{
  "format_version": 3,
  "policy": {
    "external_id": "68cd8ad121edf9a88bf34dd59e908ddc",
    "name": "CIS Microsoft Windows 11 Enterprise Benchmark v5.0.1 - Level 1",
    "version": "1.0.0",
    "description": "CIS Level 1 (L1) hardening profile for Microsoft Windows 11 Enterprise. Registry-backed Group Policy settings \u2014 account / lockout / audit policy, user rights assignment, security options, administrative templates. Applies only to Windows 11 hosts.",
    "author": "Center for Internet Security"
  },
  "tests": [
    {
      "external_id": "afb3c4a7616a825d786d88f926faba04",
      "name": "1.1.6 \u2014 Ensure 'Relax minimum password length limits' is set to 'Enabled'",
      "description": "Ensure 'Relax minimum password length limits' is set to 'Enabled'",
      "rational": "This setting will enable the enforcement of longer and generally stronger passwords or \npassphrases where MFA is not in use.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Account \nPolicies\\Password Policy\\Relax minimum password length limits \n\nNote: This setting is only available within the built-in OS security template of Windows \n10 Release 2004 and Server 2022 (or newer), and is not available via older versions of \nthe OS, or via downloadable Administrative Templates (ADMX/ADML). Therefore, you \nmust...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\System\\CurrentControlSet\\Control\\SAM|RelaxMinimumPasswordLengthLimits",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c3056e492477e0307757832e796c8aa6",
      "name": "2.3.1.2 \u2014 Ensure 'Accounts: Limit local account use of blank passwords to console logon...",
      "description": "Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled'",
      "rational": "Blank passwords are a serious threat to computer security and should be forbidden \nthrough both organizational policy and suitable technical measures. In fact, the default \nsettings for Active Directory domains require complex passwords of at least seven \ncharacters. However, if users with the ability to create new accounts bypass your \ndomain-based password policies, they could create accounts...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Enabled:\n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Accounts: Limit local account use of blank passwords to console logon only",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|LimitBlankPasswordUse",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "235085d6c84cbc8ba4fd00b9267dea41",
      "name": "2.3.2.1 \u2014 Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or late...",
      "description": "Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled'",
      "rational": "Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to \ntrack events at a per-system or per-user level. The larger event categories created too \nmany events and the key information that needed to be audited was difficult to find.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Enabled:\n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|SCENoApplyLegacyAuditPolicy",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "593fea83178a5e08f350ac8c9ffbd3ac",
      "name": "2.3.2.2 \u2014 Ensure 'Audit: Shut down system immediately if unable to log security audits'...",
      "description": "Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled'",
      "rational": "If the Audit: Shut down system immediately if unable to log security audits setting is \nenabled, unplanned system failures can occur. The administrative burden can be \nsignificant, especially if the Retention method for the Security log to Do not overwrite \nevents (clear log manually) is configured. This configuration causes a repudiation threat \n(a backup operator could deny that they backed u...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Audit: Shut down system immediately if unable to \nlog security audits",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|CrashOnAuditFail",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a49602f974dda096ac7111fc0c292649",
      "name": "2.3.6.1 \u2014 Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)...",
      "description": "Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'",
      "rational": "When a computer joins a domain, a computer account is created. After it joins the \ndomain, the computer uses the password for that account to create a secure channel \nwith the Domain Controller for its domain every time that it restarts. Requests that are \nsent on the secure channel are authenticated\u2014and sensitive information such as \npasswords are encrypted\u2014but the channel is not integrity-che...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Domain member: Digitally encrypt or sign secure \nchannel data (always)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters|RequireSignOrSeal",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "825700dfeea9a747510d4218a7fda763",
      "name": "2.3.6.2 \u2014 Ensure 'Domain member: Digitally encrypt secure channel data (when possible)'...",
      "description": "Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'",
      "rational": "When a computer joins a domain, a computer account is created. After it joins the \ndomain, the computer uses the password for that account to create a secure channel \nwith the Domain Controller for its domain every time that it restarts. Requests that are \nsent on the secure channel are authenticated\u2014and sensitive information such as \npasswords are encrypted\u2014but the channel is not integrity-che...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Enabled:\n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally encrypt secure channel data (when possible)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters|SealSecureChannel",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "cd8c43af474ef29ae73a8cd50b1deaa5",
      "name": "2.3.6.3 \u2014 Ensure 'Domain member: Digitally sign secure channel data (when possible)' is...",
      "description": "Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'",
      "rational": "When a computer joins a domain, a computer account is created. After it joins the \ndomain, the computer uses the password for that account to create a secure channel \nwith the Domain Controller for its domain every time that it restarts. Requests that are \nsent on the secure channel are authenticated\u2014and sensitive information such as \npasswords are encrypted\u2014but the channel is not integrity-che...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Enabled:\n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Digitally sign secure channel data (when possible)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters|SignSecureChannel",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "ad09bf767d6a4a6f3522ac7b4a11f0cf",
      "name": "2.3.6.4 \u2014 Ensure 'Domain member: Disable machine account password changes' is set to 'D...",
      "description": "Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'. Note (review): the registry value name in this policy's automated condition is 'DisablePasswordCha', which looks truncated; until it is corrected the check may not resolve the real value and its result should not be relied on \u2014 verify the setting manually.",
      "rational": "If a system does not change its machine account password, there is a security risk because the secure channel is used for pass-through authentication. If a threat actor discovers the password, they can potentially perform pass-through authentication to the domain controller.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Disabled:\n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Disable machine account password changes",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters|DisablePasswordCha",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "0b8a6557678bb1a960d6216e43407a53",
      "name": "2.3.6.5 \u2014 Ensure 'Domain member: Maximum machine account password age' is set to '30 or...",
      "description": "Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'. Note (review): the automated condition in this policy tests MaximumPasswordAge for equality with '3', which does not express '30 or fewer, but not 0' (the expected value looks truncated) and will report a compliant value such as 30 as failing; verify the setting manually until the check is corrected.",
      "rational": "In Active Directory-based domains, each computer has an account and password just like every user. By default, domain members automatically change their domain password every 30 days. If this interval is increased significantly, or set to 0 so that computers no longer change their passwords, a threat actor will have more time to undertake a brute force attack to guess the password...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to 30 or \nfewer days, but not 0: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Domain member: Maximum machine account password age",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters|MaximumPasswordAge",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "9f62ce24cac69cdab9ddab95cc2f7ad1",
      "name": "2.3.6.6 \u2014 Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is...",
      "description": "Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'",
      "rational": "Session keys that are used to establish secure channel communications between \nDomain Controllers and member computers are much stronger in Windows 2000 than \nthey were in previous Microsoft operating systems. Whenever possible, these stronger \nsession keys should be used to help protect secure channel communications from \nattacks that attempt to hijack network sessions and eavesdropping. \n\nEav...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Enabled:\n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Domain member: Require strong (Windows 2000 or later) session key",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters|RequireStrongKey",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "eaea68524a98f88aeec1e0b4787ce0cf",
      "name": "2.3.7.2 \u2014 Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'",
      "description": "Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled'. Note (review): the registry value name in this policy's automated condition is 'DontDisplayLas', which looks truncated; until it is corrected the check may not resolve the real value and its result should not be relied on \u2014 verify the setting manually.",
      "rational": "A threat actor with access to the console (for example, someone with physical access or \nsomeone who is able to connect to the server through Remote Desktop Services) could \nview the name of the last user who logged on to the server. The threat actor could then \ntry to guess the password, use a dictionary, or use a brute-force attack to try and log on.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Enabled:\n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Don't display last signed-in\n\nNote: In older versions of Microsoft Windows, this setting was named Interactive logon: Do not display last user name, but it was renamed starting with Windows 10 Release 1703.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|DontDisplayLas",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "935dc85a5ee0751ccf8de5b1d138e0fe",
      "name": "2.3.7.3 \u2014 Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer ...",
      "description": "Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'. Note (review): the automated condition in this policy uses the value name 'InactivityTime' (which looks truncated) and tests it for equality with '9', which does not express '900 or fewer, but not 0' and will report a compliant value such as 900 as failing; verify the setting manually until the check is corrected.",
      "rational": "If a user forgets to lock their computer when they walk away it's possible that a \npasserby will hijack it.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to 900 or \nfewer seconds, but not 0: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Interactive logon: Machine inactivity limit",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|InactivityTime",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "9"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "7f7f171351fa94709fa8bd0a68f33588",
      "name": "2.3.7.4 \u2014 Configure 'Interactive logon: Message text for users attempting to log on'",
      "description": "Configure 'Interactive logon: Message text for users attempting to log on'. Note (review): the automated condition in this policy uses the value name 'LegalNoticeTex' (which looks truncated) and tests it for equality with the single character 't'; it cannot confirm that an organization-appropriate message is configured, so verify the setting manually until the check is corrected.",
      "rational": "Displaying a warning message before logon may help deter malicious logins by warning a threat actor of the consequences of their misconduct.\n\nIt also helps to reinforce corporate policy by notifying employees of the appropriate policy during the logon process. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or t...",
      "remediation": "To establish the recommended configuration via GP, configure the following UI path to a \nvalue that is consistent with the security and operational requirements of your \norganization: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Interactive logon: Message text for users \nattempting to log on",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|LegalNoticeTex",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "t"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "6e809cf5039c287039333cdbbc442a79",
      "name": "2.3.7.5 \u2014 Configure 'Interactive logon: Message title for users attempting to log on'",
      "description": "Configure 'Interactive logon: Message title for users attempting to log on'. Note (review): the automated condition in this policy uses the value name 'LegalNoticeCap' (which looks truncated) and tests it for equality with the single character 't'; it cannot confirm that an organization-appropriate title is configured, so verify the setting manually until the check is corrected.",
      "rational": "Displaying a warning message before logon may help deter malicious logins by warning a threat actor of the consequences of their misconduct.\n\nIt also helps to reinforce corporate policy by notifying employees of the appropriate policy during the logon process. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or t...",
      "remediation": "To establish the recommended configuration via GP, configure the following UI path to a value that is consistent with the security and operational requirements of your organization:\n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Interactive logon: Message title for users attempting to log on",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|LegalNoticeCap",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "t"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c56193b008c0cee3545f54a4a5ebc6fb",
      "name": "2.3.7.7 \u2014 Ensure 'Interactive logon: Prompt user to change password before expiration' ...",
      "description": "Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days'. Note (review): the automated condition in this policy only tests that PasswordExpiryWarning exists and does not check the 5\u201314 day range, so a value outside that range would still pass; verify the value manually until the check is corrected.",
      "rational": "Users will need to be warned that their passwords are going to expire, or they may \ninadvertently be locked out of the computer when their passwords expire. This condition \ncould lead to confusion for users who access the network locally, or make it impossible \nfor users to access your organization's network through dial-up or virtual private network \n(VPN) connections.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to a value \nbetween 5 and 14 days: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Interactive logon: Prompt user to change password \nbefore expiration",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon|PasswordExpiryWarning",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c156074af8c17c4b4f29a3bc8c6f4aa7",
      "name": "2.3.7.8 \u2014 Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Works...",
      "description": "Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher. Note (review): the automated condition in this policy tests ScRemoveOption for equality with '1' only, whereas the remediation accepts Lock Workstation, Force Logoff or Disconnect if a Remote Desktop Services session; hosts configured with one of the stricter options will be reported as non-compliant until the check is widened.",
      "rational": "Users sometimes forget to lock their workstations when they are away from them, \nallowing the possibility for threat actors to access their computers. If smart cards are \nused for authentication, the computer should automatically lock itself when the card is \nremoved to ensure that only the user with the smart card is accessing resources using \nthose credentials.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Lock \nWorkstation, Force Logoff or Disconnect if a Remote Desktop Services \nsession: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Interactive logon: Smart card removal behavior",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon|ScRemoveOption",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "6ee5d364e4a9e9ef67fbcee61f43dbd2",
      "name": "2.3.8.1 \u2014 Ensure 'Microsoft network client: Digitally sign communications (always)' is ...",
      "description": "Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled'. Note (review): the registry value name in this policy's automated condition is 'RequireSe', which looks truncated; until it is corrected the check may not resolve the real value and its result should not be relied on \u2014 verify the setting manually.",
      "rational": "Session hijacking uses tools that allow threat actors who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Threat actors can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the threat actors could pose as the server o...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Microsoft network client: Digitally sign \ncommunications (always)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters|RequireSe",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "358a2dd6bc2d057523d83fc86a500ae1",
      "name": "2.3.8.2 \u2014 Ensure 'Microsoft network client: Send unencrypted password to third-party SM...",
      "description": "Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled'. Note (review): the registry value name in this policy's automated condition is 'EnablePla', which looks truncated; until it is corrected the check may not resolve the real value and its result should not be relied on \u2014 verify the setting manually.",
      "rational": "If you enable this policy setting, the SMB client (redirector) on this computer can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Disabled:\n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network client: Send unencrypted password to third-party SMB servers",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanWorkstation\\Parameters|EnablePla",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "b98ec1ec3a4e757a29537e5fc62f536c",
      "name": "2.3.9.1 \u2014 Ensure 'Microsoft network server: Amount of idle time required before suspend...",
      "description": "Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s)'. Note (review): the automated condition in this policy tests AutoDisconnect for equality with '1', which does not express '15 or fewer' (the expected value looks truncated) and will report a compliant value such as 15 as failing; verify the setting manually until the check is corrected.",
      "rational": "Each SMB session consumes server resources, and numerous null sessions will slow \nthe server or possibly cause it to fail. A threat actor could repeatedly establish SMB \nsessions until the server's SMB services become slow or unresponsive.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s):\n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Policies\\Security Options\\Microsoft network server: Amount of idle time required before suspending session",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters|AutoDisconnect",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "cc9817c2c22176177e3c3e8895ae6302",
      "name": "2.3.9.2 \u2014 Ensure 'Microsoft network server: Digitally sign communications (always)' is ...",
      "description": "Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled'. Note (review): the registry value name in this policy's automated condition is 'RequireSecurit', which looks truncated; until it is corrected the check may not resolve the real value and its result should not be relied on \u2014 verify the setting manually.",
      "rational": "Session hijacking uses tools that allow threat actors who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Threat actors can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the threat actor could pose as the server or...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Microsoft network server: Digitally sign \ncommunications (always)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters|RequireSecuritySignature",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c840e46ef9acd6f82ef00edef5682618",
      "name": "2.3.9.3 \u2014 Ensure 'Microsoft network server: Disconnect clients when logon hours expire'...",
      "description": "Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled'",
      "rational": "If your organization configures logon hours for users, then it makes sense to enable this \npolicy setting. Otherwise, users who should not have access to network resources \noutside of their logon hours may actually be able to continue to use those resources \nwith sessions that were established during allowed hours.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Microsoft network server: Disconnect clients when \nlogon hours expire",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters|enableforcedlogoff",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "dfdb90e337332f47c19be101a44b91ec",
      "name": "2.3.9.4 \u2014 Ensure 'Microsoft network server: Server SPN target name validation level' is...",
      "description": "Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher",
      "rational": "The identity of a computer can be spoofed to gain unauthorized access to network \nresources.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Accept \nif provided by client or Required from client: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Microsoft network server: Server SPN target name \nvalidation level",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters|SMBServerNameHardeningLevel",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "124a2b0c1acfdb7f3df1e8e891ad1d7f",
      "name": "2.3.10.2 \u2014 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' i...",
      "description": "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled'",
      "rational": "An unauthorized user could anonymously list account names and use the information to \nattempt to guess passwords or perform social engineering attacks. (Social engineering \nattacks try to deceive users in some way to obtain passwords or some form of security \ninformation.)",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Do not allow anonymous enumeration \nof SAM accounts",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|RestrictAnonymousSAM",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "41b3274bd505c54a4f6be569672ad903",
      "name": "2.3.10.3 \u2014 Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts an...",
      "description": "Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled'",
      "rational": "An unauthorized user could anonymously list account names and shared resources and \nuse the information to attempt to guess passwords or perform social engineering \nattacks. (Social engineering attacks try to deceive users in some way to obtain \npasswords or some form of security information.)",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Do not allow anonymous enumeration \nof SAM accounts and shares",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|RestrictAnonymous",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "225452ff22cbe68b7b1545c839860550",
      "name": "2.3.10.4 \u2014 Ensure 'Network access: Do not allow storage of passwords and credentials for...",
      "description": "Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled'",
      "rational": "Passwords that are cached can be accessed by the user when logged on to the \ncomputer. Although this information may sound obvious, a problem can arise if the user \nunknowingly executes hostile code that reads the passwords and forwards them to \nanother, unauthorized user.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Do not allow storage of passwords \nand credentials for network authentication",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|DisableDomainCreds",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "4c421787a42d7751db0d549d4190a142",
      "name": "2.3.10.5 \u2014 Ensure 'Network access: Let Everyone permissions apply to anonymous users' is...",
      "description": "Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled'",
      "rational": "An unauthorized user could anonymously list account names and shared resources and \nuse the information to attempt to guess passwords, perform social engineering attacks, \nor launch DoS attacks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Let Everyone permissions apply to \nanonymous users",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|EveryoneIncludesAnonymous",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "554a206b69ff4325e334f52731bd4f6e",
      "name": "2.3.10.6 \u2014 Ensure 'Network access: Named Pipes that can be accessed anonymously' is set ...",
      "description": "Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None'",
      "rational": "Limiting named pipes that can be accessed anonymously will reduce the attack surface \nof the system.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n<blank> (i.e. None): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Named Pipes that can be accessed \nanonymously",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters|NullSessionPipes",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "89e78821ad811580cde77883fb4f8b0d",
      "name": "2.3.10.7 \u2014 Ensure 'Network access: Remotely accessible registry paths' is configured",
      "description": "Ensure 'Network access: Remotely accessible registry paths' is configured",
      "rational": "The registry is a database that contains computer configuration information, and much \nof the information is sensitive. A threat actor could use this information to facilitate \nunauthorized activities. To reduce the risk of such an attack, suitable ACLs are \nassigned throughout the registry to help protect it from access by unauthorized users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nSystem\\CurrentControlSet\\Control\\ProductOptions \nSystem\\CurrentControlSet\\Control\\Server Applications \nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Remotely accessible registry paths",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurePipeServers\\Winreg\\AllowedExactPaths|Machine",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "S"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f0ae9023a5c3bb4519868c7d31101f19",
      "name": "2.3.10.8 \u2014 Ensure 'Network access: Remotely accessible registry paths and sub-paths' is ...",
      "description": "Ensure 'Network access: Remotely accessible registry paths and sub-paths' is configured",
      "rational": "The registry contains sensitive computer configuration information that could be used by \na threat actor to facilitate unauthorized activities. The fact that the default ACLs \nassigned throughout the registry are fairly restrictive and help to protect the registry \nfrom access by unauthorized users reduces the risk of such an attack.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nSystem\\CurrentControlSet\\Control\\Print\\Printers \nSystem\\CurrentControlSet\\Services\\Eventlog \nSOFTWARE\\Microsoft\\OLAP Server \nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Print \nSOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows \nSystem\\CurrentControlSet\\Control\\ContentIndex \nSystem\\CurrentControlSet\\Control\\Terminal Server \nSystem\\CurrentControlSet\\Control\\Terminal Server\\UserConfig \nSystem\\CurrentControlSet\\Co...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurePipeServers\\Winreg\\AllowedPaths|Machine",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "S"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f9998a7078d27cd67783c91575c55ab5",
      "name": "2.3.10.9 \u2014 Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' ...",
      "description": "Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled'",
      "rational": "Null sessions are a weakness that can be exploited through shares (including the \ndefault shares) on computers in your environment.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Restrict anonymous access to Named \nPipes and Shares",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters|RestrictNullSessAccess",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "ff9ac657a11b1f697e923c19b837acc9",
      "name": "2.3.10.10 \u2014 Ensure 'Network access: Restrict clients allowed to make remote calls to SAM'...",
      "description": "Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow'",
      "rational": "To ensure that an unauthorized user cannot anonymously list local account names or \ngroups and use the information to attempt to guess passwords or perform social \nengineering attacks. (Social engineering attacks try to deceive users in some way to \nobtain passwords or some form of security information.)",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nAdministrators: Remote Access: Allow: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Restrict clients allowed to make \nremote calls to SAM",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|restrictremotesam",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "O"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "34c6132152722ec87271f7fa17169ed4",
      "name": "2.3.10.11 \u2014 Ensure 'Network access: Shares that can be accessed anonymously' is set to 'N...",
      "description": "Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None'",
      "rational": "It is very dangerous to allow any values in this setting. Any shares that are listed can be \naccessed by any network user, which could lead to the exposure or corruption of \nsensitive data.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n<blank> (i.e. None): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Shares that can be accessed \nanonymously",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters|NullSessionShares",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "44b163f632e0b1958e0c5c1b3c94e8d3",
      "name": "2.3.10.12 \u2014 Ensure 'Network access: Sharing and security model for local accounts' is set...",
      "description": "Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves'",
      "rational": "With the Guest only model, any user who can authenticate to your computer over the \nnetwork does so with guest privileges, which probably means that they will not have \nwrite access to shared resources on that computer. Although this restriction does \nincrease security, it makes it more difficult for authorized users to access shared \nresources on those computers because ACLs on those resources...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nClassic - local users authenticate as themselves: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network access: Sharing and security model for \nlocal accounts",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|ForceGuest",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "0c23bc6a699cf451af4bad50d3e29a96",
      "name": "2.3.11.1 \u2014 Ensure 'Network security: Allow Local System to use computer identity for NTL...",
      "description": "Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled'",
      "rational": "When connecting to computers running versions of Windows earlier than Windows Vista \nor Windows Server 2008 (non-R2), services running as Local System and using \nSPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if \nyou are connecting to a computer running Windows Server 2008 or Windows Vista, \nthen a system service uses either the computer identity or a NULL sessi...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: Allow Local System to use \ncomputer identity for NTLM",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|UseMachineId",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "25e917df3949b2a8b62f667216ac87dd",
      "name": "2.3.11.2 \u2014 Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to ...",
      "description": "Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled'",
      "rational": "NULL sessions are less secure because by definition they are unauthenticated.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: Allow LocalSystem NULL session \nfallback",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0|AllowNullSessionFallback",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "9ee1fdcd08ffa203eca101d62d88dba3",
      "name": "2.3.11.3 \u2014 Ensure 'Network Security: Allow PKU2U authentication requests to this compute...",
      "description": "Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled'",
      "rational": "The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be \nmanaged centrally in most managed networks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network Security: Allow PKU2U authentication \nrequests to this computer to use online identities",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\pku2u|AllowOnlineID",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "51496e14d3b86b0926de89423cbffc72",
      "name": "2.3.11.4 \u2014 Ensure 'Network security: Configure encryption types allowed for Kerberos' is...",
      "description": "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'",
      "rational": "The strength of each encryption algorithm varies from one to the next, choosing \nstronger algorithms will reduce the risk of compromise however doing so may cause \nissues when the computer attempts to authenticate with systems that do not support \nthem.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nAES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: Configure encryption types \nallowed for Kerberos",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters|SupportedEncryptionTypes",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "353bee3dd35bba26024708902d879478",
      "name": "2.3.11.6 \u2014 Ensure 'Network security: LAN Manager authentication level' is set to 'Send N...",
      "description": "Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM'",
      "rational": "Windows 2000 and Windows XP clients were configured by default to send LM and \nNTLM authentication responses (Windows 95-based and Windows 98-based clients \nonly send LM). The default settings in OSes predating Windows Vista / Windows Server \n2008 (non-R2) allowed all clients to authenticate with servers and use their resources. \nHowever, this meant that LM responses - the weakest form of authe...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: Send \nNTLMv2 response only. Refuse LM & NTLM: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: LAN Manager authentication level",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa|LmCompatibilityLevel",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "5"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "50bb7021adc4e50ce0e374014fee1d7e",
      "name": "2.3.11.7 \u2014 Ensure 'Network security: LDAP client encryption requirements' is set to 'Neg...",
      "description": "Ensure 'Network security: LDAP client encryption requirements' is set to 'Negotiate sealing' or higher",
      "rational": "Unencrypted network traffic is susceptible to man-in-the-middle attacks in which an \nintruder captures the packets between the client and server, modifies them, and then \nforwards them to the server. For an LDAP server, this susceptibility means that a threat \ncould cause a server to make decisions that are based on false or altered data from the \nLDAP queries. To lower this risk in your networ...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nNegotiate sealing or Require sealing: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: LDAP client encryption \nrequirements",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LDAP|LDAPClientConfidentiality",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "07b9c0a809bc0363ce362126f7beff18",
      "name": "2.3.11.8 \u2014 Ensure 'Network security: LDAP client signing requirements' is set to 'Negoti...",
      "description": "Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher",
      "rational": "Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder \ncaptures the packets between the client and server, modifies them, and then forwards \nthem to the server. For an LDAP server, this susceptibility means that a threat actor \ncould cause a server to make decisions that are based on false or altered data from the \nLDAP queries. To lower this risk a network,...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nNegotiate signing or Require signing: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: LDAP client signing requirements",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LDAP|LDAPClientIntegrity",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "97af980e5368c9fbcedb7a549d22b9fb",
      "name": "2.3.11.9 \u2014 Ensure 'Network security: Minimum session security for NTLM SSP based (includ...",
      "description": "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption'",
      "rational": "Enable both options for this policy setting to help protect network traffic that uses the \nNTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by \na threat actor who has gained access to the same network. These options help protect \nagainst man-in-the-middle attacks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nRequire NTLMv2 session security, Require 128-bit encryption: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: Minimum session security for NTLM \nSSP based (including secure RPC) clients \n\nNote: With both options selected, the NTLMMinClientSec registry value is 0x20080000 (537395200 decimal): 0x00080000 = Require NTLMv2 session security, 0x20000000 = Require 128-bit encryption. An audit check that compares against any other value will never pass on a correctly configured host.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0|NTLMMinClientSec",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "537395200"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "57cd9eb6fe9ab6f24e5660343d9426ff",
