{
  "format_version": 3,
  "policy": {
    "external_id": "221075636980f835be3b8d9d4fe9c21e",
    "name": "CIS Microsoft Windows 10 Enterprise Benchmark v4.0.0 - Level 1",
    "version": "1.0.0",
    "description": "CIS Level 1 (L1) hardening profile for Microsoft Windows 10 Enterprise. Registry-backed Group Policy settings \u2014 account / lockout / audit policy, user rights assignment, security options, administrative templates. Applies only to Windows 10 hosts.",
    "author": "Center for Internet Security"
  },
  "tests": [
    {
      "external_id": "8af43e130b5d38075cfd9da7f6a80907",
      "name": "1.1.6 \u2014 (L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'",
      "description": "(L1) Ensure 'Relax minimum password length limits' is set to 'Enabled'",
      "rational": "This setting will enable the enforcement of longer and generally stronger passwords or \npassphrases where MFA is not in use.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Account \nPolicies\\Password Policy\\Relax minimum password length limits \n\nNote: This setting is only available within the built-in OS security template of Windows \n10 Release 2004 and Server 2022 (or newer), and is not available via older versions of \nthe OS, or via downloadable Administrative Templates (ADMX/ADML). Therefore, you \nmust...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\System\\CurrentControlSet\\Control\\SAM|RelaxMinimumPasswordLengthLimits",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "35634a1e95583b6f8db91bc212ad9ce6",
      "name": "2.3.1.1 \u2014 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add o...",
      "description": "(L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts'",
      "rational": "Organizations that want to effectively implement identity management policies and \nmaintain firm control of what accounts are used to log onto their computers will probably \nwant to block Microsoft accounts. Organizations may also need to block Microsoft \naccounts in order to meet the requirements of compliance standards that apply to their \ninformation systems.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Users \ncan't add or log on with Microsoft accounts: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Accounts: Block Microsoft accounts",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|NoConnectedUse",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "8c0907d00a6c096c26da3e21ad411db8",
      "name": "2.3.1.3 \u2014 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console ...",
      "description": "(L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'",
      "rational": "Blank passwords are a serious threat to computer security and should be forbidden \nthrough both organizational policy and suitable technical measures. In fact, the default \nsettings for Active Directory domains require complex passwords of at least seven \ncharacters. However, if users with the ability to create new accounts bypass your \ndomain-based password policies, they could create accounts...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Accounts: Limit local account use of blank \npasswords to console logon only",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|LimitBlankPasswordUse",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "688e04c74557489a06bff46ee7c5b620",
      "name": "2.3.2.1 \u2014 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or...",
      "description": "(L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'",
      "rational": "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to \ntrack events at a per-system or per-user level. The larger event categories created too \nmany events and the key information that needed to be audited was difficult to find.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Audit: Force audit policy subcategory settings \n(Windows Vista or later) to override audit policy category settings",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|SCENoApplyLegacyAuditPolicy",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "51fd4f363f628e10931839089731b4a5",
      "name": "2.3.2.2 \u2014 (L1) Ensure 'Audit: Shut down system immediately if unable to log security au...",
      "description": "(L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'",
      "rational": "If the computer is unable to record events to the Security log, critical evidence or \nimportant troubleshooting information may not be available for review after a security \nincident. Also, an attacker could potentially generate a large volume of Security log \nevents to purposely force a computer shutdown.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Audit: Shut down system immediately if unable to \nlog security audits",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|CrashOnAuditFail",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "e54c558c81b2d7031a2efa69dea3ce96",
      "name": "2.3.6.1 \u2014 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (al...",
      "description": "(L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'",
      "rational": "When a computer joins a domain, a computer account is created. After it joins the \ndomain, the computer uses the password for that account to create a secure channel \nwith the Domain Controller for its domain every time that it restarts. Requests that are \nsent on the secure channel are authenticated\u2014and sensitive information such as \npasswords are encrypted\u2014but the channel is not integrity-che...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Domain member: Digitally encrypt or sign secure \nchannel data (always)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters|RequireSignOrSeal",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "cb86765e0a68ec707e665cbf4dfa3eee",
      "name": "2.3.6.2 \u2014 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possi...",
      "description": "(L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'",
      "rational": "When a computer joins a domain, a computer account is created. After it joins the \ndomain, the computer uses the password for that account to create a secure channel \nwith the Domain Controller for its domain every time that it restarts. Requests that are \nsent on the secure channel are authenticated\u2014and sensitive information such as \npasswords are encrypted\u2014but the channel is not integrity-che...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Domain member: Digitally encrypt secure channel \ndata (when possible)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters|SealSecureChannel",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "92ca53994ba298a8eca546ce1c82c816",
      "name": "2.3.6.3 \u2014 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible...",
      "description": "(L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'",
      "rational": "When a computer joins a domain, a computer account is created. After it joins the \ndomain, the computer uses the password for that account to create a secure channel \nwith the Domain Controller for its domain every time that it restarts. Requests that are \nsent on the secure channel are authenticated\u2014and sensitive information such as \npasswords are encrypted\u2014but the channel is not integrity-che...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Domain member: Digitally sign secure channel data \n(when possible)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters|SignSecureChannel",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "9d7e03b37d1bc810ba92922f2f686763",
      "name": "2.3.6.4 \u2014 (L1) Ensure 'Domain member: Disable machine account password changes' is set ...",
      "description": "(L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'",
      "rational": "The default configuration for Windows Server 2003-based computers that belong to a \ndomain is that they are automatically required to change the passwords for their \naccounts every 30 days. If you disable this policy setting, computers that run Windows \nServer 2003 will retain the same passwords as their computer accounts. Computers \nthat are no longer able to automatically change their account...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Domain member: Disable machine account password \nchanges",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters|DisablePasswordCha",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "573905c457fa850529d4e9386c49f82a",
      "name": "2.3.6.5 \u2014 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '...",
      "description": "(L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'",
      "rational": "In Active Directory-based domains, each computer has an account and password just \nlike every user. By default, the domain members automatically change their domain \npassword every 30 days. If you increase this interval significantly, or set it to 0 so that \nthe computers no longer change their passwords, an attacker will have more time to \nundertake a brute force attack to guess the password o...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to 30 or \nfewer days, but not 0: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Domain member: Maximum machine account password age",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters|MaximumPasswordAge",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "47222aa825a8e43bf440dc25d0a0bc9b",
      "name": "2.3.6.6 \u2014 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session ke...",
      "description": "(L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'",
      "rational": "Session keys that are used to establish secure channel communications between \nDomain Controllers and member computers are much stronger in Windows 2000 than \nthey were in previous Microsoft operating systems. Whenever possible, you should take \nadvantage of these stronger session keys to help protect secure channel \ncommunications from attacks that attempt to hijack network sessions and \neaves...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Domain member: Require strong (Windows 2000 or \nlater) session key",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters|RequireStrongKey",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "1dde315b7067bf7c80117d43484904c6",
      "name": "2.3.7.1 \u2014 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disab...",
      "description": "(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled'",
      "rational": "Microsoft developed this feature to make it easier for users with certain types of physical \nimpairments to log on to computers that run Windows. If users are not required to press \nCTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their \npasswords. If CTRL+ALT+DEL is required before logon, user passwords are \ncommunicated by means of a trusted path. \n\nAn attacker could in...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Interactive logon: Do not require CTRL+ALT+DEL",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|DisableCAD",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "`"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "10a2d3c8bfac19050433cb4b1aaf7ef9",
      "name": "2.3.7.2 \u2014 (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enab...",
      "description": "(L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'",
      "rational": "An attacker with access to the console (for example, someone with physical access or \nsomeone who is able to connect to the server through Remote Desktop Services) could \nview the name of the last user who logged on to the server. The attacker could then try \nto guess the password, use a dictionary, or use a brute-force attack to try and log on.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Interactive logon: Don't display last signed-in \n\nNote: In older versions of Microsoft Windows, this setting was named Interactive logon: \nDo not display last user name, but it was renamed starting with Windows 10 Release \n1703.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|DontDisplayLas",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "9d353137ef38ede2e118d50a12ddb5fa",
      "name": "2.3.7.3 \u2014 (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to ...",
      "description": "(BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0'",
      "rational": "If a machine is lost or stolen, or if an insider threat attempts a brute force password \nattack against the computer, it is important to ensure that BitLocker will lock the \ncomputer and therefore prevent a successful attack.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to 10 or \nfewer invalid logon attempts, but not 0: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Interactive logon: Machine account lockout \nthreshold",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|MaxDevicePassw",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "bb5071edcbb393bee19926846bb9fbb8",
      "name": "2.3.7.4 \u2014 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or f...",
      "description": "(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'",
      "rational": "If a user forgets to lock their computer when they walk away it's possible that a \npasserby will hijack it.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to 900 or \nfewer seconds, but not 0: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Interactive logon: Machine inactivity limit",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|InactivityTime",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "9"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "1c95309afdde31878d7dcdfa8fadbb01",
      "name": "2.3.7.5 \u2014 (L1) Configure 'Interactive logon: Message text for users attempting to log on'",
      "description": "(L1) Configure 'Interactive logon: Message text for users attempting to log on'",
      "rational": "Displaying a warning message before logon may help prevent an attack by warning the \nattacker about the consequences of their misconduct before it happens. It may also help \nto reinforce corporate policy by notifying employees of the appropriate policy during the \nlogon process. This text is often used for legal reasons\u2014for example, to warn users \nabout the ramifications of misusing company inf...",
      "remediation": "To establish the recommended configuration via GP, configure the following UI path to a \nvalue that is consistent with the security and operational requirements of your \norganization: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Interactive logon: Message text for users \nattempting to log on",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|LegalNoticeTex",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "t"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "0b3ff47cc98d68aa66c333d8b8ee331b",
      "name": "2.3.7.6 \u2014 (L1) Configure 'Interactive logon: Message title for users attempting to log on'",
      "description": "(L1) Configure 'Interactive logon: Message title for users attempting to log on'",
      "rational": "Displaying a warning message before logon may help prevent an attack by warning the \nattacker about the consequences of their misconduct before it happens. It may also help \nto reinforce corporate policy by notifying employees of the appropriate policy during the \nlogon process.",
      "remediation": "To establish the recommended configuration via GP, configure the following UI path to a \nvalue that is consistent with the security and operational requirements of your \norganization: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Interactive logon: Message title for users \nattempting to log on",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|LegalNoticeCap",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "t"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "cb82052f0cf097183bf705b6dc1f151d",
      "name": "2.3.7.8 \u2014 (L1) Ensure 'Interactive logon: Prompt user to change password before expirat...",
      "description": "(L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'",
      "rational": "Users will need to be warned that their passwords are going to expire, or they may \ninadvertently be locked out of the computer when their passwords expire. This condition \ncould lead to confusion for users who access the network locally, or make it impossible \nfor users to access your organization's network through dial-up or virtual private network \n(VPN) connections.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to a value \nbetween 5 and 14 days: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Interactive logon: Prompt user to change password \nbefore expiration",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon|PasswordExpiryWarning",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "5d5aa7844dfa9614368fbe34d1a6753b",
      "name": "2.3.7.9 \u2014 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock ...",
      "description": "(L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher",
      "rational": "Users sometimes forget to lock their workstations when they are away from them, \nallowing the possibility for malicious users to access their computers. If smart cards are \nused for authentication, the computer should automatically lock itself when the card is \nremoved to ensure that only the user with the smart card is accessing resources using \nthose credentials.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Lock \nWorkstation (or, if applicable for your environment, Force Logoff or Disconnect if \na Remote Desktop Services session): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Interactive logon: Smart card removal behavior",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon|ScRemoveOption",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "7f5bbb5ad962b960cc9ff5a79b222e60",
      "name": "2.3.8.1 \u2014 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)...",
      "description": "(L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'",
      "rational": "Session hijacking uses tools that allow attackers who have access to the same network \nas the client or server to interrupt, end, or steal a session in progress. Attackers can \npotentially intercept and modify unsigned SMB packets and then modify the traffic and \nforward it so that the server might perform undesirable actions. Alternatively, the \nattacker could pose as the server or client afte...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Microsoft network client: Digitally sign \ncommunications (always)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters|RequireSe",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "a54efa159ad4408518219087380c78b3",
      "name": "2.3.8.2 \u2014 (L1) Ensure 'Microsoft network client: Digitally sign communications (if serv...",
      "description": "(L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled'",
      "rational": "Session hijacking uses tools that allow attackers who have access to the same network \nas the client or server to interrupt, end, or steal a session in progress. Attackers can \npotentially intercept and modify unsigned SMB packets and then modify the traffic and \nforward it so that the server might perform undesirable actions. Alternatively, the \nattacker could pose as the server or client afte...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Microsoft network client: Digitally sign \ncommunications (if server agrees)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters|EnableSec",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "f2af423c30ca8d69e1dae7d34ca1a808",
      "name": "2.3.8.3 \u2014 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-par...",
      "description": "(L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'",
      "rational": "If you enable this policy setting, the server can transmit passwords in plaintext across \nthe network to other computers that offer SMB services, which is a significant security \nrisk. These other computers may not use any of the SMB security mechanisms that are \nincluded with Windows Server 2003.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Microsoft network client: Send unencrypted password \nto third-party SMB servers",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters|EnablePla",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "bb89acbf639732d818aa29e3bb63357f",
      "name": "2.3.9.1 \u2014 (L1) Ensure 'Microsoft network server: Amount of idle time required before su...",
      "description": "(L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'",
      "rational": "Each SMB session consumes server resources, and numerous null sessions will slow \nthe server or possibly cause it to fail. An attacker could repeatedly establish SMB \nsessions until the server's SMB services become slow or unresponsive.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to 15 or \nfewer minute(s): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Microsoft network server: Amount of idle time \nrequired before suspending session",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters|AutoDisconnect",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "6efdb3d55a26006393432e0cc7ae0323",
      "name": "2.3.9.2 \u2014 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)...",
      "description": "(L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'",
      "rational": "Session hijacking uses tools that allow attackers who have access to the same network \nas the client or server to interrupt, end, or steal a session in progress. Attackers can \npotentially intercept and modify unsigned SMB packets and then modify the traffic and \nforward it so that the server might perform undesirable actions. Alternatively, the \nattacker could pose as the server or client afte...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Microsoft network server: Digitally sign \ncommunications (always)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters|RequireSecurit",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "20d40debcf28b90c67c3357369d93524",
      "name": "2.3.9.3 \u2014 (L1) Ensure 'Microsoft network server: Digitally sign communications (if clie...",
      "description": "(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled'",
      "rational": "Session hijacking uses tools that allow attackers who have access to the same network \nas the client or server to interrupt, end, or steal a session in progress. Attackers can \npotentially intercept and modify unsigned SMB packets and then modify the traffic and \nforward it so that the server might perform undesirable actions. Alternatively, the \nattacker could pose as the server or client afte...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Microsoft network server: Digitally sign \ncommunications (if client agrees)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters|EnableSecurity",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "29b9e79f431897888698727b98a30d73",
      "name": "2.3.9.4 \u2014 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours ex...",
      "description": "(L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'",
      "rational": "If your organization configures logon hours for users, then it makes sense to enable this \npolicy setting. Otherwise, users who should not have access to network resources \noutside of their logon hours may actually be able to continue to use those resources \nwith sessions that were established during allowed hours.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Microsoft network server: Disconnect clients when \nlogon hours expire",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters|enableforcedlo",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "8fb96a278bbffe272c5e0beddd14c096",
      "name": "2.3.9.5 \u2014 (L1) Ensure 'Microsoft network server: Server SPN target name validation leve...",
      "description": "(L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher",
      "rational": "The identity of a computer can be spoofed to gain unauthorized access to network \nresources.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Accept \nif provided by client (configuring to Required from client also conforms to the \nbenchmark): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Microsoft network server: Server SPN target name \nvalidation level",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters|SMBServerNameH",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "67f5c5d8f6556dcdf78b8c87c7a3ba94",
      "name": "2.3.10.2 \u2014 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accoun...",
      "description": "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'",
      "rational": "An unauthorized user could anonymously list account names and use the information to \nattempt to guess passwords or perform social engineering attacks. (Social engineering \nattacks try to deceive users in some way to obtain passwords or some form of security \ninformation.)",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Do not allow anonymous enumeration \nof SAM accounts",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|RestrictAnonymousSAM",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "3c810d7aa432c08b85c1474ed6ad2914",
      "name": "2.3.10.3 \u2014 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accoun...",
      "description": "(L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'",
      "rational": "An unauthorized user could anonymously list account names and shared resources and \nuse the information to attempt to guess passwords or perform social engineering \nattacks. (Social engineering attacks try to deceive users in some way to obtain \npasswords or some form of security information.)",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Do not allow anonymous enumeration \nof SAM accounts and shares",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|RestrictAnonymous",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "65c6986e937554359b847fad581de448",
      "name": "2.3.10.4 \u2014 (L1) Ensure 'Network access: Do not allow storage of passwords and credential...",
      "description": "(L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'",
      "rational": "Passwords that are cached can be accessed by the user when logged on to the \ncomputer. Although this information may sound obvious, a problem can arise if the user \nunknowingly executes hostile code that reads the passwords and forwards them to \nanother, unauthorized user.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Do not allow storage of passwords \nand credentials for network authentication",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|DisableDomainCreds",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "267d75b7edeb58b0bf84646a8807c109",
      "name": "2.3.10.5 \u2014 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous user...",
      "description": "(L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'",
      "rational": "An unauthorized user could anonymously list account names and shared resources and \nuse the information to attempt to guess passwords, perform social engineering attacks, \nor launch DoS attacks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Let Everyone permissions apply to \nanonymous users",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|EveryoneIncludesAnonymous",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "b0cb4866b75d747cdd1ba791a955c235",
      "name": "2.3.10.6 \u2014 (L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is...",
      "description": "(L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'",
      "rational": "Limiting named pipes that can be accessed anonymously will reduce the attack surface \nof the system.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n<blank> (i.e. None): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Named Pipes that can be accessed \nanonymously",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters|NullSessionPip",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "9e4ad07d49b3c0e5eaec7f765130ff24",
      "name": "2.3.10.7 \u2014 (L1) Ensure 'Network access: Remotely accessible registry paths' is configured",
      "description": "(L1) Ensure 'Network access: Remotely accessible registry paths' is configured",
      "rational": "The registry is a database that contains computer configuration information, and much \nof the information is sensitive. An attacker could use this information to facilitate \nunauthorized activities. To reduce the risk of such an attack, suitable ACLs are \nassigned throughout the registry to help protect it from access by unauthorized users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nSystem\\CurrentControlSet\\Control\\ProductOptions \nSystem\\CurrentControlSet\\Control\\Server Applications \nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Remotely accessible registry paths",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurePipeServers\\Winreg\\AllowedExactPa ths|Machine",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "S"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "f94c8dc4c3a010b97be8e49802171ffa",
      "name": "2.3.10.8 \u2014 (L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths...",
      "description": "(L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured",
      "rational": "The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nSystem\\CurrentControlSet\\Control\\Print\\Printers \nSystem\\CurrentControlSet\\Services\\Eventlog \n\nSOFTWARE\\Microsoft\\OLAP Server \n\nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print \nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows \nSystem\\CurrentControlSet\\Control\\ContentIndex \nSystem\\CurrentControlSet\\Control\\Terminal Server \nSystem\\CurrentControlSet\\Control\\Terminal Server\\UserConfig \nSystem\\CurrentControlSet...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurePipeServers\\Winreg\\AllowedPaths|M",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "S"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "480ab882a220c233602c83dcb584edaa",
      "name": "2.3.10.9 \u2014 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Sha...",
      "description": "(L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'",
      "rational": "Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Restrict anonymous access to Named \nPipes and Shares",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters|RestrictNullSe",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "4b1342ff4b340c51819476d6d764bb87",
      "name": "2.3.10.10 \u2014 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to...",
      "description": "(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'",
      "rational": "This setting ensures that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nAdministrators: Remote Access: Allow: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Restrict clients allowed to make \nremote calls to SAM",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|restrictremotesam",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "O"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "7aad7dac682c86cafc6fd5d28de6f879",
      "name": "2.3.10.11 \u2014 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set ...",
      "description": "(L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'",
      "rational": "It is very dangerous to allow any values in this setting. Any shares that are listed can be \naccessed by any network user, which could lead to the exposure or corruption of \nsensitive data.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n<blank> (i.e. None): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Shares that can be accessed \nanonymously",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters|NullSessionSha",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "7db511da151a40a638f28196df71d989",
      "name": "2.3.10.12 \u2014 (L1) Ensure 'Network access: Sharing and security model for local accounts' i...",
      "description": "(L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'",
      "rational": "With the Guest only model, any user who can authenticate to your computer over the \nnetwork does so with guest privileges, which probably means that they will not have \nwrite access to shared resources on that computer. Although this restriction does \nincrease security, it makes it more difficult for authorized users to access shared \nresources on those computers because ACLs on those resources...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nClassic - local users authenticate as themselves: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Sharing and security model for \nlocal accounts",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|ForceGuest",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "9115b1f641f1a4d634610e540b698cc7",
      "name": "2.3.11.1 \u2014 (L1) Ensure 'Network security: Allow Local System to use computer identity fo...",
      "description": "(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'",
      "rational": "When connecting to computers running versions of Windows earlier than Windows Vista \nor Windows Server 2008 (non-R2), services running as Local System and using \nSPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if \nyou are connecting to a computer running Windows Server 2008 or Windows Vista, \nthen a system service uses either the computer identity or a NULL sessi...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: Allow Local System to use \ncomputer identity for NTLM",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|UseMachineId",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "ce866190fe871a7fa9430945812bd455",
      "name": "2.3.11.2 \u2014 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is se...",
      "description": "(L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'",
      "rational": "NULL sessions are less secure because by definition they are unauthenticated.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: Allow LocalSystem NULL session \nfallback",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0|AllowNullSessionFallback",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "aa9c8004b183937cc715556121dacc6a",
      "name": "2.3.11.3 \u2014 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this co...",
      "description": "(L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'",
      "rational": "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be \nmanaged centrally in most managed networks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network Security: Allow PKU2U authentication \nrequests to this computer to use online identities",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\pku2u|AllowOnlineID",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "56fd93fc7334280d70b42f8bdfd5e17a",
      "name": "2.3.11.4 \u2014 (L1) Ensure 'Network security: Configure encryption types allowed for Kerbero...",
      "description": "(L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'",
      "rational": "The strength of each encryption algorithm varies from one to the next; choosing \nstronger algorithms will reduce the risk of compromise, however doing so may cause \nissues when the computer attempts to authenticate with systems that do not support \nthem.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nAES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: Configure encryption types \nallowed for Kerberos",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters|SupportedEncryptionTypes",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "47acfafb19a9345129bf399c8fa5c56c",
      "name": "2.3.11.5 \u2014 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next pa...",
      "description": "(L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'",
      "rational": "The SAM file can be targeted by attackers who seek access to username and password \nhashes. Such attacks use special tools to crack passwords, which can then be used to \nimpersonate users and gain access to resources on your network. These types of \nattacks will not be prevented if you enable this policy setting, but it will be much more \ndifficult for these types of attacks to succeed.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: Do not store LAN Manager hash \nvalue on next password change",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|NoLMHash",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "24c7d180de9bf7a8db7f764f7e57b8e4",
