CISecurity

This document contains recommendations for security configuration settings for Windows systems. It includes recommendations for password policies, account lockout policies, local security policies, and other security options. The recommendations are divided into sections for different policy areas and each contains settings that should be configured to enhance security.

Terms of Use

Recommendations

1 Account Policies
  1.1 Password Policy
    1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' (Scored)
    1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' (Scored)
    1.1.3 (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' (Scored)
    1.1.4 (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' (Scored)
    1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' (Scored)
    1.1.6 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' (Scored)
  1.2 Account Lockout Policy
    1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' (Scored)
    1.2.2 (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' (Scored)
    1.2.3 (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' (Scored)
2 Local Policies
  2.1 Audit Policy
  2.2 User Rights Assignment
    2.2.1 (L1) Ensure 'Access Credential Manager as a trusted caller' is set to 'No One' (Scored)
    2.2.2 (L1) Ensure 'Access this computer from the network' is set to 'Administrators, Remote Desktop Users' (Scored)
    2.2.3 (L1) Ensure 'Act as part of the operating system' is set to 'No One' (Scored)
    2.2.4 (L1) Ensure 'Adjust memory quotas for a process' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE' (Scored)
    2.2.5 (L1) Ensure 'Allow log on locally' is set to 'Administrators, Users' (Scored)
    2.2.6 (L1) Ensure 'Allow log on through Remote Desktop Services' is set to 'Administrators, Remote Desktop Users' (Scored)
    2.2.7 (L1) Ensure 'Back up files and directories' is set to 'Administrators' (Scored)
    2.2.8 (L1) Ensure 'Change the system time' is set to 'Administrators, LOCAL SERVICE' (Scored)
    2.2.9 (L1) Ensure 'Change the time zone' is set to 'Administrators, LOCAL SERVICE, Users' (Scored)
    2.2.10 (L1) Ensure 'Create a pagefile' is set to 'Administrators' (Scored)
    2.2.11 (L1) Ensure 'Create a token object' is set to 'No One' (Scored)
    2.2.12 (L1) Ensure 'Create global objects' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (Scored)
    2.2.13 (L1) Ensure 'Create permanent shared objects' is set to 'No One' (Scored)
    2.2.14 (L1) Configure 'Create symbolic links' (Scored)
    2.2.15 (L1) Ensure 'Debug programs' is set to 'Administrators' (Scored)
    2.2.16 (L1) Ensure 'Deny access to this computer from the network' to include 'Guests, Local account' (Scored)
    2.2.17 (L1) Ensure 'Deny log on as a batch job' to include 'Guests' (Scored)
    2.2.18 (L1) Ensure 'Deny log on as a service' to include 'Guests' (Scored)
    2.2.19 (L1) Ensure 'Deny log on locally' to include 'Guests' (Scored)
    2.2.20 (L1) Ensure 'Deny log on through Remote Desktop Services' to include 'Guests, Local account' (Scored)
    2.2.21 (L1) Ensure 'Enable computer and user accounts to be trusted for delegation' is set to 'No One' (Scored)
    2.2.22 (L1) Ensure 'Force shutdown from a remote system' is set to 'Administrators' (Scored)
    2.2.23 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' (Scored)
    2.2.24 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' (Scored)
    2.2.25 (L1) Ensure 'Increase scheduling priority' is set to 'Administrators, Window Manager\Window Manager Group' (Scored)
    2.2.26 (L1) Ensure 'Load and unload device drivers' is set to 'Administrators' (Scored)
    2.2.27 (L1) Ensure 'Lock pages in memory' is set to 'No One' (Scored)
    2.2.28 (L2) Ensure 'Log on as a batch job' is set to 'Administrators' (Scored)
    2.2.29 (L2) Configure 'Log on as a service' (Scored)
    2.2.30 (L1) Ensure 'Manage auditing and security log' is set to 'Administrators' (Scored)
    2.2.31 (L1) Ensure 'Modify an object label' is set to 'No One' (Scored)
    2.2.32 (L1) Ensure 'Modify firmware environment values' is set to 'Administrators' (Scored)
    2.2.33 (L1) Ensure 'Perform volume maintenance tasks' is set to 'Administrators' (Scored)
    2.2.34 (L1) Ensure 'Profile single process' is set to 'Administrators' (Scored)
    2.2.35 (L1) Ensure 'Profile system performance' is set to 'Administrators, NT SERVICE\WdiServiceHost' (Scored)
    2.2.36 (L1) Ensure 'Replace a process level token' is set to 'LOCAL SERVICE, NETWORK SERVICE' (Scored)
    2.2.37 (L1) Ensure 'Restore files and directories' is set to 'Administrators' (Scored)
    2.2.38 (L1) Ensure 'Shut down the system' is set to 'Administrators, Users' (Scored)
    2.2.39 (L1) Ensure 'Take ownership of files or other objects' is set to 'Administrators' (Scored)
  2.3 Security Options
    2.3.1 Accounts
      2.3.1.1 (L1) Ensure 'Accounts: Administrator account status' is set to 'Disabled' (Scored)
      2.3.1.2 (L1) Ensure 'Accounts: Block Microsoft accounts' is set to 'Users can't add or log on with Microsoft accounts' (Scored)
      2.3.1.3 (L1) Ensure 'Accounts: Guest account status' is set to 'Disabled' (Scored)
      2.3.1.4 (L1) Ensure 'Accounts: Limit local account use of blank passwords to console logon only' is set to 'Enabled' (Scored)
      2.3.1.5 (L1) Configure 'Accounts: Rename administrator account' (Scored)
      2.3.1.6 (L1) Configure 'Accounts: Rename guest account' (Scored)
    2.3.2 Audit
      2.3.2.1 (L1) Ensure 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' is set to 'Enabled' (Scored)
      2.3.2.2 (L1) Ensure 'Audit: Shut down system immediately if unable to log security audits' is set to 'Disabled' (Scored)
    2.3.3 DCOM
    2.3.4 Devices
      2.3.4.1 (L1) Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users' (Scored)
      2.3.4.2 (L2) Ensure 'Devices: Prevent users from installing printer drivers' is set to 'Enabled' (Scored)
    2.3.5 Domain controller
    2.3.6 Domain member
      2.3.6.1 (L1) Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled' (Scored)
      2.3.6.2 (L1) Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled' (Scored)
      2.3.6.3 (L1) Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled' (Scored)
      2.3.6.4 (L1) Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled' (Scored)
      2.3.6.5 (L1) Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0' (Scored)
      2.3.6.6 (L1) Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled' (Scored)
    2.3.7 Interactive logon
      2.3.7.1 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' (Scored)
      2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled' (Scored)
      2.3.7.3 (BL) Ensure 'Interactive logon: Machine account lockout threshold' is set to '10 or fewer invalid logon attempts, but not 0' (Scored)
      2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' (Scored)
      2.3.7.5 (L1) Configure 'Interactive logon: Message text for users attempting to log on' (Scored)
      2.3.7.6 (L1) Configure 'Interactive logon: Message title for users attempting to log on' (Scored)
      2.3.7.7 (L2) Ensure 'Interactive logon: Number of previous logons to cache (in case domain controller is not available)' is set to '4 or fewer logon(s)' (Scored)
      2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' (Scored)
      2.3.7.9 (L1) Ensure 'Interactive logon: Smart card removal behavior' is set to 'Lock Workstation' or higher (Scored)
    2.3.8 Microsoft network client
      2.3.8.1 (L1) Ensure 'Microsoft network client: Digitally sign communications (always)' is set to 'Enabled' (Scored)
      2.3.8.2 (L1) Ensure 'Microsoft network client: Digitally sign communications (if server agrees)' is set to 'Enabled' (Scored)
      2.3.8.3 (L1) Ensure 'Microsoft network client: Send unencrypted password to third-party SMB servers' is set to 'Disabled' (Scored)
    2.3.9 Microsoft network server
      2.3.9.1 (L1) Ensure 'Microsoft network server: Amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0' (Scored)
      2.3.9.2 (L1) Ensure 'Microsoft network server: Digitally sign communications (always)' is set to 'Enabled' (Scored)
      2.3.9.3 (L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled' (Scored)
      2.3.9.4 (L1) Ensure 'Microsoft network server: Disconnect clients when logon hours expire' is set to 'Enabled' (Scored)
      2.3.9.5 (L1) Ensure 'Microsoft network server: Server SPN target name validation level' is set to 'Accept if provided by client' or higher (Scored)
    2.3.10 Network access
      2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' (Scored)
      2.3.10.2 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts' is set to 'Enabled' (Scored)
      2.3.10.3 (L1) Ensure 'Network access: Do not allow anonymous enumeration of SAM accounts and shares' is set to 'Enabled' (Scored)
      2.3.10.4 (L1) Ensure 'Network access: Do not allow storage of passwords and credentials for network authentication' is set to 'Enabled' (Scored)
      2.3.10.5 (L1) Ensure 'Network access: Let Everyone permissions apply to anonymous users' is set to 'Disabled' (Scored)
      2.3.10.6 (L1) Ensure 'Network access: Named Pipes that can be accessed anonymously' is set to 'None' (Scored)
      2.3.10.7 (L1) Ensure 'Network access: Remotely accessible registry paths' (Scored)
      2.3.10.8 (L1) Ensure 'Network access: Remotely accessible registry paths and sub-paths' (Scored)
      2.3.10.9 (L1) Ensure 'Network access: Restrict anonymous access to Named Pipes and Shares' is set to 'Enabled' (Scored)
      2.3.10.10 (L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow' (Scored)
      2.3.10.11 (L1) Ensure 'Network access: Shares that can be accessed anonymously' is set to 'None' (Scored)
      2.3.10.12 (L1) Ensure 'Network access: Sharing and security model for local accounts' is set to 'Classic - local users authenticate as themselves' (Scored)
    2.3.11 Network security
      2.3.11.1 (L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Enabled' (Scored)
      2.3.11.2 (L1) Ensure 'Network security: Allow LocalSystem NULL session fallback' is set to 'Disabled' (Scored)
      2.3.11.3 (L1) Ensure 'Network Security: Allow PKU2U authentication requests to this computer to use online identities' is set to 'Disabled' (Scored)
      2.3.11.4 (L1) Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' (Scored)
      2.3.11.5 (L1) Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled' (Scored)
      2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' (Not Scored)
      2.3.11.7 (L1) Ensure 'Network security: LAN Manager authentication level' is set to 'Send NTLMv2 response only. Refuse LM & NTLM' (Scored)
      2.3.11.8 (L1) Ensure 'Network security: LDAP client signing requirements' is set to 'Negotiate signing' or higher (Scored)
      2.3.11.9 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) clients' is set to 'Require NTLMv2 session security, Require 128-bit encryption' (Scored)
      2.3.11.10 (L1) Ensure 'Network security: Minimum session security for NTLM SSP based (including secure RPC) servers' is set to 'Require NTLMv2 session security, Require 128-bit encryption' (Scored)
    2.3.12 Recovery console
    2.3.13 Shutdown
    2.3.14 System cryptography
      2.3.14.1 (L2) Ensure 'System cryptography: Force strong key protection for user keys stored on the computer' is set to 'User is prompted when the key is first used' or higher (Scored)
    2.3.15 System objects
      2.3.15.1 (L1) Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled' (Scored)
      2.3.15.2 (L1) Ensure 'System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)' is set to 'Enabled' (Scored)
    2.3.16 System settings
    2.3.17 User Account Control
      2.3.17.1 (L1) Ensure 'User Account Control: Admin Approval Mode for the Built-in Administrator account' is set to 'Enabled' (Scored)
      2.3.17.2 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' is set to 'Prompt for consent on the secure desktop' (Scored)
      2.3.17.3 (L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests' (Scored)
      2.3.17.4 (L1) Ensure 'User Account Control: Detect application installations and prompt for elevation' is set to 'Enabled' (Scored)
      2.3.17.5 (L1) Ensure 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' is set to 'Enabled' (Scored)
      2.3.17.6 (L1) Ensure 'User Account Control: Run all administrators in Admin Approval Mode' is set to 'Enabled' (Scored)
      2.3.17.7 (L1) Ensure 'User Account Control: Switch to the secure desktop when prompting for elevation' is set to 'Enabled' (Scored)
      2.3.17.8 (L1) Ensure 'User Account Control: Virtualize file and registry write failures to per-user locations' is set to 'Enabled' (Scored)
3 Event Log
4 Restricted Groups
5 System Services
  5.1 (L2) Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled' (Scored)
  5.2 (L2) Ensure 'Bluetooth Support Service (bthserv)' is set to 'Disabled' (Scored)
  5.3 (L1) Ensure 'Computer Browser (Browser)' is set to 'Disabled' or 'Not Installed' (Scored)
  5.4 (L2) Ensure 'Downloaded Maps Manager (MapsBroker)' is set to 'Disabled' (Scored)
  5.5 (L2) Ensure 'Geolocation Service (lfsvc)' is set to 'Disabled' (Scored)
  5.6 (L1) Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed' (Scored)
  5.7 (L1) Ensure 'Infrared monitor service (irmon)' is set to 'Disabled' or 'Not Installed' (Scored)
  5.8 (L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled' (Scored)
  5.9 (L2) Ensure 'Link-Layer Topology Discovery Mapper (lltdsvc)' is set to 'Disabled' (Scored)
  5.10 (L1) Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed' (Scored)
  5.11 (L1) Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed' (Scored)
  5.12 (L2) Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled' (Scored)
  5.13 (L2) Ensure 'Microsoft Store Install Service (InstallService)' is set to 'Disabled' (Scored)
  5.14 (L1) Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed' (Scored)
  5.15 (L2) Ensure 'Peer Name Resolution Protocol (PNRPsvc)' is set to 'Disabled' (Scored)
  5.16 (L2) Ensure 'Peer Networking Grouping (p2psvc)' is set to 'Disabled' (Scored)
  5.17 (L2) Ensure 'Peer Networking Identity Manager (p2pimsvc)' is set to 'Disabled' (Scored)
  5.18 (L2) Ensure 'PNRP Machine Name Publication Service (PNRPAutoReg)' is set to 'Disabled' (Scored)
  5.19 (L2) Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled' (Scored)
  5.20 (L2) Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled' (Scored)
  5.21 (L2) Ensure 'Remote Desktop Configuration (SessionEnv)' is set to 'Disabled' (Scored)
  5.22 (L2) Ensure 'Remote Desktop Services (TermService)' is set to 'Disabled' (Scored)
  5.23 (L2) Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled' (Scored)
  5.24 (L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled' (Scored)
  5.25 (L2) Ensure 'Remote Registry (RemoteRegistry)' is set to 'Disabled' (Scored)
  5.26 (L1) Ensure 'Routing and Remote Access (RemoteAccess)' is set to 'Disabled' (Scored)
  5.27 (L2) Ensure 'Server (LanmanServer)' is set to 'Disabled' (Scored)
  5.28 (L1) Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed' (Scored)
  5.29 (L2) Ensure 'SNMP Service (SNMP)' is set to 'Disabled' or 'Not Installed' (Scored)
  5.30 (L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled' (Scored)
  5.31 (L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled' (Scored)
  5.32 (L1) Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed' (Scored)
  5.33 (L2) Ensure 'Windows Error Reporting Service (WerSvc)' is set to 'Disabled' (Scored)
  5.34 (L2) Ensure 'Windows Event Collector (Wecsvc)' is set to 'Disabled' (Scored)
  5.35 (L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed' (Scored)
  5.36 (L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled' (Scored)
  5.37 (L2) Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled' (Scored)
  5.38 (L2) Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled' (Scored)
  5.39 (L2) Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled' (Scored)
  5.40 (L1) Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed' (Scored)
  5.41 (L1) Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled' (Scored)
  5.42 (L1) Ensure 'Xbox Live Auth Manager (XblAuthManager)' is set to 'Disabled' (Scored)
  5.43 (L1) Ensure 'Xbox Live Game Save (XblGameSave)' is set to 'Disabled' (Scored)
  5.44 (L1) Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled' (Scored)
6 Registry
7 File System
8 Wired Network (IEEE 802.3) Policies
9 Windows Firewall with Advanced Security
  9.1 Domain Profile
    9.1.1 (L1) Ensure 'Windows Firewall: Domain: Firewall state' is set to 'On (recommended)' (Scored)
    9.1.2 (L1) Ensure 'Windows Firewall: Domain: Inbound connections' is set to 'Block (default)' (Scored)
    9.1.3 (L1) Ensure 'Windows Firewall: Domain: Outbound connections' is set to 'Allow (default)' (Scored)
    9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No' (Scored)
    9.1.5 (L1) Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log' (Scored)
    9.1.6 (L1) Ensure 'Windows Firewall: Domain: Logging: Size limit (KB)' is set to '16,384 KB or greater' (Scored)
    9.1.7 (L1) Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes' (Scored)
    9.1.8 (L1) Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes' (Scored)
  9.2 Private Profile
    9.2.1 (L1) Ensure 'Windows Firewall: Private: Firewall state' is set to 'On (recommended)' (Scored)
    9.2.2 (L1) Ensure 'Windows Firewall: Private: Inbound connections' is set to 'Block (default)' (Scored)
    9.2.3 (L1) Ensure 'Windows Firewall: Private: Outbound connections' is set to 'Allow (default)' (Scored)
    9.2.4 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No' (Scored)
    9.2.5 (L1) Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log' (Scored)
    9.2.6 (L1) Ensure 'Windows Firewall: Private: Logging: Size limit (KB)' is set to '16,384 KB or greater' (Scored)
    9.2.7 (L1) Ensure 'Windows Firewall: Private: Logging: Log dropped packets' is set to 'Yes' (Scored)
    9.2.8 (L1) Ensure 'Windows Firewall: Private: Logging: Log successful connections' is set to 'Yes' (Scored)
  9.3 Public Profile
    9.3.1 (L1) Ensure 'Windows Firewall: Public: Firewall state' is set to 'On (recommended)' (Scored)
    9.3.2 (L1) Ensure 'Windows Firewall: Public: Inbound connections' is set to 'Block (default)' (Scored)
    9.3.3 (L1) Ensure 'Windows Firewall: Public: Outbound connections' is set to 'Allow (default)' (Scored)
    9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No' (Scored)
    9.3.5 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No' (Scored)
    9.3.6 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No' (Scored)
    9.3.7 (L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log' (Scored)
    9.3.8 (L1) Ensure 'Windows Firewall: Public: Logging: Size limit (KB)' is set to '16,384 KB or greater' (Scored)
    9.3.9 (L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes' (Scored)
    9.3.10 (L1) Ensure 'Windows Firewall: Public: Logging: Log successful connections' is set to 'Yes' (Scored)
10 Network List Manager Policies
11 Wireless Network (IEEE 802.11) Policies
12 Public Key Policies
13 Software Restriction Policies
14 Network Access Protection NAP Client Configuration
15 Application Control Policies
16 IP Security Policies
17 Advanced Audit Policy Configuration
  17.1 Account Logon
    17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' (Scored)
  17.2 Account Management
    17.2.1 (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' (Scored)
    17.2.2 (L1) Ensure 'Audit Security Group Management' is set to include 'Success' (Scored)
    17.2.3 (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' (Scored)
  17.3 Detailed Tracking
17.3.1 (L1) Ensure 'Audit PNP Activity' is set to include 'Success' (Scored) ......... 446
17.3.2 (L1) Ensure 'Audit Process Creation' is set to include 'Success' (Scored) 448
17.4 DS Access ................................................................................................................................................ 449
17.5 Logon/Logoff ........................................................................................................................................ 450
17.5.1 (L1) Ensure 'Audit Account Lockout' is set to include 'Failure' (Scored) . 450
17.5.2 (L1) Ensure 'Audit Group Membership' is set to include 'Success' (Scored)..........................................................................
17.5.3 (L1) Ensure 'Audit Logoff' is set to include 'Success' (Scored)....................... 454
17.5.4 (L1) Ensure 'Audit Logon' is set to 'Success and Failure' (Scored) .............. 456
17.5.5 (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' (Scored)........................................................
17.5.6 (L1) Ensure 'Audit Special Logon' is set to include 'Success' (Scored)....... 460
17.6 Object Access ........................................................................................................................................ 462
17.6.1 (L1) Ensure 'Audit Detailed File Share' is set to include 'Failure' (Scored).............................................................................
17.6.2 (L1) Ensure 'Audit File Share' is set to 'Success and Failure' (Scored) ...... 464
17.6.3 (L1) Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' (Scored).......................................................
17.6.4 (L1) Ensure 'Audit Removable Storage' is set to 'Success and Failure' (Scored) ...................................................................
17.7 Policy Change ....................................................................................................................................... 472
17.7.1 (L1) Ensure 'Audit Audit Policy Change' is set to include 'Success' (Scored)..........................................................................
17.7.2 (L1) Ensure 'Audit Authentication Policy Change' is set to include 'Success' (Scored) .........................................................
17.7.3 (L1) Ensure 'Audit Authorization Policy Change' is set to include 'Success' (Scored) ............................................................
17.7.4 (L1) Ensure 'Audit MPSSVC Rule-Level Policy Change' is set to 'Success and Failure' (Scored).............................................
17.7.5 (L1) Ensure 'Audit Other Policy Change Events' is set to include 'Failure' (Scored) ..............................................................
17.8 Privilege Use ......................................................................................................................................... 486
17.8.1 (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' (Scored) ...............................................................
17.9 System...................................................................................................................................................... 489
17.9.1 (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' (Scored) . 489
17.9.2 (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' (Scored) .................................................................
17.9.3 (L1) Ensure 'Audit Security State Change' is set to include 'Success' (Scored) ......................................................................
17.9.4 (L1) Ensure 'Audit Security System Extension' is set to include 'Success' (Scored) ...............................................................
17.9.5 (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' (Scored).........................................................................
18 Administrative Templates (Computer) ............................................................................................ 501
18.1 Control Panel ........................................................................................................................................ 501
18.1.1 Personalization ........................................................................................................................... 501
18.1.1.1 (L1) Ensure 'Prevent enabling lock screen camera' is set to 'Enabled' (Scored) ................................................................
18.1.1.2 (L1) Ensure 'Prevent enabling lock screen slide show' is set to 'Enabled' (Scored) ...........................................................
18.1.2 Regional and Language Options ......................................................................................... 505
18.1.2.2 (L1) Ensure 'Allow users to enable online speech recognition services' is set to 'Disabled' (Scored) ................................
18.1.3 (L2) Ensure 'Allow Online Tips' is set to 'Disabled' (Scored).......................... 508
18.2 LAPS .......................................................................................................................................................... 510
18.2.1 (L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (Scored) .... 510
18.2.2 (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (Scored) ...............
18.2.3 (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (Scored) ........................................................
18.2.4 (L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + specia
18.2.5 (L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' (Scored).................................................
18.2.6 (L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (Scored) .........................................
18.3 MS Security Guide............................................................................................................................... 525
18.3.1 (L1) Ensure 'Apply UAC restrictions to local accounts on network logons' is set to 'Enabled' (Scored)................................
18.3.2 (L1) Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)' (Scored) ...........................
18.3.3 (L1) Ensure 'Configure SMB v1 server' is set to 'Disabled' (Scored)........... 531
18.3.4 (L1) Ensure 'Enable Structured Exception Handling Overwrite Protection (SEHOP)' is set to 'Enabled' (Scored) .................
18.3.5 (L1) Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)' (Scored) ....................................
18.3.6 (L1) Ensure 'WDigest Authentication' is set to 'Disabled' (Scored) ............ 538
18.4 MSS (Legacy)......................................................................................................................................... 540
18.4.1 (L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled' (Scored)..............
18.4.2 (L1) Ensure 'MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)' is
18.4.3 (L1) Ensure 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)' is set t
18.4.4 (L2) Ensure 'MSS: (DisableSavePassword) Prevent the dial-up password from being saved' is set to 'Enabled' (Scored) ....
18.4.5 (L1) Ensure 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' is set to 'Disabled' (Sc
18.4.6 (L2) Ensure 'MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds' is set to 'Enabled: 300,000 or
18.4.7 (L1) Ensure 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except fr
18.4.8 (L2) Ensure 'MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead
18.4.9 (L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled' (Scored) .........
18.4.10 (L1) Ensure 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recom
18.4.11 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted' is set to
18.4.12 (L2) Ensure 'MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted' is set to 'Ena
18.4.13 (L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a w
18.5 Network .................................................................................................................................................. 567
18.5.1 Background Intelligent Transfer Service (BITS) ........................................................ 567
18.5.2 BranchCache ................................................................................................................................ 567
18.5.3 DirectAccess Client Experience Settings ........................................................................ 567
18.5.4 DNS Client...................................................................................................................................... 568
18.5.4.1 (L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled' (Scored) ....................................................................
18.5.5 Fonts ................................................................................................................................................ 570
18.5.5.1 (L2) Ensure 'Enable Font Providers' is set to 'Disabled' (Scored) ............ 570
18.5.6 Hotspot Authentication .......................................................................................................... 572
18.5.7 Lanman Server ............................................................................................................................ 572
18.5.8 Lanman Workstation ............................................................................................................... 573
18.5.8.1 (L1) Ensure 'Enable insecure guest logons' is set to 'Disabled' (Scored).............................................................................
18.5.9 Link-Layer Topology Discovery.......................................................................................... 575
18.5.9.1 (L2) Ensure 'Turn on Mapper I/O (LLTDIO) driver' is set to 'Disabled' (Scored) .................................................................
18.5.9.2 (L2) Ensure 'Turn on Responder (RSPNDR) driver' is set to 'Disabled' (Scored) .................................................................
18.5.10 Microsoft Peer-to-Peer Networking Services............................................................ 579
18.5.10.2 (L2) Ensure 'Turn off Microsoft Peer-to-Peer Networking Services' is set to 'Enabled' (Scored) .....................................
18.5.11 Network Connections ........................................................................................................... 582
18.5.11.2 (L1) Ensure 'Prohibit installation and configuration of Network Bridge on your DNS domain network' is set to 'Enable
18.5.11.3 (L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled' (Scored) ...
18.5.11.4 (L1) Ensure 'Require domain users to elevate when setting a network's location' is set to 'Enabled' (Scored) ..............
18.5.12 Network Connectivity Status Indicator ........................................................................ 588
18.5.13 Network Isolation ................................................................................................................... 588
18.5.14 Network Provider ................................................................................................................... 589
18.5.14.1 (L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with "Require Mutual Authentication" and "Require Integrity" s
18.5.15 Offline Files ................................................................................................................................ 592
18.5.16 QoS Packet Scheduler............................................................................................................ 592
18.5.17 SNMP ............................................................................................................................................. 592
18.5.18 SSL Configuration Settings ................................................................................................. 592
18.5.19 TCPIP Settings .......................................................................................................................... 593
18.5.19.2.1 (L2) Disable IPv6 (Ensure TCPIP6 Parameter 'DisabledComponents' is set to '0xff (255)') (Scored)..............................
18.5.20 Windows Connect Now ........................................................................................................ 597
18.5.20.1 (L2) Ensure 'Configuration of wireless settings using Windows Connect Now' is set to 'Disabled' (Scored) ...................
18.5.20.2 (L2) Ensure 'Prohibit access of the Windows Connect Now wizards' is set to 'Enabled' (Scored)....................................
18.5.21 Windows Connection Manager ........................................................................................ 601
18.5.21.1 (L1) Ensure 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' is set to 'Enab
18.5.21.2 (L1) Ensure 'Prohibit connection to non-domain networks when connected to domain authenticated network' is set
18.5.22 Wireless Display ...................................................................................................................... 606
18.5.23 WLAN Service ........................................................................................................................... 606
18.5.23.2.1 (L1) Ensure 'Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts
18.6 Printers.................................................................................................................................................... 609
18.7 Start Menu and Taskbar .................................................................................................................. 610
18.7.1 Notifications ................................................................................................................................. 610
18.7.1.1 (L2) Ensure 'Turn off notifications network usage' is set to 'Enabled' (Scored) .................................................................
18.8 System...................................................................................................................................................... 612
18.8.1 Access-Denied Assistance...................................................................................................... 612
18.8.2 App-V ............................................................................................................................................... 612
18.8.3 Audit Process Creation............................................................................................................ 613
18.8.3.1 (L1) Ensure 'Include command line in process creation events' is set to 'Disabled' (Scored) ............................................
18.8.4 Credentials Delegation ............................................................................................................ 615
18.8.4.1 (L1) Ensure 'Encryption Oracle Remediation' is set to 'Enabled: Force Updated Clients' (Scored) ....................................
18.8.4.2 (L1) Ensure 'Remote host allows delegation of non-exportable credentials' is set to 'Enabled' (Scored) .........................
18.8.5 Device Guard ................................................................................................................................ 619
18.8.5.1 (NG) Ensure 'Turn On Virtualization Based Security' is set to 'Enabled' (Scored) ..............................................................
18.8.5.2 (NG) Ensure 'Turn On Virtualization Based Security: Select Platform Security Level' is set to 'Secure Boot and DMA Pro
18.8.5.3 (NG) Ensure 'Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity' is set to 'Enabled
18.8.5.4 (NG) Ensure 'Turn On Virtualization Based Security: Require UEFI Memory Attributes Table' is set to 'True (checked)' (S
18.8.5.5 (NG) Ensure 'Turn On Virtualization Based Security: Credential Guard Configuration' is set to 'Enabled with UEFI lock' (
18.8.5.6 (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' (Scored) ..............
18.8.6 Device Health Attestation Service ..................................................................................... 633
18.8.7 Device Installation..................................................................................................................... 634
18.8.7.1.1 (BL) Ensure 'Prevent installation of devices that match any of these device IDs' is set to 'Enabled' (Scored)................
18.8.7.1.2 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Prevent installation of devices that m
18.8.7.1.3 (BL) Ensure 'Prevent installation of devices that match any of these device IDs: Also apply to matching devices that a
18.8.7.1.4 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes' is set to 'Enabled' (S
18.8.7.1.5 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Prevent installation
18.8.7.1.6 (BL) Ensure 'Prevent installation of devices using drivers that match these device setup classes: Also apply to match
18.8.8 Device Redirection .................................................................................................................... 652
18.8.9 Disk NV Cache.............................................................................................................................. 653
18.8.10 Disk Quotas ................................................................................................................................ 653
18.8.11 Display.......................................................................................................................................... 653
18.8.12 Distributed COM ...................................................................................................................... 653
18.8.13 Driver Installation .................................................................................................................. 653
18.8.14 Early Launch Antimalware................................................................................................. 654
18.8.14.1 (L1) Ensure 'Boot-Start Driver Initialization Policy' is set to 'Enabled: Good, unknown and bad but critical' (Scored) ....
18.8.15 Enhanced Storage Access .................................................................................................... 656
18.8.16 File Classification Infrastructure ..................................................................................... 656
18.8.17 File Share Shadow Copy Agent ......................................................................................... 657
18.8.18 File Share Shadow Copy Provider................................................................................... 657
18.8.19 Filesystem (formerly NTFS Filesystem) ...................................................................... 657
18.8.20 Folder Redirection.................................................................................................................. 657
18.8.21 Group Policy .............................................................................................................................. 658
18.8.21.2 (L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enab
18.8.21.3 (L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to
18.8.21.4 (L1) Ensure 'Continue experiences on this device' is set to 'Disabled' (Scored) ..............................................................
18.8.21.5 (L1) Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' (Scored) ..................................................
18.8.22 Internet Communication Management ........................................................................ 667
18.8.22.1.1 (L2) Ensure 'Turn off access to the Store' is set to 'Enabled' (Scored)...........................................................................
18.8.22.1.2 (L1) Ensure 'Turn off downloading of print drivers over HTTP' is set to 'Enabled' (Scored) ..........................................
18.8.22.1.3 (L2) Ensure 'Turn off handwriting personalization data sharing' is set to 'Enabled' (Scored) .......................................
18.8.22.1.4 (L2) Ensure 'Turn off handwriting recognition error reporting' is set to 'Enabled' (Scored) .........................................
18.8.22.1.5 (L2) Ensure 'Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com' is set to 'Enabled
18.8.22.1.6 (L1) Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled' (Scored
18.8.22.1.7 (L2) Ensure 'Turn off printing over HTTP' is set to 'Enabled' (Scored)...........................................................................
18.8.22.1.8 (L2) Ensure 'Turn off Registration if URL connection is referring to Microsoft.com' is set to 'Enabled' (Scored) .........
18.8.22.1.9 (L2) Ensure 'Turn off Search Companion content file updates' is set to 'Enabled' (Scored) .........................................
18.8.22.1.10 (L2) Ensure 'Turn off the "Order Prints" picture task' is set to 'Enabled' (Scored) ......................................................
18.8.22.1.11 (L2) Ensure 'Turn off the "Publish to Web" task for files and folders' is set to 'Enabled' (Scored) .............................
18.8.22.1.12 (L2) Ensure 'Turn off the Windows Messenger Customer Experience Improvement Program' is set to 'Enabled' (Sc
18.8.22.1.13 (L2) Ensure 'Turn off Windows Customer Experience Improvement Program' is set to 'Enabled' (Scored) ...............
18.8.22.1.14 (L2) Ensure 'Turn off Windows Error Reporting' is set to 'Enabled' (Scored) ..............................................................
18.8.23 iSCSI ............................................................................................................................................... 695
18.8.24 KDC ................................................................................................................................................ 695
18.8.25 Kerberos ...................................................................................................................................... 696
18.8.25.1 (L2) Ensure 'Support device authentication using certificate' is set to 'Enabled: Automatic' (Scored).............................
18.8.26 Kernel DMA Protection ........................................................................................................ 698
18.8.26.1 (BL) Ensure 'Enumeration policy for external devices incompatible with Kernel DMA Protection' is set to 'Enabled: Blo
18.8.27 Locale Services ......................................................................................................................... 700
18.8.27.1 (L2) Ensure 'Disallow copying of user input methods to the system account for sign-in' is set to 'Enabled' (Scored).....
18.8.28 Logon ............................................................................................................................................ 702
18.8.28.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' (Scored) ........................................
18.8.28.2 (L1) Ensure 'Do not display network selection UI' is set to 'Enabled' (Scored) ................................................................
18.8.28.3 (L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled' (Scored)..................
18.8.28.4 (L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled' (Scored)......................................
18.8.28.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' (Scored) ...................................................
18.8.28.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' (Scored) ....................................................................
18.8.28.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' (Scored) .....................................................................
18.8.29 Mitigation Options .................................................................................................................. 716
18.8.30 Net Logon.................................................................................................................................... 716
18.8.31 OS Policies .................................................................................................................................. 717
18.8.31.1 (L2) Ensure 'Allow Clipboard synchronization across devices' is set to 'Disabled' (Scored) .............................................
18.8.31.2 (L2) Ensure 'Allow upload of User Activities' is set to 'Disabled' (Scored)........................................................................
18.8.32 Performance Control Panel ................................................................................................ 720
18.8.33 PIN Complexity ........................................................................................................................ 720
18.8.34 Power Management ............................................................................................................... 720
18.8.34.6.1 (L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled' (Scored) ...........
18.8.34.6.2 (L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled' (Scored) ...........
18.8.34.6.3 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (on battery)' is set to 'Disabled' (Scored).............................
18.8.34.6.4 (BL) Ensure 'Allow standby states (S1-S3) when sleeping (plugged in)' is set to 'Disabled' (Scored).............................
18.8.34.6.5 (L1) Ensure 'Require a password when a computer wakes (on battery)' is set to 'Enabled' (Scored) ..........................
18.8.34.6.6 (L1) Ensure 'Require a password when a computer wakes (plugged in)' is set to 'Enabled' (Scored)...........................
18.8.35 Recovery...................................................................................................................................... 733
18.8.36 Remote Assistance.................................................................................................................. 734
18.8.36.1 (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' (Scored) ................................................................
18.8.36.2 (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' (Scored) ...........................................................
18.8.37 Remote Procedure Call......................................................................................................... 738
18.8.37.1 (L1) Ensure 'Enable RPC Endpoint Mapper Client Authentication' is set to 'Enabled' (Scored) .......................................
18.8.37.2 (L1) Ensure 'Restrict Unauthenticated RPC clients' is set to 'Enabled: Authenticated' (Scored)......................................
18.8.38 Removable Storage Access ................................................................................................. 742
18.8.39 Scripts ........................................................................................................................................... 742
18.8.40 Server Manager........................................................................................................................ 742
18.8.41 Service Control Manager Settings ................................................................................... 743
18.8.42 Shutdown .................................................................................................................................... 743
18.8.43 Shutdown Options .................................................................................................................. 743
18.8.44 Storage Health .......................................................................................................................... 743
18.8.45 Storage Sense ............................................................................................................................ 744
18.8.46 System Restore......................................................................................................................... 744
18.8.47 Troubleshooting and Diagnostics ................................................................................... 744
18.8.47.5.1 (L2) Ensure 'Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider' is
18.8.47.11.1 (L2) Ensure 'Enable/Disable PerfTrack' is set to 'Disabled' (Scored)............................................................................
18.8.48 Trusted Platform Module Services ................................................................................. 752
18.8.49 User Profiles .............................................................................................................................. 753
18.8.49.1 (L2) Ensure 'Turn off the advertising ID' is set to 'Enabled' (Scored) . 753
18.8.50 Windows File Protection ..................................................................................................... 755
18.8.51 Windows HotStart .................................................................................................................. 755
18.8.52 Windows Time Service......................................................................................................... 756
18.8.52.1.1 (L2) Ensure 'Enable Windows NTP Client' is set to 'Enabled' (Scored)...........................................................................
18.8.52.1.2 (L2) Ensure 'Enable Windows NTP Server' is set to 'Disabled' (Scored).........................................................................
18.9 Windows Components ..................................................................................................................... 760
18.9.1 Active Directory Federation Services .............................................................................. 760
18.9.2 ActiveX Installer Service......................................................................................................... 760
18.9.3 Add features to Windows 8 / 8.1 / 10 (formerly Windows Anytime Upgrade).....................................................................
18.9.4 App Package Deployment ...................................................................................................... 761
18.9.4.1 (L2) Ensure 'Allow a Windows app to share application data between users' is set to 'Disabled' (Scored) ......................
18.9.5 App Privacy................................................................................................................................... 763
18.9.5.1 (L1) Ensure 'Let Windows apps activate with voice while the system is locked' is set to 'Enabled: Force Deny' (Scored)
18.9.6 App runtime ................................................................................................................................. 765
18.9.6.1 (L1) Ensure 'Allow Microsoft accounts to be optional' is set to 'Enabled' (Scored) ...........................................................
18.9.6.2 (L2) Ensure 'Block launching Universal Windows apps with Windows Runtime API access from hosted content.' is set t
18.9.7 Application Compatibility...................................................................................................... 769
18.9.8 AutoPlay Policies........................................................................................................................ 770
18.9.8.1 (L1) Ensure 'Disallow Autoplay for non-volume devices' is set to 'Enabled' (Scored) ........................................................
18.9.8.2 (L1) Ensure 'Set the default behavior for AutoRun' is set to 'Enabled: Do not execute any autorun commands' (Scored)
18.9.8.3 (L1) Ensure 'Turn off Autoplay' is set to 'Enabled: All drives' (Scored) 774
18.9.9 Backup............................................................................................................................................. 775
18.9.10 Biometrics .................................................................................................................................. 776
18.9.10.1.1 (L1) Ensure 'Configure enhanced anti-spoofing' is set to 'Enabled' (Scored) ................................................................
18.9.11 BitLocker Drive Encryption ............................................................................................... 778
18.9.11.1.1 (BL) Ensure 'Allow access to BitLocker-protected fixed data drives from earlier versions of Windows' is set to 'Disab
18.9.11.1.2 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered' is set to 'Enabled' (Scored) ..................
18.9.11.1.3 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent' is set to 'En
18.9.11.1.4 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Password' is set to 'Enabled:
18.9.11.1.5 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Recovery Key' is set to 'Enabled: Allow
18.9.11.1.6 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLoc
18.9.11.1.7 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information t
18.9.11.1.8 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recove
18.9.11.1.9 (BL) Ensure 'Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery
18.9.11.1.10 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives' is set to 'Enabled' (Scored)............
18.9.11.1.11 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Use BitLocker software-based enc
18.9.11.1.12 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict encryption algorithms and
18.9.11.1.13 (BL) Ensure 'Configure use of hardware-based encryption for fixed data drives: Restrict crypto algorithms or ciphe
18.9.11.1.14 (BL) Ensure 'Configure use of passwords for fixed data drives' is set to 'Disabled' (Scored).......................................
18.9.11.1.15 (BL) Ensure 'Configure use of smart cards on fixed data drives' is set to 'Enabled' (Scored) ......................................
18.9.11.1.16 (BL) Ensure 'Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives' is
18.9.11.2.1 (BL) Ensure 'Allow enhanced PINs for startup' is set to 'Enabled' (Scored) ..................................................................
18.9.11.2.2 (BL) Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled' (Scored) ....................................................
18.9.11.2.3 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered' is set to 'Enabled' (Scored
18.9.11.2.4 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agen
18.9.11.2.5 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Password' is set
18.9.11.2.6 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Recovery Key' is set to 'En
18.9.11.2.7 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options fro
18.9.11.2.8 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery in
18.9.11.2.9 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLo
18.9.11.2.10 (BL) Ensure 'Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker
18.9.11.2.11 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives' is set to 'Enabled' (Scored)
18.9.11.2.12 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Use BitLocker software-bas
18.9.11.2.13 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Restrict encryption algorith
18.9.11.2.14 (BL) Ensure 'Configure use of hardware-based encryption for operating system drives: Restrict crypto algorithms
18.9.11.2.15 (BL) Ensure 'Configure use of passwords for operating system drives' is set to 'Disabled' (Scored) ..........................
18.9.11.2.16 (BL) Ensure 'Require additional authentication at startup' is set to 'Enabled' (Scored) .............................................
18.9.11.2.17 (BL) Ensure 'Require additional authentication at startup: Allow BitLocker without a compatible TPM' is set to 'En
18.9.11.3.1 (BL) Ensure 'Allow access to BitLocker-protected removable data drives from earlier versions of Windows' is set to
18.9.11.3.2 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered' is set to 'Enabled' (Scored).........
18.9.11.3.3 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent' is set
18.9.11.3.4 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Password' is set to 'En
18.9.11.3.5 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Recovery Key' is set to 'Enabled:
18.9.11.3.6 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the
18.9.11.3.7 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery informa
18.9.11.3.8 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker r
18.9.11.3.9 (BL) Ensure 'Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until re
18.9.11.3.10 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives' is set to 'Enabled' (Scored) ..
18.9.11.3.11 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Use BitLocker software-base
18.9.11.3.12 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Restrict encryption algorithm
18.9.11.3.13 (BL) Ensure 'Configure use of hardware-based encryption for removable data drives: Restrict crypto algorithms or
18.9.11.3.14 (BL) Ensure 'Configure use of passwords for removable data drives' is set to 'Disabled' (Scored)..............................
18.9.11.3.15 (BL) Ensure 'Configure use of smart cards on removable data drives' is set to 'Enabled' (Scored) ............................
18.9.11.3.16 (BL) Ensure 'Configure use of smart cards on removable data drives: Require use of smart cards on removable dat
18.9.11.3.17 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker' is set to 'Enabled' (Scored)............
18.9.11.3.18 (BL) Ensure 'Deny write access to removable drives not protected by BitLocker: Do not allow write access to devic
18.9.11.4 (BL) Ensure 'Disable new DMA devices when this computer is locked' is set to 'Enabled' (Scored).................................
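The (BL) items above are policy settings; whether a given volume is actually protected the way the policy demands is a separate question. The following PowerShell is an added example, not part of the CIS benchmark, that reads the startup-authentication policy values under the FVE policy key and prints them beside the live protector state of each volume from Get-BitLockerVolume. Registry value names follow the BitLocker ADMX; the function names and the mapping comments to benchmark item numbers are this example's own. It needs an elevated session on a host with the BitLocker module.

```powershell
# Added example (not from the CIS benchmark): policy intent vs. live BitLocker state.
# Value names follow the BitLocker ADMX; function names are this example's own.

function Get-BitLockerStartupPolicy {
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as "not active".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }
    [pscustomobject]@{
        RequireAdditionalAuth   = ($fve.UseAdvancedStartup -eq 1)             # 18.9.11.2.16
        AllowWithoutTPM         = ($fve.EnableBDEWithNoTPM -eq 1)             # 18.9.11.2.17 expects $false
        EnhancedPins            = ($fve.UseEnhancedPin -eq 1)                 # 18.9.11.2.1
        SecureBootIntegrity     = ($fve.OSAllowSecureBootForIntegrity -eq 1)  # 18.9.11.2.2
        SecureBootActive        = [bool]$secureBoot                           # firmware state, not policy
        DenyWriteUnprotectedRDV = ($fve.RDVDenyWriteAccess -eq 1)             # 18.9.11.3.17
        DmaBlockWhenLocked      = ($fve.DisableExternalDMAUnderLock -eq 1)    # 18.9.11.4
    }
}

function Get-BitLockerPosture {
    foreach ($v in Get-BitLockerVolume) {
        $types = $v.KeyProtector | ForEach-Object { $_.KeyProtectorType }
        [pscustomobject]@{
            Mount           = $v.MountPoint
            VolumeType      = $v.VolumeType        # OperatingSystem / Data
            Protection      = $v.ProtectionStatus  # On / Off
            Method          = $v.EncryptionMethod
            # A TPM-based protector (Tpm, TpmPin, TpmStartupKey, ...) on the OS volume
            # is what 18.9.11.2.16/17 are steering toward.
            HasTpmProtector = [bool]($types | Where-Object { $_ -like 'Tpm*' })
            # A recovery password protector must exist for 18.9.11.x recovery items;
            # whether it was escrowed to AD/Entra is not visible here.
            HasRecoveryPass = ($types -contains 'RecoveryPassword')
        }
    }
}

Get-BitLockerStartupPolicy
Get-BitLockerPosture | Format-Table -AutoSize
```

A volume reporting Protection = Off with the policy values all true is the usual finding on machines that were imaged before the policy arrived; the policy only governs new encryption operations.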
18.9.12 Camera ......................................................................................................................................... 918
18.9.12.1 (L2) Ensure 'Allow Use of Camera' is set to 'Disabled' (Scored) ............. 918
18.9.13 Cloud Content ........................................................................................................................... 920
18.9.13.1 (L1) Ensure 'Turn off Microsoft consumer experiences' is set to 'Enabled' (Scored) .......................................................
18.9.14 Connect ........................................................................................................................................ 922
18.9.14.1 (L1) Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always' (Scored) .................................
18.9.15 Credential User Interface .................................................................................................... 924
18.9.15.1 (L1) Ensure 'Do not display the password reveal button' is set to 'Enabled' (Scored) .....................................................
18.9.15.2 (L1) Ensure 'Enumerate administrator accounts on elevation' is set to 'Disabled' (Scored) ............................................
18.9.15.3 (L1) Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled' (Scored).................................
18.9.16 Data Collection and Preview Builds ............................................................................... 930
18.9.16.1 (L1) Ensure 'Allow Telemetry' is set to 'Enabled: 0 - Security [Enterprise Only]' or 'Enabled: 1 - Basic' (Scored) ............
18.9.16.2 (L2) Ensure 'Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service' is set to
18.9.16.3 (L1) Ensure 'Do not show feedback notifications' is set to 'Enabled' (Scored) ................................................................
18.9.16.4 (L1) Ensure 'Toggle user control over Insider builds' is set to 'Disabled' (Scored) ...........................................................
18.9.17 Delivery Optimization........................................................................................................... 939
18.9.17.1 (L1) Ensure 'Download Mode' is NOT set to 'Enabled: Internet' (Scored)........................................................................
18.9.18 Desktop Gadgets ...................................................................................................................... 941
18.9.19 Desktop Window Manager ................................................................................................. 941
18.9.20 Device and Driver Compatibility ..................................................................................... 942
18.9.21 Device Registration (formerly Workplace Join)....................................................... 942
18.9.22 Digital Locker ............................................................................................................................ 942
18.9.23 Edge UI ......................................................................................................................................... 942
18.9.24 EMET ............................................................................................................................................. 943
18.9.25 Event Forwarding ................................................................................................................... 943
18.9.26 Event Log Service.................................................................................................................... 944
18.9.26.1.1 (L1) Ensure 'Application: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled
18.9.26.1.2 (L1) Ensure 'Application: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' (Scored) ........
18.9.26.2.1 (L1) Ensure 'Security: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Sc
18.9.26.2.2 (L1) Ensure 'Security: Specify the maximum log file size (KB)' is set to 'Enabled: 196,608 or greater' (Scored)............
18.9.26.3.1 (L1) Ensure 'Setup: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Scor
18.9.26.3.2 (L1) Ensure 'Setup: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' (Scored).................
18.9.26.4.1 (L1) Ensure 'System: Control Event Log behavior when the log file reaches its maximum size' is set to 'Disabled' (Sc
18.9.26.4.2 (L1) Ensure 'System: Specify the maximum log file size (KB)' is set to 'Enabled: 32,768 or greater' (Scored)...............
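The four log-size items above are audited by reading the EventLog policy key; the value the service actually applies can differ when policy has not refreshed or the log was configured locally. The following PowerShell is an added example, not part of the CIS benchmark: it checks the policy values for all four logs against the benchmark minimums and shows the effective size and retention mode from Get-WinEvent -ListLog next to them. The $Expected table and function name are this example's own; the registry paths are the ones the EventLog ADMX writes.

```powershell
# Added example (not from the CIS benchmark): items 18.9.26.x, policy vs. effective.
# $Expected holds the benchmark minimums in KB; MaxSize in the policy key is REG_DWORD KB.
$Expected = @{
    'Application' = 32768
    'Security'    = 196608
    'Setup'       = 32768
    'System'      = 32768
}

function Test-EventLogPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog'
    foreach ($log in $Expected.Keys) {
        $pol = Get-ItemProperty -Path (Join-Path $base $log) -ErrorAction SilentlyContinue
        $maxKb     = $null
        $retention = $null
        if ($pol) {
            $maxKb     = $pol.MaxSize
            # "Control Event Log behavior when the log file reaches its maximum size" = Disabled
            # is written as Retention REG_SZ "0" (overwrite events as needed).
            $retention = $pol.Retention
        }

        # Effective configuration as the Event Log service reports it (bytes, not KB).
        $live      = Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue
        $liveMaxKb = $null
        $liveMode  = $null
        if ($live) {
            $liveMaxKb = [int]($live.MaximumSizeInBytes / 1KB)
            $liveMode  = $live.LogMode   # Circular is the "overwrite as needed" mode
        }

        [pscustomobject]@{
            Log           = $log
            PolicyMaxKB   = $maxKb
            LiveMaxKB     = $liveMaxKb
            LiveLogMode   = $liveMode
            SizePass      = ($null -ne $maxKb -and $maxKb -ge $Expected[$log])
            RetentionPass = ($retention -eq '0')
        }
    }
}

Test-EventLogPolicy | Format-Table -AutoSize
```

Both checks require the policy value to be present: a log whose live size already exceeds the minimum but has no MaxSize under the policy key still fails, which matches how the benchmark audit is written.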
18.9.27 Event Logging ........................................................................................................................... 960
18.9.28 Event Viewer ............................................................................................................................. 960
18.9.29 Family Safety (formerly Parental Controls)............................................................... 960
18.9.30 File Explorer (formerly Windows Explorer) ............................................................. 961
18.9.30.2 (L1) Ensure 'Turn off Data Execution Prevention for Explorer' is set to 'Disabled' (Scored) ............................................
18.9.30.3 (L1) Ensure 'Turn off heap termination on corruption' is set to 'Disabled' (Scored) ........................................................
18.9.30.4 (L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled' (Scored) ..........................................................
18.9.31 File History................................................................................................................................. 968
18.9.32 Find My Device ......................................................................................................................... 968
18.9.33 Game Explorer.......................................................................................................................... 968
18.9.34 Handwriting............................................................................................................................... 968
18.9.35 HomeGroup................................................................................................................................ 969
18.9.35.1 (L1) Ensure 'Prevent the computer from joining a homegroup' is set to 'Enabled' (Scored) ...........................................
18.9.36 Import Video ............................................................................................................................. 972
18.9.37 Internet Explorer .................................................................................................................... 972
18.9.38 Internet Information Services .......................................................................................... 972
18.9.39 Location and Sensors ............................................................................................................ 973
18.9.39.2 (L2) Ensure 'Turn off location' is set to 'Enabled' (Scored) ...................... 973
18.9.40 Maintenance Scheduler........................................................................................................ 975
18.9.41 Maps .............................................................................................................................................. 975
18.9.42 MDM .............................................................................................................................................. 975
18.9.43 Messaging ................................................................................................................................... 976
18.9.43.1 (L2) Ensure 'Allow Message Service Cloud Sync' is set to 'Disabled' (Scored) .................................................................
18.9.44 Microsoft account ................................................................................................................... 978
18.9.44.1 (L1) Ensure 'Block all consumer Microsoft account user authentication' is set to 'Enabled' (Scored) .............................
18.9.45 Microsoft Edge.......................................................................................................................... 980
18.9.45.1 (L2) Ensure 'Allow Address bar drop-down list suggestions' is set to 'Disabled' (Scored) ...............................................
18.9.45.2 (L2) Ensure 'Allow Adobe Flash' is set to 'Disabled' (Scored) ................. 982
18.9.45.3 (L2) Ensure 'Allow InPrivate Browsing' is set to 'Disabled' (Scored) .. 984
18.9.45.4 (L1) Ensure 'Allow Sideloading of extension' is set to 'Disabled' (Scored)........................................................................
18.9.45.5 (L1) Ensure 'Configure cookies' is set to 'Enabled: Block only 3rd-party cookies' or higher (Scored) ..............................
18.9.45.6 (L1) Ensure 'Configure Password Manager' is set to 'Disabled' (Scored)..........................................................................
18.9.45.7 (L2) Ensure 'Configure Pop-up Blocker' is set to 'Enabled' (Scored) ... 992
18.9.45.8 (L2) Ensure 'Configure search suggestions in Address bar' is set to 'Disabled' (Scored) ..................................................
18.9.45.9 (L1) Ensure 'Configure the Adobe Flash Click-to-Run setting' is set to 'Enabled' (Scored) ...............................................
18.9.45.10 (L2) Ensure 'Prevent access to the about:flags page in Microsoft Edge' is set to 'Enabled' (Scored) ............................
18.9.45.11 (L1) Ensure 'Prevent certificate error overrides' is set to 'Enabled' (Scored) .................................................................
18.9.45.12 (L2) Ensure 'Prevent using Localhost IP address for WebRTC' is set to 'Enabled' (Scored) ............................................
18.9.46 Microsoft FIDO Authentication ......................................................................................1004
18.9.47 Microsoft Secondary Authentication Factor ............................................................1004
18.9.48 Microsoft User Experience Virtualization .................................................................1004
18.9.49 NetMeeting ...............................................................................................................................1004
18.9.50 Network Access Protection ..............................................................................................1005
18.9.51 Network Projector ................................................................................................................1005
18.9.52 OneDrive (formerly SkyDrive) .......................................................................................1006
18.9.52.1 (L1) Ensure 'Prevent the usage of OneDrive for file storage' is set to 'Enabled' (Scored) ................................................
18.9.53 Online Assistance ..................................................................................................................1008
18.9.54 OOBE ...........................................................................................................................................1008
18.9.55 Password Synchronization...............................................................................................1009
18.9.56 Portable Operating System ..............................................................................................1009
18.9.57 Presentation Settings ..........................................................................................................1009
18.9.58 Push To Install ........................................................................................................................1010
18.9.58.1 (L2) Ensure 'Turn off Push To Install service' is set to 'Enabled' (Scored).........................................................................
18.9.59 Remote Desktop Services (formerly Terminal Services) ..................................1012
18.9.59.2.2 (L1) Ensure 'Do not allow passwords to be saved' is set to 'Enabled' (Scored) ............................................................
18.9.59.3.2.1 (L2) Ensure 'Allow users to connect remotely by using Remote Desktop Services' is set to 'Disabled' (Scored) .......
18.9.59.3.3.1 (L2) Ensure 'Do not allow COM port redirection' is set to 'Enabled' (Scored) ...........................................................
18.9.59.3.3.2 (L1) Ensure 'Do not allow drive redirection' is set to 'Enabled' (Scored) ...................................................................
18.9.59.3.3.3 (L2) Ensure 'Do not allow LPT port redirection' is set to 'Enabled' (Scored) ..............................................................
18.9.59.3.3.4 (L2) Ensure 'Do not allow supported Plug and Play device redirection' is set to 'Enabled' (Scored)..........................
18.9.59.3.9.1 (L1) Ensure 'Always prompt for password upon connection' is set to 'Enabled' (Scored) .........................................
18.9.59.3.9.2 (L1) Ensure 'Require secure RPC communication' is set to 'Enabled' (Scored) ..........................................................
18.9.59.3.9.3 (L1) Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL' (Scored)..
18.9.59.3.9.4 (L1) Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to
18.9.59.3.9.5 (L1) Ensure 'Set client connection encryption level' is set to 'Enabled: High Level' (Scored) ....................................
18.9.59.3.10.1 (L2) Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes o
18.9.59.3.10.2 (L2) Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute' (Scored)..................................
18.9.59.3.11.1 (L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled' (Scored) .....................................................
18.9.59.3.11.2 (L1) Ensure 'Do not use temporary folders per session' is set to 'Disabled' (Scored) ..............................................
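The Remote Desktop Services items above all land in one policy key, which makes them easy to audit in one pass, but the RDP listener negotiates against its own effective settings. The following PowerShell is an added example, not part of the CIS benchmark: it compares the policy values with the expected content for each item that has a fixed value, and then reads the effective NLA, security layer and encryption level from the Win32_TSGeneralSetting WMI class. The $Checks table and function names are this example's own; value names follow the Terminal Services ADMX. Item 18.9.59.3.10.1 (idle limit of 15 minutes or less) is a range check and is left out of the table.

```powershell
# Added example (not from the CIS benchmark): items 18.9.59.x, policy vs. effective listener settings.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Benchmark item -> policy value name -> expected content (this example's own table).
$Checks = @(
    @{ Item = '18.9.59.2.2';    Name = 'fDisablePasswordSaving'; Want = 1 }
    @{ Item = '18.9.59.3.3.1';  Name = 'fDisableCcm';            Want = 1 }
    @{ Item = '18.9.59.3.3.2';  Name = 'fDisableCdm';            Want = 1 }
    @{ Item = '18.9.59.3.3.3';  Name = 'fDisableLPT';            Want = 1 }
    @{ Item = '18.9.59.3.3.4';  Name = 'fDisablePNPRedir';       Want = 1 }
    @{ Item = '18.9.59.3.9.1';  Name = 'fPromptForPassword';     Want = 1 }
    @{ Item = '18.9.59.3.9.2';  Name = 'fEncryptRPCTraffic';     Want = 1 }
    @{ Item = '18.9.59.3.9.3';  Name = 'SecurityLayer';          Want = 2 }      # 2 = SSL (TLS)
    @{ Item = '18.9.59.3.9.4';  Name = 'UserAuthentication';     Want = 1 }      # NLA required
    @{ Item = '18.9.59.3.9.5';  Name = 'MinEncryptionLevel';     Want = 3 }      # 3 = High
    @{ Item = '18.9.59.3.10.2'; Name = 'MaxDisconnectionTime';   Want = 60000 }  # milliseconds
    @{ Item = '18.9.59.3.11.1'; Name = 'DeleteTempDirsOnExit';   Want = 1 }
    @{ Item = '18.9.59.3.11.2'; Name = 'PerSessionTempDir';      Want = 1 }
)

function Test-RdsPolicy {
    $pol = Get-ItemProperty -Path $tsPolicy -ErrorAction SilentlyContinue
    foreach ($c in $Checks) {
        $have = $null
        if ($pol) { $have = $pol.($c.Name) }
        [pscustomobject]@{
            Item  = $c.Item
            Value = $c.Name
            Want  = $c.Want
            Have  = $have
            Pass  = ($have -eq $c.Want)
        }
    }
}

function Get-RdsEffectiveSettings {
    # What the RDP-Tcp listener actually enforces, whether or not the policy key is populated.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
    [pscustomobject]@{
        NetworkLevelAuth   = [bool]$ts.UserAuthenticationRequired
        SecurityLayer      = $ts.SecurityLayer       # 0 RDP, 1 Negotiate, 2 SSL/TLS
        MinEncryptionLevel = $ts.MinEncryptionLevel  # 1 Low, 2 Client Compatible, 3 High, 4 FIPS
    }
}

Test-RdsPolicy | Format-Table -AutoSize
Get-RdsEffectiveSettings
```

The effective query is the one to trust when the two disagree: a listener at SecurityLayer 0 accepts legacy RDP security without TLS regardless of what a stale or unapplied policy says.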
18.9.60 RSS Feeds ..................................................................................................................................1047
18.9.60.1 (L1) Ensure 'Prevent downloading of enclosures' is set to 'Enabled' (Scored) .................................................................
18.9.61 Search .........................................................................................................................................1049
18.9.61.2 (L2) Ensure 'Allow Cloud Search' is set to 'Enabled: Disable Cloud Search' (Scored)........................................................
18.9.61.3 (L1) Ensure 'Allow Cortana' is set to 'Disabled' (Scored).........................1051
18.9.61.4 (L1) Ensure 'Allow Cortana above lock screen' is set to 'Disabled' (Scored) ....................................................................
18.9.61.5 (L1) Ensure 'Allow indexing of encrypted files' is set to 'Disabled' (Scored) ....................................................................
18.9.61.6 (L1) Ensure 'Allow search and Cortana to use location' is set to 'Disabled' (Scored) .......................................................
18.9.62 Security Center.......................................................................................................................1059
18.9.63 Server for NIS..........................................................................................................................1059
18.9.64 Shutdown Options ................................................................................................................1059
18.9.65 Smart Card................................................................................................................................1059
18.9.66 Software Protection Platform .........................................................................................1060
18.9.66.1 (L2) Ensure 'Turn off KMS Client Online AVS Validation' is set to 'Enabled' (Scored) ......................................................
18.9.67 Sound Recorder .....................................................................................................................1062
18.9.68 Speech.........................................................................................................................................1062
18.9.69 Store ............................................................................................................................................1063
18.9.69.1 (L2) Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled' (Scored) .............................................................
18.9.69.2 (L1) Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled' (Scored)................................
18.9.69.3 (L1) Ensure 'Turn off Automatic Download and Install of updates' is set to 'Disabled' (Scored)......................................
18.9.69.4 (L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled' (Scored) ........................
18.9.69.5 (L2) Ensure 'Turn off the Store application' is set to 'Enabled' (Scored)...........................................................................
18.9.70 Sync your settings.................................................................................................................1072
18.9.71 Tablet PC ...................................................................................................................................1072
18.9.72 Task Scheduler .......................................................................................................................1073
18.9.73 Text Input .................................................................................................................................1073
18.9.74 Windows Calendar ...............................................................................................................1073
18.9.75 Windows Color System ......................................................................................................1073
18.9.76 Windows Customer Experience Improvement Program ..................................1073
18.9.77 Windows Defender Antivirus (formerly Windows Defender)........................1074
18.9.77.3.1 (L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled' (Scored) ...............
18.9.77.3.2 (L2) Ensure 'Join Microsoft MAPS' is set to 'Disabled' (Scored)........1077
18.9.77.7.1 (L1) Ensure 'Turn on behavior monitoring' is set to 'Enabled' (Scored).........................................................................
18.9.77.9.1 (L2) Ensure 'Configure Watson events' is set to 'Disabled' (Scored)..............................................................................
18.9.77.10.1 (L1) Ensure 'Scan removable drives' is set to 'Enabled' (Scored) .1085
18.9.77.10.2 (L1) Ensure 'Turn on e-mail scanning' is set to 'Enabled' (Scored)..............................................................................
18.9.77.13.1.1 (L1) Ensure 'Configure Attack Surface Reduction rules' is set to 'Enabled' (Scored) ................................................
18.9.77.13.1.2 (L1) Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured' (Scored) ...
18.9.77.13.3.1 (L1) Ensure 'Prevent users and apps from accessing dangerous websites' is set to 'Enabled: Block' (Scored) ........
18.9.77.14 (L1) Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block' (Scored) ................
18.9.77.15 (L1) Ensure 'Turn off Windows Defender AntiVirus' is set to 'Disabled' (Scored) ..........................................................
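Several of the Windows Defender Antivirus items above, the ASR rules and network protection in particular, merge policy and locally set preferences, so the registry alone does not show what the engine is enforcing. The following PowerShell is an added example, not part of the CIS benchmark: it reads the effective state through Get-MpPreference and Get-MpComputerStatus and reduces it to pass/fail style fields keyed to the benchmark items. The function name and field names are this example's own; the cmdlet properties and action codes are those of the Defender module.

```powershell
# Added example (not from the CIS benchmark): items 18.9.77.x via effective Defender state.
function Test-DefenderPosture {
    $mp  = Get-MpPreference
    $svc = Get-MpComputerStatus

    # ASR rule state: action 1 = Block, 2 = Audit, 0 = Disabled. Only Block enforces.
    $asr = @{}
    if ($mp.AttackSurfaceReductionRules_Ids) {
        for ($i = 0; $i -lt $mp.AttackSurfaceReductionRules_Ids.Count; $i++) {
            $asr[$mp.AttackSurfaceReductionRules_Ids[$i]] = $mp.AttackSurfaceReductionRules_Actions[$i]
        }
    }

    [pscustomobject]@{
        AntivirusEnabled       = $svc.AntivirusEnabled                                           # 18.9.77.15
        RealTimeEnabled        = $svc.RealTimeProtectionEnabled
        BehaviorMonitoring     = (-not $mp.DisableBehaviorMonitoring)                            # 18.9.77.7.1
        RemovableDriveScanning = (-not $mp.DisableRemovableDriveScanning)                        # 18.9.77.10.1
        EmailScanning          = (-not $mp.DisableEmailScanning)                                 # 18.9.77.10.2
        AsrRulesConfigured     = ($asr.Count -gt 0)                                              # 18.9.77.13.1.1/2
        AsrRulesInBlockMode    = @($asr.GetEnumerator() | Where-Object { $_.Value -eq 1 }).Count
        AsrRulesInAuditOnly    = @($asr.GetEnumerator() | Where-Object { $_.Value -eq 2 }).Count
        NetworkProtectionBlock = ($mp.EnableNetworkProtection -eq 1)                             # 18.9.77.13.3.1 (1 = Block)
        PuaProtectionBlock     = ($mp.PUAProtection -eq 1)                                       # 18.9.77.14 (1 = Block)
        MapsReporting          = $mp.MAPSReporting                                               # 18.9.77.3.2 (L2 expects 0)
    }
}

Test-DefenderPosture
```

AsrRulesInAuditOnly is worth watching separately: a deployment that staged every rule in audit mode and never flipped them reports "configured" but blocks nothing.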
18.9.78 Windows Defender Application Guard.......................................................................1103
18.9.78.1 (NG) Ensure 'Allow auditing events in Windows Defender Application Guard' is set to 'Enabled' (Scored) ....................
18.9.78.2 (NG) Ensure 'Allow camera and microphone access in Windows Defender Application Guard' is set to 'Disabled' (Scor
18.9.78.3 (NG) Ensure 'Allow data persistence for Windows Defender Application Guard' is set to 'Disabled' (Scored) ...............
18.9.78.4 (NG) Ensure 'Allow files to download and save to the host operating system from Windows Defender Application Gu
18.9.78.5 (NG) Ensure 'Allow users to trust files that open in Windows Defender Application Guard' is set to 'Enabled: 0 (Do no
18.9.78.6 (NG) Ensure 'Configure Windows Defender Application Guard clipboard settings: Clipboard behavior setting' is set to
18.9.78.7 (NG) Ensure 'Turn on Windows Defender Application Guard in Enterprise Mode' is set to 'Enabled: 1' (Scored)...........
18.9.79 Windows Defender Exploit Guard ................................................................................1120
18.9.80 Windows Defender SmartScreen ..................................................................................1121
18.9.80.1.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled: Warn and prevent bypass' (Scored)
18.9.80.2.1 (L1) Ensure 'Configure Windows Defender SmartScreen' is set to 'Enabled' (Scored)
18.9.80.2.2 (L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled' (Scored)
18.9.80.2.3 (L1) Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled' (Scored)
18.9.81 Windows Error Reporting ................................................................................................1130
18.9.82 Windows Game Recording and Broadcasting .........................................................1131
18.9.82.1 (L1) Ensure 'Enables or disables Windows Game Recording and Broadcasting' is set to 'Disabled' (Scored)
18.9.83 Windows Hello for Business (formerly Microsoft Passport for Work) ......1132
18.9.84 Windows Ink Workspace ..................................................................................................1133
18.9.84.1 (L2) Ensure 'Allow suggested apps in Windows Ink Workspace' is set to 'Disabled' (Scored)
18.9.84.2 (L1) Ensure 'Allow Windows Ink Workspace' is set to 'Enabled: On, but disallow access above lock' OR 'Disabled' but
18.9.85 Windows Installer ................................................................................................................1137
18.9.85.1 (L1) Ensure 'Allow user control over installs' is set to 'Disabled' (Scored)
18.9.85.2 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (Scored)
18.9.85.3 (L2) Ensure 'Prevent Internet Explorer security prompt for Windows Installer scripts' is set to 'Disabled' (Scored)
18.9.86 Windows Logon Options ...................................................................................................1144
18.9.86.1 (L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled' (Scored)
18.9.87 Windows Mail .........................................................................................................................1146
18.9.88 Windows Media Center ......................................................................................................1146
18.9.89 Windows Media Digital Rights Management...........................................................1146
18.9.90 Windows Media Player ......................................................................................................1146
18.9.91 Windows Meeting Space....................................................................................................1147
18.9.92 Windows Messenger ...........................................................................................................1147
18.9.93 Windows Mobility Center .................................................................................................1147
18.9.94 Windows Movie Maker.......................................................................................................1147
18.9.95 Windows PowerShell ..........................................................................................................1148
18.9.95.1 (L1) Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled' (Scored)
18.9.95.2 (L1) Ensure 'Turn on PowerShell Transcription' is set to 'Disabled' (Scored)
18.9.96 Windows Reliability Analysis..........................................................................................1151
18.9.97 Windows Remote Management (WinRM) ................................................................1152
18.9.97.1.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Scored)
18.9.97.1.2 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Scored)
18.9.97.1.3 (L1) Ensure 'Disallow Digest authentication' is set to 'Enabled' (Scored)
18.9.97.2.1 (L1) Ensure 'Allow Basic authentication' is set to 'Disabled' (Scored)
18.9.97.2.2 (L2) Ensure 'Allow remote server management through WinRM' is set to 'Disabled' (Scored)
18.9.97.2.3 (L1) Ensure 'Allow unencrypted traffic' is set to 'Disabled' (Scored)
18.9.97.2.4 (L1) Ensure 'Disallow WinRM from storing RunAs credentials' is set to 'Enabled' (Scored)
18.9.98 Windows Remote Shell ......................................................................................................1167
18.9.98.1 (L2) Ensure 'Allow Remote Shell Access' is set to 'Disabled' (Scored)
18.9.99 Windows Security (formerly Windows Defender Security Center) .............1170
18.9.99.2.1 (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled' (Scored)
18.9.100 Windows SideShow...........................................................................................................1173
18.9.101 Windows System Resource Manager .......................................................................1173
18.9.102 Windows Update ................................................................................................................1174
18.9.102.1.1 (L1) Ensure 'Manage preview builds' is set to 'Enabled: Disable preview builds' (Scored)
18.9.102.1.2 (L1) Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Chann
18.9.102.1.3 (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' (Scored)
18.9.102.2 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled' (Scored)
18.9.102.3 (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' (Scored)
18.9.102.4 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled'
18.9.102.5 (L1) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled' (Scored)
19 Administrative Templates (User)......................................................................................................1192
19.1 Control Panel ......................................................................................................................................1192
19.1.1 Add or Remove Programs....................................................................................................1192
19.1.2 Display ..........................................................................................................................................1192
19.1.3 Personalization (formerly Desktop Themes).............................................................1193
19.1.3.1 (L1) Ensure 'Enable screen saver' is set to 'Enabled' (Scored) ................1193
19.1.3.2 (L1) Ensure 'Force specific screen saver: Screen saver executable name' is set to 'Enabled: scrnsave.scr' (Scored)
19.1.3.3 (L1) Ensure 'Password protect the screen saver' is set to 'Enabled' (Scored)
19.1.3.4 (L1) Ensure 'Screen saver timeout' is set to 'Enabled: 900 seconds or fewer, but not 0' (Scored)
19.2 Desktop..................................................................................................................................................1201
19.3 Network ................................................................................................................................................1201
19.4 Shared Folders ...................................................................................................................................1201
19.5 Start Menu and Taskbar ................................................................................................................1202
19.5.1 Notifications ...............................................................................................................................1202
19.5.1.1 (L1) Ensure 'Turn off toast notifications on the lock screen' is set to 'Enabled' (Scored)
19.6 System....................................................................................................................................................1204
19.6.1 Ctrl+Alt+Del Options ..............................................................................................................1204
19.6.2 Display ..........................................................................................................................................1204
19.6.3 Driver Installation ...................................................................................................................1204
19.6.4 Folder Redirection ..................................................................................................................1204
19.6.5 Group Policy ...............................................................................................................................1205
19.6.6 Internet Communication Management .........................................................................1206
19.6.6.1.1 (L2) Ensure 'Turn off Help Experience Improvement Program' is set to 'Enabled' (Scored)
19.7 Windows Components ...................................................................................................................1208
19.7.1 Add features to Windows 8 / 8.1 / 10 (formerly Windows Anytime Upgrade)
19.7.2 App runtime ...............................................................................................................................1208
19.7.3 Application Compatibility....................................................................................................1208
19.7.4 Attachment Manager..............................................................................................................1209
19.7.4.1 (L1) Ensure 'Do not preserve zone information in file attachments' is set to 'Disabled' (Scored)
19.7.4.2 (L1) Ensure 'Notify antivirus programs when opening attachments' is set to 'Enabled' (Scored)
19.7.5 AutoPlay Policies......................................................................................................................1213
19.7.6 Backup...........................................................................................................................................1213
19.7.7 Cloud Content ............................................................................................................................1214
19.7.7.1 (L1) Ensure 'Configure Windows spotlight on lock screen' is set to 'Disabled' (Scored)
19.7.7.2 (L1) Ensure 'Do not suggest third-party content in Windows spotlight' is set to 'Enabled' (Scored)
19.7.7.3 (L2) Ensure 'Do not use diagnostic data for tailored experiences' is set to 'Enabled' (Scored)
19.7.7.4 (L2) Ensure 'Turn off all Windows spotlight features' is set to 'Enabled' (Scored)
19.7.8 Credential User Interface .....................................................................................................1222
19.7.9 Data Collection and Preview Builds................................................................................1222
19.7.10 Desktop Gadgets ....................................................................................................................1222
19.7.11 Desktop Window Manager ...............................................................................................1222
19.7.12 Digital Locker ..........................................................................................................................1223
19.7.13 Edge UI .......................................................................................................................................1223
19.7.14 File Explorer (formerly Windows Explorer) ...........................................................1223
19.7.15 File Revocation.......................................................................................................................1223
19.7.16 IME ...............................................................................................................................................1224
19.7.17 Import Video ...........................................................................................................................1224
19.7.18 Instant Search .........................................................................................................................1224
19.7.19 Internet Explorer ..................................................................................................................1224
19.7.20 Location and Sensors ..........................................................................................................1224
19.7.21 Microsoft Edge........................................................................................................................1225
19.7.22 Microsoft Management Console ....................................................................................1225
19.7.23 Microsoft User Experience Virtualization .................................................................1225
19.7.24 NetMeeting ...............................................................................................................................1225
19.7.25 Network Projector ................................................................................................................1225
19.7.26 Network Sharing ...................................................................................................................1226
19.7.26.1 (L1) Ensure 'Prevent users from sharing files within their profile.' is set to 'Enabled' (Scored)
19.7.27 OOBE ...........................................................................................................................................1228
19.7.28 Presentation Settings ..........................................................................................................1228
19.7.29 Remote Desktop Services (formerly Terminal Services) ..................................1228
19.7.30 RSS Feeds ..................................................................................................................................1228
19.7.31 Search .........................................................................................................................................1229
19.7.32 Sound Recorder .....................................................................................................................1229
19.7.33 Store ............................................................................................................................................1229
19.7.34 Tablet PC ...................................................................................................................................1229
19.7.35 Task Scheduler .......................................................................................................................1230
19.7.36 Windows Calendar ...............................................................................................................1230
19.7.37 Windows Color System ......................................................................................................1230
19.7.38 Windows Defender SmartScreen ..................................................................................1230
19.7.39 Windows Error Reporting ................................................................................................1231
19.7.40 Windows Hello for Business (formerly Microsoft Passport for Work) ......1231
19.7.41 Windows Installer ................................................................................................................1232
19.7.41.1 (L1) Ensure 'Always install with elevated privileges' is set to 'Disabled' (Scored)
19.7.42 Windows Logon Options ...................................................................................................1234
19.7.43 Windows Mail .........................................................................................................................1234
19.7.44 Windows Media Center ......................................................................................................1234
19.7.45 Windows Media Player ......................................................................................................1235
19.7.45.2.1 (L2) Ensure 'Prevent Codec Download' is set to 'Enabled' (Scored)
Appendix: Summary Table ...............................................................................................................................1238
Appendix: Change History ................................................................................................................................1278
............................................................................................................................................... 362
'Disabled' or 'Not Installed' (Scored) ........................... 364
....................................................................................................................................... 366
(Scored) ................................................................................................................ 368
......................................................................................................................... 370
ed' (Scored) ................................................................................................................ 372
lled' (Scored) ........................................................................................ 374
d) ............................................................................................................................. 376
........................................................................................................................................... 378
................................................................................................................................ 380
.......................................................................................................................... 382
......................... 383
....................... 383

................ 384
red) .............................................................................................................. 384
cored) ................................................................................................................ 386
(Scored)................................................................................................................ 388
red) ............................................................................................................................. 390
32\logfiles\firewall\domainfw.log' (Scored).................. 392
eater' (Scored) ................................................................................................... 394
red) ........................................................................................................................... 396
s' (Scored)........................................................................................... 398
............... 400
ed) .............................................................................................................. 400
ored) ................................................................................................................ 402
Scored)................................................................................................................ 404
ed) ............................................................................................................................. 406
32\logfiles\firewall\privatefw.log' (Scored)................... 408
ater' (Scored) ................................................................................................... 410
ed) ........................................................................................................................... 412
' (Scored)........................................................................................... 414
................ 416
d) .............................................................................................................. 416
ored) .............................................................................................................................. 418
cored)................................................................................................................ 420
d) .................................................................................................................................... 422
ored) ............................................................................................................................. 424
et to 'No' (Scored) ......................................................................................... 426
2\logfiles\firewall\publicfw.log' (Scored)..................... 428
ter' (Scored) ................................................................................................... 430
d) ................................................................................................................................... 432
' (Scored)........................................................................................... 434
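The three firewall-profile groups above (Domain, Private, Public) each end with a per-profile log file under `...\logfiles\firewall\<profile>fw.log`. The script below is an added example, not part of the benchmark: it reads the effective firewall profile configuration and reports each profile against those entries. The expected log paths follow the three entries shown; the other targets (profile on, inbound Block, dropped packets and successful connections logged, a 16,384 KB minimum log size, local rules not merged on the Public profile) are assumptions about what the truncated entries ask for, so adjust them to the full recommendation text. Run it in an elevated PowerShell on the host under test.

```powershell
# Added example, not from the benchmark: audit the per-profile Windows Firewall
# settings behind the Domain/Private/Public entries above. Expected log paths
# follow the three '...\logfiles\firewall\<profile>fw.log' entries; the other
# targets are assumptions about what the truncated entries ask for.

$expectedLog = @{
    Domain  = 'System32\logfiles\firewall\domainfw.log'
    Private = 'System32\logfiles\firewall\privatefw.log'
    Public  = 'System32\logfiles\firewall\publicfw.log'
}
$minLogKB = 16384   # assumed floor; the page's own figure is cut off

# ActiveStore = the effective configuration (local settings merged with GPO).
$results = foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    # Normalise %SystemRoot% vs C:\Windows so either spelling of the path passes.
    $log   = $p.LogFileName -replace '^%SystemRoot%\\', "$env:SystemRoot\"
    $logOk = $log -ieq (Join-Path $env:SystemRoot $expectedLog[$p.Name])

    $checks = [ordered]@{
        'Firewall state: On'              = $p.Enabled -eq 'True'
        'Inbound connections: Block'      = $p.DefaultInboundAction -eq 'Block'
        'Log dropped packets: Yes'        = $p.LogBlocked -eq 'True'
        'Log successful connections: Yes' = $p.LogAllowed -eq 'True'
        'Log file name as expected'       = $logOk
        "Log size limit >= $minLogKB KB"  = [int64]$p.LogMaxSizeKilobytes -ge $minLogKB
    }
    # Only the Public profile entry above asks for 'Apply local firewall rules: No'.
    if ($p.Name -eq 'Public') {
        $checks['Apply local firewall rules: No'] = $p.AllowLocalFirewallRules -eq 'False'
    }

    foreach ($c in $checks.GetEnumerator()) {
        [pscustomobject]@{ Profile = $p.Name; Check = $c.Key; Pass = [bool]$c.Value }
    }
}

$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Pass }).Count -gt 0) { exit 1 }
```

Querying `ActiveStore` rather than the default persistent store matters: a host can look compliant in its local settings while a GPO overrides them, or the reverse, and only the active store shows what the firewall is actually enforcing.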
… to 'Enabled' (Scored) .... 513
… mall letters + numbers + special characters' (Scored) .... 518
… to 'Enabled' (Scored) .... 533
… t to 'Disabled' (Scored) .... 540
… ects against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' (Scored)
… against packet spoofing)' is set to 'Enabled: Highest protection, source routing is completely disabled' (Scored)
… d' is set to 'Enabled' (Scored) .... 546
… ed routes' is set to 'Disabled' (Scored) .... 548
… s' is set to 'Enabled: 300,000 or 5 minutes (recommended)' (Scored)
… name release requests except from WINS servers' is set to 'Enabled' (Scored)
… Gateway addresses (could lead to DoS)' is set to 'Disabled' (Scored)
… s set to 'Enabled' (Scored) .... 556
… er grace period expires (0 recommended)' is set to 'Enabled: 5 or fewer seconds' (Scored)
… ed data is retransmitted' is set to 'Enabled: 3' (Scored) .... 560
… ta is retransmitted' is set to 'Enabled: 3' (Scored) .... 562
… hich the system will generate a warning' is set to 'Enabled: 90% or less' (Scored)
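The entries above are the legacy "MSS:" settings (IP source routing, ICMP redirects, TCP keep-alive, NetBIOS name release, dead-gateway detection, screen-saver grace period, TCP retransmissions, security-log warning level). The script below is an added example, not part of the benchmark: it reads the values back from the registry and compares them with the values quoted in the fragments above. The registry paths and value names are assumed from the well-known MSS locations, not from this page; the MSS entries are not in the stock ADMX set, so the registry is the ground truth regardless of which template was used to set them. An absent value is reported as a finding, because the insecure default then applies.

```powershell
# Added example, not from the benchmark: read back the 'MSS:' legacy settings
# behind the entries above. Registry paths and value names are assumed from
# the well-known MSS locations; expected values are the ones quoted above.

$tcp  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$tcp6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$nbt  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$wl   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sec  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'

# Report name, registry location, and the compliance predicate for the value.
$checks = @(
    @{ Setting='DisableIPSourceRouting (IPv4) = 2';    Path=$tcp;  Value='DisableIPSourceRouting';    Ok={ param($v) $v -eq 2 } }
    @{ Setting='DisableIPSourceRouting (IPv6) = 2';    Path=$tcp6; Value='DisableIPSourceRouting';    Ok={ param($v) $v -eq 2 } }
    @{ Setting='EnableICMPRedirect = 0';               Path=$tcp;  Value='EnableICMPRedirect';        Ok={ param($v) $v -eq 0 } }
    @{ Setting='KeepAliveTime = 300000 ms';            Path=$tcp;  Value='KeepAliveTime';             Ok={ param($v) $v -eq 300000 } }
    @{ Setting='NoNameReleaseOnDemand = 1';            Path=$nbt;  Value='NoNameReleaseOnDemand';     Ok={ param($v) $v -eq 1 } }
    @{ Setting='EnableDeadGWDetect = 0';               Path=$tcp;  Value='EnableDeadGWDetect';        Ok={ param($v) $v -eq 0 } }
    @{ Setting='ScreenSaverGracePeriod <= 5 s';        Path=$wl;   Value='ScreenSaverGracePeriod';    Ok={ param($v) [int]$v -le 5 } }   # REG_SZ
    @{ Setting='TcpMaxDataRetransmissions (IPv4) = 3'; Path=$tcp;  Value='TcpMaxDataRetransmissions'; Ok={ param($v) $v -eq 3 } }
    @{ Setting='TcpMaxDataRetransmissions (IPv6) = 3'; Path=$tcp6; Value='TcpMaxDataRetransmissions'; Ok={ param($v) $v -eq 3 } }
    @{ Setting='Security log WarningLevel <= 90%';     Path=$sec;  Value='WarningLevel';              Ok={ param($v) $v -ge 1 -and $v -le 90 } }
)

$results = foreach ($c in $checks) {
    $actual = $null
    $item = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    if ($item) { $actual = $item.($c.Value) }
    $shown = if ($null -eq $actual) { '<not set>' } else { $actual }
    [pscustomobject]@{
        Setting   = $c.Setting
        Actual    = $shown
        Compliant = ($null -ne $actual) -and [bool](& $c.Ok $actual)
    }
}

$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Compliant }).Count -gt 0) { exit 1 }
```

The Tcpip and Tcpip6 keys are checked separately because the benchmark lists the IPv4 and IPv6 variants of source routing and retransmissions as distinct entries; hardening only one stack leaves the other at its default.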
… omain network' is set to 'Enabled' (Scored) .... 582
… k' is set to 'Enabled' (Scored) .... 585
… t to 'Enabled' (Scored) .... 587
… ation" and "Require Integrity" set for all NETLOGON and SYSVOL shares' (Scored)
… 'Disabled' (Scored) .... 597
… Windows Domain' is set to 'Enabled: 3 = Prevent Wi-Fi when on Ethernet' (Scored)
… n authenticated network' is set to 'Enabled' (Scored) .... 604
… to networks shared by contacts, and to hotspots offering paid services' is set to 'Disabled' (Scored)
… et to 'Secure Boot and DMA Protection' (Scored) .... 622
… Code Integrity' is set to 'Enabled with UEFI lock' (Scored) .... 624
… able' is set to 'True (checked)' (Scored) .... 627
… set to 'Enabled with UEFI lock' (Scored) .... 629
… t to 'Enabled' (Scored) .... 632
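The five Device Guard entries above (platform security level 'Secure Boot and DMA Protection', virtualization-based protection of Code Integrity 'Enabled with UEFI lock', the UEFI Memory Attributes Table requirement, Credential Guard 'Enabled with UEFI lock', Secure Launch 'Enabled') describe what policy should ask for. Whether the platform actually delivers it is a separate question: VBS silently stays off when firmware prerequisites are missing. The script below is an added example, not part of the benchmark: it reports both the policy intent from the registry and the runtime state from the `Win32_DeviceGuard` CIM class. The registry value names and the class's numeric codes are assumptions taken from Microsoft's documentation, not from this page.

```powershell
# Added example, not from the benchmark: compare the Device Guard policy
# entries above with what the running system reports through Win32_DeviceGuard.
# Registry value names and CIM codes are assumed from Microsoft documentation.

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue

# Policy intent. 1 = "Enabled with UEFI lock" for HVCI and Credential Guard
# (2 would be "without lock"); 3 = "Secure Boot and DMA Protection".
$intent = [ordered]@{
    'EnableVirtualizationBasedSecurity = 1'           = $p.EnableVirtualizationBasedSecurity -eq 1
    'RequirePlatformSecurityFeatures = 3 (SB + DMA)'  = $p.RequirePlatformSecurityFeatures -eq 3
    'HypervisorEnforcedCodeIntegrity = 1 (UEFI lock)' = $p.HypervisorEnforcedCodeIntegrity -eq 1
    'HVCIMATRequired = 1 (UEFI MAT required)'         = $p.HVCIMATRequired -eq 1
    'LsaCfgFlags = 1 (Credential Guard, UEFI lock)'   = $p.LsaCfgFlags -eq 1
    'ConfigureSystemGuardLaunch = 1 (Secure Launch)'  = $p.ConfigureSystemGuardLaunch -eq 1
}

# Runtime state. Win32_DeviceGuard codes (assumed):
#   VirtualizationBasedSecurityStatus: 0 off, 1 enabled but not running, 2 running
#   RequiredSecurityProperties / AvailableSecurityProperties: 1 VBS base,
#       2 Secure Boot, 3 DMA protection, 4 secure memory overwrite,
#       5 UEFI code read-only, 6 SMM mitigations
#   SecurityServicesRunning: 1 Credential Guard, 2 HVCI, 3 System Guard Secure Launch
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

$running = [ordered]@{
    'VBS running'                    = $dg.VirtualizationBasedSecurityStatus -eq 2
    'Secure Boot required by VBS'    = 2 -in @($dg.RequiredSecurityProperties)
    'DMA protection required by VBS' = 3 -in @($dg.RequiredSecurityProperties)
    'HVCI running'                   = 2 -in @($dg.SecurityServicesRunning)
    'Credential Guard running'       = 1 -in @($dg.SecurityServicesRunning)
    'Secure Launch running'          = 3 -in @($dg.SecurityServicesRunning)
}

'-- Policy intent --'
$intent.GetEnumerator()  | ForEach-Object { '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key }
'-- Runtime state --'
$running.GetEnumerator() | ForEach-Object { '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key }

# A policy PASS with a runtime FAIL means a firmware/hardware prerequisite
# (UEFI, Secure Boot, IOMMU, TPM) is missing: the GPO applied but VBS did not start.
'Available platform properties: ' + (@($dg.AvailableSecurityProperties) -join ',')
```

The "available" list at the end is the useful diagnostic when a runtime check fails: if 3 (DMA protection) is not available, the 'Secure Boot and DMA Protection' level can never be satisfied on that hardware, and the platform security level would have to be lowered or the hardware replaced rather than the policy re-pushed.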

… to 'Enabled' (Scored) .... 634
… ent installation of devices that match any of these device IDs' is set to 'PCI\CC_0C0A' (Scored)
… apply to matching devices that are already installed.' is set to 'True' (checked) (Scored)
… up classes' is set to 'Enabled' (Scored) .... 644
… up classes: Prevent installation of devices using drivers for these device setup' is set to 'IEEE 1394 device setup classes' (Scored)
… up classes: Also apply to matching devices that are already installed.' is set to 'True' (checked) (Scored)
… and bad but critical' (Scored) .... 654
… ound processing' is set to 'Enabled: FALSE' (Scored) .... 658
… jects have not changed' is set to 'Enabled: TRUE' (Scored) .... 661
… Microsoft.com' is set to 'Enabled' (Scored) .... 675
… zards' is set to 'Enabled' (Scored) .... 677
… set to 'Enabled' (Scored) .... 681
… t Program' is set to 'Enabled' (Scored) .... 689
… to 'Enabled' (Scored) .... 691
… matic' (Scored) .... 696
… Protection' is set to 'Enabled: Block All' (Scored) .... 698
… n' is set to 'Enabled' (Scored) .... 700
… to 'Enabled' (Scored) .... 706
… set to 'Disabled' (Scored) .... 722
… set to 'Disabled' (Scored) .... 724
… ication with support provider' is set to 'Disabled' (Scored) .... 746
… Disabled' (Scored) .... 761
… 'Enabled: Force Deny' (Scored) .... 763
… ss from hosted content.' is set to 'Enabled' (Scored) .... 767
… ny autorun commands' (Scored) .... 772
… ions of Windows' is set to 'Disabled' (Scored) .... 778
… o 'Enabled' (Scored) .... 781
… data recovery agent' is set to 'Enabled: True' (Scored) .... 784
… ery Password' is set to 'Enabled: Allow 48-digit recovery password' (Scored)
… ery Key' is set to 'Enabled: Allow 256-bit recovery key' (Scored)
… ecovery options from the BitLocker setup wizard' is set to 'Enabled: True' (Scored)
… itLocker recovery information to AD DS for fixed data drives' is set to 'Enabled: False' (Scored)
… ure storage of BitLocker recovery information to AD DS' is set to 'Enabled: Backup recovery passwords and key packages' (Scored)
… t enable BitLocker until recovery information is stored to AD DS for fixed data drives' is set to 'Enabled: False' (Scored)
… set to 'Enabled' (Scored) .... 805
… e BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True' (Scored)
… strict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False' (Scored)
… strict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42' (Scored)
… rt cards on fixed data drives' is set to 'Enabled: True' (Scored)
… ered' is set to 'Enabled' (Scored) .... 827
… ered: Allow data recovery agent' is set to 'Enabled: False' (Scored)
… ered: Recovery Password' is set to 'Enabled: Require 48-digit recovery password' (Scored)
… ered: Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' (Scored)
… ered: Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' (Scored)
… ered: Save BitLocker recovery information to AD DS for operating system drives' is set to 'Enabled: True' (Scored)
… ered: Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Store recovery passwords and key packages' (Scored)
… overed: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives' is set to 'Enabled: True' (Scored)
… ives' is set to 'Enabled' (Scored) .... 851
… ives: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True' (Scored) .... 854
… ives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False' (Scored)
… ives: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42' (Scored)
… a compatible TPM' is set to 'Enabled: False' (Scored) .... 867
… r versions of Windows' is set to 'Disabled' (Scored) .... 869
… s set to 'Enabled' (Scored) .... 872
… Allow data recovery agent' is set to 'Enabled: True' (Scored) .... 875
… Recovery Password' is set to 'Enabled: Do not allow 48-digit recovery password' (Scored)
… Recovery Key' is set to 'Enabled: Do not allow 256-bit recovery key' (Scored)
… Omit recovery options from the BitLocker setup wizard' is set to 'Enabled: True' (Scored)
… Save BitLocker recovery information to AD DS for removable data drives' is set to 'Enabled: False' (Scored)
… Configure storage of BitLocker recovery information to AD DS:' is set to 'Enabled: Backup recovery passwords and key packages' (Scored)
… Do not enable BitLocker until recovery information is stored to AD DS for removable data drives' is set to 'Enabled: False' (Scored)
… es' is set to 'Enabled' (Scored) .... 895
… es: Use BitLocker software-based encryption when hardware encryption is not available' is set to 'Enabled: True' (Scored)
… es: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption' is set to 'Enabled: False' (Scored)
… es: Restrict crypto algorithms or cipher suites to the following:' is set to 'Enabled: 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42' (Scored)
… of smart cards on removable data drives' is set to 'Enabled: True' (Scored)
… set to 'Enabled' (Scored) .... 912
… o not allow write access to devices configured in another organization' is set to 'Enabled: False' (Scored)
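The operating-system-drive entries above are the strictest of the three BitLocker groups: a 48-digit recovery password is required, a 256-bit recovery key and a data recovery agent are not allowed, and recovery information must be in AD DS before BitLocker is enabled. The script below is an added example, not part of the benchmark: it checks the protectors actually attached to the running system volume against those entries using the BitLocker module, rather than only reading the policy. The mapping of benchmark wording to `KeyProtectorType` values is an assumption taken from the module's enumeration (RecoveryPassword = the 48-digit password, ExternalKey = a 256-bit key file, PublicKey = a certificate protector, which is how a DRA is attached, Tpm* = TPM-bound unlock). Run it elevated.

```powershell
# Added example, not from the benchmark: check the running BitLocker state of
# the operating-system volume against the 'Operating System Drives' entries
# above. Protector-type mapping is assumed from the BitLocker module.

Import-Module BitLocker

$os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

# RecoveryPassword = 48-digit numerical password; ExternalKey = 256-bit key file
# (recovery key or stand-alone startup key); PublicKey = certificate-based,
# i.e. a data recovery agent; Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
# TpmNetworkKey = TPM-bound unlock variants.
$checks = [ordered]@{
    'Protection is On'                         = $os.ProtectionStatus -eq 'On'
    'Require 48-digit recovery password'       = 'RecoveryPassword' -in $types
    'Do not allow 256-bit recovery key'        = 'ExternalKey' -notin $types
    'Allow data recovery agent: False'         = 'PublicKey' -notin $types
    'TPM-bound unlock protector present'       = [bool]($types | Where-Object { $_ -like 'Tpm*' })
}

$checks.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f $(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key
}
'OS volume {0}: status={1} method={2} protectors={3}' -f `
    $os.MountPoint, $os.VolumeStatus, $os.EncryptionMethod, ($types -join ',')

# Fixed and removable data volumes: the entries above allow more protector
# combinations there (DRA and recovery key permitted on fixed drives), so
# only report them.
Get-BitLockerVolume | Where-Object { $_.VolumeType -ne 'OperatingSystem' } |
    Select-Object MountPoint, VolumeType, ProtectionStatus, EncryptionMethod

$failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value })
if ($failed.Count -gt 0) { exit 1 }
```

Two caveats. `EncryptionMethod` reports `Hardware` when the drive's own encryption is in use, in which case the cipher is governed by the OID list in the 'Restrict crypto algorithms or cipher suites' entries (2.16.840.1.101.3.4.1.2 and 2.16.840.1.101.3.4.1.42 are the NIST identifiers for AES-128-CBC and AES-256-CBC) and is not visible through this cmdlet. And the AD DS escrow entries cannot be verified locally: `Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId <id>` pushes a recovery password to AD, and the check is the presence of the matching msFVE-RecoveryInformation object under the computer account.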
… bled: 1 - Basic' (Scored) .... 930
… e and Telemetry service' is set to 'Enabled: Disable Authenticated Proxy usage' (Scored)
… maximum size' is set to 'Disabled' (Scored) .... 944
… 32,768 or greater' (Scored) .... 946
… mum size' is set to 'Disabled' (Scored) .... 948
… ,608 or greater' (Scored) .... 950
… um size' is set to 'Disabled' (Scored) .... 952
… 8 or greater' (Scored) .... 954
… mum size' is set to 'Disabled' (Scored) .... 956
… 68 or greater' (Scored) .... 958

d) ............................................................................................................................. 980

................................................................................................................................................ 986
her (Scored) ............................................................................................................ 988
.............................................................................................................................................. 990

............................................................................................................................. 994
d) .............................................................................................................................. 996
bled' (Scored) ............................................................................................................. 998
...................................................................................................................................1000
red) ............................................................................................................................1002

d) ............................................................................................................................1006
...........1008

.............................................................................................................................................1010

.......................................................................................................................................1013
is set to 'Disabled' (Scored) ...................................................................1016
........................................................................................................................................1019
................................................................................................................................1021
.....................................................................................................................................1023
abled' (Scored).................................................................................1025
ored) ............................................................................................................................1028
.........................................................................................................................................1031
s set to 'Enabled: SSL' (Scored).....................................................................1033
rk Level Authentication' is set to 'Enabled' (Scored)............................1035
(Scored) ...................................................................................................1037
is set to 'Enabled: 15 minutes or less' (Scored) ..........................1039
e' (Scored).......................................................................................................1041
.........................................................................................................................1043
d) ...........................................................................................................................1045

...................................................................................................................................1047
...........1049
............................................................................................................................1049

...............................................................................................................................1053
...............................................................................................................................1055
.......................................................................................................................1057

........................................................................................................................1060

...........1062
...........1063
......................................................................................................................................1063
ed' (Scored)................................................................................................................1065
Scored)......................................................................................................................1067
nabled' (Scored) ....................................................................................1069
...........................................................................................................................................1071
to 'Disabled' (Scored) .....................................................................1075

..............................................................................................................................................1080
.........................................................................................................................................1083

........................................................................................................................................1087
d) ............................................................................................................................1090
R rule' is 'configured' (Scored) ...........................................................................1092
o 'Enabled: Block' (Scored) .......................................................................1096
abled: Block' (Scored) ................................................................1098
.........................................................................................................................................1100

'Enabled' (Scored) ...........................................................................................1103


n Guard' is set to 'Disabled' (Scored)............................................1106
to 'Disabled' (Scored) ..........................................................................................1108
ndows Defender Application Guard' is set to 'Disabled' (Scored)........................................................................................................................
uard' is set to 'Enabled: 0 (Do not allow users to manually trust files)' OR '2 (Allow users to manually trust after an antivirus check)' (Scored
board behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host' (Scored).....................................
t to 'Enabled: 1' (Scored)................................................................1118

nd prevent bypass' (Scored) ...................................................................1121


............................................................................................................................1124
s set to 'Enabled' (Scored) .....................................................................1126
is set to 'Enabled' (Scored) ....................................................................1128

o 'Disabled' (Scored) ...........................................................................1131

ored) ...........................................................................................................................1133
s above lock' OR 'Disabled' but not 'Enabled: On' (Scored) ...........1135

............................................................................................................................1137
........................................................................................................................................1140
is set to 'Disabled' (Scored) ......................................................................1142

o 'Disabled' (Scored) .........................................................................................1144


.....................................................................................................................1148
.................................................................................................................................1150

...........................................................................................................................................1152
.........................................................................................................................................1155
..............................................................................................................................1157
...........................................................................................................................................1159
(Scored)......................................................................................................................1161
.........................................................................................................................................1163
ored) ............................................................................................................................1165

........................................................................................................................................1167

..........................................................................................................................................1171

ored) ...............................................................................................................1174
to 'Enabled: Semi-Annual Channel, 180 or more days' (Scored)..........................................................................................................................
Scored) ............................................................................................................1180
..............................................................................................................................................1182
day' (Scored) ............................................................................................................1185
installations' is set to 'Disabled' (Scored) ....................................1187
............................................................................................................................1190

..............1192

..........1192

led: scrnsave.scr' (Scored) ..............................................................................1195


................................................................................................................................1197
(Scored) .............................................................................................................1199
................1201
................1201
.............1201

............................................................................................................................1202
.................1204
..........1204

red) ............................................................................................................................1206

......................................................................................................................................................1208

Scored)......................................................................................................................1209
Scored) .......................................................................................................................1211

...........1213

..........................................................................................................................1214
d' (Scored)................................................................................................................1216
ored) ............................................................................................................................1218
.......................................................................................................................................1220

..........1223

............1224

cored) .......................................................................................................................1226
...........1228

...........1229

...........1229
........................................................................................................................................1232

........................................................................................................................................1235
...................1238
...................1278
................................................................................. 163
........................................................................ 257

................................................................................ 268
................................................................................... 270

.................................................................................... 273

..................................................................................... 282
(Scored)......................................... 542
ed) ................................................................. 544

...................................................................................... 550
............................................................................... 552
...................................................................................... 554

........................................................................................ 558

.............................................................................................. 564

........................................................................................... 589
....................................................................................... 601

............................................................................ 607

.................................................................................. 638
................................................................................ 641

etup classes' (Scored) ............................... 647


................................................................... 650
........................................................................... 787
................................................................................................ 790
........................................................................... 793
................................................................................. 796
key packages' (Scored) ......................... 799
se' (Scored) .................................................. 802

(Scored) .............................................................. 808


alse' (Scored).................................. 810
0.1.101.3.4.1.42' (Scored) .......................... 813

.............................................................................................. 820

.................................................................................... 830
.............................................................................. 833
............................................................................... 836
.............................................................................. 839
cored)........................................... 842
swords and key packages' (Scored).....................................................................................................................................................................
s set to 'Enabled: True' (Scored) 848

d: True' (Scored)................ 854


bled: False' (Scored) .......................... 856
2.16.840.1.101.3.4.1.42' (Scored) ................................................................................................................................................... 859

............................................................................ 878
................................................................................................... 880
.................................................................................... 883
............................................................................... 886
ds and key packages' (Scored)............. 889
nabled: False' (Scored) ............................... 892

True' (Scored)...................................... 898


led: False' (Scored) .......................... 900
16.840.1.101.3.4.1.42' (Scored) ................................................................................................................................................... 903

............................................................................................... 910

.............................................................. 914

......................................................................................... 933
...............................................................................................1110
fter an antivirus check)' (Scored)....................................................................................................................................................................111
(Scored)....................................................................1115
.............................................................................................1177
................................................... 845

............................... 859
............................. 903
..............................................1112
Recommendations of CISecurity | Implementation
----------------------------- | --------------
1 Account Policies |
1.1 Password Policy |
1.1.1 (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' | 5 passwords
1.1.2 (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' (Scored) | 60 days
1.1.5 (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' | Enable
1.1.6 (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' (Scored) | Disable
1.2 Account Lockout Policy |
1.2.1 (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' (Scored) | 15 min
1.2.2 (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' (Scored) | 10 attempts
2.3.7 Interactive logon |
2.3.7.1 (L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled' | Disable
2.3.7.2 (L1) Ensure 'Interactive logon: Don't display last signed-in' is set to 'Enabled' | Enable
2.3.7.4 (L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0' | 900 seconds
2.3.7.8 (L1) Ensure 'Interactive logon: Prompt user to change password before expiration' is set to 'between 5 and 14 days' | 5 days
9 Windows Firewall with Advanced Security | Enable
18.8.28 Logon |
18.8.28.1 (L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled' | Enable
18.8.28.5 (L1) Ensure 'Turn off app notifications on the lock screen' is set to 'Enabled' | Enable
18.8.28.6 (L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled' | Enable
18.8.28.7 (L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled' | Disable
18.9.102 Windows Update |
18.9.102.1.3 (L1) Ensure 'Select when Quality Updates are received' is set to 'Enabled: 0 days' | Enable, 0 days
18.9.102.2 (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled' | Enable
18.9.102.3 (L1) Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day' | Enable, 0 - Every day
18.9.102.4 (L1) Ensure 'No auto-restart with logged on users for scheduled automatic updates installations' is set to 'Disabled' | Disable
18.9.102.5 (L1) Ensure 'Remove access to "Pause updates" feature' is set to 'Enabled' | Enable