      "name": "2.3.11.10 \u2014 Ensure 'Network security: Minimum session security for NTLM SSP based (includ...",
      "description": "Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption'",
      "rational": "Enable all of the options for this policy setting to help protect network traffic that uses \nthe NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with \nby a threat actor who has gained access to the same network. These options help \nprotect against man-in-the-middle attacks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nRequire NTLMv2 session security, Require 128-bit encryption: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: Minimum session security for NTLM \nSSP based (including secure RPC) servers \n\nNote: With both options selected, the NTLMMinServerSec registry value is 0x20080000 (537395200 decimal): 0x00080000 = Require NTLMv2 session security, 0x20000000 = Require 128-bit encryption. An audit check that compares against any other value will never pass on a correctly configured host.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0|NTLMMinServerSec",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "537395200"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "1010cf02b277c93f1b6f37d5c504d40f",
      "name": "2.3.11.11 \u2014 Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set ...",
      "description": "Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts'",
      "rational": "Auditing and monitoring NTLM traffic can assist in identifying systems using this \noutdated authentication protocol, so they can be remediated to using a more secure \nprotocol, such as Kerberos. The log information gathered can also assist in forensic \ninvestigations after a malicious attack. \n\nNTLM and NTLMv2 authentication is vulnerable to various attacks, including SMB relay, \nman-in-the-mid...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Enable \nauditing for all accounts: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: Restrict NTLM: Audit Incoming \nNTLM Traffic",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0|AuditReceivingNTLMTraffic",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "8097808e8eba07d4feb366153b216c32",
      "name": "2.3.11.12 \u2014 Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote serv...",
      "description": "Ensure 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' is set to 'Audit all' or higher",
      "rational": "Auditing and monitoring NTLM traffic can assist in identifying systems using this \noutdated authentication protocol, so they can be remediated to using a more secure \nprotocol, such as Kerberos. The log information gathered can also assist in forensic \ninvestigations after a malicious attack. \n\nNTLM and NTLMv2 authentication is vulnerable to various attacks, including SMB relay, \nman-in-the-mid...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Audit \nall or Deny All: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\Network security: Restrict NTLM: Outgoing NTLM \ntraffic to remote servers \n\nNote: The audit condition in this test passes only when RestrictSendingNTLMTraffic equals 1 (Audit all). A host configured with Deny all (registry value 2) also meets the recommendation but will be reported as non-compliant by this test; confirm the actual registry value before treating such a finding as a gap, since Deny all is the stronger setting.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0|RestrictSendingNTLMTraffic",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "7aad910f4abb196619a8d7f73550970e",
      "name": "2.3.15.1 \u2014 Ensure 'System objects: Require case insensitivity for non-Windows subsystems...",
      "description": "Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'",
      "rational": "Because Windows is case-insensitive but the POSIX subsystem will support case \nsensitivity, failure to enable this policy setting would make it possible for a user of that \nsubsystem to create a file with the same name as another file but with a different mix of \nupper and lower case letters. Such a situation could potentially confuse users when \nthey try to access such files from normal Win32...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\System objects: Require case insensitivity for non-\nWindows subsystems",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel|ObCaseInsensitive",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f8014c4af4b51cc97325366ef8a9ee5c",
      "name": "2.3.15.2 \u2014 Ensure 'System objects: Strengthen default permissions of internal system obj...",
      "description": "Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled'",
      "rational": "This setting determines the strength of the default DACL for objects. Windows maintains \na global list of shared computer resources so that objects can be located and shared \namong processes. Each type of object is created with a default DACL that specifies who \ncan access the objects and with what permissions.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\System objects: Strengthen default permissions of \ninternal system objects (e.g. Symbolic Links)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager|ProtectionMode",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "d7d947221d2f6d74e0a0767305c70ca4",
      "name": "2.3.17.1 \u2014 Ensure 'User Account Control: Admin Approval Mode for the Built-in Administra...",
      "description": "Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled'",
      "rational": "One of the risks that the User Account Control feature introduced with Windows Vista is \ntrying to mitigate is that of malicious software running under elevated credentials without \nthe user or administrator being aware of its activity. An attack vector for these programs \nwas to discover the password of the account named \"Administrator\" because that user \naccount was created for all installati...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\User Account Control: Admin Approval Mode for the \nBuilt-in Administrator account",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|FilterAdministratorToken",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "fd4d255e89c084626a4dd70e5749c12c",
      "name": "2.3.17.2 \u2014 Ensure 'User Account Control: Behavior of the elevation prompt for administra...",
      "description": "Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' or higher",
      "rational": "One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate \nis that of malicious software running under elevated credentials without the user or \nadministrator being aware of its activity. This setting raises awareness to the \nadministrator of elevated privilege operations and permits the administrator to prevent a \nmalicious program from elevating its privilege w...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Prompt \nfor consent on the secure desktop or Prompt for credentials on the \nsecure desktop: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\User Account Control: Behavior of the elevation \nprompt for administrators in Admin Approval Mode \n\nNote: ConsentPromptBehaviorAdmin is 2 for Prompt for consent on the secure desktop and 1 for Prompt for credentials on the secure desktop; both values meet the recommendation. The audit condition in this test matches only the value 1, so a host set to 2 will be reported as non-compliant even though it is compliant; confirm the actual registry value before remediating.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|ConsentPromptBehaviorAdmin",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "773d2cbe37f19c45f659be35e46490e1",
      "name": "2.3.17.3 \u2014 Ensure 'User Account Control: Behavior of the elevation prompt for standard u...",
      "description": "Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests'",
      "rational": "One of the risks that the User Account Control feature introduced with Windows Vista is \ntrying to mitigate is that of malicious programs running under elevated credentials \nwithout the user or administrator being aware of their activity. This setting raises \nawareness to the user that a program requires the use of elevated privilege operations \nand requires that the user be able to supply admi...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nAutomatically deny elevation requests: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\User Account Control: Behavior of the elevation \nprompt for standard users",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|ConsentPromptBehaviorUser",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "de5069a4117ce35c6df245af1435cc24",
      "name": "2.3.17.4 \u2014 Ensure 'User Account Control: Detect application installations and prompt for...",
      "description": "Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled'",
      "rational": "Some malicious software will attempt to install itself after being given permission to run. \nFor example, malicious software with a trusted application shell. The user may have \ngiven permission for the program to run because the program is trusted, but if they are \nthen prompted for installation of an unknown component this provides another way of \ntrapping the software before it can do damage",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\User Account Control: Detect application \ninstallations and prompt for elevation",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|EnableInstallerDetection",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "ddc90c5992fc91009139e22bd58d1944",
      "name": "2.3.17.5 \u2014 Ensure 'User Account Control: Only elevate UIAccess applications that are ins...",
      "description": "Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled'",
      "rational": "UIAccess Integrity allows an application to bypass User Interface Privilege Isolation \n(UIPI) restrictions when an application is elevated in privilege from a standard user to an \nadministrator. This is required to support accessibility features such as screen readers \nthat are transmitting user interfaces to alternative forms. A process that is started with \nUIAccess rights has the following a...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\User Account Control: Only elevate UIAccess \napplications that are installed in secure locations",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|EnableSecureUIAPaths",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "07fec3f41763ac637eecf2b98e9dc353",
      "name": "2.3.17.6 \u2014 Ensure 'User Account Control: Run all administrators in Admin Approval Mode' ...",
      "description": "Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled'",
      "rational": "This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be \nused and any security benefits and risk mitigations that are dependent on UAC will not \nbe present on the system.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\User Account Control: Run all administrators in \nAdmin Approval Mode",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|EnableLUA",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "fd93a1bf128e015ca2cb5c23f88cc681",
      "name": "2.3.17.7 \u2014 Ensure 'User Account Control: Switch to the secure desktop when prompting for...",
      "description": "Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled'",
      "rational": "Standard elevation prompt dialog boxes can be spoofed, which may cause users to \ndisclose their passwords to malicious software. The secure desktop presents a very \ndistinct appearance when prompting for elevation, where the user desktop dims, and \nthe elevation prompt UI is more prominent. This increases the likelihood that users who \nbecome accustomed to the secure desktop will recognize a sp...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\User Account Control: Switch to the secure desktop \nwhen prompting for elevation",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|PromptOnSecureDesktop",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "427b988459cf443a4d9d079e4bc547d6",
      "name": "2.3.17.8 \u2014 Ensure 'User Account Control: Virtualize file and registry write failures to ...",
      "description": "Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled'",
      "rational": "This setting reduces vulnerabilities by ensuring that legacy applications only write data \nto permitted locations.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Local \nPolicies\\Security Options\\User Account Control: Virtualize file and registry \nwrite failures to per-user locations",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|EnableVirtualization",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "6048c88d337d9437ee98b9065a50b908",
      "name": "5.3 \u2014 Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'",
      "description": "Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed'",
      "rational": "This is a legacy service - its sole purpose is to maintain a list of computers and their \nnetwork shares in the environment (i.e. \"Network Neighborhood\"). If enabled, it \ngenerates a lot of unnecessary traffic, including \"elections\" to see who gets to be the \n\"master browser\". This noisy traffic could also aid malicious threat actors in discovering \nonline machines, because the service also all...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Computer Browser \n\nNote: The audit condition in this test checks that the Start value under HKLM\\SYSTEM\\CurrentControlSet\\Services\\Browser equals 4 (Disabled). If the service is not installed, that key does not exist and the condition does not match, so a host that meets the recommendation by not having the service installed will be reported as non-compliant; an absent service key should be treated as compliant for this recommendation.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Browser|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "6cb5aa7640eb4430439f608ed5375844",
      "name": "5.7 \u2014 Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'",
      "description": "Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'",
      "rational": "Hosting a website from a workstation is an increased security risk, as the attack surface \nof that workstation is then greatly increased. If proper security mitigations are not \nfollowed, the chance of successful attack increases significantly. \n\nNote: This security concern applies to any web server application installed on a \nworkstation, not just IIS.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\IIS Admin Service \n\nNote: The audit condition in this test checks that the Start value under HKLM\\SYSTEM\\CurrentControlSet\\Services\\IISADMIN equals 4 (Disabled). If IIS is not installed, that key does not exist and the condition does not match, so a host that meets the recommendation by not having the service installed will be reported as non-compliant; an absent service key should be treated as compliant for this recommendation.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\IISADMIN|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "84f5b73422e3a8d823ed9e398ae2af2f",
      "name": "5.8 \u2014 Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Instal...",
      "description": "Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed'",
      "rational": "Infrared connections can potentially be a source of data compromise - especially via the \nautomatic \"file transfer application\" functionality. Enterprise-managed systems should \nutilize a more secure method of connection than infrared.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Infrared monitor service \n\nNote: The audit condition in this test checks that the Start value under HKLM\\SYSTEM\\CurrentControlSet\\Services\\irmon equals 4 (Disabled). If the service is not installed, that key does not exist and the condition does not match, so a host that meets the recommendation by not having the service installed will be reported as non-compliant; an absent service key should be treated as compliant for this recommendation.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\irmon|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "de937604019df8925f2144bfc4ac3f78",
      "name": "5.10 \u2014 Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'",
      "description": "Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'",
      "rational": "Hosting an FTP server (especially a non-secure FTP server) from a workstation is an \nincreased security risk, as the attack surface of that workstation is then greatly \nincreased. \n\nNote: This security concern applies to any FTP server application installed on a \nworkstation, not just IIS.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Microsoft FTP Service \n\nNote: The audit condition in this test checks that the Start value under HKLM\\SYSTEM\\CurrentControlSet\\Services\\FTPSVC equals 4 (Disabled). If the FTP service is not installed, that key does not exist and the condition does not match, so a host that meets the recommendation by not having the service installed will be reported as non-compliant; an absent service key should be treated as compliant for this recommendation.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\FTPSVC|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f164a70118462ddf1e2644734be3515a",
      "name": "5.12 \u2014 Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'",
      "description": "Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'",
      "rational": "Hosting an SSH server from a workstation is an increased security risk, as the attack \nsurface of that workstation is then greatly increased. \n\nNote: This security concern applies to any SSH server application installed on a \nworkstation, not just the one supplied with Windows.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\OpenSSH SSH Server \n\nNote: The audit condition in this test checks that the Start value under HKLM\\SYSTEM\\CurrentControlSet\\Services\\sshd equals 4 (Disabled). If the OpenSSH Server optional feature is not installed, that key does not exist and the condition does not match, so a host that meets the recommendation by not having the service installed will be reported as non-compliant; an absent service key should be treated as compliant for this recommendation.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\sshd|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f0a87f1d4fa2767eae1a3556148fae8e",
      "name": "5.23 \u2014 Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'",
      "description": "Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled'",
      "rational": "This is a legacy service that has no value or purpose other than application compatibility \nfor very old software. It should be disabled unless there is a specific old application still \nin use on the system that requires it.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Remote Procedure Call (RPC) Locator",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\RpcLocator|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "bf4f847492a9d3707144fae4affa27b1",
      "name": "5.25 \u2014 Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'",
      "description": "Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled'",
      "rational": "This service's main purpose is to provide Windows router functionality - this is not an \nappropriate use of workstations in an enterprise managed environment.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Routing and Remote Access",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\RemoteAccess|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "1dd988212de4ad67129cced9486b253e",
      "name": "5.27 \u2014 Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Instal...",
      "description": "Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'",
      "rational": "The Simple TCP/IP Services have very little purpose in a modern enterprise \nenvironment - allowing them might increase exposure and risk for attack.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Simple TCP/IP Services",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\simptcp|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "4d98ac05fd4c705580963abf6bdd2604",
      "name": "5.29 \u2014 Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' ...",
      "description": "Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed'",
      "rational": "Allowing the use of a remotely accessible command prompt that provides the ability to \nperform remote management tasks on a computer is a security risk.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Special Administration Console Helper",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\sacsvr|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "39aaea2c747661eb10e7a91a07d9d7b2",
      "name": "5.30 \u2014 Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'",
      "description": "Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'",
      "rational": "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and \nattachment to network devices. Note that UPnP is different than regular Plug n Play \n(PnP). Workstations should not be advertising their services (or automatically \ndiscovering and connecting to networked services) in a security-conscious enterprise \nmanaged environment.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\SSDP Discovery",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SSDPSRV|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c552b6f3d47f7f4d9730850e486e68df",
      "name": "5.31 \u2014 Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'",
      "description": "Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'",
      "rational": "Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and \nattachment to network devices. Note that UPnP is different than regular Plug n Play \n(PnP). Workstations should not be advertising their services (or automatically \ndiscovering and connecting to networked services) in a security-conscious enterprise \nmanaged environment.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\UPnP Device Host",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\upnphost|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "27d6b54252cc50ffbf34d0c32f63dc9e",
      "name": "5.32 \u2014 Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'",
      "description": "Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'",
      "rational": "Remote web administration of IIS on a workstation is an increased security risk, as the \nattack surface of that workstation is then greatly increased. If proper security mitigations \nare not followed, the chance of successful attack increases significantly.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Web Management Service",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WMSvc|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "b238fd2f7db83aca7a76d6f1660b5ac5",
      "name": "5.35 \u2014 Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set ...",
      "description": "Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'",
      "rational": "Network sharing of media from Media Player has no place in an enterprise managed \nenvironment.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Windows Media Player Network Sharing Service",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WMPNetworkSvc|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "098e39082f9b4909a69455e4487137ae",
      "name": "5.36 \u2014 Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'",
      "description": "Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled'",
      "rational": "The capability to run a mobile hotspot from a domain-connected computer could easily \nexpose the internal network to wardrivers or other hackers.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Windows Mobile Hotspot Service",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\icssvc|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "ddb94e495cb1804f04f4637fa7b9d46e",
      "name": "5.40 \u2014 Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'N...",
      "description": "Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'",
      "rational": "Hosting a website from a workstation is an increased security risk, as the attack surface \nof that workstation is then greatly increased. If proper security mitigations are not \nfollowed, the chance of successful attack increases significantly. \n\nNote: This security concern applies to any web server application installed on a \nworkstation, not just IIS.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled or ensure the service is not installed. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\World Wide Web Publishing Service",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\W3SVC|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "3bb0bb7079764e37f24622753510da09",
      "name": "5.41 \u2014 Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'",
      "description": "Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'",
      "rational": "Xbox Live is a gaming service and has no place in an enterprise managed environment \n(perhaps unless it is a gaming company).",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Xbox Accessory Management Service",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\XboxGipSvc|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "e66c7c7a521f534b6092683ed19d76cf",
      "name": "5.42 \u2014 Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'",
      "description": "Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled'",
      "rational": "Xbox Live is a gaming service and has no place in an enterprise managed environment \n(perhaps unless it is a gaming company).",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Xbox Live Auth Manager",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\XblAuthManager|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "438a1e3fc91f181ec8c2175cecdd3c40",
      "name": "5.43 \u2014 Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'",
      "description": "Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled'",
      "rational": "Xbox Live is a gaming service and has no place in an enterprise managed environment \n(perhaps unless it is a gaming company).",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Xbox Live Game Save",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\XblGameSave|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "6b447a2921f2b0cee01b87d491cde121",
      "name": "5.44 \u2014 Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'",
      "description": "Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'",
      "rational": "Xbox Live is a gaming service and has no place in an enterprise managed environment \n(perhaps unless it is a gaming company).",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to: \nDisabled. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\System \nServices\\Xbox Live Networking Service",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\XboxNetApiSvc|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "df20be7ae81f7e6a3fbb2140b34b988f",
      "name": "9.1.1 \u2014 Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'",
      "description": "Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)'",
      "rational": "If the firewall is turned off all traffic will be able to access the system, and a threat actor \nmay be able to remotely exploit a weakness in a network service.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to On \n(recommended): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Domain \nProfile\\Firewall state",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile|EnableFirewall",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "fd83e783fb70b3f3deede07cac00290e",
      "name": "9.1.2 \u2014 Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (defa...",
      "description": "Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)'",
      "rational": "If the firewall allows all traffic to access the system, then a threat actor may be able to \nremotely exploit a weakness in a network service.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Block \n(default): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Domain Profile\\Inbound \nconnections",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile|DefaultInbound",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "7e690a4b1c4cf5860cdfe9cc959e6afc",
      "name": "9.1.3 \u2014 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to...",
      "description": "Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'",
      "rational": "Firewall notifications can be complex and may confuse the end users, who would not be \nable to address the alert.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to No: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Domain \nProfile\\Settings Customize\\Display a notification",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile|DisableNotific",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "62b9da73763abae4df00629116218a69",
      "name": "9.1.4 \u2014 Ensure 'Windows Firewall: Domain: Logging: Name' is configured",
      "description": "Ensure 'Windows Firewall: Domain: Logging: Name' is configured",
      "rational": "If Windows Firewall events are not recorded it may be difficult or impossible for \nAdministrators to analyze system issues or unauthorized activities of threat actors. \n\nMicrosoft stores all firewall events as one file on the system (pfirewall.log). To \nimprove logging, separate each firewall profile (domain, private, public) into its own \ndistinct log file (domainfw.log, privatefw.log, publicf...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n<path>\\<file name>.log: \n\nWhere <path> is the location and <file name> is the log name specified by the organization. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Domain Profile\\Logging \nCustomize\\Name",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\Logging|LogFil",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "<"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "e2c73cb98e00f8803c10ba326d3d7131",
      "name": "9.1.5 \u2014 Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384...",
      "description": "Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of threat actors.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to 16,384 \nKB or greater: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Domain Profile\\Logging \nCustomize\\Size limit (KB)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\Logging|LogFil",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "bdb260a8512389ca4ec7044ea869a40d",
      "name": "9.1.6 \u2014 Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'",
      "description": "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of threat actors.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Yes: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Domain Profile\\Logging \nCustomize\\Log dropped packets",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\Logging|LogDro",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "fbc52b15f7204fc8184235d4b064113f",
      "name": "9.1.7 \u2014 Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set...",
      "description": "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of threat actors.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Yes: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Domain Profile\\Logging \nCustomize\\Log successful connections",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\DomainProfile\\Logging|LogSuc",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "b330d7308dbf10c0c2001ef421e38982",
      "name": "9.2.1 \u2014 Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'",
      "description": "Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)'",
      "rational": "If the firewall is turned off all traffic will be able to access the system, and a threat actor \nmay be more easily able to remotely exploit a weakness in a network service.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to On \n(recommended): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Private \nProfile\\Firewall state",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile|EnableFirewal",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "d47c5797b2cd3bfdc91a2fc89d6cb72a",
      "name": "9.2.2 \u2014 Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (def...",
      "description": "Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)'",
      "rational": "If the firewall allows all traffic to access the system, then a threat actor may be able to \nremotely exploit a weakness in a network service.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Block \n(default): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Private \nProfile\\Inbound connections",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile|DefaultInboun",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "2009511c231dd7416d879153a5e9c5e1",
      "name": "9.2.3 \u2014 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set t...",
      "description": "Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'",
      "rational": "Firewall notifications can be complex and may confuse the end users, who would not be \nable to address the alert.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to No: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Private \nProfile\\Settings Customize\\Display a notification",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile|DisableNotifi",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "8f30cd40fa0a8d8eab456e4f837c2036",
      "name": "9.2.4 \u2014 Ensure 'Windows Firewall: Private: Logging: Name' is configured",
      "description": "Ensure 'Windows Firewall: Private: Logging: Name' is configured",
      "rational": "If Windows Firewall events are not recorded it may be difficult or impossible for \nAdministrators to analyze system issues or unauthorized activities of threat actors. \n\nMicrosoft stores all firewall events as one file on the system (pfirewall.log). To \nimprove logging, separate each firewall profile (domain, private, public) into its own \ndistinct log file (domainfw.log, privatefw.log, publicf...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n<path>\\<file name>.log: \n\nWhere <path> is the location and <file> is the log name specified by the organization. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Private \nProfile\\Logging Customize\\Name",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile\\Logging|LogFi",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "<"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "2e0681b48b9277aec287b570a10e2952",
      "name": "9.2.5 \u2014 Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,38...",
      "description": "Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of threat actors.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to 16,384 \nKB or greater: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Private \nProfile\\Logging Customize\\Size limit (KB)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile\\Logging|LogFi",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "38ef709bf2abccd7ac76d4b36937850f",
      "name": "9.2.6 \u2014 Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'",
      "description": "Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of threat actors.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Yes: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Private \nProfile\\Logging Customize\\Log dropped packets",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile\\Logging|LogDr",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a3e6b8920555ae0f15ccbbb2f03f5c27",
      "name": "9.2.7 \u2014 Ensure 'Windows Firewall: Private: Logging: Log successful connections' is se...",
      "description": "Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of threat actors.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Yes: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Private \nProfile\\Logging Customize\\Log successful connections",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PrivateProfile\\Logging|LogSu",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "af7c910b0e0dd47517741ac6c642c6cb",
      "name": "9.3.1 \u2014 Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'",
      "description": "Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)'",
      "rational": "If the firewall is turned off all traffic will be able to access the system, and a threat actor \nmay be able to remotely exploit a weakness in a network service.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to On \n(recommended): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Public \nProfile\\Firewall state",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile|EnableFirewall",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "57d53b073094d418a2f19b34e7450e66",
      "name": "9.3.2 \u2014 Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (defa...",
      "description": "Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)'",
      "rational": "If the firewall allows all traffic to access the system, then a threat actor may be more \neasily able to remotely exploit a weakness in a network service.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Block \n(default): \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Public Profile\\Inbound \nconnections",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile|DefaultInbound",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "091559619ef2c5e5e175b75c878f7f45",
      "name": "9.3.3 \u2014 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to...",
      "description": "Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'",
      "rational": "Some organizations may prefer to avoid alarming users when firewall rules block certain \ntypes of network activity. However, notifications can be helpful when troubleshooting \nnetwork issues involving the firewall.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to No: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Public \nProfile\\Settings Customize\\Display a notification",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile|DisableNotific",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "ec778782e0c970aebd97f2cc07c69f3e",
      "name": "9.3.4 \u2014 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is se...",
      "description": "Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'",