      "name": "2.3.11.7 \u2014 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'S...",
      "description": "(L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'",
      "rational": "Windows 2000 and Windows XP clients were configured by default to send LM and \nNTLM authentication responses (Windows 95-based and Windows 98-based clients \nonly send LM). The default settings in OSes predating Windows Vista / Windows Server \n2008 (non-R2) allowed all clients to authenticate with servers and use their resources. \nHowever, this meant that LM responses - the weakest form of authe...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: Send \nNTLMv2 response only. Refuse LM & NTLM: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: LAN Manager authentication level",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|LmCompatibilityLevel",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "5"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "5ba6dc51996e4c69be4fd747757dd5ce",
      "name": "2.3.11.8 \u2014 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'N...",
      "description": "(L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher",
      "rational": "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder \ncaptures the packets between the client and server, modifies them, and then forwards \nthem to the server. For an LDAP server, this susceptibility means that an attacker could \ncause a server to make decisions that are based on false or altered data from the LDAP \nqueries. To lower this risk in your networ...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nNegotiate signing (configuring to Require signing also conforms to the \nbenchmark): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: LDAP client signing requirements",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LDAP|LDAPClientIntegrity",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "75a6aa0e09d279eb876d3e0753a9a9b8",
      "name": "2.3.11.9 \u2014 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (i...",
      "description": "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'",
      "rational": "You can enable both options for this policy setting to help protect network traffic that \nuses the NTLM Security Support Provider (NTLM SSP) from being exposed or \ntampered with by an attacker who has gained access to the same network. In other \nwords, these options help protect against man-in-the-middle attacks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nRequire NTLMv2 session security, Require 128-bit encryption: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: Minimum session security for NTLM \nSSP based (including secure RPC) clients",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0|NTLMMinClientSec",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "5"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "868046da727c65f94e3dd352237d6f4a",
      "name": "2.3.11.10 \u2014 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (i...",
      "description": "(L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'",
      "rational": "You can enable all of the options for this policy setting to help protect network traffic that \nuses the NTLM Security Support Provider (NTLM SSP) from being exposed or \ntampered with by an attacker who has gained access to the same network. That is, \nthese options help protect against man-in-the-middle attacks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nRequire NTLMv2 session security, Require 128-bit encryption: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: Minimum session security for NTLM \nSSP based (including secure RPC) servers",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0|NTLMMinServerSec",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "5"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "ebee40b151f0900f64b88a839fc8f168",
      "name": "2.3.11.11 \u2014 (L1) Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is...",
      "description": "(L1) Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'",
      "rational": "Auditing and monitoring NTLM traffic can assist in identifying systems using this \noutdated authentication protocol, so they can be remediated to using a more secure \nprotocol, such as Kerberos. The log information gathered can also assist in forensic \ninvestigations after a malicious attack. \n\nNTLM and NTLMv2 authentication is vulnerable to various attacks, including SMB relay, \nman-in-the-mid...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Enable \nauditing for all accounts: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: Restrict NTLM: Audit Incoming \nNTLM Traffic",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0|AuditReceivingNTLMTraffic",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "3ebbc098aed0896ddb98e435f32d801f",
      "name": "2.3.11.12 \u2014 (L1) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote...",
      "description": "(L1) Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Audit all' or higher",
      "rational": "Auditing and monitoring NTLM traffic can assist in identifying systems using this \noutdated authentication protocol, so they can be remediated to using a more secure \nprotocol, such as Kerberos. The log information gathered can also assist in forensic \ninvestigations after a malicious attack. \n\nNTLM and NTLMv2 authentication is vulnerable to various attacks, including SMB relay, \nman-in-the-mid...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Audit \nall or higher: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: Restrict NTLM: Outgoing NTLM \ntraffic to remote servers",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0|RestrictSendingNTLMTraffic",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "e0bf7a8cf2874eaac63543ed6f198777",
      "name": "2.3.15.1 \u2014 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsy...",
      "description": "(L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'",
      "rational": "Because Windows is case-insensitive but the POSIX subsystem will support case \nsensitivity, failure to enable this policy setting would make it possible for a user of that \nsubsystem to create a file with the same name as another file but with a different mix of \nupper and lower case letters. Such a situation could potentially confuse users when \nthey try to access such files from normal Win32...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\System objects: Require case insensitivity for non-\nWindows subsystems",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel|ObCaseInsensitive",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "255c146b0642bfc97ded1f745d42f30a",
      "name": "2.3.15.2 \u2014 (L1) Ensure 'System objects: Strengthen default permissions of internal syste...",
      "description": "(L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'",
      "rational": "This setting determines the strength of the default DACL for objects. Windows maintains \na global list of shared computer resources so that objects can be located and shared \namong processes. Each type of object is created with a default DACL that specifies who \ncan access the objects and with what permissions.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\System objects: Strengthen default permissions of \ninternal system objects (e.g. Symbolic Links)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager|ProtectionMode",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "072d669acd36fc36f5c14b6f53aa56ac",
      "name": "2.3.17.1 \u2014 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Admin...",
      "description": "(L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'",
      "rational": "One of the risks that the User Account Control feature introduced with Windows Vista is \ntrying to mitigate is that of malicious software running under elevated credentials without \nthe user or administrator being aware of its activity. An attack vector for these programs \nwas to discover the password of the account named \"Administrator\" because that user \naccount was created for all installati...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\User Account Control: Admin Approval Mode for the \nBuilt-in Administrator account",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|FilterAdministratorToken",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "c31f0cbe1365bb36e70fa790694c63c1",
      "name": "2.3.17.2 \u2014 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for admin...",
      "description": "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' or higher",
      "rational": "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate \nis that of malicious software running under elevated credentials without the user or \nadministrator being aware of its activity. This setting raises awareness to the \nadministrator of elevated privilege operations and permits the administrator to prevent a \nmalicious program from elevating its privilege w...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Prompt \nfor consent on the secure desktop or Prompt for credentials on the \nsecure desktop: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\User Account Control: Behavior of the elevation \nprompt for administrators in Admin Approval Mode",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|ConsentPromptBehaviorAdmin",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "91a7b6518cfd24231f65e4f078b312ad",
      "name": "2.3.17.3 \u2014 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for stand...",
      "description": "(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'",
      "rational": "One of the risks that the User Account Control feature introduced with Windows Vista is \ntrying to mitigate is that of malicious programs running under elevated credentials \nwithout the user or administrator being aware of their activity. This setting raises \nawareness to the user that a program requires the use of elevated privilege operations \nand requires that the user be able to supply admi...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nAutomatically deny elevation requests: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\User Account Control: Behavior of the elevation \nprompt for standard users",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|ConsentPromptBehaviorUser",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "fa0c80d98338597f11e155cce2a1fcd5",
      "name": "2.3.17.4 \u2014 (L1) Ensure 'User Account Control: Detect application installations and promp...",
      "description": "(L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'",
      "rational": "Some malicious software will attempt to install itself after being given permission to run. \nFor example, malicious software with a trusted application shell. The user may have \ngiven permission for the program to run because the program is trusted, but if they are \nthen prompted for installation of an unknown component this provides another way of \ntrapping the software before it can do damage.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\User Account Control: Detect application \ninstallations and prompt for elevation",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|EnableInstallerDetection",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "2bd582842e6c8bd3ec23c6fcb70d467a",
      "name": "2.3.17.5 \u2014 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that ar...",
      "description": "(L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'",
      "rational": "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation \n(UIPI) restrictions when an application is elevated in privilege from a standard user to an \nadministrator. This is required to support accessibility features such as screen readers \nthat are transmitting user interfaces to alternative forms. A process that is started with \nUIAccess rights has the following a...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\User Account Control: Only elevate UIAccess \napplications that are installed in secure locations",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|EnableSecureUIAPaths",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "9f47cae09e3b1bed1bb9b07edc633b44",
      "name": "2.3.17.6 \u2014 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval M...",
      "description": "(L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'",
      "rational": "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be \nused and any security benefits and risk mitigations that are dependent on UAC will not \nbe present on the system.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\User Account Control: Run all administrators in \nAdmin Approval Mode",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|EnableLUA",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "a311619a5dea27223c05f1fbaa2c9f2a",
      "name": "2.3.17.7 \u2014 (L1) Ensure 'User Account Control: Switch to the secure desktop when promptin...",
      "description": "(L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'",
      "rational": "Standard elevation prompt dialog boxes can be spoofed, which may cause users to \ndisclose their passwords to malicious software. The secure desktop presents a very \ndistinct appearance when prompting for elevation, where the user desktop dims, and \nthe elevation prompt UI is more prominent. This increases the likelihood that users who \nbecome accustomed to the secure desktop will recognize a sp...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\User Account Control: Switch to the secure desktop \nwhen prompting for elevation",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|PromptOnSecureDesktop",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "83ea6d6621c082bd6951455ffc265660",
      "name": "2.3.17.8 \u2014 (L1) Ensure 'User Account Control: Virtualize file and registry write failure...",
      "description": "(L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'",
      "rational": "This setting reduces vulnerabilities by ensuring that legacy applications only write data \nto permitted locations.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\User Account Control: Virtualize file and registry \nwrite failures to per-user locations",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|EnableVirtualization",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "f571dd1ab827e343a2ed4c57d710b72c",
      "name": "5.3 \u2014 (L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'",
      "description": "(L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'",
      "rational": "This is a legacy service - its sole purpose is to maintain a list of computers and their \nnetwork shares in the environment (i.e. \"Network Neighborhood\"). If enabled, it \ngenerates a lot of unnecessary traffic, including \"elections\" to see who gets to be the \n\"master browser\". This noisy traffic could also aid malicious attackers in discovering \nonline machines, because the service also allows...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Computer Browser",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Browser|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "3e48ae09594b44880f4fe6dd0afdc86a",
      "name": "5.7 \u2014 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Insta...",
      "description": "(L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'",
      "rational": "Hosting a website from a workstation is an increased security risk, as the attack surface \nof that workstation is then greatly increased. If proper security mitigations are not \nfollowed, the chance of successful attack increases significantly. \n\nNote: This security concern applies to any web server application installed on a \nworkstation, not just IIS.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\IIS Admin Service",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\IISADMIN|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "0bfcbaba628066e646d55c8c5d73028a",
      "name": "5.8 \u2014 (L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not I...",
      "description": "(L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'",
      "rational": "Infrared connections can potentially be a source of data compromise - especially via the \nautomatic \"file transfer application\" functionality. Enterprise-managed systems should \nutilize a more secure method of connection than infrared.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Infrared monitor service",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\irmon|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "b5aff442ab3c417bc0114155319b7b68",
      "name": "5.11 \u2014 (L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'",
      "description": "(L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'",
      "rational": "The Linux Subsystem (LXSS) Manager allows full system access to Linux applications \non Windows, including the file system. While this can certainly have some functionality \nand performance benefits for running those applications, it also creates new security \nrisks in the event that a hacker injects malicious code into a Linux application. For best \nsecurity, it is preferred to run Linux applic...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\LxssManager",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LxssManager|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "96b2d2685abb7c2160f962c67dddd304",
      "name": "5.12 \u2014 (L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Ins...",
      "description": "(L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'",
      "rational": "Hosting an FTP server (especially a non-secure FTP server) from a workstation is an \nincreased security risk, as the attack surface of that workstation is then greatly \nincreased. \n\nNote: This security concern applies to any FTP server application installed on a \nworkstation, not just IIS.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Microsoft FTP Service",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\FTPSVC|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "bf2f100ec7d949970378f5b4d15ec115",
      "name": "5.14 \u2014 (L1) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'",
      "description": "(L1) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'",
      "rational": "Hosting an SSH server from a workstation is an increased security risk, as the attack \nsurface of that workstation is then greatly increased. \n\nNote: This security concern applies to any SSH server application installed on a \nworkstation, not just the one supplied with Windows.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\OpenSSH SSH Server",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\sshd|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "6e3a53b6ed913dc63889ca2eade77619",
      "name": "5.25 \u2014 (L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Dis...",
      "description": "(L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'",
      "rational": "This is a legacy service that has no value or purpose other than application compatibility \nfor very old software. It should be disabled unless there is a specific old application still \nin use on the system that requires it.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Remote Procedure Call (RPC) Locator",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\RpcLocator|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "dfa47f254890105f6fab63f3c3c53056",
      "name": "5.27 \u2014 (L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'",
      "description": "(L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'",
      "rational": "This service's main purpose is to provide Windows router functionality - this is not an \nappropriate use of workstations in an enterprise managed environment.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Routing and Remote Access",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\RemoteAccess|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "15f7d20e4c65138911f034de5378bea0",
      "name": "5.29 \u2014 (L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not I...",
      "description": "(L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'",
      "rational": "The Simple TCP/IP Services have very little purpose in a modern enterprise \nenvironment - allowing them might increase exposure and risk for attack.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Simple TCP/IP Services",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\simptcp|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "805d3fa780e525a952065528f5dc8a4d",
      "name": "5.31 \u2014 (L1) Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disab...",
      "description": "(L1) Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed'",
      "rational": "Allowing the use of a remotely accessible command prompt that provides the ability to \nperform remote management tasks on a computer is a security risk.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Special Administration Console Helper",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\sacsvr|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "ef236d9be9d1ca100c5e88d3f8d0b373",
      "name": "5.32 \u2014 (L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'",
      "description": "(L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'",
      "rational": "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and \nattachment to network devices. Note that UPnP is different than regular Plug n Play \n(PnP). Workstations should not be advertising their services (or automatically \ndiscovering and connecting to networked services) in a security-conscious enterprise \nmanaged environment.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\SSDP Discovery",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SSDPSRV|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "cc8e2dd18a19fab7f912e585729ee5cb",
      "name": "5.33 \u2014 (L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'",
      "description": "(L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'",
      "rational": "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and \nattachment to network devices. Note that UPnP is different than regular Plug n Play \n(PnP). Workstations should not be advertising their services (or automatically \ndiscovering and connecting to networked services) in a security-conscious enterprise \nmanaged environment.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\UPnP Device Host",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\upnphost|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "088c48c60ad6b530c009fc5da09f84c7",
      "name": "5.34 \u2014 (L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Ins...",
      "description": "(L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'",
      "rational": "Remote web administration of IIS on a workstation is an increased security risk, as the \nattack surface of that workstation is then greatly increased. If proper security mitigations \nare not followed, the chance of successful attack increases significantly.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Web Management Service",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WMSvc|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "c1a3a0988a6895af1681c916bad09790",
      "name": "5.37 \u2014 (L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is...",
      "description": "(L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'",
      "rational": "Network sharing of media from Media Player has no place in an enterprise managed \nenvironment.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Windows Media Player Network Sharing Service",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WMPNetworkSvc|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "3757b4dafcac4a4209ce983e3bcbffa6",
      "name": "5.38 \u2014 (L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'",
      "description": "(L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'",
      "rational": "The capability to run a mobile hotspot from a domain-connected computer could easily \nexpose the internal network to wardrivers or other hackers.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Windows Mobile Hotspot Service",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\icssvc|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "f78f6c34ce5b589563aa634cad864544",
      "name": "5.43 \u2014 (L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' ...",
      "description": "(L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'",
      "rational": "Hosting a website from a workstation is an increased security risk, as the attack surface \nof that workstation is then greatly increased. If proper security mitigations are not \nfollowed, the chance of successful attack increases significantly. \n\nNote: This security concern applies to any web server application installed on a \nworkstation, not just IIS.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\World Wide Web Publishing Service",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\W3SVC|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "190db8971203934b6e5be7a7201d95ed",
      "name": "5.44 \u2014 (L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disab...",
      "description": "(L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'",
      "rational": "Xbox Live is a gaming service and has no place in an enterprise managed environment \n(perhaps unless it is a gaming company).",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Xbox Accessory Management Service",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\XboxGipSvc|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "d2ff6536150250ab3c61cf4b02030fc4",
      "name": "5.45 \u2014 (L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'",
      "description": "(L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'",
      "rational": "Xbox Live is a gaming service and has no place in an enterprise managed environment \n(perhaps unless it is a gaming company).",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Xbox Live Auth Manager",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\XblAuthManager|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "8d962d3e02cc62436a591f76b57cc52f",
      "name": "5.46 \u2014 (L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'",
      "description": "(L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'",
      "rational": "Xbox Live is a gaming service and has no place in an enterprise managed environment \n(perhaps unless it is a gaming company).",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Xbox Live Game Save",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\XblGameSave|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "61f53b9022c6c43f1fb2ea8cbac48e60",
      "name": "5.47 \u2014 (L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'",
      "description": "(L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'",
      "rational": "Xbox Live is a gaming service and has no place in an enterprise managed environment \n(perhaps unless it is a gaming company).",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Xbox Live Networking Service",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\XboxNetApiSvc|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "0fdb6c100cb288a38dd16ef2f74c4cc7",
      "name": "9.1.1 \u2014 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recomme...",
      "description": "(L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'",
      "rational": "If the firewall is turned off, all traffic will be able to access the system and an attacker \nmay be more easily able to remotely exploit a weakness in a network service.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to On \n(recommended): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Domain \nProfile\\Firewall state",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile|EnableFirewall",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "cb2cf04a5980c60770ef1e55150cd301",
      "name": "9.1.2 \u2014 (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block ...",
      "description": "(L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'",
      "rational": "If the firewall allows all traffic to access the system then an attacker may be more easily \nable to remotely exploit a weakness in a network service.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Block \n(default): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Domain Profile\\Inbound \nconnections",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile|DefaultInbound",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "8756ec835a87aa29fef542c11e56a75d",
      "name": "9.1.3 \u2014 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is s...",
      "description": "(L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'",
      "rational": "Firewall notifications can be complex and may confuse the end users, who would not be \nable to address the alert.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to No: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Domain \nProfile\\Settings Customize\\Display a notification",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile|DisableNotific",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "19a40d54f5053cc80616969869242598",
      "name": "9.1.4 \u2014 (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%...",
      "description": "(L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\\System32\\logfiles\\firewall\\domainfw.log'",
      "rational": "If Windows Firewall events are not recorded it may be difficult or impossible for \nAdministrators to analyze system issues or unauthorized activities of malicious users. \n\nMicrosoft stores all firewall events as one file on the system (pfirewall.log). To \nimprove logging, separate each firewall profile (domain, private, public) into its own \ndistinct log file (domainfw.log, privatefw.log, publi...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n%SystemRoot%\\System32\\logfiles\\firewall\\domainfw.log: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Domain Profile\\Logging \nCustomize\\Name",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\Logging|LogFil",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "%"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "2223c671dea195b89fb632aa008dceab",
      "name": "9.1.5 \u2014 (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '1...",
      "description": "(L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of malicious users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to 16,384 \nKB or greater: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Domain Profile\\Logging \nCustomize\\Size limit (KB)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\Logging|LogFil",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "13e273408af01bacb6c710ef824878b1",
      "name": "9.1.6 \u2014 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set t...",
      "description": "(L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of malicious users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Yes: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Domain Profile\\Logging \nCustomize\\Log dropped packets",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\Logging|LogDro",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "1e741e3869b2ec19ca1e50937673a82b",
      "name": "9.1.7 \u2014 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' i...",
      "description": "(L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of malicious users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Yes: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Domain Profile\\Logging \nCustomize\\Log successful connections",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\Logging|LogSuc",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "6b943a64ffd85fad96f851264b111599",
      "name": "9.2.1 \u2014 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recomm...",
      "description": "(L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'",
      "rational": "If the firewall is turned off, all traffic will be able to access the system and an attacker \nmay be more easily able to remotely exploit a weakness in a network service.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to On \n(recommended): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Private \nProfile\\Firewall state",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile|EnableFirewal",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "544a3f12dd87bce1f8b070e13d938489",
      "name": "9.2.2 \u2014 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block...",
      "description": "(L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'",
      "rational": "If the firewall allows all traffic to access the system then an attacker may be more easily \nable to remotely exploit a weakness in a network service.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Block \n(default): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Private \nProfile\\Inbound connections",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile|DefaultInboun",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "892cf95c3f0b5b800559ff62b6642e8c",
      "name": "9.2.3 \u2014 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is ...",
      "description": "(L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'",
      "rational": "Firewall notifications can be complex and may confuse the end users, who would not be \nable to address the alert.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to No: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Private \nProfile\\Settings Customize\\Display a notification",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile|DisableNotifi",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "234ce00207f35639dd4631524061d29e",
      "name": "9.2.4 \u2014 (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot...",
      "description": "(L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\\System32\\logfiles\\firewall\\privatefw.log'",
      "rational": "If Windows Firewall events are not recorded it may be difficult or impossible for \nAdministrators to analyze system issues or unauthorized activities of malicious users. \n\nMicrosoft stores all firewall events as one file on the system (pfirewall.log). To \nimprove logging, separate each firewall profile (domain, private, public) into its own \ndistinct log file (domainfw.log, privatefw.log, publi...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n%SystemRoot%\\System32\\logfiles\\firewall\\privatefw.log: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Private \nProfile\\Logging Customize\\Name",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile\\Logging|LogFi",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "%"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "6095c5669aceb0135fc63eb3329d02c2",
      "name": "9.2.5 \u2014 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '...",
      "description": "(L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of malicious users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to 16,384 \nKB or greater: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Private \nProfile\\Logging Customize\\Size limit (KB)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile\\Logging|LogFi",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "887b616e3040f339cdec255217d88e43",
      "name": "9.2.6 \u2014 (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set ...",
      "description": "(L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of malicious users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Yes: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Private \nProfile\\Logging Customize\\Log dropped packets",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile\\Logging|LogDr",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "98cdf52978301ea1e7d99d104298ec31",
