminal Services.
GPO
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security
CCE-3429-8
CCE-855
Set client connection encryption level
The "Set Client connection Encryption Level" policy should be set correctly for Terminal Services.
GPO
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security
CCE-4866-0
CCE-397
Set a time limit for disconnected sessions
The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.
GPO
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits
CCE-5007-0
CCE-920
Set a time limit for active but idle Terminal Services sessions
The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.
GPO
Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits
CCE-4267-1
CCE-123
Windows Defender
Windows Defender
Configure Microsoft SpyNet Reporting
When Windows Defender detects software or changes by software not yet classified for risks, you see how other members responded to the alert. In turn, the action you apply help other members choose how to respond. Your actions also help Microsoft choose which software to investigate for potential threats. You can choose to send basic or additional information about detected software. Additional information helps improve how Windows Defender works. It can include, for example, the location of detected items on your computer if harmful software has been removed. Windows Defender will automatically collect and send the information.
0
0
1
Configure Microsoft SpyNet Reporting
When Windows Defender detects software or changes by software not yet classified for risks, you see how other members responded to the alert. In turn, the action you apply help other members choose how to respond. Your actions also help Microsoft choose which software to investigate for potential threats. You can choose to send basic or additional information about detected software. Additional information helps improve how Windows Defender works. It can include, for example, the location of detected items on your computer if harmful software has been removed. Windows Defender will automatically collect and send the information.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Defender
CCE-4761-3
CCE-312
Windows Error Reporting
Windows Error Reporting
Disable Logging
If this setting is enabled Windows Error Reporting events will not be logged to the system event log.
0
0
1
Disable Windows Error Reporting
If this setting is enabled, Windows Error Reporting will not send any problem information to Microsoft. Additionally, solution information will not be available in the Problem Reports and Solutions control panel.
1
0
1
Display Error Notification
todo - description needed
1
1
0
Do Not Send Additional Data
If this setting is enabled any additional data requests from Microsoft in response to a Windows Error Reporting event will be automatically declined without notice to the user.
1
0
1
Disable Logging
If this setting is enabled Windows Error Reporting events will not be logged to the system event log.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting
CCE-4915-5
CCE-959
Disable Windows Error Reporting
If this setting is enabled, Windows Error Reporting will not send any problem information to Microsoft. Additionally, solution information will not be available in the Problem Reports and Solutions control panel.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting
CCE-5034-4
CCE-803
Display Error Notification
The "Display Error Notification" setting should be configured correctly.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting
CCE-4919-7
CCE-259
Do Not Send Additional Data
If this setting is enabled any additional data requests from Microsoft in response to a Windows Error Reporting event will be automatically declined without notice to the user.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting
CCE-4089-9
CCE-798
Windows Explorer Settings
Windows Explorer
Turn off Heap termination on corruption
Turn off Heap termination on corruption
0
0
1
Turn off shell protocol protected mode
Turn off shell protocol protected mode
0
0
1
Turn off Heap termination on corruption
Turn off Heap termination on corruption
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Explorer
CCE-2962-9
CCE-384
Turn off shell protocol protected mode
Turn off shell protocol protected mode
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Explorer
CCE-3125-2
CCE-480
Windows Installer Settings
Windows Installer
Disable IE security prompt for Windows Installer scripts
Disable IE security prompt for Windows Installer scripts
0
0
1
Enable user control over installs
Permits users to change installation options that typically are available only to system administrators. This setting bypasses some of the security features of Windows Installer.
0
0
1
Prohibit non-administrators from applying vendor signed updates
This setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor.
1
0
1
Disable IE security prompt for Windows Installer scripts
Disable IE security prompt for Windows Installer scripts
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Installer
CCE-4991-6
CCE-261
Enable user control over installs
Permits users to change installation options that typically are available only to system administrators. This setting bypasses some of the security features of Windows Installer.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Installer
CCE-4629-2
CCE-415
Prohibit non-administrators from applying vendor signed updates
This setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Installer
CCE-3398-5
CCE-612
Windows Logon Optionsr
Windows Logon Options
Report when logon server was not available during user logon
This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information.
1
0
1
Report Logon Server Not Available During User logon
This setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options
CCE-3341-5
CCE-392
Windows Mail
Windows Mail
Turn off the communities features
Windows Mail will not check your newsgroup servers for Communities support.
1
0
1
Turn off Windows Mail application
Denies or allows access to the Windows Mail application. If you enable this setting, access to the Windows Mail application is denied. If you disable or do not configure this setting, access to the Windows Mail application is allowed.
0
1
0
0
0
0
0
Turn off the communities features
Windows Mail will not check your newsgroup servers for Communities support.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Mail
CCE-2521-3
CCE-96
Turn off Windows Mail application
Denies or allows access to the Windows Mail application. If you enable this setting, access to the Windows Mail application is denied. If you disable or do not configure this setting, access to the Windows Mail application is allowed.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Mail
CCE-2525-4
CCE-331
Windows Media Digital Rights Management
Windows Media Digital Rights Management
Prevent Windows Media DRM Internet Access
Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades.