      "rational": "When in the Public profile, there should be no special local firewall exceptions per \ncomputer. These settings should be managed by a centralized policy.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to No: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Public \nProfile\\Settings Customize\\Apply local firewall rules",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile|AllowLocalPoli",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "6c85c3baa3ee37b511da230c77fca6a4",
      "name": "9.3.5 \u2014 Ensure 'Windows Firewall: Public: Settings: Apply local connection security r...",
      "description": "Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'",
      "rational": "Users with administrative privileges might create firewall rules that expose the system to \nremote attack.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to No: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Public \nProfile\\Settings Customize\\Apply local connection security rules",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile|AllowLocalIPse",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a6b9e3564a3d115e4958a23efbb8b73f",
      "name": "9.3.6 \u2014 Ensure 'Windows Firewall: Public: Logging: Name' is configured",
      "description": "Ensure 'Windows Firewall: Public: Logging: Name' is configured",
      "rational": "If Windows Firewall events are not recorded it may be difficult or impossible for \nAdministrators to analyze system issues or unauthorized activities of threat actors. \n\nMicrosoft stores all firewall events as one file on the system (pfirewall.log). To \nimprove logging, separate each firewall profile (domain, private, public) into its own \ndistinct log file (domainfw.log, privatefw.log, publicf...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \n<path>\\<file name>.log: \n\nWhere <path> is the location and <file> is the log name specified by the organization. \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Public Profile\\Logging \nCustomize\\Name",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile\\Logging|LogFil",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "<"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a058b6b7e501cb3ae62e7855cb222c57",
      "name": "9.3.7 \u2014 Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384...",
      "description": "Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of threat actors.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to 16,384 \nKB or greater: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Public Profile\\Logging \nCustomize\\Size limit (KB)",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile\\Logging|LogFil",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "8419e8e00a28aac59b0af7b9bf1a42ab",
      "name": "9.3.8 \u2014 Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'",
      "description": "Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of threat actors.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Yes: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Public Profile\\Logging \nCustomize\\Log dropped packets",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile\\Logging|LogDro",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "019fb1821b3952a059ca4abf1766cf50",
      "name": "9.3.9 \u2014 Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set...",
      "description": "Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of threat actors.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Yes: \n\nComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Windows \nDefender Firewall with Advanced Security\\Windows Defender Firewall with \nAdvanced Security\\Windows Defender Firewall Properties\\Public Profile\\Logging \nCustomize\\Log successful connections",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\PublicProfile\\Logging|LogSuc",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "cc09f82d0e85ef285e1681ef29e474b7",
      "name": "18.1.1.1 \u2014 Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'",
      "description": "Ensure 'Prevent enabling lock screen camera' is set to 'Enabled'",
      "rational": "Disabling the lock screen camera extends the protection afforded by the lock screen to \ncamera features.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Control \nPanel\\Personalization\\Prevent enabling lock screen camera \n\nNote: This Group Policy path is provided by the Group Policy template \nControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & \nServer 2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization|NoLockScreenCamera",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "5e53873ca8b73ed9dc13664638058a32",
      "name": "18.1.1.2 \u2014 Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'",
      "description": "Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled'",
      "rational": "Disabling the lock screen slide show extends the protection afforded by the lock screen \nto slide show contents.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Control \nPanel\\Personalization\\Prevent enabling lock screen slide show \n\nNote: This Group Policy path is provided by the Group Policy template \nControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & \nServer 2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization|NoLockScreenSlidesho",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f7c9989691109f902cafbfaa49174295",
      "name": "18.1.2.2 \u2014 Ensure 'Allow users to enable online speech recognition services' is set to '...",
      "description": "Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled'",
      "rational": "If this setting is Enabled, sensitive information could be stored in the cloud or sent to \nMicrosoft.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Control \nPanel\\Regional and Language Options\\Allow users to enable online speech \nrecognition services \n\nNote: This Group Policy path is provided by the Group Policy template \nGlobalization.admx/adml that is included with the Microsoft Windows 10 RTM \n(Release 1507) Administrative Templates (or newer). \n\nNote #2: In older Microsoft Windows Admin...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\InputPersonalization|AllowInputPersonalizati",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "53d3be1ea7e3f06f3485f6bad00ec56f",
      "name": "18.4.1 \u2014 Ensure 'Apply UAC restrictions to local accounts on network logons' is set to...",
      "description": "Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled'",
      "rational": "Local accounts are at high risk for credential theft when the same account and \npassword is configured on multiple systems. Ensuring this policy is Enabled significantly \nreduces that risk.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MS Security \nGuide\\Apply UAC restrictions to local accounts on network logons \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (SecGuide.admx/adml) is required - it is available from Microsoft at this link.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|LocalAccountTo",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "98248f4a756b28684241aa58ea4ff50e",
      "name": "18.4.2 \u2014 Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (r...",
      "description": "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'",
      "rational": "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and \nno longer used on modern networks, as it is a 30-year-old design that is much more \nvulnerable to attacks than much newer designs such as SMBv2 and SMBv3. \n\nMore information on this can be found at the following links: \n\nStop using SMB1 | Storage at Microsoft \n\nDisable SMB v1 in Managed Environments with Group P...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Disable driver (recommended): \n\nComputer Configuration\\Policies\\Administrative Templates\\MS Security \nGuide\\Configure SMB v1 client driver \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (SecGuide.admx/adml) is required - it is available from Microsoft at this link.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\mrxsmb10|Start",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "ae3777fdff20a4a3888eec5414cd16c9",
      "name": "18.4.3 \u2014 Ensure 'Configure SMB v1 server' is set to 'Disabled'",
      "description": "Ensure 'Configure SMB v1 server' is set to 'Disabled'",
      "rational": "Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and \nno longer used on modern networks, as it is a 30-year-old design that is much more \nvulnerable to attacks than much newer designs such as SMBv2 and SMBv3. \n\nMore information on this can be found at the following links: \n\nStop using SMB1 | Storage at Microsoft \n\nDisable SMB v1 in Managed Environments with Group P...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MS Security \nGuide\\Configure SMB v1 server \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (SecGuide.admx/adml) is required - it is available from Microsoft at this link.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters|SMB1",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "d64b5a989ce9d43aad4ff90550f71485",
      "name": "18.4.4 \u2014 Ensure 'Enable Certificate Padding' is set to 'Enabled'",
      "description": "Ensure 'Enable Certificate Padding' is set to 'Enabled'",
      "rational": "A remote code execution vulnerability exists in the way that the WinVerifyTrust function \nhandles Windows Authenticode signature verification for portable executable (PE) files. \nFor more information on this vulnerability, visit CVE-2013-3900 - Security Update Guide \n- Microsoft - WinVerifyTrust Signature Validation Vulnerability.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MS Security \nGuide\\Enable Certificate Padding \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (SecGuide.admx/adml) is required - it is available from Microsoft at this link.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\Wintrust\\Config|EnableCertPaddingCheck",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "ae9d514fdfbe64ac4312448788cf1fda",
      "name": "18.4.5 \u2014 Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is...",
      "description": "Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled'",
      "rational": "This feature is designed to block exploits that use the Structured Exception Handler \n(SEH) overwrite technique. This protection mechanism is provided at run-time. \nTherefore, it helps protect applications regardless of whether they have been compiled \nwith the latest improvements, such as the /SAFESEH option.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MS Security \nGuide\\Enable Structured Exception Handling Overwrite Protection (SEHOP) \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (SecGuide.admx/adml) is required - it is available from Microsoft at this link. \n\nMore information is available at MSKB 956607: How to enable Structured Exception \nHand...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\kernel|DisableExceptionChainValidation",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "d83a2706d04e6fa8fae236de0b8193b6",
      "name": "18.4.6 \u2014 Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'",
      "description": "Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'",
      "rational": "In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, \nsetting the node type to P-node (point-to-point) will prevent the system from sending out \nNetBIOS broadcasts. \n\nNote: A P-node resolves NetBIOS names only through a configured WINS server, so on networks without WINS this effectively disables NetBIOS name resolution altogether (the intended hardening outcome). Confirm that nothing still depends on broadcast NetBIOS name resolution before deploying.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: P-node (recommended): \n\nComputer Configuration\\Policies\\Administrative Templates\\MS Security \nGuide\\NetBT NodeType configuration \n\nNote: This change does not take effect until the computer has been restarted. \n\nNote #2: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (SecGuide.admx/adml) is required - it is available from Microsoft at this link. \nPlease note that th...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters|NodeType",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "79701ac20cde630b1643ee887cb0c776",
      "name": "18.4.7 \u2014 Ensure 'WDigest Authentication' is set to 'Disabled'",
      "description": "Ensure 'WDigest Authentication' is set to 'Disabled'",
      "rational": "Preventing the plaintext storage of credentials in memory may reduce opportunity for \ncredential theft. With UseLogonCredential set to 1, the WDigest security provider keeps a plaintext-recoverable copy of the logon credential in LSASS memory, where credential-dumping tools can read it; setting it to 0 stops that storage. Because 0 is the default on supported Windows releases (KB2871997 provides it for older ones), a host reporting 1 should be investigated as possible tampering, not only as a misconfiguration.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MS Security \nGuide\\WDigest Authentication (disabling may require KB2871997) \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (SecGuide.admx/adml) is required - it is available from Microsoft at this link.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest|UseLogonCredential",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "83c6f5f2bf1161f279c6a470e5b73a59",
      "name": "18.5.1 \u2014 Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'",
      "description": "Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon' is set to 'Disabled'",
      "rational": "If you configure a computer for automatic logon, anyone who can physically gain access \nto the computer can also gain access to everything that is on the computer, including \nany network or networks that the computer is connected to. Also, if you enable \nautomatic logon, the password is stored in the registry in plaintext. The specific registry \nkey that stores this setting is remotely readable by the Authenticated Users group. \n\nNote: Setting AutoAdminLogon to 0 stops the automatic logon but does not remove a DefaultPassword value that may already be stored in plaintext under the same Winlogon key; delete that value as well.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: \n(AutoAdminLogon) Enable Automatic Logon \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (MSS-legacy.admx/adml) is required - it is available from this TechNet blog \npost: The MSS settings \u2013 Microsoft Security Guidance blog",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon|AutoAdminLogon",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c3164e1217f82b6ad6b5edeb5584277a",
      "name": "18.5.2 \u2014 Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level...",
      "description": "Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'",
      "rational": "A threat actor could use source routed packets to obscure their identity and location. \nSource routing allows a computer that sends a packet to specify the route that the \npacket takes.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Highest protection, source routing is completely disabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: \n(DisableIPSourceRouting IPv6) IP source routing protection level \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (MSS-legacy.admx/adml) is required - it is available from this TechNet blog \npost: The MSS settings \u2013 Microsof...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters|DisableIPSourceRouting",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "811fa87cfee883c5c489158459312e40",
      "name": "18.5.3 \u2014 Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is ...",
      "description": "Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level' is set to 'Enabled: Highest protection, source routing is completely disabled'",
      "rational": "A threat actor could use source routed packets to obscure their identity and location. \nSource routing allows a computer that sends a packet to specify the route that the \npacket takes.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Highest protection, source routing is completely disabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: \n(DisableIPSourceRouting) IP source routing protection level \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (MSS-legacy.admx/adml) is required - it is available from this TechNet blog \npost: The MSS settings \u2013 Microsoft Sec...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters|DisableIPSourceRouting",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c5d564c22b961c4b3bc70dcc46ebbffd",
      "name": "18.5.5 \u2014 Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF gener...",
      "description": "Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled'",
      "rational": "When ICMP redirects are honoured, a redirect-plumbed route persists for a 10 minute time-out period, \nduring which traffic for the affected destination is no longer routed properly for the host; a spoofed \nredirect from the local network segment is enough to trigger this. Ignoring such ICMP redirects will \nlimit the system's exposure to attacks that will impact its ability to participate on the \nnetwork.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: \n(EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (MSS-legacy.admx/adml) is required - it is available from this TechNet blog \npost: The MSS settings \u2013 Microsoft Security Guidance blog",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters|EnableICMPRedirect",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "0ff25a6a83eec2c64db9299a7c4e6b2d",
      "name": "18.5.7 \u2014 Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS nam...",
      "description": "Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers' is set to 'Enabled'",
      "rational": "The NetBT protocol is designed not to use authentication, and is therefore vulnerable to \nspoofing. Spoofing makes a transmission appear to come from a user other than the \nuser who performed the action. A threat actor could exploit the unauthenticated nature \nof the protocol to send a name-conflict datagram to a target computer, which would \ncause the computer to relinquish its name and not re...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: \n(NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release \nrequests except from WINS servers \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (MSS-legacy.admx/adml) is required - it is available from this TechNet blog \npost: The MSS settings \u2013 Microsoft Security Guid...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters|NoNameReleaseOnDemand",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "d86b1001bad0b8446e8aea6728dd5ae2",
      "name": "18.5.9 \u2014 Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode' is set to 'Enab...",
      "description": "Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode' is set to 'Enabled'",
      "rational": "If a user unknowingly executes hostile code that was packaged with additional files that \ninclude modified versions of system DLLs, the hostile code could load its own versions \nof those DLLs and potentially increase the type and degree of damage the code can \nrender.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: \n(SafeDllSearchMode) Enable Safe DLL search mode \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (MSS-legacy.admx/adml) is required - it is available from this TechNet blog \npost: The MSS settings \u2013 Microsoft Security Guidance blog",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager|SafeDllSearchMode",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "84c8e86e323ebe24d771cbe6edfa815b",
      "name": "18.5.12 \u2014 Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log a...",
      "description": "Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'",
      "rational": "If the Security log reaches 90 percent of its capacity and the computer has not been \nconfigured to overwrite events as needed, more recent events will not be written to the \nlog. If the log reaches its capacity and the computer has been configured to shut down \nwhen it can no longer record events to the Security log, the computer will shut down and \nwill no longer be available to provide network services. \n\nNote: The automated condition for this test compares WarningLevel for exact equality with the recommended value of 90 rather than for 'less than or equal'; a host deliberately configured to a lower (still compliant) threshold will be reported as non-compliant and should be reviewed manually.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 90% or less: \n\nComputer Configuration\\Policies\\Administrative Templates\\MSS (Legacy)\\MSS: \n(WarningLevel) Percentage threshold for the security event log at which the \nsystem will generate a warning \n\nNote: This Group Policy path does not exist by default. An additional Group Policy \ntemplate (MSS-legacy.admx/adml) is required - it is available from this TechNet blog \npost: The MSS settings \u2013 Microsoft S...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Eventlog\\Security|WarningLevel",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "90"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "8cf84a678ccc633a94478bed050a747b",
      "name": "18.6.4.1 \u2014 Ensure 'Configure multicast DNS (mDNS) protocol' is set to 'Disabled'",
      "description": "Ensure 'Configure multicast DNS (mDNS) protocol' is set to 'Disabled'",
      "rational": "A threat actor can listen on a network for multicast DNS queries over UDP port 5353 and respond to them, tricking \nthe host into thinking that it knows the location of the requested system.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\DNS \nClient\\Configure multicast DNS (mDNS) protocol \n\nNote: This Group Policy path is provided by the Group Policy template \nDnsClient.admx/adml that is included with the Microsoft Windows 11 Release 24H2 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient|EnableMDNS",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "8841174b27c24db178e03b7c4f742d32",
      "name": "18.6.4.2 \u2014 Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name ...",
      "description": "Ensure 'Configure NetBIOS settings' is set to 'Enabled: Disable NetBIOS name resolution on public networks'",
      "rational": "NetBIOS does not perform authentication and can allow remote threat actors to cause a \ndenial-of-service by sending spoofed Name Conflicts or Name Release datagrams. This \nis also known as \"NetBIOS Name Server Protocol Spoofing\". Preventing the use of \nNetBIOS on public networks reduces the attack surface.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Disable NetBIOS name resolution on public networks: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\DNS \nClient\\Configure NetBIOS settings \n\nNote: This Group Policy path is provided by the Group Policy template \nDnsClient.admx/adml that is included with the Microsoft Windows 11 Release 22H2 \nAdministrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient|EnableNetbios",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "ed3289f4740d02c6129affa9133d9ea0",
      "name": "18.6.4.4 \u2014 Ensure 'Turn off multicast name resolution' is set to 'Enabled'",
      "description": "Ensure 'Turn off multicast name resolution' is set to 'Enabled'",
      "rational": "A threat actor can listen on a network for these LLMNR (UDP/5355) or NBT-NS \n(UDP/137) broadcasts and respond to them, tricking the host into thinking that it knows \nthe location of the requested system. \n\nNote: To completely mitigate local name resolution poisoning, in addition to this setting, \nthe properties of each installed NIC should also be set to Disable NetBIOS over \nTCP/IP (on the WI...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\DNS \nClient\\Turn off multicast name resolution \n\nNote: This Group Policy path is provided by the Group Policy template \nDnsClient.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 \n(non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\DNSClient|EnableMulticast",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a46b68847d695ccaf100d27f8b6279ca",
      "name": "18.6.7.1 \u2014 Ensure 'Audit client does not support encryption' is set to 'Enabled'",
      "description": "Ensure 'Audit client does not support encryption' is set to 'Enabled'",
      "rational": "Organizations should be aware of all unencrypted SMB traffic in their environment. \nOlder SMB protocols that do not use encryption can make an environment susceptible \nto many types of attacks, including SMB interception attacks. \n\nNote: This is an audit-only control: it records an event when a client that does not support encryption connects, but it does not reject the connection. Use the resulting events to identify such clients before enforcing encryption.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Lanman \nServer\\Audit client does not support encryption \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LanmanServer.admx/adml that is included with the Microsoft Windows 11 \nRelease 24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanServer|AuditClientDoesNotSupportEncryption",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "aaa2392f7cb2705dc03c4f1c477a9623",
      "name": "18.6.7.2 \u2014 Ensure 'Audit client does not support signing' is set to 'Enabled'",
      "description": "Ensure 'Audit client does not support signing' is set to 'Enabled'",
      "rational": "Organizations should be aware of all unsigned SMB traffic in their environment. Older \nSMB protocols that do not use signing can make an environment susceptible to many \ntypes of attacks, including SMB interception attacks. \n\nNote: This is an audit-only control: it records an event when a client that does not support signing connects, but it does not reject the connection. Use the resulting events to identify such clients before enforcing signing.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Lanman \nServer\\Audit client does not support signing \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LanmanServer.admx/adml that is included with the Microsoft Windows 11 \nRelease 24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanServer|AuditClientDoesNotSupportSigning",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "d1795f0b06626fe5388471827249356f",
      "name": "18.6.7.3 \u2014 Ensure 'Audit insecure guest logon' is set to 'Enabled'",
      "description": "Ensure 'Audit insecure guest logon' is set to 'Enabled'",
      "rational": "Insecure guest logons can be used by file servers to allow unauthenticated access to \nshared folders. \n\nNote: This is an audit-only control: it logs insecure guest logons to this server without blocking them, so it complements rather than replaces disabling guest access.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Lanman \nServer\\Audit insecure guest logon \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LanmanServer.admx/adml that is included with the Microsoft Windows 11 \nRelease 24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanServer|AuditInsecureGuestLogon",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f6be14970a9a4e23eea9d67dd148888d",
      "name": "18.6.7.4 \u2014 Ensure 'Enable authentication rate limiter' is set to 'Enabled'",
      "description": "Ensure 'Enable authentication rate limiter' is set to 'Enabled'",
      "rational": "Authentication rate limiter considerably reduces the risk of brute force attacks by \nimplementing a 2-second delay (default) between each failed NTLM or PKU2U-based \nauthentication attempt. \n\nAccording to Microsoft, if a threat actor sends 300 brute force attempts per second from \na client for 5 minutes which equals 90,000 passwords, the same number of attempts \nwould now take 50 hours or more.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Lanman \nServer\\Enable authentication rate limiter \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LanmanServer.admx/adml that is included with the Microsoft Windows 11 \nRelease 24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanServer|EnableAuthRateLimiter",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "23027604a47d738d7ef74ede8c479426",
      "name": "18.6.7.5 \u2014 Ensure 'Enable remote mailslots' is set to 'Disabled'",
      "description": "Ensure 'Enable remote mailslots' is set to 'Disabled'",
      "rational": "Remote mailslot messaging is a legacy protocol that relies on SMBv1 to function. This protocol is \nlinked to known vulnerabilities, such as denial-of-service, buffer overflow, and remote \ncode execution attacks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Lanman \nServer\\Enable remote mailslots \n\nNote: A reboot is required after the setting is applied. \n\nNote #2: This Group Policy path may not exist by default. It is provided by the Group \nPolicy template LanmanServer.admx/adml that is included with the Microsoft Windows \n11 Release 24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Bowser|EnableMailslots",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "880c28585e313f9fd99c9f52f9f6697d",
      "name": "18.6.7.6 \u2014 Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1'",
      "description": "Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1'",
      "rational": "The newer, more modern version of SMB (v3) is supported and available on all currently \nsupported Microsoft Windows OSes. SMBv1 is no longer enabled by default due to its \nsecurity risks, and although SMBv2 is more robust than v1, it does not support \nencryption like its successor.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 3.1.1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Lanman \nServer\\Mandate the minimum version of SMB \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LanmanServer.admx/adml that is included with the Microsoft Windows 11 \nRelease 24H2 Administrative Templates (or newer). \n\nNote #2: The policy stores the SMB 3.1.1 dialect as MinSmb2Dialect = 0x311 (785 decimal). Once mandated, clients that cannot negotiate 3.1.1 are refused, so inventory legacy SMB clients before deploying.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanServer|MinSmb2Dialect",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "785"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "714c9147aa2abce87c54c7751e44a779",
      "name": "18.6.7.7 \u2014 Ensure 'Set authentication rate limiter delay (milliseconds)' is set to 'Enab...",
      "description": "Ensure 'Set authentication rate limiter delay (milliseconds)' is set to 'Enabled: 2000' or more",
      "rational": "Authentication rate limiter considerably reduces the risk of brute force attacks by \nimplementing a 2-second delay (default) between each failed NTLM or PKU2U-based \nauthentication attempt. \n\nAccording to Microsoft, if a threat actor sends 300 brute force attempts per second from \na client for 5 minutes which equals 90,000 passwords, the same number of attempts \nwould now take 50 hours or more.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 2000 or more: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Lanman \nServer\\Set authentication rate limiter delay (milliseconds) \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LanmanServer.admx/adml that is included with the Microsoft Windows 11 \nRelease 24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanServer|InvalidAuthenticationDelayTimeInMs",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2000"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "1ceadf906588d654c39fc30eb2b1f2b0",
      "name": "18.6.8.1 \u2014 Ensure 'Audit insecure guest logon' is set to 'Enabled'",
      "description": "Ensure 'Audit insecure guest logon' is set to 'Enabled'",
      "rational": "Insecure guest logons can be used by file servers to allow unauthenticated access to \nshared folders.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Lanman \nWorkstation\\Audit insecure guest logon \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LanmanWorkstation.admx/adml that is included with the Microsoft Windows \n11 Release 24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation|AuditInsecureGuestLogon",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c15c51754311539e497f91371e1d9632",
      "name": "18.6.8.2 \u2014 Ensure 'Audit server does not support encryption' is set to 'Enabled'",
      "description": "Ensure 'Audit server does not support encryption' is set to 'Enabled'",
      "rational": "Organizations should be aware of all unencrypted SMB traffic in their environment. \nOlder SMB protocols that do not use encryption can make an environment susceptible \nto many types of attacks, including SMB interception attacks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Lanman \nWorkstation\\Audit server does not support encryption \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LanmanWorkstation.admx/adml that is included with the Microsoft Windows \n11 Release 24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation|AuditServerDoesNotSupportEncryption",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f22860d50b537c0e08dcd1ef13ae0ad0",
      "name": "18.6.8.3 \u2014 Ensure 'Audit server does not support signing' is set to 'Enabled'",
      "description": "Ensure 'Audit server does not support signing' is set to 'Enabled'",
      "rational": "Organizations should be aware of all unsigned SMB traffic in their environment. Older \nSMB protocols that do not use signing can make an environment susceptible to many \ntypes of attacks, including SMB interception attacks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Lanman \nWorkstation\\Audit server does not support signing \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LanmanWorkstation.admx/adml that is included with the Microsoft Windows \n11 Release 24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation|AuditServerDoesNotSupportSigning",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "7f04028b005cd18cfa77dc5ecdb1ed2a",
      "name": "18.6.8.4 \u2014 Ensure 'Enable insecure guest logons' is set to 'Disabled'",
      "description": "Ensure 'Enable insecure guest logons' is set to 'Disabled'",
      "rational": "Insecure guest logons are used by file servers to allow unauthenticated access to \nshared folders.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Lanman \nWorkstation\\Enable insecure guest logons \n\nNote: This Group Policy path is provided by the Group Policy template \nLanmanWorkstation.admx/adml that is included with the Microsoft Windows 10 \nRelease 1511 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation|AllowInsecureGuestAuth",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "469b0cd4484e0bf4833340bbe0183742",
      "name": "18.6.8.5 \u2014 Ensure 'Enable remote mailslots' is set to 'Disabled'",
      "description": "Ensure 'Enable remote mailslots' is set to 'Disabled'",
      "rational": "Remote mailslots is a legacy protocol that uses SMBv1 to function. This protocol is \nlinked to known vulnerabilities, such as denial-of-service, buffer overflow, and remote \ncode execution attacks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Lanman \nWorkstation\\Enable remote mailslots \n\nNote: A reboot is required after the setting is applied. \n\nNote #2: This Group Policy path may not exist by default. It is provided by the Group \nPolicy template LanmanWorkstation.admx/adml that is included with the Microsoft \nWindows 11 Release 24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkProvider|EnableMailslots",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a1eedc915a27a51f3652e48453d6bee5",
      "name": "18.6.8.6 \u2014 Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1'",
      "description": "Ensure 'Mandate the minimum version of SMB' is set to 'Enabled: 3.1.1'",
      "rational": "The newer, more modern version of SMB (v3) is supported and available on all currently \nsupported Microsoft Windows OSes. SMBv1 is no longer enabled by default due to its \nsecurity risks, and although SMBv2 is more robust than v1, it does not support \nencryption like its successor.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 3.1.1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Lanman \nWorkstation\\Mandate the minimum version of SMB \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LanmanWorkstation.admx/adml that is included with the Microsoft Windows \n11 Release 24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation|MinSmb2Dialect",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "785"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "83c748ca20453d04b28a950b9a690127",
      "name": "18.6.8.7 \u2014 Ensure 'Require Encryption' is set to 'Enabled'",
      "description": "Ensure 'Require Encryption' is set to 'Enabled'",
      "rational": "The newer, more modern version of SMB (v3) is supported and available on all currently \nsupported Microsoft Windows OSes. SMBv1 is no longer enabled by default due to its \nsecurity risks, and although SMBv2 is more robust than v1, it does not support \nencryption like its successor.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Lanman \nWorkstation\\Require Encryption \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LanmanWorkstation.admx/adml that is included with the Microsoft Windows \n11 Release 24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\LanmanWorkstation|RequireEncryption",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "9422c3db5754b15213d32c355d152400",
      "name": "18.6.11.2 \u2014 Ensure 'Prohibit installation and configuration of Network Bridge on your DNS...",
      "description": "Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enabled'",
      "rational": "The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access \nControl (MAC) bridge, enabling them to connect two or more physical network \nsegments together. A Network Bridge thus allows a computer that has connections to \ntwo different networks to share data between those networks. \n\nIn an enterprise managed environment, where there is a need to control network traffic...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Network \nConnections\\Prohibit installation and configuration of Network Bridge on your \nDNS domain network \n\nNote: This Group Policy path is provided by the Group Policy template \nNetworkConnections.admx/adml that is included with all versions of the Microsoft \nWindows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Network Connections|NC_AllowNetBridge_NLA",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "0d9655e63a6e0f7880cb08675b2fc6dc",
      "name": "18.6.11.3 \u2014 Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain networ...",
      "description": "Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled'",
      "rational": "Non-administrators should not be able to turn on the Mobile Hotspot feature and open \ntheir Internet connectivity up to nearby mobile devices.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Network \nConnections\\Prohibit use of Internet Connection Sharing on your DNS domain \nnetwork \n\nNote: This Group Policy path is provided by the Group Policy template \nNetworkConnections.admx/adml that is included with all versions of the Microsoft \nWindows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Network Connections|NC_ShowSharedAccessUI",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "0ceb482d021516c935c896a47df42366",