      "name": "9.2.7 \u2014 (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' ...",
      "description": "(L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of malicious users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Yes: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Private \nProfile\\Logging Customize\\Log successful connections",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile\\Logging|LogSu",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "c340e7a6676dc4ce02de7bb93447ca15",
      "name": "9.3.1 \u2014 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recomme...",
      "description": "(L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'",
      "rational": "If the firewall is turned off, all traffic will be able to access the system and an attacker \nmay be more easily able to remotely exploit a weakness in a network service.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to On \n(recommended): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Public \nProfile\\Firewall state",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile|EnableFirewall",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "25782fd7a1bd3a154fef006df2473514",
      "name": "9.3.2 \u2014 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block ...",
      "description": "(L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'",
      "rational": "If the firewall allows all traffic to access the system then an attacker may be more easily \nable to remotely exploit a weakness in a network service.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Block \n(default): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Public Profile\\Inbound \nconnections",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile|DefaultInbound",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "6cd9594f81be6179da7d43a1022514cc",
      "name": "9.3.3 \u2014 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is s...",
      "description": "(L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'",
      "rational": "Some organizations may prefer to avoid alarming users when firewall rules block certain \ntypes of network activity. However, notifications can be helpful when troubleshooting \nnetwork issues involving the firewall.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to No: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Public \nProfile\\Settings Customize\\Display a notification",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile|DisableNotific",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "526ebe20a5c96555f66b309866fe775a",
      "name": "9.3.4 \u2014 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' ...",
      "description": "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'",
      "rational": "When in the Public profile, there should be no special local firewall exceptions per \ncomputer. These settings should be managed by a centralized policy.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to No: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Public \nProfile\\Settings Customize\\Apply local firewall rules",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile|AllowLocalPoli",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "4756eeb0730a3ebf5c7a4b1978b72902",
      "name": "9.3.5 \u2014 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection secur...",
      "description": "(L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'",
      "rational": "Users with administrative privileges might create firewall rules that expose the system to \nremote attack.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to No: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Public \nProfile\\Settings Customize\\Apply local connection security rules",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile|AllowLocalIPse",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "e9a856c36fa2357cea69875c8d52cb83",
      "name": "9.3.6 \u2014 (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%...",
      "description": "(L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\\System32\\logfiles\\firewall\\publicfw.log'",
      "rational": "If Windows Firewall events are not recorded it may be difficult or impossible for \nAdministrators to analyze system issues or unauthorized activities of malicious users. \n\nMicrosoft stores all firewall events as one file on the system (pfirewall.log). To \nimprove logging, separate each firewall profile (domain, private, public) into its own \ndistinct log file (domainfw.log, privatefw.log, publi...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n%SystemRoot%\\System32\\logfiles\\firewall\\publicfw.log: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Public Profile\\Logging \nCustomize\\Name",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile\\Logging|LogFil",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "%"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "58e287262b148a146685bd81f914d2e2",
      "name": "9.3.7 \u2014 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '1...",
      "description": "(L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of malicious users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to 16,384 \nKB or greater: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Public Profile\\Logging \nCustomize\\Size limit (KB)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile\\Logging|LogFil",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "6a18cadd5d56606fe14da056e47c0ca3",
      "name": "9.3.8 \u2014 (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set t...",
      "description": "(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of malicious users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Yes: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Public Profile\\Logging \nCustomize\\Log dropped packets",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile\\Logging|LogDro",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "4ab6dcae65f8de02e3be45624d3ced02",
      "name": "9.3.9 \u2014 (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' i...",
      "description": "(L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of malicious users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Yes: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Public Profile\\Logging \nCustomize\\Log successful connections",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile\\Logging|LogSuc",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "ecb075ddead34fe3f5725f12990a98f6",
      "name": "18.1.1.1 \u2014 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'",
      "description": "(L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'",
      "rational": "Disabling the lock screen camera extends the protection afforded by the lock screen to \ncamera features.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Control \nPanel\\Personalization\\Prevent enabling lock screen camera \n\nNote: This Group Policy path is provided by the Group Policy template \nControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & \nServer 2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization|NoLockScreenCamera",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "61f345723c1f9e6dd5d269e5f3780f2c",
      "name": "18.1.1.2 \u2014 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'",
      "description": "(L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'",
      "rational": "Disabling the lock screen slide show extends the protection afforded by the lock screen \nto slide show contents.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Control \nPanel\\Personalization\\Prevent enabling lock screen slide show \n\nNote: This Group Policy path is provided by the Group Policy template \nControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization|NoLockScreenSlideshow",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "36f5a9122589f2896ccfbb8cde41c51f",
      "name": "18.1.2.2 \u2014 (L1) Ensure 'Allow users to enable online speech recognition services' is set...",
      "description": "(L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'",
      "rational": "If this setting is Enabled, sensitive information could be stored in the cloud or sent to \nMicrosoft.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Control \nPanel\\Regional and Language Options\\Allow users to enable online speech \nrecognition services \n\nNote: This Group Policy path is provided by the Group Policy template \nGlobalization.admx/adml that is included with the Microsoft Windows 10 RTM \n(Release 1507) Administrative Templates (or newer). \n\nNote #2: In older Microsoft Windows Admin...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\InputPersonalization|AllowInputPersonalization",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "5a76c96a2fbfa968cd84489f28b018ad",
      "name": "18.4.1 \u2014 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is s...",
      "description": "(L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'",
      "rational": "Local accounts are at high risk for credential theft when the same account and \npassword is configured on multiple systems. Ensuring this policy is Enabled significantly \nreduces that risk.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MS Security \nGuide\\Apply UAC restrictions to local accounts on network logons \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (SecGuide.admx/adml) is required - it is available from Microsoft at this link.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|LocalAccountTokenFilterPolicy",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "a3cc28f09eeb4a0e16d78ed4707163b0",
      "name": "18.4.2 \u2014 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driv...",
      "description": "(L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'",
      "rational": "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and \nno longer used on modern networks, as it is a 30-year-old design that is much more \nvulnerable to attacks than much newer designs such as SMBv2 and SMBv3. \n\nMore information on this can be found at the following links: \n\nStop using SMB1 | Storage at Microsoft \n\nDisable SMB v1 in Managed Environments with Group P...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Disable driver (recommended): \n\nComputer Configuration\\Policies\\Administrative Templates\\MS Security \nGuide\\Configure SMB v1 client driver \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (SecGuide.admx/adml) is required - it is available from Microsoft at this link.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\mrxsmb10|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "42ec633e62d3ab6462d61d930ccd36d1",
      "name": "18.4.3 \u2014 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'",
      "description": "(L1) Ensure 'Configure SMB v1 server' is set to 'Disabled'",
      "rational": "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and \nno longer used on modern networks, as it is a 30-year-old design that is much more \nvulnerable to attacks than much newer designs such as SMBv2 and SMBv3. \n\nMore information on this can be found at the following links: \n\nStop using SMB1 | Storage at Microsoft \n\nDisable SMB v1 in Managed Environments with Group P...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MS Security \nGuide\\Configure SMB v1 server \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (SecGuide.admx/adml) is required - it is available from Microsoft at this link.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters|SMB1",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "6993a8e5035c8cdc0d2df37a36353638",
      "name": "18.4.4 \u2014 (L1) Ensure 'Enable Certificate Padding' is set to 'Enabled'",
      "description": "(L1) Ensure 'Enable Certificate Padding' is set to 'Enabled'",
      "rational": "A remote code execution vulnerability exists in the way that the WinVerifyTrust function \nhandles Windows Authenticode signature verification for portable executable (PE) files. \nFor more information on this vulnerability, visit CVE-2013-3900 - Security Update Guide \n- Microsoft - WinVerifyTrust Signature Validation Vulnerability.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MS Security \nGuide\\Enable Certificate Padding \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (SecGuide.admx/adml) is required - it is available from Microsoft at this link.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Wintrust\\Config|EnableCertPaddingCheck",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "641334d9f1457f73a7eac336ff34f175",
      "name": "18.4.5 \u2014 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP...",
      "description": "(L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'",
      "rational": "This feature is designed to block exploits that use the Structured Exception Handler \n(SEH) overwrite technique. This protection mechanism is provided at run-time. \nTherefore, it helps protect applications regardless of whether they have been compiled \nwith the latest improvements, such as the /SAFESEH option.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MS Security \nGuide\\Enable Structured Exception Handling Overwrite Protection (SEHOP) \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (SecGuide.admx/adml) is required - it is available from Microsoft at this link. \n\nMore information is available at MSKB 956607: How to enable Structured Exception \nHand...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\kernel|DisableExceptionChainValidation",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "6e2089ec2d1577676bb789afe3c0750a",
      "name": "18.4.6 \u2014 (L1) Ensure 'LSA Protection' is set to 'Enabled'",
      "description": "(L1) Ensure 'LSA Protection' is set to 'Enabled'",
      "rational": "The Windows 8.1 operating system (or newer) provides additional protection for the \nLSA to prevent reading memory and code injection by non-protected processes. \nEnabling this setting provides added security for the credentials that LSA stores and \nmanages.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MS Security \nGuide\\LSA Protection \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (SecGuide.admx/adml) is required - it is available from Microsoft at this link.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|RunAsPPL",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "039a646ef76ee4d9e38535c7a7bb9910",
      "name": "18.4.7 \u2014 (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recomm...",
      "description": "(L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'",
      "rational": "In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, \nsetting the node type to P-node (point-to-point) will prevent the system from sending out \nNetBIOS broadcasts.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: P-node (recommended): \n\nComputer Configuration\\Policies\\Administrative Templates\\MS Security \nGuide\\NetBT NodeType configuration \n\nNote: This change does not take effect until the computer has been restarted. \n\nNote #2: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (SecGuide.admx/adml) is required - it is available from Microsoft at this link. \nPlease note that th...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters|NodeType",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "a43e0a775d201bb2e99c8f70247d7c41",
      "name": "18.4.8 \u2014 (L1) Ensure 'WDigest Authentication' is set to 'Disabled'",
      "description": "(L1) Ensure 'WDigest Authentication' is set to 'Disabled'",
      "rational": "Preventing the plaintext storage of credentials in memory may reduce opportunity for \ncredential theft.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MS Security \nGuide\\WDigest Authentication (disabling may require KB2871997) \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (SecGuide.admx/adml) is required - it is available from Microsoft at this link.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest|UseLogonCredential",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "9604dd025c4b4697a07a7dff61c2bcf5",
      "name": "18.5.1 \u2014 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'",
      "description": "(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'",
      "rational": "If you configure a computer for automatic logon, anyone who can physically gain access \nto the computer can also gain access to everything that is on the computer, including \nany network or networks that the computer is connected to. Also, if you enable \nautomatic logon, the password is stored in the registry in plaintext. The specific registry \nkey that stores this setting is remotely readable...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: \n(AutoAdminLogon) Enable Automatic Logon \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (MSS-legacy.admx/adml) is required - it is available from this TechNet blog \npost: The MSS settings \u2013 Microsoft Security Guidance blog",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon|AutoAdminLogon",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "596ee1cdc7b14527b0dddc3ff6a88f7d",
      "name": "18.5.2 \u2014 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection ...",
      "description": "(L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'",
      "rational": "An attacker could use source routed packets to obscure their identity and location. \nSource routing allows a computer that sends a packet to specify the route that the \npacket takes.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Highest protection, source routing is completely disabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: \n(DisableIPSourceRouting IPv6) IP source routing protection level \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (MSS-legacy.admx/adml) is required - it is available from this TechNet blog \npost: The MSS settings \u2013 Microsof...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters|DisableIPSourceRouting",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "9dcfc931602132147a77df5962a930ac",
      "name": "18.5.3 \u2014 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level...",
      "description": "(L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'",
      "rational": "An attacker could use source routed packets to obscure their identity and location. \nSource routing allows a computer that sends a packet to specify the route that the \npacket takes.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Highest protection, source routing is completely disabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: \n(DisableIPSourceRouting) IP source routing protection level \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (MSS-legacy.admx/adml) is required - it is available from this TechNet blog \npost: The MSS settings \u2013 Microsoft Sec...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters|DisableIPSourceRouting",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "a6f048ec33e139d7c570f47ed9bb8ab5",
      "name": "18.5.5 \u2014 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF ...",
      "description": "(L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'",
      "rational": "This behavior is expected. The problem is that the 10 minute time-out period for the \nICMP redirect-plumbed routes temporarily creates a network situation in which traffic \nwill no longer be routed properly for the affected host. Ignoring such ICMP redirects will \nlimit the system's exposure to attacks that will impact its ability to participate on the \nnetwork.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: \n(EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (MSS-legacy.admx/adml) is required - it is available from this TechNet blog \npost: The MSS settings \u2013 Microsoft Security Guidance blog",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters|EnableICMPRedirect",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "32d0b3bc5361fbd174364f9c38187df8",
      "name": "18.5.7 \u2014 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIO...",
      "description": "(L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'",
      "rational": "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to \nspoofing. Spoofing makes a transmission appear to come from a user other than the \nuser who performed the action. A malicious user could exploit the unauthenticated \nnature of the protocol to send a name-conflict datagram to a target computer, which \nwould cause the computer to relinquish its name and not...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: \n(NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release \nrequests except from WINS servers \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (MSS-legacy.admx/adml) is required - it is available from this TechNet blog \npost: The MSS settings \u2013 Microsoft Security Guid...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters|NoNameReleaseOnDemand",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "62357efddb0f43b683f6e62e1f2fcea8",
      "name": "18.5.9 \u2014 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode' is set to ...",
      "description": "(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode' is set to 'Enabled'",
      "rational": "If a user unknowingly executes hostile code that was packaged with additional files that \ninclude modified versions of system DLLs, the hostile code could load its own versions \nof those DLLs and potentially increase the type and degree of damage the code can \nrender.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: \n(SafeDllSearchMode) Enable Safe DLL search mode \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (MSS-legacy.admx/adml) is required - it is available from this TechNet blog \npost: The MSS settings \u2013 Microsoft Security Guidance blog",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager|SafeDllSearchMode",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "43c836ec9684732ae7cd0e80fb87dea6",
      "name": "18.5.10 \u2014 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the scr...",
      "description": "(L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires' is set to 'Enabled: 5 or fewer seconds'",
      "rational": "The default grace period that is allowed for user movement before the screen saver lock \ntakes effect is five seconds. If you leave the default grace period configuration, your \ncomputer is vulnerable to a potential attack from someone who could approach the \nconsole and attempt to log on to the computer before the lock takes effect. An entry to \nthe registry can be made to adjust the length of...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 5 or fewer seconds: \n\nComputer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: \n(ScreenSaverGracePeriod) The time in seconds before the screen saver grace \nperiod expires \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (MSS-legacy.admx/adml) is required - it is available from this TechNet blog \npost: The MSS settings \u2013 Microsoft Security Gu...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon|ScreenSaverGracePeriod",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "5"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "f3bc6edc22e7c255d4eef836293b8f0a",
      "name": "18.5.13 \u2014 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event ...",
      "description": "(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'",
      "rational": "If the Security log reaches 90 percent of its capacity and the computer has not been \nconfigured to overwrite events as needed, more recent events will not be written to the \nlog. If the log reaches its capacity and the computer has been configured to shut down \nwhen it can no longer record events to the Security log, the computer will shut down and \nwill no longer be available to provide netwo...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 90% or less: \n\nComputer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: \n(WarningLevel) Percentage threshold for the security event log at which the \nsystem will generate a warning \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (MSS-legacy.admx/adml) is required - it is available from this TechNet blog \npost: The MSS settings \u2013 Microsoft S...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Eventlog\\Security|WarningLevel",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "9"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "ca80875c0ff7f844f6aae217686b3fc9",
      "name": "18.6.4.1 \u2014 (L1) Ensure 'Configure multicast DNS (mDNS) protocol' is set to 'Disabled'",
      "description": "(L1) Ensure 'Configure multicast DNS (mDNS) protocol' is set to 'Disabled'",
      "rational": "An attacker can listen on a network over UDP port 5353 for mDNS queries and respond to them, tricking \nthe host into thinking that it knows the location of the requested system.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\DNS \nClient\\Configure multicast DNS (mDNS) protocol \n\nNote: This Group Policy path is provided by the Group Policy template \nDnsClient.admx/adml that is included with the Microsoft Windows 11 Release 24H2 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient|EnableMDNS",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "3fda93ea0d12368d43122dfcceb76c5a",
      "name": "18.6.4.2 \u2014 (L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS ...",
      "description": "(L1) Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'",
      "rational": "NetBIOS does not perform authentication and can allow remote attackers to cause a \ndenial of service by sending spoofed Name Conflicts or Name Release datagrams. This \nis also known as \"NetBIOS Name Server Protocol Spoofing\". Preventing the use of \nNetBIOS on public networks reduces the attack surface.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Disable NetBIOS name resolution on public networks: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\DNS \nClient\\Configure NetBIOS settings \n\nNote: This Group Policy path is provided by the Group Policy template \nDnsClient.admx/adml that is included with the Microsoft Windows 11 Release 22H2 \nAdministrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient|EnableNetbios",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "5e438b69a81447c52a6b56fa62712586",
      "name": "18.6.4.4 \u2014 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'",
      "description": "(L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled'",
      "rational": "An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS \n(UDP/137) broadcasts and respond to them, tricking the host into thinking that it knows \nthe location of the requested system. \n\nNote: To completely mitigate local name resolution poisoning, in addition to this setting, \nthe properties of each installed NIC should also be set to Disable NetBIOS over \nTCP/IP (on the WINS t...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\DNS \nClient\\Turn off multicast name resolution \n\nNote: This Group Policy path is provided by the Group Policy template \nDnsClient.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 \n(non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient|EnableMulticast",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "07633f1617396e3a995785d10910ccbe",
      "name": "18.6.8.1 \u2014 (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'",
      "description": "(L1) Ensure 'Enable insecure guest logons' is set to 'Disabled'",
      "rational": "Insecure guest logons are used by file servers to allow unauthenticated access to \nshared folders.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Lanman \nWorkstation\\Enable insecure guest logons \n\nNote: This Group Policy path is provided by the Group Policy template \nLanmanWorkstation.admx/adml that is included with the Microsoft Windows 10 \nRelease 1511 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation|AllowInsecureGuest",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "4c68ce286085faaec8f99ee925785c53",
      "name": "18.6.11.2 \u2014 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on you...",
      "description": "(L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'",
      "rational": "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access \nControl (MAC) bridge, enabling them to connect two or more physical network \nsegments together. A Network Bridge thus allows a computer that has connections to \ntwo different networks to share data between those networks. \n\nIn an enterprise managed environment, where there is a need to control network traffic...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Network \nConnections\\Prohibit installation and configuration of Network Bridge on your \nDNS domain network \n\nNote: This Group Policy path is provided by the Group Policy template \nNetworkConnections.admx/adml that is included with all versions of the Microsoft \nWindows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Network Connections|NC_AllowNetBridge_NLA",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "3ea18b56a49912d361f879297e555a12",
      "name": "18.6.11.3 \u2014 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain n...",
      "description": "(L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'",
      "rational": "Non-administrators should not be able to turn on the Mobile Hotspot feature and open \ntheir Internet connectivity up to nearby mobile devices.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Network \nConnections\\Prohibit use of Internet Connection Sharing on your DNS domain \nnetwork \n\nNote: This Group Policy path is provided by the Group Policy template \nNetworkConnections.admx/adml that is included with all versions of the Microsoft \nWindows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Network Connections|NC_ShowSharedAccessUI",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "7226660df3c770be71aaa5dcadf114e4",
      "name": "18.6.11.4 \u2014 (L1) Ensure 'Require domain users to elevate when setting a network's locatio...",
      "description": "(L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'",
      "rational": "Allowing regular users to set a network location increases the risk and attack surface.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Network \nConnections\\Require domain users to elevate when setting a network's location \n\nNote: This Group Policy path is provided by the Group Policy template \nNetworkConnections.admx/adml that is included with the Microsoft Windows 7 & \nServer 2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Network Connections|NC_StdDomainUserSetLocation",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "73ea6e15a57397a127fa5c0dcaaa82dd",
      "name": "18.6.21.1 \u2014 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet ...",
      "description": "(L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'",
      "rational": "Preventing bridged network connections can help prevent a user unknowingly allowing \ntraffic to route between internal and external networks, which risks exposing sensitive \ninternal data.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 3 = Prevent Wi-Fi when on Ethernet: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Windows \nConnection Manager\\Minimize the number of simultaneous connections to the \nInternet or a Windows Domain \n\nNote: This Group Policy path is provided by the Group Policy template WCM.admx/adml \nthat is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative \nTemplates. It was...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WcmSvc\\GroupPolicy|fMinimizeConnecti",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "8f2741a803943dfc89cb0ec70ad92c0d",
      "name": "18.6.21.2 \u2014 (L1) Ensure 'Prohibit connection to non-domain networks when connected to dom...",
      "description": "(L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'",
      "rational": "The potential concern is that a user would unknowingly allow network traffic to flow \nbetween the insecure public network and the enterprise managed network.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Windows \nConnection Manager\\Prohibit connection to non-domain networks when connected \nto domain authenticated network \n\nNote: This Group Policy path is provided by the Group Policy template WCM.admx/adml \nthat is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative \nTemplates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WcmSvc\\GroupPolicy|fBlockNonDomain",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "8b5eefbc57e9b1658c2eda5f97ab3647",
      "name": "18.6.23.2.1 \u2014 (L1) Ensure 'Allow Windows to automatically connect to suggested open hotspot...",
      "description": "(L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'",
      "rational": "Automatically connecting to an open hotspot or network can introduce the system to a \nrogue network with malicious intent.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\WLAN \nService\\WLAN Settings\\Allow Windows to automatically connect to suggested \nopen hotspots, to networks shared by contacts, and to hotspots offering paid \nservices \n\nNote: This Group Policy path is provided by the Group Policy template \nwlansvc.admx/adml that is included with the Microsoft Windows 10 Release 1511 \nAdministrative Temp...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config|AutoConnectAllowedOE",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "4312de89a514b03a74faa739b45f7018",
      "name": "18.7.1 \u2014 (L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Dis...",
      "description": "(L1) Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'",
      "rational": "Disabling the ability for the Print Spooler service to accept client connections mitigates \nremote attacks against the PrintNightmare vulnerability (CVE-2021-34527) and other \nremote Print Spooler attacks. However, this recommendation does not mitigate against \nlocal attacks on the Print Spooler service.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Allow Print \nSpooler to accept client connections \n\nNote: This Group Policy path is provided by the Group Policy template \nprinting2.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Printers|RegisterSpoolerRemoteRpcEndPoint",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "5207c447c5f5fff11cab4deceeeadfc3",
      "name": "18.7.2 \u2014 (L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Gua...",
      "description": "(L1) Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'",
      "rational": "This setting prevents non-administrators from redirecting files within the print spooler \nprocess.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Redirection Guard Enabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Configure \nRedirection Guard \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with the Microsoft Windows 11 Release 22H2 \nAdministrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers|RedirectionguardPolicy",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "a48ccc500a93cc33e15f78b5e450cd94",
      "name": "18.7.3 \u2014 (L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing ...",
      "description": "(L1) Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'",
      "rational": "This setting prevents the use of named pipes for RPC connections to the print spooler \nand forces the use of TCP which is a more secure communication method.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: RPC over TCP: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Configure \nRPC connection settings: Protocol to use for outgoing RPC connections \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with the Microsoft Windows 11 Release 22H2 \nAdministrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\RPC|RpcUseNamedPipeProtocol",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "418a5c6aad4fc4a478d61aca76d32641",
      "name": "18.7.4 \u2014 (L1) Ensure 'Configure RPC connection settings: Use authentication for outgoi...",