1
0
1
Prevent Windows Media DRM Internet Access
Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Media Digital Rights Management
CCE-3486-8
CCE-1089
Windows Media Player Settings
todo - description needed
do_not_show_first_use_dialog_boxes
todo - description needed
1
0
1
prevent_automatic_updates
todo - description needed
1
0
1
Do Not Show First Use Dialog Boxes
The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Media Player
CCE-4405-7
CCE-1140
Prevent Automatic Updates
The "Disable Media Player for automatic updates" policy should be set correctly.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Media Player
CCE-4898-3
CCE-455
Windows Meeting Space
Windows Meeting Space
Turn off Windows Meeting Space
Windows Meeting Space is a feature that enables quick, face-to-face collaboration for sharing programs and handouts and for passing notes. If you enable this setting, Windows Meeting Space will be turned off.
1
0
1
Turn off Windows Meeting Space
Windows Meeting Space is a feature that enables quick, face-to-face collaboration for sharing programs and handouts and for passing notes. If you enable this setting, Windows Meeting Space will be turned off.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Meeting Space
CCE-2557-7
CCE-992
Windows Messenger
Computer Configuration\Administrative Templates\Windows Components: Windows Messenger
Do not allow Windows Messenger to be run
Do not allow Windows Messenger to be run
Not Configured
Disabled
Enabled
do_not_automatically_start_windows_messenger_initially
todo - description needed
1
0
1
Do not allow Windows Messenger to be run
Do not allow Windows Messenger to be run
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Messenger
CCE-3316-7
CCE-729
Do not automatically start Windows Messenger initially
The "Do Not Automatically Start Windows Messenger" policy should be set correctly.
GPO
Computer Configuration\Administrative Templates\Windows Components\Windows Messenger
CCE-4797-7
CCE-309
Local User Policy Settings
todo - description needed
Local User Policy: Control Panel
todo - description needed
Password protect the screen saver
Password protect the screen saver
Enabled
Enabled
Screen Saver timeout
Specifies how much user idle time must elapse before the screen saver is launched. When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started.
900
900
Password protect the screen saver
Determines whether screen savers used on the computer are password protected. If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver.
GPO
User Configuration\Administrative Templates\Control Panel\Display
CCE-4290-3
CCE-949
Screen Saver timeout
Specifies how much user idle time must elapse before the screen saver is launched. When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started.
GPO
User Configuration\Administrative Templates\Control Panel\Display
CCE-3050-2
CCE-830
Power Management settings
todo - description needed
Prompt for password on resume from hibernate / suspend
Prompt for password on resume from hibernate / suspend
Enabled
Enabled
Prompt for password on resume from hibernate / suspend
This settings allows you to configure client computers to always lock when resuming from a hibernate or suspend. If you enable this setting, the client computer is locked when it is resumed from a suspend or hibernate state.
GPO
User Configuration\Administrative Templates\System\Power Management
CCE-3169-0
CCE-509
Attachment Manager Settings
todo - description needed
Do not preserve zone information in file attachments
Do not preserve zone information in file attachments
Disabled
Disabled
Enabled
Hide mechanisms to remove zone information
Hide mechanisms to remove zone information
Enabled
Disabled
Enabled
Notify antivirus programs when opening attachments
Notify antivirus programs when opening attachments
Enabled
Disabled
Enabled
Do not preserve zone information in file attachments
This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (i.e. restricted, Internet, intranet, local).
GPO
User Configuration\Administrative Templates\Windows Components\Attachment Manager
CCE-3437-1
CCE-12
Hide mechanisms to remove zone information
This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file’s property sheet or by using a check box in the security warning dialog.
GPO
User Configuration\Administrative Templates\Windows Components\Attachment Manager
CCE-2979-3
CCE-58
Notify antivirus programs when opening attachments
This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified.
GPO
User Configuration\Administrative Templates\Windows Components\Attachment Manager
CCE-3300-1
CCE-372
Network Sharing Settings
todo - description needed
Prevent users from sharing files within their profile
Prevent users from sharing files within their profile
Enabled
Disabled
Enabled
Prevent users from sharing files within their profile
By default users are allowed to share files within their profile to other users on their network once an administrator opts in the computer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile.
GPO
User Configuration\Administrative Templates\Windows Components\Network Sharing
CCE-5070-8
CCE-1144
Internet Communication settings
todo - description needed
Turn off Help Ratings
Specifies whether users can provide ratings for Help content.
0
-1
0
1
Turn off Help Experience Improvement Program
Specifies whether users can participate in the Help Experience Improvement program.