      "name": "18.6.11.4 \u2014 Ensure 'Require domain users to elevate when setting a network's location' is...",
      "description": "Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled'",
      "rational": "Allowing regular users to set a network location increases the risk and attack surface.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Network \nConnections\\Require domain users to elevate when setting a network's location \n\nNote: This Group Policy path is provided by the Group Policy template \nNetworkConnections.admx/adml that is included with the Microsoft Windows 7 & \nServer 2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Network Connections|NC_StdDomainUserSetLocation",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "19dc2ac05d0feaccc14b6ac9c6177947",
      "name": "18.6.21.1 \u2014 Ensure 'Minimize the number of simultaneous connections to the Internet or a ...",
      "description": "Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet'",
      "rational": "Preventing bridged network connections can help prevent a user unknowingly allowing \ntraffic to route between internal and external networks, which risks exposure to sensitive \ninternal data.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 3 = Prevent Wi-Fi when on Ethernet: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Windows \nConnection Manager\\Minimize the number of simultaneous connections to the \nInternet or a Windows Domain \n\nNote: This Group Policy path is provided by the Group Policy template WCM.admx/adml \nthat is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative \nTemplates. It was...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WcmSvc\\GroupPolicy|fMinimizeConnections",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "3183e0f2a995b8f9a09fae3a6f266963",
      "name": "18.6.21.2 \u2014 Ensure 'Prohibit connection to non-domain networks when connected to domain a...",
      "description": "Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set to 'Enabled'",
      "rational": "The potential concern is that a user would unknowingly allow network traffic to flow \nbetween the insecure public network and the enterprise managed network.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\Windows \nConnection Manager\\Prohibit connection to non-domain networks when connected \nto domain authenticated network \n\nNote: This Group Policy path is provided by the Group Policy template WCM.admx/adml \nthat is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative \nTemplates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WcmSvc\\GroupPolicy|fBlockNonDomain",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "d2107edbaaac59e76b57dd759083e629",
      "name": "18.6.23.2.1 \u2014 Ensure 'Allow Windows to automatically connect to suggested open hotspots, to...",
      "description": "Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled'",
      "rational": "Automatically connecting to an open hotspot or network can introduce the system to a \nrogue network with malicious intent.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Network\\WLAN \nService\\WLAN Settings\\Allow Windows to automatically connect to suggested \nopen hotspots, to networks shared by contacts, and to hotspots offering paid \nservices \n\nNote: This Group Policy path is provided by the Group Policy template \nwlansvc.admx/adml that is included with the Microsoft Windows 10 Release 1511 \nAdministrative Temp...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config|AutoConnectAllowedOEM",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "0271e050a440c22b4edd8b69fdfa7825",
      "name": "18.7.1 \u2014 Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'",
      "description": "Ensure 'Allow Print Spooler to accept client connections' is set to 'Disabled'",
      "rational": "Disabling the ability for the Print Spooler service to accept client connections mitigates \nremote attacks against the PrintNightmare vulnerability (CVE-2021-34527) and other \nremote Print Spooler attacks. However, this recommendation does not mitigate against \nlocal attacks on the Print Spooler service.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Allow Print \nSpooler to accept client connections \n\nNote: This Group Policy path is provided by the Group Policy template \nprinting2.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Printers|RegisterSpoolerRemoteRpcEndPoint",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "e40bb6b70347c8194151f644e350e535",
      "name": "18.7.2 \u2014 Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard En...",
      "description": "Ensure 'Configure Redirection Guard' is set to 'Enabled: Redirection Guard Enabled'",
      "rational": "This setting prevents non-administrators from redirecting files within the print spooler \nprocess.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Redirection Guard Enabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Configure \nRedirection Guard \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with the Microsoft Windows 11 Release 22H2 \nAdministrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers|RedirectionguardPolicy",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "9b25ba45cc39f7d0ec8a283b262b2721",
      "name": "18.7.3 \u2014 Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC c...",
      "description": "Ensure 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' is set to 'Enabled: RPC over TCP'",
      "rational": "This setting prevents the use of named pipes for RPC connections to the print spooler \nand forces the use of TCP which is a more secure communication method.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: RPC over TCP: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Configure \nRPC connection settings: Protocol to use for outgoing RPC connections \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with the Microsoft Windows 11 Release 22H2 \nAdministrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\RPC|RpcUseNamedPipeProtocol",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "68bbd14d9c014d3af076589cc35795e7",
      "name": "18.7.4 \u2014 Ensure 'Configure RPC connection settings: Use authentication for outgoing RP...",
      "description": "Ensure 'Configure RPC connection settings: Use authentication for outgoing RPC connections' is set to 'Enabled: Default'",
      "rational": "This setting controls whether the print spooler authenticates its outgoing RPC \nconnections. Enforcing the 'Default' value through Group Policy keeps the spooler's \nstandard authentication behavior for outgoing connections and prevents it from being \nweakened by local configuration.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Default: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Configure \nRPC connection settings: Use authentication for outgoing RPC connections \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with the Microsoft Windows 11 Release 22H2 \nAdministrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\RPC|RpcAuthentication",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c191ab73153059601157c37ccc01c801",
      "name": "18.7.5 \u2014 Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC ...",
      "description": "Ensure 'Configure RPC listener settings: Protocols to allow for incoming RPC connections' is set to 'Enabled: RPC over TCP'",
      "rational": "This setting can prevent the use of named pipes for RPC connections to the print \nspooler and forces the use of TCP which is a more secure communication method.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: RPC over TCP: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Configure \nRPC listener settings: Configure protocol options for incoming RPC \nconnections \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with the Microsoft Windows 11 Release 22H2 \nAdministrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\RPC|RpcProtocols",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "5"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "1e34a405d2790f0acd9aa1eee93f8e18",
      "name": "18.7.6 \u2014 Ensure 'Configure RPC listener settings: Authentication protocol to use for i...",
      "description": "Ensure 'Configure RPC listener settings: Authentication protocol to use for incoming RPC connections:' is set to 'Enabled: Negotiate' or higher",
      "rational": "This setting selects the authentication protocol the print spooler's RPC listener \nrequires for incoming connections. 'Negotiate' lets the listener use Kerberos where it \nis available, and 'Kerberos' restricts it to Kerberos only; either satisfies this \nrecommendation.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Negotiate or Enabled: Kerberos: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Configure \nRPC listener settings: Configure protocol options for incoming RPC \nconnections \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with the Microsoft Windows 11 Release 22H2 \nAdministrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\RPC|ForceKerberosForRpc",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "9e50cd69a9211a91558e0c06ed7bfc61",
      "name": "18.7.7 \u2014 Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'",
      "description": "Ensure 'Configure RPC over TCP port' is set to 'Enabled: 0'",
      "rational": "Using dynamic ports for printing (a value of 0 selects a dynamically assigned port \nrather than a fixed one) makes it more difficult for a threat actor to know which \nport is being used and therefore which port to attack.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 0: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Configure \nRPC over TCP port \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with the Microsoft Windows 11 Release 22H2 \nAdministrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\RPC|RpcTcpPort",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "45ef0b38babf5ed2a25b8acb6840c391",
      "name": "18.7.8 \u2014 Ensure 'Configure RPC packet level privacy setting for incoming connections' ...",
      "description": "Ensure 'Configure RPC packet level privacy setting for incoming connections' is set to 'Enabled'",
      "rational": "A security bypass vulnerability (CVE-2021-1678 | Windows Print Spooler Spoofing \nVulnerability) exists in the way the Printer RPC binding handles authentication for the \nremote Winspool interface. Enabling the RPC packet level privacy setting for incoming \nconnections enforces the server-side to increase the authentication level to minimize \nthis vulnerability.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\MS Security \nGuide\\Configure RPC packet level privacy setting for incoming connections \n\nNote: This Group Policy path does not exist by default. It is provided by the additional \nGroup Policy template SecGuide.admx/adml from the Microsoft Security Compliance \nToolkit, which must be installed (e.g. in the Group Policy central store) before the \nsetting is visible.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print|RpcAuthnLevelPrivacyEnabled",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "350a94cdd86d22b673c8278bb53b589b",
      "name": "18.7.10 \u2014 Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'",
      "description": "Ensure 'Limits print driver installation to Administrators' is set to 'Enabled'",
      "rational": "Restricting the installation of print drivers to Administrators can help mitigate the \nPrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Limits \nprint driver installation to Administrators \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with the Microsoft Windows 10 Release 21H2 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint|RestrictDriverInstallationToAdministrators",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "d398e9238ac4b9ce9dcd576d766aa9d9",
      "name": "18.7.11 \u2014 Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit ...",
      "description": "Ensure 'Manage processing of Queue-specific files' is set to 'Enabled: Limit Queue-specific files to Color profiles'",
      "rational": "A Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-36958) \nexists when the Windows Print Spooler service improperly performs privileged file \noperations. A threat actor who successfully exploits this vulnerability could run arbitrary \ncode with SYSTEM privileges and then install programs; view, change, or delete data; \nor create new accounts with full user rights.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Limit Queue-specific files to Color profiles: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Manage \nprocessing of Queue-specific files \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with the Microsoft Windows 11 Release 22H2 \nAdministrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers|CopyFilesPolicy",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "1267272c5c42fdd9c8eb00701e102e3d",
      "name": "18.7.12 \u2014 Ensure 'Point and Print Restrictions: When installing drivers for a new conne...",
      "description": "Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'",
      "rational": "Enabling Windows User Account Control (UAC) for the installation of new print drivers \ncan help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print \nSpooler attacks. \n\nAlthough the Point and Print default driver installation behavior overrides this setting, it \nis important to configure this as a backstop in the event that behavior is reversed.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Show warning and elevation prompt: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Point and \nPrint Restrictions: When installing drivers for a new connection  \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint|NoWarningNoElevationOnInstall",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "389e534a999933ac20ab0267a1dff679",
      "name": "18.7.13 \u2014 Ensure 'Point and Print Restrictions: When updating drivers for an existing c...",
      "description": "Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'",
      "rational": "Enabling Windows User Account Control (UAC) for updating existing print drivers can \nhelp mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print \nSpooler attacks. \n\nAlthough the Point and Print default driver installation behavior overrides this setting, it \nis important to configure this as a backstop in the event that behavior is reversed.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Show warning and elevation prompt: \n\nComputer Configuration\\Policies\\Administrative Templates\\Printers\\Point and \nPrint Restrictions: When updating drivers for an existing connection  \n\nNote: This Group Policy path is provided by the Group Policy template \nPrinting.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Printers\\PointAndPrint|UpdatePromptSettings",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "765d27e7a5654cf90b1a85f4c48278d5",
      "name": "18.9.3.1 \u2014 Ensure 'Include command line in process creation events' is set to 'Enabled'",
      "description": "Ensure 'Include command line in process creation events' is set to 'Enabled'",
      "rational": "Capturing process command line information in event logs can be very valuable when \nperforming forensic investigations of attack incidents. Note that captured command lines \ncan include sensitive arguments (for example, passwords passed on the command line), so \naccess to the Security event log and any log forwarding pipeline should be restricted \naccordingly.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Audit Process \nCreation\\Include command line in process creation events \n\nNote: This Group Policy path is provided by the Group Policy template \nAuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit|ProcessCreationIncludeCmdLine_Enabled",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "ff278d613a7e71402bd1f778f8310c44",
      "name": "18.9.4.1 \u2014 Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clie...",
      "description": "Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients'",
      "rational": "This setting is important to mitigate the CredSSP encryption oracle vulnerability, for \nwhich information was published by Microsoft on 03/13/2018 in CVE-2018-0886 | \nCredSSP Remote Code Execution Vulnerability. All versions of Windows from Windows \nVista onwards are affected by this vulnerability, and will be compatible with this \nrecommendation provided that they have been patched at least th...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Force Updated Clients: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Credentials \nDelegation\\Encryption Oracle Remediation \n\nNote: This Group Policy path is provided by the Group Policy template \nCredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1803 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\CredSSP\\Parameters|AllowEncryptionOracle",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c869ab5c1d7245df8f24bda7c742f805",
      "name": "18.9.4.2 \u2014 Ensure 'Remote host allows delegation of non-exportable credentials' is set t...",
      "description": "Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled'",
      "rational": "Restricted Admin Mode was designed to help protect administrator accounts by \nensuring that reusable credentials are not stored in memory on remote devices that \ncould potentially be compromised. Windows Defender Remote Credential Guard helps \nyou protect your credentials over a Remote Desktop connection by redirecting Kerberos \nrequests back to the device that is requesting the connection. Bot...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Credentials \nDelegation\\Remote host allows delegation of non-exportable credentials \n\nNote: This Group Policy path is provided by the Group Policy template \nCredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1703 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CredentialsDelegation|AllowProtectedCreds",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f092fae121c4bd8526c20bd56b7f1fdb",
      "name": "18.9.5.1 \u2014 Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'",
      "description": "Ensure 'Turn On Virtualization Based Security' is set to 'Enabled'",
      "rational": "Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based \nsecurity. Previous versions of Windows stored secrets in the Local Security Authority \n(LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its \nprocess memory. With Windows Defender Credential Guard enabled, the LSA process \nin the operating system talks to a new component called...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nGuard\\Turn On Virtualization Based Security \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM \n(Release 1507) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard|EnableVirtualizationBasedSecurity",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "5ef62301f2223a6a5d890454a3973b6b",
      "name": "18.9.5.2 \u2014 Ensure 'Turn On Virtualization Based Security: Select Platform Security Level...",
      "description": "Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot' or higher",
      "rational": "Secure Boot can help reduce the risk of bootloader attacks and, in conjunction with DMA \nprotections, helps protect data from being scraped from memory.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to Secure \nBoot or Secure Boot and DMA Protection: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nGuard\\Turn On Virtualization Based Security: Select Platform Security Level \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM \n(Release 1507) Administrative Templates (or newer). \n\nNote: The audit condition in this profile matches only the Secure Boot value \n(RequirePlatformSecurityFeatures = 1). A host configured for Secure Boot and DMA \nProtection (value 3) also satisfies 'Secure Boot or higher' but will not match this \ncheck and should be reviewed manually.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard|RequirePlatformSecurityFeatures",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "63f3be7e5ed08dfa0e1c4c7e662ab97b",
      "name": "18.9.5.3 \u2014 Ensure 'Turn On Virtualization Based Security: Virtualization Based Protectio...",
      "description": "Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled with UEFI lock'",
      "rational": "The Enabled with UEFI lock option ensures that Virtualization Based Protection of \nCode Integrity cannot be disabled remotely: the setting is persisted in a UEFI variable, so \nclearing it requires a physically present administrator rather than only a policy or \nregistry change.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled with UEFI lock: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nGuard\\Turn On Virtualization Based Security: Virtualization Based Protection \nof Code Integrity \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM \n(Release 1507) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard|HypervisorEnforcedCodeIntegrity",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "328cea45a7a954895cd42d85e58c3264",
      "name": "18.9.5.4 \u2014 Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes...",
      "description": "Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)'",
      "rational": "This setting will help protect this control from being enabled on a system that is not \ncompatible which could lead to a crash or data loss.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to TRUE: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nGuard\\Turn On Virtualization Based Security: Require UEFI Memory Attributes \nTable \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1703 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard|HVCIMATRequired",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "0b5422e218cb5d296b527fa6f31be90a",
      "name": "18.9.5.5 \u2014 Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration...",
      "description": "Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock'",
      "rational": "The Enabled with UEFI lock option ensures that Credential Guard cannot be \ndisabled remotely: the setting is persisted in a UEFI variable, so clearing it requires a \nphysically present administrator rather than only a policy or registry change.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled with UEFI lock: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nGuard\\Turn On Virtualization Based Security: Credential Guard Configuration \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1511 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard|LsaCfgFlags",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "80bfd6a18d136359bb98c91bccad095d",
      "name": "18.9.5.6 \u2014 Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' i...",
      "description": "Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled'",
      "rational": "Secure Launch changes the way Windows boots to use Intel Trusted Execution \nTechnology (TXT) and Runtime BIOS Resilience features to prevent firmware exploits \nfrom being able to impact the security of the Windows Virtualization Based Security \nenvironment.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nGuard\\Turn On Virtualization Based Security: Secure Launch Configuration \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1809 \n& Server 2019 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard|ConfigureSystemGuardLaunch",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "1341aa20ba2526cf53e803c640a00d43",
      "name": "18.9.5.7 \u2014 Ensure 'Turn On Virtualization Based Security: Kernel- mode Hardware-enforced...",
      "description": "Ensure 'Turn On Virtualization Based Security: Kernel- mode Hardware-enforced Stack Protection' is set to 'Enabled: Enabled in enforcement mode'",
      "rational": "This setting stores a copy of the app's shadow stack (intended code execution flow) in \na hardware-enforced (CPU shadow stack) region protected by VBS. This can prevent malware from \nhijacking an app's code by exploiting memory bugs such as stack buffer overflows, \ndangling pointers, or uninitialized variables. This allows VBS to shut down any exploit \nattempts via the modification of the intended code execution...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Enabled in enforcement mode \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nGuard\\Turn On Virtualization Based Security: Kernel-mode Hardware-enforced \nStack Protection \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceGuard.admx/adml that is included with the Microsoft Windows 11 Release 22H2 \nAdministrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard|ConfigureKernelShadowStacksLaunch",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "b653e316c58130717ccc3a1d42cb15e9",
      "name": "18.9.7.1.1 \u2014 Ensure 'Prevent installation of devices using drivers that match these device...",
      "description": "Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled'",
      "rational": "A BitLocker-protected computer may be vulnerable to Direct Memory Access (DMA) \nattacks when the computer is turned on or is in the Standby power state - this includes \nwhen the workstation is locked. \n\nBitLocker with TPM-only authentication lets a computer enter the power-on state without \nany pre-boot authentication. Therefore, a threat actor may be able to perform DMA \nattacks. \n\nThis issue...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nInstallation\\Device Installation Restrictions\\Prevent installation of devices \nusing drivers that match these device setup classes \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceInstallation.admx/adml that is included with all versions of the Microsoft \nWindows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceInstall\\Restrictions|DenyDeviceClasses",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "e851b14c1da2238946bcc23de8f37fed",
      "name": "18.9.7.2 \u2014 Ensure 'Prevent automatic download of applications associated with device met...",
      "description": "Ensure 'Prevent automatic download of applications associated with device metadata' is set to 'Enabled'",
      "rational": "Installation of software should be conducted by an authorized system administrator and \nnot a standard user. Allowing automatic third-party software installations under the \ncontext of the SYSTEM account has potential for allowing unauthorized access via \nbackdoors or installation software bugs.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Device \nInstallation\\Prevent automatic download of applications associated with \ndevice metadata \n\nNote: This Group Policy path is provided by the Group Policy template \nDeviceInstallation.admx/adml that is included with the Microsoft Windows 7 & \nServer 2008 R2 Administrative Templates, or with the Group Policy template \nDeviceSetup.admx/...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata|PreventDeviceMetadataFromNetwork",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "9ab32f222a82b4ffae0ec92410315638",
      "name": "18.9.13.1 \u2014 Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, un...",
      "description": "Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical'",
      "rational": "This policy setting helps reduce the impact of malware that has already infected your \nsystem.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Good, unknown and bad but critical: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Early Launch \nAntimalware\\Boot-Start Driver Initialization Policy \n\nNote: This Group Policy path is provided by the Group Policy template \nEarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server \n2012 (non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Policies\\EarlyLaunch|DriverLoadPolicy",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a543c02383550949a4908d7ebef9e6e6",
      "name": "18.9.17.1 \u2014 Ensure 'Enable / disable CLFS logfile authentication' is set to 'Enabled'",
      "description": "Ensure 'Enable / disable CLFS logfile authentication' is set to 'Enabled'",
      "rational": "CLFS is a security feature which hardens logfile parsing. If modifications to logfiles are \ndetected, CLFS will consider the logfile unsafe for parsing and return an error to the \ncaller. It is also able to detect modifications by writing authentication codes to logfiles \nwhich combines file data with a system-unique cryptographic key.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative \nTemplates\\System\\Filesystem\\Enable / disable CLFS logfile authentication \n\nNote: This Group Policy path is provided by the Group Policy template \nFileSys.admx/adml that is included with the Microsoft Windows 11 Release 25H2 \nAdministrative Templates (or newer). \n\nPage 708",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Policies|ClfsAuthenticationChecking",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "4bd1ecea226597a67fbcaa5d9b5e8bbe",
      "name": "18.9.19.4 \u2014 Ensure 'Continue experiences on this device' is set to 'Disabled'",
      "description": "Ensure 'Continue experiences on this device' is set to 'Disabled'",
      "rational": "A cross-device experience is when a system can access app and send messages to \nother devices. In an enterprise managed environment only trusted systems should be \ncommunicating within the network. Access to any other system should be prohibited.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Group \nPolicy\\Continue experiences on this device \n\nNote: This Group Policy path is provided by the Group Policy template \nGroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 \n& Server 2016 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|EnableCdp",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c5a44340256f1c0ccc8874a76b406683",
      "name": "18.9.19.5 \u2014 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'",
      "description": "Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'",
      "rational": "This setting ensures that group policy changes take effect more quickly, as compared to \nwaiting until the next user logon or system restart.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Group \nPolicy\\Turn off background refresh of Group Policy \n\nNote: This Group Policy path is provided by the Group Policy template \nGroupPolicy.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|DisableBkGndGr",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "df68b72f4eb27d5a70e87ece2e9e57b2",
      "name": "18.9.20.1.2 \u2014 Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'",
      "description": "Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled'",
      "rational": "Users might download drivers that include malicious code.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Internet \nCommunication Management\\Internet Communication settings\\Turn off downloading \nof print drivers over HTTP \n\nNote: This Group Policy path is provided by the Group Policy template ICM.admx/adml \nthat is included with all versions of the Microsoft Windows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Printers|DisableWebPnPDownload",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "3170bcfe6936f0811811bfef91bfdef1",
      "name": "18.9.20.1.6 \u2014 Ensure 'Turn off Internet download for Web publishing and online ordering wiz...",
      "description": "Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'",
      "rational": "Although the risk is minimal, enabling this setting will reduce the possibility of a user \nunknowingly downloading malicious content through this feature.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Internet \nCommunication Management\\Internet Communication settings\\Turn off Internet \ndownload for Web publishing and online ordering wizards \n\nNote: This Group Policy path is provided by the Group Policy template ICM.admx/adml \nthat is included with all versions of the Microsoft Windows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer|NoWebService",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "94069f3bf7e5fdcb6047f9f0ab9064a5",
      "name": "18.9.24.1 \u2014 Ensure 'Enumeration policy for external devices incompatible with Kernel DMA ...",
      "description": "Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Block All'",
      "rational": "Device memory sandboxing allows the OS to leverage the I/O Memory Management \nUnit (IOMMU) of a device to block unpermitted I/O, or memory access, by the \nperipheral.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Block All: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Kernel DMA \nProtection\\Enumeration policy for external devices incompatible with Kernel \nDMA Protection \n\nNote: This Group Policy path is provided by the Group Policy template \nDmaGuard.admx/adml that is included with the Microsoft Windows 10 Release 1809 & \nServer 2019 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Kernel DMA Protection|DeviceEnumerationPolicy",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "0945df460fb90a83c815d78255e3a46c",
      "name": "18.9.26.1 \u2014 Ensure 'Configure password backup directory' is set to 'Enabled: Active Direc...",
      "description": "Ensure 'Configure password backup directory' is set to 'Enabled: Active Directory' or 'Enabled: Azure Active Directory'",
      "rational": "Due to the difficulty in managing local Administrator passwords, many organizations \nchoose to use the same password on all workstations and/or Member Servers when \ndeploying them. This creates a serious attack surface security risk because if a threat \nactor manages to compromise one system and learn the password to its local \nAdministrator account, then they can leverage that account to insta...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Active Directory or Enabled: Azure Active Directory: \n\nComputer Configuration\\Policies\\Administrative \nTemplates\\System\\LAPS\\Configure password backup directory \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LAPS.admx/adml that is included with the Microsoft Windows 11 Release \n22H2 Administrative Templates v3.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\LAPS|BackupDirectory",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "9b5d00497dc560c032d1c775d31ea013",
      "name": "18.9.26.2 \u2014 Ensure 'Do not allow password expiration time longer than required by policy'...",
      "description": "Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled'",
      "rational": "Due to the difficulty in managing local Administrator passwords, many organizations \nchoose to use the same password on all workstations and/or Member Servers when \ndeploying them. This creates a serious attack surface security risk because if a threat \nactor manages to compromise one system and learn the password to its local \nAdministrator account, then they can leverage that account to insta...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\LAPS\\Do not \nallow password expiration time longer than required by policy \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LAPS.admx/adml that is included with the Microsoft Windows 11 Release \n23H2 Administrative Templates v2.0 (or newer). \n\nNote #2: This setting also existed in the Mi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\LAPS|PasswordExpirati",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "13b6a99870cb9d6a7be60bac6add82ae",
      "name": "18.9.26.3 \u2014 Ensure 'Enable password encryption' is set to 'Enabled'",
      "description": "Ensure 'Enable password encryption' is set to 'Enabled'",
      "rational": "Due to the difficulty in managing local Administrator passwords, many organizations \nchoose to use the same password on all workstations and/or Member Servers when \ndeploying them. This creates a serious attack surface security risk because if a threat \nactor manages to compromise one system and learn the password to its local \nAdministrator account, then they can leverage that account to insta...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\LAPS\\Enable \npassword encryption \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LAPS.admx/adml that is included with the Microsoft Windows 11 Release \n22H2 Administrative Templates v3.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\LAPS|ADPasswordEncryp",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "943809c4d0abe4b7d1d491a81e87c1b3",
      "name": "18.9.26.4 \u2014 Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large let...",
      "description": "Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' or 'Passphrase'",
      "rational": "Due to the difficulty in managing local Administrator passwords, many organizations \nchoose to use the same password on all workstations and/or Member Servers when \ndeploying them. This creates a serious attack surface security risk because if a threat \nactor manages to compromise one system and learn the password to its local \nAdministrator account, then they can leverage that account to insta...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled, and configure the Password Complexity option to Large letters + small \nletters + numbers + special characters, Passphrase (long words), \nPassphrase (short words) or Passphrase (short words with unique \nprefixes): \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\LAPS\\Password \nSettings \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LA...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\LAPS|PasswordComplexi",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "84021d17cfeac516bab6477a662dd3cf",
      "name": "18.9.26.5 \u2014 Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'",
      "description": "Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more'",
      "rational": "Due to the difficulty in managing local Administrator passwords, many organizations \nchoose to use the same password on all workstations and/or Member Servers when \ndeploying them. This creates a serious attack surface security risk because if a threat \nactor manages to compromise one system and learn the password to its local \nAdministrator account, then they can leverage that account to insta...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled, and configure the Password Length option to 15 or more: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\LAPS\\Password \nSettings \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LAPS.admx/adml that is included with the Microsoft Windows 11 Release \n22H2 Administrative Templates v3.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\LAPS|PasswordLength",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c5129445d62b2e5e14bf8e11a00a8865",
      "name": "18.9.26.6 \u2014 Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'",