      "description": "(L1) Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'",
      "rational": "This setting can prevent the use of named pipes for RPC connections to the print \nspooler and forces the use of TCP which is a more secure communication method.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Default: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Configure \nRPC connection settings: Use authentication for outgoing RPC connections \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with the Microsoft Windows 11 Release 22H2 \nAdministrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\RPC|RpcAuthentication",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "7cd0762cb6e72c08deb445de5408859a",
      "name": "18.7.5 \u2014 (L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming...",
      "description": "(L1) Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'",
      "rational": "This setting can prevent the use of named pipes for RPC connections to the print \nspooler and forces the use of TCP which is a more secure communication method.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: RPC over TCP: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Configure \nRPC listener settings: Configure protocol options for incoming RPC \nconnections \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with the Microsoft Windows 11 Release 22H2 \nAdministrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\RPC|RpcProtocols",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "5"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "a0a69242f0f81effc87a1332cc4626dc",
      "name": "18.7.6 \u2014 (L1) Ensure 'Configure RPC listener settings: Authentication protocol to use ...",
      "description": "(L1) Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher",
      "rational": "This setting can prevent the use of named pipes for RPC connections to the print \nspooler and forces the use of TCP which is a more secure communication method.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Negotiate or higher: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Configure \nRPC listener settings: Configure protocol options for incoming RPC \nconnections \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with the Microsoft Windows 11 Release 22H2 \nAdministrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\RPC|ForceKerberosForRpc",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "13207617d8f2e495554436d2b774b73d",
      "name": "18.7.7 \u2014 (L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'",
      "description": "(L1) Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'",
      "rational": "Using dynamic ports for printing makes it more difficult for an attacker to know which \nport is being used and therefore which port to attack.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 0: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Configure \nRPC over TCP port \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with the Microsoft Windows 11 Release 22H2 \nAdministrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\RPC|RpcTcpPort",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "d0229d5e26551410ef4111fee3c79d83",
      "name": "18.7.8 \u2014 (L1) Ensure 'Configure RPC packet level privacy setting for incoming connecti...",
      "description": "(L1) Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'",
      "rational": "A security bypass vulnerability (CVE-2021-1678 | Windows Print Spooler Spoofing \nVulnerability) exists in the way the Printer RPC binding handles authentication for the \nremote Winspool interface. Enabling the RPC packet level privacy setting for incoming \nconnections enforces the server-side to increase the authentication level to minimize \nthis vulnerability.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MS Security \nGuide\\Configure RPC packet level privacy setting for incoming connections \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (SecGuide.admx/adml) is required - it is available from Microsoft at this link.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print|RpcAuthnLevelPrivacyEnabled",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "5b47aa0e71721316afaa30bffd3538e6",
      "name": "18.7.9 \u2014 (L1) Ensure 'Limits print driver installation to Administrators' is set to 'E...",
      "description": "(L1) Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'",
      "rational": "Restricting the installation of print drivers to Administrators can help mitigate the \nPrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Limits \nprint driver installation to Administrators \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with the Microsoft Windows 10 Release 21H2 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint|RestrictDriverInstallationToAdministrators",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "7c5b5ee5440df68c49038045e653edd0",
      "name": "18.7.10 \u2014 (L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: L...",
      "description": "(L1) Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'",
      "rational": "A Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-36958) \nexists when the Windows Print Spooler service improperly performs privileged file \noperations. An attacker who successfully exploits this vulnerability could run arbitrary \ncode with SYSTEM privileges and then install programs; view, change, or delete data; \nor create new accounts with full user rights.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Limit Queue-specific files to Color profiles: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Manage \nprocessing of Queue-specific files \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with the Microsoft Windows 11 Release 22H2 \nAdministrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers|CopyFilesPolicy",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "503164c35991bd49445f3a58dcb1d16c",
      "name": "18.7.11 \u2014 (L1) Ensure 'Point and Print Restrictions: When installing drivers for a new ...",
      "description": "(L1) Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'",
      "rational": "Enabling Windows User Account Control (UAC) for the installation of new print drivers \ncan help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print \nSpooler attacks. \n\nAlthough the Point and Print default driver installation behavior overrides this setting, it \nis important to configure this as a backstop in the event that behavior is reversed.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Show warning and elevation prompt: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Point and \nPrint Restrictions: When installing drivers for a new connection  \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint|NoWarningNoElevationOnInstall",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "1b601710f412af2236236cf6b825c4d7",
      "name": "18.7.12 \u2014 (L1) Ensure 'Point and Print Restrictions: When updating drivers for an exist...",
      "description": "(L1) Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'",
      "rational": "Enabling Windows User Account Control (UAC) for updating existing print drivers can \nhelp mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print \nSpooler attacks. \n\nAlthough the Point and Print default driver installation behavior overrides this setting, it \nis important to configure this as a backstop in the event that behavior is reversed.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Show warning and elevation prompt: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Point and \nPrint Restrictions: When updating drivers for an existing connection  \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint|UpdatePromptSettings",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "29356f6b533155b38863de1c1f9fcaba",
      "name": "18.9.3.1 \u2014 (L1) Ensure 'Include command line in process creation events' is set to 'Enab...",
      "description": "(L1) Ensure 'Include command line in process creation events' is set to 'Enabled'",
      "rational": "Capturing process command line information in event logs can be very valuable when \nperforming forensic investigations of attack incidents.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Audit Process \nCreation\\Include command line in process creation events \n\nNote: This Group Policy path is provided by the Group Policy template \nAuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit|ProcessCreationIncludeCmdLine_Enabled",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "43c436dde540582bed2516d55c927c8b",
      "name": "18.9.4.1 \u2014 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated...",
      "description": "(L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'",
      "rational": "This setting is important to mitigate the CredSSP encryption oracle vulnerability, for \nwhich information was published by Microsoft on 03/13/2018 in CVE-2018-0886 | \nCredSSP Remote Code Execution Vulnerability. All versions of Windows from Windows \nVista onwards are affected by this vulnerability, and will be compatible with this \nrecommendation provided that they have been patched at least th...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Force Updated Clients: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Credentials \nDelegation\\Encryption Oracle Remediation \n\nNote: This Group Policy path is provided by the Group Policy template \nCredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1803 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\CredSSP\\Parameters|AllowEncryptionOracle",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "8c5c5918abec6965e91557dfe3843d9a",
      "name": "18.9.4.2 \u2014 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is...",
      "description": "(L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'",
      "rational": "Restricted Admin Mode was designed to help protect administrator accounts by \nensuring that reusable credentials are not stored in memory on remote devices that \ncould potentially be compromised. Windows Defender Remote Credential Guard helps \nyou protect your credentials over a Remote Desktop connection by redirecting Kerberos \nrequests back to the device that is requesting the connection. Bot...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Credentials \nDelegation\\Remote host allows delegation of non-exportable credentials \n\nNote: This Group Policy path is provided by the Group Policy template \nCredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1703 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CredentialsDelegation|AllowProtectedCreds",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "1ed5133d9a334d072d7e59f00cdbcc2c",
      "name": "18.9.5.1 \u2014 (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'",
      "description": "(NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'",
      "rational": "Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based \nsecurity. Previous versions of Windows stored secrets in the Local Security Authority \n(LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its \nprocess memory. With Windows Defender Credential Guard enabled, the LSA process \nin the operating system talks to a new component called...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nGuard\\Turn On Virtualization Based Security \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM \n(Release 1507) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard|EnableVirtualizationBasedSecurity",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "8c591ee85f8adbb3dad0b79ccadca589",
      "name": "18.9.5.2 \u2014 (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security ...",
      "description": "(NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot' or higher",
      "rational": "Secure Boot can help reduce the risk of bootloader attacks and in conjunction with DMA \nprotections to help protect data from being scraped from memory.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Secure \nBoot or Secure Boot and DMA Protection: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nGuard\\Turn On Virtualization Based Security: Select Platform Security Level \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM \n(Release 1507) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard|RequirePlatformSecurityFeatures",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "154369b233e9a3e87c18dc9118143565",
      "name": "18.9.5.3 \u2014 (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Prot...",
      "description": "(NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'",
      "rational": "The Enabled with UEFI lock option ensures that Virtualization Based Protection of \nCode Integrity cannot be disabled remotely.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled with UEFI lock: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nGuard\\Turn On Virtualization Based Security: Virtualization Based Protection \nof Code Integrity \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM \n(Release 1507) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard|HypervisorEnforcedCodeIntegrity",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "fca3b8f1d2efc804b870bb1f49c5cfe8",
      "name": "18.9.5.4 \u2014 (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attri...",
      "description": "(NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'",
      "rational": "This setting will help protect this control from being enabled on a system that is not \ncompatible which could lead to a crash or data loss.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to TRUE: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nGuard\\Turn On Virtualization Based Security: Require UEFI Memory Attributes \nTable \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1703 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard|HVCIMATRequired",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "c113743f46f17b0be6bef8dcf1984cc5",
      "name": "18.9.5.5 \u2014 (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configur...",
      "description": "(NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'",
      "rational": "The Enabled with UEFI lock option ensures that Credential Guard cannot be \ndisabled remotely.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled with UEFI lock: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nGuard\\Turn On Virtualization Based Security: Credential Guard Configuration \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1511 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard|LsaCfgFlags",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "822de564ebff53735a3ae0778d008aa2",
      "name": "18.9.5.6 \u2014 (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configurati...",
      "description": "(NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'",
      "rational": "Secure Launch changes the way Windows boots to use Intel Trusted Execution \nTechnology (TXT) and Runtime BIOS Resilience features to prevent firmware exploits \nfrom being able to impact the security of the Windows Virtualization Based Security \nenvironment.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nGuard\\Turn On Virtualization Based Security: Secure Launch Configuration \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1809 \n& Server 2019 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard|ConfigureSystemGuardLaunch",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "e7a454ec4dfdd4604eb02a87ac53da7c",
      "name": "18.9.7.1.1 \u2014 (BL) Ensure 'Prevent installation of devices that match any of these device I...",
      "description": "(BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled'",
      "rational": "A BitLocker-protected computer may be vulnerable to Direct Memory Access (DMA) \nattacks when the computer is turned on or is in the Standby power state - this includes \nwhen the workstation is locked. \n\nBitLocker with TPM-only authentication lets a computer enter the power-on state without \nany pre-boot authentication. Therefore, an attacker may be able to perform DMA \nattacks. \n\nThis issue is...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nInstallation\\Device Installation Restrictions\\Prevent installation of devices \nthat match any of these device IDs \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceInstallation.admx/adml that is included with all versions of the Microsoft \nWindows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\Restrictions|DenyDeviceIDs",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "40c4da83c828ab4372ed81715017f539",
      "name": "18.9.7.1.2 \u2014 (BL) Ensure 'Prevent installation of devices that match any of these device I...",
      "description": "(BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs' is set to 'PCI\\CC_0C0A'",
      "rational": "A BitLocker-protected computer may be vulnerable to Direct Memory Access (DMA) \nattacks when the computer is turned on or is in the Standby power state - this includes \nwhen the workstation is locked. \n\nBitLocker with TPM-only authentication lets a computer enter the power-on state without \nany pre-boot authentication. Therefore, an attacker may be able to perform DMA \nattacks. \n\nThis issue is...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled, and add PCI\\CC_0C0A to the Device IDs list: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nInstallation\\Device Installation Restrictions\\Prevent installation of devices \nthat match any of these device IDs \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceInstallation.admx/adml that is included with all versions of the Microsoft \nWindows Administrati...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\Restrictions\\DenyDeviceIDs|1",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "PCI\\CC_0C0A"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "4b2f60b7159544ef300e71492b43365d",
      "name": "18.9.7.1.3 \u2014 (BL) Ensure 'Prevent installation of devices that match any of these device I...",
      "description": "(BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.' is set to 'True' (checked)",
      "rational": "A BitLocker-protected computer may be vulnerable to Direct Memory Access (DMA) \nattacks when the computer is turned on or is in the Standby power state - this includes \nwhen the workstation is locked. \n\nBitLocker with TPM-only authentication lets a computer enter the power-on state without \nany pre-boot authentication. Therefore, an attacker may be able to perform DMA \nattacks. \n\nThis issue is...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled, and check the Also apply to matching devices that are already \ninstalled. checkbox: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nInstallation\\Device Installation Restrictions\\Prevent installation of devices \nthat match any of these device IDs \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceInstallation.admx/adml that is included with all version...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\Restrictions|DenyDeviceIDsRetroactive",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "9d3d2de9616c74b36f08d9d9b35e90f8",
      "name": "18.9.7.1.4 \u2014 (BL) Ensure 'Prevent installation of devices using drivers that match these d...",
      "description": "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'",
      "rational": "A BitLocker-protected computer may be vulnerable to Direct Memory Access (DMA) \nattacks when the computer is turned on or is in the Standby power state - this includes \nwhen the workstation is locked. \n\nBitLocker with TPM-only authentication lets a computer enter the power-on state without \nany pre-boot authentication. Therefore, an attacker may be able to perform DMA \nattacks. \n\nThis issue is...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nInstallation\\Device Installation Restrictions\\Prevent installation of devices \nusing drivers that match these device setup classes \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceInstallation.admx/adml that is included with all versions of the Microsoft \nWindows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\Restrictions|DenyDeviceClasses",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "39f36000397060537040ab5048cbd0e2",
      "name": "18.9.7.1.6 \u2014 (BL) Ensure 'Prevent installation of devices using drivers that match these d...",
      "description": "(BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.' is set to 'True' (checked)",
      "rational": "A BitLocker-protected computer may be vulnerable to Direct Memory Access (DMA) \nattacks when the computer is turned on or is in the Standby power state - this includes \nwhen the workstation is locked. \n\nBitLocker with TPM-only authentication lets a computer enter the power-on state without \nany pre-boot authentication. Therefore, an attacker may be able to perform DMA \nattacks. \n\nThis issue is...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled, and check the Also apply to matching devices that are already \ninstalled. checkbox: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nInstallation\\Device Installation Restrictions\\Prevent installation of devices \nusing drivers that match these device setup classes \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceInstallation.admx/adml that is included...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\Restrictions|DenyDeviceClassesRetroactive",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "6842c16a0b58043ce4b2281d2d9d3b18",
      "name": "18.9.7.2 \u2014 (L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to '...",
      "description": "(L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled'",
      "rational": "Installation of software should be conducted by an authorized system administrator and \nnot a standard user. Allowing automatic third-party software installations under the \ncontext of the SYSTEM account has potential for allowing unauthorized access via \nbackdoors or installation software bugs.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nInstallation\\Prevent device metadata retrieval from the Internet \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceInstallation.admx/adml that is included with the Microsoft Windows 7 & \nServer 2008 R2 Administrative Templates, or with the Group Policy template \nDeviceSetup.admx/adml that is included wi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata|PreventDeviceMetadataFromNetwork",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "a49726cf459cbd7efde47df6e2adec41",
      "name": "18.9.13.1 \u2014 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Goo...",
      "description": "(L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'",
      "rational": "This policy setting helps reduce the impact of malware that has already infected your \nsystem.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Good, unknown and bad but critical: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Early Launch \nAntimalware\\Boot-Start Driver Initialization Policy \n\nNote: This Group Policy path is provided by the Group Policy template \nEarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server \n2012 (non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Policies\\EarlyLaunch|DriverLoadPolicy",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "9e182ebfb7cb10087cc763ae3254786c",
      "name": "18.9.19.6 \u2014 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled'",
      "description": "(L1) Ensure 'Continue experiences on this device' is set to 'Disabled'",
      "rational": "A cross-device experience is when a system can access apps on, and send messages to, \nother devices. In an enterprise managed environment only trusted systems should be \ncommunicating within the network. Access to any other system should be prohibited.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Group \nPolicy\\Continue experiences on this device \n\nNote: This Group Policy path is provided by the Group Policy template \nGroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 \n& Server 2016 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|EnableCdp",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "ccc02ff3f24d378a545a1fdb3e4d6445",
      "name": "18.9.19.7 \u2014 (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'",
      "description": "(L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'",
      "rational": "This setting ensures that group policy changes take effect more quickly, as compared to \nwaiting until the next user logon or system restart.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Group \nPolicy\\Turn off background refresh of Group Policy \n\nNote: This Group Policy path is provided by the Group Policy template \nGroupPolicy.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|DisableBkGndGr",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "9a38bbd2d2afd6f38f58311a1983662c",
      "name": "18.9.20.1.2 \u2014 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enab...",
      "description": "(L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'",
      "rational": "Users might download drivers that include malicious code.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Internet \nCommunication Management\\Internet Communication settings\\Turn off downloading \nof print drivers over HTTP \n\nNote: This Group Policy path is provided by the Group Policy template ICM.admx/adml \nthat is included with all versions of the Microsoft Windows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers|DisableWebPnPDownload",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "433315a6813fce7f8e83f2360fde503b",
      "name": "18.9.20.1.6 \u2014 (L1) Ensure 'Turn off Internet download for Web publishing and online orderin...",
      "description": "(L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'",
      "rational": "Although the risk is minimal, enabling this setting will reduce the possibility of a user \nunknowingly downloading malicious content through this feature.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Internet \nCommunication Management\\Internet Communication settings\\Turn off Internet \ndownload for Web publishing and online ordering wizards \n\nNote: This Group Policy path is provided by the Group Policy template ICM.admx/adml \nthat is included with all versions of the Microsoft Windows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer|NoWebService",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "76c816a46aa316d798e160e2b43c84a1",
      "name": "18.9.24.1 \u2014 (BL) Ensure 'Enumeration policy for external devices incompatible with Kernel...",
      "description": "(BL) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'",
      "rational": "Device memory sandboxing allows the OS to leverage the I/O Memory Management \nUnit (IOMMU) of a device to block unpermitted I/O, or memory access, by the \nperipheral.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Block All: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Kernel DMA \nProtection\\Enumeration policy for external devices incompatible with Kernel \nDMA Protection \n\nNote: This Group Policy path is provided by the Group Policy template \nDmaGuard.admx/adml that is included with the Microsoft Windows 10 Release 1809 & \nServer 2019 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Kernel DMA Protection|DeviceEnumerationPolicy",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "203c4900645bcc1d82305b12f541f674",
      "name": "18.9.25.1 \u2014 (L1) Ensure 'Configure password backup directory' is set to 'Enabled: Active ...",
      "description": "(L1) Ensure 'Configure password backup directory' is set to 'Enabled: Active Directory' or 'Enabled: Azure Active Directory'",
      "rational": "Due to the difficulty in managing local Administrator passwords, many organizations \nchoose to use the same password on all workstations and/or Member Servers when \ndeploying them. This creates a serious attack surface security risk because if an \nattacker manages to compromise one system and learn the password to its local \nAdministrator account, then they can leverage that account to instantl...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Active Directory or Enabled: Azure Active Directory: \n\nComputer Configuration\\Policies\\Administrative \nTemplates\\System\\LAPS\\Configure password backup directory \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LAPS.admx/adml that is included with the Microsoft Windows 11 Release \n22H2 Administrative Templates v3.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\LAPS|BackupDirectory",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "1f4cf725fb9a10c1d6cdea87d08bbbe4",
      "name": "18.9.25.2 \u2014 (L1) Ensure 'Do not allow password expiration time longer than required by po...",
      "description": "(L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'",
      "rational": "Due to the difficulty in managing local Administrator passwords, many organizations \nchoose to use the same password on all workstations and/or Member Servers when \ndeploying them. This creates a serious attack surface security risk because if an \nattacker manages to compromise one system and learn the password to its local \nAdministrator account, then they can leverage that account to instantl...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\LAPS\\Do not \nallow password expiration time longer than required by policy \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LAPS.admx/adml that is included with the Microsoft Windows 11 Release \n23H2 Administrative Templates v2.0 (or newer). \n\nNote #2: This setting also existed in the Mi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\LAPS|PasswordExpirati",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "9e98c6a8781043d3a5d4d40351e00c76",
      "name": "18.9.25.3 \u2014 (L1) Ensure 'Enable password encryption' is set to 'Enabled'",
      "description": "(L1) Ensure 'Enable password encryption' is set to 'Enabled'",
      "rational": "Due to the difficulty in managing local Administrator passwords, many organizations \nchoose to use the same password on all workstations and/or Member Servers when \ndeploying them. This creates a serious attack surface security risk because if an \nattacker manages to compromise one system and learn the password to its local \nAdministrator account, then they can leverage that account to instantl...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\LAPS\\Enable \npassword encryption \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LAPS.admx/adml that is included with the Microsoft Windows 11 Release \n22H2 Administrative Templates v3.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\LAPS|ADPasswordEncryp",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "8fa18a036052fbdc31a1781114989ffe",
      "name": "18.9.25.4 \u2014 (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Larg...",
      "description": "(L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters'",
      "rational": "Due to the difficulty in managing local Administrator passwords, many organizations \nchoose to use the same password on all workstations and/or Member Servers when \ndeploying them. This creates a serious attack surface security risk because if an \nattacker manages to compromise one system and learn the password to its local \nAdministrator account, then they can leverage that account to instantl...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled, and configure the Password Complexity option to Large letters + small \nletters + numbers + special characters: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\LAPS\\Password \nSettings \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LAPS.admx/adml that is included with the Microsoft Windows 11 Release \n22H2 Administrative Templates v3....",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\LAPS|PasswordComplexi",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "1296de89bea7652831b036eafabcbd52",
      "name": "18.9.25.5 \u2014 (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'",
      "description": "(L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'",
      "rational": "Due to the difficulty in managing local Administrator passwords, many organizations \nchoose to use the same password on all workstations and/or Member Servers when \ndeploying them. This creates a serious attack surface security risk because if an \nattacker manages to compromise one system and learn the password to its local \nAdministrator account, then they can leverage that account to instantl...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled, and configure the Password Length option to 15 or more: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\LAPS\\Password \nSettings \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LAPS.admx/adml that is included with the Microsoft Windows 11 Release \n22H2 Administrative Templates v3.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\LAPS|PasswordLength",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "46dde8532c59c2deca7b78c3273509d3",
      "name": "18.9.25.6 \u2014 (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 o...",
      "description": "(L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'",
      "rational": "Due to the difficulty in managing local Administrator passwords, many organizations \nchoose to use the same password on all workstations and/or Member Servers when \ndeploying them. This creates a serious attack surface security risk because if an \nattacker manages to compromise one system and learn the password to its local \nAdministrator account, then they can leverage that account to instantl...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled, and configure the Password Age (Days) option to 30 or fewer: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\LAPS\\Password \nSettings \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LAPS.admx/adml that is included with the Microsoft Windows 11 Release \n22H2 Administrative Templates v3.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\LAPS|PasswordAgeDays",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "3acfd322d9d7d6a13a19568da33cb411",
      "name": "18.9.25.7 \u2014 (L1) Ensure 'Post-authentication actions: Grace period (hours)' is set to 'En...",
      "description": "(L1) Ensure 'Post-authentication actions: Grace period (hours)' is set to 'Enabled: 8 or fewer hours, but not 0'",
      "rational": "Due to the difficulty in managing local Administrator passwords, many organizations \nchoose to use the same password on all workstations and/or Member Servers when \ndeploying them. This creates a serious attack surface security risk because if an \nattacker manages to compromise one system and learn the password to its local \nAdministrator account, then they can leverage that account to instantl...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 8 or fewer hours, but not 0: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\LAPS\\Post-\nauthentication actions: Grace period (hours) \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LAPS.admx/adml that is included with the Microsoft Windows 11 Release \n22H2 Administrative Templates v3.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\LAPS|PostAuthenticati",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "8"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "4eab9492155cb0e405b0fc5e3e115b95",
      "name": "18.9.25.8 \u2014 (L1) Ensure 'Post-authentication actions: Actions' is set to 'Enabled: Reset ...",
      "description": "(L1) Ensure 'Post-authentication actions: Actions' is set to 'Enabled: Reset the password and logoff the managed account' or higher",