0
-1
0
1
Turn off Help Ratings
Specifies whether users can provide ratings for Help content.
GPO
User Configuration | Administrative Templates | System | Internet Communication Management | Internet Communication settings
CCE-4851-2
CCE-1109
Turn off Help Experience Improvement Program
Specifies whether users can participate in the Help Experience Improvement program.
GPO
User Configuration | Administrative Templates | System | Internet Communication Management | Internet Communication settings
CCE-5239-9
CCE-174
Audit Policy Group
Windows Vista give more control over individual audit policy through subcategories that were not available in earlier versions of Windows operating systems.
Account Management Settings
The Account Management audit category helps you track attempts to create new users or groups, rename users or groups, enable or disable user accounts, change account passwords, and enable auditing for Account Management events. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user and group accounts.
application-group-management
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
computer-account-management
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
distribution-group-management
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
other-account-management-events
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
security-group-management
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
user-account-management
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Application Group Management
todo - description needed
CCE-4938-7
CCE-801
CCE-4700-1
CCE-1016
Computer Account Management
todo - description needed
CCE-4093-1
CCE-1070
CCE-4228-3
CCE-840
Distribution Group Management
todo - description needed
CCE-4115-2
CCE-515
CCE-4140-0
CCE-1048
Other Account Management Events
todo - description needed
CCE-4916-3
CCE-206
CCE-4783-7
CCE-1202
Security Group Management
todo - description needed
CCE-5048-4
CCE-1118
CCE-4142-6
CCE-369
User Account Management
todo - description needed
CCE-4833-0
CCE-1043
CCE-5097-1
CCE-924
Detailed Tracking Settings
The Detailed Tracking audit category determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Enabling Audit process tracking will generate a large number of events, so it is typically set to No Auditing. However, this setting can provide a great benefit during an incident response from the detailed log of the processes started and the time when they were launched.
dpapi-activity
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
process-creation
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
process-termination
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
rpc-events_var
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
DPAPI Activity
todo - description needed
CCE-5000-5
CCE-1413
CCE-4493-3
CCE-699
Process Creation
todo - description needed
CCE-4166-5
CCE-913
CCE-5094-8
CCE-1079
Process Termination
todo - description needed
CCE-4869-4
CCE-416
CCE-4363-8
CCE-1250
RPC Events
todo - description needed
CCE-4891-8
CCE-1219
CCE-4759-7
CCE-1365
DS Access Settings
The DS Access audit category applies only to domain controllers.
detailed-directory-service-replication
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
directory-service-access
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
directory-service-changes
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
directory-service-replication
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Detailed Directory Service Replication
todo - description needed
CCE-5023-7
CCE-207
CCE-4658-1
CCE-1186
Directory Service Access
todo - description needed
CCE-5028-6
CCE-1199
CCE-4931-2
CCE-459
Directory Service Changes
todo - description needed
CCE-5067-4
CCE-317
CCE-4808-2
CCE-982
Directory Service Replication
todo - description needed
CCE-5089-8
CCE-881
CCE-4176-4
CCE-247
Logon Logoff Settings
This audit category generates events that record the creation and destruction of logon sessions. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource.
account-lockout
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
ipsec-extended-mode
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
ipsec-main-mode
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
ipsec-quick-mode
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
logoff
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
logon
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
other-logon-logoff-events
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
special-logon
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Account Lockout
todo - description needed
CCE-4342-2
CCE-1264
CCE-4857-9
CCE-1282
IPsec Extended Mode
todo - description needed
CCE-5011-2
CCE-1028
CCE-4505-4
CCE-362
IPsec Main Mode
todo - description needed
CCE-5016-1
CCE-1207
CCE-4650-8
CCE-351
IPsec Quick Mode
todo - description needed
CCE-5038-5
CCE-1257
CCE-4928-8
CCE-1274
Logoff
todo - description needed
CCE-4703-5
CCE-493
CCE-4183-0
CCE-996
Logon
todo - description needed
CCE-5018-7
CCE-1284
CCE-4423-0
CCE-1097
Other Logon/Logoff Events
todo - description needed
CCE-5163-1
CCE-378
CCE-5066-6
CCE-1208
Special Logon
todo - description needed
CCE-4956-9
CCE-371
CCE-4824-9
CCE-1038
Object Access Settings
By itself, this policy setting will not cause auditing of any events. It determines whether to audit the event of a user who accesses an object—for example, a file, folder, registry key, or printer—that has a specified system access control list (SACL), effectively enabling auditing to take place.