      "description": "Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer'",
      "rational": "Due to the difficulty in managing local Administrator passwords, many organizations \nchoose to use the same password on all workstations and/or Member Servers when \ndeploying them. This creates a serious attack surface security risk because if a threat \nactor manages to compromise one system and learn the password to its local \nAdministrator account, then they can leverage that account to insta...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled, and configure the Password Age (Days) option to 30 or fewer: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\LAPS\\Password \nSettings \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LAPS.admx/adml that is included with the Microsoft Windows 11 Release \n22H2 Administrative Templates v3.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\LAPS|PasswordAgeDays",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "16868c297b8101aa154d8eb860c71b30",
      "name": "18.9.26.7 \u2014 Ensure 'Post-authentication actions: Grace period (hours)' is set to 'Enabled...",
      "description": "Ensure 'Post-authentication actions: Grace period (hours)' is set to 'Enabled: 8 or fewer hours, but not 0'",
      "rational": "Due to the difficulty in managing local Administrator passwords, many organizations \nchoose to use the same password on all workstations and/or Member Servers when \ndeploying them. This creates a serious attack surface security risk because if a threat \nactor manages to compromise one system and learn the password to its local \nAdministrator account, then they can leverage that account to insta...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 8 or fewer hours, but not 0: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\LAPS\\Post-\nauthentication actions: Grace period (hours) \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LAPS.admx/adml that is included with the Microsoft Windows 11 Release \n22H2 Administrative Templates v3.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\LAPS|PostAuthenticati",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "8"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "6858944a66ed86db7dcf1dce137a6e90",
      "name": "18.9.26.8 \u2014 Ensure 'Post-authentication actions: Actions' is set to 'Enabled: Reset the p...",
      "description": "Ensure 'Post-authentication actions: Actions' is set to 'Enabled: Reset the password and logoff the managed account' or higher",
      "rational": "Due to the difficulty in managing local Administrator passwords, many organizations \nchoose to use the same password on all workstations and/or Member Servers when \ndeploying them. This creates a serious attack surface security risk because if a threat \nactor manages to compromise one system and learn the password to its local \nAdministrator account, then they can leverage that account to insta...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Reset the password and logoff the managed account, Reset the \npassword and reboot the device or Reset the password, logoff the managed \naccount, and terminate any remaining processes: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\LAPS\\Post-\nauthentication actions: Actions \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LAPS.admx/ad...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\LAPS|PostAuthenticati",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "732d86faf1a3effca6df12ccdf91157c",
      "name": "18.9.27.1 \u2014 Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'",
      "description": "Ensure 'Allow Custom SSPs and APs to be loaded into LSASS' is set to 'Disabled'",
      "rational": "Vulnerabilities exist where threat actors can intercept logon credentials via SSP/AP. \nDisabling Custom SSPs and APs to be loaded into LSASS minimizes this vulnerability.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Local \nSecurity Authority\\Allow Custom SSPs and APs to be loaded into LSASS \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LocalSecurityAuthority.admx/adml that is included with the Microsoft \nWindows 11 Release 22H2 Administrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|AllowCustomSSPsAPs",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "8c5a6e46b11ecf6cf111c6840da50b9c",
      "name": "18.9.27.2 \u2014 Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: E...",
      "description": "Ensure 'Configures LSASS to run as a protected process' is set to 'Enabled: Enabled with UEFI Lock'",
      "rational": "Provides added security for the credentials that LSA stores and manages. Enabling this \nsetting with UEFI Lock prevents the setting from being changed remotely.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Enabled with UEFI Lock: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Local \nSecurity Authority\\Configures LSASS to run as a protected process \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate LocalSecurityAuthority.admx/adml that is included with the Microsoft \nWindows 11 Release 22H2 Administrative Templates v1.0 (or newer). \n\nNote...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|RunAsPPL",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "5663716e96d48eddb4bc068aea963d08",
      "name": "18.9.29.1 \u2014 Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'",
      "description": "Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'",
      "rational": "A threat actor with access to the console (for example, someone with physical access or \nsomeone who is able to connect to the workstation through Remote Desktop Services) \ncould view the name of the last user who logged on to the server. The threat actor could \nthen try to guess the password, use a dictionary, or use a brute-force attack to try and \nlog on.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Block \nuser from showing account details on sign-in \n\nNote: This Group Policy path is provided by the Group Policy template \nLogon.admx/adml that is included with the Microsoft Windows 10 Release 1607 & \nServer 2016 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|BlockUserFromShowingAccountDe",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "4438eef5eeaf5bba5344598f5c607101",
      "name": "18.9.29.2 \u2014 Ensure 'Do not display network selection UI' is set to 'Enabled'",
      "description": "Ensure 'Do not display network selection UI' is set to 'Enabled'",
      "rational": "An unauthorized user could disconnect the PC from the network or can connect the PC \nto other available networks without signing into Windows.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not \ndisplay network selection UI \n\nNote: This Group Policy path is provided by the Group Policy template \nLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|DontDisplayNetworkSelectionUI",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c3847d87180504b424e2788765ae15a6",
      "name": "18.9.29.3 \u2014 Ensure 'Do not enumerate connected users on domain-joined computers' is set ...",
      "description": "Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'",
      "rational": "A threat actor could use this feature to gather account names of other users; that \ninformation could then be used in conjunction with other types of attacks such as \nguessing passwords or social engineering. The value of this countermeasure is small \nbecause a user with domain credentials could gather the same account information \nusing other methods.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Do not \nenumerate connected users on domain-joined computers \n\nNote: This Group Policy path is provided by the Group Policy template \nLogon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-\nR2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|DontEnumerateConnectedUsers",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a840d716e0b5f4a6f5dc7f95d95fb6d9",
      "name": "18.9.29.4 \u2014 Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'",
      "description": "Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled'",
      "rational": "A threat actor could use this feature to gather account names of other users; that \ninformation could then be used in conjunction with other types of attacks such as \nguessing passwords or social engineering. The value of this countermeasure is small \nbecause a user with domain credentials could gather the same account information \nusing other methods.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative \nTemplates\\System\\Logon\\Enumerate local users on domain-joined computers \n\nNote: This Group Policy path is provided by the Group Policy template \nLogon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-\nR2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|EnumerateLocalUsers",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "79d270785a48a496bbfb3710d91c025b",
      "name": "18.9.29.5 \u2014 Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'",
      "description": "Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled'",
      "rational": "App notifications might display sensitive business or personal data.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn \noff app notifications on the lock screen \n\nNote: This Group Policy path is provided by the Group Policy template \nLogon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-\nR2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|DisableLockScreenAppNotifications",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "32d59ebd95a3506b06ad9e7b531fcaaa",
      "name": "18.9.29.6 \u2014 Ensure 'Turn off picture password sign-in' is set to 'Enabled'",
      "description": "Ensure 'Turn off picture password sign-in' is set to 'Enabled'",
      "rational": "Picture passwords bypass the requirement for a typed complex password. In a shared \nwork environment, a simple shoulder surf where someone observed the on-screen \ngestures would allow that person to gain access to the system without the need to know \nthe complex password. Vertical monitor screens with an image are much more visible at \na distance than horizontal key strokes, increasing the like...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn \noff picture password sign-in \n\nNote: This Group Policy path is provided by the Group Policy template \nCredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & \nServer 2012 (non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|BlockDomainPicturePassword",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "74aa06457cc4f68d59628cf8a01b1c98",
      "name": "18.9.29.7 \u2014 Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'",
      "description": "Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled'",
      "rational": "A PIN is created from a much smaller selection of characters than a password, so in \nmost cases a PIN will be much less robust than a password.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Logon\\Turn on \nconvenience PIN sign-in \n\nNote: This Group Policy path is provided by the Group Policy template \nCredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & \nServer 2012 (non-R2) Administrative Templates (or newer). \n\nNote #2: In older Microsoft Windows Administrative Templates, this setting was initiall...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|AllowDomainPINLogon",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "771e694eae254525fd6b8e8e6ea1a0b0",
      "name": "18.9.31.1.1 \u2014 Ensure 'Block NetBIOS-based discovery for domain controller location' is set ...",
      "description": "Ensure 'Block NetBIOS-based discovery for domain controller location' is set to 'Enabled'",
      "rational": "NetBIOS is considered insecure because it doesn't perform authentication and can \nallow remote threat actors to trigger a denial-of-service by sending spoofed Name \nConflicts or Name Release datagrams. This is also known as NetBIOS Name Server \nProtocol Spoofing.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Net Logon\\DC \nLocator DNS Records\\Block NetBIOS-based discovery for domain controller \nlocation \n\nNote: This Group Policy path is provided by the Group Policy template \nNetlogon.admx/adml that is included with the Microsoft Windows 11 Release 24H2 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Netlogon\\Parameters|BlockNetbiosDiscovery",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "1991491ee56e09350f8b03141d110578",
      "name": "18.9.35.6.1 \u2014 Ensure 'Allow network connectivity during connected-standby (on battery)' is...",
      "description": "Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'",
      "rational": "Disabling this setting ensures that the computer will not be accessible to threat actors \nover a WLAN network while left unattended, on battery and in a sleep state.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Power \nManagement\\Sleep Settings\\Allow network connectivity during connected-standby \n(on battery) \n\nNote: This Group Policy path is provided by the Group Policy template \nPower.admx/adml that is included with the Microsoft Windows 10 Release 1607 & \nServer 2016 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\f15576e8-98b7-4186-b944-eafa664402d9|DCSettingIndex",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "3451462d7eca836e54c919bb17a90de6",
      "name": "18.9.35.6.2 \u2014 Ensure 'Allow network connectivity during connected-standby (plugged in)' is...",
      "description": "Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'",
      "rational": "Disabling this setting ensures that the computer will not be accessible to threat actors \nover a WLAN network while left unattended, plugged in and in a sleep state.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Power \nManagement\\Sleep Settings\\Allow network connectivity during connected-standby \n(plugged in) \n\nNote: This Group Policy path is provided by the Group Policy template \nPower.admx/adml that is included with the Microsoft Windows 10 Release 1607 & \nServer 2016 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\f15576e8-98b7-4186-b944-eafa664402d9|ACSettingIndex",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "5e469192459d81ccb4016a96c0c3ad27",
      "name": "18.9.35.6.3 \u2014 Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'D...",
      "description": "Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled'",
      "rational": "System sleep states (S1-S3) keep power to the RAM which may contain secrets, such \nas the BitLocker volume encryption key. A threat actor finding a computer in sleep \nstates (S1-S3) could directly attack the memory of the computer and gain access to the \nsecrets through techniques such as RAM remanence and direct memory access (DMA).",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Power \nManagement\\Sleep Settings\\Allow standby states (S1-S3) when sleeping (on \nbattery) \n\nNote: This Group Policy path is provided by the Group Policy template \nPower.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-\nR2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\abfc2519-3608-4c2a-94ea-171b0ed546ab|DCSettingIndex",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "b112c2e5f980cb0c96beeeb85f914fb9",
      "name": "18.9.35.6.4 \u2014 Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'D...",
      "description": "Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled'",
      "rational": "System sleep states (S1-S3) keep power to the RAM which may contain secrets, such \nas the BitLocker volume encryption key. A threat actor finding a computer in sleep \nstates (S1-S3) could directly attack the memory of the computer and gain access to the \nsecrets through techniques such as RAM remanence and direct memory access (DMA).",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Power \nManagement\\Sleep Settings\\Allow standby states (S1-S3) when sleeping (plugged \nin) \n\nNote: This Group Policy path is provided by the Group Policy template \nPower.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-\nR2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\abfc2519-3608-4c2a-94ea-171b0ed546ab|ACSettingIndex",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "381bd595f2788eb5712b0369a143367a",
      "name": "18.9.35.6.5 \u2014 Ensure 'Require a password when a computer wakes (on battery)' is set to 'Ena...",
      "description": "Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled'",
      "rational": "Enabling this setting ensures that anyone who wakes an unattended computer from \nsleep state will have to provide logon credentials before they can access the system.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Power \nManagement\\Sleep Settings\\Require a password when a computer wakes (on \nbattery) \n\nNote: This Group Policy path is provided by the Group Policy template \nPower.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-\nR2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51|DCSettingIndex",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "bc539cf9cdfb027fb9835d831b0a2e84",
      "name": "18.9.35.6.6 \u2014 Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Ena...",
      "description": "Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled'",
      "rational": "Enabling this setting ensures that anyone who wakes an unattended computer from \nsleep state will have to provide logon credentials before they can access the system.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Power \nManagement\\Sleep Settings\\Require a password when a computer wakes (plugged \nin) \n\nNote: This Group Policy path is provided by the Group Policy template \nPower.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-\nR2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Power\\PowerSettings\\0e796bdb-100d-47d6-a2d5-f7d2daa51f51|ACSettingIndex",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "11e96372d0734f8277c3d95ff15f1c1c",
      "name": "18.9.37.1 \u2014 Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'",
      "description": "Ensure 'Configure Offer Remote Assistance' is set to 'Disabled'",
      "rational": "A user might be tricked and accept an unsolicited Remote Assistance offer from a threat \nactor.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Remote \nAssistance\\Configure Offer Remote Assistance \n\nNote: This Group Policy path is provided by the Group Policy template \nRemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & \nServer 2012 (non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|fAllowUnsolicited",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "dea369ccfe716442abaa9fdc5c77e922",
      "name": "18.9.37.2 \u2014 Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'",
      "description": "Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled'",
      "rational": "There is a slight risk that a rogue administrator will gain access to another user's desktop \nsession; however, they cannot connect to a user's computer unannounced or control it \nwithout permission from the user. When an expert tries to connect, the user can still \nchoose to deny the connection or give the expert view-only privileges. The user must \nexplicitly click the Yes button to allow the e...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Remote \nAssistance\\Configure Solicited Remote Assistance \n\nNote: This Group Policy path is provided by the Group Policy template \nRemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & \nServer 2012 (non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|fAllowToGetHelp",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "cada2ef8d375a1d00d5ea5962074ce9a",
      "name": "18.9.38.1 \u2014 Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'",
      "description": "Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled'",
      "rational": "Anonymous access to RPC services could result in accidental disclosure of information \nto unauthenticated users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Remote \nProcedure Call\\Enable RPC Endpoint Mapper Client Authentication \n\nNote: This Group Policy path is provided by the Group Policy template RPC.admx/adml \nthat is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative \nTemplates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Rpc|EnableAuthEpResolution",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "0e04db841b9d14896eac3f04b69762c5",
      "name": "18.9.38.2 \u2014 Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'",
      "description": "Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated'",
      "rational": "Unauthenticated RPC communication can create a security vulnerability.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Authenticated: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Remote \nProcedure Call\\Restrict Unauthenticated RPC clients \n\nNote: This Group Policy path is provided by the Group Policy template RPC.admx/adml \nthat is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative \nTemplates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Rpc|RestrictRemoteClients",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "b35b59cec1e49ab1e7c950658476e417",
      "name": "18.9.41.1 \u2014 Ensure 'Configure SAM change password RPC methods policy' is set to 'Enabled:...",
      "description": "Ensure 'Configure SAM change password RPC methods policy' is set to 'Enabled: Block all change password RPC methods'",
      "rational": "User passwords stored in the SAM should only be changed from a Domain Controller \nusing secure methods.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Block all change password RPC methods: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Security \nAccount Manager\\Configure SAM change password RPC methods policy \n\nNote: This Group Policy path is provided by the Group Policy template SAM.admx/adml \nthat is included with the Microsoft Windows 11 Release 24H2 Administrative Templates \n(or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\SAM|SamrChange",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "b9baa1bae3d5375f19ea0de20df8a5f5",
      "name": "18.9.53.1.1 \u2014 Ensure 'Enable Windows NTP Client' is set to 'Enabled'",
      "description": "Ensure 'Enable Windows NTP Client' is set to 'Enabled'",
      "rational": "A reliable and accurate account of time is important for a number of services and \nsecurity requirements, including but not limited to distributed applications, authentication \nservices, multi-user databases and logging services. The use of an NTP client (with \nsecure operation) establishes functional accuracy and is a focal point when reviewing \nsecurity relevant events.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Windows Time \nService\\Time Providers\\Enable Windows NTP Client \n\nNote: This Group Policy path is provided by the Group Policy template \nW32Time.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\W32Time\\TimeProviders\\NtpClient|Enabled",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f4a5a797ea410d7c49970061aba6b962",
      "name": "18.9.53.1.2 \u2014 Ensure 'Enable Windows NTP Server' is set to 'Disabled'",
      "description": "Ensure 'Enable Windows NTP Server' is set to 'Disabled'",
      "rational": "The configuration of proper time synchronization is critically important in an enterprise \nmanaged environment both due to the sensitivity of Kerberos authentication timestamps \nand also to ensure accurate security logging. This should be done through a known \nNTP server. Member servers and workstations should not typically be time sources for \nother clients.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Windows Time \nService\\Time Providers\\Enable Windows NTP Server \n\nNote: This Group Policy path is provided by the Group Policy template \nW32Time.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\W32Time\\TimeProviders\\NtpServer|Enabled",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "43df3c2c61fc94c8b1defa8cf7db5748",
      "name": "18.9.54 \u2014 (L1) Ensure 'Configure the behavior of the sudo command' is set to 'Enabled: ...",
      "description": "(L1) Ensure 'Configure the behavior of the sudo command' is set to 'Enabled: Disabled'",
      "rational": "Sudo for Windows could be exploited for escalation of privilege and spoofing attacks by \na malicious actor. For example, in October 2024, CVE-2024-43571 (spoofing \nvulnerability) was created by Microsoft.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Disabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\System\\Configure the \nbehavior of the sudo command \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate Sudo.admx that is included with the Microsoft Windows 11 Release 24H2 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Sudo|Enabled",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "1a1ff533b163b8689ad28fc8a3409abe",
      "name": "18.10.4.2 \u2014 Ensure 'Not allow per-user unsigned packages to install by default (requires ...",
      "description": "Ensure 'Not allow per-user unsigned packages to install by default (requires explicitly allow per install)' is set to 'Enabled'",
      "rational": "In a corporate managed environment, application installations should be managed \ncentrally by IT staff, not by end users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\App Package Deployment\\Not allow per-user unsigned packages to \ninstall by default (requires explicitly allow per install) \n\nNote: This Group Policy path is provided by the Group Policy template \nAppxPackageManager.admx/adml that is included with the Microsoft Windows 11 \nRelease 24H2 Administrative Templates (or newer). \n\nPag...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx|DisablePerUserUnsignedPackagesB",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "72053f173a7eb58523f0dfa1e75d801e",
      "name": "18.10.4.3 \u2014 Ensure 'Prevent non-admin users from installing packaged Windows apps' is set...",
      "description": "Ensure 'Prevent non-admin users from installing packaged Windows apps' is set to 'Enabled'",
      "rational": "In a corporate managed environment, application installations should be managed \ncentrally by IT staff, not by end users.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\App Package Deployment\\Prevent non-admin users from installing \npackaged Windows apps \n\nNote: This Group Policy path is provided by the Group Policy template \nAppxPackageManager.admx/adml that is included with the Microsoft Windows 10 \nRelease 2004 Administrative Templates (or newer). \n\nPage 864",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Appx|BlockNonAdminUserInstall",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "bb7abc29d5d6edc92c1cc3140ad015c7",
      "name": "18.10.5.1 \u2014 Ensure 'Let Windows apps activate with voice while the system is locked' is s...",
      "description": "Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny'",
      "rational": "Access to any computer resource should not be allowed when the device is locked.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Force Deny: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\App Privacy\\Let Windows apps activate with voice while the system \nis locked \n\nNote: This Group Policy path is provided by the Group Policy template \nAppPrivacy.admx/adml that is included with the Microsoft Windows 10 Release 1903 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy|LetAppsActivateWithVoiceA",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "2b6673fdc919b176bb75aa28aede0c97",
      "name": "18.10.6.1 \u2014 Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'",
      "description": "Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled'",
      "rational": "Enabling this setting allows an organization to use their enterprise user accounts \ninstead of using their Microsoft accounts when accessing Windows store apps. This \nprovides the organization with greater control over relevant credentials. Microsoft \naccounts cannot be centrally managed and as such enterprise credential security \npolicies cannot be applied to them, which could put any informat...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\App runtime\\Allow Microsoft accounts to be optional \n\nNote: This Group Policy path is provided by the Group Policy template \nAppXRuntime.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer). \n\nPage 870",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|MSAOptional",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "4828de54e8cf913cea37eca8229f7ae9",
      "name": "18.10.8.1 \u2014 Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'",
      "description": "Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled'",
      "rational": "A threat actor could use this feature to launch a program to damage a client computer \nor data on the computer.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\AutoPlay Policies\\Disallow Autoplay for non-volume devices \n\nNote: This Group Policy path is provided by the Group Policy template \nAutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 \n(non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer|NoAutoplayfornonVolume",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "50b2f7e71daa3310b47be1965bd621af",
      "name": "18.10.8.2 \u2014 Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not exec...",
      "description": "Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands'",
      "rational": "Prior to Windows Vista, when media containing an autorun command is inserted, the \nsystem will automatically execute the program without user intervention. This creates a \nmajor security concern as code may be executed without user's knowledge. The default \nbehavior starting with Windows Vista is to prompt the user whether autorun command is \nto be run. The autorun command is represented as a h...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Do not execute any autorun commands: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\AutoPlay Policies\\Set the default behavior for AutoRun \n\nNote: This Group Policy path is provided by the Group Policy template \nAutoPlay.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 \n(non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer|NoAutorun",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "dec6a2ca1d6e2309ffc74c94721ad1cb",
      "name": "18.10.8.3 \u2014 Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'",
      "description": "Ensure 'Turn off Autoplay' is set to 'Enabled: All drives'",
      "rational": "A threat actor could use this feature to launch a program to damage a client computer \nor data on the computer.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: All drives: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\AutoPlay Policies\\Turn off Autoplay \n\nNote: This Group Policy path is provided by the Group Policy template \nAutoPlay.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nPage 879",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer|NoDriveTypeA",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "89ab78d077b2cacc101bb914d9022698",
      "name": "18.10.9.1.1 \u2014 Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'",
      "description": "Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled'",
      "rational": "Enterprise managed environments are now supporting a wider range of mobile devices, \nincreasing the security on these devices will help protect against unauthorized access \non your network.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Biometrics\\Facial Features\\Configure enhanced anti-spoofing \n\nNote: This Group Policy path is provided by the Group Policy template \nBiometrics.admx/adml that is included with the Microsoft Windows 10 Release 1511 \nAdministrative Templates (or newer). \n\nNote #2: In the Windows 10 Release 1511 and Windows 10 Release 1607 & Serv...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Biometrics\\FacialFeatures|EnhancedAntiSpoofi",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "7ada6ea1b29865ab275f431db031abc2",
      "name": "18.10.10.1.1 \u2014 Ensure 'Allow access to BitLocker-protected fixed data drives from earlier ve...",
      "description": "Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disabled'",
      "rational": "By default BitLocker virtualizes FAT formatted drives to permit access via the BitLocker \nTo Go Reader on previous versions of Windows. Additionally the BitLocker To Go \nReader application is applied to the unencrypted portion of the drive. \n\nThe BitLocker To Go Reader application, like any other application, is subject to \nspoofing and could be a mechanism to propagate malware.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Allow access to \nBitLocker-protected fixed data drives from earlier versions of Windows \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or n...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVDiscoveryVolumeType",
          "selement": "EXISTS",
          "condition": "",
          "sinput": ""
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "dfa9ca35b45a8bf4a781bd9df0056b90",
      "name": "18.10.10.1.2 \u2014 Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set ...",
      "description": "Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Choose how BitLocker-\nprotected fixed drives can be recovered \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVRecovery",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "8b7be87efe80305cf49b1199753712cf",
      "name": "18.10.10.1.3 \u2014 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow d...",
      "description": "Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker, a Data Recovery Agent will need to be configured for fixed drives. To \nrecover a drive will re...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: True (checked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Choose how BitLocker-\nprotected fixed drives can be recovered: Allow data recovery agent \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVManageDRA",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "1e02840e3bd76fcfa6db9d237f0c433e",
      "name": "18.10.10.1.4 \u2014 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recover...",
      "description": "Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled: Allow 48-digit recovery password' or higher",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker, a Data Recovery Agent will need to be configured for fixed drives. To \nrecover a drive will re...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Allow 48-digit recovery password or Enabled: Require 48-digit \nrecovery password: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Choose how BitLocker-\nprotected fixed drives can be recovered: Recovery Password \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included wit...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVRecoveryPassword",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f5776b3ab3cf2b468a82b2c9f5f415e0",
      "name": "18.10.10.1.5 \u2014 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recover...",
      "description": "Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow 256-bit recovery key' or higher",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker, a Data Recovery Agent will need to be configured for fixed drives. To \nrecover a drive will re...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Allow 256-bit recovery key or Enabled: Require 256-bit recovery \nkey: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Choose how BitLocker-\nprotected fixed drives can be recovered: Recovery Key \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft W...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVRecoveryKey",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "01c0f2944f922487b7be6f37160ebfd3",
      "name": "18.10.10.1.6 \u2014 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit re...",
      "description": "Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker, a Data Recovery Agent will need to be configured for fixed drives. To \nrecover a drive will re...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: True (checked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Choose how BitLocker-\nprotected fixed drives can be recovered: Omit recovery options from the \nBitLocker setup wizard \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & S...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVHideRecoveryPage",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f6417401ea3010f06943d3d5c7c6a061",
      "name": "18.10.10.1.7 \u2014 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save Bi...",
      "description": "Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker, a Data Recovery Agent will need to be configured for fixed drives. To \nrecover a drive will re...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: False (unchecked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Choose how BitLocker-\nprotected fixed drives can be recovered: Save BitLocker recovery information \nto AD DS for fixed data drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microso...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVActiveDirectoryBackup",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "9b7c6ec246894b32f9d9fcaf96bea3a3",
      "name": "18.10.10.1.8 \u2014 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configu...",
      "description": "Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker, a Data Recovery Agent will need to be configured for fixed drives. To \nrecover a drive will re...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Backup recovery passwords and key packages: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Choose how BitLocker-\nprotected fixed drives can be recovered: Configure storage of BitLocker \nrecovery information to AD DS: \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is inclu...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVActiveDirectoryInfoToStore",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "184a9e1c89ab01d5db46401b82863906",
      "name": "18.10.10.1.9 \u2014 Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not ...",
      "description": "Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker, a Data Recovery Agent will need to be configured for fixed drives. To \nrecover a drive will re...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: False (unchecked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Choose how BitLocker-\nprotected fixed drives can be recovered: Do not enable BitLocker until \nrecovery information is stored to AD DS for fixed data drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVRequireActiveDirectoryBackup",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f36e139435a50a86974683bc3613a110",
      "name": "18.10.10.1.10 \u2014 Ensure 'Configure use of hardware-based encryption for fixed data drives' is ...",
      "description": "Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Disabled'",