      "rational": "Due to the difficulty in managing local Administrator passwords, many organizations \nchoose to use the same password on all workstations and/or Member Servers when \ndeploying them. This creates a serious attack surface security risk because if an \nattacker manages to compromise one system and learn the password to its local \nAdministrator account, then they can leverage that account to instantl...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Reset the password and logoff the managed account or higher: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\LAPS\\Post-\nauthentication actions: Actions \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LAPS.admx/adml that is included with the Microsoft Windows 11 Release \n22H2 Administrative Templates v3.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\LAPS|PostAuthenticati",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "7f2f172eaf937bf381101fb037ed8419",
      "name": "18.9.26.1 \u2014 (L1) Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Di...",
      "description": "(L1) Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'",
      "rational": "Vulnerabilities exist where attackers are able to intercept logon credentials via SSP/AP. \nDisabling Custom SSPs and APs to be loaded into LSASS minimizes this vulnerability.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Local \nSecurity Authority\\Allow Custom SSPs and APs to be loaded into LSASS \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LocalSecurityAuthority.admx/adml that is included with the Microsoft \nWindows 11 Release 22H2 Administrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|AllowCustomSSPsAPs",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "2d72edeedd997a0d76b459ca2905cc29",
      "name": "18.9.26.2 \u2014 (NG) Ensure 'Configures LSASS to run as a protected process' is set to 'Enabl...",
      "description": "(NG) Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'",
      "rational": "Provides added security for the credentials that LSA stores and manages. Enabling this \nsetting with UEFI Lock prevents the setting from being changed remotely.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Enabled with UEFI Lock: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Local \nSecurity Authority\\Configures LSASS to run as a protected process \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LocalSecurityAuthority.admx/adml that is included with the Microsoft \nWindows 11 Release 22H2 Administrative Templates v1.0 (or newer). \n\nNote...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|RunAsPPL",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "d190d9c39750f41cc8f3532688c89915",
      "name": "18.9.28.1 \u2014 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'E...",
      "description": "(L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'",
      "rational": "An attacker with access to the console (for example, someone with physical access or \nsomeone who is able to connect to the workstation through Remote Desktop Services) \ncould view the name of the last user who logged on to the server. The attacker could \nthen try to guess the password, use a dictionary, or use a brute-force attack to try and \nlog on.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Block \nuser from showing account details on sign-in \n\nNote: This Group Policy path is provided by the Group Policy template \nLogon.admx/adml that is included with the Microsoft Windows 10 Release 1607 & \nServer 2016 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|BlockUserFromShowingAccountDe",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "ee576d1a90de0b375126ac389371cdeb",
      "name": "18.9.28.2 \u2014 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled'",
      "description": "(L1) Ensure 'Do not display network selection UI' is set to 'Enabled'",
      "rational": "An unauthorized user could disconnect the PC from the network or can connect the PC \nto other available networks without signing into Windows.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not \ndisplay network selection UI \n\nNote: This Group Policy path is provided by the Group Policy template \nLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|DontDisplayNetworkSelectionUI",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "8ca90941f0bfcc3b7245531354268e03",
      "name": "18.9.28.3 \u2014 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is ...",
      "description": "(L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'",
      "rational": "A malicious user could use this feature to gather account names of other users, that \ninformation could then be used in conjunction with other types of attacks such as \nguessing passwords or social engineering. The value of this countermeasure is small \nbecause a user with domain credentials could gather the same account information \nusing other methods.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not \nenumerate connected users on domain-joined computers \n\nNote: This Group Policy path is provided by the Group Policy template \nLogon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-\nR2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|DontEnumerateConnectedUsers",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "6e06cc76bba49c18f574b11f677de656",
      "name": "18.9.28.4 \u2014 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Dis...",
      "description": "(L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'",
      "rational": "A malicious user could use this feature to gather account names of other users, that \ninformation could then be used in conjunction with other types of attacks such as \nguessing passwords or social engineering. The value of this countermeasure is small \nbecause a user with domain credentials could gather the same account information \nusing other methods.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative \nTemplates\\System\\Logon\\Enumerate local users on domain-joined computers \n\nNote: This Group Policy path is provided by the Group Policy template \nLogon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-\nR2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|EnumerateLocalUsers",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "db97959d338ce168013c00bca7d1a1f8",
      "name": "18.9.28.5 \u2014 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'",
      "description": "(L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'",
      "rational": "App notifications might display sensitive business or personal data.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn \noff app notifications on the lock screen \n\nNote: This Group Policy path is provided by the Group Policy template \nLogon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-\nR2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|DisableLockScreenAppNotifications",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "6335c5af881e2ebc35e5dd17d01fdbc9",
      "name": "18.9.28.6 \u2014 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'",
      "description": "(L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled'",
      "rational": "Picture passwords bypass the requirement for a typed complex password. In a shared \nwork environment, a simple shoulder surf where someone observed the on-screen \ngestures would allow that person to gain access to the system without the need to know \nthe complex password. Vertical monitor screens with an image are much more visible at \na distance than horizontal key strokes, increasing the like...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn \noff picture password sign-in \n\nNote: This Group Policy path is provided by the Group Policy template \nCredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & \nServer 2012 (non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|BlockDomainPicturePassword",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "d627bd6574d21b9f319df4bde97924b3",
      "name": "18.9.28.7 \u2014 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'",
      "description": "(L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'",
      "rational": "A PIN is created from a much smaller selection of characters than a password, so in \nmost cases a PIN will be much less robust than a password.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on \nconvenience PIN sign-in \n\nNote: This Group Policy path is provided by the Group Policy template \nCredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & \nServer 2012 (non-R2) Administrative Templates (or newer). \n\nNote #2: In older Microsoft Windows Administrative Templates, this setting was initiall...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|AllowDomainPINLogon",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "0c01a1872fed4b6c5d0c1b4bd85d6398",
      "name": "18.9.33.6.1 \u2014 (L1) Ensure 'Allow network connectivity during connected-standby (on battery)...",
      "description": "(L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'",
      "rational": "Disabling this setting ensures that the computer will not be accessible to attackers over \na WLAN network while left unattended, on battery and in a sleep state.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Power \nManagement\\Sleep Settings\\Allow network connectivity during connected-standby \n(on battery) \n\nNote: This Group Policy path is provided by the Group Policy template \nPower.admx/adml that is included with the Microsoft Windows 10 Release 1607 & \nServer 2016 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\f15576e8-98b7-4186-b944-eafa664402d9|DCSettingIndex",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "1024cd0d197dbf84507178ce43340dac",
      "name": "18.9.33.6.2 \u2014 (L1) Ensure 'Allow network connectivity during connected-standby (plugged in)...",
      "description": "(L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'",
      "rational": "Disabling this setting ensures that the computer will not be accessible to attackers over \na WLAN network while left unattended, plugged in and in a sleep state.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Power \nManagement\\Sleep Settings\\Allow network connectivity during connected-standby \n(plugged in) \n\nNote: This Group Policy path is provided by the Group Policy template \nPower.admx/adml that is included with the Microsoft Windows 10 Release 1607 & \nServer 2016 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\f15576e8-98b7-4186-b944-eafa664402d9|ACSettingIndex",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "574fae29925a4806b2c5576df733423e",
      "name": "18.9.33.6.3 \u2014 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set ...",
      "description": "(BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'",
      "rational": "System sleep states (S1-S3) keep power to the RAM which may contain secrets, such \nas the BitLocker volume encryption key. An attacker finding a computer in sleep states \n(S1-S3) could directly attack the memory of the computer and gain access to the \nsecrets through techniques such as RAM remanence (cold-boot) and direct memory access (DMA).",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Power \nManagement\\Sleep Settings\\Allow standby states (S1-S3) when sleeping (on \nbattery) \n\nNote: This Group Policy path is provided by the Group Policy template \nPower.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-\nR2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\abfc2519-3608-4c2a-94ea-171b0ed546ab|DCSettingIndex",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "a6c7624d96a729d77b73702ea416dfe1",
      "name": "18.9.33.6.4 \u2014 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set ...",
      "description": "(BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'",
      "rational": "System sleep states (S1-S3) keep power to the RAM which may contain secrets, such \nas the BitLocker volume encryption key. An attacker finding a computer in sleep states \n(S1-S3) could directly attack the memory of the computer and gain access to the \nsecrets through techniques such as RAM remanence (cold-boot) and direct memory access (DMA).",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Power \nManagement\\Sleep Settings\\Allow standby states (S1-S3) when sleeping (plugged \nin) \n\nNote: This Group Policy path is provided by the Group Policy template \nPower.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-\nR2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\abfc2519-3608-4c2a-94ea-171b0ed546ab|ACSettingIndex",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "9c1b7cafb676cad13477618605482f4e",
      "name": "18.9.33.6.5 \u2014 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to...",
      "description": "(L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'",
      "rational": "Enabling this setting ensures that anyone who wakes an unattended computer from \nsleep state will have to provide logon credentials before they can access the system.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Power \nManagement\\Sleep Settings\\Require a password when a computer wakes (on \nbattery) \n\nNote: This Group Policy path is provided by the Group Policy template \nPower.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-\nR2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51|DCSettingIndex",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "a63b6246e216c7251a193cc63e6df0cf",
      "name": "18.9.33.6.6 \u2014 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to...",
      "description": "(L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'",
      "rational": "Enabling this setting ensures that anyone who wakes an unattended computer from \nsleep state will have to provide logon credentials before they can access the system.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Power \nManagement\\Sleep Settings\\Require a password when a computer wakes (plugged \nin) \n\nNote: This Group Policy path is provided by the Group Policy template \nPower.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-\nR2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51|ACSettingIndex",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "0fc344a9c771595309921d22c93ff0c2",
      "name": "18.9.35.1 \u2014 (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'",
      "description": "(L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'",
      "rational": "A user might be tricked and accept an unsolicited Remote Assistance offer from a \nmalicious user.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Remote \nAssistance\\Configure Offer Remote Assistance \n\nNote: This Group Policy path is provided by the Group Policy template \nRemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & \nServer 2012 (non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|fAllowUnsolicited",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "e41adadd0bc0893a82f304ea70814101",
      "name": "18.9.35.2 \u2014 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'",
      "description": "(L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'",
      "rational": "There is slight risk that a rogue administrator will gain access to another user's desktop \nsession, however, they cannot connect to a user's computer unannounced or control it \nwithout permission from the user. When an expert tries to connect, the user can still \nchoose to deny the connection or give the expert view-only privileges. The user must \nexplicitly click the Yes button to allow the e...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Remote \nAssistance\\Configure Solicited Remote Assistance \n\nNote: This Group Policy path is provided by the Group Policy template \nRemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & \nServer 2012 (non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|fAllowToGetHelp",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "6d9489de2a16194227fe3d20569011c2",
      "name": "18.9.36.1 \u2014 (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Ena...",
      "description": "(L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'",
      "rational": "Anonymous access to RPC services could result in accidental disclosure of information \nto unauthenticated users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Remote \nProcedure Call\\Enable RPC Endpoint Mapper Client Authentication \n\nNote: This Group Policy path is provided by the Group Policy template RPC.admx/adml \nthat is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative \nTemplates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Rpc|EnableAuthEpResolution",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "d0161f62835fa73dc6f090a7eb9eb7d5",
      "name": "18.9.36.2 \u2014 (L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authen...",
      "description": "(L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'",
      "rational": "Unauthenticated RPC communication can create a security vulnerability.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Authenticated: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Remote \nProcedure Call\\Restrict Unauthenticated RPC clients \n\nNote: This Group Policy path is provided by the Group Policy template RPC.admx/adml \nthat is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative \nTemplates (or newer). \n\nNote #2: This control expects the 'Authenticated' option, which writes RestrictRemoteClients = 1. The stricter \n'Authenticated without exceptions' option writes a different value (2), allows no anonymous RPC exceptions at all, \nand should only be selected after testing; it will not satisfy this check as written.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Rpc|RestrictRemoteClients",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "95dc6b2f32bd1a40f5517194c6143934",
      "name": "18.9.51.1.1 \u2014 (L1) Ensure 'Enable Windows NTP Client' is set to 'Enabled'",
      "description": "(L1) Ensure 'Enable Windows NTP Client' is set to 'Enabled'",
      "rational": "A reliable and accurate account of time is important for a number of services and \nsecurity requirements, including but not limited to distributed applications, authentication \nservices, multi-user databases and logging services. The use of an NTP client (with \nsecure operation) establishes functional accuracy and is a focal point when reviewing \nsecurity relevant events.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Windows Time \nService\\Time Providers\\Enable Windows NTP Client \n\nNote: This Group Policy path is provided by the Group Policy template \nW32Time.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\W32Time\\TimeProviders\\NtpClient|Enabled",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "75697f3f221cbef48a0838fe87bfadce",
      "name": "18.9.51.1.2 \u2014 (L1) Ensure 'Enable Windows NTP Server' is set to 'Disabled'",
      "description": "(L1) Ensure 'Enable Windows NTP Server' is set to 'Disabled'",
      "rational": "The configuration of proper time synchronization is critically important in an enterprise \nmanaged environment both due to the sensitivity of Kerberos authentication timestamps \nand also to ensure accurate security logging. This should be done through a known \nNTP server. Member servers and workstations should not typically be time sources for \nother clients.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Windows Time \nService\\Time Providers\\Enable Windows NTP Server \n\nNote: This Group Policy path is provided by the Group Policy template \nW32Time.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\W32Time\\TimeProviders\\NtpServer|Enabled",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "a492831720d3b4a41d5fe4b587f9fabb",
      "name": "18.10.4.2 \u2014 (L1) Ensure 'Not allow per-user unsigned packages to install by default (requ...",
      "description": "(L1) Ensure 'Not allow per-user unsigned packages to install by default (requires explicitly allow per install)' is set to 'Enabled'",
      "rational": "In a corporate managed environment, application installations should be managed \ncentrally by IT staff, not by end users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\App Package Deployment\\Not allow per-user unsigned packages to \ninstall by default (requires explicitly allow per install) \n\nNote: This Group Policy path is provided by the Group Policy template \nAppxPackageManager.admx/adml that is included with the Microsoft Windows 11 \nRelease 24H2 Administrative Templates (or newer). \n\nNote #2: On Windows 10 hosts this setting will not be visible in the Group Policy editor unless the Windows 11 \n24H2 (or newer) ADMX/ADML templates have been added to the policy definitions store; the audit condition for this \ncontrol evaluates the registry value directly.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx|DisablePerUserUnsignedPackagesByDefault",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "aeb18f7f533a42b8ea8ec1a6beb4eb7e",
      "name": "18.10.4.3 \u2014 (L1) Ensure 'Prevent non-admin users from installing packaged Windows apps' i...",
      "description": "(L1) Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'",
      "rational": "In a corporate managed environment, application installations should be managed \ncentrally by IT staff, not by end users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\App Package Deployment\\Prevent non-admin users from installing \npackaged Windows apps \n\nNote: This Group Policy path is provided by the Group Policy template \nAppxPackageManager.admx/adml that is included with the Microsoft Windows 10 \nRelease 2004 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx|BlockNonAdminUserInstall",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "228ae8204c7ae6bc87dd3a19b57c5626",
      "name": "18.10.5.1 \u2014 (L1) Ensure 'Let Windows apps activate with voice while the system is locked'...",
      "description": "(L1) Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny'",
      "rational": "Access to any computer resource should not be allowed when the device is locked.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Force Deny: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\App Privacy\\Let Windows apps activate with voice while the system \nis locked \n\nNote: This Group Policy path is provided by the Group Policy template \nAppPrivacy.admx/adml that is included with the Microsoft Windows 10 Release 1903 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy|LetAppsActivateWithVoiceAboveLock",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "118351db564ce780d1cc69f6d6cbfc0e",
      "name": "18.10.6.1 \u2014 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'",
      "description": "(L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'",
      "rational": "Enabling this setting allows an organization to use their enterprise user accounts \ninstead of using their Microsoft accounts when accessing Windows store apps. This \nprovides the organization with greater control over relevant credentials. Microsoft \naccounts cannot be centrally managed and as such enterprise credential security \npolicies cannot be applied to them, which could put any informat...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\App runtime\\Allow Microsoft accounts to be optional \n\nNote: This Group Policy path is provided by the Group Policy template \nAppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|MSAOptional",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "e33c9c74419a4d6fd063f0f64016478b",
      "name": "18.10.8.1 \u2014 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'",
      "description": "(L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'",
      "rational": "An attacker could use this feature to launch a program to damage a client computer or \ndata on the computer.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\AutoPlay Policies\\Disallow Autoplay for non-volume devices \n\nNote: This Group Policy path is provided by the Group Policy template \nAutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 \n(non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer|NoAutoplayfornonVolume",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "5ed75e75d122f9925fae762e13230082",
      "name": "18.10.8.2 \u2014 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not...",
      "description": "(L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'",
      "rational": "Prior to Windows Vista, when media containing an autorun command is inserted, the \nsystem will automatically execute the program without user intervention. This creates a \nmajor security concern as code may be executed without the user's knowledge. The default \nbehavior starting with Windows Vista is to prompt the user whether the autorun command is \nto be run. The autorun command is represented as a h...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Do not execute any autorun commands: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\AutoPlay Policies\\Set the default behavior for AutoRun \n\nNote: This Group Policy path is provided by the Group Policy template \nAutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 \n(non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer|NoAutorun",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "3c358557b4035431a74d489d2c5ce1ed",
      "name": "18.10.8.3 \u2014 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'",
      "description": "(L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'",
      "rational": "An attacker could use this feature to launch a program to damage a client computer or \ndata on the computer.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: All drives: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\AutoPlay Policies\\Turn off Autoplay \n\nNote: This Group Policy path is provided by the Group Policy template \nAutoPlay.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer|NoDriveTypeA",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "e90d11ef7da6ee74496a03a959ca6767",
      "name": "18.10.9.1.1 \u2014 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'",
      "description": "(L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'",
      "rational": "Enterprise managed environments are now supporting a wider range of mobile devices; \nincreasing the security on these devices will help protect against unauthorized access \non your network.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Biometrics\\Facial Features\\Configure enhanced anti-spoofing \n\nNote: This Group Policy path is provided by the Group Policy template \nBiometrics.admx/adml that is included with the Microsoft Windows 10 Release 1511 \nAdministrative Templates (or newer). \n\nNote #2: In the Windows 10 Release 1511 and Windows 10 Release 1607 & Serv...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Biometrics\\FacialFeatures|EnhancedAntiSpoofi",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "e17bded5c42d28e1b11a119c80641c7e",
      "name": "18.10.10.1.1 \u2014 (BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earli...",
      "description": "(BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'",
      "rational": "By default BitLocker virtualizes FAT formatted drives to permit access via the BitLocker \nTo Go Reader on previous versions of Windows. Additionally the BitLocker To Go \nReader application is applied to the unencrypted portion of the drive. \n\nThe BitLocker To Go Reader application, like any other application, is subject to \nspoofing and could be a mechanism to propagate malware.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Allow access to \nBitLocker-protected fixed data drives from earlier versions of Windows \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or n...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVDiscoveryVolumeType",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "b8994d4622016933ab8e2749a1bfe393",
      "name": "18.10.10.1.2 \u2014 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Choose how BitLocker-\nprotected fixed drives can be recovered \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVRecovery",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "a196d2368e4b0f17078a1c70af5b6c22",
      "name": "18.10.10.1.3 \u2014 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Al...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker, a Data Recovery Agent will need to be configured for fixed drives. To \nrecover a drive will re...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: True (checked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Choose how BitLocker-\nprotected fixed drives can be recovered: Allow data recovery agent \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVManageDRA",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "cbc33f57ba27980687986a2e3a495752",
      "name": "18.10.10.1.4 \u2014 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Re...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' or higher",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker, a Data Recovery Agent will need to be configured for fixed drives. To \nrecover a drive will re...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Allow 48-digit recovery password or Enabled: Require 48-digit \nrecovery password: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Choose how BitLocker-\nprotected fixed drives can be recovered: Recovery Password \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included wit...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVRecoveryPassword",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "25a1f192c62969d8830573aabb5c35e3",
      "name": "18.10.10.1.5 \u2014 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Re...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' or higher",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker, a Data Recovery Agent will need to be configured for fixed drives. To \nrecover a drive will re...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Allow 256-bit recovery key or Enabled: Require 256-bit recovery \nkey: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Choose how BitLocker-\nprotected fixed drives can be recovered: Recovery Key \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft W...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVRecoveryKey",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "63465192d7d651657648ae49152c67df",
      "name": "18.10.10.1.6 \u2014 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Om...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker, a Data Recovery Agent will need to be configured for fixed drives. To \nrecover a drive will re...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: True (checked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Choose how BitLocker-\nprotected fixed drives can be recovered: Omit recovery options from the \nBitLocker setup wizard \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & S...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVHideRecoveryPage",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "23312e6e225641d331748df2af85919f",
      "name": "18.10.10.1.7 \u2014 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Sa...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker, a Data Recovery Agent will need to be configured for fixed drives. To \nrecover a drive will re...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: False (unchecked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Choose how BitLocker-\nprotected fixed drives can be recovered: Save BitLocker recovery information \nto AD DS for fixed data drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microso...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVActiveDirectoryBackup",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "22211129b3500c1c802eee303b6525df",
      "name": "18.10.10.1.8 \u2014 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Co...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker, a Data Recovery Agent will need to be configured for fixed drives. To \nrecover a drive will re...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Backup recovery passwords and key packages: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Choose how BitLocker-\nprotected fixed drives can be recovered: Configure storage of BitLocker \nrecovery information to AD DS: \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is inclu...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVActiveDirectoryInfoToStore",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "9bd964a17f57993b4c695e3ecb67c767",
      "name": "18.10.10.1.9 \u2014 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker, a Data Recovery Agent will need to be configured for fixed drives. To \nrecover a drive will re...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: False (unchecked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Choose how BitLocker-\nprotected fixed drives can be recovered: Do not enable BitLocker until \nrecovery information is stored to AD DS for fixed data drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVRequireActiveDirectoryBackup",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "77884a88966452d098b268aac9c75902",
      "name": "18.10.10.1.10 \u2014 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives...",
      "description": "(BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'",
      "rational": "From a security perspective hardware-based encryption may introduce vulnerabilities in \nthe hardware encryption of certain self-encrypting drives (SEDs), if the vendor and/or \nuser has not updated the firmware to remediate the vulnerability. For more information \nvisit ADV180028 - Security Update Guide - Microsoft - Guidance for configuring \nBitLocker to enforce software encryption.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Configure use of \nhardware-based encryption for fixed data drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 8.0 & \nServer 2012 (non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVHardwareEncryption",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "87dc7fc68b58580187807a96feea2155",
      "name": "18.10.10.1.11 \u2014 (BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Dis...",
      "description": "(BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'",
      "rational": "Using a dictionary-style attack, passwords can be guessed or discovered by repeatedly \nattempting to unlock a drive. Since this type of BitLocker password does not include the anti-\ndictionary attack protections provided by a TPM, for example, there is no mechanism to \nslow down rapid brute-force attacks against them.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Configure use of \npasswords for fixed data drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVPassphrase",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "2d8e03be3398d7f879f3ad93912f9521",
      "name": "18.10.10.1.12 \u2014 (BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'En...",
      "description": "(BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'",
      "rational": "A drive can be compromised by guessing or finding the authentication information used \nto access the drive. For example, a password could be guessed, or a drive set to \nautomatically unlock could be lost or stolen with the computer it automatically unlocks \nwith.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Configure use of \nsmart cards on fixed data drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVAllowUserCert",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "6ae9427eb250e6fb3204e0b92467b3b0",
      "name": "18.10.10.1.13 \u2014 (BL) Ensure 'Configure use of smart cards on fixed data drives: Require use o...",
      "description": "(BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'",
      "rational": "A drive can be compromised by guessing or finding the authentication information used \nto access the drive. For example, a password could be guessed, or a drive set to \nautomatically unlock could be lost or stolen with the computer it automatically unlocks \nwith.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: True (checked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Configure use of \nsmart cards on fixed data drives: Require use of smart cards on fixed data \ndrives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Ad...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVEnforceUserCert",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "5ffceb7c52a6be9d67f93274d8bf48ba",