application-generated
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
certification-services
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
file-share
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
file-system
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
filtering-platform-connection
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
filtering-platform-packet-drop
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
handle-manipulation
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
kernel-object
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
other-object-access-events
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
registry
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
sam
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Application Generated
todo - description needed
CCE-5084-9
CCE-1322
CCE-4829-8
CCE-379
Certification Services
todo - description needed
CCE-4714-2
CCE-1345
CCE-4868-6
CCE-1261
File Share
todo - description needed
CCE-4200-2
CCE-1372
CCE-5145-8
CCE-1033
File System
todo - description needed
CCE-4921-3
CCE-1085
CCE-5039-3
CCE-1340
Filtering Platform Connection
todo - description needed
CCE-4568-2
CCE-717
CCE-5079-9
CCE-744
Filtering Platform Packet Drop
todo - description needed
CCE-4947-8
CCE-385
CCE-4335-6
CCE-589
Handle Manipulation
todo - description needed
CCE-4828-0
CCE-1363
CCE-4965-0
CCE-1244
Kernel Object
todo - description needed
CCE-4996-5
CCE-1288
CCE-4885-0
CCE-1305
Other Object Access Events
todo - description needed
CCE-5132-6
CCE-642
CCE-4691-2
CCE-1026
Registry
todo - description needed
CCE-4594-8
CCE-1138
CCE-5087-2
CCE-1283
SAM
todo - description needed
CCE-4616-9
CCE-446
CCE-4982-5
CCE-451
Policy Change Settings
The Policy Change audit category determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself.
policy_change_audit
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
authentication-policy-change
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
authorization-policy-change
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
filtering-platform-policy-change
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
mpssvc-rule-level-policy-change
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
other-policy-change-events
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Audit Policy Change
todo - description needed
CCE-4201-0
CCE-1110
CCE-5137-5
CCE-991
Authentication Policy Change
todo - description needed
CCE-4877-7
CCE-388
CCE-4516-1
CCE-180
Authorization Policy Change
todo - description needed
CCE-5172-2
CCE-187
CCE-5058-3
CCE-448
Filtering Platform Policy Change
todo - description needed
CCE-5177-1
CCE-1042
CCE-4939-5
CCE-1112
MPSSVC Rule-Level Policy Change
todo - description needed
CCE-5181-3
CCE-203
CCE-4204-4
CCE-879
Other Policy Change Events
todo - description needed
CCE-4479-2
CCE-205
CCE-4995-7
CCE-787
Privilege Use Settings
The Privilege Use audit category determines whether to audit each instance of a user exercising a user right. If you configure this value to Success, an audit entry is generated each time that a user right is exercised successfully. If you configure this value to Failure, an audit entry is generated each time that a user right is exercised unsuccessfully. This policy setting can generate a very large number of event records.
non-sensitive-privilege-use
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
other-privilege-use-events
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
sensitive-privilege-use
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
Non Sensitive Privilege Use
todo - description needed
CCE-5114-4
CCE-391
CCE-4990-8
CCE-404
Other Privilege Use Events
todo - description needed
CCE-5131-8
CCE-1203
CCE-4205-1
CCE-406
Sensitive Privilege Use
todo - description needed
CCE-4300-0
CCE-488
CCE-4734-0
CCE-1258
System Settings
The System audit category allows you to monitor system events that succeed and fail, and provides a record of these events that may help determine instances of unauthorized system access. System events include starting or shutting down computers in your environment, full event logs, or other security-related events that affect the entire system.
ipsec-driver
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
other-system-events
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
security-state-change
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
security-system-extension
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
system-integrity
todo - description needed
AUDIT_NONE
AUDIT_(SUCCESS|SUCCESS_FAILURE)
AUDIT_(FAILURE|SUCCESS_FAILURE)
AUDIT_SUCCESS_FAILURE
AUDIT_NONE
IPsec Driver
todo - description needed
CCE-4976-7
CCE-1177
CCE-4879-3
CCE-1314
Other System Events
todo - description needed
CCE-4998-1
CCE-1332
CCE-4883-5
CCE-337
Security State Change
todo - description needed
CCE-4535-1
CCE-1121
CCE-5157-3
CCE-1139
Security System Extension
todo - description needed
CCE-5170-6
CCE-1270
CCE-4910-6
CCE-1102
System Integrity
todo - description needed
CCE-5047-6
CCE-856
CCE-4822-3
CCE-336
Security Patches
Securing a given computer has become increasingly important. As such, it is essential to keep a host up to current patch levels to eliminate known vulnerabilities and weaknesses. In conjunction with antivirus software and a personal firewall, patching goes a long way to securing a host against outside attacks and exploitation. Microsoft provides two mechanisms for distributing security updates: Automatic Updates and Microsoft Update. In smaller environments, either method may be sufficient for keeping systems current with patches. Other environments typically have a software change management control process or a patch management program that tests patches before deploying them; distribution may then occur through local Windows Update Services (WUS) or Windows Server Update Services (WSUS) servers, which provide approved security patches for use by the Automatic Updates feature.
Security Patches Up-To-Date
All known security patches have been installed.