      "rational": "From a security perspective hardware-based encryption may introduce vulnerabilities in \nthe hardware encryption of certain self-encrypting drives (SEDs), if the vendor and/or \nuser has not updated the firmware to remediate the vulnerability. For more information \nvisit ADV180028 - Security Update Guide - Microsoft - Guidance for configuring \nBitLocker to enforce software encryption.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Configure use of \nhardware-based encryption for fixed data drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 8.0 & \nServer 2012 (non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVHardwareEncryption",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "11c2843655f09eda0226cecd763f96af",
      "name": "18.10.10.1.11 \u2014 Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'",
      "description": "Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled'",
      "rational": "Using a dictionary-style attack, passwords can be guessed or discovered by repeatedly \nattempting to unlock a drive. Since this type of BitLocker password does not include anti-\ndictionary attack protections provided by a TPM, for example, there is no mechanism to \nslow down rapid brute-force attacks against them.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Configure use of \npasswords for fixed data drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVPassphrase",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "642d32e58b863fe62baf8c2479993338",
      "name": "18.10.10.1.12 \u2014 Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'",
      "description": "Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled'",
      "rational": "A drive can be compromised by guessing or finding the authentication information used \nto access the drive. For example, a password could be guessed, or a drive set to \nautomatically unlock could be lost or stolen with the computer it automatically unlocks \nwith.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Configure use of \nsmart cards on fixed data drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVAllowUserCert",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "edada36ca47b379591a79b41804ce0ec",
      "name": "18.10.10.1.13 \u2014 Ensure 'Configure use of smart cards on fixed data drives: Require use of sma...",
      "description": "Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is set to 'Enabled: True'",
      "rational": "A drive can be compromised by guessing or finding the authentication information used \nto access the drive. For example, a password could be guessed, or a drive set to \nautomatically unlock could be lost or stolen with the computer it automatically unlocks \nwith.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: True (checked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Fixed Data Drives\\Configure use of \nsmart cards on fixed data drives: Require use of smart cards on fixed data \ndrives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Ad...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVEnforceUserCert",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a34c21f88312cd8336058a4eccdb2090",
      "name": "18.10.10.2.1 \u2014 Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'",
      "description": "Ensure 'Allow enhanced PINs for startup' is set to 'Enabled'",
      "rational": "A numeric-only PIN provides less entropy than a PIN that is alpha-numeric. When not \nusing enhanced PIN for startup, BitLocker requires the use of the function keys [F1-F10] \nfor PIN entry since the PIN is entered in the pre-OS environment before localization \nsupport is available. This limits each PIN digit to one of ten possibilities. The TPM has \nan anti-hammering feature that includes a mec...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Allow enhanced \nPINs for startup \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|UseEnhancedPin",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "bba6ba49085ec40d9688d54d1f36e405",
      "name": "18.10.10.2.2 \u2014 Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'",
      "description": "Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'",
      "rational": "Secure Boot ensures that only firmware digitally signed by authorized software \npublishers is loaded during computer startup, which reduces the risk of rootkits and \nother types of malware from gaining control of the system. It also helps provide \nprotection against malicious users booting from an alternate operating system.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Allow Secure \nBoot for integrity validation \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 8.0 & \nServer 2012 (non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSAllowSecureBootForIntegrity",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "579cc2e6973ca6544d20eb359ed6cd9e",
      "name": "18.10.10.2.3 \u2014 Ensure 'Choose how BitLocker-protected operating system drives can be recover...",
      "description": "Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled'",
      "rational": "Should a user lose their primary means for accessing an encrypted OS volume, or \nshould the system not pass its boot time integrity checks, the system will go into \nrecovery mode. If the recovery key has not been backed up to Active Directory, the user \nwould need to have saved the recovery key to another location such as a USB flash \ndrive, or have printed the recovery password, and now have a...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Choose how \nBitLocker-protected operating system drives can be recovered \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSRecovery",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "6c363c3b65e269f3e6da8e83cb285963",
      "name": "18.10.10.2.4 \u2014 Ensure 'Choose how BitLocker-protected operating system drives can be recover...",
      "description": "Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent' is set to 'Enabled: False'",
      "rational": "Should a user lose their primary means for accessing an encrypted OS volume, or \nshould the system not pass its boot time integrity checks, the system will go into \nrecovery mode. If the recovery key has not been backed up to Active Directory, the user \nwould need to have saved the recovery key to another location such as a USB flash \ndrive, or have printed the recovery password, and now have a...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: False (unchecked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Choose how \nBitLocker-protected operating system drives can be recovered: Allow data \nrecovery agent \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSManageDRA",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "788dabe80a7ab09a7f38284d006c1f28",
      "name": "18.10.10.2.5 \u2014 Ensure 'Choose how BitLocker-protected operating system drives can be recover...",
      "description": "Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password'",
      "rational": "Should a user lose their primary means for accessing an encrypted OS volume, or \nshould the system not pass its boot time integrity checks, the system will go into \nrecovery mode. If the recovery key has not been backed up to Active Directory, the user \nwould need to have saved the recovery key to another location such as a USB flash \ndrive, or have printed the recovery password, and now have a...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Require 48-digit recovery password: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Choose how \nBitLocker-protected operating system drives can be recovered: Recovery \nPassword \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 &...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSRecoveryPassword",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "41991389b7589c6d8daf925b740855fc",
      "name": "18.10.10.2.6 \u2014 Ensure 'Choose how BitLocker-protected operating system drives can be recover...",
      "description": "Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'",
      "rational": "Should a user lose their primary means for accessing an encrypted OS volume, or \nshould the system not pass its boot time integrity checks, the system will go into \nrecovery mode. If the recovery key has not been backed up to Active Directory, the user \nwould need to have saved the recovery key to another location such as a USB flash \ndrive, or have printed the recovery password, and now have a...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Do not allow 256-bit recovery key: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Choose how \nBitLocker-protected operating system drives can be recovered: Recovery Key \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSRecoveryKey",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c12e0adad4dc9789c51841f4960f6046",
      "name": "18.10.10.2.7 \u2014 Ensure 'Choose how BitLocker-protected operating system drives can be recover...",
      "description": "Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'",
      "rational": "Should a user lose their primary means for accessing an encrypted OS volume, or \nshould the system not pass its boot time integrity checks, the system will go into \nrecovery mode. If the recovery key has not been backed up to Active Directory, the user \nwould need to have saved the recovery key to another location such as a USB flash \ndrive, or have printed the recovery password, and now have a...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: True (checked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Choose how \nBitLocker-protected operating system drives can be recovered: Omit recovery \noptions from the BitLocker setup wizard \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Micros...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSHideRecoveryPage",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "51821924d4dbd6bf839047da29a9493b",
      "name": "18.10.10.2.8 \u2014 Ensure 'Choose how BitLocker-protected operating system drives can be recover...",
      "description": "Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True'",
      "rational": "Should a user lose their primary means for accessing an encrypted OS volume, or \nshould the system not pass its boot time integrity checks, the system will go into \nrecovery mode. If the recovery key has not been backed up to Active Directory, the user \nwould need to have saved the recovery key to another location such as a USB flash \ndrive, or have printed the recovery password, and now have a...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: True (checked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Choose how \nBitLocker-protected operating system drives can be recovered: Save BitLocker \nrecovery information to AD DS for operating system drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is inclu...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSActiveDirectoryBackup",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c3ad69d04dba6dcbc01caadad728d602",
      "name": "18.10.10.2.9 \u2014 Ensure 'Choose how BitLocker-protected operating system drives can be recover...",
      "description": "Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages'",
      "rational": "Should a user lose their primary means for accessing an encrypted OS volume, or \nshould the system not pass its boot time integrity checks, the system will go into \nrecovery mode. If the recovery key has not been backed up to Active Directory, the user \nwould need to have saved the recovery key to another location such as a USB flash \ndrive, or have printed the recovery password, and now have a...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Store recovery passwords and key packages: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Choose how \nBitLocker-protected operating system drives can be recovered: Configure \nstorage of BitLocker recovery information to AD DS: \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/ad...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSActiveDirectoryInfoToStore",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "0df3a771d4c3e15d1e398c20f40f6bc3",
      "name": "18.10.10.2.10 \u2014 Ensure 'Choose how BitLocker-protected operating system drives can be recover...",
      "description": "Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True'",
      "rational": "Should a user lose their primary means for accessing an encrypted OS volume, or \nshould the system not pass its boot time integrity checks, the system will go into \nrecovery mode. If the recovery key has not been backed up to Active Directory, the user \nwould need to have saved the recovery key to another location such as a USB flash \ndrive, or have printed the recovery password, and now have a...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: True (checked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Choose how \nBitLocker-protected operating system drives can be recovered: Do not enable \nBitLocker until recovery information is stored to AD DS for operating system \ndrives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncrypti...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSRequireActiveDirectoryBackup",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f615aeff1b7219577fa986c6bb3ad1ef",
      "name": "18.10.10.2.11 \u2014 Ensure 'Configure use of hardware-based encryption for operating system drive...",
      "description": "Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Disabled'",
      "rational": "From a security perspective hardware-based encryption may introduce vulnerabilities in \nthe hardware encryption of certain self-encrypting drives (SEDs), if the vendor and/or \nuser has not updated the firmware to remediate the vulnerability. For more information \nvisit ADV180028 - Security Update Guide - Microsoft - Guidance for configuring \nBitLocker to enforce software encryption.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Operating System Drives\\Configure use \nof hardware-based encryption for operating system drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 8.0 & \nServer 2012 (non-R2) Administrative Templates (or new...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|OSHardwareEncryption",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "d76c13cd6027045bc0cf775ae39ba350",
      "name": "18.10.10.3.1 \u2014 Ensure 'Allow access to BitLocker-protected removable data drives from earlie...",
      "description": "Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to 'Disabled'",
      "rational": "By default BitLocker virtualizes FAT formatted drives to permit access via the BitLocker \nTo Go Reader on previous versions of Windows. Additionally the BitLocker To Go \nReader application is applied to the unencrypted portion of the drive. \n\nThe BitLocker To Go Reader application, like any other application, is subject to \nspoofing and could be a mechanism to propagate malware.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Allow access to \nBitLocker-protected removable data drives from earlier versions of Windows \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templat...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVDiscoveryVolumeType",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "<"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "07b9c7276fc36ed58cd4b34b99202a0f",
      "name": "18.10.10.3.2 \u2014 Ensure 'Choose how BitLocker-protected removable drives can be recovered' is ...",
      "description": "Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Choose how \nBitLocker-protected removable drives can be recovered \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVRecovery",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "fb070bbfca47518c004a852634800ea9",
      "name": "18.10.10.3.3 \u2014 Ensure 'Choose how BitLocker-protected removable drives can be recovered: All...",
      "description": "Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set to 'Enabled: True'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker a Data Recovery Agent will need to be configured for removable \ndrives. To recover a drive will...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: True (checked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Choose how \nBitLocker-protected removable drives can be recovered: Allow data recovery \nagent \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Admin...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVManageDRA",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "010d6c5016b6db9631880f2e242b3612",
      "name": "18.10.10.3.4 \u2014 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Rec...",
      "description": "Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker a Data Recovery Agent will need to be configured for removable \ndrives. To recover a drive will...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Do not allow 48-digit recovery password: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Choose how \nBitLocker-protected removable drives can be recovered: Recovery Password \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Serve...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVRecoveryPassword",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "060902993b608836cc39d665f153ac4d",
      "name": "18.10.10.3.5 \u2014 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Rec...",
      "description": "Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker a Data Recovery Agent will need to be configured for removable \ndrives. To recover a drive will...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Do not allow 256-bit recovery key: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Choose how \nBitLocker-protected removable drives can be recovered: Recovery Key \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVRecoveryKey",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a003dfb1b8e0961a9cc81096ce170c75",
      "name": "18.10.10.3.6 \u2014 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omi...",
      "description": "Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker a Data Recovery Agent will need to be configured for removable \ndrives. To recover a drive will...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: True (checked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Choose how \nBitLocker-protected removable drives can be recovered: Omit recovery options \nfrom the BitLocker setup wizard \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windo...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVHideRecoveryPage",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "9382ece5fc24466b1150c420bbce9c95",
      "name": "18.10.10.3.7 \u2014 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Sav...",
      "description": "Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker a Data Recovery Agent will need to be configured for removable \ndrives. To recover a drive will...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: False (unchecked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Choose how \nBitLocker-protected removable drives can be recovered: Save BitLocker \nrecovery information to AD DS for removable data drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVActiveDirectoryBackup",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "01a8e1a521a3b13db34eed0e50485369",
      "name": "18.10.10.3.8 \u2014 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Con...",
      "description": "Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker a Data Recovery Agent will need to be configured for removable \ndrives. To recover a drive will...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Backup recovery passwords and key packages: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Choose how \nBitLocker-protected removable drives can be recovered: Configure storage of \nBitLocker recovery information to AD DS: \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVActiveDirectoryInfoToStore",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "67286fc202032d6949f38d6b825b4936",
      "name": "18.10.10.3.9 \u2014 Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do ...",
      "description": "Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False'",
      "rational": "Administrators should always have a safe, secure way to access encrypted data in the \nevent users cannot access their data. \n\nAdditionally, as with any authentication method, a drive can be compromised by \nguessing or finding the authentication information used to access the drive. \n\nTo use BitLocker a Data Recovery Agent will need to be configured for removable \ndrives. To recover a drive will...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: False (unchecked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Choose how \nBitLocker-protected removable drives can be recovered: Do not enable \nBitLocker until recovery information is stored to AD DS for removable data \ndrives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVRequireActiveDirectoryBackup",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "1aafe90016c1b651409f9febd937d2d3",
      "name": "18.10.10.3.10 \u2014 Ensure 'Configure use of hardware-based encryption for removable data drives'...",
      "description": "Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Disabled'",
      "rational": "From a security perspective hardware-based encryption may introduce vulnerabilities in \nthe hardware encryption of certain self-encrypting drives (SEDs), if the vendor and/or \nuser has not updated the firmware to remediate the vulnerability. For more information \nvisit ADV180028 - Security Update Guide - Microsoft - Guidance for configuring \nBitLocker to enforce software encryption.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Configure use of \nhardware-based encryption for removable data drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 8.0 & \nServer 2012 (non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVHardwareEncryption",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "cfd9a47744cbf13f7cb2e6dac6dc778b",
      "name": "18.10.10.3.11 \u2014 Ensure 'Configure use of passwords for removable data drives' is set to 'Disa...",
      "description": "Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled'",
      "rational": "Using a dictionary-style attack, passwords can be guessed or discovered by repeatedly \nattempting to unlock a drive. Since this type of BitLocker password does not include \nanti-dictionary attack protections provided by a TPM, for example, there is no \nmechanism to slow down use of rapid brute-force attacks against them.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Configure use of \npasswords for removable data drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVPassphrase",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "4d00227b18d5f676ae0a0cebcf50fb84",
      "name": "18.10.10.3.12 \u2014 Ensure 'Configure use of smart cards on removable data drives' is set to 'Ena...",
      "description": "Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled'",
      "rational": "A drive can be compromised by guessing or finding the authentication information used \nto access the drive. For example, a password could be guessed, or a drive set to \nautomatically unlock could be lost or stolen with the computer it automatically unlocks \nwith.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Configure use of \nsmart cards on removable data drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVAllowUserCert",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "17cfa451dfc6a4b499c5a7c7dd36095d",
      "name": "18.10.10.3.13 \u2014 Ensure 'Configure use of smart cards on removable data drives: Require use of...",
      "description": "Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives' is set to 'Enabled: True'",
      "rational": "A drive can be compromised by guessing or finding the authentication information used \nto access the drive. For example, a password could be guessed, or a drive set to \nautomatically unlock could be lost or stolen with the computer it automatically unlocks \nwith.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: True (checked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Configure use of \nsmart cards on removable data drives: Require use of smart cards on removable \ndata drives \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVEnforceUserCert",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a3cbcfdcfc2f627cd4dce5c07f7993c4",
      "name": "18.10.10.3.14 \u2014 Ensure 'Deny write access to removable drives not protected by BitLocker' is ...",
      "description": "Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled'",
      "rational": "Users may not voluntarily encrypt removable drives prior to saving important data to the \ndrive.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Deny write access \nto removable drives not protected by BitLocker \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included with the Microsoft Windows 7 & Server \n2008 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SYSTEM\\CurrentControlSet\\Policies\\Microsoft\\FVE|RDVDenyWriteAccess",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "b95dbfb7031d004aa0e8e4441ddc40fc",
      "name": "18.10.10.3.15 \u2014 Ensure 'Deny write access to removable drives not protected by BitLocker: Do ...",
      "description": "Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization' is set to 'Enabled: False'",
      "rational": "Restricting write access to BitLocker-protected removable drives that were configured in \nanother organization can hinder legitimate business operations where encrypted data \nsharing is necessary.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: False (unchecked): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\BitLocker Drive Encryption\\Removable Data Drives\\Deny write access \nto removable drives not protected by BitLocker: Do not allow write access to \ndevices configured in another organization \n\nNote: This Group Policy path is provided by the Group Policy template \nVolumeEncryption.admx/adml that is included wit...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE|RDVDenyCrossOrg",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "9a6a428bee66c46c975dfce2157b78d8",
      "name": "18.10.13.1 \u2014 Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'",
      "description": "Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'",
      "rational": "The use of consumer accounts in an enterprise managed environment is not good \nsecurity practice as it could lead to possible data leakage.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Cloud Content\\Turn off cloud consumer account state content \n\nNote: This Group Policy path is provided by the Group Policy template \nCloudContent.admx/adml that is included with the Microsoft Windows 11 Release \n21H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent|DisableConsumerAccountStateContent",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "5b2b6cbbe72a1ab74dcf8bd841f82d9a",
      "name": "18.10.13.3 \u2014 Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'",
      "description": "Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled'",
      "rational": "Having apps silently install in an enterprise managed environment is not good security \npractice - especially if the apps send data back to a third-party.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Cloud Content\\Turn off Microsoft consumer experiences \n\nNote: This Group Policy path is provided by the Group Policy template \nCloudContent.admx/adml that is included with the Microsoft Windows 10 Release \n1511 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent|DisableWindowsConsumerFeatures",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "49de099d2c94750c2deda92bb588362f",
      "name": "18.10.14.1 \u2014 Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled:...",
      "description": "Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'",
      "rational": "If this setting is not configured or disabled then a PIN would not be required when \npairing wireless display devices to the system, increasing the risk of unauthorized use. \n\nNote: This check only matches RequirePinForPairing = 1 (First Time). A host configured for \n'Always', which the benchmark also accepts, will be reported as non-compliant by this test \nand should be reviewed manually.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: First Time OR Enabled: Always: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Connect\\Require pin for pairing \n\nNote: This Group Policy path is provided by the Group Policy template \nWirelessDisplay.admx/adml that is included with the Microsoft Windows 10 Release \n1607 & Server 2016 Administrative Templates (or newer). The new Choose one of \nthe following actions sub-optio...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Connect|RequirePinForPairing",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "8a033659b18558c53d90889bbe5c7b1d",
      "name": "18.10.15.1 \u2014 Ensure 'Do not display the password reveal button' is set to 'Enabled'",
      "description": "Ensure 'Do not display the password reveal button' is set to 'Enabled'",
      "rational": "This is a useful feature when entering a long and complex password, especially when \nusing a touchscreen. The potential risk is that someone else may see your password \nwhile surreptitiously observing your screen.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Credential User Interface\\Do not display the password reveal \nbutton \n\nNote: This Group Policy path is provided by the Group Policy template \nCredUI.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 \n(non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CredUI|DisablePasswordReveal",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "e2f2ca88def1df5700fc6a73c01c9ed9",
      "name": "18.10.15.2 \u2014 Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'",
      "description": "Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled'",
      "rational": "Users could see the list of administrator accounts, making it slightly easier for a threat \nactor who has logged onto a console session to try to crack the passwords of those \naccounts.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Credential User Interface\\Enumerate administrator accounts on \nelevation \n\nNote: This Group Policy path is provided by the Group Policy template \nCredUI.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI|EnumerateAdministrators",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "6f04b8ab8001439c3f7aa569393c7c71",
      "name": "18.10.15.3 \u2014 Ensure 'Prevent the use of security questions for local accounts' is set to '...",
      "description": "Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled'",
      "rational": "Users could establish security questions that are easily guessed or sleuthed by \nobserving the user\u2019s social media accounts, making it easier for a malicious actor to \nchange the local user account password and gain access to the computer as that user \naccount.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Credential User Interface\\Prevent the use of security questions \nfor local accounts \n\nNote: This Group Policy path is provided by the Group Policy template \nCredUI.admx/adml that is included with the Microsoft Windows 10 Release 1903 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|NoLocalPasswordResetQuestions",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "ee6de0d5aa1f5c9b8152409cdf2c9cb0",
      "name": "18.10.16.1 \u2014 Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not r...",
      "description": "Ensure 'Allow Diagnostic Data' is set to 'Enabled: Diagnostic data off (not recommended)' or 'Enabled: Send required diagnostic data'",
      "rational": "Certain aspects of Microsoft Anti-Virus require the Allow Diagnostic Data setting to be on \nand sending data in order to function properly.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Diagnostic data off (not recommended) or Enabled: Send required \ndiagnostic data: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Data Collection and Preview Builds\\Allow Diagnostic Data \n\nNote: This Group Policy path is provided by the Group Policy template \nDataCollection.admx/adml that is included with the Microsoft Windows 10 RTM \n(Release 1507) Administrative Templates...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection|AllowTelemetry",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "4998440971b3dd590e41d6831fd30179",
      "name": "18.10.16.3 \u2014 Ensure 'Do not show feedback notifications' is set to 'Enabled'",
      "description": "Ensure 'Do not show feedback notifications' is set to 'Enabled'",
      "rational": "Data must never be shared with third-parties without explicit consent, as it may contain \nsensitive information.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Data Collection and Preview Builds\\Do not show feedback \nnotifications \n\nNote: This Group Policy path is provided by the Group Policy template \nFeedbackNotifications.admx/adml that is included with the Microsoft Windows 10 \nRelease 1511 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection|DoNotShowFeedbackNoti",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "8e8e8aff4e404acfaa61f25f0eb90841",
      "name": "18.10.16.4 \u2014 Ensure 'Enable OneSettings Auditing' is set to 'Enabled'",
      "description": "Ensure 'Enable OneSettings Auditing' is set to 'Enabled'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of threat actors.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Data Collection and Preview Builds\\Enable OneSettings Auditing \n\nNote: This Group Policy path is provided by the Group Policy template \nDataCollection.admx/adml that is included with the Microsoft Windows 11 Release \n21H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection|EnableOneSettingsAudi",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "1a3fb466a5ceba5a78fee519578c8e77",
      "name": "18.10.17.1 \u2014 Ensure 'Download Mode' is NOT set to 'Enabled: Internet'",
      "description": "Ensure 'Download Mode' is NOT set to 'Enabled: Internet'",
      "rational": "Due to privacy concerns and security risks, updates should only be downloaded directly \nfrom Microsoft, or from a trusted machine on the internal network that received its \nupdates from a trusted source and approved by the network administrator.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to any \nvalue other than Enabled: Internet (3): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Delivery Optimization\\Download Mode \n\nNote: This Group Policy path is provided by the Group Policy template \nDeliveryOptimization.admx/adml that is included with the Microsoft Windows 10 \nRTM (Release 1507) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization|DODownloadMode",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "a"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "6977a9e99993f3b0ffc518de7229037d",
      "name": "18.10.18.2 \u2014 Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'",
      "description": "Ensure 'Enable App Installer Experimental Features' is set to 'Disabled'",
      "rational": "Windows Package Manager is a command-line tool that can be used to discover, install, \nupgrade, remove and configure applications, and it can be used as a distribution \nchannel for software packages containing tools and applications. Users should not have \naccess to experimental features.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Desktop App Installer\\Enable App Installer Experimental Features \n\nNote: This Group Policy path is provided by the Group Policy template \nDesktopAppInstaller.admx/adml that is included with the Microsoft Windows 11 \nRelease 22H2 Administrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppInstaller|EnableExperimentalFeatu",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "7f920a6447080b4ceecb6c9075ce9084",
      "name": "18.10.18.3 \u2014 Ensure 'Enable App Installer Hash Override' is set to 'Disabled'",
      "description": "Ensure 'Enable App Installer Hash Override' is set to 'Disabled'",
      "rational": "Users should not have the ability to override SHA256 security validation.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Desktop App Installer\\Enable App Installer Hash Override \n\nNote: This Group Policy path is provided by the Group Policy template \nDesktopAppInstaller.admx/adml that is included with the Microsoft Windows 11 \nRelease 22H2 Administrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppInstaller|EnableHashOverride",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "85ace5658e79c8297c94d9a90fbbf663",
      "name": "18.10.18.4 \u2014 Ensure 'Enable App Installer Local Archive Malware Scan Override' is set to '...",
      "description": "Ensure 'Enable App Installer Local Archive Malware Scan Override' is set to 'Disabled'",
      "rational": "Users should not have the ability to override malware scans.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Desktop App Installer\\Enable App Installer Local Archive Malware \nScan Override \n\nNote: This Group Policy path is provided by the Group Policy template \nDesktopAppInstaller.admx/adml that is included with the Microsoft Windows 11 \nRelease 24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppInstaller|EnableLocalArchiveMalwa",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "41db4b9a031921a77f3163b763d75403",
      "name": "18.10.18.5 \u2014 Ensure 'Enable App Installer Microsoft Store Source Certificate Validation By...",
      "description": "Ensure 'Enable App Installer Microsoft Store Source Certificate Validation Bypass' is set to 'Disabled'",
      "rational": "It is important to validate that the Microsoft Store source is not spoofed.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Desktop App Installer\\Enable App Installer Microsoft Store Source \nCertificate Validation Bypass \n\nNote: This Group Policy path is provided by the Group Policy template \nDesktopAppInstaller.admx/adml that is included with the Microsoft Windows 11 \nRelease 24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppInstaller|EnableBypassCertificate",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "ba4e5f829076b6ed4c5e1d19810f6f68",
      "name": "18.10.18.6 \u2014 Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'",
      "description": "Ensure 'Enable App Installer ms-appinstaller protocol' is set to 'Disabled'",
      "rational": "Users should not have the ability to install an application by clicking a link on a website. \nIf an unknown or malicious link is clicked, malicious software could be installed on the \nsystem.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Desktop App Installer\\Enable App Installer ms-appinstaller \nprotocol \n\nNote: This Group Policy path is provided by the Group Policy template \nDesktopAppInstaller.admx/adml that is included with the Microsoft Windows 11 \nRelease 22H2 Administrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppInstaller|EnableMSAppInstallerPro",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f77d0bf84516fc06b4c695bdd0fcf753",