      "name": "18.10.10.2.1 \u2014 (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'",
      "description": "(BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'",
      "rational": "A numeric-only PIN provides less entropy than a PIN that is alpha-numeric. When not \nusing enhanced PIN for startup, BitLocker requires the use of the function keys [F1-F10] \nfor PIN entry since the PIN is entered in the pre-OS environment before localization \nsupport is available. This limits each PIN digit to one of ten possibilities. The TPM has \nan anti-hammering feature that includes a mec...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Allow enhanced \nPINs for startup \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|UseEnhancedPin",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "be0a26c0ca149c30a6ba8eb004a4cd90",
      "name": "18.10.10.2.2 \u2014 (BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'",
      "description": "(BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'",
      "rational": "Secure Boot ensures that only firmware digitally signed by authorized software \npublishers is loaded during computer startup, which reduces the risk of rootkits and \nother types of malware gaining control of the system. It also helps provide \nprotection against malicious users booting from an alternate operating system.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Allow Secure \nBoot for integrity validation \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 8.0 & \nServer 2012 (non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSAllowSecureBootForIntegrity",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "12e5a75a7aacb82e6a82007de1311958",
      "name": "18.10.10.2.3 \u2014 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be re...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'",
      "rational": "Should a user lose their primary means for accessing an encrypted OS volume, or \nshould the system not pass its boot time integrity checks, the system will go into \nrecovery mode. If the recovery key has not been backed up to Active Directory, the user \nwould need to have saved the recovery key to another location such as a USB flash \ndrive, or have printed the recovery password, and now have a...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Choose how \nBitLocker-protected operating system drives can be recovered \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSRecovery",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "0d17f4508f053f6c92fd417c72d00c3c",
      "name": "18.10.10.2.4 \u2014 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be re...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'",
      "rational": "Should a user lose their primary means for accessing an encrypted OS volume, or \nshould the system not pass its boot time integrity checks, the system will go into \nrecovery mode. If the recovery key has not been backed up to Active Directory, the user \nwould need to have saved the recovery key to another location such as a USB flash \ndrive, or have printed the recovery password, and now have a...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: False (unchecked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Choose how \nBitLocker-protected operating system drives can be recovered: Allow data \nrecovery agent \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSManageDRA",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "3be6e9a021c6dac5c324a4ee0c16b899",
      "name": "18.10.10.2.5 \u2014 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be re...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'",
      "rational": "Should a user lose their primary means for accessing an encrypted OS volume, or \nshould the system not pass its boot time integrity checks, the system will go into \nrecovery mode. If the recovery key has not been backed up to Active Directory, the user \nwould need to have saved the recovery key to another location such as a USB flash \ndrive, or have printed the recovery password, and now have a...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Require 48-digit recovery password: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Choose how \nBitLocker-protected operating system drives can be recovered: Recovery \nPassword \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 &...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSRecoveryPassword",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "ce38a78d3b6e91a00d1447d815c49bac",
      "name": "18.10.10.2.6 \u2014 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be re...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'",
      "rational": "Should a user lose their primary means for accessing an encrypted OS volume, or \nshould the system not pass its boot time integrity checks, the system will go into \nrecovery mode. If the recovery key has not been backed up to Active Directory, the user \nwould need to have saved the recovery key to another location such as a USB flash \ndrive, or have printed the recovery password, and now have a...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Do not allow 256-bit recovery key: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Choose how \nBitLocker-protected operating system drives can be recovered: Recovery Key \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSRecoveryKey",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "73559f809ea7cadc81ea6732cb3dba65",
      "name": "18.10.10.2.7 \u2014 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be re...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'",
      "rational": "Should a user lose their primary means for accessing an encrypted OS volume, or \nshould the system not pass its boot time integrity checks, the system will go into \nrecovery mode. If the recovery key has not been backed up to Active Directory, the user \nwould need to have saved the recovery key to another location such as a USB flash \ndrive, or have printed the recovery password, and now have a...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: True (checked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Choose how \nBitLocker-protected operating system drives can be recovered: Omit recovery \noptions from the BitLocker setup wizard \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Micros...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSHideRecoveryPage",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "8fcdbae9329161c3c44b41c93b6eb2f5",
      "name": "18.10.10.2.8 \u2014 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be re...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'",
      "rational": "Should a user lose their primary means for accessing an encrypted OS volume, or \nshould the system not pass its boot time integrity checks, the system will go into \nrecovery mode. If the recovery key has not been backed up to Active Directory, the user \nwould need to have saved the recovery key to another location such as a USB flash \ndrive, or have printed the recovery password, and now have a...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: True (checked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Choose how \nBitLocker-protected operating system drives can be recovered: Save BitLocker \nrecovery information to AD DS for operating system drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is inclu...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSActiveDirectoryBackup",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "ecde640b0d32618d29db2c6e2cf07818",
      "name": "18.10.10.2.9 \u2014 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be re...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'",
      "rational": "Should a user lose their primary means for accessing an encrypted OS volume, or \nshould the system not pass its boot time integrity checks, the system will go into \nrecovery mode. If the recovery key has not been backed up to Active Directory, the user \nwould need to have saved the recovery key to another location such as a USB flash \ndrive, or have printed the recovery password, and now have a...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Store recovery passwords and key packages: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Choose how \nBitLocker-protected operating system drives can be recovered: Configure \nstorage of BitLocker recovery information to AD DS: \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/ad...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSActiveDirectoryInfoToStore",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "a19c86a07deaae2b95344d9ba6f251ee",
      "name": "18.10.10.2.10 \u2014 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be re...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'",
      "rational": "Should a user lose their primary means for accessing an encrypted OS volume, or \nshould the system not pass its boot time integrity checks, the system will go into \nrecovery mode. If the recovery key has not been backed up to Active Directory, the user \nwould need to have saved the recovery key to another location such as a USB flash \ndrive, or have printed the recovery password, and now have a...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: True (checked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Choose how \nBitLocker-protected operating system drives can be recovered: Do not enable \nBitLocker until recovery information is stored to AD DS for operating system \ndrives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncrypti...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSRequireActiveDirectoryBackup",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "7c3ddfceb695f3adecfea6012f3dd520",
      "name": "18.10.10.2.11 \u2014 (BL) Ensure 'Configure use of hardware-based encryption for operating system ...",
      "description": "(BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'",
      "rational": "From a security perspective hardware-based encryption may introduce vulnerabilities in \nthe hardware encryption of certain self-encrypting drives (SEDs), if the vendor and/or \nuser has not updated the firmware to remediate the vulnerability. For more information \nvisit ADV180028 - Security Update Guide - Microsoft - Guidance for configuring \nBitLocker to enforce software encryption.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Configure use \nof hardware-based encryption for operating system drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 8.0 & \nServer 2012 (non-R2) Administrative Templates (or new...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSHardwareEncryption",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "c551afa2e31f79798aa32a52d410ca8d",
      "name": "18.10.10.2.12 \u2014 (BL) Ensure 'Configure use of passwords for operating system drives' is set t...",
      "description": "(BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled'",
      "rational": "Using a dictionary-style attack, passwords can be guessed or discovered by repeatedly \nattempting to unlock a drive. Since this type of BitLocker password does not include \nanti-dictionary attack protections provided by a TPM, for example, there is no \nmechanism to slow down rapid brute-force attacks against them.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Configure use \nof passwords for operating system drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 8.0 & \nServer 2012 (non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSPassphrase",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "b78cb3afdd18ea58312e4b51005333af",
      "name": "18.10.10.2.13 \u2014 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled'",
      "description": "(BL) Ensure 'Require additional authentication at startup' is set to 'Enabled'",
      "rational": "A TPM without use of a PIN will only validate early boot components and does not require \na user to enter any additional authentication information. If a computer is lost or stolen \nin this configuration, BitLocker will not provide any additional measure of protection \nbeyond what is provided by native Windows authentication unless the early boot \ncomponents are tampered with or the encrypted dri...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Require \nadditional authentication at startup \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|UseAdvancedStartup",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "64b57e031859afc060a416d658d9b539",
      "name": "18.10.10.2.14 \u2014 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker wi...",
      "description": "(BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'Enabled: False'",
      "rational": "A TPM without use of a PIN will only validate early boot components and does not require \na user to enter any additional authentication information. If a computer is lost or stolen \nin this configuration, BitLocker will not provide any additional measure of protection \nbeyond what is provided by native Windows authentication unless the early boot \ncomponents are tampered with or the encrypted dri...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: False (unchecked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Require \nadditional authentication at startup: Allow BitLocker without a compatible \nTPM \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Admin...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|EnableBDEWithNoTPM",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "24f691322bdb649c7ee37c4bc19f79f2",
      "name": "18.10.10.3.1 \u2014 (BL) Ensure 'Allow access to BitLocker-protected removable data drives from e...",
      "description": "(BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'",
      "rational": "By default, BitLocker virtualizes FAT-formatted drives to permit access via the BitLocker \nTo Go Reader on previous versions of Windows. Additionally, the BitLocker To Go \nReader application is applied to the unencrypted portion of the drive. \n\nThe BitLocker To Go Reader application, like any other application, is subject to \nspoofing and could be a mechanism to propagate malware.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Allow access to \nBitLocker-protected removable data drives from earlier versions of Windows \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templat...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVDiscoveryVolumeType",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "<"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "46bca41d071d97c89ae122cb72c72b5d",
      "name": "18.10.10.3.2 \u2014 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Choose how \nBitLocker-protected removable drives can be recovered \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVRecovery",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "5616de51c48579ca4370dfd7add28d7e",
      "name": "18.10.10.3.3 \u2014 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker a Data Recovery Agent will need to be configured for removable \ndrives. To recover a drive will...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: True (checked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Choose how \nBitLocker-protected removable drives can be recovered: Allow data recovery \nagent \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Admin...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVManageDRA",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "78a5a1ee1d6c607fc8e71836afc22327",
      "name": "18.10.10.3.4 \u2014 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker a Data Recovery Agent will need to be configured for removable \ndrives. To recover a drive will...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Do not allow 48-digit recovery password: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Choose how \nBitLocker-protected removable drives can be recovered: Recovery Password \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Serve...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVRecoveryPassword",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "c15094df12bd525df351c7e72526d119",
      "name": "18.10.10.3.5 \u2014 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker a Data Recovery Agent will need to be configured for removable \ndrives. To recover a drive will...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Do not allow 256-bit recovery key: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Choose how \nBitLocker-protected removable drives can be recovered: Recovery Key \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVRecoveryKey",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "8341d4fa1c8cb0a0d5d197e29e106a61",
      "name": "18.10.10.3.6 \u2014 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker a Data Recovery Agent will need to be configured for removable \ndrives. To recover a drive will...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: True (checked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Choose how \nBitLocker-protected removable drives can be recovered: Omit recovery options \nfrom the BitLocker setup wizard \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windo...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVHideRecoveryPage",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "29f115a9c97fe2f683ecfbef3835a9f7",
      "name": "18.10.10.3.7 \u2014 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker a Data Recovery Agent will need to be configured for removable \ndrives. To recover a drive will...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: False (unchecked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Choose how \nBitLocker-protected removable drives can be recovered: Save BitLocker \nrecovery information to AD DS for removable data drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVActiveDirectoryBackup",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "8be9120533ee175336fb2969b7f9e761",
      "name": "18.10.10.3.8 \u2014 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker a Data Recovery Agent will need to be configured for removable \ndrives. To recover a drive will...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Backup recovery passwords and key packages: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Choose how \nBitLocker-protected removable drives can be recovered: Configure storage of \nBitLocker recovery information to AD DS: \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVActiveDirectoryInfoToStore",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "d7b152c66ec6c8928c42b4be195b4607",
      "name": "18.10.10.3.9 \u2014 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered...",
      "description": "(BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker a Data Recovery Agent will need to be configured for removable \ndrives. To recover a drive will...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: False (unchecked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Choose how \nBitLocker-protected removable drives can be recovered: Do not enable \nBitLocker until recovery information is stored to AD DS for removable data \ndrives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVRequireActiveDirectoryBackup",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "9711e956474ab23263e74037160e73e3",
      "name": "18.10.10.3.10 \u2014 (BL) Ensure 'Configure use of hardware-based encryption for removable data dr...",
      "description": "(BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled'",
      "rational": "From a security perspective hardware-based encryption may introduce vulnerabilities in \nthe hardware encryption of certain self-encrypting drives (SEDs), if the vendor and/or \nuser has not updated the firmware to remediate the vulnerability. For more information \nvisit ADV180028 - Security Update Guide - Microsoft - Guidance for configuring \nBitLocker to enforce software encryption.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Configure use of \nhardware-based encryption for removable data drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 8.0 & \nServer 2012 (non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVHardwareEncryption",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "1d8ab08407074fc8117f69be9c1e00ff",
      "name": "18.10.10.3.11 \u2014 (BL) Ensure 'Configure use of passwords for removable data drives' is set to ...",
      "description": "(BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'",
      "rational": "Using a dictionary-style attack, passwords can be guessed or discovered by repeatedly \nattempting to unlock a drive. Since this type of BitLocker password does not include \nanti-dictionary attack protections provided by a TPM, for example, there is no \nmechanism to slow down use of rapid brute-force attacks against them.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Configure use of \npasswords for removable data drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVPassphrase",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "d42bc460b02be5a8bad40477832bc8c0",
      "name": "18.10.10.3.12 \u2014 (BL) Ensure 'Configure use of smart cards on removable data drives' is set to...",
      "description": "(BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'",
      "rational": "A drive can be compromised by guessing or finding the authentication information used \nto access the drive. For example, a password could be guessed, or a drive set to \nautomatically unlock could be lost or stolen with the computer it automatically unlocks \nwith.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Configure use of \nsmart cards on removable data drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVAllowUserCert",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "6cf3017261e4b7320ea380b7e3d52435",
      "name": "18.10.10.3.13 \u2014 (BL) Ensure 'Configure use of smart cards on removable data drives: Require u...",
      "description": "(BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True'",
      "rational": "A drive can be compromised by guessing or finding the authentication information used \nto access the drive. For example, a password could be guessed, or a drive set to \nautomatically unlock could be lost or stolen with the computer it automatically unlocks \nwith.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: True (checked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Configure use of \nsmart cards on removable data drives: Require use of smart cards on removable \ndata drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVEnforceUserCert",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "c4cb04498a11473bb4ff74fcd7f932bf",
      "name": "18.10.10.3.14 \u2014 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker...",
      "description": "(BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'",
      "rational": "Users may not voluntarily encrypt removable drives prior to saving important data to the \ndrive.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Deny write access \nto removable drives not protected by BitLocker \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FVE|RDVDenyWriteAccess",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "b9bbecd508b768a06911f440b0e8295e",
      "name": "18.10.10.3.15 \u2014 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker...",
      "description": "(BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'",
      "rational": "Restricting write access to BitLocker-protected removable drives that were configured in \nanother organization can hinder legitimate business operations where encrypted data \nsharing is necessary.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: False (unchecked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Deny write access \nto removable drives not protected by BitLocker: Do not allow write access to \ndevices configured in another organization \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included wit...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVDenyCrossOrg",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "b4801e151f10527c67d3aacad920e32a",
      "name": "18.10.10.4 \u2014 (BL) Ensure 'Disable new DMA devices when this computer is locked' is set to ...",
      "description": "(BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled'",
      "rational": "A BitLocker-protected computer may be vulnerable to Direct Memory Access (DMA) \nattacks when the computer is turned on or is in the Standby power state - this includes \nwhen the workstation is locked. Enabling this setting will help prevent such an attack \nwhile the computer is left unattended.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Disable new DMA devices when this \ncomputer is locked \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 10 Release \n1703 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|DisableExternalDMAUnderLock",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "ca575bc1fef57e285d111d0d098f1c85",
      "name": "18.10.13.1 \u2014 (L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'",
      "description": "(L1) Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'",
      "rational": "The use of consumer accounts in an enterprise managed environment is not good \nsecurity practice as it could lead to possible data leakage.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Cloud Content\\Turn off cloud consumer account state content \n\nNote: This Group Policy path is provided by the Group Policy template \nCloudContent.admx/adml that is included with the Microsoft Windows 11 Release \n21H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent|DisableConsumerAccountStateContent",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "9bb9ef5a0c959b8f4a98f340ca1b8d29",
      "name": "18.10.13.3 \u2014 (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'",
      "description": "(L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'",
      "rational": "Having apps silently install in an enterprise managed environment is not good security \npractice - especially if the apps send data back to a third-party.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Cloud Content\\Turn off Microsoft consumer experiences \n\nNote: This Group Policy path is provided by the Group Policy template \nCloudContent.admx/adml that is included with the Microsoft Windows 10 Release \n1511 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent|DisableWindowsConsumerFeatures",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "cf340b9586a7b738acc3408c818548dc",
      "name": "18.10.14.1 \u2014 (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Ena...",
      "description": "(L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'",
      "rational": "If this setting is not configured or disabled then a PIN would not be required when \npairing wireless display devices to the system, increasing the risk of unauthorized use.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: First Time OR Enabled: Always: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Connect\\Require pin for pairing \n\nNote: This Group Policy path is provided by the Group Policy template \nWirelessDisplay.admx/adml that is included with the Microsoft Windows 10 Release \n1607 & Server 2016 Administrative Templates (or newer). The new Choose one of \nthe following actions sub-optio...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Connect|RequirePinForPairing",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "e8d6468a56fdb992a6a0b47cd494ff31",
      "name": "18.10.15.1 \u2014 (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'",
      "description": "(L1) Ensure 'Do not display the password reveal button' is set to 'Enabled'",
      "rational": "This is a useful feature when entering a long and complex password, especially when \nusing a touchscreen. The potential risk is that someone else may see your password \nwhile surreptitiously observing your screen.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Credential User Interface\\Do not display the password reveal \nbutton \n\nNote: This Group Policy path is provided by the Group Policy template \nCredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 \n(non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CredUI|DisablePasswordReveal",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "71b934317d1e4781d39bb7706336e9ae",
      "name": "18.10.15.2 \u2014 (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'",
      "description": "(L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'",
      "rational": "Users could see the list of administrator accounts, making it slightly easier for a \nmalicious user who has logged onto a console session to try to crack the passwords of \nthose accounts.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Credential User Interface\\Enumerate administrator accounts on \nelevation \n\nNote: This Group Policy path is provided by the Group Policy template \nCredUI.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI|EnumerateAdministrators",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "0268b3536f817460f96c4b850b303cf9",
      "name": "18.10.15.3 \u2014 (L1) Ensure 'Prevent the use of security questions for local accounts' is set...",
      "description": "(L1) Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'",
      "rational": "Users could establish security questions that are easily guessed or sleuthed by \nobserving the user\u2019s social media accounts, making it easier for a malicious actor to \nchange the local user account password and gain access to the computer as that user \naccount.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Credential User Interface\\Prevent the use of security questions \nfor local accounts \n\nNote: This Group Policy path is provided by the Group Policy template \nCredUI.admx/adml that is included with the Microsoft Windows 10 Release 1903 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|NoLocalPasswordResetQuestions",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "505568d59efb90c8d90b7a0891c61e6c",
      "name": "18.10.16.1 \u2014 (L1) Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (...",
      "description": "(L1) Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'",
      "rational": "Sending any data to a third-party vendor is a security concern and should only be done \non an as needed basis.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Diagnostic data off (not recommended) or Enabled: Send required \ndiagnostic data: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Data Collection and Preview Builds\\Allow Diagnostic Data \n\nNote: This Group Policy path is provided by the Group Policy template \nDataCollection.admx/adml that is included with the Microsoft Windows 10 RTM \n(Release 1507) Administrative Templates...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection|AllowTelemetry",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "28540b0c7fda10dc6d8d5121b9aa2d24",
      "name": "18.10.16.3 \u2014 (L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'",
      "description": "(L1) Ensure 'Disable OneSettings Downloads' is set to 'Enabled'",
      "rational": "Sending data to a third-party vendor is a security concern and should only be done on \nan as-needed basis.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Data Collection and Preview Builds\\Disable OneSettings Downloads \n\nNote: This Group Policy path is provided by the Group Policy template \nDataCollection.admx/adml that is included with the Microsoft Windows 11 Release \n21H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection|DisableOneSettingsDow",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "148af3d2e242b82da559bfca92ac3e86",
      "name": "18.10.16.4 \u2014 (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'",
      "description": "(L1) Ensure 'Do not show feedback notifications' is set to 'Enabled'",
      "rational": "Users should not be sending any feedback to third-party vendors in an enterprise \nmanaged environment.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Data Collection and Preview Builds\\Do not show feedback \nnotifications \n\nNote: This Group Policy path is provided by the Group Policy template \nFeedbackNotifications.admx/adml that is included with the Microsoft Windows 10 \nRelease 1511 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection|DoNotShowFeedbackNoti",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "9754a9acd3d8822e311906abe0a08e8f",
      "name": "18.10.16.5 \u2014 (L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled'",
      "description": "(L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of malicious users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Data Collection and Preview Builds\\Enable OneSettings Auditing \n\nNote: This Group Policy path is provided by the Group Policy template \nDataCollection.admx/adml that is included with the Microsoft Windows 11 Release \n21H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection|EnableOneSettingsAudi",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "115cf35086150ebf99b57ebf3c8347d7",
      "name": "18.10.16.6 \u2014 (L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'",
      "description": "(L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled'",
      "rational": "Sending data to a third-party vendor is a security concern and should only be done on \nan as-needed basis.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Data Collection and Preview Builds\\Limit Diagnostic Log Collection \n\nNote: This Group Policy path is provided by the Group Policy template \nDataCollection.admx/adml that is included with the Microsoft Windows 11 Release \n21H2 Administrative Templates (or newer). \n\nPage 985",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection|LimitDiagnosticLogCol",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "fa1fd3c2775881aeab3b232344908310",
      "name": "18.10.16.7 \u2014 (L1) Ensure 'Limit Dump Collection' is set to 'Enabled'",
      "description": "(L1) Ensure 'Limit Dump Collection' is set to 'Enabled'",
      "rational": "Memory dumps can contain sensitive information. Sending this data to a third-party \nvendor is a security concern and should only be done on an as-needed basis.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled. \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Data Collection and Preview Builds\\Limit Dump Collection \n\nNote: This Group Policy path is provided by the Group Policy template \nDataCollection.admx/adml that is included with the Microsoft Windows 11 Release \n21H2 Administrative Templates (or newer). \n\nPage 987",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection|LimitDumpCollection",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "73dcf07c1c2d8626fc5d1c6f21997b58",
      "name": "18.10.16.8 \u2014 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'",
      "description": "(L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled'",
      "rational": "It can be risky for experimental features to be allowed in an enterprise managed \nenvironment because this can introduce bugs and security holes into systems, making it \neasier for an attacker to gain access. It is generally preferred to only use production-\nready builds.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Data Collection and Preview Builds\\Toggle user control over \nInsider builds \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate AllowBuildPreview.admx/adml that is included with the Microsoft Windows \n10 RTM (Release 1507) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PreviewBuilds|AllowBui",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "12343e79fd374bb1cf8cee10252a7e75",
      "name": "18.10.17.1 \u2014 (L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet'",
      "description": "(L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet'",