      "name": "18.10.26.1.1 \u2014 Ensure 'Application: Control Event Log behavior when the log file reaches its...",
      "description": "Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'",
      "rational": "If new events are not recorded it may be difficult or impossible to determine the root \ncause of system problems or the unauthorized activities of threat actors.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Event Log Service\\Application\\Control Event Log behavior when the \nlog file reaches its maximum size \n\nNote: This Group Policy path is provided by the Group Policy template \nEventLog.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Windows Administr...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Application|Retention",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f87b004fba6c796ef660572735b529af",
      "name": "18.10.26.1.2 \u2014 Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabl...",
      "description": "Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of threat actors. \n\nThe consequence of this configuration is that older events will be removed from the \nlogs. Threat actors can take advantage of such a configuration, because they can \ngenerate a large number of extraneous events to overwrite any evidence...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 32,768 or greater: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Event Log Service\\Application\\Specify the maximum log file size \n(KB) \n\nNote: This Group Policy path is provided by the Group Policy template \nEventLog.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Windows Administrative Templat...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Application|MaxSize",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "e1e043785b1fd45740fbb0d68fb5949b",
      "name": "18.10.26.2.1 \u2014 Ensure 'Security: Control Event Log behavior when the log file reaches its ma...",
      "description": "Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'",
      "rational": "If new events are not recorded it may be difficult or impossible to determine the root \ncause of system problems or the unauthorized activities of threat actors.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Event Log Service\\Security\\Control Event Log behavior when the log \nfile reaches its maximum size \n\nNote: This Group Policy path is provided by the Group Policy template \nEventLog.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Windows Administrati...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Security|Retention",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a4c0bfcf98c119d411f9436c4045fbd8",
      "name": "18.10.26.2.2 \u2014 Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled:...",
      "description": "Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of threat actors. \n\nThe consequence of this configuration is that older events will be removed from the \nlogs. Threat actors can take advantage of such a configuration, because they can \ngenerate a large number of extraneous events to overwrite any evidence...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 196,608 or greater: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Event Log Service\\Security\\Specify the maximum log file size (KB) \n\nNote: This Group Policy path is provided by the Group Policy template \nEventLog.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Windows Administrative Templates,...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Security|MaxSize",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "787c3a6b9ffd43eaf9f343336af0add2",
      "name": "18.10.26.3.1 \u2014 Ensure 'Setup: Control Event Log behavior when the log file reaches its maxim...",
      "description": "Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'",
      "rational": "If new events are not recorded it may be difficult or impossible to determine the root \ncause of system problems or the unauthorized activities of threat actors.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Event Log Service\\Setup\\Control Event Log behavior when the log \nfile reaches its maximum size \n\nNote: This Group Policy path is provided by the Group Policy template \nEventLog.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Windows Administrative...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Setup|Retention",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "3ca6ff3fb10bc3e169ca76b912b55195",
      "name": "18.10.26.3.2 \u2014 Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32...",
      "description": "Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of threat actors. \n\nThe consequence of this configuration is that older events will be removed from the \nlogs. Threat actors can take advantage of such a configuration, because they can \ngenerate a large number of extraneous events to overwrite any evidence...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 32,768 or greater: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Event Log Service\\Setup\\Specify the maximum log file size (KB) \n\nNote: This Group Policy path is provided by the Group Policy template \nEventLog.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Windows Administrative Templates, thi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\Setup|MaxSize",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "82df0cc33ca7d56a274499e6405123bc",
      "name": "18.10.26.4.1 \u2014 Ensure 'System: Control Event Log behavior when the log file reaches its maxi...",
      "description": "Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled'",
      "rational": "If new events are not recorded it may be difficult or impossible to determine the root \ncause of system problems or the unauthorized activities of threat actors.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Event Log Service\\System\\Control Event Log behavior when the log \nfile reaches its maximum size \n\nNote: This Group Policy path is provided by the Group Policy template \nEventLog.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Windows Administrative...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\System|Retention",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c50bc1a33bebaf98da1a051a0251b1e0",
      "name": "18.10.26.4.2 \u2014 Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 3...",
      "description": "Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater'",
      "rational": "If events are not recorded it may be difficult or impossible to determine the root cause of \nsystem problems or the unauthorized activities of threat actors. \n\nThe consequence of this configuration is that older events will be removed from the \nlogs. Threat actors can take advantage of such a configuration, because they can \ngenerate a large number of extraneous events to overwrite any evidence...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 32,768 or greater: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Event Log Service\\System\\Specify the maximum log file size (KB) \n\nNote: This Group Policy path is provided by the Group Policy template \nEventLog.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Windows Administrative Templates, th...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\EventLog\\System|MaxSize",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a091e44aa8cedf2c45cbc49bb56a4023",
      "name": "18.10.29.3 \u2014 Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'",
      "description": "Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled'",
      "rational": "Data Execution Prevention is an important security feature supported by Explorer that \nhelps to limit the impact of certain types of malware.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\File Explorer\\Turn off Data Execution Prevention for Explorer \n\nNote: This Group Policy path is provided by the Group Policy template \nExplorer.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer|NoDataExecutionPrevention",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "8ccec3c7a5900f5d9a443d4e08018aa4",
      "name": "18.10.29.4 \u2014 Ensure 'Do not apply the Mark of the Web tag to files copied from insecure so...",
      "description": "Ensure 'Do not apply the Mark of the Web tag to files copied from insecure sources' is set to 'Disabled'",
      "rational": "MOTW is an important security feature that ensures files from insecure locations are \ntreated with extra caution and are tagged with MOTW. If files are left untagged, users \nand computers could be exposed to security risks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\File Explorer\\Do not apply the Mark of the Web tag to files copied \nfrom insecure sources \n\nNote: This Group Policy path is provided by the Group Policy template \nExplorer.admx/adml that is included with the Microsoft Windows 11 Release 24H2 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer|DisableMotWOnInsecurePathCo",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a1fa4e1cb22675cabb41bae7704e0f3f",
      "name": "18.10.29.5 \u2014 Ensure 'Turn off heap termination on corruption' is set to 'Disabled'",
      "description": "Ensure 'Turn off heap termination on corruption' is set to 'Disabled'",
      "rational": "Allowing an application to keep running after its session has become corrupt increases the \nrisk to the system.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\File Explorer\\Turn off heap termination on corruption \n\nNote: This Group Policy path is provided by the Group Policy template \nExplorer.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Explorer|NoHeapTerminationOnCorrupti",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a61734ed05a0ec91a446304f65800f73",
      "name": "18.10.29.6 \u2014 Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'",
      "description": "Ensure 'Turn off shell protocol protected mode' is set to 'Disabled'",
      "rational": "Restricting the opening of files and folders to a limited set reduces the attack surface of the \nsystem.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\File Explorer\\Turn off shell protocol protected mode \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsExplorer.admx/adml that is included with all versions of the Microsoft \nWindows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer|PreXPSP2Shel",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f53abc4f97dccdaeb314ef622f71860c",
      "name": "18.10.41.1 \u2014 Ensure 'Block all consumer Microsoft account user authentication' is set to '...",
      "description": "Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled'",
      "rational": "Organizations that want to effectively implement identity management policies and \nmaintain firm control of what accounts are used on their computers will probably want to \nblock Microsoft accounts. Organizations may also need to block Microsoft accounts in \norder to meet the requirements of compliance standards that apply to their information \nsystems.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft accounts\\Block all consumer Microsoft account user \nauthentication \n\nNote: This Group Policy path is provided by the Group Policy template \nMSAPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1703 \nAdministrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\MicrosoftAccount|DisableUserAuth",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "18551c98cff3fdcd5c095d3862b444c5",
      "name": "18.10.42.4.1 \u2014 Ensure 'Enable EDR in block mode' is set to 'Enabled'",
      "description": "Ensure 'Enable EDR in block mode' is set to 'Enabled'",
      "rational": "When Microsoft Defender Antivirus is not the primary antivirus product and is running in \npassive mode, EDR in block mode provides added protection against malicious \nartifacts.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Features\\Enable EDR in block mode \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Features|PassiveRemediation",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "64c85ad8953ab2f582cd8c93a7ae70a4",
      "name": "18.10.42.5.1 \u2014 Ensure 'Configure local setting override for reporting to Microsoft MAPS' is ...",
      "description": "Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled'",
      "rational": "The decision on whether or not to participate in Microsoft MAPS / Microsoft Defender \nAntivirus Cloud Protection Service for malicious software reporting should be made \ncentrally in an enterprise managed environment, so that all computers within it behave \nconsistently in that regard. Configuring this setting to Disabled ensures that the decision \nremains centrally managed.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\MAPS\\Configure local setting override \nfor reporting to Microsoft MAPS \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet|LocalSettingOverrideSpynetReporting",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "65a9221f1b795fcc494acb4402fcdb77",
      "name": "18.10.42.5.2 \u2014 Ensure 'Join Microsoft MAPS' is set to 'Enabled: Advanced'",
      "description": "Ensure 'Join Microsoft MAPS' is set to 'Enabled: Advanced'",
      "rational": "Cloud protection works with Microsoft Defender Antivirus to provide intelligent, real-time \nthreat detection. Microsoft strongly recommends enabling cloud protection, as several \nadvanced security features in Microsoft Defender for Endpoint rely on it to function \nproperly. To fully take advantage of these protections, including several ASR rules, this \nsetting must be enabled to allow for MAPS...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Advanced: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\MAPS\\Join Microsoft MAPS \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet|SpynetReporting",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "0389d5d44c70769916fd5039f897726f",
      "name": "18.10.42.6.1.1 \u2014 Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'",
      "description": "Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled'",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect machines.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Microsoft Defender Exploit \nGuard\\Attack Surface Reduction\\Configure Attack Surface Reduction rules \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release \n1709 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR|ExploitGuard_ASR_Rules",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "ecdca813d911e1eafcaa7a4e3c9e2621",
      "name": "18.10.42.6.1.2 \u2014 Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR ...",
      "description": "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured",
      "rational": "Attack surface reduction helps prevent actions and apps that are typically used by \nexploit-seeking malware to infect machines.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path so that \n26190899-1602-49e8-8b27-eb1d0a1ce869, 3b576869-a4ec-4529-8536-b80a7769e899, 56a863a9-875e-4185-98a7-b882c64b5ce5, 5beb7efe-fd9a-4556-801d-275e5ffc04cc, 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84, 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c, 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b, 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2, b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4, be9ba2d9-53ea-4cdc-84e5-9b1eeee46550, d3e037e1-3eb8-44c8-a917-5...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Windows Defender Exploit Guard\\ASR\\Rules|26190899",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c22c4d0e4302fe7a8703e5cf06c1ff14",
      "name": "18.10.42.6.3.1 \u2014 Ensure 'Prevent users and apps from accessing dangerous websites' is set to '...",
      "description": "Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block'",
      "rational": "This setting can help prevent employees from using any application to access \ndangerous domains that may host phishing scams, exploit-hosting sites, and other \nmalicious content on the Internet.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Block: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Defender Antivirus\\Windows Defender Exploit Guard\\Network \nProtection\\Prevent users and apps from accessing dangerous websites \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release \n1709 Administrative Templates (...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\windows Defender\\Windows Defender Exploit Guard\\Network Protection|EnableNetworkProtection",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "69915b61b76aae763c22ba744789b7b9",
      "name": "18.10.42.7.1 \u2014 Ensure 'Enable file hash computation feature' is set to 'Enabled'",
      "description": "Ensure 'Enable file hash computation feature' is set to 'Enabled'",
      "rational": "When running an antivirus solution such as Microsoft Defender Antivirus, it is important \nto ensure that it is configured to monitor for suspicious and known malicious activity. \nFile hashes are a reliable way of detecting changes to files, and can speed up the scan \nprocess by skipping files that have not changed since they were last scanned and \ndetermined to be safe. A changed file hash can...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\MpEngine\\Enable file hash computation \nfeature \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release \n1709 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\MpEngine|EnableFileHashComputation",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "0203ae55f348bb76eadd0d21f41a6bbc",
      "name": "18.10.42.10.1 \u2014 Ensure 'Configure real-time protection and Security Intelligence Updates duri...",
      "description": "Ensure 'Configure real-time protection and Security Intelligence Updates during OOBE' is set to 'Enabled'",
      "rational": "Critical Windows zero-day patch updates should be applied during OOBE to help \nmitigate malicious attacks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Real-Time Protection\\Configure real-\ntime protection and Security Intelligence Updates during OOBE \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|OobeEnableRtpAndSigUpdate",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "09a58fe8c8bfca1fec43a431feb7aaae",
      "name": "18.10.42.10.2 \u2014 Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'",
      "description": "Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'",
      "rational": "When running an antivirus solution such as Microsoft Defender Antivirus, it is important \nto ensure that it is configured to heuristically monitor in real-time for suspicious and \nknown malicious activity.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Real-Time Protection\\Scan all \ndownloaded files and attachments \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|DisableIOAVProtection",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "be5a0262b5bc1a33f93f4ef9504dee2f",
      "name": "18.10.42.10.3 \u2014 Ensure 'Turn off real-time protection' is set to 'Disabled'",
      "description": "Ensure 'Turn off real-time protection' is set to 'Disabled'",
      "rational": "When running an antivirus solution such as Microsoft Defender Antivirus, it is important \nto ensure that it is configured to heuristically monitor in real-time for suspicious and \nknown malicious activity.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn off real-\ntime protection \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|DisableRealtimeMonitoring",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "690443ebcaa176af8b6ba5c93b6b34f6",
      "name": "18.10.42.10.4 \u2014 Ensure 'Turn on behavior monitoring' is set to 'Enabled'",
      "description": "Ensure 'Turn on behavior monitoring' is set to 'Enabled'",
      "rational": "When running an antivirus solution such as Microsoft Defender Antivirus, it is important \nto ensure that it is configured to heuristically monitor in real-time for suspicious and \nknown malicious activity.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn on behavior \nmonitoring \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|DisableBehaviorMonitoring",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "660fd8e1e4503812945218a9458913fa",
      "name": "18.10.42.10.5 \u2014 Ensure 'Turn on script scanning' is set to 'Enabled'",
      "description": "Ensure 'Turn on script scanning' is set to 'Enabled'",
      "rational": "When running an antivirus solution such as Microsoft Defender Antivirus, it is important \nto ensure that it is configured to heuristically monitor in real-time for suspicious and \nknown malicious activity.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Real-Time Protection\\Turn on script \nscanning \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n21H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection|DisableScriptScanning",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "8d10abd3b0647ff3fa83df6fa1292822",
      "name": "18.10.42.11.1.1.2 \u2014 Ensure 'Configure Remote Encryption Protection Mode' is set to 'Enabled: Audi...",
      "description": "Ensure 'Configure Remote Encryption Protection Mode' is set to 'Enabled: Audit' or higher",
      "rational": "This feature assists with mitigating brute force attempts by detecting and blocking \nunauthorized sign-ins and sessions.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Audit or Enabled: Block: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Remediation\\Behavioral Network \nBlocks\\Brute-Force Protection\\Configure Remote Encryption Protection Mode \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administ...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Remediation\\Behavioral Network Blocks\\Brute Force Protection|BruteForceProtectionConfiguredState",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "5ed9d19548b92ec5f7ba3f0c4daa1e73",
      "name": "18.10.42.13.1 \u2014 Ensure 'Scan excluded files and directories during quick scans' is set to 'En...",
      "description": "Ensure 'Scan excluded files and directories during quick scans' is set to 'Enabled: 1'",
      "rational": "The Real-time Protection feature excludes some files and directories for contextual \nreasons. This setting ensures that these are scanned during a Quick Scan.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Scan excluded files and \ndirectories during quick scans \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|QuickScanIncludeExclusions",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "e1ca760613dbb6526deb84e7b8774ff2",
      "name": "18.10.42.13.2 \u2014 Ensure 'Scan packed executables' is set to 'Enabled'",
      "description": "Ensure 'Scan packed executables' is set to 'Enabled'",
      "rational": "Packing executables is a way to compress and create smaller files and can make it \ndifficult to access and analyze the code associated with the executable. This is a \ncommon method to obfuscate malicious executables by bad actors.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Scan packed executables \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 and \nServer 2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|DisablePackedExeScanning",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c942fcf304a825a7a6f3fb161d08b217",
      "name": "18.10.42.13.3 \u2014 Ensure 'Scan removable drives' is set to 'Enabled'",
      "description": "Ensure 'Scan removable drives' is set to 'Enabled'",
      "rational": "It is important to ensure that any present removable drives are always included in any \ntype of scan, as removable drives are more likely to contain malicious software brought \ninto the enterprise managed environment from an external, unmanaged computer.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Scan removable drives \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|DisableRemovableDriveScanning",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a0dae071bdbb79140d69a26f02b6cb70",
      "name": "18.10.42.13.4 \u2014 Ensure 'Trigger a quick scan after X days without any scans' is set to 'Enabl...",
      "description": "Ensure 'Trigger a quick scan after X days without any scans' is set to 'Enabled: 7'",
      "rational": "Antivirus scans should be performed on a regular basis so that malicious software can \nbe detected and remediated before malicious activity occurs.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 7 days: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Trigger a quick scan after X \ndays without any scans \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|DaysUntilAggressiveCatchupQuickScan",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "7"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "5c2a5bd5c861f29791ad3cc577b335c9",
      "name": "18.10.42.13.5 \u2014 Ensure 'Turn on e-mail scanning' is set to 'Enabled'",
      "description": "Ensure 'Turn on e-mail scanning' is set to 'Enabled'",
      "rational": "Incoming e-mails should be scanned by an antivirus solution such as Microsoft \nDefender Antivirus, as email attachments are a commonly used attack vector to infiltrate \ncomputers with malicious software.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Scan\\Turn on e-mail scanning \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server \n2012 R2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Scan|DisableEmailScanning",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "07bf628fc95c2667cd1ff7b348dc1b1a",
      "name": "18.10.42.16 \u2014 Ensure 'Configure detection for potentially unwanted applications' is set to ...",
      "description": "Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'",
      "rational": "Potentially unwanted applications can increase the risk of your network being infected \nwith malware, cause malware infections to be harder to identify, and can waste IT \nresources in cleaning up the applications. They should be blocked from installation.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Block: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Configure detection for potentially \nunwanted applications \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 10 Release \n1809 & Server 2019 Administrative Templates (or newer). \n\nPage 1120",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender|PUAProtection",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "2e9ae265059f262385d4c8e16826f5be",
      "name": "18.10.42.17 \u2014 Ensure 'Control whether exclusions are visible to local users' is set to 'Ena...",
      "description": "Ensure 'Control whether exclusions are visible to local users' is set to 'Enabled'",
      "rational": "Only administrators should be able to view and manage Microsoft Defender Antivirus \nexclusions.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Antivirus\\Control whether exclusions are \nvisible to local users \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefender.admx/adml that is included with the Microsoft Windows 11 Release \n24H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender|HideExclusionsFromLocalUsers",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "0b0a1b0ea405764a7f8dba4ee1ae1751",
      "name": "18.10.43.1 \u2014 Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set...",
      "description": "Ensure 'Allow auditing events in Microsoft Defender Application Guard' is set to 'Enabled'",
      "rational": "Auditing of Microsoft Defender Application Guard events may be useful when \ninvestigating a security incident.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Application Guard\\Allow auditing events in \nMicrosoft Defender Application Guard \n\nNote: This Group Policy path is provided by the Group Policy template \nAppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1709 \nAdministrative Templates (or newer). \n\nNote #2: In older Microsoft Windows A...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\AppHVSI|AuditApplicationGuard",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a655e82fa6755b25964076e6c36ce565",
      "name": "18.10.43.2 \u2014 Ensure 'Allow camera and microphone access in Microsoft Defender Application ...",
      "description": "Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is set to 'Disabled'",
      "rational": "In an effort to stop sensitive information from being obtained for malicious use, untrusted \nsites within the Microsoft Defender Application Guard container should not be accessing \nthe computer's microphone or camera.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Application Guard\\Allow camera and microphone \naccess in Microsoft Defender Application Guard \n\nNote: This Group Policy path is provided by the Group Policy template \nAppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1809 & \nServer 2019 Administrative Templates (or newer). \n\nNote #2: I...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\AppHVSI|AllowCameraMicrophoneRedirection",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "9487a1475caf79024ebb34f12ae1b60f",
      "name": "18.10.43.3 \u2014 Ensure 'Allow data persistence for Microsoft Defender Application Guard' is s...",
      "description": "Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to 'Disabled'",
      "rational": "The primary purpose of Microsoft Defender Application Guard is to present a \n\"sandboxed container\" for visiting untrusted websites. If data persistence is allowed, \nthen it reduces the effectiveness of the sandboxing, and malicious content will be able \nto remain active in the Microsoft Defender Application Guard container between \nsessions.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Application Guard\\Allow data persistence for \nMicrosoft Defender Application Guard \n\nNote: This Group Policy path is provided by the Group Policy template \nAppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1709 \nAdministrative Templates (or newer). \n\nNote #2: In older Microsoft Window...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\AppHVSI|AllowPersistence",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a64e0eda909ceba2b67242cb0475a343",
      "name": "18.10.43.4 \u2014 Ensure 'Allow files to download and save to the host operating system from Mi...",
      "description": "Ensure 'Allow files to download and save to the host operating system from Microsoft Defender Application Guard' is set to 'Disabled'",
      "rational": "The primary purpose of Microsoft Defender Application Guard is to present a \n\"sandboxed container\". Potentially malicious files should not be copied to the host OS \nfrom the sandboxed environment, which could put the host at risk.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Application Guard\\Allow files to download and \nsave to the host operating system from Microsoft Defender Application Guard \n\nNote: This Group Policy path is provided by the Group Policy template \nAppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1803 \nAdministrative Templates (or newe...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\AppHVSI|SaveFilesToHost",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f305e88e77fbf3ebf24806e3c06aae6d",
      "name": "18.10.43.5 \u2014 Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Cl...",
      "description": "Ensure 'Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'",
      "rational": "The primary purpose of Microsoft Defender Application Guard is to present a \n\"sandboxed container\" for visiting untrusted websites. If the host clipboard is made \navailable to Microsoft Defender Application Guard, a compromised Microsoft Defender \nApplication Guard session will have access to its content, potentially exposing sensitive \ninformation to a malicious website or application. However...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Enable clipboard operation from an isolated session to the \nhost \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Application Guard\\Configure Microsoft Defender \nApplication Guard clipboard settings: Clipboard behavior setting \n\nNote: This Group Policy path is provided by the Group Policy template \nAppHVSI.admx/adml that is included with the Microsoft Wind...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\AppHVSI|AppHVSIClipboardSettings",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "04f0dbbde5065ff252591055058fdd7c",
      "name": "18.10.43.6 \u2014 Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set ...",
      "description": "Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled: 1'",
      "rational": "Microsoft Defender Application Guard uses Windows Hypervisor to create a virtualized \nenvironment for apps that are configured to use virtualization-based security isolation. \nWhile in isolation, improper user interactions and app vulnerabilities can\u2019t compromise \nthe kernel or any other apps running outside of the virtualized environment. \n\nPage 1139",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 1: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Microsoft Defender Application Guard\\Turn on Microsoft Defender \nApplication Guard in Managed Mode \n\nNote: This Group Policy path is provided by the Group Policy template \nAppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1703 \nAdministrative Templates (or newer). \n\nNote #2: In older Microsoft Windows...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\AppHVSI|AllowAppHVSI_ProviderSet",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "de082f41b61516c0ebeb8884b9fece3c",
      "name": "18.10.57.2.3 \u2014 Ensure 'Do not allow passwords to be saved' is set to 'Enabled'",
      "description": "Ensure 'Do not allow passwords to be saved' is set to 'Enabled'",
      "rational": "A threat actor with physical access to the computer may be able to break the protection \nguarding saved passwords. A threat actor who compromises a user's account and \nconnects to their computer could use saved passwords to gain access to additional \nhosts.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Remote Desktop Services\\Remote Desktop Connection Client\\Do not \nallow passwords to be saved \n\nNote: This Group Policy path is provided by the Group Policy template \nTerminalServer.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nPage 1157",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|DisablePasswordSaving",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "5597c4b6b6aea009e8a23bb28f4fa58d",
      "name": "18.10.57.3.3.3 \u2014 Ensure 'Do not allow drive redirection' is set to 'Enabled'",
      "description": "Ensure 'Do not allow drive redirection' is set to 'Enabled'",
      "rational": "Data could be forwarded from the user's Remote Desktop Services session to the user's \nlocal computer without any direct user interaction. Malicious software already present \non a compromised server would have direct and stealthy disk access to the user's local \ncomputer during the Remote Desktop session.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Remote Desktop Services\\Remote Desktop Session Host\\Device and \nResource Redirection\\Do not allow drive redirection \n\nNote: This Group Policy path is provided by the Group Policy template \nTerminalServer.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|fDisableCdm",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "b2bed15584f48620fbe3e988511a410e",
      "name": "18.10.57.3.9.1 \u2014 Ensure 'Always prompt for password upon connection' is set to 'Enabled'",
      "description": "Ensure 'Always prompt for password upon connection' is set to 'Enabled'",
      "rational": "Users have the option to store both their username and password when they create a \nnew Remote Desktop Connection shortcut. If the server that runs Remote Desktop \nServices allows users who have used this feature to log on to the server but not enter \ntheir password, then it is possible that a threat actor who has gained physical access to \nthe user's computer could connect to a Remote Desktop...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Remote Desktop Services\\Remote Desktop Session \nHost\\Security\\Always prompt for password upon connection \n\nNote: This Group Policy path is provided by the Group Policy template \nTerminalServer.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In the Microsoft Windows Vi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|fPromptForPassword",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "e0221047b03d6b0106e1eb673260202e",
      "name": "18.10.57.3.9.2 \u2014 Ensure 'Require secure RPC communication' is set to 'Enabled'",
      "description": "Ensure 'Require secure RPC communication' is set to 'Enabled'",
      "rational": "Allowing insecure RPC communication can expose the server to man-in-the-middle \nattacks and data disclosure attacks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Remote Desktop Services\\Remote Desktop Session \nHost\\Security\\Require secure RPC communication \n\nNote: This Group Policy path is provided by the Group Policy template \nTerminalServer.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nPage 1183",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|fEncryptRPCTraffic",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "28b9a2bac7a2acb0c49757ef3f8ec8a9",
      "name": "18.10.57.3.9.3 \u2014 Ensure 'Require use of specific security layer for remote (RDP) connections' ...",
      "description": "Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'",
      "rational": "The native RDP encryption is now considered a weak protocol, so enforcing the use of \nstronger TLS encryption for all RDP communications between clients and RD Session \nHost servers is preferred.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: SSL: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Remote Desktop Services\\Remote Desktop Session \nHost\\Security\\Require use of specific security layer for remote (RDP) \nconnections \n\nNote: This Group Policy path is provided by the Group Policy template \nTerminalServer.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|SecurityLayer",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "e28548824b2c93adb7220f1d785b4697",
      "name": "18.10.57.3.9.4 \u2014 Ensure 'Require user authentication for remote connections by using Network L...",
      "description": "Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'",
      "rational": "Requiring that user authentication occur earlier in the remote connection process \nenhances security.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Remote Desktop Services\\Remote Desktop Session \nHost\\Security\\Require user authentication for remote connections by using \nNetwork Level Authentication \n\nNote: This Group Policy path is provided by the Group Policy template \nTerminalServer.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Te...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|UserAuthentication",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "0568c3c10dc43ac21e7d937363181fdd",
      "name": "18.10.57.3.9.5 \u2014 Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'",
      "description": "Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'",
      "rational": "If Remote Desktop client connections that use low level encryption are allowed, it is \nmore likely that a threat actor will be able to decrypt any captured Remote Desktop \nServices network traffic.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: High Level: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Remote Desktop Services\\Remote Desktop Session Host\\Security\\Set \nclient connection encryption level \n\nNote: This Group Policy path is provided by the Group Policy template \nTerminalServer.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nPage 1189",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|MinEncryptionLevel",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "3"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "3beb6b948f1eecdf63ccfd4284b843ff",
      "name": "18.10.57.3.11.1 \u2014 Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'",
      "description": "Ensure 'Do not delete temp folders upon exit' is set to 'Disabled'",
      "rational": "Sensitive information could be contained inside the temporary folders and visible to \nother administrators that log into the system.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Remote Desktop Services\\Remote Desktop Session Host\\Temporary \nFolders\\Do not delete temp folders upon exit \n\nNote: This Group Policy path is provided by the Group Policy template \nTerminalServer.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Wind...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services|DeleteTempDirsOnExit",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a33ac5ccfd32b97c395d5f403db46b73",
      "name": "18.10.58.1 \u2014 Ensure 'Prevent downloading of enclosures' is set to 'Enabled'",
      "description": "Ensure 'Prevent downloading of enclosures' is set to 'Enabled'",
      "rational": "Allowing attachments to be downloaded through the RSS feed can introduce files that \ncould have malicious intent.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\RSS Feeds\\Prevent downloading of enclosures \n\nNote: This Group Policy path is provided by the Group Policy template \nInetRes.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsoft Windows Administrative Templates, this setting was named \nTurn off downloadi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Feeds|DisableEnclosureDownload",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "e155e038b371a6acb6cb1c49ce9eb55a",
      "name": "18.10.59.3 \u2014 Ensure 'Allow Cortana' is set to 'Disabled'",
      "description": "Ensure 'Allow Cortana' is set to 'Disabled'",
      "rational": "If Cortana is enabled, sensitive information could be contained in search history and \nsent out to Microsoft.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Search\\Allow Cortana \n\nNote: This Group Policy path is provided by the Group Policy template \nSearch.admx/adml that is included with the Microsoft Windows 10 RTM (Release \n1507) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search|AllowCortana",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "fce130b173460df247fdfd7c51a6a7a4",
      "name": "18.10.59.4 \u2014 Ensure 'Allow Cortana above lock screen' is set to 'Disabled'",
      "description": "Ensure 'Allow Cortana above lock screen' is set to 'Disabled'",
      "rational": "Access to any computer resource should not be allowed when the device is locked.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Search\\Allow Cortana above lock screen \n\nNote: This Group Policy path is provided by the Group Policy template \nSearch.admx/adml that is included with the Microsoft Windows 10 Release 1607 & \nServer 2016 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search|AllowCortanaAboveLock",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "6e2611bbbcdc8ec8790a64659f122371",
      "name": "18.10.59.5 \u2014 Ensure 'Allow indexing of encrypted files' is set to 'Disabled'",
      "description": "Ensure 'Allow indexing of encrypted files' is set to 'Disabled'",
      "rational": "Indexing and allowing users to search encrypted files could potentially reveal \nconfidential data stored within the encrypted files.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Search\\Allow indexing of encrypted files \n\nNote: This Group Policy path is provided by the Group Policy template \nSearch.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search|AllowIndexingEncryptedStoresOrItems",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "9a08507cddad91713f9016d037d61623",
      "name": "18.10.59.6 \u2014 Ensure 'Allow search and Cortana to use location' is set to 'Disabled'",
      "description": "Ensure 'Allow search and Cortana to use location' is set to 'Disabled'",
      "rational": "In an enterprise managed environment, allowing Cortana and Search to have access to \nlocation data is unnecessary. Organizations likely do not want this information shared \nout.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Search\\Allow search and Cortana to use location \n\nNote: This Group Policy path is provided by the Group Policy template \nSearch.admx/adml that is included with the Microsoft Windows 10 RTM (Release \n1507) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Search|AllowSearchToUseLocation",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "117bbbb4d8be3a6bc7c0604c89eb381e",
      "name": "18.10.66.2 \u2014 Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'",
      "description": "Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled'",
      "rational": "Keeping your system properly patched can help protect against 0 day vulnerabilities.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Store\\Turn off Automatic Download and Install of updates \n\nNote: This Group Policy path is provided by the Group Policy template \nWinStoreUI.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 \nR2 Administrative Templates, or by the Group Policy template \nWindowsStore.admx/adml that is included with the Mi...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsStore|AutoDownload",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "4"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "603b5c11f346a15c7bb0232e2b92cf37",
      "name": "18.10.66.3 \u2014 Ensure 'Turn off the offer to update to the latest version of Windows' is set...",
      "description": "Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled'",
      "rational": "Unplanned OS upgrades can lead to more preventable support calls. The IT department \nshould be managing and approving all upgrades and updates.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Store\\Turn off the offer to update to the latest version of \nWindows \n\nNote: This Group Policy path is provided by the Group Policy template \nWinStoreUI.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 \nR2 Administrative Templates, or by the Group Policy template \nWindowsStore.admx/adml that is included...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsStore|DisableOSUpgrade",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "67e1dac1dc40f67d1ff6e33fec574dd0",
      "name": "18.10.73.1 \u2014 Ensure 'Allow Recall to be enabled' is set to 'Disabled'",
      "description": "Ensure 'Allow Recall to be enabled' is set to 'Disabled'",
      "rational": "Saving snapshots of all user activity could result in sensitive information such as \npasswords or banking details being stored insecurely and making it easily accessible. \n\nNote: Recall isn't available on managed devices by default and individual users can't \nenable Recall on their own.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled. \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows AI\\Allow Recall to be enabled \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsCopilot.admx/adml that is included with the Microsoft Windows 11 Release \n25H2 Administrative Templates (or newer). \n\nPage 1232",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsAI|AllowRecallEnablement",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "b41a924aa9e028cd411dcba1430bc197",
      "name": "18.10.77.1.1 \u2014 Ensure 'Automatic Data Collection' is set to 'Enabled'",
      "description": "Ensure 'Automatic Data Collection' is set to 'Enabled'",
      "rational": "Collection of this data assists Microsoft Defender SmartScreen in determining whether \nthe user entered their work or school password into a suspicious website or app.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Defender SmartScreen\\Enhanced Phishing \nProtection\\Automatic Data Collection \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate WebThreatDefense.admx/adml that is included with the Microsoft Windows \n11 Release 23H2 Administrative Templates (or newer). \n\nPage 1235",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WTDS\\Components|CaptureThreatWindow",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "681866ecdd0cfac7947b6fa94c090782",
      "name": "18.10.77.1.2 \u2014 Ensure 'Notify Malicious' is set to 'Enabled'",
      "description": "Ensure 'Notify Malicious' is set to 'Enabled'",
      "rational": "Users will receive a pop-up notification if they try to access a website that is being \nblocked by Windows Defender SmartScreen. This assists users in making informed \ndecisions about why the website is being blocked and whether to continue to it.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Defender SmartScreen\\Enhanced Phishing Protection\\Notify \nMalicious \n\nNote: This Group Policy path is provided by the Group Policy template \nWebThreatDefense.admx/adml that is included with the Microsoft Windows 11 Release \n22H2 Administrative Templates v1.0 (or newer). \n\nPage 1237",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WTDS\\Components|NotifyMalicious",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "5f19f9f9f9456dc0d185eee81714f1e4",
      "name": "18.10.77.1.3 \u2014 Ensure 'Notify Password Reuse' is set to 'Enabled'",
      "description": "Ensure 'Notify Password Reuse' is set to 'Enabled'",
      "rational": "Users will be alerted if they try to use a password that has been exposed in a known \ndata breach. This can help reduce the risk of password-related security incidents, such \nas unauthorized access to online accounts, and can encourage users to choose strong \nand unique passwords.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Defender SmartScreen\\Enhanced Phishing Protection\\Notify \nPassword Reuse \n\nNote: This Group Policy path is provided by the Group Policy template \nWebThreatDefense.admx/adml that is included with the Microsoft Windows 11 Release \n22H2 Administrative Templates v1.0 (or newer). \n\nPage 1239",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WTDS\\Components|NotifyPasswordReuse",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "f61564fc8ef29beb474a77deb44ae6d2",
      "name": "18.10.77.1.4 \u2014 Ensure 'Notify Unsafe App' is set to 'Enabled'",
      "description": "Ensure 'Notify Unsafe App' is set to 'Enabled'",
      "rational": "Users will be warned if they store their password in Notepad or Microsoft 365 Office \nApps. This can help reduce the risk of security incidents, such as data theft or data loss. \nStoring credentials in plain text allows for anyone who has authorized or unauthorized \naccess to the system to obtain them.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Defender SmartScreen\\Enhanced Phishing Protection\\Notify \nUnsafe App \n\nNote: This Group Policy path is provided by the Group Policy template \nWebThreatDefense.admx/adml that is included with the Microsoft Windows 11 Release \n22H2 Administrative Templates v1.0 (or newer). \n\nPage 1241",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WTDS\\Components|NotifyUnsafeApp",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "33726f53d3d26e48c70fdd3c6e69b072",
      "name": "18.10.77.1.5 \u2014 Ensure 'Service Enabled' is set to 'Enabled'",
      "description": "Ensure 'Service Enabled' is set to 'Enabled'",
      "rational": "Allowing Enhanced Phishing Protection the ability to warn users about unsafe password \nuse could prevent phishing attempts and (credential) data loss. In addition, the Microsoft \n365 Defender Portal provides valuable phishing sensor data found in the environment.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Defender SmartScreen\\Enhanced Phishing Protection\\Service \nEnabled \n\nNote: This Group Policy path is provided by the Group Policy template \nWebThreatDefense.admx/adml that is included with the Microsoft Windows 11 Release \n22H2 Administrative Templates v1.0 (or newer). \n\nPage 1243",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WTDS\\Components|ServiceEnabled",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a4eff68dbcd0098ee7d9ca44800d14e6",
      "name": "18.10.77.2.1 \u2014 Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and ...",
      "description": "Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass'",
      "rational": "Windows Defender SmartScreen helps keep PCs safer by warning users before running \nunrecognized programs downloaded from the Internet. However, due to the fact that \nsome information is sent to Microsoft about files and programs run on PCs some \norganizations may prefer to disable it.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Warn and prevent bypass: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Defender SmartScreen\\Explorer\\Configure Windows Defender \nSmartScreen \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsExplorer.admx/adml that is included with the Microsoft Windows 8.0 & Server \n2012 (non-R2) Administrative Templates (or newer). \n\nNote #2: In old...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\System|EnableSmartScreen",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "4d62eb75d348027aeb3f4dc4b1e24c81",
      "name": "18.10.79.1 \u2014 Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set t...",
      "description": "Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled'",
      "rational": "Users could record and broadcast session info to external sites, which is both a risk of \naccidentally exposing sensitive company data (on-screen) outside the company as well \nas a privacy concern.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Game Recording and Broadcasting\\Enables or disables \nWindows Game Recording and Broadcasting \n\nNote: This Group Policy path is provided by the Group Policy template \nGameDVR.admx/adml that is included with the Microsoft Windows 10 RTM (Release \n1507) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\GameDVR|AllowGameDVR",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "d9f6b5b2e570c302a8520fefbf0a9fc3",
      "name": "18.10.80.1 \u2014 Ensure 'Enable ESS with Supported Peripherals' is set to 'Enabled: 1'",
      "description": "Ensure 'Enable ESS with Supported Peripherals' is set to 'Enabled: 1'",
      "rational": "Because the channel of communication between the sensors and the algorithm is \nsecured, it is impossible for malware to inject or replay data in order to simulate a user \nsigning in or to lock a user out of their machine.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: 1 (Enhanced Sign-in Security Enabled): \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Hello for Business\\Enable ESS with Supported Peripherals \n\nNote: This Group Policy path is provided by the Group Policy template \nPassport.admx/adml that is included with the Microsoft Windows 11 Release 22H2 \nAdministrative Templates v1.0 (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Policies\\PassportForWork\\Biometrics|EnableESSwithSupp",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "82de4a1eab0ec00d2d42b9bccb40473e",
      "name": "18.10.81.2 \u2014 Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow acc...",
      "description": "Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Enabled: Disabled'",
      "rational": "Allowing any apps to be accessed while system is locked is not recommended. If this \nfeature is permitted, it should only be accessible once a user authenticates with the \nproper credentials.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: On, but disallow access above lock OR Enabled: Disabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Ink Workspace\\Allow Windows Ink Workspace \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsInkWorkspace.admx/adml that is included with the Microsoft Windows 10 \nRelease 1607 & Server 2016 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsInkWorkspace|AllowWindowsInkWorkspace",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "2be318706b713d63494d119876cb27f6",
      "name": "18.10.82.1 \u2014 Ensure 'Allow user control over installs' is set to 'Disabled'",
      "description": "Ensure 'Allow user control over installs' is set to 'Disabled'",
      "rational": "In an enterprise managed environment, only IT staff with administrative rights should be \ninstalling or changing software on a system. Allowing users the ability to have any \ncontrol over installs can risk unapproved software from being installed or removed from \na system, which could cause the system to become vulnerable to compromise.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Installer\\Allow user control over installs \n\nNote: This Group Policy path is provided by the Group Policy template MSI.admx/adml \nthat is included with all versions of the Microsoft Windows Administrative Templates. \n\nNote #2: In older Microsoft Windows Administrative Templates, this setting was named \nEnable user con...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer|EnableUserControl",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "837a011a75901afca2a705509c223c61",
      "name": "18.10.82.2 \u2014 Ensure 'Always install with elevated privileges' is set to 'Disabled'",
      "description": "Ensure 'Always install with elevated privileges' is set to 'Disabled'",
      "rational": "Users with limited privileges can exploit this feature by creating a Windows Installer \ninstallation package that creates a new local account that belongs to the local built-in \nAdministrators group, adds their current account to the local built-in Administrators \ngroup, installs malicious software, or performs other unauthorized activities.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Installer\\Always install with elevated privileges \n\nNote: This Group Policy path is provided by the Group Policy template MSI.admx/adml \nthat is included with all versions of the Microsoft Windows Administrative Templates. \n\nPage 1262",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer|AlwaysInstallElevated",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "315e6ae15972b24f3a543c920df5b906",
      "name": "18.10.83.1 \u2014 Ensure 'Configure the transmission of the user's password in the content of M...",
      "description": "Ensure 'Configure the transmission of the user's password in the content of MPR notifications sent by winlogon.' is set to 'Disabled'",
      "rational": "MPR is a legacy utility that provides notifications to registered credential managers or \nnetwork providers when there is a logon event, or a password change event. Although \nMPR can be used by legitimate applications, the user's password field of these \nnotifications should be empty to prevent abuse by threat actors.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Logon Options\\Configure the transmission of the user's \npassword in the content of MPR notifications sent by winlogon. \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate WinLogon.admx/adml that is included with the Microsoft Windows 11 Release \n22H2 Administrative Tem...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|EnableMPR",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "91bcf61ca9f6444ae91511b9ac15775c",
      "name": "18.10.83.2 \u2014 Ensure 'Sign-in and lock last interactive user automatically after a restart'...",
      "description": "Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled'",
      "rational": "Disabling this feature will prevent the caching of user's credentials and unauthorized \nuse of the device, and also ensure the user is aware of the restart.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Logon Options\\Sign-in and lock last interactive user \nautomatically after a restart \n\nNote: This Group Policy path is provided by the Group Policy template \nWinLogon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 \nR2 Administrative Templates (or newer). \n\nNote #2: In older Microsoft Windows Ad...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System|DisableAutomat",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "7b3c5308f7aa6cff90f0a38c4b3a90b0",
      "name": "18.10.90.1.1 \u2014 Ensure 'Allow Basic authentication' is set to 'Disabled'",
      "description": "Ensure 'Allow Basic authentication' is set to 'Disabled'",
      "rational": "Basic authentication is less robust than other authentication methods available in \nWinRM because credentials including passwords are transmitted in plain text. A threat \nactor who is able to capture packets on the network where WinRM is running may be \nable to determine the credentials used for accessing remote hosts via WinRM.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Remote Management (WinRM)\\WinRM Client\\Allow Basic \nauthentication \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsRemoteManagement.admx/adml that is included with all versions of the \nMicrosoft Windows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client|AllowBasic",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "c9dab85783783c8fa52e17104a33e3b6",
      "name": "18.10.90.1.2 \u2014 Ensure 'Allow unencrypted traffic' is set to 'Disabled'",
      "description": "Ensure 'Allow unencrypted traffic' is set to 'Disabled'",
      "rational": "Encrypting WinRM network traffic reduces the risk of a threat actor viewing or modifying \nWinRM messages as they transit the network.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Remote Management (WinRM)\\WinRM Client\\Allow unencrypted \ntraffic \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsRemoteManagement.admx/adml that is included with all versions of the \nMicrosoft Windows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client|AllowUnencryptedTraffic",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "9ff52c903ad0ab64af905d9b78f176f9",
      "name": "18.10.90.1.3 \u2014 Ensure 'Disallow Digest authentication' is set to 'Enabled'",
      "description": "Ensure 'Disallow Digest authentication' is set to 'Enabled'",
      "rational": "Digest authentication is less robust than other authentication methods available in \nWinRM. A threat actor who is able to capture packets on the network where WinRM is \nrunning may be able to determine the credentials used for accessing remote hosts via \nWinRM.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Remote Management (WinRM)\\WinRM Client\\Disallow Digest \nauthentication \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsRemoteManagement.admx/adml that is included with all versions of the \nMicrosoft Windows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Client|AllowDigest",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "3164e114b5b93fe120f2655c320929c8",
      "name": "18.10.90.2.1 \u2014 Ensure 'Allow Basic authentication' is set to 'Disabled'",
      "description": "Ensure 'Allow Basic authentication' is set to 'Disabled'",
      "rational": "Basic authentication is less robust than other authentication methods available in \nWinRM because credentials including passwords are transmitted in plain text. A threat \nactor who is able to capture packets on the network where WinRM is running may be \nable to determine the credentials used for accessing remote hosts via WinRM.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Remote Management (WinRM)\\WinRM Service\\Allow Basic \nauthentication \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsRemoteManagement.admx/adml that is included with all versions of the \nMicrosoft Windows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service|AllowBasic",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "1242d29e8ea87e8736d2137a714028c1",
      "name": "18.10.90.2.3 \u2014 Ensure 'Allow unencrypted traffic' is set to 'Disabled'",
      "description": "Ensure 'Allow unencrypted traffic' is set to 'Disabled'",
      "rational": "Encrypting WinRM network traffic reduces the risk of a threat actor viewing or modifying \nWinRM messages as they transit the network.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Remote Management (WinRM)\\WinRM Service\\Allow unencrypted \ntraffic \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsRemoteManagement.admx/adml that is included with all versions of the \nMicrosoft Windows Administrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service|AllowUnencryptedTraffi",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "1dd9d499275259148cf8770a32523f51",
      "name": "18.10.90.2.4 \u2014 Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'",
      "description": "Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled'",
      "rational": "Although the ability to store RunAs credentials is a convenient feature it increases the \nrisk of account compromise slightly. For example, if you forget to lock your desktop \nbefore leaving it unattended for a few minutes another person could access not only the \ndesktop of your computer but also any hosts you manage via WinRM with cached \nRunAs credentials.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Remote Management (WinRM)\\WinRM Service\\Disallow WinRM \nfrom storing RunAs credentials \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsRemoteManagement.admx/adml that is included with the Microsoft Windows \n8.0 & Server 2012 (non-R2) Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WinRM\\Service|DisableRunAs",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "a337c3fce425e1327748f84879ebc800",
      "name": "18.10.92.1 \u2014 Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'",
      "description": "Ensure 'Allow clipboard sharing with Windows Sandbox' is set to 'Disabled'",
      "rational": "Disabling copy and paste decreases the attack surface exposed by the Windows \nSandbox and possible exposure of untrusted applications to the internal network.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Sandbox\\Allow clipboard sharing with Windows Sandbox \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsSandbox.admx/adml that is included with the Microsoft Windows 11 Release \n21H2 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Sandbox|AllowClipboardRedirection",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "eaa1365d37bfdfa18266dcaa4fa3b04e",
      "name": "18.10.92.3 \u2014 Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'",
      "description": "Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'",
      "rational": "Disabling network access decreases the attack surface exposed by the Windows \nSandbox and exposure of untrusted applications to the internal network. \n\nNote: Per Microsoft, enabling networking in the Windows Sandbox can expose \nuntrusted applications to the internal network.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Sandbox\\Allow networking in Windows Sandbox \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsSandbox.admx/adml that is included with the Microsoft Windows 11 Release \n21H2 Administrative Templates (or newer). \n\nPage 1300",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Sandbox|AllowNetworking",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "296632f37d5e9270140dd2c4e5e4a134",
      "name": "18.10.93.2.1 \u2014 Ensure 'Prevent users from modifying settings' is set to 'Enabled'",
      "description": "Ensure 'Prevent users from modifying settings' is set to 'Enabled'",
      "rational": "Only authorized IT staff should be able to make changes to the exploit protection \nsettings in order to ensure the organizations specific configuration is not modified.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Security\\App and browser protection\\Prevent users from \nmodifying settings \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsDefenderSecurityCenter.admx/adml that is included with the Microsoft \nWindows 10 Release 1709 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\App and Browser protection|DisallowExploitProtectionOverride",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "78dbeb63d469773150bca80a69d1b894",
      "name": "18.10.94.1.1 \u2014 Ensure 'No auto-restart with logged on users for scheduled automatic updates ...",
      "description": "Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'",
      "rational": "Some security updates require that the computer be restarted to complete an \ninstallation. If the computer cannot restart automatically, then the most recent update \nwill not completely install and no new updates will download to the computer until it is \nrestarted. Without the auto-restart functionality, users who are not security-conscious \nmay choose to indefinitely delay the restart, theref...",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Update\\Legacy Policies\\No auto-restart with logged on \nusers for scheduled automatic updates installations \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nNote #2: In older Microsof...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU|NoAutoRebootWithLog",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "e4d8e4d5eed5aec9d0d58113df51c3f8",
      "name": "18.10.94.2.1 \u2014 Ensure 'Configure Automatic Updates' is set to 'Enabled'",
      "description": "Ensure 'Configure Automatic Updates' is set to 'Enabled'",
      "rational": "Although each version of Windows is thoroughly tested before release, it is possible that \nproblems will be discovered after the products are shipped. The Configure Automatic \nUpdates setting can help you ensure that the computers in your environment will always \nhave the most recent critical operating system updates and service packs installed.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Update\\Manage end user experience\\Configure Automatic \nUpdates \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU|NoAutoUpdate",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "69993fe0375e68eb5bda6f0c2a3e4ded",
      "name": "18.10.94.2.2 \u2014 Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Ev...",
      "description": "Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'",
      "rational": "Although each version of Windows is thoroughly tested before release, it is possible that \nproblems will be discovered after the products are shipped. The Configure Automatic \nUpdates setting can help you ensure that the computers in your environment will always \nhave the most recent critical operating system updates and service packs installed.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to 0 - \nEvery day: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Update\\Manage end user experience\\Configure Automatic \nUpdates: Scheduled install day \n\nNote: This Group Policy path is provided by the Group Policy template \nWindowsUpdate.admx/adml that is included with all versions of the Microsoft Windows \nAdministrative Templates. \n\nPage 1311",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU|ScheduledInstallDay",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "33863c207b8907f57ea39ef0b6fcb80d",
      "name": "18.10.94.2.3 \u2014 Ensure 'Enable features introduced via servicing that are off by default' is ...",
      "description": "Ensure 'Enable features introduced via servicing that are off by default' is set to 'Disabled'",
      "rational": "Often, new features or enhancements that are enabled by default (before IT \nadministrators are ready to manage them) can negatively impact the user experience or \nintroduce bugs and security risks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\\\Windows \nComponents\\Windows Update\\Manage end user experience\\Enable features \nintroduced via servicing that are off by default \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate WindowsUpdate.admx/adml that is included with the Microsoft Windows 11 \nRelease 22H2 Administrative Templates v3.0 (...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate|AllowTemporaryEnterpri",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "ca2957ed66ad3b887a4bdce89979b1fa",
      "name": "18.10.94.2.4 \u2014 Ensure 'Remove access to \u201cPause updates\u201d feature' is set to 'Enabled'",
      "description": "Ensure 'Remove access to \u201cPause updates\u201d feature' is set to 'Enabled'",
      "rational": "In order to ensure security and system updates are applied, system administrators \nshould control when updates are applied to systems.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Update\\Manage end user experience\\Remove access to \u201cPause \nupdates\u201d feature \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 \nRelease 1809 & Server 2019 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate|SetDisablePauseUXAcces",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "153088bd3358e2d7bab38fc65c7944cb",
      "name": "18.10.94.4.1 \u2014 Ensure 'Manage preview builds' is set to 'Disabled'",
      "description": "Ensure 'Manage preview builds' is set to 'Disabled'",
      "rational": "It can be risky for experimental features to be allowed in an enterprise managed \nenvironment because this can introduce bugs and security holes into systems, making it \neasier for a threat actor to gain access. It is generally preferred to only use production-\nready builds.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Update\\Manage updates offered from Windows Update\\Manage \npreview builds \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate WindowsUpdate.admx/adml that is included with the Microsoft Windows 10 \nRelease 1709 Administrative Templates (or newer).",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate|ManagePreviewBuildsPol",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "7a8877cd24a1e7eeeff32c29f702efdf",
      "name": "18.10.94.4.2 \u2014 Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'",
      "description": "Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days'",
      "rational": "Quality Updates can contain important bug fixes and/or security patches, and should be \ninstalled as soon as possible.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled:0 days: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Update\\Manage updates offered from Windows Update\\Select \nwhen Quality Updates are received \n\nNote: Note: This Group Policy path may not exist by default. It is provided by the Group \nPolicy template WindowsUpdate.admx/adml that is included with the Microsoft \nWindows 10 Release 1607 & Server 2016 Administrative...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate|DeferQualityUpdates",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "ce91f4d6ebf0abfb7ee074a1625ba9a9",
      "name": "18.10.94.4.3 \u2014 Ensure 'Enable optional updates' is set to 'Disabled'",
      "description": "Ensure 'Enable optional updates' is set to 'Disabled'",
      "rational": "Often, new features or enhancements that are enabled by default (before IT \nadministrators are ready to manage them) can negatively impact the user experience or \nintroduce bugs and security risks.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nDisabled: \n\nComputer Configuration\\Policies\\Administrative Templates\\Windows \nComponents\\Windows Update\\Manage updates offered from Windows Update\\Enable \noptional updates \n\nNote: This Group Policy path may not exist by default. It is provided by the Group Policy \ntemplate WindowsUpdate.admx/adml that is included with the Microsoft Windows 11 \nRelease 23H2 Administrative Templates (or newer). \n\nPage 1322",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate|SetAllowOptionalConten",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "097e2972e8ab1dc7a45a59578bd2691b",
      "name": "18.11.1 \u2014 Ensure 'Disable HTTP proxy features: Disable WPAD' is set to 'Enabled: Checked'",
      "description": "Ensure 'Disable HTTP proxy features: Disable WPAD' is set to 'Enabled: Checked'",
      "rational": "WPAD could expose the system to Man-In-The-Middle (MITM) attacks. If an \norganization depends on HTTP proxy configuration, it is recommended that other client \nconfiguration mechanisms be used instead, such as Group Policy.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Checked: \n\nComputer Configuration\\Policies\\Administrative Templates\\Center for Internet \nSecurity (CIS)\\Additional Benchmark Settings\\Disable HTTP proxy features: \nDisable WPAD \n\nNote: This Group Policy path is NOT provided by Microsoft. The Group Policy template \nCIS.admx/adml is included with the CIS Microsoft Windows Build Kits published after \nJanuary 2026.",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp|DisableWpad",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    },
    {
      "external_id": "40d1bd5af90df969a14cee75b54b5725",
      "name": "18.11.2 \u2014 Ensure 'Disable HTTP proxy features: Disable proxy authentication' is set to ...",
      "description": "Ensure 'Disable HTTP proxy features: Disable proxy authentication' is set to 'Enabled: Disable authentication over loopback interfaces' or higher",
      "rational": "It is best to limit the sign-in interface to only known and trusted services, so malicious \nactors can't impersonate them.",
      "remediation": "To establish the recommended configuration via GP, set the following UI path to \nEnabled: Disable authentication over loopback interfaces or Disable all \nauthentication protocols and loopback authentication: \n\nComputer Configuration\\Policies\\Administrative Templates\\Center for Internet \nSecurity (CIS)\\Additional Benchmark Settings\\Disable HTTP proxy features: \nDisable proxy authentication \n\nNote: This Group Policy path is NOT provided by Microsoft. The Group Policy template \nCIS.admx/adml is...",
      "severity": "Medium",
      "filter": "all",
      "app_filter": "all",
      "conditions": [
        {
          "type": "condition",
          "element": "REGISTRY",
          "input": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings|DisableProxyAuthenticationSchemes",
          "selement": "CONTENT",
          "condition": "EQUALS",
          "sinput": "2"
        }
      ],
      "applicability": [
        {
          "type": "applicability",
          "element": "OS",
          "input": "",
          "selement": "CONTENT",
          "condition": "CONTAINS",
          "sinput": "Windows 11"
        }
      ]
    }
  ]
}