      "rational": "Due to privacy concerns and security risks, updates should only be downloaded directly \nfrom Microsoft, or from a trusted machine on the internal network that received its \nupdates from a trusted source and approved by the network administrator.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to any \nvalue other than Enabled: Internet (3): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Delivery Optimization\\Download Mode \n\nNote: This Group Policy path is provided by the Group Policy template \nDeliveryOptimization.admx/adml that is included with the Microsoft Windows 10 \nRTM (Release 1507) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization|DODownloadMode",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "a"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "72ce84c5541c85da3aa367579d924a9c",
      "name": "18.10.18.2 \u2014 (L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'",
      "description": "(L1) Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'",
      "rational": "Windows Package Manager is a command line tool can be used to discover, install, \nupgrade, remove and configure applications, and it can be used as a distribution \nchannel for software packages containing tools and applications. Users should not have \naccess to experimental features.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Desktop App Installer\\Enable App Installer Experimental Features \n\nNote: This Group Policy path is provided by the Group Policy template \nDesktopAppInstaller.admx/adml that is included with the Microsoft Windows 11 \nRelease 22H2 Administrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppInstaller|EnableExperimentalFeatu",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "44a5d22523041a72675e99dad6b660c5",
      "name": "18.10.18.3 \u2014 (L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'",
      "description": "(L1) Ensure 'Enable App Installer Hash Override' is set to 'Disabled'",
      "rational": "Users should not have the ability to override SHA256 security validation.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Desktop App Installer\\Enable App Installer Hash Override \n\nNote: This Group Policy path is provided by the Group Policy template \nDesktopAppInstaller.admx/adml that is included with the Microsoft Windows 11 \nRelease 22H2 Administrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppInstaller|EnableHashOverride",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "af7170397f340b0076cab3ecaa149ce7",
      "name": "18.10.18.4 \u2014 (L1) Ensure 'Enable App Installer Local Archive Malware Scan Override' is set...",
      "description": "(L1) Ensure 'Enable App Installer Local Archive Malware Scan Override' is set to 'Disabled'",
      "rational": "Users should not have the ability to override malware scans.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Desktop App Installer\\Enable App Installer Local Archive Malware \nScan Override \n\nNote: This Group Policy path is provided by the Group Policy template \nDesktopAppInstaller.admx/adml that is included with the Microsoft Windows 11 \nRelease 24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppInstaller|EnableLocalArchiveMalwa",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "1dfd1ffed43617a0d744259019ffe6c2",
      "name": "18.10.18.5 \u2014 (L1) Ensure 'Enable App Installer Microsoft Store Source Certificate Validati...",
      "description": "(L1) Ensure 'Enable App Installer Microsoft Store Source Certificate Validation Bypass' is set to 'Disabled'",
      "rational": "It is important to validate that the Microsoft Store source is not spoofed.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Enable App Installer Microsoft Store Source Certificate Validation \nBypass \n\nNote: This Group Policy path is provided by the Group Policy template \nDesktopAppInstaller.admx/adml that is included with the Microsoft Windows 11 \nRelease 24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppInstaller|EnableBypassCertificate",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "ece4ac13a628f27f0b9a409c20781688",
      "name": "18.10.18.6 \u2014 (L1) Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'",
      "description": "(L1) Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'",
      "rational": "Users should not have the ability to install an application by clicking a link on a website. \nIf an unknown or malicious link is clicked, malicious software could be installed on the \nsystem.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Desktop App Installer\\Enable App Installer ms-appinstaller \nprotocol \n\nNote: This Group Policy path is provided by the Group Policy template \nDesktopAppInstaller.admx/adml that is included with the Microsoft Windows 11 \nRelease 22H2 Administrative Templates v1.0 (or newer). \n\nPage 1005",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppInstaller|EnableMSAppInstallerPro",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "4e6255306b4fbe23374af95499b050f2",
      "name": "18.10.26.1.1 \u2014 (L1) Ensure 'Application: Control Event Log behavior when the log file reache...",
      "description": "(L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'",
      "rational": "If new events are not recorded it may be difficult or impossible to determine the root \ncause of system problems or the unauthorized activities of malicious users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Event Log Service\\Application\\Control Event Log behavior when the \nlog file reaches its maximum size \n\nNote: This Group Policy path is provided by the Group Policy template \nEventLog.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Windows Administr...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Application|Retention",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "1f48bd0d29e4fdf199cb42e6887419b9",
      "name": "18.10.26.1.2 \u2014 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to '...",
      "description": "(L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of malicious users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 32,768 or greater: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Event Log Service\\Application\\Specify the maximum log file size \n(KB) \n\nNote: This Group Policy path is provided by the Group Policy template \nEventLog.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Windows Administrative Templat...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Application|MaxSize",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "22b11d2a8d5e767469aacea86451a5e3",
      "name": "18.10.26.2.1 \u2014 (L1) Ensure 'Security: Control Event Log behavior when the log file reaches i...",
      "description": "(L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'",
      "rational": "If new events are not recorded it may be difficult or impossible to determine the root \ncause of system problems or the unauthorized activities of malicious users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Event Log Service\\Security\\Control Event Log behavior when the log \nfile reaches its maximum size \n\nNote: This Group Policy path is provided by the Group Policy template \nEventLog.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Windows Administrati...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Security|Retention",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "5852451e13907c1d710340e7e4df5277",
      "name": "18.10.26.2.2 \u2014 (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Ena...",
      "description": "(L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of malicious users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 196,608 or greater: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Event Log Service\\Security\\Specify the maximum log file size (KB) \n\nNote: This Group Policy path is provided by the Group Policy template \nEventLog.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Windows Administrative Templates,...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Security|MaxSize",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "b5ec11ed536a1aff68d73612f1959c0d",
      "name": "18.10.26.3.1 \u2014 (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its ...",
      "description": "(L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'",
      "rational": "If new events are not recorded it may be difficult or impossible to determine the root \ncause of system problems or the unauthorized activities of malicious users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Event Log Service\\Setup\\Control Event Log behavior when the log \nfile reaches its maximum size \n\nNote: This Group Policy path is provided by the Group Policy template \nEventLog.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Windows Administrative...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Setup|Retention",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "a0cd8f42c1029edb3918707d62d3b1cf",
      "name": "18.10.26.3.2 \u2014 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enable...",
      "description": "(L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of malicious users",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 32,768 or greater: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Event Log Service\\Setup\\Specify the maximum log file size (KB) \n\nNote: This Group Policy path is provided by the Group Policy template \nEventLog.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Windows Administrative Templates, thi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Setup|MaxSize",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "76d6eba5a19ebc93b44d37d08da6f168",
      "name": "18.10.26.4.1 \u2014 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its...",
      "description": "(L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'",
      "rational": "If new events are not recorded it may be difficult or impossible to determine the root \ncause of system problems or the unauthorized activities of malicious users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Event Log Service\\System\\Control Event Log behavior when the log \nfile reaches its maximum size \n\nNote: This Group Policy path is provided by the Group Policy template \nEventLog.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Windows Administrative...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\System|Retention",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "65828087dbcc8f1e3c22407b3d81f9ff",
      "name": "18.10.26.4.2 \u2014 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabl...",
      "description": "(L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of malicious users",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 32,768 or greater: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Event Log Service\\System\\Specify the maximum log file size (KB) \n\nNote: This Group Policy path is provided by the Group Policy template \nEventLog.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Windows Administrative Templates, th...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\System|MaxSize",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "ced9794b58d9128e3f920f0663f68df4",
      "name": "18.10.29.2 \u2014 (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disa...",
      "description": "(L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'",
      "rational": "Data Execution Prevention is an important security feature supported by Explorer that \nhelps to limit the impact of certain types of malware.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\File Explorer\\Turn off Data Execution Prevention for Explorer \n\nNote: This Group Policy path is provided by the Group Policy template \nExplorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer|NoDataExecutionPrevention",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "1b78591e27fcba976fbbcafbfc6fd53d",
      "name": "18.10.29.3 \u2014 (L1) Ensure 'Do not apply the Mark of the Web tag to files copied from insecu...",
      "description": "(L1) Ensure 'Do not apply the Mark of the Web tag to files copied from insecure sources' is set to 'Disabled'",
      "rational": "MOTW is an important security feature that ensures files from insecure locations are \ntreated with extra caution and are tagged with MOTW. If files are left untagged, users \nand computers could be exposed to security risks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\File Explorer\\Do not apply the Mark of the Web tag to files copied \nfrom insecure sources \n\nNote: This Group Policy path is provided by the Group Policy template \nExplorer.admx/adml that is included with the Microsoft Windows 11 Release 24H2 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer|DisableMotWOnInsecurePathCo",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "214d8f63a5dbaab294c6872cce126c74",
      "name": "18.10.29.4 \u2014 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'",
      "description": "(L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled'",
      "rational": "Allowing an application to function after its session has become corrupt increases the \nrisk posture to the system.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\File Explorer\\Turn off heap termination on corruption \n\nNote: This Group Policy path is provided by the Group Policy template \nExplorer.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer|NoHeapTerminationOnCorrupti",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "18c27035d000672ce255aae217cd00f7",
      "name": "18.10.29.5 \u2014 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'",
      "description": "(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'",
      "rational": "Limiting the opening of files and folders to a limited set reduces the attack surface of the \nsystem.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\File Explorer\\Turn off shell protocol protected mode \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsExplorer.admx/adml that is included with all versions of the Microsoft \nWindows Administrative Templates. \n\nPage 1037",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer|PreXPSP2Shel",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "1796da4a38aa0dedc79bf04cc7553cb9",
      "name": "18.10.35.1 \u2014 (L1) Ensure 'Disable Internet Explorer 11 as a standalone browser' is set to ...",
      "description": "(L1) Ensure 'Disable Internet Explorer 11 as a standalone browser' is set to 'Enabled: Always'",
      "rational": "Official support for Internet Explorer (IE) 11 desktop applications (workstation) ended on \nJune 22, 2022. Unsupported software could contain vulnerabilities that are left \nunpatched. Unpatched vulnerabilities can lead to application weaknesses that could \nallow attackers to leverage the security vulnerability by running malicious code.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Always: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Internet Explorer\\Disable Internet Explorer 11 as a standalone \nbrowser \n\nNote: This Group Policy path is provided by the Group Policy template \nInetRes.admx/adml that is included with the Microsoft Windows 10 Release 21H1 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main|NotifyDisableIEOptions",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "4728913228284485b72c03dca3272129",
      "name": "18.10.42.1 \u2014 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set...",
      "description": "(L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'",
      "rational": "Organizations that want to effectively implement identity management policies and \nmaintain firm control of what accounts are used on their computers will probably want to \nblock Microsoft accounts. Organizations may also need to block Microsoft accounts in \norder to meet the requirements of compliance standards that apply to their information \nsystems.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft accounts\\Block all consumer Microsoft account user \nauthentication \n\nNote: This Group Policy path is provided by the Group Policy template \nMSAPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1703 \nAdministrative Templates (or newer). \n\nPage 1050",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\MicrosoftAccount|DisableUserAuth",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "e1e8e4ae5ef309fd1846ee58c53bdfad",
      "name": "18.10.43.4.1 \u2014 (L1) Ensure 'Enable EDR in block mode' is set to 'Enabled'",
      "description": "(L1) Ensure 'Enable EDR in block mode' is set to 'Enabled'",
      "rational": "When Microsoft Defender Antivirus is not the primary antivirus product and is running in \npassive mode, EDR in block mode provides added protection against malicious \nartifacts.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Features\\Enable EDR in block mode \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative Templates (or newer). \n\nPage 1053",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Features|PassiveRemediation",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "22cc5b7c962832475dd1877e29ed3f3f",
      "name": "18.10.43.5.1 \u2014 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS...",
      "description": "(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'",
      "rational": "The decision on whether or not to participate in Microsoft MAPS / Microsoft Defender \nAntivirus Cloud Protection Service for malicious software reporting should be made \ncentrally in an enterprise managed environment, so that all computers within it behave \nconsistently in that regard. Configuring this setting to Disabled ensures that the decision \nremains centrally managed.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\MAPS\\Configure local setting override \nfor reporting to Microsoft MAPS \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer). \n\nPage 1056",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet|LocalSettingOverrideSpynetReporting",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "935bc025430a5ecc8bf10098b38e2374",
      "name": "18.10.43.6.1.1 \u2014 (L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'",
      "description": "(L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect machines.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release \n1709 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR|ExploitGuard_ASR_Rules",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "76994522cf9191971c90117592d00a3e",
      "name": "18.10.43.6.1.2 \u2014 (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each...",
      "description": "(L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect machines. \n\nPage 1064",
      "remediation": "To establish the recommended configuration via GP, set the following UI path so that \n26190899-1602-49e8-8b27-eb1d0a1ce869, 3b576869-a4ec-4529-8536-\nb80a7769e899, 56a863a9-875e-4185-98a7-b882c64b5ce5, 5beb7efe-fd9a-4556-\n801d-275e5ffc04cc, 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84, 7674ba52-37eb-\n4a4f-a9a1-f0f9a1619a2c, 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, 9e6c4e1f-\n7d60-472f-ba1a-a39ef669e4b2, b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4, \nbe9ba2d9-53ea-4cdc-84e5-9b1eeee46550, d3e037e1-3eb8-44c8-a917-\n5...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules|26190899",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "a2394f95b3e494faedd8ac0e72ae6a20",
      "name": "18.10.43.6.3.1 \u2014 (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set...",
      "description": "(L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'",
      "rational": "This setting can help prevent employees from using any application to access \ndangerous domains that may host phishing scams, exploit-hosting sites, and other \nmalicious content on the Internet.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Block: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Network \nProtection\\Prevent users and apps from accessing dangerous websites \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release \n1709 Administrative Templates (...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\windows Defender\\Windows Defender Exploit Guard\\Network Protection|EnableNetworkProtection",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "a350af6929141d28745caa824c62a4ed",
      "name": "18.10.43.7.1 \u2014 (L1) Ensure 'Enable file hash computation feature' is set to 'Enabled'",
      "description": "(L1) Ensure 'Enable file hash computation feature' is set to 'Enabled'",
      "rational": "When running an antivirus solution such as Microsoft Defender Antivirus, it is important \nto ensure that it is configured to monitor for suspicious and known malicious activity. \nFile hashes are a reliable way of detecting changes to files, and can speed up the scan \nprocess by skipping files that have not changed since they were last scanned and \ndetermined to be safe. A changed file hash can...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\MpEngine\\Enable file hash computation \nfeature \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release \n1709 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\MpEngine|EnableFileHashComputation",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "51dace4c90e8f499884cda3dfd9fbc84",
      "name": "18.10.43.10.1 \u2014 (L1) Ensure 'Configure real-time protection and Security Intelligence Updates...",
      "description": "(L1) Ensure 'Configure real-time protection and Security Intelligence Updates during OOBE' is set to 'Enabled'",
      "rational": "Critical Windows zero-day patch updates should be applied during OOBE to help \nmitigate against malicious attacks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Real-Time Protection\\Configure real-\ntime protection and Security Intelligence Updates during OOBE \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|OobeEnableRtpAndSigUpdate",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "f353e4f177432d2faf32ad0fe51e883e",
      "name": "18.10.43.10.2 \u2014 (L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'",
      "description": "(L1) Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'",
      "rational": "When running an antivirus solution such as Microsoft Defender Antivirus, it is important \nto ensure that it is configured to heuristically monitor in real-time for suspicious and \nknown malicious activity.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Real-Time Protection\\Scan all \ndownloaded files and attachments \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|DisableIOAVProtection",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "603056ba8a8edf132daea3b3737da426",
      "name": "18.10.43.10.3 \u2014 (L1) Ensure 'Turn off real-time protection' is set to 'Disabled'",
      "description": "(L1) Ensure 'Turn off real-time protection' is set to 'Disabled'",
      "rational": "When running an antivirus solution such as Microsoft Defender Antivirus, it is important \nto ensure that it is configured to heuristically monitor in real-time for suspicious and \nknown malicious activity.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn off real-\ntime protection \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|DisableRealtimeMonitoring",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "b3f829f9d4df4d7bf81e1c3e44b82fd7",
      "name": "18.10.43.10.4 \u2014 (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'",
      "description": "(L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled'",
      "rational": "When running an antivirus solution such as Microsoft Defender Antivirus, it is important \nto ensure that it is configured to heuristically monitor in real-time for suspicious and \nknown malicious activity.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn on behavior \nmonitoring \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|DisableBehaviorMonitoring",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "df2f8f2b1e968a01deb6d46d36c23947",
      "name": "18.10.43.10.5 \u2014 (L1) Ensure 'Turn on script scanning' is set to 'Enabled'",
      "description": "(L1) Ensure 'Turn on script scanning' is set to 'Enabled'",
      "rational": "When running an antivirus solution such as Microsoft Defender Antivirus, it is important \nto ensure that it is configured to heuristically monitor in real-time for suspicious and \nknown malicious activity.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn on script \nscanning \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n21H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|DisableScriptScanning",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "3c474c9ddab307770b2497553e5e0d29",
      "name": "18.10.43.11.1.1.2 \u2014 (L1) Ensure 'Configure Remote Encryption Protection Mode' is set to 'Enabled:...",
      "description": "(L1) Ensure 'Configure Remote Encryption Protection Mode' is set to 'Enabled: Audit' or higher",
      "rational": "This feature assists with mitigating brute force attempts by detecting and blocking \nunauthorized sign-ins and sessions.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Audit or higher: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Remediation\\Behavioral Network \nBlocks\\Brute-Force Protection\\Configure Remote Encryption Protection Mode \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative T...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Remediation\\Behavioral Network Blocks\\Brute Force Protection|BruteForceProtectionConfiguredState",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "7e638a57cf779aa9f520c00ea4d6e135",
      "name": "18.10.43.13.1 \u2014 (L1) Ensure 'Scan excluded files and directories during quick scans' is set t...",
      "description": "(L1) Ensure 'Scan excluded files and directories during quick scans' is set to 'Enabled: 1'",
      "rational": "The Real-time Protection feature excludes some files and directories for contextual \nreasons. This setting ensures that these are scanned during a Quick Scan.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Scan excluded files and \ndirectories during quick scans \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|QuickScanIncludeExclusions",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "138b7e65d3cb754849a4bf8bfc981895",
      "name": "18.10.43.13.2 \u2014 (L1) Ensure 'Scan packed executables' is set to 'Enabled'",
      "description": "(L1) Ensure 'Scan packed executables' is set to 'Enabled'",
      "rational": "Packing executables is a way to compress and create smaller files and can make it \ndifficult to access and analyze the code associated with the executable. This is a \ncommon method to obfuscate malicious executables by bad actors.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Scan packed executables \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 and \nServer 2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|DisablePackedExeScanning",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "6bf8428320744456b4cd1dee126bf463",
      "name": "18.10.43.13.3 \u2014 (L1) Ensure 'Scan removable drives' is set to 'Enabled'",
      "description": "(L1) Ensure 'Scan removable drives' is set to 'Enabled'",
      "rational": "It is important to ensure that any present removable drives are always included in any \ntype of scan, as removable drives are more likely to contain malicious software brought \ninto the enterprise-managed environment from an external, unmanaged computer.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Scan removable drives \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|DisableRemovableDriveScanning",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "65da730e0912fee88af560704836a0fd",
      "name": "18.10.43.13.4 \u2014 (L1) Ensure 'Trigger a quick scan after X days without any scans' is set to '...",
      "description": "(L1) Ensure 'Trigger a quick scan after X days without any scans' is set to 'Enabled: 7'",
      "rational": "Antivirus scans should be performed on a regular basis so that malicious software can \nbe detected and remediated before malicious activity occurs.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 7 days: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Trigger a quick scan after X \ndays without any scans \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|DaysUntilAggressiveCatchupQuickScan",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "7"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "4d900205641f5c45b7d2f08656ca49ae",
      "name": "18.10.43.13.5 \u2014 (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'",
      "description": "(L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled'",
      "rational": "Incoming e-mails should be scanned by an antivirus solution such as Microsoft \nDefender Antivirus, as email attachments are a commonly used attack vector to infiltrate \ncomputers with malicious software.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Turn on e-mail scanning \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|DisableEmailScanning",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "4c50967f420cbebdbed7037cbade2419",
      "name": "18.10.43.16 \u2014 (L1) Ensure 'Configure detection for potentially unwanted applications' is se...",
      "description": "(L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'",
      "rational": "Potentially unwanted applications can increase the risk of your network being infected \nwith malware, cause malware infections to be harder to identify, and can waste IT \nresources in cleaning up the applications. They should be blocked from installation.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Block: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Configure detection for potentially \nunwanted applications \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release \n1809 & Server 2019 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender|PUAProtection",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "ab3515627477ae15c5ec81f32cfd076e",
      "name": "18.10.43.17 \u2014 (L1) Ensure 'Control whether exclusions are visible to local users' is set to...",
      "description": "(L1) Ensure 'Control whether exclusions are visible to local users' is set to 'Enabled'",
      "rational": "Only administrators should be able to view and manage Microsoft Defender Antivirus \nexclusions.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Control whether exclusions are \nvisible to local users \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender|HideExclusionsFromLocalUsers",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "e4ab50182a45a83e2d5eb37b0753ffa4",
      "name": "18.10.44.1 \u2014 (NG) Ensure 'Allow auditing events in Microsoft Defender Application Guard' i...",
      "description": "(NG) Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled'",
      "rational": "Auditing of Microsoft Defender Application Guard events may be useful when \ninvestigating a security incident.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Application Guard\\Allow auditing events in \nMicrosoft Defender Application Guard \n\nNote: This Group Policy path is provided by the Group Policy template \nAppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1709 \nAdministrative Templates (or newer). \n\nNote #2: In older Microsoft Windows A...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\AppHVSI|AuditApplicationGuard",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "2524ff1212198db22259b7c3bc98c855",
      "name": "18.10.44.2 \u2014 (NG) Ensure 'Allow camera and microphone access in Microsoft Defender Applica...",
      "description": "(NG) Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is set to 'Disabled'",
      "rational": "In an effort to stop sensitive information from being obtained for malicious use, untrusted \nsites within the Microsoft Defender Application Guard container should not be accessing \nthe computer's microphone or camera.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Application Guard\\Allow camera and microphone \naccess in Microsoft Defender Application Guard \n\nNote: This Group Policy path is provided by the Group Policy template \nAppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1809 & \nServer 2019 Administrative Templates (or newer). \n\nNote #2: I...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\AppHVSI|AllowCameraMicrophoneRedirection",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "b03299d5da5772e22b768b5a975bda5d",
      "name": "18.10.44.3 \u2014 (NG) Ensure 'Allow data persistence for Microsoft Defender Application Guard'...",
      "description": "(NG) Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to 'Disabled'",
      "rational": "The primary purpose of Microsoft Defender Application Guard is to present a \n\"sandboxed container\" for visiting untrusted websites. If data persistence is allowed, \nthen it reduces the effectiveness of the sandboxing, and malicious content will be able \nto remain active in the Microsoft Defender Application Guard container between \nsessions.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Application Guard\\Allow data persistence for \nMicrosoft Defender Application Guard \n\nNote: This Group Policy path is provided by the Group Policy template \nAppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1709 \nAdministrative Templates (or newer). \n\nNote #2: In older Microsoft Window...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\AppHVSI|AllowPersistence",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "a297e88cb5aca1d48bfe60a9808c44d9",
      "name": "18.10.44.4 \u2014 (NG) Ensure 'Allow files to download and save to the host operating system fr...",
      "description": "(NG) Ensure 'Allow files to download and save to the host operating system from Microsoft Defender Application Guard' is set to 'Disabled'",
      "rational": "The primary purpose of Microsoft Defender Application Guard is to present a \n\"sandboxed container\". Potentially malicious files should not be copied to the host OS \nfrom the sandboxed environment, which could put the host at risk.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Application Guard\\Allow files to download and \nsave to the host operating system from Microsoft Defender Application Guard \n\nNote: This Group Policy path is provided by the Group Policy template \nAppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1803 \nAdministrative Templates (or newe...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\AppHVSI|SaveFilesToHost",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "f120300772d441df95dec946afa38f3e",
      "name": "18.10.44.5 \u2014 (NG) Ensure 'Configure Microsoft Defender Application Guard clipboard setting...",
      "description": "(NG) Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'",
      "rational": "The primary purpose of Microsoft Defender Application Guard is to present a \n\"sandboxed container\" for visiting untrusted websites. If the host clipboard is made \navailable to Microsoft Defender Application Guard, a compromised Microsoft Defender \nApplication Guard session will have access to its content, potentially exposing sensitive \ninformation to a malicious website or application. However...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Enable clipboard operation from an isolated session to the \nhost \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Application Guard\\Configure Microsoft Defender \nApplication Guard clipboard settings: Clipboard behavior setting \n\nNote: This Group Policy path is provided by the Group Policy template \nAppHVSI.admx/adml that is included with the Microsoft Wind...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\AppHVSI|AppHVSIClipboardSettings",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "d98584066e0865df30c5849da6f9e8c2",
      "name": "18.10.44.6 \u2014 (NG) Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is...",
      "description": "(NG) Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled: 1'",
      "rational": "Microsoft Defender Application Guard uses Windows Hypervisor to create a virtualized \nenvironment for apps that are configured to use virtualization-based security isolation. \nWhile in isolation, improper user interactions and app vulnerabilities can\u2019t compromise \nthe kernel or any other apps running outside of the virtualized environment.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Application Guard\\Turn on Microsoft Defender \nApplication Guard in Managed Mode \n\nNote: This Group Policy path is provided by the Group Policy template \nAppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1703 \nAdministrative Templates (or newer). \n\nNote #2: In older Microsoft Windows...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\AppHVSI|AllowAppHVSI_ProviderSet",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "7e64ee6bf73df14b40b38f6880133bd4",
      "name": "18.10.51.1 \u2014 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'",
      "description": "(L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled'",
      "rational": "Enabling this setting prevents users from accidentally (or intentionally) uploading \nconfidential or sensitive corporate information to the OneDrive cloud service using the \nNext Generation Sync Client. \n\nNote: This security concern applies to any cloud-based file storage application installed \non a workstation, not just the one supplied with Windows.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\OneDrive\\Prevent the usage of OneDrive for file storage \n\nNote: This Group Policy path is provided by the Group Policy template \nSkyDrive.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 \nR2 Administrative Templates (or newer). However, we strongly recommend you only \nuse the version included with the Mi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\OneDrive|DisableFileSyncNGSC",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "2b35d688f9be5400c889639a9675d132",
      "name": "18.10.57.2.2 \u2014 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'",
      "description": "(L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled'",
      "rational": "An attacker with physical access to the computer may be able to break the protection \nguarding saved passwords. An attacker who compromises a user's account and \nconnects to their computer could use saved passwords to gain access to additional \nhosts.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not \nallow passwords to be saved \n\nNote: This Group Policy path is provided by the Group Policy template \nTerminalServer.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|DisablePasswordSaving",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "df909beecfd3b6e8bf1a47caa14732c3",
      "name": "18.10.57.3.3.3 \u2014 (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'",
      "description": "(L1) Ensure 'Do not allow drive redirection' is set to 'Enabled'",
      "rational": "Data could be forwarded from the user's Remote Desktop Services session to the user's \nlocal computer without any direct user interaction. Malicious software already present \non a compromised server would have direct and stealthy disk access to the user's local \ncomputer during the Remote Desktop session.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Remote Desktop Services\\Remote Desktop Session Host\\Device and \nResource Redirection\\Do not allow drive redirection \n\nNote: This Group Policy path is provided by the Group Policy template \nTerminalServer.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|fDisableCdm",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "01866d0e2e2d6fd6bcd61ca4a74ec145",
      "name": "18.10.57.3.9.1 \u2014 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'",
      "description": "(L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled'",
      "rational": "Users have the option to store both their username and password when they create a \nnew Remote Desktop Connection shortcut. If the server that runs Remote Desktop \nServices allows users who have used this feature to log on to the server but not enter \ntheir password, then it is possible that an attacker who has gained physical access to \nthe user's computer could connect to a Remote Desktop Ser...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Remote Desktop Services\\Remote Desktop Session \nHost\\Security\\Always prompt for password upon connection \n\nNote: This Group Policy path is provided by the Group Policy template \nTerminalServer.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In the Microsoft Windows Vi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|fPromptForPassword",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "dcde1bda2c50138eb90fada1ef0925f0",
      "name": "18.10.57.3.9.2 \u2014 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled'",
      "description": "(L1) Ensure 'Require secure RPC communication' is set to 'Enabled'",
      "rational": "Allowing unsecure RPC communication can expose the server to man-in-the-middle \nattacks and data disclosure attacks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Remote Desktop Services\\Remote Desktop Session \nHost\\Security\\Require secure RPC communication \n\nNote: This Group Policy path is provided by the Group Policy template \nTerminalServer.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|fEncryptRPCTraffic",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "cb85a73047807a99fb82e1cd1628f0a0",
      "name": "18.10.57.3.9.3 \u2014 (L1) Ensure 'Require use of specific security layer for remote (RDP) connecti...",
      "description": "(L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'",
      "rational": "The native RDP encryption is now considered a weak protocol, so enforcing the use of \nstronger TLS encryption for all RDP communications between clients and RD Session \nHost servers is preferred.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: SSL: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Remote Desktop Services\\Remote Desktop Session \nHost\\Security\\Require use of specific security layer for remote (RDP) \nconnections \n\nNote: This Group Policy path is provided by the Group Policy template \nTerminalServer.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|SecurityLayer",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "80e4e7fbd7254e3db96f8c3b9b4eb13d",
      "name": "18.10.57.3.9.4 \u2014 (L1) Ensure 'Require user authentication for remote connections by using Netw...",
      "description": "(L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'",
      "rational": "Requiring that user authentication occur earlier in the remote connection process \nenhances security.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Remote Desktop Services\\Remote Desktop Session \nHost\\Security\\Require user authentication for remote connections by using \nNetwork Level Authentication \n\nNote: This Group Policy path is provided by the Group Policy template \nTerminalServer.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Te...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|UserAuthentication",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "d2b8076f03c3ea924cbf9073d7cbaf7b",
      "name": "18.10.57.3.9.5 \u2014 (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High...",
      "description": "(L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'",
      "rational": "If Remote Desktop client connections that use low level encryption are allowed, it is \nmore likely that an attacker will be able to decrypt any captured Remote Desktop \nServices network traffic.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: High Level: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set \nclient connection encryption level \n\nNote: This Group Policy path is provided by the Group Policy template \nTerminalServer.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|MinEncryptionLevel",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "ff79c9e26801be2b0c1b96d50ef07815",
      "name": "18.10.57.3.11.1 \u2014 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'",
      "description": "(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'",
      "rational": "Sensitive information could be contained inside the temporary folders and visible to \nother administrators that log into the system.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary \nFolders\\Do not delete temp folders upon exit \n\nNote: This Group Policy path is provided by the Group Policy template \nTerminalServer.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Wind...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|DeleteTempDirsOnExit",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "11cfae69f4c652fcfcb9c8cf8797af06",
      "name": "18.10.58.1 \u2014 (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'",
      "description": "(L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled'",
      "rational": "Allowing attachments to be downloaded through the RSS feed can introduce files that \ncould have malicious intent.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\RSS Feeds\\Prevent downloading of enclosures \n\nNote: This Group Policy path is provided by the Group Policy template \nInetRes.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Windows Administrative Templates, this setting was named \nTurn off downloadi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds|DisableEnclosureDownload",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "49cdd0c7e8b98feadefdb5d91511560c",
      "name": "18.10.58.2 \u2014 (L1) Ensure 'Turn on Basic feed authentication over HTTP' is set to 'Disabled'",
      "description": "(L1) Ensure 'Turn on Basic feed authentication over HTTP' is set to 'Disabled'",
      "rational": "Allowing RSS feeds to use Basic authentication over HTTP will transmit user credentials \nin plain text, where they could be intercepted en route by a malicious user.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Administrative Templates\\Windows Components\\RSS \nFeeds\\Turn on Basic feed authentication over HTTP \n\nNote: This Group Policy path is provided by the Group Policy template \nInetRes.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\Software\\Policies\\Microsoft\\Internet Explorer\\Feeds|AllowBasicAuthInClear",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "36958002becc443e8b60dfd755f0b133",
      "name": "18.10.59.3 \u2014 (L1) Ensure 'Allow Cortana' is set to 'Disabled'",
      "description": "(L1) Ensure 'Allow Cortana' is set to 'Disabled'",
      "rational": "If Cortana is enabled, sensitive information could be contained in search history and \nsent out to Microsoft.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Search\\Allow Cortana \n\nNote: This Group Policy path is provided by the Group Policy template \nSearch.admx/adml that is included with the Microsoft Windows 10 RTM (Release \n1507) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search|AllowCortana",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "3f57e15e326a0f9aa5678984e0187667",
      "name": "18.10.59.4 \u2014 (L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled'",
      "description": "(L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled'",
      "rational": "Access to any computer resource should not be allowed when the device is locked.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Search\\Allow Cortana above lock screen \n\nNote: This Group Policy path is provided by the Group Policy template \nSearch.admx/adml that is included with the Microsoft Windows 10 Release 1607 & \nServer 2016 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search|AllowCortanaAboveLock",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "2294b61825d8581a19bea971a39470f8",
      "name": "18.10.59.5 \u2014 (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'",
      "description": "(L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled'",
      "rational": "Indexing and allowing users to search encrypted files could potentially reveal \nconfidential data stored within the encrypted files.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Search\\Allow indexing of encrypted files \n\nNote: This Group Policy path is provided by the Group Policy template \nSearch.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search|AllowIndexingEncryptedStoresOrItems",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "4b4e20affab2aa67d4efcc3c2b3b0725",
      "name": "18.10.59.6 \u2014 (L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'",
      "description": "(L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled'",
      "rational": "In an enterprise managed environment, allowing Cortana and Search to have access to \nlocation data is unnecessary. Organizations likely do not want this information shared \nout.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Search\\Allow search and Cortana to use location \n\nNote: This Group Policy path is provided by the Group Policy template \nSearch.admx/adml that is included with the Microsoft Windows 10 RTM (Release \n1507) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search|AllowSearchToUseLocation",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "6760a29585e083748a40a9469135d89b",
      "name": "18.10.66.2 \u2014 (L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'D...",
      "description": "(L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'",
      "rational": "Keeping your system properly patched can help protect against 0 day vulnerabilities.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Store\\Turn off Automatic Download and Install of updates \n\nNote: This Group Policy path is provided by the Group Policy template \nWinStoreUI.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 \nR2 Administrative Templates, or by the Group Policy template \nWindowsStore.admx/adml that is included with the Mi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsStore|AutoDownload",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "cd01c1f8152f3636309ce54ff3f63f59",
      "name": "18.10.66.3 \u2014 (L1) Ensure 'Turn off the offer to update to the latest version of Windows' i...",
      "description": "(L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'",
      "rational": "Unplanned OS upgrades can lead to more preventable support calls. The IT department \nshould be managing and approving all upgrades and updates.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Store\\Turn off the offer to update to the latest version of \nWindows \n\nNote: This Group Policy path is provided by the Group Policy template \nWinStoreUI.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 \nR2 Administrative Templates, or by the Group Policy template \nWindowsStore.admx/adml that is included...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsStore|DisableOSUpgrade",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "b8a3c24bc551b4a67eba327aaa96e4c3",
      "name": "18.10.72.1 \u2014 (L1) Ensure 'Allow widgets' is set to 'Disabled'",
      "description": "(L1) Ensure 'Allow widgets' is set to 'Disabled'",
      "rational": "Due to privacy concerns, apps and features such as Widgets on the Windows taskbar \nshould be treated as a possible security risk due to the potential of data being sent back \nto third-parties, such as Microsoft.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Widgets\\Allow widgets \n\nNote: This Group Policy path is provided by the Group Policy template \nNewsAndInterests.admx/adml that is included with the Microsoft Windows 11 Release \n21H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Dsh|AllowNewsAndInterests",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "3ccd2eebf57c95022796f8961c16d17b",
      "name": "18.10.76.2.1 \u2014 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn...",
      "description": "(L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'",
      "rational": "Windows Defender SmartScreen helps keep PCs safer by warning users before running \nunrecognized programs downloaded from the Internet. However, due to the fact that \nsome information is sent to Microsoft about files and programs run on PCs some \norganizations may prefer to disable it.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Warn and prevent bypass: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender \nSmartScreen \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server \n2012 (non-R2) Administrative Templates (or newer). \n\nNote #2: In old...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|EnableSmartScreen",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "f438c715ad6e7a4527900a8189b5fa59",
      "name": "18.10.78.1 \u2014 (L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is ...",
      "description": "(L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'",
      "rational": "If this setting is allowed, users could record and broadcast session info to external sites, \nwhich is both a risk of accidentally exposing sensitive company data (on-screen) outside \nthe company as well as a privacy concern.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Game Recording and Broadcasting\\Enables or disables \nWindows Game Recording and Broadcasting \n\nNote: This Group Policy path is provided by the Group Policy template \nGameDVR.admx/adml that is included with the Microsoft Windows 10 RTM (Release \n1507) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\GameDVR|AllowGameDVR",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "838cbfd7626600d9f69317eb0a96ade9",
      "name": "18.10.80.2 \u2014 (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallo...",
      "description": "(L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'",
      "rational": "Allowing any apps to be accessed while system is locked is not recommended. If this \nfeature is permitted, it should only be accessible once a user authenticates with the \nproper credentials.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: On, but disallow access above lock OR Enabled: Disabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Ink Workspace\\Allow Windows Ink Workspace \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 \nRelease 1607 & Server 2016 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsInkWorkspace|AllowWindowsInkWorkspace",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "3a3e3fe5e65a823c4215fe7469e0da54",
      "name": "18.10.81.1 \u2014 (L1) Ensure 'Allow user control over installs' is set to 'Disabled'",
      "description": "(L1) Ensure 'Allow user control over installs' is set to 'Disabled'",
      "rational": "In an enterprise managed environment, only IT staff with administrative rights should be \ninstalling or changing software on a system. Allowing users the ability to have any \ncontrol over installs can risk unapproved software from being installed or removed from \na system, which could cause the system to become vulnerable to compromise.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Installer\\Allow user control over installs \n\nNote: This Group Policy path is provided by the Group Policy template MSI.admx/adml \nthat is included with all versions of the Microsoft Windows Administrative Templates. \n\nNote #2: In older Microsoft Windows Administrative Templates, this setting was named \nEnable user con...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer|EnableUserControl",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "206f2c8cd5be8a50e27e1155500b968f",
      "name": "18.10.81.2 \u2014 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'",
      "description": "(L1) Ensure 'Always install with elevated privileges' is set to 'Disabled'",
      "rational": "Users with limited privileges can exploit this feature by creating a Windows Installer \ninstallation package that creates a new local account that belongs to the local built-in \nAdministrators group, adds their current account to the local built-in Administrators \ngroup, installs malicious software, or performs other unauthorized activities.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Installer\\Always install with elevated privileges \n\nNote: This Group Policy path is provided by the Group Policy template MSI.admx/adml \nthat is included with all versions of the Microsoft Windows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer|AlwaysInstallElevated",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "d40bc55eabbe5a709fcc04ac42119bf2",
      "name": "18.10.82.1 \u2014 (L1) Ensure 'Configure the transmission of the user's password in the content...",
      "description": "(L1) Ensure 'Configure the transmission of the user's password in the content of MPR notifications sent by winlogon.' is set to 'Disabled'",
      "rational": "MPR is a legacy utility that provides notifications to registered credential managers or \nnetwork providers when there is a logon event, or a password change event. Although \nMPR can be used by legitimate applications, the user's password field of these \nnotifications should be empty to prevent abuse by attackers.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Logon Options\\Configure the transmission of the user's \npassword in the content of MPR notifications sent by winlogon. \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate WinLogon.admx/adml that is included with the Microsoft Windows 11 Release \n22H2 Administrative Tem...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|EnableMPR",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "43f2084f5c733cb0fd80c2fa012d34e4",
      "name": "18.10.82.2 \u2014 (L1) Ensure 'Sign-in and lock last interactive user automatically after a res...",
      "description": "(L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'",
      "rational": "Disabling this feature will prevent the caching of user's credentials and unauthorized \nuse of the device, and also ensure the user is aware of the restart.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Logon Options\\Sign-in and lock last interactive user \nautomatically after a restart \n\nNote: This Group Policy path is provided by the Group Policy template \nWinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 \nR2 Administrative Templates (or newer). \n\nNote #2: In older Microsoft Windows Ad...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|DisableAutomaticRestartSignOn",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "bcfbf4513f1a3c45e1190b39a3b88761",
      "name": "18.10.89.1.1 \u2014 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled'",
      "description": "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled'",
      "rational": "Basic authentication is less robust than other authentication methods available in \nWinRM because credentials including passwords are transmitted in plain text. An \nattacker who is able to capture packets on the network where WinRM is running may be \nable to determine the credentials used for accessing remote hosts via WinRM.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic \nauthentication \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsRemoteManagement.admx/adml that is included with all versions of the \nMicrosoft Windows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client|AllowBasic",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "e8624018922ade42154525d2b0e281e3",
      "name": "18.10.89.1.2 \u2014 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'",
      "description": "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'",
      "rational": "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying \nWinRM messages as they transit the network.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted \ntraffic \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsRemoteManagement.admx/adml that is included with all versions of the \nMicrosoft Windows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client|AllowUnencryptedTraffic",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "f392cd4543a271d79aa7e28e4128ec60",
      "name": "18.10.89.1.3 \u2014 (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled'",
      "description": "(L1) Ensure 'Disallow Digest authentication' is set to 'Enabled'",
      "rational": "Digest authentication is less robust than other authentication methods available in \nWinRM. An attacker who is able to capture packets on the network where WinRM is \nrunning may be able to determine the credentials used for accessing remote hosts via \nWinRM.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest \nauthentication \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsRemoteManagement.admx/adml that is included with all versions of the \nMicrosoft Windows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client|AllowDigest",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "b12cbec69447bc4690a6fae99b0cb23d",
      "name": "18.10.89.2.1 \u2014 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled'",
      "description": "(L1) Ensure 'Allow Basic authentication' is set to 'Disabled'",
      "rational": "Basic authentication is less robust than other authentication methods available in \nWinRM because credentials including passwords are transmitted in plain text. An \nattacker who is able to capture packets on the network where WinRM is running may be \nable to determine the credentials used for accessing remote hosts via WinRM.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic \nauthentication \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsRemoteManagement.admx/adml that is included with all versions of the \nMicrosoft Windows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service|AllowBasic",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "5a0f80bbd9c6023f4e0a3bf5312975ed",
      "name": "18.10.89.2.3 \u2014 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'",
      "description": "(L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled'",
      "rational": "Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying \nWinRM messages as they transit the network.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted \ntraffic \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsRemoteManagement.admx/adml that is included with all versions of the \nMicrosoft Windows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service|AllowUnencryptedTraffic",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "7ee2aa669808d48704780f9d8e894ca9",
      "name": "18.10.89.2.4 \u2014 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'",
      "description": "(L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'",
      "rational": "Although the ability to store RunAs credentials is a convenient feature it increases the \nrisk of account compromise slightly. For example, if you forget to lock your desktop \nbefore leaving it unattended for a few minutes another person could access not only the \ndesktop of your computer but also any hosts you manage via WinRM with cached \nRunAs credentials.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM \nfrom storing RunAs credentials \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsRemoteManagement.admx/adml that is included with the Microsoft Windows \n8.0 & Server 2012 (non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service|DisableRunAs",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "054d354d492f393fa1a80bba4735be74",
      "name": "18.10.91.1 \u2014 (L1) Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'",
      "description": "(L1) Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'",
      "rational": "Disabling copy and paste decreases the attack surface exposed by the Windows \nSandbox and possible exposure of untrusted applications to the internal network.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Sandbox\\Allow clipboard sharing with Windows Sandbox \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsSandbox.admx/adml that is included with the Microsoft Windows 11 Release \n21H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Sandbox|AllowClipboardRedirection",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "d07f8e6575521f7172aae28cfaae192c",
      "name": "18.10.91.2 \u2014 (L1) Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'",
      "description": "(L1) Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'",
      "rational": "Disabling network access decreases the attack surface exposed by the Windows \nSandbox and exposure of untrusted applications to the internal network. \n\nNote: Per Microsoft, enabling networking in the Windows Sandbox can expose \nuntrusted applications to the internal network.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Sandbox\\Allow networking in Windows Sandbox \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsSandbox.admx/adml that is included with the Microsoft Windows 11 Release \n21H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Sandbox|AllowNetworking",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "4fbae3cab6698dde0d67f378845dfc00",
      "name": "18.10.92.2.1 \u2014 (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'",
      "description": "(L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled'",
      "rational": "Only authorized IT staff should be able to make changes to the exploit protection \nsettings in order to ensure the organization's specific configuration is not modified.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Security\\App and browser protection\\Prevent users from \nmodifying settings \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefenderSecurityCenter.admx/adml that is included with the Microsoft \nWindows 10 Release 1709 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection|DisallowExploitProtectionOverride",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "e902aa243147acf33aff9aca512b9a86",
      "name": "18.10.93.1.1 \u2014 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic upd...",
      "description": "(L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'",
      "rational": "Some security updates require that the computer be restarted to complete an \ninstallation. If the computer cannot restart automatically, then the most recent update \nwill not completely install and no new updates will download to the computer until it is \nrestarted. Without the auto-restart functionality, users who are not security-conscious \nmay choose to indefinitely delay the restart, theref...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Update\\Legacy Policies\\No auto-restart with logged on \nusers for scheduled automatic updates installations \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsof...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU|NoAutoRebootWithLoggedOnUsers",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "0780b4409e73b23b8725f2c5fd15dda2",
      "name": "18.10.93.2.1 \u2014 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'",
      "description": "(L1) Ensure 'Configure Automatic Updates' is set to 'Enabled'",
      "rational": "Although each version of Windows is thoroughly tested before release, it is possible that \nproblems will be discovered after the products are shipped. The Configure Automatic \nUpdates setting can help you ensure that the computers in your environment will always \nhave the most recent critical operating system updates and service packs installed.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Update\\Manage end user experience\\Configure Automatic \nUpdates \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU|NoAutoUpdate",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "15637472940150be5c95f8a707a166ca",
      "name": "18.10.93.2.2 \u2014 (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0...",
      "description": "(L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'",
      "rational": "Although each version of Windows is thoroughly tested before release, it is possible that \nproblems will be discovered after the products are shipped. The Configure Automatic \nUpdates setting can help you ensure that the computers in your environment will always \nhave the most recent critical operating system updates and service packs installed.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to 0 - \nEvery day: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Update\\Manage end user experience\\Configure Automatic \nUpdates: Scheduled install day \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU|ScheduledInstallDay",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "e25e0f9d13a1aa8d3559e16b7a89574f",
      "name": "18.10.93.2.3 \u2014 (L1) Ensure 'Remove access to \u201cPause updates\u201d feature' is set to 'Enabled'",
      "description": "(L1) Ensure 'Remove access to \u201cPause updates\u201d feature' is set to 'Enabled'",
      "rational": "In order to ensure security and system updates are applied, system administrators \nshould control when updates are applied to systems.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Update\\Manage end user experience\\Remove access to \u201cPause \nupdates\u201d feature \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 \nRelease 1809 & Server 2019 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate|SetDisablePauseUXAccess",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "cebbfb39f883f650b4c203a47b53b64e",
      "name": "18.10.93.4.1 \u2014 (L1) Ensure 'Manage preview builds' is set to 'Disabled'",
      "description": "(L1) Ensure 'Manage preview builds' is set to 'Disabled'",
      "rational": "It can be risky for experimental features to be allowed in an enterprise managed \nenvironment because this can introduce bugs and security holes into systems, making it \neasier for an attacker to gain access. It is generally preferred to only use production-\nready builds.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Update\\Manage updates offered from Windows Update\\Manage \npreview builds \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 \nRelease 1709 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate|ManagePreviewBuildsPolicyValue",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "a3744140a575ef290d85c3804645b047",
      "name": "18.10.93.4.2 \u2014 (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is ...",
      "description": "(L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'. Note: the condition below only verifies that feature-update deferral is switched on (DeferFeatureUpdates = 1); it does not verify the deferral period, so a host configured to defer for fewer than 180 days still passes this check. Verify DeferFeatureUpdatesPeriodInDays >= 180 separately.",
      "rational": "In a production environment, it is preferred to only use software and features that are \npublicly available, after they have gone through rigorous testing in beta.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 180 or more days: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Update\\Manage updates offered from Windows Update\\Select \nwhen Preview Builds and Feature Updates are received \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 \nRelease 1607 & Se...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate|DeferFeatureUpdates",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    },
    {
      "external_id": "ab487e5a36605f51043ab936770ea6c1",
      "name": "18.10.93.4.3 \u2014 (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 ...",
      "description": "(L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'. Note: the condition below only verifies that quality-update deferral is switched on (DeferQualityUpdates = 1); it does not verify the deferral period, so a host configured with a non-zero deferral still passes this check. Verify DeferQualityUpdatesPeriodInDays = 0 separately.",
      "rational": "Quality Updates can contain important bug fixes and/or security patches, and should be \ninstalled as soon as possible.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 0 days: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Update\\Manage updates offered from Windows Update\\Select \nwhen Quality Updates are received \n\nNote: This Group Policy path may not exist by default. It is provided by the Group \nPolicy template WindowsUpdate.admx/adml that is included with the Microsoft \nWindows 10 Release 1607 & Server 2016 Administrative...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate|DeferQualityUpdates",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 10"
        }
      ]
    }
  ]
}