CIS Benchmark For Microsoft Windows Server 2016, V3.0.0, (Automated and Manual, Level 1 - Member Server) v.2

This document outlines a CIS certified policy for Microsoft Windows Server 2016, detailing the automated and manual checks based on the CIS Benchmark. The policy is locked to prevent changes, and organizations must copy it for modifications to meet their specific security needs. It emphasizes the importance of password policies and account lockout settings to enhance security while providing remediation steps for various configurations.

Uploaded by

sbaqarrizvi
Copyright: © All Rights Reserved

This CIS certified policy for Microsoft Windows Server 2016 is based on the CIS Benchmark for Microsoft Windows Server 2016, v3.0.0. The policy contains all Level 1 - Member Server related Automated and Manual types of checks from the benchmark. The controls within the policy are configured on the basis of values provided by the CIS benchmark. As this policy and the controls within the policy are certified by CIS, the policy is LOCKED for prohibiting any changes to the controls or their configuration values. If the organizational security policy requires different configuration values or changes to the policy, please make a copy of this policy and modify the control configuration values as per the needs of the organization's security policy.

In the case of CIS required Control duplication (where a Control requirement appears in more than one
section of the benchmark), Qualys Policy Compliance Policy Editor limits the existence of any Controls
within a single policy to one (1) occurrence of each control.

CIS has stated that these settings should be considered as minimum allowable values; if an Organization
requires more stringency than the CIS minimum, these more restrictive and/or stringent values shall all be
considered as a PASS. The settings assigned to any given control by CIS are not guaranteed to be
appropriate for any particular environment and all settings should be reviewed and applied according to the
needs of the business. Before you apply the recommendations from the policy, check the relevant vendor
documentation to avoid discrepancies. Also, it is recommended that these values be tested before applying
to the Production Environment.

When the firewall profile active on a network interface (Domain, Private, or Public) blocks inbound connections, every port stays closed unless an inbound rule explicitly allows it. For remote scans to succeed, the interface needs matching inbound rules configured via Local Group Policy --> Windows Firewall with Advanced Security --> Inbound Rules, limited to the scanner's address where possible:

1) TCP inbound ports: 135, 137, 445, 389 (Qualys port scan)

2) UDP inbound ports: 135, 137, 445, 389 (Qualys port scan), and

3) Remote Desktop: TCP 3389 (prerequisite for RDP connections)
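The rules above, created and verified from an elevated PowerShell session. This is an added example, not part of the Qualys policy text; the scanner address 10.0.0.5 and the rule display names are assumptions to replace with the organization's own values. Scoping the rules to the scanner with -RemoteAddress keeps the scan ports closed to everyone else.

```powershell
# Added example (not from the policy export): open the scan ports listed above
# to the scanner only, then verify the rules and the profiles they depend on.
# ASSUMPTION: 10.0.0.5 is the Qualys scanner appliance; replace with the real address.
$scanner = '10.0.0.5'
$ports   = '135', '137', '445', '389'    # ports named in the policy text

New-NetFirewallRule -DisplayName 'Qualys scan (TCP)' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $ports -RemoteAddress $scanner -Profile Domain, Private, Public | Out-Null
New-NetFirewallRule -DisplayName 'Qualys scan (UDP)' -Direction Inbound -Action Allow `
    -Protocol UDP -LocalPort $ports -RemoteAddress $scanner -Profile Domain, Private, Public | Out-Null
New-NetFirewallRule -DisplayName 'Qualys scan (RDP)' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $scanner -Profile Domain, Private, Public | Out-Null

# A profile whose DefaultInboundAction is Block still honours explicit allow rules,
# but if AllowInboundRules is False ("Block all connections") the rules are ignored.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, AllowInboundRules

# Show what was actually created: protocol, ports and the remote scope of each rule.
Get-NetFirewallRule -DisplayName 'Qualys scan*' | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    $addrFilter = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Profile       = $_.Profile
        Protocol      = $portFilter.Protocol
        LocalPort     = ($portFilter.LocalPort -join ',')
        RemoteAddress = ($addrFilter.RemoteAddress -join ',')
    }
}
```

Run the verification part alone after a Group Policy refresh as well: rules pushed by Local Group Policy and rules created locally are merged, and a profile with AllowInboundRules set to False by policy silently defeats both.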

Additional Information:
A. The following 'Manual' types of checks from the CIS benchmark are set as INACTIVE in the policy:
CIS Ref #1.2.3 (L1) Ensure 'Allow Administrator account lockout' is set to 'Enabled' (Manual)
CIS Ref #2.3.11.6 (L1) Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' (Manual)

CAUTION: Remote connection requirements may vary from one setup to another. It is important to note that
multiple unsuccessful authentications could result in LOCKING OUT the user account running the scans.

CIS Benchmark for Microsoft Windows Server 2016, v3.0.0, [Automated and Manual, Level 1 - Member Server] v.2.0

Section 1: Account Policies
1.1 1318 Status of the 'Enforce password history' setting URGENT

Windows 2016 Server

The 'Enforce password history' setting determines how many unique new passwords a user must choose before an old one can be reused. Without it, a user whose password has expired simply sets the old one again, and an attacker who has already recovered that password keeps working access. History only works together with a minimum password age (CID 1072): without one, a user can cycle through the required number of passwords in a single sitting and return to the preferred one. CIS v3.0.0 sets the history to 24 passwords, the value this control checks; older guidance of twelve is below the benchmark. Combine it with minimum length, complexity and a maximum password age to further raise the cost of brute-force and guessing attacks.

Expected value: greater than or equal to 24
Other reported values: Attribute not found; Unable to retrieve password policy

Remediation : To establish the recommended configuration via GP, set the following UI path to 24 or more password(s): Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history

1.2 3376 Status of the 'Maximum Password Age' setting (expiration) URGENT

Windows 2016 Server

The 'Maximum password age' setting forces a password to be replaced after a given number of days. Expiration bounds how long a compromised or cracked password remains usable and removes credentials that were never rotated, for example on accounts whose owners have left. A value of 0 means the password never expires, which is why this control requires a value in the range 1-365: CIS v3.0.0 accepts 365 or fewer days but not 0. Many organizations still use 90 days or less; choose the value according to the business needs and combine it with length and complexity requirements, since expiration alone does nothing against an attacker who uses a stolen password immediately.

Expected value: in range 1-365
Other reported values: Attribute not found

Remediation : To establish the recommended configuration via Group Policy, set the following UI path value according to the business needs and organization's security policies (example: 60): Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age

1.3 1072 Status of the 'Minimum Password Age' setting URGENT

Windows 2016 Server

The 'Minimum password age' setting determines how many days must pass before a user may change a password again. Without a minimum age, a user who wants to keep the same password can change it repeatedly in one sitting, exhausting the 'Enforce password history' list and returning to the preferred password immediately. One (1) day is the shortest value that makes the history setting effective, and is the value this control checks. Consider implementing this control for all account passwords in conjunction with CID 1318 (Password History), CID 1071 (Minimum Password Length) and the Maximum Password Age control.

Expected value: greater than or equal to 1
Other reported values: Attribute not found; Unable to retrieve password policy

Remediation : To establish the recommended configuration via GP, set the following UI path to 1 or more day(s): Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age

1.4 1071 Status of the 'Minimum Password Length' setting URGENT

Windows 2016 Server

The 'Minimum password length' setting is the single largest factor in resistance to brute-force attacks. Each additional character multiplies the number of candidate passwords by the size of the character set (by 95 for printable ASCII, by 26 for lowercase letters only), so the search space grows exponentially with length rather than with the attacker's effort. The older convention of eight characters is well within reach of offline cracking of a stolen NT hash on commodity GPUs; CIS v3.0.0 requires 14 or more characters, the value this control checks. Combine length with complexity and history requirements so that users cannot satisfy the length with trivial padding.

Expected value: greater than or equal to 14
Other reported values: Attribute not found

Remediation : To establish the recommended configuration via GP, set the following UI path to 14 or more character(s): Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length

1.5 1092 Status of the 'Password Complexity Requirements' setting URGENT

Windows 2016 Server

The 'Password must meet complexity requirements' setting enforces, at the time a password is set, that it contains characters from at least three of four categories (uppercase letters, lowercase letters, digits, non-alphanumeric characters) and does not contain the user's account name or parts of the user's full name longer than two characters. Complexity enlarges the character set an attacker must search: an eight-character password drawn only from lowercase letters has 26^8 (about 2 x 10^11) possibilities, while one drawn from all 95 printable ASCII characters has 95^8 (about 6.6 x 10^15), and the gap widens with every additional character. Complexity does not prevent predictable patterns such as 'Password1!', so it must be combined with minimum length, password history, maximum and minimum age, and account lockout; with those in place the remaining attack paths are guessing, social engineering, phishing and keystroke logging on the endpoint rather than brute force.

Expected value: Enabled (1)
Possible values: Disabled (0); Enabled (1); Attribute not found; Unable to retrieve password policy

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements

1.6 2484 Status of the 'Store passwords using reversible encryption' setting URGENT

Windows 2016 Server

The 'Store passwords using reversible encryption' setting stores each password in a form from which the plaintext can be recovered, instead of as a one-way hash. It exists only for protocols that need the cleartext password at the server, such as CHAP through IAS/NPS or Digest authentication for IIS. With it enabled, anyone who obtains the SAM or NTDS.dit database, or a backup of it, recovers the passwords directly with no cracking required, and the recovered passwords are typically reused elsewhere. This is not the LAN Manager hash setting (that is controlled by 'Network security: Do not store LAN Manager hash value on next password change'); the two are separate weaknesses. Leave this Disabled, and if one application genuinely requires it, enable the option on that individual account rather than for the whole policy.

Expected value: Disabled (0)
Possible values: Disabled (0); Enabled (1); Attribute not found; Unable to retrieve password policy

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption

1.7 2341 Status of the 'Account Lockout Duration' setting (invalid login attempts) URGENT

Windows 2016 Server

The 'Account lockout duration' setting determines how long an account stays locked after the number of failed logons set by 'Account lockout threshold' (CID 2342) has been reached. A user's password can be guessed by repeatedly attempting to log on with a known or likely account name and a changing password; lockout turns such online guessing into a slow, noisy exercise. A value of 0 keeps the account locked until an administrator or the system unlocks it, which turns every lockout into a help-desk call and gives an attacker an easy denial of service against any account; this control expects 15 minutes or more. The setting has no effect unless a lockout threshold is configured, and Windows requires it to be equal to or greater than 'Reset account lockout counter after' (CID 2343), so that the failed-attempt counter is not reset while the account is still locked. Consider implementing this control in conjunction with CID 2342 and CID 2343.

Expected value: greater than or equal to 15
Other reported values: Account locked until Administrator or system unlocks it (0); Not Applicable; Unable to retrieve password policy

Remediation : To establish the recommended configuration via GP, set the following UI path to 15 or more minute(s): Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration

1.8 2342 Status of the 'Account Lockout Threshold' setting (invalid login attempts) URGENT

Windows 2016 Server

The 'Account lockout threshold' setting determines the number of failed logon attempts allowed before an account is locked; 0 disables lockout altogether. Because passwords can be guessed by repeated logon attempts against a known account name, a threshold makes online brute-force impractical, but a very low threshold lets an attacker lock out arbitrary accounts (including service accounts) on purpose. CIS v3.0.0 therefore accepts 5 or fewer attempts but not 0, the range this control checks. When a threshold is set, 'Account lockout duration' (CID 2341) must be equal to or greater than 'Reset account lockout counter after' (CID 2343). NOTE: Consider implementing this control in conjunction with CID 2341 and CID 2343.

Expected value: in range 1-5
Other reported values: Attribute not found; Unable to retrieve password policy

Remediation : Configure the following setting as per the business requirements or the organization's security policies, to 5 or fewer invalid logon attempts but not 0: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold
1.9 26502 Status of the 'Allow Administrator account lockout' setting URGENT

Windows 2016 Server

The built-in local Administrator account (RID 500) has historically been exempt from account lockout, which made it the preferred target for password spraying and brute force over RDP and SMB. This policy setting extends the lockout threshold and duration configured above to that account. Someone who tries more than a few passwords against it is very likely an attacker working by trial and error, and limiting the number of failed sign-ins largely removes the payoff of such attacks. The setting is only present on Windows Server 2016 after the October 2022 Windows cumulative updates have been installed, which is why this check is a Manual one in the benchmark and set INACTIVE in the policy (see Additional Information above); on a fully patched server it should be Enabled.

Expected value: equal to 1, that is Enabled (1)
Possible values: Disabled (0); Enabled (1); Not Applicable; Unable to retrieve password policy settings

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Allow Administrator account lockout

1.10 2343 Status of the 'Reset Account Lockout Counter After' setting URGENT

Windows 2016 Server

The 'Reset account lockout counter after' setting determines how many minutes must elapse after a failed logon attempt before the failed-attempt counter for that account returns to zero. It has no effect unless 'Account lockout threshold' (CID 2342) is configured, and 'Account lockout duration' (CID 2341) must be set to a value equal to or greater than this one, otherwise the counter would be reset while the account is still locked. A short reset window lets an attacker stay just under the threshold indefinitely by pacing attempts, so a longer value makes password guessing slower; set it in line with the business needs, with 15 minutes as the minimum accepted by this control. NOTE: Consider implementing this control in conjunction with CID 2341 and CID 2342.

Expected value: greater than or equal to 15
Other reported values: Not Applicable; Unable to retrieve password policy

Remediation : To establish the recommended configuration via GP, set the following UI path to 15 or more minute(s): Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after

Section 2: Local Policies

2.1 3924 Current list of Groups and User accounts granted the 'Access Credential Manager as a trusted caller (SeTrustedCredManAccessPrivilege)' right URGENT

Windows 2016 Server

The 'Access Credential Manager as a trusted caller (SeTrustedCredManAccessPrivilege)' right allows a process to call Credential Manager as a trusted caller and read the credentials it stores; it is used internally by the Credential Manager backup and restore wizard. Any account or service granted this right can harvest every saved credential on the machine, so it should be restricted to No One, on Domain Controllers as well as member servers. By default it is not assigned to any account.

Expected value: does not contain regular expression list
.+
Other reported values: Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to No One: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller

2.2 2181 Current list of Groups and User Accounts granted the 'Access this computer from the network' right URGENT

Windows 2016 Server

The 'Access this computer from the network' right determines which accounts may connect to the server over the network (SMB, named pipes, RPC, and so on). By default it is granted to Everyone, Administrators, Users and Backup Operators. Leaving 'Everyone' in place allows anonymous and guest sessions, where permitted elsewhere, to reach shares, print queues and other resources that rely on this right as their first gate. The Manufacturer notes that 'Everyone' can be removed and 'Authenticated Users' substituted in its place (MS-KB 823659), which this control expects on a member server. CAUTION: If the 'Everyone' group is being removed, the 'Authenticated Users' group must be added to this User Right BEFORE the update that changes this setting is applied, or ALL systems shall be blocked from accessing remote hosts.

Expected value: is contained in regular expression list
\bAdministrators$
\bAuthenticated\s+Users$
Other reported values: Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators, Authenticated Users: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network

2.3 2182 Current list of Groups and User Accounts granted the 'Act as part of the operating system' right URGENT

Windows 2016 Server

The 'Act as part of the operating system' right (SeTcbPrivilege) allows a process to behave as a trusted part of the OS: it can impersonate any user without that user authenticating, and it can build an access token carrying arbitrary privileges and group memberships. Whoever holds it effectively owns the machine. The Manufacturer recommends that any service needing this capability run as LocalSystem, which holds it implicitly, rather than as a separate service account. Only legacy applications that exchanged clear-text passwords with Windows NT 4.0 or Windows 2000 systems ever required it explicitly; no supported platform does. It is not assigned to any account by default and should remain so.

Expected value: does not contain regular expression list
.+
Other reported values: Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to No One: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Act as part of the operating system

2.4 2184 Current list of Groups and User Accounts granted the 'Adjust memory quotas for a process' right URGENT

Windows 2016 Server

The 'Adjust memory quotas for a process' right (SeIncreaseQuotaPrivilege) allows a user or service to change the maximum amount of memory a process may consume. In the default installation it is granted to Administrators, LOCAL SERVICE and NETWORK SERVICE; when IIS is installed, IIS_IUSRS and the IIS AppPool identities also hold it, which is why the expected list below tolerates them. A holder of this right can starve other processes of memory or exempt its own from limits, creating a denial-of-service condition, so it should be limited as appropriate to the needs of the business.

Expected value: is contained in regular expression list
\bAdministrators$
\bLOCAL\s+SERVICE$
\bNETWORK\s+SERVICE$
\bIIS_IUSRS$
IIS AppPool\\.+
Other reported values: Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators, LOCAL SERVICE, NETWORK SERVICE: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Adjust memory quotas for a process

2.5 2391 Current list of Groups and User Accounts granted the 'Allow log on locally (SeInteractiveLogonRight)' right URGENT

Windows 2016 Server

The 'Allow log on locally (SeInteractiveLogonRight)' right determines which accounts may log on at the console or keyboard. In the default configuration for member servers it is granted to Administrators, Backup Operators and Users. Restricting it does not by itself block Remote Desktop sessions, which are governed by the separate 'Allow log on through Remote Desktop Services' right (CID 2185); users to be kept off a server must be removed from both. Because any account with interactive logon to a server can run arbitrary code there and is a natural target for password guessing, this capability should be restricted as appropriate to the needs of the business. CIS v3.0.0 recommends Administrators only; the expected list below also tolerates Backup Operators, which hold the right by default.

Expected value: is contained in regular expression list
\bAdministrators$
\bBackup\s+Operators$
Other reported values: Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on locally

2.6 2185 Current list of Groups and User Accounts granted the 'Allow log on through Remote Desktop Services' right URGENT

Windows 2016 Server

The 'Allow log on through Remote Desktop Services' right (SeRemoteInteractiveLogonRight, formerly 'Allow logon through Terminal Services') determines which accounts may start an RDP session. In the default installation it is limited to Administrators and Remote Desktop Users. Every account granted it gets an interactive session on the server, with the same consequences as a console logon, and RDP is the most common entry point for password spraying and for lateral movement with stolen credentials. Groups and User Accounts granted this right should be restricted as appropriate to the needs of the business, and RDP should additionally require Network Level Authentication. Note that the expected list below also tolerates Authenticated Users; that is broader than the CIS recommendation of Administrators and Remote Desktop Users.

Expected value: is contained in regular expression list
\bAdministrators$
\bRemote\s+Desktop\s+Users$
\bAuthenticated Users$
Other reported values: Right not assigned

Remediation : Go to the following path and add the required Users or Groups as per the business needs or organization's security policy. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow log on through Remote Desktop Services

2.7 2186 Current list of Groups and User Accounts granted the 'Back up files and directories' right URGENT

Windows 2016 Server

The 'Back up files and directories' right (SeBackupPrivilege) allows a process to read any file or directory regardless of its ACL, for the purpose of backup. In the default installation it is granted to Administrators and Backup Operators. Because a holder can copy any file on the system, including the registry hives and other material that yields credentials, Groups and User Accounts granted this right should be restricted as appropriate to the needs of the business, and the accounts that do hold it treated as privileged.

Expected value: is contained in regular expression list
\bAdministrators$
Other reported values: Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Back up files and directories

2.8 2191 Current list of Groups and User Accounts granted the 'Change the system time' right URGENT

Windows 2016 Server

The 'Change the system time' right (SeSystemtimePrivilege) allows an account to alter the date and time of the system clock. The default configuration grants it to Administrators and LOCAL SERVICE. Changing the clock corrupts the timestamps recorded in the event log, which defeats correlation during an investigation, and a clock skew of more than five minutes breaks Kerberos authentication against the domain. Groups and User Accounts granted this right should be restricted as appropriate to the needs of the business.

Expected value: is contained in regular expression list
\bAdministrators$
\bLOCAL SERVICE$
Other reported values: Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators, LOCAL SERVICE: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time

2.9 3925 Current list of Groups and User accounts granted the 'Change the time zone (SeTimeZonePrivilege)' right URGENT

Windows 2016 Server

The 'Change the time zone (SeTimeZonePrivilege)' right allows a user to change the system's time zone without changing the underlying clock. Although less damaging than changing the time itself, an altered time zone shifts the local timestamps shown in logs, e-mail and other time-sensitive functions, making forensic reconstruction error-prone. By default it is granted to Administrators and LOCAL SERVICE, and it should be restricted according to the needs of the business.

Expected value: is contained in regular expression list
\bAdministrators$
\bLOCAL\s+SERVICE$
Other reported values: Right not assigned

Remediation : Go to the following path and configure the 'Change the time zone' group policy setting as per the business needs or organization's security policy. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone

2.10 2192 Current list of Groups and User Accounts granted the 'Create a Pagefile' right URGENT

Windows 2016 Server

The 'Create a pagefile' right (SeCreatePagefilePrivilege) allows a user to call the API that creates or resizes the page file backing virtual memory. In the default installation it is granted only to Administrators. A holder can shrink or remove the page file to degrade performance or crash memory-hungry processes, and the page file may retain confidential data after shutdown if the 'Clear virtual memory pagefile' setting (CID 1048) is disabled. As the page file governs the behaviour of the system's virtual memory, Groups and User Accounts granted this right should be restricted as appropriate to the needs of the business.

Expected value: is contained in regular expression list
\bAdministrators$
Other reported values: Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a pagefile

2.11 2193 Current list of Groups and User Accounts granted the 'Create a Token Object' right URGENT

Windows 2016 Server

The 'Create a token object' right (SeCreateTokenPrivilege) allows a process to create a primary access token, the object that carries the security context (user, groups, privileges) of a process or thread. In the default installation it is not assigned to any group or user account; the Local Security Authority creates tokens on the system's behalf. A holder can mint a token for any user with any privileges, which is direct privilege escalation to SYSTEM, so this right should be restricted to No One.

Expected value: does not contain regular expression list
.+
Other reported values: Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to No One: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create a token object

2.12 3242 Current list of Groups and User Accounts granted the 'Create Global Objects' right URGENT

Windows 2016 Server

The 'Create global objects' right (SeCreateGlobalPrivilege) determines whether an account may create named kernel objects (events, mutexes, sections, symbolic links) in the global object namespace that is shared by every session, rather than in the namespace private to its own session. In the default installation it is granted to Administrators, LOCAL SERVICE, NETWORK SERVICE and SERVICE. An account that can create global objects can pre-create (squat on) a name that a service or another user's process expects to create, causing it to fail or to operate on attacker-controlled objects, so Groups and User Accounts granted this right should be restricted as appropriate to the needs of the business. The expected list below also tolerates the SQL Server service account where it is installed.

Expected value: is contained in regular expression list
\bAdministrators$
\bLOCAL\s+SERVICE$
\bNETWORK\s+SERVICE$
\bSERVICE$
NT Service\\MSSQLServer
Other reported values: Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create global objects

2.13 2194 Current list of Groups and User Accounts granted the 'Create Permanent Shared Objects' right URGENT

Windows 2016 Server

The 'Create permanent shared objects' right (SeCreatePermanentPrivilege) is required to create permanent objects in the object manager namespace. A permanent object is one that Windows does not destroy when the last handle to it is closed; in the default configuration only the Local System account holds this right, and it is used by kernel-mode components that extend the namespace. The Manufacturer has indicated that no other account should normally need it, apart from special cases such as accounts that run services deeply embedded in the OS. Because a permanent object created by an attacker outlives the process that created it and can be used to intercept names that system components open later, this right should be limited as appropriate to the needs of the business.

Expected value: does not contain regular expression list
.+
Other reported values: Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to No One: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create permanent shared objects

2.14 3941 Status of the 'Create Symbolic Links' (SeCreateSymbolicLinkPrivilege) right CRITICAL

Windows 2016 Server


@The 'Create Symbolic Links' (SeCreateSymbolicLinkPrivilege) user right allows a user to create symbolic links, which can be
used to redirect file access and so to change which file a program reads or writes and which permissions apply. As this
capability can permit a malicious user to exploit an application that was not designed to handle symbolic links (for example, by
redirecting a privileged write to a file of the attacker's choosing), it should be restricted according to the needs of the business.

is contained in regular expression list


\bAdministrators$
\bNT\s+VIRTUAL\s+MACHINE\\Virtual\s+Machines$

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators (when the Hyper-V
role is installed, NT VIRTUAL MACHINE\Virtual Machines is also permitted, as reflected in the list above): Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create symbolic links

2.15 2195 Current list of Groups and User Accounts granted the 'Debug Programs' right URGENT

Windows 2016 Server


@The 'Debug Programs' user right allows a user to attach a debugger to any process. (The default configuration assigns this
right only to Administrators.) As this right would allow a user to capture critical and/or sensitive data from any operating
program, Groups and User Accounts granted the 'Debug Programs' right should be restricted as appropriate to the needs of
the business.
is contained in regular expression list
\bAdministrators$

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs

2.16 2196 Current list of Groups and User Accounts granted the 'Deny Access to this computer from the CRITICAL
network' right

Windows 2016 Server


@The 'Deny access to this computer from the network' user right prevents the listed accounts and groups from connecting to
this Windows system over the network. As this right can lock out both potentially malicious users and those who legitimately
require remote access, it should be configured according to the needs of the business. CAUTION: If the 'Everyone' group is added
to this setting, ALL users will be blocked from accessing this system remotely. Also, because the Qualys authenticated scan uses
the local 'Administrator' login by default, be aware that the recommended entry 'Local account and member of Administrators
group' (and, even more so, an entry for 'Administrators') blocks network-based access by the local or 'BUILTIN' 'Administrator'
account, so plan the scanning account accordingly.

contains regular expression list


\bGuests$
\bLocal\s+account\s+and\s+member\s+of\s+Administrators\s+group$

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to include Guests, Local account and
member of Administrators group: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights
Assignment\Deny access to this computer from the network

2.17 2197 Current list of Groups and User Accounts granted the 'Deny logon as a batch job' right CRITICAL

Windows 2016 Server

@The 'Deny log on as a batch job' setting determines which accounts are prevented from logging on as a batch job (for example,
through Task Scheduler). As the capability to log on via a batch-queue tool could be used by unauthorized users to schedule jobs
that create a denial-of-service condition, this should be restricted according to the needs of the business.

contains regular expression list


\bGuests$

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to include Guests: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a batch job

2.18 2198 Current list of Groups and User Accounts granted the 'Deny logon as a service' right CRITICAL

Windows 2016 Server


@The 'Deny log on as a service' setting determines which users and groups are prevented from registering a process as a
service. As only dedicated service accounts should ever need to log on as a service, the Guests group should be denied this logon
type and the list configured according to the needs of the business.
contains regular expression list
\bGuests$

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to include Guests: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on as a service

2.19 2199 Current list of Groups and User Accounts granted the 'Deny log on locally' right CRITICAL

Windows 2016 Server

@The 'Deny log on locally' right prohibits a user from logging on directly at the console. (In the default installation only the
'Guest' account is included in this setting; on servers, only privileged administrative accounts normally have console logon
capability.) As careless use of this right can itself cause a denial of service by locking legitimate users out of the console, its
membership should be set as appropriate to the needs of the business. NOTE: If the 'Everyone' group is assigned this right, all
users will be barred from console logon, so if network access is also lost and no out-of-band (serial or KVM) access has been
set up, the only way back into the system is through offline recovery tooling.

contains regular expression list


\bGuests$

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to include Guests: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on locally

2.20 2200 Current list of Groups and User Accounts granted the 'Deny logon through terminal (Remote CRITICAL
Desktop) service' right

Windows 2016 Server

@The 'Deny log on through Remote Desktop Services' user right (formerly 'Deny log on through Terminal Services') prohibits a
user from logging on to the system over the Remote Desktop Protocol (RDP). By default no accounts are included, and on servers
only privileged accounts have RDP logon capability; the CIS benchmark adds the 'Guest' account and all local accounts to this
'Deny' list (this may need adjusting if the system offers Remote Desktop Session Host services to end users). As RDP
connections provide a way to launch exploits against the system, membership in this group should be set appropriate to the
needs of the business. NOTE: If the 'Everyone' group is assigned this right, all users will be barred from RDP-based access to
the system, so if network access is lost and serial access capability hasn't been added, the only way to access the system is
through the console.

contains regular expression list


\bGuests$
\bLocal account$
\bRemote\s+Desktop\sService$

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to include Guests, Local account:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny log on
through Remote Desktop Services

2.21 2383 Current list of Groups and User Accounts granted the 'Enable computer and user accounts to URGENT
be trusted for delegation' right
Windows 2016 Server
@The 'Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)' right is assigned by
default only on domain controllers, as it permits the holder to alter the 'Trusted for Delegation' setting on computer and user
objects in Active Directory. (Workstations and servers that are not domain controllers should still be checked to ensure the
default value of No One has not been changed in the Local Security Policy.) Delegation allows a front-end service or process to
act with a client's credentials when authenticating to a back-end service. As this right should be limited to domain controller
administrators, and is a powerful lever for lateral movement and privilege escalation (malicious code can impersonate other
accounts against back-end systems), it should be restricted as appropriate to the needs of the business.

does not contain regular expression list


.+

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to No One: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user
accounts to be trusted for delegation

2.22 2384 Current list of Groups and User Accounts granted the 'Force shutdown from a remote system' URGENT
right

Windows 2016 Server


@The 'Force shutdown from a remote system (SeRemoteShutdownPrivilege)' user right allows the system to be shut down
remotely. In the default configuration this right is assigned only to Administrators on workstations and member servers, and to
Administrators and Server Operators on domain controllers. As this right can be used to create a denial-of-service condition, it
should be restricted as appropriate to the needs of the business.

is contained in regular expression list


\bAdministrators$

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Force shutdown from a
remote system

2.23 2385 Current list of Groups and User Accounts granted the 'Generate Security Audits' right URGENT

Windows 2016 Server

@The 'Generate security audits' (SeAuditPrivilege) user right permits a process to write records to the Security event log. (In
the default configuration it is assigned to LOCAL SERVICE and NETWORK SERVICE; Local System holds it implicitly.) As a holder
of this right can flood the log with spurious entries, making it difficult to pick out genuine attack traces, and can also trigger a
denial of service if 'Audit: Shut down system immediately if unable to log security audits' has been enabled, it should be
restricted as appropriate to the needs of the business.

is contained in regular expression list


\bLOCAL\s+SERVICE$
\bNETWORK\s+SERVICE$
\bIIS_IUSRS$
IIS AppPool\\.+
NT Service\\ADFSSrv

Right not assigned


Remediation : To establish the recommended configuration via GP, set the following UI path to LOCAL SERVICE, NETWORK
SERVICE: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights
Assignment\Generate security audits

2.24 2642 Current list of Groups and User Accounts granted the 'Impersonate a client after CRITICAL
authentication' right

Windows 2016 Server


@The 'Impersonate a client after authentication' user right allows programs that run on behalf of a user to impersonate a
client. A common use is to grant the right to a service account so that a service can act with its client's identity when it calls
another service. In the default installation this right is assigned to Administrators, LOCAL SERVICE, NETWORK SERVICE and
SERVICE. As this right allows a process to take on the identity, and therefore the rights, of any user that connects to it, which
is a well-known privilege-escalation primitive when held by a low-privilege account, it should be restricted as appropriate to the
needs of the business.

is contained in regular expression list


\bAdministrators$
\bLOCAL SERVICE$
\bNETWORK SERVICE$
\bSERVICE$
\bIIS_IUSRS$

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators, LOCAL
SERVICE, NETWORK SERVICE, SERVICE: Computer Configuration\Policies\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Impersonate a client after authentication

2.25 2386 Current list of Groups and User Accounts granted the 'Increase Scheduling Priority' right URGENT

Windows 2016 Server


@The 'Increase scheduling priority' (SeIncreaseBasePriorityPrivilege) user right allows a user or process to raise the base
priority class of a process. (In the default configuration for all workstations, servers and domain controllers, this right is
assigned only to Administrators.) As this privilege could allow critical processes to be starved by rarely needed processes that
consume a great many CPU cycles, facilitating a denial-of-service condition, it should be restricted as appropriate to the needs
of the business. NOTE: This privilege is not required for any administrative tools that are part of the default OS, but may be
needed during software development.

is contained in regular expression list


\bAdministrators$

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase scheduling priority

2.26 2387 Current list of Groups and User Accounts granted the 'Load and unload device drivers' right URGENT

Windows 2016 Server


@The 'Load and unload device drivers' (SeLoadDriverPrivilege) user right permits installation and removal of device drivers
through the Plug and Play process. (In the default installation this right is assigned only to Administrators.) As a malicious
program masquerading as a device driver could be loaded into the kernel with 'trusted' privileges in this manner, this setting
should be restricted as appropriate to the needs of the business.

is contained in regular expression list


\bAdministrators$
\bNT\s+SERVICE\\MSSQLSERVER$
Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Load and unload device
drivers

2.27 2388 Current list of Groups and User Accounts granted the 'Lock Pages in Memory' right URGENT

Windows 2016 Server


@The 'Lock pages in memory (SeLockMemoryPrivilege)' user right allows a user, application or process to keep data in physical
memory, preventing it from being paged out to the pagefile. (In the default installation this right is not assigned to any
account; SQL Server service accounts, as listed below, are the usual business exception.) As use of this privilege could tie up
large amounts of RAM, this setting should be restricted as appropriate to the needs of the business.

is contained in regular expression list


NT Service\\MSSQLServer
NT Service\\MSSQL\$.+
NT Service\\SQLServerAgent
NT Service\\SQLAgent\$.+

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to No One: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Lock pages in memory

2.28 2392 Current list of Groups and User Accounts granted the 'Manage Auditing and Security Log URGENT
(SeSecurityPrivilege)' right

Windows 2016 Server

@The 'Manage auditing and security log' (SeSecurityPrivilege) right determines which users can specify 'object access' audit
settings (SACLs) on resources such as files, registry keys and Active Directory objects, and who can view and clear the Security
event log. (In the default configuration for all Windows systems it is assigned only to Administrators.) Holding this privilege
does not by itself produce audit events: object-access auditing must also be enabled under 'Computer Configuration\Windows
Settings\Security Settings\Local Policies\Audit Policy'. As any holder of this privilege can clear the Security log and thereby
destroy the audit trail, this capability should be restricted as appropriate to the needs of the business.

is contained in regular expression list


\bAdministrators$

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and
security log

2.29 4232 Current list of Groups and User Accounts granted the 'Modify an object label URGENT
(SeRelabelPrivilege)' right

Windows 2016 Server

@The 'Modify an object label (SeRelabelPrivilege)' Group Policy setting determines which user account(s) is/are permitted to
alter the 'integrity label' of system objects, including files, registry keys, and/or processes that others own. As this capability
may lead to the compromise of confidential information or privilege escalation, it should be carefully restricted and access
monitored according to the needs of the business.

does not contain regular expression list


.+

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to No One: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label

2.30 2393 Current list of Groups and User Accounts granted the 'Modify firmware environment values URGENT
(SeSystemEnvironmentPrivilege)' right

Windows 2016 Server

@The 'Modify firmware environment values (SeSystemEnvironmentPrivilege)' user right allows modification of the firmware
(UEFI NVRAM) environment variables that affect hardware and boot configuration. (In the default installation this right is given
only to Administrators, but it may be needed during application development or installation.) As this privilege could be used to
redirect the boot process or firmware settings toward a rogue component, this capability should be restricted as appropriate to
the needs of the business.

is contained in regular expression list


\bAdministrators$

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify firmware
environment values

2.31 2394 Current list of Groups and User Accounts granted the 'Perform Volume Maintenance Tasks URGENT
(SeManageVolumePrivilege)' right

Windows 2016 Server

@The 'Perform volume maintenance tasks (SeManageVolumePrivilege)' user right permits the assigned users to manage volumes
and disks, including low-level operations such as defragmentation and extending files without zeroing them. (In the default
configuration it is assigned only to Administrators; SQL Server service accounts are commonly added for instant file
initialization, which is why they appear in the list below.) As malicious use of the capability could result in a denial of service,
data loss, data disclosure (by reading disk areas containing restricted data) and performance degradation, it should be
restricted as appropriate to the needs of the business.

is contained in regular expression list


\bAdministrators$
NT Service\\MSSQLServer
NT Service\\MSSQL\$.+
NT Service\\SQLServerAgent
NT Service\\SQLAgent\$.+

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Perform volume
maintenance tasks

2.32 2395 Current list of Groups and User Accounts granted the 'Profile Single Process URGENT
(SeProfileSingleProcessPrivilege)' right

Windows 2016 Server

@The 'Profile single process (SeProfileSingleProcessPrivilege)' user right allows users to collect performance data for
individual non-system processes. (The default configuration grants this privilege to Administrators, Power Users on
workstations, and Local System.) Although it may be needed for Performance Monitor when collecting per-process I/O data via
Windows Management Instrumentation, it should otherwise be restricted as appropriate to the needs of the business.
is contained in regular expression list
\bAdministrators$

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Profile single process

2.33 2396 Current list of Groups and User Accounts granted the 'Profile System Performance URGENT
(SeSystemProfilePrivilege)' right

Windows 2016 Server

@The 'Profile system performance (SeSystemProfilePrivilege)' user right allows users to collect performance data for system
processes. (The default configuration grants this privilege to Administrators and NT SERVICE\WdiServiceHost; Local System holds
it implicitly.) It is not usually needed to use Performance Monitor, but may be required when gathering data via Windows
Management Instrumentation. Because it lets a malicious user profile system activity, it should be restricted as appropriate to
the needs of the business.

is contained in regular expression list


\bAdministrators$
\bNT\s+SERVICE\\WdiServiceHost$

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators, NT
SERVICE\WdiServiceHost: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights
Assignment\Profile system performance

2.34 2398 Current list of Groups and User Accounts granted the 'Replace a process level token URGENT
(SeAssignPrimaryTokenPrivilege)' right

Windows 2016 Server

@The 'Replace a process level token (SeAssignPrimaryTokenPrivilege)' privilege permits a parent process to replace the access
token of a child process, which can include assigning a token with higher authorization. (The default installation grants this
right to LOCAL SERVICE and NETWORK SERVICE; Local System already has it.) As this right is a well-known building block for
privilege escalation, it should be restricted as appropriate to the needs of the business.

is contained in regular expression list


\bLOCAL\s+SERVICE$
\bNETWORK\s+SERVICE$
\bIIS_IUSRS$
IIS AppPool\\.+
NT Service\\MSSQLServer

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to LOCAL SERVICE, NETWORK
SERVICE: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights
Assignment\Replace a process level token

2.35 2399 Current list of Groups and User Accounts granted the 'Restore files and directories URGENT
(SeRestorePrivilege)' right

Windows 2016 Server


@The 'Restore files and directories (SeRestorePrivilege)' user right allows a user or process to bypass file and directory
permissions when restoring files and directories, and to set any valid security principal as the owner of a restored object. (In
the default installation this right is granted to Administrators and Backup Operators.) As this privilege could be used to
overwrite a valid file with malicious content or to plant files in protected locations, it should be restricted as appropriate to
the needs of the business.

is contained in regular expression list


\bAdministrators$

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Restore files and directories

2.36 2400 Current list of Groups and User Accounts granted the 'Shut down the system URGENT
(SeShutdownPrivilege)' right

Windows 2016 Server


@The 'Shut down the system (SeShutdownPrivilege)' user right allows the user or process to shut down the [local] system. (In
the default installation, this is restricted to Administrators, Backup Operators, Power Users, and [ordinary] Users for
workstations, to Administrators, Backup Operators, Print Operators, and Server Operators on member servers, and to
Administrators and Server Operators for domain controllers.) As this privilege can cause a DoS condition if abused, it should
be restricted as appropriate to the needs of the business.

is contained in regular expression list


\bAdministrators$

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system

2.37 2402 Current list of Groups and User Accounts granted the 'Take ownership of files or other objects URGENT
(SeTakeOwnershipPrivilege)' right

Windows 2016 Server


@The 'Take ownership of files or other objects (SeTakeOwnershipPrivilege)' user right allows a user to take ownership of any
securable object on the system, such as files and folders, printers, processes, registry keys and services; an owner can then
grant themselves any permission on that object. (In the default installation this right is assigned only to Administrators.) As
this privilege would allow a holder to seize control of any system object, it should be restricted as appropriate to the needs of
the business.

is contained in regular expression list


\bAdministrators$

Right not assigned

Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Take ownership of files or
other objects
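The user-rights controls above (2.12 through 2.37) are all evaluated the same way: the list of principals holding a right is compared against a list of regular expressions, either as an allow-list ('is contained in'), a deny-list ('does not contain', where '.+' means No One) or a required-entries list ('contains'). The following PowerShell script is an added example, not part of the Qualys policy or the CIS benchmark: it exports the local User Rights Assignment with secedit, translates the SIDs to account names so the benchmark's patterns apply, and implements the three comparison modes. The Test-UserRight function, its parameter names and the temp-file location are assumptions of this example.

```powershell
# Added example, not part of the Qualys policy or the CIS benchmark: export the local
# User Rights Assignment with secedit and evaluate it with the three comparison modes
# used by controls 2.12-2.37. Run from an elevated PowerShell session on the member server.

# 1. Export only the user-rights area of the local security policy.
$cfg = Join-Path $env:TEMP 'ura.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# 2. Parse the [Privilege Rights] section. Lines look like:
#    SeDebugPrivilege = *S-1-5-32-544          (well-known principals are written as *SID)
$rights = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection) { continue }
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $name = $Matches[1]
        $rights[$name] = @($Matches[2] -split ',' | Where-Object { $_.Trim() } | ForEach-Object {
            $p = $_.Trim()
            if (-not $p.StartsWith('*')) { return $p }
            try {
                # Translate *SID to DOMAIN\name so the benchmark regexes can be applied.
                (New-Object System.Security.Principal.SecurityIdentifier($p.Substring(1))).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $p.Substring(1) }   # orphaned SID (deleted account): keep it, it still holds the right
        })
    }
}
Remove-Item $cfg -Force

# 3. One check per control. Mode follows the policy wording:
#    IsContainedIn  - every assignee must match at least one pattern (allow-list)
#    DoesNotContain - no assignee may match any pattern ('.+' therefore means No One)
#    Contains       - every pattern must be matched by at least one assignee (required deny entries)
function Test-UserRight {
    param([string]$Privilege, [string]$Mode, [string[]]$Patterns)
    $assigned = if ($rights.ContainsKey($Privilege)) { $rights[$Privilege] } else { @() }
    switch ($Mode) {
        'IsContainedIn'  { $bad = @($assigned | Where-Object { $a = $_; -not ($Patterns | Where-Object { $a -match $_ }) }) }
        'DoesNotContain' { $bad = @($assigned | Where-Object { $a = $_; ($Patterns | Where-Object { $a -match $_ }) }) }
        'Contains'       { $bad = @($Patterns | Where-Object { $p = $_; -not ($assigned | Where-Object { $_ -match $p }) }) }
    }
    [pscustomobject]@{ Privilege = $Privilege; Mode = $Mode; Pass = ($bad.Count -eq 0); Offending = ($bad -join ', ') }
}

# 4. Checks taken from 2.15, 2.13, 2.12 and 2.16 (the last one also blocks authenticated
#    Qualys scans that use the local Administrator account, as the CAUTION on 2.16 notes).
@(
    Test-UserRight 'SeDebugPrivilege'           'IsContainedIn'  @('\bAdministrators$')
    Test-UserRight 'SeCreatePermanentPrivilege' 'DoesNotContain' @('.+')
    Test-UserRight 'SeCreateGlobalPrivilege'    'IsContainedIn'  @('\bAdministrators$', '\bLOCAL\s+SERVICE$', '\bNETWORK\s+SERVICE$', '\bSERVICE$')
    Test-UserRight 'SeDenyNetworkLogonRight'    'Contains'       @('\bGuests$', '\bLocal\s+account\s+and\s+member\s+of\s+Administrators\s+group$')
) | Format-Table -AutoSize
```

The 'Offending' column lists the assignees that fail an allow- or deny-list, or the patterns that no assignee satisfies for a 'contains' check, which is what you need when deciding whether an extra entry (a SQL Server or IIS service account, for example) is a sanctioned business exception or drift. Orphaned SIDs are reported as raw SIDs rather than dropped, because a deleted account's SID still holds the right until it is removed from the policy.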

2.38 8141 Status of the Security Options 'Accounts: Block Microsoft accounts' setting CRITICAL
Windows 2016 Server

@The 'Accounts: Block Microsoft accounts' policy setting prevents users from adding Microsoft accounts on the computer. If
'Users can't add Microsoft accounts' is selected, users will not be able to create new Microsoft accounts, switch a local account
to a Microsoft account, or connect a domain account to a Microsoft account. If 'Users can't add or log on with Microsoft
accounts' is selected, existing Microsoft account users will additionally be unable to log on to Windows. Organizations that
want to implement identity management policies effectively and keep control of the accounts used to log on to their computers
should block Microsoft accounts, which several compliance standards also require.

This policy is disabled (0)

Users can't add Microsoft accounts (1)

Users can't add or log on with Microsoft accounts (3)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Users can't add or log on with
Microsoft accounts: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security
Options\Accounts: Block Microsoft accounts

2.39 8364 Status of the local 'Guest' account (enabled/disabled) CRITICAL

Windows 2016 Server


@The 'Guest' account on the local system (Member Server or Domain Controller) can be employed when a user needs to be
granted access to the system, but does not need any of the typical rights/privileges granted to an ordinary 'Authenticated
User,' such as for use in a 'kiosk' role. As there are known exploits for the 'Guest' role, including allowing non-authenticated
users to create a mail relay when the domain 'Guest' account is enabled, it should be disabled whenever feasible to do so.
NOTE: In order to prevent a malicious user from identifying the account by its SID after renaming the Guest account, disable
the anonymous Security (SID)/Name translation setting.

matches regular expression list


^Disabled$

No results found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Guest account status

2.40 1366 Status of the 'Accounts: Limit local account use of blank passwords to console logon only' URGENT
setting

Windows 2016 Server


@At times, having a blank password for a user login is acceptable, especially on kiosk-type machines that are intended for
public access. However, as allowing remote users to log in without a password is a serious security risk, this capability should
be restricted appropriately, in this case by limiting blank-password logons to the physical console.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Limit local account use of
blank passwords to console logon only

2.41 8367 Status of the name of the 'Built-in Administrator' account URGENT
Windows 2016 Server

@The built-in 'Administrator' account has full access to the system, including all files, directories and processes. As knowing
the name of a valid account with super-user privileges is half the battle in crafting a password-guessing attack, and the built-in
'Administrator' cannot be locked out, the account should be renamed to a value appropriate to the needs of the business.

matches regular expression list


^Account Renamed$

No results found

Remediation : To establish the recommended configuration via GP, configure the following UI path: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename administrator
account

2.42 8366 Status of the name of the 'Built-in Guest' account CRITICAL

Windows 2016 Server

@The 'Guest' account can be employed when a user needs to be granted access to the system, but does not need any of the
typical rights/privileges granted to an ordinary 'Authenticated User,' such as for use in a 'kiosk' role. As there are known
exploits for the 'Guest' role, including allowing non-authenticated users to create a mail relay when the domain 'Guest' account
is enabled, this account should be renamed to something unique for your organization and set as appropriate to the needs of
the business. NOTE: In order to prevent a malicious user from identifying the account by its SID after renaming the Guest
account, disable the anonymous Security (SID)/Name translation setting.

matches regular expression list


^Account Renamed$

No results found

Remediation : To establish the recommended configuration via GP, configure the following UI path: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Accounts: Rename guest account

2.43 2608 Status of the 'Audit: Force audit policy subcategory settings (Windows Vista or later) to CRITICAL
override audit policy category settings' setting

Windows 2016 Server

@The 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' setting
determines how the system applies audit policy settings. Windows Vista has the capability of managing audit policy through
the use of audit policy subcategories. However, if audit policy is set at the category level, subcategory audit policy settings are
overwritten by default. Enabling this setting addresses this issue by forcing the audit policy subcategory settings to override
the audit policy category settings. When this setting is enabled, audit policy can be managed at the subcategory level without
requiring changes to the Group Policy.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force audit policy
subcategory settings (Windows Vista or later) to override audit policy category settings

2.44 1156 Status of the 'Audit: Shut Down system immediately if unable to log security audits' setting SERIOUS

Windows 2016 Server

The 'Audit: Shut down system immediately if unable to log security audits' setting is responsible for ensuring that all security-
related events are captured in the Security Event Log. If, for any reason, security events cannot be captured while this setting
is enabled, the system will immediately shut down, which could negatively impact operations. If a system is shut down as a
result, a member of the Administrators group will be required to log in and archive the logs to allow further review in order to
determine the cause and respond accordingly. It is important to coordinate enabling this setting with the requirements
stipulated in internal policies and procedures for backup and retention of activity logs. As this setting is most effective when the
'Security Log Retention Method' is set to 'Overwrite Events by Days' or 'Do Not Overwrite Events,' this value should be set
according to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system
immediately if unable to log security audits

2.45 1163 Status of the 'Prevent users from installing printer drivers' setting CRITICAL

Windows 2016 Server

The 'Prevent users from installing printer drivers' setting provides protection from users installing unsigned or malware-infected
drivers onto the system. As installing printer drivers requires code to be loaded directly into the operating system kernel's
privileged space, and a malicious user can use this vector to introduce invalid or Trojan-based print drivers in order to subvert
the system, this parameter should be restricted/set according to the needs of the business. Note: Preventing users of the
system from installing printer drivers could result in increased calls to the Helpdesk for support. Consider implementing this
control in conjunction with CID 1150 (Unsigned driver installation behavior).

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Prevent users from
installing printer drivers

2.46 1370 Status of the 'Domain member: Digitally encrypt or sign secure channel data (always)' setting CRITICAL

Windows 2016 Server

The 'Domain member: Digitally encrypt or sign secure channel data (always)' setting dictates that SMB data exchanged
between a server and client (on a secure channel) must be either signed or sealed. If the domain controller on the other side
of the channel does not support signing or sealing, the system refuses to establish a channel; this provides the strongest
security for inter-domain communication. As this setting may break the communication path to legacy applications, it should
be changed only after careful testing and set as appropriate to business needs.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt
or sign secure channel data (always)

2.47 1371 Status of the 'Domain member: Digitally encrypt secure channel data (when possible)' setting CRITICAL

Windows 2016 Server

The 'Domain member: Digitally encrypt secure channel data (when possible)' entry is used when negotiating the conditions
of a secure channel with a domain controller and specifies whether or not outgoing secure channel traffic is encrypted
(sealed). Enabling this reduces the likelihood of successful sniffing or replay attacks. As enabling this setting may break the
communication path to legacy applications, it should be changed only after careful testing and set as appropriate to
business needs. NOTE: If the domain controller does not support this ability, traffic will be sent unencrypted regardless of the
setting.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally encrypt
secure channel data (when possible)

2.48 1372 Status of the 'Domain member: Digitally sign secure channel data (when possible)' setting CRITICAL

Windows 2016 Server

The 'Domain member: Digitally sign secure channel data (when possible)' entry is used to specify whether or not outgoing
secure channel traffic is signed. (This entry is used when negotiating the conditions of a channel with a domain controller.)
Having the traffic digitally signed reduces the likelihood of successful spoofing and/or hijacking attempts going unnoticed, as
alterations of the cryptographic hash on a traffic segment will cause error conditions. NOTE: If the domain controller does not
support this ability, traffic will be sent unsigned.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Digitally sign
secure channel data (when possible)

2.49 1373 Status of the 'Domain member: Disable machine account password changes' setting CRITICAL

Windows 2016 Server

The 'Domain member: Disable machine account password changes' setting controls whether the computer account password,
which is used to authenticate and authorize the system within the domain, is changed automatically; by default it is changed
every 30 days. With this setting configured to 'disabled,' the system's domain account password is changed automatically by
the workstation. If this parameter is set to 'enabled,' the workstation will not manage its domain account password automatically
and the password will never be changed, which may be a condition required by certain legacy programs. As keeping the same
password for a long period of time gives a malicious user more time to attempt to break it, this value should be set as
appropriate to the needs of the system and its role in the application provision process.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine
account password changes

2.50 1374 Status of the 'Domain member: Maximum machine account password age' setting CRITICAL

Windows 2016 Server

The 'Domain member: Maximum machine account password age' setting controls how often the computer account password,
which is used to authenticate and authorize the system within the domain, is changed; by default it is changed every 30 days.
As this setting determines how often the system resets its own password and has no discernible impact on the end user, it
should be set as appropriate to the environment and business needs.

in range
1-30

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to 30 or fewer days, but not 0:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member:
Maximum machine account password age

2.51 1375 Status of the 'Domain member: Require strong (Windows 2000 or later) session key' setting CRITICAL

Windows 2016 Server

The 'Domain member: Require strong (Windows 2000 or later) session key' setting requires a 128-bit key for encrypted secure
channel data. When a system joins a domain, an account is created. Thereafter, when the system starts, it uses the computer
account password to create a secure channel to a domain controller; this channel is used for NTLM pass-through
authentication, LSA SID/Name lookup, etc. As this setting requires that all 'secure traffic' between domain controllers and
workstations use a 128-bit key to encrypt the traffic, it should be tested carefully and set as appropriate, for it may otherwise
break Unix/Windows network integrations or other legacy connections.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Require strong
(Windows 2000 or later) session key
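As an added example (not part of this policy export or of the CIS benchmark), the following PowerShell reads the Netlogon registry values behind the six 'Domain member' settings in 2.46 through 2.51 and reports each against the expected value given in the remediation text above. It assumes the standard value names under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, which the Group Policy UI paths above write to, and a session with rights to read that key.

```powershell
# Added example: audit the 'Domain member' secure-channel settings (CIDs 1370-1375)
# directly from the registry values the Group Policy UI writes.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# One entry per control: registry value name, display title, a compliance test and
# the expected value as the policy prints it.
$Checks = @(
    @{ Cid = 1370; Name = 'RequireSignOrSeal';     Title = 'Digitally encrypt or sign secure channel data (always)'
       Expect = { param($v) $v -eq 1 };                Want = 'Enabled (1)' }
    @{ Cid = 1371; Name = 'SealSecureChannel';     Title = 'Digitally encrypt secure channel data (when possible)'
       Expect = { param($v) $v -eq 1 };                Want = 'Enabled (1)' }
    @{ Cid = 1372; Name = 'SignSecureChannel';     Title = 'Digitally sign secure channel data (when possible)'
       Expect = { param($v) $v -eq 1 };                Want = 'Enabled (1)' }
    @{ Cid = 1373; Name = 'DisablePasswordChange'; Title = 'Disable machine account password changes'
       Expect = { param($v) $v -eq 0 };                Want = 'Disabled (0)' }
    @{ Cid = 1374; Name = 'MaximumPasswordAge';    Title = 'Maximum machine account password age'
       Expect = { param($v) $v -ge 1 -and $v -le 30 }; Want = 'in range 1-30' }
    @{ Cid = 1375; Name = 'RequireStrongKey';      Title = 'Require strong (Windows 2000 or later) session key'
       Expect = { param($v) $v -eq 1 };                Want = 'Enabled (1)' }
)

function Test-SecureChannelSettings {
    param([string]$Key = $NetlogonKey)
    foreach ($c in $Checks) {
        # A missing value comes back as $null; the policy reports that state as
        # 'Key not found' and it must count as a failure, not as a pass.
        $actual = (Get-ItemProperty -Path $Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -eq $actual) {
            $status = 'FAIL'; $shown = 'Key not found'
        } elseif (& $c.Expect $actual) {
            $status = 'PASS'; $shown = $actual
        } else {
            $status = 'FAIL'; $shown = $actual
        }
        [pscustomobject]@{
            CID      = $c.Cid
            Setting  = "Domain member: $($c.Title)"
            Value    = $c.Name
            Actual   = $shown
            Expected = $c.Want
            Status   = $status
        }
    }
}

Test-SecureChannelSettings | Format-Table -AutoSize
```

Note that when 1373 (DisablePasswordChange) is set to 1 the age in 1374 is never enforced, so a PASS on 1374 alone does not mean the machine password is actually rotating.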

2.52 1190 Status of the 'Interactive Logon: Do Not Display Last User Name' setting SERIOUS

Windows 2016 Server

The 'Interactive Logon: Do Not Display Last User Name' setting prevents the name of the last user who logged on from being
automatically displayed. As this information is half of what a malicious user needs to log in, and there is an increased risk that
an unauthorized user may gain knowledge of the client domain naming standards and obtain a valid username (for use in a
brute-force attack), this 'last username' display capability should be set as appropriate to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display
last user name

2.53 1376 Status of the 'Interactive Logon: Do not require CTRL+ALT+DEL' setting URGENT

Windows 2016 Server

The Windows OS behaves differently when 'CTRL+ALT+Delete' is invoked before logon: this guarantees that the authentication
process for the system is engaged. Otherwise, when only the two-line logon screen is presented, it is possible that a Trojan
program is displaying a phony userid/password logon screen, which will collect the credentials and exit, leaving the user
believing that he/she simply mistyped one or both of the required values. NOTE: As this is one of the reverse-logic controls, it
is important to remember that this setting should be DISABLED for the protection to actually be enabled.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not require
CTRL+ALT+DEL

2.54 8145 Status of the Security Options 'Interactive logon: Machine inactivity limit' setting (seconds) SERIOUS

Windows 2016 Server


The 'Interactive logon: Machine inactivity limit' setting sets the amount of inactive time after which the screen saver is run,
locking the session. Open sessions on systems that have been left unattended can be compromised by malicious users,
potentially allowing them access to sensitive data, and locking idle sessions also conserves the resources set aside for
maintaining the connection. It is therefore important to establish a specific amount of inactive time after which the session is
locked, allowing only the legitimate user to log back on to the session. However, setting this time to a very low value will lock
legitimate sessions too quickly. Thus, this value should be set as appropriate to the needs of the business.

in range
1-900

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to 900 or fewer seconds, but not
0: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon:
Machine inactivity limit

2.55 3778 Status of the contents of the 'login banner' (Windows/Unix/Linux) SERIOUS

Windows 2016 Server

The logon banner provides a warning to inappropriate or unapproved users as to the consequences of accessing private
systems and data illegally. By displaying a legal text message during the logon process, all individuals attempting to access the
system understand that monitoring of all system activity is performed and that violators may be prosecuted to the full extent of
the law. As implementing a logon banner to deter inappropriate use can provide a foundation for legal action against abuse,
this 'warning' content should be set as appropriate to the needs of the business.

regular expression
.+

RegSubKey not found

Key not found

Remediation : To establish the recommended configuration via GP, configure the following UI path to a value that is consistent
with the security and operational requirements of your organization: Computer Configuration\Policies\Windows
Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message text for users attempting to log on

2.56 1134 Status of 'logon banner title' setting (Legal Notice) SERIOUS

Windows 2016 Server

Login/logon banners and any captions describing them are electronic messages that provide a notice of legal cautions to
users of computing resources. As these generate consent to real-time monitoring of user retrieval of stored files and records,
eliminate any reasonable expectation of privacy, and establish the 'common authority' to consent to a search by law
enforcement, this text value should be written according to the needs of the business.

regular expression
.+

Key not found

Remediation : To establish the recommended configuration via GP, configure the following UI path to a value that is consistent
with the security and operational requirements of your organization: Computer Configuration\Policies\Windows
Settings\Security Settings\Local Policies\Security Options\Interactive logon: Message title for users attempting to log on

2.57 1091 Status of the number of days before a [Prompt user] password expiration warning prompt is displayed at login SERIOUS

Windows 2016 Server

Among the several characteristics that make 'user identification' via password a secure and workable solution is setting the
'expiration warning date' requirement. This establishes the number of days before the host will begin to display 'password
expiration warning' messages upon login. Without a pre-expiration warning message, it is more likely that users will not
prepare for this event, which may contribute to the selection of hard-to-remember or easily broken password sequences and
circumvents the intent of enforcing password complexity rules. This may cause some users to forget or write down their new
password, which can lead either to a system compromise or to increased calls to Help Desk resources. (Interactive Logon:
Prompt User to Change Password Before Expiration)

in range
5-14

RegSubKey not found

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to a value according to the
business needs and organization's security policies: Computer Configuration\Policies\Windows Settings\Security
Settings\Local Policies\Security Options\Interactive logon: Prompt user to change password before expiration

2.58 1377 Status of the 'Interactive Logon: Require Domain Controller authentication to unlock workstation' setting CRITICAL

Windows 2016 Server

Enabling the 'Interactive Logon: Require Domain Controller authentication to unlock workstation' setting can help protect
against attacks that occur when the system is in screen-saver mode, for if this is disabled, a malicious user could potentially
succeed with a brute-force attack against the Administrator account in the local password cache. NOTE: When a user locks or
uses hibernation on the workstation, the Domain Controller must be available to unlock it again.

equal to
1
Disabled (0)

Enabled (1)

RegSubKey not found

Key not found

Remediation : To implement the recommended configuration state, set the following Group Policy setting to 1. Computer
Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Require Domain
Controller authentication to unlock workstation

2.59 1378 Status of the 'Interactive Logon: Smart Card Removal Behavior' setting CRITICAL

Windows 2016 Server

The 'Interactive Logon: Smart Card Removal Behavior' setting controls what happens to the workstation when the smart card
is removed, from 'no action' to logging the user off. Smart cards are part of the two-factor authentication systems used in
high-security environments, providing a tamper-resistant, portable way to log on to a Microsoft Windows Server family domain,
provide client authentication, sign code, and secure e-mail.

No action (0)

Lock workstation (1)

Force logoff (2)

Disconnect if a remote desktop services session (3)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Lock Workstation (or, if
applicable for your environment, Force Logoff or Disconnect if a Remote Desktop Services session): Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Smart card
removal behavior

2.60 1149 Status of the 'Microsoft network client: Digitally sign communications (always)' setting CRITICAL

Windows 2016 Server

The 'Microsoft network client: Digitally sign communications (always)' setting is associated with the Server Message Block
(SMB) protocol only. Whenever it is enabled, signed communications will be negotiated with any server that supports them. As
enabling this setting helps to reduce the potential for man-in-the-middle (MITM) attacks by providing protection against packet
tampering and supports mutual authentication, this value should be set according to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : Go to the following path and configure the Microsoft network client: Digitally sign communications (always)
setting as per the business needs or organization's security policy: Computer Configuration\Policies\Windows
Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)

2.61 1379 Status of the 'Microsoft network client: Digitally Sign Communications (if server agrees)' setting CRITICAL

Windows 2016 Server

The 'Microsoft network client: Digitally Sign Communications (if server agrees)' setting is used to specify whether or not to
initiate traffic signing, based upon the receiving server agreeing to sign the traffic that it receives. When this setting is enabled,
all Server Message Block (SMB) communications by Microsoft clients with servers running Windows 2000 or later will attempt
to negotiate signing, potentially guaranteeing message integrity but not confidentiality, so this should be set as appropriate to
business needs. NOTE: If the recipient server is not Windows 2000 or above, SMB traffic will go through, but signing will not
take place.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally
sign communications (if server agrees)

2.62 1380 Status of the 'Microsoft network client: Send Unencrypted Password to Connect to Third-Party SMB Server' setting CRITICAL

Windows 2016 Server

The 'Microsoft network client: Send Unencrypted Password to Connect to Third-Party SMB Server' setting determines whether
plain-text passwords may be used when connecting to a third-party SMB server. As sending unencrypted passwords across a
shared network risks the credentials being compromised by anyone running a packet sniffer on the network, this value should
be set as appropriate to business needs.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Send
unencrypted password to third-party SMB servers

2.63 1199 Status of the 'Microsoft network server: Amount of Idle Time Required Before Suspending Session' setting CRITICAL

Windows 2016 Server

The 'Microsoft network server: Amount of Idle Time Required Before Suspending Session' setting establishes time limits on
sessions between computers that share resources with other Windows systems using the SMB protocol, which exchanges
credentials, performs authentication and allocates resources for connection management. Open sessions on systems that
have been left unattended can be compromised by malicious users, potentially allowing them access to sensitive data, and
suspending idle sessions also conserves the resources set aside for maintaining the connection. Establishing a specific
amount of time that a session may be idle before it is suspended automatically is therefore important, and this value should be
set as appropriate to the needs of the business.

less than or equal to
15

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to 15 or fewer minute(s), but not
0: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network
server: Amount of idle time required before suspending session

2.64 1189 Status of the 'Microsoft network server: Digitally sign communication (always)' setting (SMB) CRITICAL

Windows 2016 Server


The 'Microsoft network server: Digitally sign communication (always)' setting requires that communication from the server
be digitally signed, thus ensuring its authenticity. (This still allows the message contents to be intercepted and read.) As
digitally signing SMB traffic reduces the risk of spoofing and 'man-in-the-middle' (MITM) attacks, this value should be set as
appropriate to the needs of the business. (RequireSecuritySignature)

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally
sign communications (always)

2.65 1381 Status of the 'Microsoft network server: Digitally Sign Communications (if Client agrees)' setting CRITICAL

Windows 2016 Server

When the 'Microsoft network server: Digitally Sign Communications (if Client agrees)' setting is enabled, all Server Message
Block (SMB) communications by Microsoft clients to servers running Windows 2000 or later will request signing, which
guarantees message integrity but not confidentiality. As this will potentially break legacy applications, this value should be set
as appropriate to use requirements. NOTE: If the recipient server is not Windows 2000 or above, SMB traffic will go through,
but signing will not take place.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally
sign communications (if client agrees)

2.66 1382 Status of the 'Microsoft Network Server: Disconnect clients when logon hours expire' setting CRITICAL

Windows 2016 Server

The 'Microsoft Network Server: Disconnect clients when logon hours expire' setting forces workstation clients that are
connected to services via the domain to disconnect when the permitted logon period has expired, although the user's desktop
is not forcibly closed. As this will also disconnect a workstation that is acting as a server, closing its network connections when
the allotted time expires, this should be set as appropriate to business needs. NOTE: This lockout applies only to SMB-based
connections.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server:
Disconnect clients when logon hours expire

2.67 5264 Status of the 'Microsoft network server: Server SPN target name validation level' setting SERIOUS

Windows 2016 Server

The 'Microsoft network server: Server SPN target name validation level' setting determines the validation level applied to the
SPN provided by clients when attempting to access shared folders/printers through the SMB protocol. This setting can assist
in combating relay attacks on computers (or servers) using the SMB protocol, as it allows the supplied name to be checked
against the list of SPNs on the computer/server before the connection is accepted.

Off (0)

Accept if provided by client (1)

Required from client (2)

Key not found


Remediation : To establish the recommended configuration via GP, set the following UI path to Accept if provided by client
(configuring to Required from client also conforms with the benchmark): Computer Configuration\Policies\Windows
Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Server SPN target name validation level

2.68 8279 Status of the Security Options 'Network Access: Allow Anonymous SID/Name Translation' setting CRITICAL

Windows 2016 Server

The 'Network Access: Allow Anonymous SID/Name Translation' setting is used to disallow anonymous users from resolving a
security identifier (SID) to a username. A user with local access could use the well-known Administrator SID to learn the real
name of the built-in Administrator account, even if it has been renamed, and then use that account name to initiate a password-
guessing attack. Thus, this setting should be set as per the needs of the organization.

Disabled (0)

Enabled (1)

Not Defined

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Allow anonymous
SID/Name translation

2.69 1197 Status of the 'Network access: Do not allow anonymous enumeration of SAM accounts' setting SERIOUS

Windows 2016 Server

If anonymous enumeration of SAM accounts is allowed, an anonymous user can request the translation of a security ID (SID)
to a username. As an attacker could use a well-known SID, such as that of the local Administrator account, to access the
system, this capability should be set in accordance with the requirements and expectations of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow
anonymous enumeration of SAM accounts

2.70 1153 Status of the 'Network Access: Do not allow Anonymous Enumeration of SAM Accounts and Shares' setting CRITICAL

Windows 2016 Server

The 'Network Access: Do not allow Anonymous Enumeration of SAM Accounts and Shares' setting protects the list of user
accounts and the list of network file shares that have been established. As this helps to prevent malicious users from
requesting the translation of a security ID (SID) to a username, such as that of the local Administrator account, in order to
access the system, this value should be set according to the needs of the business. NOTE: Whenever enabling this setting,
consider doing so in conjunction with CID 1197 (Anonymous enumeration of SAM accounts).

None. Rely on default permissions. (0)

Do not allow enumeration of Security Accounts Manager accounts and names. (1)

No access without explicit anonymous permissions. (2)

RegSubKey not found

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow
anonymous enumeration of SAM accounts and shares

2.71 1383 Status of the 'Network Access: Let Everyone permissions apply to anonymous users' setting CRITICAL

Windows 2016 Server

Enabling the 'Network Access: Let Everyone permissions apply to anonymous users' setting would add the 'anonymous
user,' with a 'null [authentication] session,' such as an unauthenticated web browser-connected user or null dial-up-connection
user, to the all-inclusive 'Everyone' group. As this capability would grant an anonymous user the escalated network privileges
that are assigned by default to the 'Everyone' group, it should be disabled/restricted as appropriate to business needs.
NOTE: This setting is disabled by default and patches a security flaw in Windows NT 4.0 that allowed null-session connections
to LAN resources via dial-up.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Let Everyone
permissions apply to anonymous users

2.72 5209 Status of the 'Network Access: Named Pipes that can be accessed anonymously' setting SERIOUS

Windows 2016 Server

The 'Network Access: Named Pipes that can be accessed anonymously' setting refers to the communication links established
directly between local and remote 'host processes.' As this list defines which pipes can be accessed remotely via a 'null
session,' which permits null [unauthenticated] process access, it should be left empty if null-session access is to be blocked
and otherwise populated in accordance with the needs of the business. NOTE: To properly use the 'Network Access: Named
Pipes that can be accessed anonymously' setting, the 'Network Access: Restrict anonymous access to Named Pipes and
Shares' option must first be enabled. This setting can be set using the registry key/value at location
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes.

matches regular expression list
(^$|^BROWSER$)
\bRemote\s+Desktop\s+Users$
HydraLSPipe$
TermServLicensing$

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to an empty value (i.e. None):
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Named
Pipes that can be accessed anonymously

2.73 5212 Status of the 'Network Access: Remotely accessible registry paths' setting (Windows 2003 and later) SERIOUS

Windows 2016 Server

The 'Network Access: Remotely accessible registry paths' setting defines the registry paths/child paths which can be
accessed from other systems across the network. This access depends on the Remote Registry Service being enabled and
requires authentication; however, it opens up an additional opportunity for a malicious user to gain access and make changes
to the registry settings that define how the system functions. If remote access to these registry paths is not required for the
system's operation, it should be restricted according to the needs of the business.

is contained in regular expression list
\bSystem\\CurrentControlSet\\Control\\ProductOptions$
\bSystem\\CurrentControlSet\\Control\\Server\sApplications$
\bSoftware\\Microsoft\\Windows\sNT\\CurrentVersion$

Key not found


Remediation : To establish the recommended configuration via GP, set the following UI path to:
System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Server Applications
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access:
Remotely accessible registry paths

2.74 5213 Status of the 'Network Access: Remotely accessible registry paths and subpaths' setting SERIOUS

Windows 2016 Server

The 'Network Access: Remotely accessible registry paths and subpaths' setting defines the registry paths/child paths which
can be accessed from other systems across the network. This access depends on the Remote Registry Service being enabled
and requires authentication; however, it opens up an additional opportunity for a malicious user to gain access and make
changes to the registry settings that define how the system will function. If access to the 'Network Access: Remotely accessible
registry paths and subpaths' service is not required for the system's operation, it should be restricted according to the needs of
the business. Note: This setting can be set using the registry key/value at location -
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths (Machine).

is contained in regular expression list


\bSystem\\CurrentControlSet\\Control\\Print\\Printers$
\bSystem\\CurrentControlSet\\Services\\Eventlog$
\bSoftware\\Microsoft\\OLAP\s+Server$
\bSoftware\\Microsoft\\Windows\s+NT\\CurrentVersion\\Print$
\bSoftware\\Microsoft\\Windows\s+NT\\CurrentVersion\\Windows$

Key not found

Remediation : Configure the following setting as per the business requirements or the organization's security policy.
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access:
Remotely accessible registry paths and sub-paths

2.75 1434 Status of the 'Network access: Restrict anonymous access to Named Pipes and Shares' setting CRITICAL

Windows 2016 Server

The 'Anonymous access to Named Pipes and Shares' setting defines which Named Pipes can be accessed remotely,
without authentication, between two processes. As these processes may or may not be on the same system, and the
communications model is peer-to-peer rather than client-server and has few security protections, this should be set according to
the needs of the business. NOTE: This setting must be enabled for 'Network Access: Named pipes that can be accessed
anonymously' or 'Network Access: Shares that can be accessed anonymously' to have any effect.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Restrict
anonymous access to Named Pipes and Shares

2.76 10968 Network access: Restrict clients allowed to make remote calls to SAM CRITICAL

Windows 2016 Server

The 'Network Access: Restrict clients allowed to make remote calls to SAM' setting limits remote querying of the SAM to local
administrators only. If the policy is disabled, any user can query any system for its users, so this setting should be
configured as per the needs of the business.

matches regular expression list


O:BAG:BAD:\(A;;RC;;;BA\)

Not Configured
Remediation : To establish the recommended configuration via GP, set the following UI path to Administrators: Remote
Access: Allow: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network
access: Restrict clients allowed to make remote calls to SAM

2.77 5210 Status of the 'Network Access: Shares that can be accessed anonymously' setting CRITICAL

Windows 2016 Server

Named Pipes' ACLs control access to network-based shares on a system. The 'Network Access: Shares that can be
accessed anonymously' setting indicates the list of shares allowing null connection access. While shares can be opened up to
the 'Everyone' group, this would not include the 'null' (unauthenticated) user. By adding a specific share name to this list, it
could allow null connections access to the share; however, NTFS restrictions on the share could still apply. As null connections
are a security risk, especially at the perimeter, this should be disabled/restricted appropriate to business needs. Note: This
setting can be set by using the registry key/value at location -
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters (NullSessionShares).

does not contain regular expression list


.+

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to (i.e. None): Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Shares that can
be accessed anonymously
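The following PowerShell audit ties together the three null-session controls above (2.72 NullSessionPipes, 2.75 Restrict anonymous access, 2.77 NullSessionShares). It is an added example, not part of the CIS/Qualys policy text: the function names are my own, the allowed-pipe regex list is copied from control 2.72, and the value name RestrictNullSessAccess (not given on the page) is the standard registry value behind control 2.75.

```powershell
# Added example: audits the null-session settings from controls 2.72, 2.75 and 2.77
# on the local host. Registry key and value names are the standard ones for these
# Security Options; function and variable names are my own (hypothetical).
$LanManKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# Allowed pipe names exactly as control 2.72 expresses them (a regex list; every
# entry in NullSessionPipes must match at least one pattern).
$AllowedPipePatterns = @(
    '(^$|^BROWSER$)',
    '\bRemote\s+Desktop\s+Users$',
    'HydraLSPipe$',
    'TermServLicensing$'
)

function Get-RegValueOrNull {
    # Returns the value, or $null when the key or value is absent ("Key not found").
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-NullSessionHardening {
    param([string]$ParametersKey = $LanManKey)
    $findings = @()

    # 2.75: RestrictNullSessAccess must be 1 (Enabled). An absent value is reported,
    # not failed, because the policy lists "Key not found" as a separate state.
    $restrict = Get-RegValueOrNull -Path $ParametersKey -Name 'RestrictNullSessAccess'
    if ($null -eq $restrict) {
        $findings += 'RestrictNullSessAccess: Key not found (policy expects Enabled = 1)'
    } elseif ([int]$restrict -ne 1) {
        $findings += "RestrictNullSessAccess is $restrict; expected 1 (Enabled)"
    }

    # 2.72: every pipe listed in NullSessionPipes must match one allowed pattern.
    $pipes = @(Get-RegValueOrNull -Path $ParametersKey -Name 'NullSessionPipes')
    foreach ($pipe in $pipes) {
        if ($null -eq $pipe) { continue }          # value absent -> nothing to check
        $allowed = $false
        foreach ($pattern in $AllowedPipePatterns) {
            if ($pipe -match $pattern) { $allowed = $true; break }
        }
        if (-not $allowed) {
            $findings += "NullSessionPipes exposes unexpected pipe '$pipe' to null sessions"
        }
    }

    # 2.77: NullSessionShares must not contain any non-empty entry ('.+' must not match).
    $shares = @(Get-RegValueOrNull -Path $ParametersKey -Name 'NullSessionShares')
    foreach ($share in $shares) {
        if ($null -ne $share -and $share -match '.+') {
            $findings += "NullSessionShares exposes share '$share' to null sessions"
        }
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-NullSessionHardening | Format-List
```

Run it in an elevated PowerShell session; reading HKLM is possible as a standard user, but the Group Policy remediations the controls describe require administrative rights.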

2.78 1386 Status of the 'Network Access: Sharing and security model for local accounts' setting CRITICAL

Windows 2016 Server

The 'Network Access: Sharing and security model for local accounts' setting determines how user privileges will be treated
after network-based logons (using local account privileges) are authenticated. If the mode is set to 'Classic,' network-based
logons that rely on local-account credentials will authenticate and be authorized via those local credentials. If set to 'Guest
only,' network-based logons that would otherwise use, map, and authorize users according to local-account privileges are
mapped instead to the 'Guest' account. As this setting can impede/restrict the activities of remote users who log onto domain-
based workstations with 'local accounts,' by reducing the user's capability both for doing work and potentially for reducing
harmful behavior, this should be set as appropriate to the business environment.

Classic - local users authenticate as themselves (0)

Guest only - local users authenticate as Guest (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Classic - local users
authenticate as themselves: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security
Options\Network access: Sharing and security model for local accounts

2.79 5266 Status of the 'Network security: Allow Local System to use computer identity for NTLM' setting SERIOUS

Windows 2016 Server

The 'Network security: Allow Local System to use computer identity for NTLM' setting permits services that operate as Local
System using the Negotiate method to use the computer's identity for authentication. In some instances, this could result in
requests for authentication to fail between some Windows-based systems and send error messages to the logs. When this
setting is not configured, such services will authenticate anonymously as was normal behavior in earlier versions of Windows.
For Windows 7 or 2008 R2 systems connecting to Vista or 2008 systems, a NULL session will be used which employs a
system-generated session key providing no protection whereas the computer identity method allows for signing and
encryption. As with all security settings on critical devices, or those that process and/or store sensitive data, this should be set
in accordance with organizational requirements and expectations.

Disabled (0)
Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow Local
System to use computer identity for NTLM

2.80 5265 Status of the 'Network security: Allow LocalSystem NULL session fallback' setting CRITICAL

Windows 2016 Server

The 'Network security: Allow LocalSystem NULL session fallback' setting determines the values a service will use on
Windows systems to establish connections to a variety of Windows-based systems. When enabled, this setting permits the
use of system-generated keys for NULL sessions, which could allow sensitive data to be exposed in transit; it should therefore
be set in accordance with the requirements and expectations of the business. Note: If required to do so, you can reduce the
risk level by using this setting in conjunction with the 'Network security: Allow Local System to use computer identity for NTLM'
setting (CID 5266), which allows Local System to use the machine identity to protect data in transit instead of a well-known key.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Allow
LocalSystem NULL session fallback

2.81 5267 Status of the 'Network security: Allow PKU2U authentication requests to this computer to use online identities' setting CRITICAL

Windows 2016 Server

The 'Network security: Allow PKU2U authentication requests to this computer to use online identities' setting controls
whether online identities (User IDs) can authenticate to the system from the Internet via the PKU2U protocol. The use of this
capability does not have any impact on the use of Domain/Local account authentication. While this capability may be a useful
feature on systems that do not store or process sensitive or protected data, it certainly increases the threat landscape for
those that do, and it should be configured in compliance with organizational requirements and expectations. Note: This setting
can be set by using the registry key/value at location - HKLM\System\CurrentControlSet\Control\Lsa\pku2u (AllowOnlineID).

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Allow PKU2U
authentication requests to this computer to use online identities

2.82 8231 Configure 'Network Security: Configure encryption types allowed for Kerberos' SERIOUS

Windows 2016 Server

The 'Network security: Configure encryption types allowed for Kerberos' setting determines the encryption types that the
Kerberos protocol is allowed to use. As encryption will not be enabled if this is not set, it should be configured according to
the needs of the business.

in 4:8:16:24:2147483616:2147483632:2147483640:2147483644
Not Configured (0)

DES_CBC_CRC (1)

RC4_HMAC_MD5 and AES_128_HMAC_SHA1 (12)

AES_256_HMAC_SHA1 (16)

DES_CBC_MD5 (2)

RC4_HMAC_MD5 and AES_256_HMAC_SHA1 (20)

Future encryption types (2147483616)

AES_256_HMAC_SHA1 and Future encryption types (2147483632)

RC4_HMAC_MD5 and AES_256_HMAC_SHA1 and Future encryption types (2147483636)

AES_128_HMAC_SHA1 and AES_256_HMAC_SHA1 and Future encryption types (2147483640)

RC4_HMAC_MD5 and AES_128_HMAC_SHA1 and AES_256_HMAC_SHA1 and Future encryption types (2147483644)

All encryption types (2147483647)

AES_128_HMAC_SHA1 and AES_256_HMAC_SHA1 (24)

RC4_HMAC_MD5 and AES_128_HMAC_SHA1 and AES_256_HMAC_SHA1 (28)

Key not found

RC4_HMAC_MD5 (4)

AES_128_HMAC_SHA1 (8)

Remediation : Configure the following setting as per the business needs or the organization's security policy. To do this
configuration via Group Policy Editor, use the following UI path. Computer Configuration\Policies\Windows Settings\Security
Settings\Local Policies\Security Options\Network Security: Configure encryption types allowed for Kerberos
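The value list above is a bitmask, which is why the accepted values in the "in" list look arbitrary. The PowerShell below decodes a SupportedEncryptionTypes value into the names control 2.82 lists, checks it against that control's accepted list, and flags any DES bit. It is an added example, not part of the policy text: function names are my own, the bit values come from the control, and the registry location (not given on the page) is the Group Policy backed location for this setting.

```powershell
# Added example: decode and evaluate the Kerberos encryption-type bitmask of
# control 2.82. Bit values are those listed in the control; names are my own.
$KerberosEncTypeBits = [ordered]@{
    DES_CBC_CRC           = 1
    DES_CBC_MD5           = 2
    RC4_HMAC_MD5          = 4
    AES_128_HMAC_SHA1     = 8
    AES_256_HMAC_SHA1     = 16
    FutureEncryptionTypes = 2147483616   # 0x7FFFFFE0: all not-yet-defined bits
}

# The values control 2.82 accepts (its "in" list).
$AcceptedValues = @(4, 8, 16, 24, 2147483616, 2147483632, 2147483640, 2147483644)

function ConvertFrom-KerberosEncTypes {
    # Returns the names of the encryption types enabled by $Value.
    param([Parameter(Mandatory)][long]$Value)
    if ($Value -eq 0) { return @('Not Configured') }
    $names = foreach ($entry in $KerberosEncTypeBits.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $entry.Key }
    }
    return @($names)
}

function Test-KerberosEncTypes {
    # Evaluates one bitmask value against the control's accepted list.
    param([Parameter(Mandatory)][long]$Value)
    $enabled = ConvertFrom-KerberosEncTypes -Value $Value
    [pscustomobject]@{
        Value     = $Value
        Enabled   = ($enabled -join ', ')
        Accepted  = ($AcceptedValues -contains $Value)
        AllowsDES = (($Value -band 3) -ne 0)   # either DES bit set: legacy, weak
    }
}

function Get-LocalKerberosEncTypes {
    # Reads the policy-backed value; $null means "Key not found" in the control's terms.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $item = Get-ItemProperty -Path $key -Name 'SupportedEncryptionTypes' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [long]$item.SupportedEncryptionTypes
}

# Worked values from the control: 2147483640 = AES128 + AES256 + Future (accepted);
# 2147483647 = All encryption types, including DES (not in the accepted list).
Test-KerberosEncTypes -Value 2147483640
Test-KerberosEncTypes -Value 2147483647

$local = Get-LocalKerberosEncTypes
if ($null -ne $local) { Test-KerberosEncTypes -Value $local }
else { 'SupportedEncryptionTypes not set (Key not found)' }
```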

2.83 1164 Status of the 'Network Security: Do not store LAN Manager password hash value on next password change' setting CRITICAL

Windows 2016 Server

The 'Network Security: Do not store LAN Manager password hash value on next password change' setting prevents LM
password hashes from being stored on the system. Upon enabling this setting, you may want to force all users to change their
passwords, as the hash values are not automatically deleted. (All pre-existing password hash values will remain in place until
they have been cycled AFTER this setting has been enabled.) Also, when this setting is enabled on a member server or
workstation, only the local SAM accounts will be protected on that system. To prevent Active Directory from allowing these
hash values to be stored for domain accounts, use the Default Domain Controllers Group Policy Object. As enabling this
setting should enhance the security baseline unless legacy issues require support for pre-Windows NT systems, this
parameter should be restricted/set according to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Do not store LAN
Manager hash value on next password change

2.84 4469 Status of the 'Network Security: Force logoff when logon hours expire' setting SERIOUS

Windows 2016 Server

The 'Network Security: Force logoff when logon hours expire' setting determines whether users connected to the local
computer outside the predetermined logon hours for their account should be disconnected from the SMB connection with the
server. Whenever this policy is set to 'disabled,' an account that has already established a connection can continue to be
connected beyond the predetermined hours. Run this check periodically to ensure security settings are configured and
operating correctly to achieve the intended result for your security baseline requirements.

Disabled (0)
Enabled (1)

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled. Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Force logoff when
logon hours expire

2.85 1387 Status of the 'Network Security: LAN Manager Authentication Level' setting CRITICAL

Windows 2016 Server

This check provides the current status of the 'Network Security: LAN Manager Authentication Level' setting. The earliest
Windows network-based authentication scheme, 'LanManager' (LM), designed for Windows for Workgroups 3.11, can be
easily broken by software available on the Internet. MS has responded over the years by creating more secure authentication
protocols, with the strongest being 'NT LanManager, Version 2' (NTLM v2). The most secure setting, as specified by the
manufacturer for all OS versions 'Win2K' and above, is to use 'Send NTLMv2 response only.' When there are no Win95/98
hosts on the network, LM can be superseded by NTLM (version 1); if no hosts below Win2K exist, such as Windows NT4.0
server/workstation, NTLM version 2 can be used exclusively, with both LM and NTLM deprecated, so this value should be set
as appropriate to the needs of the business.

Send LM & NTLM responses (0)

Send LM and NTLM - use NTLMv2 session security if negotiated (1)

Send NTLM response only (2)

Send NTLMv2 response only (3)

Key not found

Send NTLMv2 response only. Refuse LM (4)

Send NTLMv2 response only. Refuse LM and NTLM (5)

Remediation : To establish the recommended configuration via GP, set the following UI path to: Send NTLMv2 response only.
Refuse LM & NTLM: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security
Options\Network security: LAN Manager authentication level

2.86 1388 Status of the 'Network Security: LDAP client signing requirements' setting CRITICAL

Windows 2016 Server

One of the major shifts in user management has been to use the 'LDAP' (Lightweight Directory Access Protocol) model for
extending the Windows OS into a truly extensible 'enterprise' account manager. The 'Network Security: LDAP client signing
requirements' setting allows signing to be required for LDAP communication (this requires specific configuration of the client
and server), ensuring that the two systems' communications have been mutually authenticated by using SSL/TLS 'LDAP
signature' identification on the packets. As this security measure can prevent a malicious user from impersonating a secure
host and carrying out 'man-in-the-middle' (MITM) attacks, it should be implemented as appropriate to the business need. NOTE:
The 'Require Signing' setting can cause communication between server and client to fail if the two are not properly configured.
Careful testing is strongly recommended before applying this to a Production environment.

None (0)

Negotiate signing (1)

Require signing (2)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Negotiate signing (configuring
to Require signing also conforms with the benchmark): Computer Configuration\Policies\Windows Settings\Security
Settings\Local Policies\Security Options\Network security: LDAP client signing requirements

2.87 1389 Status of the 'Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients' setting CRITICAL

Windows 2016 Server

This check provides the current status of the 'Network Security: Minimum session security for NTLM SSP based (including
secure RPC) clients' setting. Remote Procedure Call (RPC) provides a way for a remote user to execute an operation on the
system as if sitting at the console. This can allow a malicious user to initiate RPC-based attacks that focus on 'privilege
escalation.' By requiring message integrity, confidentiality, session security and high-strength encryption for clients, the
problems with weak authentication that have made RPC vulnerable to 'man-in-the-middle' attacks can be overcome, so these
should be deployed on the Client as appropriate to the needs of business. NOTE: The recommendation is to use Message
Integrity, Message Confidentiality, NTLMv2 Session Security, and 128-bit Encryption: all these settings must be used together
for the complete security process to be successful. (See MS-KB 239869)

No requirements (0)

Key not found

Require NTLMv2 session security (524288)

Require 128-bit encryption (536870912)

Combined settings (537395200)

Remediation : Go to the following path and configure the 'Network security: Minimum session security for NTLM SSP based
(including secure RPC) clients' setting as per the business needs or organization's policy: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Minimum session
security for NTLM SSP based (including secure RPC) clients

2.88 1390 Status of the 'Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers' setting CRITICAL

Windows 2016 Server

This check provides the current status of the 'Minimum session security for NTLM SSP based (including secure RPC)
servers' setting. Remote Procedure Call (RPC) provides a way for a remote user to execute an operation on the system
as if sitting at the console; this can allow a malicious user to initiate RPC-based attacks that focus on 'privilege escalation.' By
requiring message integrity, confidentiality, session security and high-strength encryption for clients, the problems with weak
authentication that have made RPC vulnerable to 'man-in-the-middle' attacks can be overcome, so these should be deployed
on the Server as appropriate to the business's need. NOTE: The recommendation is to use NTLMv2 Session Security and
128-bit Encryption: these two settings must be used together for the complete security process to be successful. (See MS-KB
239869)

No requirements (0)

Key not found

Require NTLMv2 session security (524288)

Require 128-bit encryption (536870912)

Combined settings (537395200)

Remediation : Go to the following UI path and configure the GP as per the business requirements or the organization's
security policies. Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security
Options\Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
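Controls 2.83, 2.85, 2.87 and 2.88 are all read from the LSA registry keys, and the two "Minimum session security" values are bitmasks whose "Combined settings" value 537395200 is simply both bits set. The PowerShell below reads and evaluates all four. It is an added example, not part of the policy text: function names are my own, the bit and level values come from the controls, and the registry locations (not given on the page) are the standard ones behind these Security Options.

```powershell
# Added example: evaluate the LM/NTLM settings of controls 2.83, 2.85, 2.87, 2.88.
# Registry locations are the standard ones for these settings; names are my own.
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Bits listed by controls 2.87/2.88; 537395200 ("Combined settings") is their sum.
$NtlmSspBits = @{
    'Require NTLMv2 session security' = 524288      # 0x00080000
    'Require 128-bit encryption'      = 536870912   # 0x20000000
}
$NtlmSspCombined = 537395200

# Values listed by control 2.85.
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM and NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM and NTLM'
}

function Get-DwordOrNull {
    # Returns the DWORD as [long], or $null when absent ("Key not found").
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [long]$item.$Name
}

function Test-NtlmSspMinimum {
    # Evaluates one NTLMMinClientSec / NTLMMinServerSec value against both required bits.
    param($Value)
    $missing = @()
    foreach ($name in $NtlmSspBits.Keys) {
        if ($null -eq $Value -or ($Value -band $NtlmSspBits[$name]) -eq 0) { $missing += $name }
    }
    [pscustomobject]@{
        Value     = $Value
        Compliant = ($null -ne $Value -and ($Value -band $NtlmSspCombined) -eq $NtlmSspCombined)
        Missing   = $missing
    }
}

function Test-LmAuthenticationLevel {
    # Control 2.85 recommends level 5: 'Send NTLMv2 response only. Refuse LM & NTLM'.
    param($Value)
    [pscustomobject]@{
        Value     = $Value
        Meaning   = $(if ($null -eq $Value) { 'Key not found' } else { $LmLevels[[int]$Value] })
        Compliant = ($Value -eq 5)
    }
}

function Test-LocalNtlmPosture {
    $noLmHash = Get-DwordOrNull $LsaKey 'NoLMHash'   # control 2.83 expects 1 (Enabled)
    [pscustomobject]@{
        NoLMHash          = $noLmHash
        NoLMHashCompliant = ($noLmHash -eq 1)
        LmCompatibility   = Test-LmAuthenticationLevel (Get-DwordOrNull $LsaKey 'LmCompatibilityLevel')
        NtlmMinClientSec  = Test-NtlmSspMinimum (Get-DwordOrNull $Msv10Key 'NTLMMinClientSec')
        NtlmMinServerSec  = Test-NtlmSspMinimum (Get-DwordOrNull $Msv10Key 'NTLMMinServerSec')
    }
}

# Worked values from the controls: 537395200 satisfies both bits; 524288 lacks 128-bit encryption.
Test-NtlmSspMinimum -Value 537395200
Test-NtlmSspMinimum -Value 524288
Test-LocalNtlmPosture | Format-List
```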

2.89 8233 Status of the 'Network Security: Restrict NTLM: Audit Incoming NTLM Traffic' setting SERIOUS

Windows 2016 Server

The 'Network security: Restrict NTLM: Audit Incoming NTLM traffic' setting allows for the auditing of all incoming NTLM
traffic. As the policy does not block any traffic when enabled, it can be used to effectively monitor traffic and should be used
according to the needs of the business.

Disable (0)

Enable auditing for domain accounts (1)

Enable auditing for all accounts (2)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Not Defined. Computer
Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: Audit
Incoming NTLM Traffic

2.90 8243 Configure 'Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers' SERIOUS

Windows 2016 Server

NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle
attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows
operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication
mechanisms, such as smart cards. As an example, one such recent vulnerability is the zero-day vulnerability published on
1 April 2020 in the Zoom Windows client: an attacker could exploit the Zoom Windows client using UNC path injection to expose
credentials for use in SMB relay attacks. When the SMB service is disabled or outbound SMB connections are blocked at the
firewall, the attack does not work. The 'Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers' setting
denies or audits outgoing NTLM traffic to any remote Windows server. If the option 'Allow All' is selected or this setting is not
configured, the client computer can authenticate identities to a remote server by using NTLM authentication. In the case of a
compromised server, the client computer could authenticate itself to a poisoned server and would be at risk of compromising
sensitive data such as credentials. In the case of a compromised client, the client computer could send sensitive data to the
server. If 'Audit All' is selected, the client computer logs an event for each NTLM authentication request to a remote server,
which allows identifying the servers receiving NTLM authentication requests from the client computer. If 'Deny All' is selected,
the client computer cannot authenticate identities to a remote server by using NTLM authentication. This setting should be set
as per the needs of the organization, either to protect sensitive data being transferred or to audit which computers are communicating.

Allow all (0)

Audit all (1)

Deny all (2)

Key not found

Remediation : Set the following group policy to a value that is consistent with the security and operational requirements of your
organization. Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security:
Restrict NTLM: Outgoing NTLM traffic to remote servers

2.91 1369 Status of the 'Shutdown: Allow system to be shut down without having to log on' setting CRITICAL

Windows 2016 Server

The 'Shutdown: Allow system to be shut down without having to log on' setting permits anyone with physical access to the
console to shut down the system without entering logon credentials. As host shutdown without valid credentials could lead to a
DoS condition, followed by the potential to load malicious code via a flash drive or CD-ROM during the reboot process, this
should be disabled or restricted as appropriate to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local
Policies -> Security Options -> "Shutdown: Allow system to be shutdown without having to log on" to "Disabled".

2.92 1188 Status of the 'System objects: Require case insensitivity for non-Windows subsystems' setting CRITICAL

Windows 2016 Server

This check provides the current status of the 'System objects: Require case insensitivity for non-Windows subsystems'
setting. Because Windows is case-insensitive, but a POSIX subsystem will support case sensitivity, failure to enable this policy
setting would make it possible for a user of that subsystem to create a file with the same name as another file, but with a
different mix of upper and lower case letters. As this situation could potentially confuse users when they try to access such
files from normal Win32 tools, because only one of the files will be available, this should be set as appropriate to the needs of
the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Require case
insensitivity for non-Windows subsystems

2.93 1426 Status of the 'System objects: Strengthen default permissions of internal system objects' setting CRITICAL

Windows 2016 Server

The 'System objects: Strengthen default permissions of internal system objects' setting governs access permissions on
system objects, such as shared physical and logical resources, including semaphores and DOS device names. As these can
be more easily compromised if not sufficiently protected, access permissions should be set as appropriate to the business
need.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\System objects: Strengthen default
permissions of internal system objects (e.g. Symbolic Links)

2.94 2586 Status of the 'User Account Control: Admin Approval Mode for the Built-in Administrator account' setting CRITICAL

Windows 2016 Server

The 'User Account Control: Admin Approval Mode for the Built-in Administrator account' setting determines whether or not
the Built-in Administrator account will log on to the system in Admin Approval Mode. When this setting is enabled, the Built-in
Administrator account will log on to the system in Admin Approval Mode. Admin Approval Mode forces the system to prompt
the administrator for consent when an operation requiring privilege elevation is requested. When this setting is disabled, the
Built-in Administrator account will log on to the system in Windows XP compatible mode and the account will be granted full
administrative privileges. NOTE: Consider implementing this control in conjunction with CID 2583 and CID 2587.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin
Approval Mode for the Built-in Administrator account

2.95 2587 Status of the 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' setting CRITICAL

Windows 2016 Server

The 'User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode' setting determines
how requests for an elevation in privileges by Administrators are handled. When an Administrator account logs into a Windows
Vista, or later, operating environment, it is done in Protected [Administrator] Mode status. For certain tasks and actions to be
performed on the system, the Administrator account will need to be placed into Elevated [Administrator] Mode. The act of
going from Protected Mode to Elevated Mode can be configured by this setting to require credentials to be entered or to require
no interaction at all. When this is set to allow elevations in privileges to occur without any user interaction, it
increases the likelihood that malware that requires administrative privileges will be capable of executing its payload
on the system without hindrance. Therefore, the risk associated with this setting should be considered and set in accordance
with the needs and requirements of the business.

Elevate without prompting (0)

Prompt for credentials on the secure desktop (1)

Prompt for consent on the secure desktop (2)

Prompt for credentials (3)

Key not found

Prompt for consent (4)

Prompt for consent for non-Windows binaries (5)

Remediation : To establish the recommended configuration via GP, set the following UI path to Prompt for consent on the
secure desktop: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User
Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

2.96 2605 Status of the 'User Account Control: Behavior of the elevation prompt for standard users' setting CRITICAL

Windows 2016 Server

The 'User Account Control: Behavior of the elevation prompt for standard users' setting determines how the system will
display elevation prompts to standard users. Windows Vista uses User Account Control elevation to prompt the user for
credentials or consent when a system operation requires administrative rights. This policy setting has two possible
configurations that affect elevation requests: 1) Prompt for credentials - when this setting is enabled the user is prompted to
provide administrator credentials in order for the operation to continue. 2) Automatically deny elevation requests - when this
setting is enabled the system will not perform the requested operation and the user is presented with an access denied error
message.

Automatically deny elevation requests (0)

Prompt for credentials on the secure desktop (1)

Prompt for credentials (3)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Automatically deny elevation
requests: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account
Control: Behavior of the elevation prompt for standard users

2.97 2582 Status of the 'User Account Control: Detect application installations and prompt for elevation' setting CRITICAL

Windows 2016 Server

The 'User Account Control: Detect application installations and prompt for elevation' setting determines whether or not the
user is presented with an elevation prompt when Windows Vista detects an installation application. When this setting is
enabled, Windows Vista uses heuristic detection to identify installation applications. When Windows detects an installation
application, the user is prompted for credentials or consent through an elevation prompt. When this setting is disabled,
installation applications are prevented from running and the user is presented with a notification error message.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect
application installations and prompt for elevation

2.98 2584 Status of the 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' setting CRITICAL

Windows 2016 Server

@The 'User Account Control: Only elevate UIAccess applications that are installed in secure locations' setting determines
whether or not the system will elevate applications that use a UIAccess integrity level check when requesting execution. When
this setting is enabled, applications are permitted to launch with UIAccess integrity only if they reside in secure system folders.
When this setting is disabled, applications are permitted to launch with UIAccess integrity regardless of their location in the file
system. Restricting which applications are permitted to run with elevated permissions can reduce the risk of a malicious user
gaining inappropriate access and/or control.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate
UIAccess applications that are installed in secure locations

2.99 2583 Status of the 'User Account Control: Run all administrators in Admin Approval Mode' setting CRITICAL

Windows 2016 Server


@The 'User Account Control: Run all administrators in Admin Approval Mode' setting determines whether or not the system
will prompt consent or credentials when an administrative operation is requested. When this setting is enabled, users and
administrators are prompted for consent or credentials (depending on other Group Policy settings). When this setting is
disabled, both the Windows Vista User Account Control functionality and Application Information Service are disabled. As
disabling the functionality of User Account Control presents an attack surface that could allow a malicious user to gain
inappropriate access and/or control, this setting should be enabled as appropriate to the needs of the business. NOTE:
Consider implementing this control in conjunction with CID 2582, CID 2586, CID 2587, CID 2603, CID 2605, CID 2606.

Disabled (0)

Enabled (1)

Key not found

Remediation : Go to the following UI path and configure the GP setting as per the business requirements or the
organization's security policies: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security
Options\User Account Control: Run all administrators in Admin Approval Mode

2.100 2606 Status of the 'User Account Control: Switch to the secure desktop when prompted for elevation' setting CRITICAL

Windows 2016 Server

@The 'User Account Control: Switch to the secure desktop when prompted for elevation' setting determines whether or not the
system will switch to Secure Desktop when an executable file requests permission elevation. The Secure Desktop functionality
changes the interactive user desktop into a secure 'alpha-blended bitmap' display in order to present the permission elevation
prompt to the user. When this setting is enabled, the system will switch to the Secure Desktop for all elevation requests. When
this setting is disabled, all elevation requests will be presented through the interactive user desktop. This functionality is
designed to prevent malware from imitating the secure desktop by 'painting over' the interactive user desktop.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the
secure desktop when prompting for elevation

2.101 3940 Status of the 'User Account Control: Virtualize file and registry write failures to per-user locations' setting CRITICAL

Windows 2016 Server

@The 'Virtualize file and registry write failures to per-user locations' setting determines whether application write failures to
protected file-system and registry locations are redirected to defined per-user locations. As this setting can help mitigate risks
that may occur when run-time data is written to sensitive file and registry areas, this capability should be configured according
to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file
and registry write failures to per-user locations

Section 3: Windows Defender Firewall with Advanced Security


3.1 3952 Status of the 'Windows Firewall: Firewall state (Domain)' setting CRITICAL

Windows 2016 Server

@The 'Windows Firewall: Firewall state (Domain)' setting identifies whether the Domain firewall profile is currently active. Examples
of firewall profile states are 'Domain Profile is Active', 'Public Profile is Active', or 'Private Profile is Active'. As enabling a firewall
can reduce the number of potential network-based attack vectors, while expecting a locally trusted network to be secure enough
to relax firewall standards can increase system vulnerability, this capability should be set according to the needs of the
business.

Off (0)

On (1)

Key not found

Remediation : Configure the 'Firewall state' group policy setting as per the business needs or organization's security policy.
Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows
Defender Firewall with Advanced Security\Windows Defender Firewall Properties\Domain Profile\Firewall state

3.2 3949 Status of the 'Windows Firewall: Inbound connections (Domain)' setting CRITICAL

Windows 2016 Server

@The 'Windows Firewall: Inbound connections (Domain)' setting enables the operation of the Windows Firewall 'Domain' profile
setting, to allow domain selection of specific, permitted inbound connections for this system. As enabling a firewall can reduce
the number of potential network-based attack vectors, while excessive rule-sets can block necessary connections, this
capability should be set according to the needs of the business.

Allow (0)

Block (1)

Key not found

Remediation : Go to the following path and configure the 'Inbound connections' group policy setting as per the business needs
or organization's security policy. Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with
Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Inbound
connections

3.3 3962 Status of the 'Windows Firewall: Display a notification (Domain)' setting CRITICAL

Windows 2016 Server

@The 'Windows Firewall: Display a notification (Domain)' setting generates a user alert, showing that an exception is being
added to a firewall policy by some application's activity. As adding an exception may increase the potential for a malware
attack or unauthorized user entry, this capability should be configured according to the needs of the business.

Yes (0)

No (1)

Key not found


Remediation : Go to the following path and configure the 'Display a notification' group policy setting as per the business needs
or organization's security policy. Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with
Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Settings
Customize\Display a notification

3.4 1525 Status of the 'Windows Firewall: Log file path and name (Domain)' setting SERIOUS

Windows 2016 Server


@The 'Windows Firewall: Log file path and name (Domain)' setting allows specification of the exact path/filename for the
Windows Firewall log file on the system, as required by the domain profile. As this will allow logging/tracking of
rejected/dropped packets in a log file, allowing for a later security review, this value should be set as appropriate to the needs
of the business. (See CID-1523 regarding specific traffic to be logged.)

regular expression
\%SystemRoot\%\\System32\\logfiles\\firewall\\domainfw\.log

Key not found

Remediation : Go to the following path and configure the 'Log file path and name' group policy setting as per the business
needs or organization's security policy. Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall
with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Logging
Customize\Name

3.5 1526 Status of the 'Windows Firewall: Log File Size (Domain)' setting SERIOUS

Windows 2016 Server

@The 'Windows Firewall: Log File Size (Domain)' setting will determine how much of the firewall activity is captured before the
text is overwritten by more recent items. The Manufacturer recommends 4096KB (4 Megabytes), as a minimum, which should
be enough to capture one (or more) day's worth of events, to allow backtracking of the audit trail should a system become
infected by malware, or taken over by a malicious user. As this setting determines how much log information is saved, this
value should be set as appropriate to the needs of the business.

greater than or equal to 16384

Key not found

Remediation : Configure the 'Size limit (KB)' group policy setting as per the business needs or organization's security policy.
Computer Configuration\Windows Settings\Security Settings\Microsoft Defender Firewall with Advanced Security\Microsoft
Defender Firewall with Advanced Security\Microsoft Defender Firewall Properties\Domain Profile\Logging Customize\Size
limit (KB)

3.6 1524 Status of the 'Windows Firewall: Log dropped packets (Domain)' setting SERIOUS

Windows 2016 Server

@The 'Windows Firewall: Log dropped packets (Domain)' setting will allow logging/tracking of rejected/dropped packets in a
log file, allowing for a later security review. As it can be useful to know what sort of traffic is being discarded, and to see
whether repeating patterns appear that can indicate recurring exploit attempts, this capability should be set as appropriate to
the needs of the business.

No (0)

Yes (1)

Key not found


Remediation : Configure the 'Log dropped packets' group policy setting as per the business needs or organization's security
policy. Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced
Security\Windows Defender Firewall with Advanced Security\Windows Defender Firewall Properties\Domain Profile\Logging
Customize\Log dropped packets

3.7 1527 Status of the 'Windows Firewall: Log Successful Connections (Domain)' setting SERIOUS

Windows 2016 Server

@The 'Windows Firewall: Log Successful Connections (Domain)' setting enables logging of all successful connections, to
allow the tracking of all activity of network origin that could potentially affect the system. As this would provide an audit trail in
case of a breach, this value should be set as appropriate to the needs of the business. NOTE: This setting has the potential to
generate log files which may exceed the CIS-recommended maximum of 4096KB.

No (0)

Yes (1)

Key not found

Remediation : Configure the 'Log Successful Connections' group policy setting as per the business needs or organization's
security policy. Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced
Security\Windows Defender Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Logging
Customize\Log successful connections

3.8 3951 Status of the 'Windows Firewall: Firewall state (Private)' setting CRITICAL

Windows 2016 Server

@The 'Windows Firewall: Firewall state (Private)' setting enables the operation of Windows Firewall as specified by the settings
for this system on a 'home' or otherwise 'trusted' network. As enabling a firewall can reduce the number of potential
network-based attack vectors, while expecting a locally trusted network to be secure enough to relax firewall standards can
increase system vulnerability, this capability should be set according to the needs of the business.

Off (0)

On (1)

Key not found

Remediation : Configure the 'Firewall state' group policy setting as per the business needs or organization's security policy.
Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows
Defender Firewall with Advanced Security\Windows Defender Firewall Properties\Private Profile\Firewall state

3.9 3948 Status of the 'Windows Firewall: Inbound connections (Private)' setting CRITICAL

Windows 2016 Server

@The 'Windows Firewall: Inbound connections (Private)' setting enables the operation of the Windows Firewall 'Private' profile
setting, to allow user selection of specific, permitted inbound connections for this system. As enabling a firewall can reduce the
number of potential network-based attack vectors, while excessive rule-sets can block necessary connections, this capability
should be set according to the needs of the business.

Allow (0)

Block (1)

Key not found

Remediation : Configure the 'Inbound connections' group policy setting as per the business needs or organization's security
policy. Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced
Security\Windows Defender Firewall with Advanced Security\Windows Defender Firewall Properties\Private Profile\Inbound
connections

3.10 3964 Status of the 'Windows Firewall: Display a notification (Private)' setting CRITICAL

Windows 2016 Server


@The 'Windows Firewall: Display a notification (Private)' setting generates a user alert, showing that a block was generated by
a firewall policy due to some application/external user activity. As a policy exception added by an application may increase the
potential for a malware attack or unauthorized user entry, this capability should be configured according to the needs of the
business.

Yes (0)

No (1)

Key not found

Remediation : Go to the following path and configure the 'Display a notification' group policy setting as per the business needs
or organization's security policy. Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with
Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Settings
Customize\Display a notification

3.11 8161 Status of the 'Windows Firewall: Log file path and name (Private)' setting SERIOUS

Windows 2016 Server

@The 'Windows Firewall: Private: Logging: Name' setting is used to specify the path and name of the file in which Windows
Firewall will write its log information. If events are not recorded it may be difficult or impossible to determine the root cause of
system problems or the unauthorized activities of malicious users. It should be used according to the needs of the business.

matches regular expression list
\%SystemRoot\%\\System32\\logfiles\\firewall\\privatefw\.log

Key not found

Remediation : Go to the following path and configure the 'Name' group policy setting as per the business needs or
organization's security policy. Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with
Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Logging
Customize\Name

3.12 8160 Status of the 'Windows Firewall: Log File Size (Private)' setting SERIOUS

Windows 2016 Server


@The 'Windows Firewall: Log File Size (Private)' setting is used to specify the size limit of the file in which Windows Firewall
will write its log information. If events are not recorded it may be difficult or impossible to determine the root cause of system
problems or the unauthorized activities of malicious users. It should be used according to the needs of the business.

greater than or equal to 16384

Key not found

Remediation : Configure the 'Size limit (KB)' group policy setting as per the business needs or organization's security policy.
Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows
Defender Firewall with Advanced Security\Windows Defender Firewall Properties\Private Profile\Logging Customize\Size limit
(KB)

3.13 8163 Status of the 'Windows Firewall: Log dropped packets (Private)' setting SERIOUS

Windows 2016 Server

@The 'Windows Firewall: Private: Logging: Log dropped packets' setting is used to log when Windows Firewall with Advanced
Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries
with the word DROP in the action column of the log. If events are not recorded it may be difficult or impossible to determine
the root cause of system problems or the unauthorized activities of malicious users. It should be used according to the needs
of the business.

No (0)

Yes (1)

Key not found

Remediation : Configure the 'Log dropped packets' group policy setting as per the business needs or organization's security
policy. Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced
Security\Windows Defender Firewall with Advanced Security\Windows Defender Firewall Properties\Private Profile\Logging
Customize\Log dropped packets

3.14 8162 Status of the 'Windows Firewall: Log Successful Connections (Private)' setting CRITICAL

Windows 2016 Server


@The 'Windows Firewall: Private: Logging: Log successful connections' setting is used to log when Windows Firewall with
Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries
with the word ALLOW in the action column of the log. If events are not recorded it may be difficult or impossible to determine
the root cause of system problems or the unauthorized activities of malicious users. It should be used according to the needs
of the business.

No (0)

Yes (1)

Key not found

Remediation : Go to the following path and configure the 'Log Successful Connections' group policy setting as per the
business needs or organization's security policy Computer Configuration\Policies\Windows Settings\Security
Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall
Properties\Private Profile\Logging Customize\Log successful connections

3.15 3950 Status of the 'Windows Firewall: Firewall state (Public)' setting CRITICAL

Windows 2016 Server


@The 'Windows Firewall: Firewall state (Public)' enables the operation of Windows Firewall as specified by the settings for
this system on a 'public' or otherwise 'untrusted' network. As enabling a firewall on a Public network can significantly reduce
the number of potential network-based attack vectors, this capability should be set according to the needs of the business.

Off (0)

On (1)

Key not found

Remediation : Configure the 'Firewall state' group policy setting as per the business needs or organization's security policy.
Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows
Defender Firewall with Advanced Security\Windows Defender Firewall Properties\Public Profile\Firewall state

3.16 3932 Status of the 'Windows Firewall: Inbound connections (Public)' setting CRITICAL

Windows 2016 Server


@The 'Windows Firewall: Inbound connections (Public)' setting determines which inbound network connections are allowed
into the system via the public interface configuration. As configuring this setting can potentially block required port entry points
as well as reduce the network attack surface, it should be set according to the needs of the business.

Allow (0)

Block (1)

Key not found

Remediation : Configure the 'Inbound connections' group policy setting as per the business needs or organization's security
policy. Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced
Security\Windows Defender Firewall with Advanced Security\Windows Defender Firewall Properties\Public Profile\Inbound
connections

3.17 3965 Status of the 'Windows Firewall: Display a notification (Public)' setting CRITICAL

Windows 2016 Server


@The 'Windows Firewall: Display a notification (Public)' setting generates a user alert, showing that a block was generated by
a firewall policy due to some application/external user activity. As a policy exception added by an application may increase the
potential for a malware attack or unauthorized user entry, this capability should be configured according to the needs of the
business.

Yes (0)

No (1)

Key not found

Remediation : Go to the following path and configure the 'Display a notification' group policy setting as per the business needs
or organization's security policy. Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with
Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Settings
Customize\Display a notification

3.18 3960 Status of the 'Windows Firewall: Apply local firewall rules (Public)' setting CRITICAL

Windows 2016 Server

@The 'Windows Firewall: Apply local firewall rules (Public)' setting determines whether local rules for the 'Public' profile will be
applied. As local [host] firewall rules can conflict with domain settings that enforce more stringent security rules, this setting
should be configured according to the needs of the business.

No (0)

Yes (1)

Key not found

Remediation : Configure the 'Apply local firewall rules' group policy setting as per the business needs or organization's
security policy. Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced
Security\Windows Defender Firewall with Advanced Security\Windows Defender Firewall Properties\Public Profile\Settings
Customize\Rule merging\Apply local firewall rules

3.19 3966 Status of the 'Windows Firewall: Apply local connection security rules (Public)' setting CRITICAL

Windows 2016 Server

@The 'Windows Firewall: Apply local connection security rules (Public)' setting enables or disables the ability to create and
apply local connection security rules. As this grants or restricts the ability of users with administrative privileges to create and
apply local connection security rules, it should be configured according to the needs of the business.

No (0)

Yes (1)

Not configured

Remediation : Configure the 'Apply local connection security rules' group policy setting as per the business needs or
organization's security policy. Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with
Advanced Security\Windows Defender Firewall with Advanced Security\Windows Defender Firewall Properties\Public
Profile\Settings Customize\Rule merging\Apply local connection security rules

3.20 8166 Status of the 'Windows Firewall: Log file path and name (Public)' setting SERIOUS

Windows 2016 Server


@The 'Windows Firewall: Public: Logging: Name' setting is used to specify the path and name of the file in which Windows
Firewall will write its log information. If events are not recorded it may be difficult or impossible to determine the root cause of
system problems or the unauthorized activities of malicious users. It should be used according to the needs of the business.

matches regular expression list
\%SystemRoot\%\\System32\\logfiles\\firewall\\publicfw\.log

Key not found

Remediation : Go to the following path and configure the 'Name' group policy setting as per the business needs or
organization's security policy. Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with
Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Logging
Customize\Name

3.21 8168 Status of the 'Windows Firewall: Log File Size (Public)' setting SERIOUS

Windows 2016 Server


@The 'Windows Firewall: Public: Logging: Size limit (KB)' setting is used to specify the size limit of the file in which Windows
Firewall will write its log information. If events are not recorded it may be difficult or impossible to determine the root cause of
system problems or the unauthorized activities of malicious users. It should be used according to the needs of the business.

greater than or equal to 16384

Key not found

Remediation : Configure the 'Size limit (KB)' group policy setting as per the business needs or organization's security policy.
Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows
Defender Firewall with Advanced Security\Windows Defender Firewall Properties\Public Profile\Logging Customize\Size limit
(KB)

3.22 8165 Status of the 'Windows Firewall: Log dropped packets (Public)' setting SERIOUS

Windows 2016 Server


@The 'Windows Firewall: Public: Logging: Log dropped packets' setting is used to log when Windows Firewall with Advanced
Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries
with the word DROP in the action column of the log. If events are not recorded it may be difficult or impossible to determine
the root cause of system problems or the unauthorized activities of malicious users. It should be used according to the needs
of the business.

No (0)

Yes (1)

Key not found


Remediation : Configure the 'Log dropped packets' group policy setting as per the business needs or organization's security
policy. Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced
Security\Windows Defender Firewall with Advanced Security\Windows Defender Firewall Properties\Public Profile\Logging
Customize\Log dropped packets

3.23 8167 Status of the 'Windows Firewall: Log Successful Connections (Public)' setting SERIOUS

Windows 2016 Server


@The 'Windows Firewall: Public: Logging: Log successful connections' setting is used to log when Windows Firewall with
Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries
with the word ALLOW in the action column of the log. If events are not recorded it may be difficult or impossible to determine
the root cause of system problems or the unauthorized activities of malicious users. It should be used according to the needs
of the business.

No (0)

Yes (1)

Key not found

Remediation : Configure the 'Log Successful Connections' group policy setting as per the business needs or organization's
security policy. Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced
Security\Windows Defender Firewall with Advanced Security\Windows Defender Firewall Properties\Public Profile\Logging
Customize\Log successful connections
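As an added example (not part of this Qualys policy or the CIS benchmark), the following PowerShell reads the effective Domain, Private and Public firewall profiles with Get-NetFirewallProfile and reports every profile setting that departs from what the Section 3 controls check: firewall state On, inbound connections Block, no notification, the per-profile log file names, a log size of at least 16384 KB, dropped and successful connections logged, and for the Public profile no merging of local firewall or connection security rules. The expected values are assumptions taken from the benchmark this policy is based on; adjust them to the organization's security policy.

```powershell
# Added example: audit the Windows Defender Firewall profiles of a Windows Server 2016 member
# server against the values the Section 3 controls expect. Run from an elevated PowerShell
# session; Get-NetFirewallProfile is part of the built-in NetSecurity module.
# The expected values below are assumptions taken from the CIS benchmark; change them to match policy.

# Per-profile log file names, matching the regular expressions used by controls 3.4, 3.11 and 3.20.
$logFileExpected = @{
    Domain  = '%SystemRoot%\System32\logfiles\firewall\domainfw.log'
    Private = '%SystemRoot%\System32\logfiles\firewall\privatefw.log'
    Public  = '%SystemRoot%\System32\logfiles\firewall\publicfw.log'
}

function Test-FirewallProfileCompliance {
    [CmdletBinding()]
    param(
        # Minimum log size in KB; the controls use 'greater than or equal to 16384'.
        [int]$MinLogSizeKB = 16384
    )

    # ActiveStore returns the effective settings, i.e. local settings merged with Group Policy.
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        $checks = [ordered]@{
            'Firewall state = On'               = @{ Actual = $p.Enabled;              Ok = ($p.Enabled -eq 'True') }
            'Inbound connections = Block'       = @{ Actual = $p.DefaultInboundAction; Ok = ($p.DefaultInboundAction -eq 'Block') }
            'Display a notification = No'       = @{ Actual = $p.NotifyOnListen;       Ok = ($p.NotifyOnListen -eq 'False') }
            'Log file path and name'            = @{ Actual = $p.LogFileName;          Ok = ($p.LogFileName -ieq $logFileExpected[$p.Name]) }
            "Log file size >= $MinLogSizeKB KB" = @{ Actual = $p.LogMaxSizeKilobytes;  Ok = ($p.LogMaxSizeKilobytes -ge $MinLogSizeKB) }
            'Log dropped packets = Yes'         = @{ Actual = $p.LogBlocked;           Ok = ($p.LogBlocked -eq 'True') }
            'Log successful connections = Yes'  = @{ Actual = $p.LogAllowed;           Ok = ($p.LogAllowed -eq 'True') }
        }
        if ($p.Name -eq 'Public') {
            # Controls 3.18 and 3.19 apply to the Public profile only.
            $checks['Apply local firewall rules = No'] =
                @{ Actual = $p.AllowLocalFirewallRules; Ok = ($p.AllowLocalFirewallRules -eq 'False') }
            $checks['Apply local connection security rules = No'] =
                @{ Actual = $p.AllowLocalIPsecRules; Ok = ($p.AllowLocalIPsecRules -eq 'False') }
        }

        foreach ($name in $checks.Keys) {
            [pscustomobject]@{
                Profile   = $p.Name
                Check     = $name
                Actual    = $checks[$name].Actual
                Compliant = [bool]$checks[$name].Ok
            }
        }
    }
}

# Report only the deviations; an empty result means every profile matches the expected values.
Test-FirewallProfileCompliance | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

A value of NotConfigured for a GPO-backed property is reported as non-compliant, which is the same outcome the policy's 'Key not found' state represents.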

Section 4: Advanced Audit Policy Configuration


4.1 4517 Status of the audit setting 'Credential Validation' (advanced audit setting) CRITICAL

Windows 2016 Server

@The 'Credential Validation' security policy setting tracks local and domain accounts credential submission activities during
logon requests. Examples of these activities include validations and failures of credentials and confirmed and failed mappings
for logon requests. Depending on the type and size of a given company, the use of audit logs may be required to meet
regulatory requirements. As with all critical systems and devices, audit logs should be enabled, monitored and managed in
accordance with the requirements and expectations of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following Group Policy setting as appropriate to the business needs and organization's security
policies: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
Policies\Account Logon\Audit Credential Validation

4.2 4511 Status of the audit setting 'Application Group Management' (advanced audit setting) CRITICAL

Windows 2016 Server


@The 'Application Group Management' security policy setting tracks application group management activities. Examples of
these activities are creating, changing, and deleting basic application groups, and adding members and non-members to
application groups. Depending on the type and size of a given company, the use of audit logs may be required to meet
regulatory requirements. As with all critical systems and devices, audit logs should be enabled, monitored and managed in
accordance with the requirements and expectations of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following Group Policy setting as appropriate to the business needs and organization's security
policies: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
Policies\Account Management\Audit Application Group Management

4.3 4509 Status of the audit setting 'Security Group Management' (advanced audit setting) CRITICAL

Windows 2016 Server


@The 'Security Group Management' security policy setting tracks security group management activities. Some of these
activities include creation, modification, deletion, and type changes of the security group. Depending on the type and size of a
given company, the use of audit logs may be required to meet regulatory requirements. As with all critical systems and
devices, audit logs should be enabled, monitored and managed in accordance with the requirements and expectations of the
business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following Group Policy setting as appropriate to the business needs and organization's security
policies: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
Policies\Account Management\Audit Security Group Management

4.4 4507 Status of the audit setting 'Account Management: User Account Management' (advanced audit setting) CRITICAL

Windows 2016 Server


@The 'User Account Management' audit policy setting tracks user account management activities. Some of these activities
include creating, modifying, and deleting user accounts, password creation or modifications, and backup or restoration of
Credential Manager credentials. Depending on the type and size of a given company, the use of audit logs may be required to
meet regulatory requirements. As with all critical systems and devices, audit logs should be enabled, monitored and managed
in accordance with the requirements and expectations of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following group policy setting 'User Account Management' in accordance with business needs
and organization's security policies. To configure the setting, open the Group Policy editor at: Computer
Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account
Management\Audit User Account Management

4.5 10151 Status of the audit setting 'Audit PNP Activity' (advanced audit setting) SERIOUS

Windows 2016 Server

@The 'Audit PNP Activity' policy setting allows you to audit when Plug and Play detects an external device. It allows auditing of
the events generated when a device is plugged into a system. This can help alert IT staff if unapproved devices are plugged in,
and it should be configured according to the business needs.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following Group Policy setting as appropriate to the business needs and organization's security
policies: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
Policies\Detailed Tracking\Audit PNP Activity

4.6 4497 Status of the audit setting 'Process Creation' (advanced audit setting) SERIOUS

Windows 2016 Server

@The 'Process Creation' audit policy setting tracks events triggered by process creation (start) and the name of the user or
application responsible. Some of these events are recorded when a new process is started or when a token is assigned to a
new process. Depending on the type and size of a given company, the use of audit logs may be required to meet regulatory
requirements. As with all critical systems and devices, audit logs should be enabled, monitored and managed in accordance
with the requirements and expectations of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following group policy setting 'Process Creation' in accordance with business needs and
organization's security policies. To configure the setting go to Group policy editor :- Computer Configuration\Policies\Windows
Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Detailed Tracking\Audit Process Creation

4.7 4477 Status of the audit setting 'Account Lockout' (advanced audit setting) CRITICAL

Windows 2016 Server


@The 'Account Lockout' security policy setting tracks logon failures on locked-out accounts. This type of forensic event
information may be useful in detecting or identifying malicious users attempting to crack user account passwords. Repeated
failed logon activity on a known account that is disabled could be an indicator that the site is under brute force or other
password attack. In addition, dependent upon regulatory requirements the organization may be subject to, these policy
settings could be required for compliance. As with all critical systems and devices, audit settings and logs should be enabled,
monitored, and managed according to the needs of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile


Remediation : Configure the following group policy setting 'Account Lockout' in accordance with business needs and
organization's security policies. To configure the setting go to Group policy editor :- Computer Configuration\Policies\Windows
Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Account Lockout

4.8 10152 Status of the audit setting 'Audit Group Membership' (advanced audit setting) SERIOUS

Windows 2016 Server

@The 'Audit Group Membership' policy setting allows you to audit the group membership information in the user's logon
token. Events in this subcategory are generated on the computer on which a logon session is created. If this setting is not
configured, or if audit settings are too lax on the computers in the organization, security incidents might not be detected, or not
enough evidence will be available for network forensic analysis after security incidents occur. This setting should be configured
according to the business needs.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : To establish the recommended configuration via GP, set the following UI path to Success: Computer
Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
Policies\Logon/Logoff\Audit Group Membership

4.9 4476 Status of the audit setting 'Logoff' (advanced audit setting) CRITICAL

Windows 2016 Server


@The 'Logoff' security policy setting tracks logoff events. This security policy setting tracks user and account logoff activity.
This type of forensic event information may be useful in detecting or identifying malicious users attempting to subvert system
security or cause damage to critical systems/data. In addition, dependent upon regulatory requirements the organization may
be subject to, these policy settings could be required for compliance. As with all critical systems and devices, audit settings
and logs should be enabled, monitored, and managed according to the needs of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following group policy setting 'Logoff' in accordance with business needs and organization's
security policies. To configure the setting go to Group policy editor :- Computer Configuration\Policies\Windows
Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Logoff

4.10 4475 Status of the audit setting 'Logon' (advanced audit setting) CRITICAL

Windows 2016 Server

@The 'Logon' security policy setting tracks logon attempts. This security policy setting tracks user logon activity (successful
and failed) and Security Identifiers (SIDs). This type of forensic event information may be useful in detecting or identifying
malicious users attempting to subvert system security or cause damage to critical systems/data. In addition, dependent upon
regulatory requirements the organization may be subject to, these policy settings could be required for compliance. As with all
critical systems and devices, audit settings and logs should be enabled, monitored, and managed according to the needs of
the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following group policy setting 'Logon' in accordance with business needs and organization's
security policies. To configure the setting go to Group policy editor :- Computer Configuration\Policies\Windows
Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Logon

4.11 4482 Status of the audit setting 'Other Logon/Logoff Events' (advanced audit setting) SERIOUS

Windows 2016 Server


@The 'Other Logon/Logoff Events' security policy setting tracks additional logon/logoff events such as wired or wireless
authentications, screen saver invocations or dismissals, and remote desktop session re-connections and disconnections.
Depending upon regulatory requirements, these audit policy settings may be required. As with all critical systems and devices,
audit settings and logs should be enabled, monitored, and managed according to the needs of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following group policy setting 'Other Logon/Logoff Events' in accordance with business needs and
organization's security policies. To configure the setting go to Group policy editor :- Computer Configuration\Policies\Windows
Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Other Logon/Logoff Events

4.12 4481 Status of the audit setting 'Special Logon' (advanced audit setting) CRITICAL

Windows 2016 Server

@The 'Special Logon' security policy setting tracks logons by users who belong to the 'Special Logon' group. The 'Special
Logon' group members have Administrator-level privileges and can escalate the rights of other objects. Depending upon
regulatory requirements, these audit policy settings may be required. As with all critical systems and devices, audit settings and
logs should be enabled, monitored, and managed according to the needs of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following group policy setting 'Special Logon' in accordance with business needs and
organization's security policies. To configure the setting go to Group policy editor :- Computer Configuration\Policies\Windows
Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff\Audit Special Logon

4.13 4520 Status of the audit setting 'Detailed File Share' (advanced audit setting) CRITICAL

Windows 2016 Server

@The 'Detailed File Share' security policy setting tracks access attempts on a shared folder for files or folders. Criteria about
permissions used to access the share are included. Depending on the type and size of a given company, the use of audit logs
may be required to meet regulatory requirements. As with all critical systems and devices, audit logs should be enabled,
monitored and managed in accordance with the requirements and expectations of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following Group Policy setting as appropriate to the business needs and organization's security
policies: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
Policies\Object Access\Audit Detailed File Share

4.14 4490 Status of the audit setting 'File Share' (advanced audit setting) CRITICAL

Windows 2016 Server


@The 'File Share' audit policy setting tracks events regarding file shares. Some events that can be audited are network share
accessed, modified, added, and deleted. Depending on the type and size of a given company, the use of audit logs may be
required to meet regulatory requirements. As with all critical systems and devices, audit logs should be enabled, monitored
and managed in accordance with the requirements and expectations of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following group policy setting 'File Share' in accordance with business needs and organization's
security policies. To configure the setting go to Group policy editor :- Computer Configuration\Policies\Windows
Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit File Share

4.15 4493 Status of the audit setting 'Other Object Access Events' (advanced audit setting) CRITICAL

Windows 2016 Server


@The 'Other Object Access Events' audit policy setting tracks events of COM+ objects and Task Scheduler jobs. Task
Scheduler events include jobs created, enabled, updated, disabled, and deleted; COM+ object events are adds, deletes, and
updates. Depending on the type and size of a given company, the use of audit logs may be required to meet regulatory
requirements. As with all critical systems and devices, audit logs should be enabled, monitored and managed in accordance
with the requirements and expectations of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile


Remediation : Configure the following group policy setting 'Other Object Access Events' in accordance with business needs
and organization's security policies. To configure the setting go to Group policy editor :- Computer
Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object
Access\Audit Other Object Access Events

4.16 8255 Status of the audit setting 'Removable Storage' (advanced audit setting) CRITICAL

Windows 2016 Server

@The 'Audit Policy: Object Access: Removable Storage' setting allows auditing for user attempts to access file system objects
on a removable storage device. It is important to track which users have attempted to access removable storage with other
related information for non-repudiation. Depending on the type and size of a given company, the use of audit logs may be
required to meet regulatory requirements. As audit logs help in the investigation of security incidents, they should be enabled,
monitored and managed in accordance with the requirements and expectations of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following Group Policy setting as appropriate to the business needs and organization's security
policies: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit
Policies\Object Access\Audit Removable Storage

4.17 4501 Status of the audit setting 'Audit Policy Change' (advanced audit setting) CRITICAL

Windows 2016 Server


@The 'Audit Policy Change' audit policy setting tracks changes to the System Audit Policy and several object and user audit
settings. Some of the objects that can be audited are audit settings on policy objects, user, SACL, file, and registry key
settings. Special Group list objects can also be audited. Depending on the type and size of a given company, the use of audit
logs may be required to meet regulatory requirements. As with all critical systems and devices, audit logs should be enabled,
monitored and managed in accordance with the requirements and expectations of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following group policy setting 'Audit Policy Change' in accordance with business needs and
organization's security policies. To configure the setting go to Group policy editor :- Computer Configuration\Policies\Windows
Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change

4.18 4502 Status of the audit setting 'Authentication Policy Change' (advanced audit setting) CRITICAL

Windows 2016 Server


@The 'Authentication Policy Change' audit policy setting tracks events generated by changes to authentication policies. Some
of these changes include granting access to a computer from a network, grants for service logons, authentications for batch
job logons, and local and remote access grants. Depending on the type and size of a given company, the use of audit logs
may be required to meet regulatory requirements. As with all critical systems and devices, audit logs should be enabled,
monitored and managed in accordance with the requirements and expectations of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following group policy setting 'Authentication Policy Change' in accordance with business needs
and organization's security policies. To configure the setting go to Group policy editor :- Computer
Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy
Change\Audit Authentication Policy Change

4.19 4503 Status of the audit setting 'Authorization Policy Change' (advanced audit setting) CRITICAL

Windows 2016 Server


@The 'Authorization Policy Change' audit policy setting tracks changes to authorization policies. Examples of these changes
are newly created trusts to a domain, removal of trusts to a domain, user rights either assigned or removed, and any changes
to data recovery policies (encrypted). Depending on the type and size of a given company, the use of audit logs may be
required to meet regulatory requirements. As with all critical systems and devices, audit logs should be enabled, monitored
and managed in accordance with the requirements and expectations of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following group policy setting 'Authorization Policy Change' in accordance with business needs
and organization's security policies. To configure the setting go to Group policy editor :- Computer
Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy
Change\Audit Authorization Policy Change

4.20 4504 Status of the audit setting 'MPSSVC Rule-Level Policy Change' (advanced audit setting) CRITICAL

Windows 2016 Server


@The 'MPSSVC Rule-Level Policy Change' security policy setting tracks changes to Microsoft Protection Service (MPSSVC)
policy rules. These changes can be to Windows Firewall rules, settings, version number issues, and Group Policy settings.
Depending on the type and size of a given company, the use of security policy settings may be required to meet regulatory
requirements. As with all critical systems and devices, security policy settings should be enabled, monitored and managed in
accordance with the requirements and expectations of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following group policy setting 'MPSSVC Rule-Level Policy Change' in accordance with business
needs and organization's security policies. To configure the setting go to Group policy editor :- Computer
Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy
Change\Audit MPSSVC Rule-Level Policy Change

4.21 4506 Status of the audit setting 'Other Policy Change Events' (advanced audit setting) CRITICAL

Windows 2016 Server

@The 'Other Policy Change Events' audit policy setting tracks changes in security policy not examined by the Policy Change
feature. These changes include Cryptographic provider and context operations or modifications, cryptographic kernel-mode
self tests, and all trusted platform module configuration changes. Depending on the type and size of a given company, the use
of audit logs may be required to meet regulatory requirements. As with all critical systems and devices, audit logs should be
enabled, monitored and managed in accordance with the requirements and expectations of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Go to the following path and configure the 'Other Policy Change Events' setting as per the business needs or
organization's security policies. Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy
Configuration\Audit Policies\Policy Change\Audit Other Policy Change Events

4.22 4494 Status of the audit setting 'Sensitive Privilege Use' (advanced audit setting) CRITICAL

Windows 2016 Server


@The 'Sensitive Privilege Use' audit policy setting tracks events where sensitive privileges are used. Examples of some of
these sensitive privileges are managing audit and security logs, modifying firmware, generation of security audits, and acting
as part of the operating system. Depending on the type and size of a given company, the use of audit logs may be required to
meet regulatory requirements. As with all critical systems and devices, audit logs should be enabled, monitored and managed
in accordance with the requirements and expectations of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following group policy setting 'Sensitive Privilege Use' in accordance with business needs and
organization's security policies. To configure the setting go to Group policy editor :- Computer Configuration\Policies\Windows
Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Privilege Use\Audit Sensitive Privilege Use

4.23 4473 Status of the audit setting 'IPsec Driver' (advanced audit setting) CRITICAL

Windows 2016 Server

@The 'IPsec Driver' security policy setting tracks the activities and events of the IPsec driver. These events include drops
(failed integrity or replay checks), notifications (cleartext, startup, shut down), and failures in loading IPsec filters, failed
initializations or incomplete network interfaces. Depending upon regulatory requirements, these security policy settings may
be required. As with all critical systems and devices, any security policy setting should be enabled, monitored, and managed
according to the needs of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)


Dissolvable Agent is disabled in scan profile

Remediation : Configure the following group policy setting 'IPsec Driver' in accordance with business needs and organization's
security policies. To configure the setting go to Group policy editor :- Computer Configuration\Policies\Windows
Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit IPsec Driver

4.24 4474 Status of the audit setting 'Other System Events' (advanced audit setting) CRITICAL

Windows 2016 Server


@The 'Other System Events' security policy setting tracks Windows Firewall service, driver, security policy, BranchCache, and
cryptography notifications and events. Examples of these events would be Firewall service and driver startup, shutdown, and
failed initializations or failed user notifications, driver runtime errors, and various BranchCache errors. Depending upon
regulatory requirements, these security policy settings may be required. As with all critical systems and devices, security policy
settings and logs should be enabled, monitored, and managed according to the needs of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following group policy setting 'Other System Events' in accordance with business needs and
organization's security policies. To configure the setting go to Group policy editor :- Computer Configuration\Policies\Windows
Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Other System Events

4.25 4470 Status of the audit setting 'Security State Change' (advanced audit setting) CRITICAL

Windows 2016 Server


@The 'Security State Change' audit policy setting tracks changes in system security states. This setting can be configured to
audit system start, shut down, changes to time, and Administrator recovery from CrashOnAuditFail events. Depending upon
regulatory requirements, these audit policy settings may be required. As with all critical systems and devices, audit settings
and audit logs should be enabled, monitored, and managed according to the needs of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : To establish the recommended configuration via GP, in accordance with business needs and organization's
security policies configure the following : Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit
Policy Configuration\Audit Policies\System\Audit Security State Change

4.26 4471 Status of the audit setting 'Security System Extension' (advanced audit setting) CRITICAL

Windows 2016 Server


@The 'Security System Extension' audit policy setting tracks critical system events generated by installing new security
extension code(s) and/or installing new services. This audit policy can track when a Local Security Authority has started a
trusted logon process, loaded a security or authentication package. This audit policy can also track when a new service is
installed on the system. Depending upon regulatory requirements, these audit policy settings may be required. As with all
critical systems and devices, audit settings and logs should be enabled, monitored, and managed according to the needs of
the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following group policy setting 'Security System Extension' in accordance with business needs and
organization's security policies. To configure the setting go to Group policy editor :- Computer Configuration\Policies\Windows
Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit Security System Extension

4.27 4472 Status of the audit setting 'System Integrity' (advanced audit setting) CRITICAL

Windows 2016 Server


@The 'System Integrity' audit policy setting reports on the integrity of the security system, including potential disk device
errors, verification failures, etc. As enabling this audit facility has the potential to fill up a large amount of log space and cause
a self-inflicted denial-of-service condition, it should be used according to the needs of the business.

No Auditing (0)

Success (1)

Subcategory not found

Failure (2)

Success and Failure (3)

Dissolvable Agent is disabled in scan profile

Remediation : Configure the following group policy setting 'System Integrity' in accordance with business needs and
organization's security policies. To configure the setting go to Group policy editor :- Computer Configuration\Policies\Windows
Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\System\Audit System Integrity

Section 5:Administrative Templates (Computer)


5.1 9003 Status of the 'Lock screen camera' setting CRITICAL

Windows 2016 Server


@The 'Lock screen camera' setting specifies whether the Camera feature should be available on the lock screen. If the setting
is not specified, malicious users can gain access to the camera and may be able to compromise the system. This setting
should be restricted according to the needs of the business.

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\Control Panel\Personalization\Prevent enabling lock screen camera

5.2 9004 Status of the 'Lock screen slide show' setting CRITICAL

Windows 2016 Server

@The 'Lock screen slide show' setting specifies whether a slide show can be played on the lock screen. If the setting is not
specified, malicious users can gain access to the slide show content and compromise the system. This setting should be
restricted according to the needs of the business.

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\Control Panel\Personalization\Prevent enabling lock screen slide show

5.3 10098 Status of the 'Allow Input Personalization' setting SERIOUS

Windows 2016 Server

@The policy 'Allow Input Personalization' setting enables the automatic learning component of input personalization that
includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing
history, contacts, and recent calendar information. If this setting is not configured, information may be stored in the cloud or
sent to Microsoft. This setting should be set according to the business needs.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\Control Panel\Regional and Language Options\Allow Input Personalization

5.4 10012 Status of the 'LAPS AdmPwd GPO Extension / CSE is installed' setting CRITICAL

Windows 2016 Server

@The policy 'Local Administrator Password Solution (LAPS)' setting allows an organization to automatically set randomized
and unique local Administrator account passwords on domain-attached workstations and member servers. The passwords are
stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved
Sysadmins when needed. In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy
Client Side Extension (CSE) must be installed on each managed computer. This setting should be configured according to the
business needs.

matches regular expression list


C\:\\Program Files\\LAPS\\CSE\\AdmPwd.dll

Not Installed

Remediation : In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side
Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present
in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you):
C:\Program Files\LAPS\CSE\AdmPwd.dll

5.5 10015 Status of the 'Do not allow password expiration time longer than required by policy' setting CRITICAL

Windows 2016 Server


@The policy 'Local Administrator Password Solution (LAPS)' setting allows an organization to automatically set randomized
and unique local Administrator account passwords on domain-attached workstations and member servers. The passwords are
stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved
Sysadmins when needed. By enabling this setting, planned password expiration longer than password age dictated by
"Password Settings" policy is NOT allowed. This setting should be configured according to the business needs.

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\LAPS\Do not allow password expiration time longer than required by policy
NOTE: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is
required - it is included with Microsoft Local Administrator Password Solution (LAPS).

5.6 10008 Status of the 'Local Admin Password Management' setting CRITICAL

Windows 2016 Server

@The policy 'Local Administrator Password Solution (LAPS)' setting allows an organization to automatically set randomized
and unique local Administrator account passwords on domain-attached workstations and member servers. The passwords are
stored in a confidential attribute of the domain computer account and can be retrieved from Active Directory by approved
Sysadmins when needed. This setting should be configured according to the business needs.

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\LAPS\Enable Local Admin Password Management NOTE: This Group Policy
path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with
Microsoft Local Administrator Password Solution (LAPS).

5.7 10009 Status of the 'Password Complexity' Local Administrator Password Solution (LAPS) CRITICAL

Windows 2016 Server


@The 'Password Complexity' policy setting provides for system-wide password complexity requirements. This makes the
selection of mixed-case, numerical, and 'punctuation' symbols mandatory during password creation, which exponentially
increases the size of the 'symbol set' that must be addressed when conducting a brute-force attack. Password complexity
provides one of the best first lines of defense against unauthorized access; this value should be set according to the needs of
the business.

Large Letters (1)

Large Letters + Small Letters (2)

Large Letters + Small Letters + Numbers (3)

Not Configured

Large Letters + Small Letters + Numbers + Specials (4)

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the
Password Complexity option to Large letters + small letters + numbers + special characters: Computer
Configuration\Policies\Administrative Templates\LAPS\Password Settings NOTE: This Group Policy path does not exist by
default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local
Administrator Password Solution (LAPS).

5.8 10010 Status of the 'Password Length' Local Administrator Password Solution (LAPS) CRITICAL

Windows 2016 Server


@The 'Password Length' policy setting determines the minimum number of characters that should be used to make up a
password for a user account. Each character that is added to the password length squares the difficulty of breaking the
password via brute force, which tries every combination possible within the password symbol-set space in order to discover
a user's password. To provide adequate defense against dictionary or brute-force attacks against the passwords, the
minimum length of a password should be long enough to provide adequate security and still short enough for users to easily
remember. This value should be configured as appropriate to the needs of the business.

greater than or equal to


15

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the
Password Length option to 15 or more: Computer Configuration\Policies\Administrative Templates\LAPS\Password Settings
NOTE: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is
required - it is included with Microsoft Local Administrator Password Solution (LAPS).

5.9 10011 Status of the 'Password Age' Local Administrator Password Solution (LAPS) CRITICAL

Windows 2016 Server

@One characteristic that makes user identification via password a secure and workable solution is a password expiration
requirement. Each time a new password is created to replace one that has been in place for a given period of time, the difficulty
of breaking that password via brute force is reset to its maximum level; it also helps ensure that a compromised account whose
password has expired is effectively closed. While no 'secure maximum' for the lifetime of a password has been agreed upon,
30 days is considered to be the maximum allowed for most enterprise environments. However, this tactic must be used along
with other password security factors, such as increasing the complexity of the password set-space by requiring mixed case
and/or special characters, to further increase the difficulty of breaking any password by brute-force attacks.

less than or equal to


30

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the
Password Age (Days) option to 30 or fewer: Computer Configuration\Policies\Administrative Templates\LAPS\Password
Settings NOTE: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is
required - it is included with Microsoft Local Administrator Password Solution (LAPS).

5.10 9024 Status of the 'Apply UAC restrictions to local accounts on network logons' settings CRITICAL

Windows 2016 Server


@This setting specifies whether local accounts may be used for remote administration via network logon, such as NET USE,
connecting to C$, etc. Local accounts are at high risk of credential theft when the same account and password are configured
on multiple systems. This setting should be restricted according to the needs of the business.

Enabled (0)

Disabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\SCM: Pass the Hash Mitigations\Apply UAC restrictions to local accounts on
network logons NOTE: This Group Policy path does not exist by default. An additional Group Policy template (PtH.admx/adml)
is required - it is included with Microsoft Security Compliance Manager (SCM).

5.11 25339 Status of the 'Configure RPC packet level privacy setting for incoming connections' setting URGENT

Windows 2016 Server

@This policy setting controls whether packet-level privacy is enabled for RPC for incoming connections and handles
authentication for the remote Winspool interface. When this setting is enabled, the printer IRemoteWinspool protection level
will be increased and the Windows spooler spoofing vulnerability will no longer occur.

equal to
1
Disabled (0)

Enabled (1)

Not Configured

Remediation : #Configure the following setting as per the business requirements and the organization's security policies. To
establish the recommended configuration via GP, set the following UI path to Enabled: Computer Configuration >
Administrative Templates > MS Security Guide > Configure RPC packet level privacy setting for incoming connections

5.12 11224 Status of the 'SMB 1.x MiniRedirector (mrxsmb10)' Windows service (LanmanWorkstation CRITICAL
depend on service 'mrxsmb10')

Windows 2016 Server


@Server Message Block (SMB) is mainly used for providing shared access to files, printers, and serial ports and
miscellaneous communications between nodes on a network. The 'mrxsmb10' service is responsible for implementing the SMB v1
protocol on Windows systems to provide connectivity to network resources. SMB v1 does not encrypt traffic, has weak
authentication, and relies on firewall segmentation and clear-text passwords for access control. It is known to be exploited
frequently for remote code execution, denial of service and man-in-the-middle attacks. Use of the SMB v1 protocol should be
considered carefully and used only as appropriate to the needs of the business.

Automatic (2)

Automatic (Delayed Autostart) (21)

Manual (3)

Service not found

Disabled (4)

Remediation : #Configure the following setting as per the business needs or the organization's security policy. # To do this
configuration via Group Policy Editor, use the following UI path: Computer Configuration\Policies\Administrative Templates\MS
Security Guide\Configure SMB v1 client driver

5.13 11281 Status of the 'SMB v1' protocol for LanManServer services on Windows CRITICAL

Windows 2016 Server


@Server Message Block (SMB) is mainly used for providing shared access to files, printers, and serial ports and
miscellaneous communications between nodes on a network. 'mrxsmb10' service implements the SMB v1 protocol on
Windows systems. SMB does not encrypt traffic, has weak authentication, and relies on firewall segmenting and clear-text
passwords for access control. It is known to be exploited frequently for remote code execution, denial of service and man-in-
the-middle attacks. Use of SMB protocol should be considered carefully and used as appropriate to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : Go to the following registry path and enable or disable the SMBv1 protocol for the LanManServer service as per
the business needs or organization's security policy:
HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\SMB1

5.14 25951 Status of the 'EnableCertPaddingCheck' setting SERIOUS

Windows 2016 Server


@This setting controls whether Windows performs a padding check when verifying the digital signature of a PE (Portable
Executable) file. When an executable file is signed with a digital certificate, Windows verifies the signature to ensure that the
file hasn't been tampered with. The padding check is an additional security measure that ensures that the padding added to
the hash during encryption is consistent with the expected padding. This prevents attackers from modifying the padding in a
way that could bypass the signature verification process. Thus, configure this setting as per the business requirements or the
organization's security policy.

Enabled (1)

Setting not found

Remediation : #Configure the following setting as per the business requirements or the organization's security policy. Open the
registry editor and create the following values:
For 32-bit versions of Microsoft Windows: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config
"EnableCertPaddingCheck"="1" (Registry type: REG_SZ)
For 64-bit versions of Microsoft Windows: HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Cryptography\Wintrust\Config
"EnableCertPaddingCheck"="1" (Registry type: REG_SZ)

5.15 11052 Status of Structured Exception Handling Overwrite Protection (SEHOP) feature in Windows CRITICAL

Windows 2016 Server


@Structured Exception Handling Overwrite Protection (SEHOP) is a Windows operating system feature designed to mitigate
exploits that use the Structured Exception Handler (SEH) overwrite technique. An SEH overwrite is a type of buffer overflow
attack in which an application's exception handler function pointer is overwritten so that arbitrary code controlled by the
attacker is run. Enabling this feature improves the security profile of the system by actively protecting all applications at
run time, regardless of whether any mitigation techniques are incorporated within the applications themselves. This feature
should be configured as appropriate to the needs of the business.

Enabled (0)

Disabled (1)

Not Configured

Remediation : Configure the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path:
\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\ Value Name: DisableExceptionChainValidation Value Type:
REG_DWORD Value: 0 If the registry value 'DisableExceptionChainValidation' does not exist, then this setting is not
configured. If present, a value of '0' indicates that the SEHOP feature is enabled, and value of '1' indicates disabled.

5.16 9587 Status of 'Enable LSA Protection' setting MEDIUM

Windows 2016 Server


@LSA Protection helps prevent attackers from reading the memory of, or injecting code into, any process associated with the
Local Security Authority (LSA), which authenticates users and logs them into the local system. The LSA subsystem process is
responsible for enforcing security policies on the endpoint: it verifies whether a user can log into the endpoint, creates access
tokens for users, and writes entries to the Windows Security Log. If this setting is not configured, an attacker may be able to
clear and/or manipulate the Windows Event Logs, preventing administrators from detecting the changes. This should be configured
according to the needs of the business.

Disabled (0)

Enabled (1)

Not Configured

Remediation : Review and verify the result and ensure that the setting is configured as per the business needs or
organization's security policies.

5.17 11195 Status of the 'NetBIOS node type' setting SERIOUS

Windows 2016 Server

@In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node will
prevent the system from sending out NetBIOS broadcasts. This setting should be configured according to the needs of the
business.

b-node (1)

p-node (2)

m-node (4)

h-node (8)

Not Configured

Remediation : To establish the recommended configuration, set the following Registry value to 0x2 (2) (DWORD):
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters:NodeType

5.18 9025 Status of the 'WDigest Authentication' setting CRITICAL

Windows 2016 Server

@The 'WDigest Authentication' setting specifies whether a copy of the user's plaintext password is retained in memory. If this
setting is not specified, malicious users who gain access to the system can recover those passwords, resulting in credential
theft. This setting should be restricted according to the needs of the business.

Disabled (0)

Enabled (1)

Not Configured

Remediation : #Configure the following setting as per the business needs or the organization's security policy. Computer
Configuration\Policies\Administrative Templates\MS Security Guide\WDigest Authentication (disabling may require
KB2871997) Note: This Group Policy path does not exist by default. An additional Group Policy template
(SecGuide.admx/adml) is required - it is included with Microsoft Security Compliance Manager (SCM).

5.19 1169 Status of the 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' setting CRITICAL

Windows 2016 Server

@The automatic logon feature allows a user to be logged into the system automatically without presenting credentials at startup.
Besides the obvious risk that anyone with physical access to the system can be authenticated simply by turning it on, there is
the additional risk that the credentials for the automatically logged-on account are stored in clear text within the registry.
NOTE: A software update to the GPO editor is required to view this object.
(HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon)

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (AutoAdminLogon) Enable Automatic Logon (not
recommended) NOTE: This Group Policy path does not exist by default. An additional Group Policy template (MSS-
legacy.admx/adml) is required - it is included with Microsoft Security Compliance Manager (SCM).

5.20 4741 Status of the 'MSS: (DisableIPSourceRoutingIPv6) IP source routing protection level (protects SERIOUS
against packet spoofing)' setting

Windows 2016 Server


@The 'MSS: (DisableIPSourceRoutingIPv6) IP source routing protection level (protects against packet spoofing)' setting is
intended to provide protection against source-routing spoofing on [multi-homed] Microsoft-based systems, that have at least
two valid network interface devices enabled and connected. (All Microsoft-based systems having more than one valid
networking device enabled can be used as a router or firewall between network segments, whether this is intended or not.) As
a vulnerability exists that could allow a malicious user to circumvent routing rules by 'spoofing' the device to make it look like
malicious or invalid traffic was sent from the protected side, this should be disabled/restricted according to the needs of the
business. NOTE: To configure the system to drop all source routed packets set the value of this parameter to 2. The registry
key for MSS: (DisableIPSourceRoutingIPv6) must be created in the Windows registry tree
(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting) for this control
to work properly.

No additional protection, source routed packets are allowed (0)

Medium, source routed packets ignored when IP forwarding is enabled (1)


Highest protection, source routing is completely disabled (2)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection,
source routing is completely disabled: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS:
(DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) NOTE: This Group Policy
path does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is included with
Microsoft Security Compliance Manager (SCM).

5.21 1172 Status of the 'MSS: (DisableIPSourceRouting) IP source routing protection level (protects CRITICAL
against packet spoofing)' setting

Windows 2016 Server


@The 'DisableIPSourceRouting' setting is intended to provide protection against source-routing spoofing on [multi-homed]
Microsoft-based systems, that have at least two valid network interface devices enabled and connected. (All Microsoft-based
systems having more than one valid networking device enabled can be used as a router or firewall between network
segments, whether this is intended or not.) As a vulnerability exists that could allow a malicious user to circumvent routing
rules by 'spoofing' the device to make it look like malicious or invalid traffic was sent from the protected side, this should be
disabled/restricted according to the needs of the business. NOTE: To configure the system to drop all source routed packets
set the value of this parameter to 2. The registry key for MSS: (DisableIPSourceRouting) must be created in the Windows
registry tree (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting) for
this control to work properly.

No additional protection, source routed packets are allowed (0)

Medium, source routed packets ignored when IP forwarding is enabled (1)


Highest protection, source routing is completely disabled (2)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Highest protection,
source routing is completely disabled: Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS:
(DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) NOTE: This Group Policy path
does not exist by default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is included with
Microsoft Security Compliance Manager (SCM).

5.22 1193 Status of the 'MSS: Allow ICMP redirects to override OSPF generated routes SERIOUS
(EnableICMPRedirect)' setting

Windows 2016 Server


@The 'MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes' setting allows Windows to alter
a pre-established route for packets, using the 'shortest path first (SPF)' routing algorithm to speed up data transfer. As
enabling this feature permits alteration of the routing table and attackers can impersonate/spoof 'accepted' routes, redirecting
packets through a 'man-in-the-middle (MITM)' attack-foundation host, potentially compromising sensitive information, this SPF
capability should be set as appropriate to the needs of the business. NOTE: A software update to the GPO editor is required to
view this object. Registry Key/value path-
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect.

Disabled (0)

Enabled (1)

RegSubKey not found

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (EnableICMPRedirect) Allow ICMP redirects to override
OSPF generated routes NOTE: This Group Policy path does not exist by default. An additional Group Policy template (MSS-
legacy.admx/adml) is required - it is included with Microsoft Security Compliance Manager (SCM).

5.23 1195 Status of the 'MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS SERIOUS
name release requests except from the 'WINS servers' setting

Windows 2016 Server

@This 'NetBIOS Name-Release' setting determines whether or not a system releases its NetBIOS name after getting a name-
release request. As this blocking capability was added to help administrators protect against 'name-release' attacks that can
facilitate unauthorized access to systems and files, this capability should be set as appropriate to the needs of the business.
Note: The registry key for MSS: (NoNameReleaseOnDemand) must be created in the Windows registry tree
(MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand) for this control to work
properly.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (NoNameReleaseOnDemand) Allow the computer to
ignore NetBIOS name release requests except from WINS servers NOTE: This Group Policy path does not exist by default. An
additional Group Policy template (MSS-legacy.admx/adml) is required - it is included with Microsoft Security Compliance
Manager (SCM).

5.24 1458 Status of the 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' SERIOUS
setting

Windows 2016 Server

@The 'Enable Safe DLL Search Mode' setting as defined within the 'HKLM\System\CurrentControlSet\Control\Session
Manager\SafeDllSearchMode' registry key, determines whether or not [dll] code that a user loads will run from the system
directory first or the current directory. As modifying the way Windows locates driver files (.dll's) by forcing the OS to check the
Windows directory first (for files installed during the OS installation/update process) instead of pulling possible malware [driver]
files from the user's home directory, can block the execution of malware-based dll's, this should be set as appropriate to the
needs of the business. Note: The registry key-value for MSS: (SafeDllSearchMode) must be created in the Windows registry
tree (MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode) for this control to work properly.

Search current directory first (Disabled) (0)

Search system directory first (Enabled) (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (SafeDllSearchMode) Enable Safe DLL search mode
(recommended) NOTE: This Group Policy path does not exist by default. An additional Group Policy template (MSS-
legacy.admx/adml) is required - it is included with Microsoft Security Compliance Manager (SCM).
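The controls from 5.13 to 5.24 above each name a registry value and the value the policy expects. The following PowerShell audit script is an added example, not part of the CIS policy export or of any vendor tool: it reads each of those values on the local host and reports PASS, FAIL or NOT CONFIGURED, where NOT CONFIGURED corresponds to the policy's "Key not found" / "Not Configured" outcome. Paths and expected values are taken from the control text; the two entries for 5.16 (LSA Protection) and 5.18 (WDigest) use registry locations the page does not state, taken from Microsoft's documentation of those settings, and are marked as such in the code.

```powershell
# Added audit example (not from the CIS policy export): checks the registry-backed
# controls 5.13 to 5.24 on the local host. Run in an elevated PowerShell session.
# Paths and expected values come from the control text above; the 5.16 and 5.18
# locations are not given on the page and are taken from Microsoft documentation.

$Controls = @(
    @{ Id='5.13'; Setting='SMB1 (LanManServer)';             Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters';   Name='SMB1';                            Expected=0 }
    @{ Id='5.14'; Setting='EnableCertPaddingCheck (32-bit)'; Path='HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config';             Name='EnableCertPaddingCheck';          Expected=1 }
    @{ Id='5.14'; Setting='EnableCertPaddingCheck (WOW64)';  Path='HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'; Name='EnableCertPaddingCheck';          Expected=1 }
    @{ Id='5.15'; Setting='SEHOP';                           Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel';     Name='DisableExceptionChainValidation'; Expected=0 }
    # 5.16 and 5.18: locations not stated on the page (Microsoft-documented RunAsPPL / UseLogonCredential).
    @{ Id='5.16'; Setting='LSA Protection (RunAsPPL)';       Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name='RunAsPPL';                        Expected=1 }
    @{ Id='5.17'; Setting='NetBIOS NodeType (P-node)';       Path='HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters';          Name='NodeType';                        Expected=2 }
    @{ Id='5.18'; Setting='WDigest UseLogonCredential';      Path='HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';  Name='UseLogonCredential';              Expected=0 }
    @{ Id='5.19'; Setting='AutoAdminLogon';                  Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name='AutoAdminLogon';                  Expected=0 }
    @{ Id='5.20'; Setting='DisableIPSourceRouting (IPv6)';   Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters';         Name='DisableIPSourceRouting';          Expected=2 }
    @{ Id='5.21'; Setting='DisableIPSourceRouting (IPv4)';   Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';          Name='DisableIPSourceRouting';          Expected=2 }
    @{ Id='5.22'; Setting='EnableICMPRedirect';              Path='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';          Name='EnableICMPRedirect';              Expected=0 }
    @{ Id='5.23'; Setting='NoNameReleaseOnDemand';           Path='HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters';          Name='NoNameReleaseOnDemand';           Expected=1 }
    @{ Id='5.24'; Setting='SafeDllSearchMode';               Path='HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';            Name='SafeDllSearchMode';               Expected=1 }
)

function Get-RegistryValue {
    # Returns the raw value, or $null when either the key or the value does not exist.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RegistryControl {
    # Compares one control's actual value with its expected value.
    param([hashtable]$Control)
    $actual = Get-RegistryValue -Path $Control.Path -Name $Control.Name
    if ($null -eq $actual) {
        # Absent key or value: the policy reports this as "Key not found" / "Not Configured".
        $status = 'NOT CONFIGURED'
    } else {
        # REG_SZ values such as "1" (EnableCertPaddingCheck) or "0" (AutoAdminLogon) are
        # compared numerically; a non-numeric string is treated as a failure.
        $asInt = 0
        if ([int]::TryParse([string]$actual, [ref]$asInt) -and $asInt -eq $Control.Expected) {
            $status = 'PASS'
        } else {
            $status = 'FAIL'
        }
    }
    [pscustomobject]@{
        Control  = $Control.Id
        Setting  = $Control.Setting
        Actual   = $actual
        Expected = $Control.Expected
        Status   = $status
    }
}

$Results = $Controls | ForEach-Object { Test-RegistryControl -Control $_ }
$Results | Format-Table -AutoSize
```

The script only reads the registry, so it is safe to run on a production member server; reported FAIL or NOT CONFIGURED rows map directly to the remediation text of the corresponding control above. For 5.13, an absent SMB1 value is reported as NOT CONFIGURED rather than FAIL because the policy lists "Key not found" as its own outcome.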

5.25 1196 Status of the 'MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver CRITICAL
grace period expires' setting

Windows 2016 Server

@The 'Screen saver grace period' setting determines how long is permitted between the start of the screen saver program
and requirement of a password to unlock the system. As permitting any grace period may allow a malicious user to gain
control of the system while it is unattended and unlocked, this value should be set as appropriate to the needs of the business.
(ScreenSaverGracePeriod)

less than or equal to


5

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: 5 or fewer seconds:
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (ScreenSaverGracePeriod) The time in
seconds before the screen saver grace period expires (0 recommended) NOTE: This Group Policy path does not exist by
default. An additional Group Policy template (MSS-legacy.admx/adml) is required - it is included with Microsoft Security
Compliance Manager (SCM).

5.26 1463 Status of the 'MSS: (WarningLevel) Percentage threshold for the security event log at which SERIOUS
the system will generate a warning' setting

Windows 2016 Server


@The Event Log can be set to trigger a notification event when it reaches a certain percentage of its configured capacity. This
notifies the administrator that the log is nearly full by triggering a '523 Event' and helps prevent a system shutdown caused by
the Security Event Log reaching capacity (see CID-1156); this should be set as appropriate to the needs of the business.
NOTE: The 'The security event log is XX percent full' warning should be generated as a '523 Event.'

less than or equal to


90

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: 90% or less:
Computer Configuration\Policies\Administrative Templates\MSS (Legacy)\MSS: (WarningLevel) Percentage threshold for the
security event log at which the system will generate a warning NOTE: This Group Policy path does not exist by default. An
additional Group Policy template (MSS-legacy.admx/adml) is required - it is included with Microsoft Security Compliance
Manager (SCM).

5.27 25358 Windows - Status of NetBIOS name resolution CRITICAL

Windows 2016 Server


@This setting determines whether NetBIOS name resolution will be performed by the DNS client. By default, NetBIOS name
resolution is disabled on public networks for security reasons. Defining this policy setting or not configuring it will result in
computers using locally configured settings. Review the configurations and verify that they are in line with the organization's
security policies and business requirements.

equal to
2

Disable Netbios name resolution (0)

Allow Netbios name resolution (1)

Disable Netbios name resolution on Public Networks (2)

Netbios Learning Mode (3)

Not Configured or Disabled

Remediation : #Configure the following setting as per the business requirements and the organization's security policies. To
establish the recommended configuration via GP, set the following UI path to Enabled: Disable NetBIOS name resolution on
public networks: Computer Configuration > Administrative Templates > Network > DNS Client > Configure NetBIOS settings

5.28 11192 Status of the 'Turn off multicast name resolution' setting SERIOUS

Windows 2016 Server


@An attacker can listen on the network for LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and respond to them, tricking
the host into believing that the responder knows the location of the requested system. This setting should be configured
according to the needs of the business.

Enabled (0)

Disabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\Network\DNS Client\Turn off multicast name resolution

5.29 10370 Status of the 'Enable insecure guest logons' setting CRITICAL

Windows 2016 Server


@The 'Enable insecure guest logons' policy setting determines whether the SMB client will allow insecure guest logons to an SMB
server. Insecure guest logons are used by file servers to allow unauthenticated access to shared folders. While uncommon in
an enterprise environment, insecure guest logons are frequently used by consumer Network Attached Storage (NAS)
appliances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default.
If this setting is not configured, then clients can allow insecure guest logons, which are vulnerable to a variety of man-in-the-
middle attacks that can result in data loss, data corruption, and exposure to malware. This setting should be configured
according to the business needs.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\Network\Lanman Workstation\Enable insecure guest logons

5.30 2616 Status of the 'Prohibit installation and configuration of Network Bridge on the DNS domain MEDIUM
network' setting

Windows 2016 Server


@The 'Prohibit installation and configuration of Network Bridge on the DNS domain network' setting determines whether or not
the system will permit a user to install and configure the Network Bridge feature. The Network Bridge feature allows a user to
build a MAC (layer 2) bridge, allowing the user to connect two or more network segments. When this setting is disabled, the
user is permitted to create or modify Network Bridge configurations. The creation of a Network Bridge between a private
network and public Internet connection may create an unsecured link between the two networks and allow a malicious user to
gain inappropriate access and/or control. If this function is not required for the systems' operation, it should be
disabled/restricted as appropriate to the needs of the business.

Enabled (0)

Disabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\Network\Network Connections\Prohibit installation and configuration of
Network Bridge on your DNS domain network

5.31 2607 Status of the 'Prohibit use of Internet Connection Sharing on your DNS domain network' MEDIUM
setting

Windows 2016 Server


@The Internet Connection Sharing service is a feature that provides networked computers the ability to access the Internet
through a single connection. When this setting is enabled, the Internet Connection Sharing service is not permitted to run on
the local machine and Administrators are not permitted to enable or configure the service. It is always best practice to turn off
any unnecessary services to reduce the overall threat surface of the system. If this service is not required for the systems'
operation, it should be disabled to reduce the risk of a malicious user gaining inappropriate access and/or control.

Enabled (0)

Disabled (1)

Key not found


Remediation : Go to the following path and configure the 'Prohibit use of Internet Connection Sharing on your DNS domain
network' GPO setting as per the business needs or organization's security policy: Computer Configuration -> Administrative
Templates -> Network -> Network Connections -> Prohibit use of Internet Connection Sharing on your DNS domain network

5.32 10081 Status of the 'Require domain users to elevate when setting a network's location' setting CRITICAL

Windows 2016 Server


@The policy 'Require domain users to elevate when setting a network's location' setting determines whether to require domain
users to elevate when setting a network's location. Allowing regular users to set a network location increases the risk and
attack surface. This setting should be set according to the business needs.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\Network\Network Connections\Require domain users to elevate when setting
a network's location

5.33 10592 Status of the 'Hardened UNC Paths' setting for Netlogon CRITICAL

Windows 2016 Server

@The 'Hardened UNC Paths' policy setting allows you to configure secure access to UNC paths. Universal Naming
Convention (UNC) is a standardized notation that Windows uses to access file resources; in most cases these resources are
located on a remote server. UNC allows the system to access files using the standard path format. If this setting is configured
properly, then Windows only allows access to the specified UNC paths after fulfilling additional security requirements. This
setting should be configured according to the business needs.

matches regular expression list


RequireMutualAuthentication\=1|RequireIntegrity\=1|RequirePrivacy=1

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled with the following
paths configured, at a minimum: Computer Configuration\Policies\Administrative Templates\Network\Network
Provider\Hardened UNC Paths
\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1
\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1
OR (newly updated):
\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1
\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1

5.34 10593 Status of the 'Hardened UNC Paths' setting for Sysvol CRITICAL

Windows 2016 Server

@The 'Hardened UNC Paths' policy setting allows you to configure secure access to UNC paths. Universal Naming
Convention (UNC) is a standardized notation that Windows uses to access file resources; in most cases these resources are
located on a remote server. UNC allows the system to access files using the standard path format. If this setting is configured
properly, then Windows only allows access to the specified UNC paths after fulfilling additional security requirements. This
setting should be configured according to the business needs.

matches regular expression list


RequireMutualAuthentication\=1|RequireIntegrity\=1|RequirePrivacy=1

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled with the following
paths configured, at a minimum: Computer Configuration\Policies\Administrative Templates\Network\Network
Provider\Hardened UNC Paths
\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1
\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1
OR (newly updated):
\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1
\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1
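Controls 5.33 and 5.34 both evaluate the 'Hardened UNC Paths' entries against the regular-expression list RequireMutualAuthentication=1 | RequireIntegrity=1 | RequirePrivacy=1. The following PowerShell script is an added example, not part of the CIS policy export: it parses the per-path setting strings into flags, checks that \\*\NETLOGON and \\*\SYSVOL carry at least RequireMutualAuthentication=1 and RequireIntegrity=1 (the minimum in the remediation above), notes when RequirePrivacy=1 is also present, and reports an entry as NOT CONFIGURED when it is missing. It assumes the GPO stores one REG_SZ value per UNC path under the HardenedPaths policy key named in the code (the key name is taken from how the Network Provider policy is stored and is not stated on the page); the sample entries are constructed for illustration.

```powershell
# Added example (not from the CIS policy export): evaluate 'Hardened UNC Paths'
# entries for the NETLOGON and SYSVOL shares (controls 5.33 and 5.34).
# Assumption: the policy stores one REG_SZ value per UNC path under this key.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
$RequiredFlags    = @('RequireMutualAuthentication', 'RequireIntegrity')   # minimum per the remediation
$SharesToCheck    = @('\\*\NETLOGON', '\\*\SYSVOL')

function ConvertFrom-HardenedPathValue {
    # Turns "RequireMutualAuthentication=1, RequireIntegrity=0" into a hashtable of
    # flag name -> integer. Tokens that are not "name=digits" are ignored.
    param([string]$Value)
    $flags = @{}
    foreach ($token in ($Value -split ',')) {
        $pair = $token.Trim() -split '=', 2
        if ($pair.Count -eq 2 -and $pair[1].Trim() -match '^\d+$') {
            $flags[$pair[0].Trim()] = [int]$pair[1].Trim()
        }
    }
    return $flags
}

function Test-HardenedPath {
    # Returns PASS when both required flags are 1 (and says whether RequirePrivacy=1
    # is present), FAIL with the missing flags, or NOT CONFIGURED when the entry is absent.
    param([string]$UncPath, [hashtable]$Entries)
    $value = $Entries[$UncPath]
    if ([string]::IsNullOrWhiteSpace($value)) {
        return [pscustomobject]@{ Path = $UncPath; Value = $null; Status = 'NOT CONFIGURED' }
    }
    $flags   = ConvertFrom-HardenedPathValue -Value $value
    $missing = $RequiredFlags | Where-Object { $flags[$_] -ne 1 }
    if ($missing) {
        $status = "FAIL (missing: $($missing -join ', '))"
    } elseif ($flags['RequirePrivacy'] -eq 1) {
        $status = 'PASS (mutual authentication + integrity + privacy)'
    } else {
        $status = 'PASS (mutual authentication + integrity)'
    }
    [pscustomobject]@{ Path = $UncPath; Value = $value; Status = $status }
}

function Get-HardenedPathEntries {
    # Reads every value under the policy key into a hashtable of UNC path -> setting string.
    $entries = @{}
    if (Test-Path -LiteralPath $HardenedPathsKey) {
        $key = Get-Item -LiteralPath $HardenedPathsKey
        foreach ($name in $key.GetValueNames()) { $entries[$name] = [string]$key.GetValue($name) }
    }
    return $entries
}

# Constructed sample entries (not read from a real host) showing one passing and one
# failing share: SYSVOL has RequireIntegrity=0, so it must be reported as FAIL.
$Sample = @{
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1, RequirePrivacy=1'
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1, RequireIntegrity=0'
}
'--- constructed sample ---'
foreach ($share in $SharesToCheck) { Test-HardenedPath -UncPath $share -Entries $Sample }

# Live audit of the local machine's policy key.
'--- local machine ---'
$Live = Get-HardenedPathEntries
foreach ($share in $SharesToCheck) { Test-HardenedPath -UncPath $share -Entries $Live }
```

Parsing the flags rather than matching the raw string avoids a false PASS on an entry such as RequireIntegrity=10 or a value that names the flag but sets it to 0, which a plain substring match for the policy's regular expression would accept.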

5.35 17241 Configure 'Minimize the number of simultaneous connections to the Internet or a Windows MEDIUM
Domain' Prevent Wi-Fi when on Ethernet.

Windows 2016 Server


@The 'Minimize the number of simultaneous connections to the Internet or a Windows Domain' Prevent Wi-Fi when on Ethernet policy setting prevents computers from establishing multiple simultaneous connections to either the Internet or to a Windows domain. While connected to an Ethernet connection, Windows won't allow use of a WLAN (automatically or manually) until Ethernet is disconnected. However, if a cellular data connection is available, it will always stay connected for services that require it, but no Internet traffic will be routed over cellular if an Ethernet or WLAN connection is present. If this setting is disabled or not configured, the concern is that a user could unknowingly allow traffic to route between internal and external networks, which risks exposure of sensitive internal data. This policy setting needs to be configured according to the needs of the business.

Allow simultaneous connections (0)

Minimize simultaneous connections (1)

Stay connected to cellular (2)

Prevent Wi-Fi when on Ethernet (3)

Feature not available in this build (300000000000000)

Key Not Found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: 1 = Minimize simultaneous connections: Computer Configuration\Policies\Administrative Templates\Network\Windows Connection Manager\Minimize the number of simultaneous connections to the Internet or a Windows Domain

5.36 21711 Status of the 'Allow Print Spooler to accept client connections' group policy setting URGENT

Windows 2016 Server

@This group policy controls whether the print spooler will accept client connections or not. When the policy is unconfigured or
enabled, the spooler will always accept client connections. When the policy is disabled, the spooler will not accept client
connections nor allow users to share printers. All printers currently shared will continue to be shared. This policy also blocks
the remote attack vector by preventing inbound remote printing operations. The system will no longer function as a print
server, but local printing to a directly attached device will still be possible. Configure this group policy as per the business
requirements and the organization's security policies.

equal to
2

Enabled (1)

Disabled (2)

Setting not found

Remediation : Configure the following group policy as per the business requirements and the organization's security policies.
Computer Configuration -> Administrative Templates -> Printers -> Allow Print Spooler to accept client connections Note - You
must restart the Print Spooler service for the group policy to take effect.

5.37 25338 Status of the 'Configure Redirection Guard' setting CRITICAL


Windows 2016 Server

@This setting is a security measure that prevents non-administratively created redirection primitives from being followed within a given process. It manages printer access and allows users to continue working without waiting for a print job to finish. Disabling this setting will not redirect files that may be used in the spooler process.

equal to
1

Redirection Guard Disabled (0)

Redirection Guard Enabled (1)

Redirection Guard Audit Only (2)

Not Configured or Disabled

Remediation : #Configure the following setting as per the business needs or the organization's security policy.
1. To do this configuration via Group Policy Editor, use the following UI path: Computer Configuration > Administrative Templates > Printers > Configure Redirection Guard > Enabled: Redirection Guard enabled
OR
2. To do this configuration via Intune, use the default Intune configuration profiles or create a custom profile to configure the following OMA-URI setting. OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureRedirectionGuardPolicy https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-printers

5.38 25348 Status of the 'Configure RPC connection settings: Protocol to use for outgoing RPC connections' setting CRITICAL

Windows 2016 Server


@This control determines the protocol and protocol settings used for outgoing RPC connections to a remote print spooler. The default protocol is RPC over TCP, with authentication enabled by default. If the machine is joined to a domain, authentication is always enabled; it is not enabled if the machine is not joined to a domain. An attacker could relay NTLM authentication sessions to a targeted machine and execute code remotely via the print spooler MSRPC interface. Review and verify that the configurations are in line with the business requirements and the organization's security policies.

equal to
0

RPC over TCP Enabled (0)

RPC over named pipes Enabled (1)

Disabled or Not Configured

Remediation : #Configure the following setting as per the business requirements and the organization's security policies. To
establish the recommended configuration via GP, set the following UI path to 'Enabled: RPC over TCP': Computer
Configuration > Administrative Templates > Printers > Configure RPC connection settings > Protocol to use for outgoing RPC
connections

5.39 25360 Status of the 'Use authentication for outgoing RPC over named pipes connections' setting CRITICAL

Windows 2016 Server

@This control determines the protocol and protocol settings used for outgoing RPC connections to a remote print spooler. The default protocol is RPC over TCP, with authentication enabled by default. If the machine is joined to a domain, authentication is always enabled; it is not enabled if the machine is not joined to a domain. An attacker could relay NTLM authentication sessions to a targeted machine and execute code remotely via the print spooler MSRPC interface. Review and verify that the configurations are in line with the business requirements and the organization's security policies.

equal to
0

Default (0)

Authentication Enabled (1)

Authentication Disabled (2)

Disabled or Not Configured

Remediation : #Configure the following setting as per the business requirements and the organization's security policies. To
establish the recommended configuration via GP, set the following UI path to Default : Computer Configuration >
Administrative Templates > Printers > Configure RPC connection settings > Use authentication for outgoing RPC over named
pipes connections

5.40 25361 Status of the 'Protocols to allow for incoming RPC connections' setting CRITICAL

Windows 2016 Server

@This setting controls which protocols incoming RPC connections to the print spooler can use. By default, Negotiate is used for authentication over RPC over TCP. To enforce Kerberos authentication, enable the “Configure RPC listener settings” policy and set it to allow Kerberos. Review and verify that the configurations are in line with business requirements and the organization's security policies.

equal to
5

RPC over named pipes (3)

Not Configured or Disabled

RPC over TCP (5)

RPC over TCP and named pipes (7)

Remediation : #Configure the following setting as per the business requirements and the organization's security policies. To
establish the recommended configuration via GP, set the following UI path to 'RPC over TCP' : Computer Configuration >
Administrative Templates > Printers > Configure RPC listener settings > Protocols to allow for incoming RPC connections

5.41 25359 Status of the 'Authentication protocol to use for incoming RPC connections' setting CRITICAL

Windows 2016 Server

@This setting controls which authentication protocol incoming RPC connections to the print spooler can use. By default, Negotiate is used for authentication over RPC over TCP. To enforce Kerberos authentication, enable the “Configure RPC listener settings” policy and set it to allow Kerberos. Review and verify that the configurations are in line with business requirements and the organization's security policies.

equal to
0

Negotiate (0)

Kerberos (1)

Disabled or Not Configured


Remediation : #Configure the following setting as per the business requirements and the organization's security policies. To
establish the recommended configuration via GP, set the following UI path to 'Negotiate': Computer Configuration >
Administrative Templates > Printers > Configure RPC listener settings > Authentication protocol to use for incoming RPC
connections

5.42 25362 Status of the 'Configure RPC over TCP port' setting CRITICAL

Windows 2016 Server


@This setting controls which port is used for RPC over TCP for incoming connections to the print spooler and outgoing connections to remote print spoolers. A value of 0 is the default and indicates that dynamic TCP ports will be used. If you disable or do not configure this policy setting, dynamic TCP ports are used. Review and verify that the configurations are in line with business requirements and the organization's security policies.

equal to
0

Not Configured or Disabled

Remediation : #Configure the following setting as per the business requirements and the organization's security policies. To establish the recommended configuration via GP, set the following UI path to 'Enabled': Computer Configuration > Administrative Templates > Printers > Configure RPC over TCP port

5.43 22349 Status of the 'Restrict Driver Installation to Administrators' setting. MEDIUM

Windows 2016 Server


@This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. If this policy setting is enabled, Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. It can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print. If this policy setting is disabled, Windows Vista client computers can create a printer connection to any server using Point and Print. No warning or elevated command prompt is shown when users create a printer connection to any server using Point and Print, or when an existing printer connection driver needs to be updated. The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs). Security updates were released for a remote code execution vulnerability in the Windows Print Spooler service known as 'PrintNightmare', documented in CVE-2021-34527. By default, administrators can install both signed and unsigned printer drivers to a print server. Signed drivers are trusted via the root certificates installed in the system's Trusted Root Certification Authorities store. The workflow used to install a printer driver from a trusted print server on a client computer uses a different path. Configure this setting as per the business requirements or the organization's security policy.

matches regular expression list


^1$

Key Not Found

Remediation : #Configure the following setting as per the business requirements or the organization's security policy.
Computer Configuration\Policies\Administrative Templates\Printers\Limits print driver installation to Administrators

5.44 25340 Status of the 'Manage processing of Queue-specific files' setting CRITICAL

Windows 2016 Server


@This setting allows standard color profile processing using the inbox mscms.dll executable. The security baseline is to
configure this setting to Enabled with the option of Limit queue-specific files to color profiles. A remote code execution
vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who
successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. The attacker could then install
programs, view, change, or delete data, or create new accounts with full user rights.

equal to
1

Do not allow queue specific files (0)

Limit queue specific file to color profile (1)

Allow all queue specific files (2)

Disabled or Not Configured

Remediation : #Configure the following setting as per the business needs or the organization's security policy.
1. To do this configuration via Group Policy Editor, use the following UI path: Computer Configuration > Administrative Templates > MS Security Guide > Manage processing of Queue-specific files > Enabled: Limit Queue-specific files to Color profiles
OR
2. To do this configuration via Intune, use the default Intune configuration profiles or create a custom profile to configure the following OMA-URI setting. OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureCopyFilesPolicy https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-printers

5.45 19070 Status of the 'Point and Print Restrictions: When installing drivers for a new connection' setting MEDIUM

Windows 2016 Server

@The 'Point and Print Restrictions: When installing drivers for a new connection' setting controls the client Point and Print
behavior, including the security prompts for Windows computers. This setting applies only to non-Print Administrator clients,
and only to computers that are members of a domain. If this setting is disabled or not configured, Windows client computers
can point and print to any server. If this setting is enabled, Windows clients will only download print driver components from a
list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a
compatible print driver is not available on the client, no connection will be made. This subsetting allows the system to show a
warning and prompts before installing drivers. Thus, configure this setting as per the business requirements or the
organization's security policy.

Do not show warning or elevation prompt (1)

Show warning and elevation prompt (0)

Key Not Found

Remediation : #Configure the following setting as per the business requirements or the organization's security policy.
Computer Configuration\Administrative Templates\Printers\'Point and Print Restrictions: When installing drivers for a new
connection' setting

5.46 19071 Status of the 'Point and Print Restrictions: When updating drivers for an existing connection' setting MEDIUM

Windows 2016 Server

@The 'Point and Print Restrictions: When updating drivers for an existing connection' setting controls the client Point and Print
behavior, including the security prompts for Windows computers. This setting applies only to non-Print Administrator clients,
and only to computers that are members of a domain. If this setting is disabled or not configured, Windows client computers
can point and print to any server. If this setting is enabled, Windows clients will only download print driver components from a
list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a
compatible print driver is not available on the client, no connection will be made. This subsetting allows the system to show a
warning and prompts before updating drivers. Thus, configure this setting as per the business requirements or the
organization's security policy.

Show warning only (1)

Show warning and elevation prompt (0)

Key Not Found

Do not show warning or elevation prompt (2)

Remediation : #Configure the following setting as per the business requirements or the organization's security policy.
Computer Configuration\Administrative Templates\Printers\'Point and Print Restrictions: When updating drivers for an existing
connection'
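The following PowerShell audit is an added example, not part of the CIS policy document or its checks, covering the print spooler controls 5.36, 5.43, 5.45 and 5.46 above. The registry paths and value names are the locations that back those Group Policy settings (the policy text lists only the GP UI paths), and the expected values are taken from the policy: 2 (Disabled) for 5.36, 1 for 5.43, and 0 ("Show warning and elevation prompt") for 5.45 and 5.46.

```powershell
# Added example, not part of the CIS policy document: audit the print spooler
# controls 5.36, 5.43, 5.45 and 5.46 against the values the policy expects.
# Registry locations are the ones backing the GP settings; they are not
# listed in the policy text, so verify them in your environment.
$PrintersKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PointAndPrintKey = "$PrintersKey\PointAndPrint"

$Controls = @(
    @{ Id = '5.36'; Key = $PrintersKey;      Name = 'RegisterSpoolerRemoteRpcEndPoint';            Expected = 2 }
    @{ Id = '5.43'; Key = $PointAndPrintKey; Name = 'RestrictDriverInstallationToAdministrators';  Expected = 1 }
    @{ Id = '5.45'; Key = $PointAndPrintKey; Name = 'NoWarningNoElevationOnInstall';               Expected = 0 }
    @{ Id = '5.46'; Key = $PointAndPrintKey; Name = 'UpdatePromptSettings';                        Expected = 0 }
)

function Get-SpoolerControlStatus {
    # Returns one row per control with the policy's own status vocabulary:
    # 'Compliant', 'Non-compliant', or 'Key Not Found' when the value is absent.
    param([hashtable]$Control)
    $item = Get-ItemProperty -Path $Control.Key -Name $Control.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { [int]$item.($Control.Name) } else { $null }
    if ($null -eq $actual) { $status = 'Key Not Found' } elseif ($actual -eq $Control.Expected) { $status = 'Compliant' } else { $status = 'Non-compliant' }
    [pscustomobject]@{
        Control  = $Control.Id
        Value    = $Control.Name
        Expected = $Control.Expected
        Actual   = $actual
        Status   = $status
    }
}

$report = $Controls | ForEach-Object { Get-SpoolerControlStatus -Control $_ }
$report | Format-Table -AutoSize

# 5.36 only takes effect after the Print Spooler service is restarted (see the
# remediation note for 5.36), so show the service state next to the result.
Get-Service -Name Spooler | Select-Object Name, Status, StartType
```

A 'Key Not Found' row for 5.45 or 5.46 corresponds to the policy's "Key Not Found" state and means the Point and Print restriction has not been explicitly configured.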

5.47 9440 Status of the 'Include command line in process creation events' setting MEDIUM

Windows 2016 Server


@The 'Include command line in process creation events' policy setting determines what information is logged in security audit events when a new process has been created. The command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event. When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information such as passwords or user data, which may lead to unauthorized activities on the system. This setting should be set as per the business requirement.

Disabled (0)

Enabled (1)

Not Configured

Remediation : #Configure the following setting as per the business needs or the organization's security policy. To do this
configuration via Group Policy Editor, use the following UI path. Computer Configuration\Policies\Administrative
Templates\System\Audit Process Creation\Include command line in process creation events

5.48 14415 Status of the 'Encryption Oracle Remediation' group policy SERIOUS

Windows 2016 Server


@This policy setting applies to applications using the CredSSP component. This setting controls compatibility with vulnerable
clients and servers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability. This
should be configured as appropriate to the business needs.

Force Updated Clients (0)

Mitigated (1)

Vulnerable (2)

Key not found

Remediation : Review the result and ensure that the setting is configured in line with business needs and the organization's security policies. Computer Configuration\Administrative Templates\System\Credentials Delegation: Encryption Oracle Remediation

5.49 12013 Status of the 'Remote host allows delegation of non-exportable credentials' (AllowProtectedCreds) setting CRITICAL

Windows 2016 Server

@The 'Remote host allows delegation of non-exportable credentials' Group Policy setting helps to prevent the risk of credential theft on remote hosts when credential delegation is used. When enabled, it helps to (a) protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised, and (b) protect user credentials over Remote Desktop connections by redirecting Kerberos requests back to the device that is requesting the connection. These two protections are provided by the Restricted Admin Mode and Windows Defender Remote Credential Guard options respectively, and should be enabled as appropriate to the needs of the business.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via Group Policy, set the following Group Policy UI path value as appropriate: Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation\Remote host allows delegation of non-exportable credentials. This group policy setting is backed by the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation:AllowProtectedCreds

5.50 11034 Configure 'Prevent Device Metadata Retrieval from Internet' Windows Group Policy MINIMAL

Windows 2016 Server

@Windows can retrieve device metadata from the Internet during device installation. Preventing device metadata retrieval provides protection against potentially sensitive information being sent outside the enterprise and against uncontrolled updates to the system. This feature should be configured as appropriate to the needs of the business.

Disabled (0)

Enabled (1)

Not Configured

Remediation : Configure the group policy value for Computer Configuration >> Administrative Templates >> System >> Device
Installation >> "Prevent device metadata retrieval from the Internet" to "Enabled".

5.51 8188 Status of the 'Boot-Start Driver Initialization Policy' setting SERIOUS

Windows 2016 Server


@The "Choose the boot-start drivers that can be initialized:" policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return one of the following classifications for each boot-start driver: Good, Bad, Bad but required for boot, or Unknown. If the setting is enabled, you can choose which boot-start drivers to initialize the next time the machine is started. If the setting is disabled or not configured, boot-start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized, and the initialization of drivers determined to be Bad is skipped. This policy setting helps reduce the impact of malware that has already infected your system. If your malware detection application does not have an Early Launch Antimalware boot-start driver, or it is disabled, this setting has no effect and all boot-start drivers will be initialized. This setting should be set as per the need of the business.

Good and unknown (1)

Good, unknown and bad but critical (3)

All (7)

Good only (8)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and
bad but critical: Computer Configuration\Policies\Administrative Templates\System\Early Launch Antimalware\Boot-Start Driver
Initialization Policy

5.52 3923 Status of the 'Registry policy processing (Option: Do not apply during periodic background processing)' setting SERIOUS

Windows 2016 Server

@The 'Registry policy processing' settings determine when registry policies will be updated and affects the policies existing
within the 'Administrative Templates' folder, as well as all additional policies that have values stored within the registry. This
should be configured according to the needs of the business to ensure that all policy settings are applied and in compliance
with expectations. By enabling this, registry settings that were 'customized' by a user will be overridden and the
approved/appropriate settings will be applied.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not
apply during periodic background processing option to FALSE (unchecked): Computer Configuration\Policies\Administrative
Templates\System\Group Policy\Configure registry policy processing

5.53 7501 Status of the 'Registry policy processing option: Process even if the Group Policy objects have not changed' setting SERIOUS

Windows 2016 Server

@The Registry policy processing option 'Process even if the Group Policy objects have not changed' reapplies group policies even when they have not changed. Updating policies while the system is in use can potentially damage data, but reapplying the policy can also lock out an intruder, so this capability must be set according to the needs of the business.

Enabled (0)

Disabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process
even if the Group Policy objects have not changed option to TRUE (checked): Computer Configuration\Policies\Administrative
Templates\System\Group Policy\Configure registry policy processing

5.54 27616 Status of the 'Configure security policy processing: Do not apply during periodic background processing' setting SERIOUS

Windows 2016 Server

@This policy setting impacts all policies utilizing the security component within Group Policy, including those found in
Windows Settings\Security Settings. It supersedes any customized settings established by the program implementing the
security policy during installation. Enabling "Do not apply during periodic background processing" prevents the system from
updating affected policies in the background while the computer is in use. Background updates have the potential to disrupt
the user experience, cause program interruptions or abnormal operations, and, in rare instances, lead to data damage. This
value should be configured as appropriate to the needs of the business.

False (0)

True (1)

Key not found

Remediation : Review and verify that the configurations are in line with the business requirements and the organization's security policies. #Configure the following setting as per the business needs or the organization's security policy.
1. To do this configuration via Group Policy Editor, use the following UI path: Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure security policy processing: Process even if the Group Policy objects have not changed
To do this configuration via Intune:
Method 1: Create a custom profile to configure the following OMA-URI setting, as per the business needs or the organization's security policy. ./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_Security
Method 2: Configure via configuration profiles using Settings Catalog, as per the business needs or the organization's security policy. Administrative Templates\System\Group Policy\Configure security policy processing

5.55 27617 Status of the 'Configure security policy processing: Process even if the Group Policy objects have not changed' setting SERIOUS

Windows 2016 Server


@This particular policy setting impacts all policies utilizing the security component within Group Policy, including those found
in Windows Settings\Security Settings. It takes precedence over any customized settings established by the program
implementing the security policy during installation. Enabling the "Process even if the Group Policy objects have not changed"
option ensures that policies are updated and reapplied even in instances where there have been no changes to the policies.
Numerous policy implementations stipulate that updates should occur solely when changes have been made. This value
should be configured as appropriate to the needs of the business.

True (0)

False (1)

Key not found

Remediation : Review and verify that the configurations are in line with the business requirements and the organization's security policies. #Configure the following setting as per the business needs or the organization's security policy.
1. To do this configuration via Group Policy Editor, use the following UI path: Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure security policy processing: Process even if the Group Policy objects have not changed
To do this configuration via Intune:
Method 1: Create a custom profile to configure the following OMA-URI setting, as per the business needs or the organization's security policy. ./Device/Vendor/MSFT/Policy/Config/ADMX_GroupPolicy/CSE_Security
Method 2: Configure via configuration profiles using Settings Catalog, as per the business needs or the organization's security policy. Administrative Templates\System\Group Policy\Configure security policy processing

5.56 11193 Status of the 'Continue experiences on this device' setting SERIOUS

Windows 2016 Server

@A cross-device experience is when a system can access apps on, and send messages to, other devices. In an enterprise environment only trusted systems should be communicating within the network. Access to any other system should be prohibited. This setting should be configured according to the needs of the business.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\System\Group Policy\Continue experiences on this device

5.57 4194 Status of the 'Turn Off Background Refresh of Group Policy' setting MEDIUM

Windows 2016 Server


@The 'Turn Off Background Refresh' Group Policy setting prohibits automatically updating current Group Policy settings while
the system has a user actively logged into a session. As this setting can obstruct the needed refresh of a GPO and the
establishment of new security requirements on the system, it should be configured according to the needs of the business.

equal to
0

Enabled (1)

Not Configured or Disabled

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\System\Group Policy\Turn off background refresh of Group Policy
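The following PowerShell audit is an added example, not part of the CIS policy document, covering the Group Policy processing controls 5.52 to 5.55 and 5.57 above. The client-side extension (CSE) GUIDs, key paths and value names are the registry locations known to back those settings (the policy lists only the GP UI paths). Note that the checkbox semantics are inverted in the registry: NoGPOListChanges = 0 means "Process even if the Group Policy objects have not changed" is checked, which is why the policy lists that state as Enabled (0).

```powershell
# Added example, not part of the CIS policy document: audit the Group Policy
# processing controls 5.52 to 5.55 and 5.57. Registry locations are the ones
# backing the GP settings; they are not listed in the policy text.
$GpBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy'
$Extensions = @{
    Registry = '{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'   # Administrative Templates CSE (5.52, 5.53)
    Security = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'   # Security Settings CSE (5.54, 5.55)
}

function Get-CsePolicyProcessing {
    # Reads NoBackgroundPolicy ("Do not apply during periodic background
    # processing") and NoGPOListChanges ("Process even if the GPOs have not
    # changed", inverted) for one CSE. $null mirrors the policy's "Key not found".
    param([string]$Extension, [string]$Guid)
    $item = Get-ItemProperty -Path "$GpBase\$Guid" -ErrorAction SilentlyContinue
    $noBackground  = $null
    $noListChanges = $null
    if ($null -ne $item) {
        if ($null -ne $item.NoBackgroundPolicy) { $noBackground  = [int]$item.NoBackgroundPolicy }
        if ($null -ne $item.NoGPOListChanges)   { $noListChanges = [int]$item.NoGPOListChanges }
    }
    # Benchmark expectation: background option unchecked (0) and
    # "process even if unchanged" checked (NoGPOListChanges = 0).
    $processEvenIfUnchanged = if ($null -eq $noListChanges) { $null } else { $noListChanges -eq 0 }
    $compliant = ($noBackground -eq 0) -and ($noListChanges -eq 0)
    [pscustomobject]@{
        Extension              = $Extension
        DoNotApplyInBackground = $noBackground
        ProcessEvenIfUnchanged = $processEvenIfUnchanged
        Compliant              = $compliant
    }
}

function Test-BackgroundRefreshDisabled {
    # 5.57: 'Turn off background refresh of Group Policy' must be Disabled (0);
    # the policy also accepts Not Configured, so an absent value passes.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $key -Name DisableBkGndGroupPolicy -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.DisableBkGndGroupPolicy } else { $null }
    [pscustomobject]@{
        Control                 = '5.57'
        DisableBkGndGroupPolicy = $value
        Compliant               = ($value -ne 1)
    }
}

$Extensions.GetEnumerator() |
    ForEach-Object { Get-CsePolicyProcessing -Extension $_.Key -Guid $_.Value } |
    Format-Table -AutoSize
Test-BackgroundRefreshDisabled | Format-Table -AutoSize
```

Absent values for the two CSEs are reported as empty and counted as non-compliant here because the benchmark expects both settings to be explicitly Enabled.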

5.58 3922 Status of the 'Turn off downloading of print drivers over HTTP' setting CRITICAL

Windows 2016 Server

@The 'Turn off downloading of print drivers over HTTP' setting determines whether users are allowed to download print drivers using HTTP. Because print drivers from Internet sites can be corrupted, contain a Trojan horse, or host other sorts of malware, and can therefore impact the system's stability and security, the ability of users to download print drivers over HTTP should be set according to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication
settings\Turn off downloading of print drivers over HTTP

5.59 3920 Status of the 'Turn off Internet download for Web publishing and online ordering wizards' setting CRITICAL

Windows 2016 Server

@The Web publishing and online ordering wizards are used by Windows to show the providers recommended by Microsoft to link to for online ordering/Web publishing. As allowing the use of this kind of service can potentially allow the downloading of malicious content, this capability should be restricted according to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication
settings\Turn off Internet download for Web publishing and online ordering wizards

5.60 11194 Status of the 'Block user from showing account details on sign-in' setting SERIOUS

Windows 2016 Server


@An attacker with access to the console (for example, someone with physical access or someone who is able to connect to
the server through Terminal Services) could view the name of the last user who logged on to the server. The attacker could
then try to guess the password, use a dictionary, or use a brute-force attack to try and log on. This setting should be
configured according to the needs of the business.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To implement the recommended configuration state, set the following Group Policy setting to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Logon\Block user from showing account details on sign-in

5.61 9008 Status of the 'Do not display network selection UI' setting CRITICAL

Windows 2016 Server


@The 'Do not display network selection UI' setting specifies whether anyone can interact with the available networks UI on the logon screen. If the setting is not configured, an unauthorized user could disconnect the PC from the network or connect the PC to other available networks without signing into Windows, and could thereby compromise the system. This setting should be restricted according to the needs of the business.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To implement the recommended configuration state, set the following Group Policy setting to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Logon\Do not display network selection UI

5.62 8176 Status of the 'Do not enumerate connected users on domain-joined computers' setting SERIOUS

Windows 2016 Server

@The 'Do not enumerate connected users on domain-joined computers' policy setting prevents connected users from being enumerated on domain-joined computers. If the setting is enabled, the Logon UI will not enumerate any connected users on domain-joined computers; if this policy setting is disabled or not configured, connected users will be enumerated on domain-joined computers. A malicious user could use this feature to collect the account names of other users, and that information can then be used for attacks such as guessing passwords. This setting should be set as per the need of the business.

Disabled (0)
Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\System\Logon\Do not enumerate connected users on domain-joined
computers

5.63 8177 Status of the 'Enumerate local users on domain-joined computers (EnumerateLocalUsers)' SERIOUS
setting (Enabled / Disabled)

Windows 2016 Server

The 'Enumerate local users on domain-joined computers' policy setting allows local users to be enumerated on domain-
joined computers. If the setting is enabled, the Logon UI will enumerate all local users on domain-joined computers; if it is
disabled or not configured, local users will not be enumerated. A malicious user could use this feature to collect the account
names of other users, and that information can then be used for attacks such as password guessing. This setting should be
set as per the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\System\Logon\Enumerate local users on domain-joined computers

5.64 8399 Status of the Configure 'Turn off app notifications on the lock screen' SERIOUS

Windows 2016 Server

The 'Turn off app notifications on the lock screen' policy setting prevents app notifications from appearing on the lock
screen. If this setting is enabled, no app notifications will be displayed on the lock screen. If this policy setting is disabled or
not configured, users can choose which apps display notifications on the lock screen. App notifications might display sensitive
business or personal data. This policy setting needs to be configured according to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\System\Logon\Turn off app notifications on the lock screen

5.65 9388 Status of the 'Turn off picture password sign-in' setting MINIMAL

Windows 2016 Server

The 'Turn off picture password sign-in' policy setting allows you to control whether a domain user can sign in using a picture
password. Turning it off improves the security of the system: a picture password lets a user sign in to the PC with gestures on a
favourite photo instead of a hard-to-remember password. This setting should be set as per the business requirement.

Disabled (0)

Enabled (1)

Not Configured

Remediation : Review and verify the result and ensure that the setting is configured as per the business needs or
organization's security policies. Computer Configuration\Administrative Templates\System\Logon: Turn off picture password
sign-in

5.66 8175 Status of the 'Turn on PIN sign-in' setting SERIOUS

Windows 2016 Server

The 'Turn on PIN sign-in' setting allows you to control whether a domain user can sign in using a PIN. If this policy is
enabled, a domain user can set up and sign in with a PIN. A domain user can't set up and use a PIN if the policy setting is
disabled or not configured. Note that the user's domain password will be cached in the system vault when using this feature. A
PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less
robust than a password. This setting should be set as per the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\System\Logon\Turn on convenience PIN sign-in NOTE: In older Microsoft
Windows Administrative Templates, this setting was simply named "Turn on PIN sign-in", but it was renamed as of the
Windows 10 Release 1511 Administrative Templates.
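The Logon controls above (5.60 to 5.66) are all evaluated the same way: a policy-backed registry value is read and reported as Enabled (1), Disabled (0) or Key not found, then compared with the state the remediation asks for. The PowerShell script below is an added example, not part of this CIS policy or of the benchmark, that performs that audit for the controls whose remediation states a required value (5.65 only asks for a review and is left out). The key path HKLM:\SOFTWARE\Policies\Microsoft\Windows\System and every value name except EnumerateLocalUsers (which the title of 5.63 names) are assumptions taken from the Windows Administrative Templates, so verify them against the ADMX files of your template set before relying on the result.

```powershell
# Added example (not part of the CIS policy document): audit the Logon policy
# settings of controls 5.60 - 5.66 by reading the registry values their Group
# Policy settings write, and report them in the three states the policy uses.
#
# ASSUMPTION: key path and value names (other than EnumerateLocalUsers, which
# the page names) come from the Administrative Templates, not from this page.
$LogonPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

# Expected state taken from the remediation text of each control.
$LogonChecks = @(
    @{ Control = '5.60'; Name = 'BlockUserFromShowingAccountDetailsOnSignin'; Expected = 1 }
    @{ Control = '5.61'; Name = 'DontDisplayNetworkSelectionUI';               Expected = 1 }
    @{ Control = '5.62'; Name = 'DontEnumerateConnectedUsers';                  Expected = 1 }
    @{ Control = '5.63'; Name = 'EnumerateLocalUsers';                          Expected = 0 }
    @{ Control = '5.64'; Name = 'DisableLockScreenAppNotifications';            Expected = 1 }
    @{ Control = '5.66'; Name = 'AllowDomainPINLogon';                          Expected = 0 }
)

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # A missing key or a missing value both end up as $null ("Key not found").
    try {
        $props = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$props.$Name
    } catch {
        return $null
    }
}

function Test-LogonPolicy {
    param([string]$Path = $LogonPolicyKey, [array]$Checks = $LogonChecks)
    foreach ($c in $Checks) {
        $actual = Get-PolicyDword -Path $Path -Name $c.Name
        if ($null -eq $actual)  { $state = 'Key not found' }
        elseif ($actual -eq 1)  { $state = 'Enabled (1)' }
        elseif ($actual -eq 0)  { $state = 'Disabled (0)' }
        else                    { $state = "Unexpected ($actual)" }
        $expectedLabel = if ($c.Expected -eq 1) { 'Enabled (1)' } else { 'Disabled (0)' }

        [pscustomobject]@{
            Control   = $c.Control
            Value     = $c.Name
            Actual    = $state
            Expected  = $expectedLabel
            Compliant = ($null -ne $actual -and $actual -eq $c.Expected)
        }
    }
}

Test-LogonPolicy | Format-Table -AutoSize
```

Run the script on the member server itself; it reports Key not found when the policy has never been applied, which matches the third outcome listed for each control and is treated as non-compliant because the remediation requires an explicit state.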

5.67 4110 Status of the 'Require a Password When a Computer Wakes (on Battery)' setting CRITICAL

Windows 2016 Server

The 'Require a Password When a Computer Wakes (on Battery)' group policy setting forces the user to re-enter the
password when the system resumes from sleep while on battery power. As this group policy invokes security
settings that help deter unauthorized access, it should be configured according to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\System\Power Management\Sleep Settings\Require a password when a
computer wakes (on battery)

5.68 4111 Status of the 'Require a Password When a Computer Wakes (Plugged In)' setting CRITICAL

Windows 2016 Server


The 'Require a Password When a Computer Wakes (Plugged In)' group policy setting forces the user to re-enter the
password when the system resumes from sleep. As this group policy invokes security settings that help deter
unauthorized access, it should be configured according to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\System\Power Management\Sleep Settings\Require a password when a
computer wakes (plugged in)

5.69 3900 Status of the 'Offer Remote Assistance' setting (Terminal Services) CRITICAL

Windows 2016 Server


The 'Offer Remote Assistance' settings control the remote assistance capability that allows expert users
and/or system administrators to offer remote assistance to someone on another system. This utility employs Terminal Services
to provide this functionality and could give malicious users a way to gain access to systems from remote locations. As a
result, this should be set in compliance with internal security requirements and expectations to meet the needs of the
business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\System\Remote Assistance\Configure Offer Remote Assistance

5.70 3899 Status of the 'Solicited Remote Assistance' policy setting (Terminal Services) SERIOUS

Windows 2016 Server


The 'Solicited Remote Assistance' group policy is used by systems administrators to control the remote assistance
capability through Terminal Services that allows users to send 'requests' to another person (possibly an IT support resource)
to connect to their system remotely for 'expert assistance' with a problem. This policy must actually be 'configured' to disallow
the user from setting up Remote Assistance via the Control Panel (by default, the user can enable this function), which could
be in violation of internal security requirements and expectations. As with all Group Policy Objects and services, a risk
assessment should be performed to determine the correct settings to meet the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\System\Remote Assistance\Configure Solicited Remote Assistance

5.71 1513 Status of the 'RPC Endpoint Mapper Client Authentication' setting SERIOUS

Windows 2016 Server


The 'RPC Endpoint Mapper Client Authentication' setting blocks anonymous or null connections to the RPC endpoint
mapping service. As RPC services generally have weak or non-existent authentication, anonymous access to the endpoint mapper
should be disabled or restricted as appropriate to the needs of the business. NOTE: The manufacturer recommends that anonymous
RPC be disabled unless a specific and critical legacy application requires it.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\System\Remote Procedure Call\Enable RPC Endpoint Mapper Client
Authentication

5.72 10087 Status of the 'Enable Windows NTP Client' setting SERIOUS

Windows 2016 Server


The 'Enable Windows NTP Client' policy setting specifies whether the Windows NTP Client is enabled. Network Time
Protocol (NTP) is a client/server application. Each workstation, router, or server must be equipped with NTP client software to
synchronize its clock to the network time server. If this setting is not configured, the local computer clock does not synchronize
time with NTP servers. This setting should be set according to the business needs.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers\Enable Windows NTP Client

5.73 10088 Status of the 'Enable Windows NTP Server' setting SERIOUS

Windows 2016 Server

The 'Enable Windows NTP Server' policy setting specifies whether the Windows NTP Server is enabled. Network Time
Protocol (NTP) is a client/server application. Each workstation, router, or server must be equipped with NTP client software to
synchronize its clock to the network time server. If this setting is not configured, the computer cannot service NTP requests
from other computers. This setting should be set according to the business needs.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers\Enable Windows NTP Server

5.74 9009 Status of the 'Allow Microsoft accounts to be optional' setting CRITICAL

Windows 2016 Server


The 'Allow Microsoft accounts to be optional' setting specifies whether Microsoft accounts are optional for Windows Store apps
that require an account to sign in. This provides the organization with greater control over the relevant credentials. This setting
should be restricted according to the needs of the business.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\App runtime\Allow Microsoft accounts to be optional

5.75 10006 Status of the 'Disallow Autoplay for non-volume devices' setting CRITICAL

Windows 2016 Server

This policy setting disallows Autoplay for MTP devices such as cameras or phones. If this setting is not configured, an attacker
could use this feature to launch a program that damages a client computer or the data on it. This setting should be
configured according to the business needs.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies\Disallow Autoplay for non-volume
devices

5.76 10007 Status of the 'default behavior for AutoRun' CRITICAL

Windows 2016 Server

This policy setting allows you to set the default behavior for Autorun commands. Autorun commands are generally stored in
autorun.inf files. These commands enable applications to start, start installation programs, or start other routines. If this setting
is not configured, this code may be executed without the user's knowledge or consent, which may lead to security concerns. This
setting should be configured according to the business needs.

Do not execute any autorun commands (1)

Automatically execute autorun commands (2)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Do not execute any
autorun commands: Computer Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies\Set
the default behavior for AutoRun

5.77 1183 Status of the 'Disable Autorun for all drives' setting for the HKLM key SERIOUS

Windows 2016 Server


The 'Turn off Autoplay for all drives' setting, defined by the
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun registry value, allows the system to
refuse to automatically run a program, such as 'setup.exe', from a portable storage medium, such as a CD-ROM. Such
'autoplay' program executions are known to be abused by malicious users, who place malicious code hooks in 'autorun.inf'
files that the system launches automatically as soon as the media is read, so this parameter should be set as appropriate to
the needs of the business. NOTE: Setting this parameter to a value of '255' disables 'autoplay' for all types of removable
media/drives. (NoDriveTypeAutoRun)

equal to
255

145

161803399999999

CD-ROM/Removable Drives (181)

All drives (255)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: All drives: Computer
Configuration\Policies\Administrative Templates\Windows Components\AutoPlay Policies\Turn off Autoplay
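Control 5.77 names the NoDriveTypeAutoRun registry value and lists 255, 181 and 145 among its possible values without saying what the numbers mean. The PowerShell script below is an added example, not the policy's own check logic, that reads that value from the key quoted in the control and decodes it as a bitmask: bit n of the value turns Autoplay off for Win32 drive type n (DRIVE_UNKNOWN = 0 through DRIVE_RAMDISK = 6, with bit 7 reserved). That bit-to-drive-type mapping, and the remark that 145 (0x91) is the value Windows ships with, are this example's own assumptions and not statements from the page.

```powershell
# Added example (not part of the CIS policy document): decode the
# NoDriveTypeAutoRun bitmask of control 5.77 and report which drive types
# still have Autoplay enabled. The key path is the one quoted in the control.
$AutoRunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# ASSUMPTION: bit positions follow the Win32 GetDriveType() result codes
# (bit 1 shl n disables Autoplay for drive type n).
$DriveTypeBits = [ordered]@{
    0x01 = 'Unknown (DRIVE_UNKNOWN)'
    0x02 = 'No root directory (DRIVE_NO_ROOT_DIR)'
    0x04 = 'Removable (DRIVE_REMOVABLE)'
    0x08 = 'Fixed (DRIVE_FIXED)'
    0x10 = 'Network (DRIVE_REMOTE)'
    0x20 = 'CD-ROM (DRIVE_CDROM)'
    0x40 = 'RAM disk (DRIVE_RAMDISK)'
    0x80 = 'Reserved (type 7)'
}

function ConvertFrom-NoDriveTypeAutoRun {
    # Expand a NoDriveTypeAutoRun value into one row per drive type.
    param([Parameter(Mandatory)][int]$Mask)
    foreach ($bit in $DriveTypeBits.Keys) {
        [pscustomobject]@{
            Bit             = ('0x{0:X2}' -f $bit)
            DriveType       = $DriveTypeBits[$bit]
            AutoplayBlocked = (($Mask -band $bit) -ne 0)
        }
    }
}

function Test-AutoRunPolicy {
    # Read the live value and compare it with the "All drives (255)" the control expects.
    param([string]$Path = $AutoRunKey)
    try {
        $mask = [int](Get-ItemProperty -Path $Path -Name NoDriveTypeAutoRun -ErrorAction Stop).NoDriveTypeAutoRun
    } catch {
        return [pscustomobject]@{ Value = 'Key not found'; Compliant = $false; StillAllowed = 'all drive types' }
    }
    $open = (ConvertFrom-NoDriveTypeAutoRun -Mask $mask | Where-Object { -not $_.AutoplayBlocked }).DriveType
    [pscustomobject]@{
        Value        = $mask
        Compliant    = ($mask -eq 255)
        StillAllowed = $(if ($open) { $open -join ', ' } else { 'none' })
    }
}

# Worked values from the control: 255 blocks every type; 181 (0xB5) covers
# CD-ROM and removable drives but leaves fixed disks and RAM disks open;
# 145 (0x91, the shipped default per this example's assumption) blocks only
# unknown, network and reserved types.
foreach ($sample in 255, 181, 145) {
    $open = (ConvertFrom-NoDriveTypeAutoRun -Mask $sample | Where-Object { -not $_.AutoplayBlocked }).DriveType
    '{0,3} (0x{0:X2}) -> Autoplay still allowed for: {1}' -f $sample, $(if ($open) { $open -join ', ' } else { 'none' })
}

Test-AutoRunPolicy
```

The decoder explains why the policy accepts only 255 as compliant: any smaller mask leaves at least one drive type, typically fixed disks, on which an autorun.inf would still be honoured.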

5.78 10377 Status of the 'Use enhanced anti-spoofing when available' setting CRITICAL

Windows 2016 Server


The 'Use enhanced anti-spoofing when available' policy setting determines whether enhanced anti-spoofing is configured
for devices which support it. This setting allows users to use enhanced anti-spoofing features for facial biometric
authentication methods. Anti-spoofing is a technique that recognizes spoofed data packets coming from untrusted sources and
drops them, allowing only authentic data packets through. If this setting is enabled, Windows will require all users on the device
to use anti-spoofing for facial features on devices which support it. Not configuring this setting may compromise security, as
users will determine whether or not enhanced anti-spoofing is active for their device. This setting should be configured
according to the business needs.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Biometrics\Facial Features\Use enhanced anti-
spoofing when available

5.79 23128 Status of the 'Turn off cloud consumer account state content' setting SERIOUS

Windows 2016 Server

The 'Turn off cloud consumer account state content' policy setting determines whether cloud consumer account state
content is allowed in all Windows experiences. The use of consumer accounts in an enterprise-managed environment is not
good security practice, as it could lead to possible data leakage. If this policy is enabled, Windows experiences that use the
cloud consumer account state content client component will instead present the default fallback content. If this policy is
disabled or not configured, Windows experiences will be able to use cloud consumer account state content. This setting
should be configured as appropriate to the needs of the business.

equal to
1

Disabled (0)

Enabled (1)

Key Not Found

Remediation : Configure the following group policy in accordance with business needs and the organization's security policies.
Computer Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off cloud consumer
account state content

5.80 10353 Status of the 'Turn off Microsoft consumer experiences' setting CRITICAL

Windows 2016 Server


The 'Turn off Microsoft consumer experiences' policy setting turns off experiences that help consumers make the most of
their devices and Microsoft account. Not configuring this setting allows users to see suggestions from Microsoft and
notifications about their Microsoft account, which may not meet the security requirements of your organization. This setting
should be configured according to the business needs.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer
experiences

5.81 17242 Status of the 'Require pin for pairing' Enabled 'First Time OR Always' setting SERIOUS

Windows 2016 Server

If this setting is not configured or disabled, a PIN would not be required when pairing wireless display devices to the
system, increasing the risk of unauthorized use. The setting should be configured according to the needs of the business.

Never (0)

First Time (1)

Always (2)

Feature not available in this build (300000000000000)

Key Not Found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: First Time OR
Enabled: Always: Computer Configuration\Policies\Administrative Templates\Windows Components\Connect\Require pin for
pairing

5.82 8425 Status of "Do not display the password reveal button" SERIOUS

Windows 2016 Server

The "Do not display the password reveal button" policy setting allows you to configure the display of the password reveal button
in password entry user experiences. If this policy setting is enabled, the password reveal button will not be displayed after a
user types a password in the password entry text box. If this policy setting is disabled or not configured, the password reveal
button will be displayed after a user types a password in the password entry text box, which is also the default behavior. This is
very useful when using long and complex passwords, but the potential risk is that someone else can see your password while
observing your screen surreptitiously. This policy setting needs to be configured according to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Credential User Interface\Do not display the password
reveal button

5.83 3897 Status of 'Enumerate administrator accounts on elevation' setting CRITICAL

Windows 2016 Server

The 'Enumerate administrator accounts on elevation' capability displays the 'administrator' account list on the system. As
showing this list may allow a malicious user to target a specific, privileged account for an attack or exploit, this capability
should be set in accordance with the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Credential User Interface\Enumerate administrator
accounts on elevation

5.84 23206 Status of the 'Allow Diagnostic Data' setting SERIOUS

Windows 2016 Server


The 'Allow Diagnostic Data' policy setting determines the amount of diagnostic and usage data reported to Microsoft. The
diagnostic data collected under this policy covers the operating system and apps that are considered part of Windows and
does not apply to any additional apps installed by your organization. Sending any data to a third-party vendor is a security
concern and should only be done on an as-needed basis. This setting should be configured according to the business needs.

in
0:1

Diagnostic data off (not recommended) (0)

Send required diagnostic data (1)

Send optional diagnostic data (3)

Key Not Found

Remediation : Configure the following setting as per the business needs or the organization's security policy. Computer
Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Allow Diagnostic
Data

5.85 23129 Status of the 'Disable OneSettings Downloads' setting SERIOUS

Windows 2016 Server

The 'Disable OneSettings Downloads' policy setting controls whether Windows attempts to connect with the OneSettings
service to download configuration settings. Sending data to a third-party vendor is a security concern and should only be done
on an as-needed basis. If this policy is enabled, Windows will not attempt to connect with the OneSettings service. If this
policy is disabled or not configured, Windows will periodically attempt to connect with the OneSettings service to download
configuration settings. This setting should be configured as appropriate to the needs of the business.

equal to
1

Disabled (0)

Enabled (1)

Key Not Found

Remediation : Configure the following group policy in accordance with business needs and the organization's security policies.
Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Disable
OneSettings Downloads

5.86 10348 Status of the 'Do not show feedback notifications' setting MEDIUM

Windows 2016 Server

The 'Do not show feedback notifications' policy setting allows an organization to prevent its devices from showing feedback
questions from Microsoft. If this setting is not configured, users may disclose confidential information through feedback. This
setting should be configured according to the business needs.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Do not show
feedback notifications

5.87 23130 Status of the 'Enable OneSettings Auditing' setting SERIOUS

Windows 2016 Server

The 'Enable OneSettings Auditing' policy setting controls whether Windows records attempts to connect with the
OneSettings service in the Operational event log. If events are not recorded, it may be difficult or impossible to determine the
root cause of system problems or the unauthorized activities of malicious users. If this policy is enabled, Windows will record
attempts to connect with the OneSettings service in the Microsoft\Windows\Privacy-Auditing\Operational event log channel. If
this policy is disabled or not configured, Windows will not record attempts to connect with the OneSettings service in the
event log. This setting should be configured as appropriate to the needs of the business.

equal to
1

Disabled (0)

Enabled (1)

Key Not Found


Remediation : Configure the following group policy in accordance with business needs and the organization's security policies.
Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Enable
OneSettings Auditing

5.88 23132 Status of the 'Limit Diagnostic Log Collection' setting SERIOUS

Windows 2016 Server

The 'Limit Diagnostic Log Collection' policy setting controls whether additional diagnostic logs are collected when more
information is needed to troubleshoot a problem on the device. Sending data to a third-party vendor is a security concern and
should only be done on an as-needed basis. If this policy is enabled, diagnostic logs will not be collected. If this policy is
disabled or not configured, Microsoft may occasionally collect diagnostic logs if the device has been configured to send optional
diagnostic data. This setting should be configured as appropriate to the needs of the business.

equal to
1

Disabled (0)

Enabled (1)

Key Not Found

Remediation : Configure the following group policy in accordance with business needs and the organization's security policies.
Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Limit
Diagnostic Log Collection

5.89 23131 Status of the 'Limit Dump Collection' setting SERIOUS

Windows 2016 Server


The 'Limit Dump Collection' policy setting limits the type of dumps that can be collected when more information is needed to
troubleshoot a problem. Sending data to a third-party vendor is a security concern and should only be done on an as-needed
basis. If this policy is enabled, Windows Error Reporting is limited to sending kernel mini dumps and user-mode triage dumps.
If this policy is disabled or not configured, Microsoft may occasionally collect full or heap dumps if the user has opted to send
optional diagnostic data. This setting should be configured as appropriate to the needs of the business.

equal to
1

Disabled (0)

Enabled (1)

Key Not Found

Remediation : Configure the following group policy in accordance with business needs and the organization's security policies.
Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Limit
Dump Collection

5.90 10106 Status of 'Toggle user control over Insider builds' MEDIUM

Windows 2016 Server


The 'Toggle user control over Insider builds' setting determines whether users can access the Insider build controls in the
Advanced Options for Windows Update. These controls are located under 'Get Insider builds' and enable users to make their
devices available for downloading and installing Windows preview software. If this setting is enabled, it gives users access to
Insider builds, experimental features, etc. in an enterprise environment. This can introduce bugs and security holes into
systems, allowing an attacker to gain access. Thus, this setting should be restricted as per the needs of the organization.
Note: This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, or Server 2016. Group Policy
path: Computer Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview
Builds\Toggle user control over Insider builds. Applicable CCE - CCE-41380-7

Disabled (0)

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Data Collection and Preview Builds\Toggle user control
over Insider builds NOTE: This Group Policy path does not exist by default. An additional Group Policy template
(allowbuildpreview.admx/adml) is required - it is included with the Microsoft Windows 10 Administrative Templates.

5.91 3944 Status of the 'Application: Control Event Log behavior when the log file reaches its maximum CRITICAL
size' setting

Windows 2016 Server

The 'Application: Retain old events' Group Policy setting stops logging events when a maximum file size limit is reached. As
this setting may conflict with established continuous logging requirements for forensic purposes, this setting should be
configured according to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following Group Policy setting to Disabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Application\Control Event
Log behavior when the log file reaches its maximum size

5.92 7502 Status of the 'Application: Maximum log size' setting (in KB) CRITICAL

Windows 2016 Server

The 'Application Event Log' provides a standardized method for Windows applications, such as services or other system-
integrated applications, to log (for local or remote viewing) each instance of an application start, stop, or status
change. System logging and adequate log storage are essential to auditing and tracking system security events, but this can be
difficult to balance: log files need enough space to retain a useful longitudinal baseline, yet must be limited in size to prevent the
output itself from becoming a Denial of Service (DoS) attack by filling up the disk storage. The permitted log size should be set
as appropriate to business needs.

greater than or equal to


32768

Key not found

Remediation : Configure the following Group Policy as per the business needs and organization's security policies. Computer
Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Application\Specify the maximum
log file size (KB)

5.93 3943 Status of the 'Security: Control Event Log behavior when the log file reaches its maximum CRITICAL
size' setting

Windows 2016 Server

The [GPO-based] 'Security: Retain old events' Group Policy setting stops logging events when a maximum file size limit is
reached. As this setting may conflict with established continuous logging requirements for forensic purposes, this setting
should be configured according to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following Group Policy setting to Disabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Security\Control Event
Log behavior when the log file reaches its maximum size

5.94 7503 Status of the 'Security: Maximum log size' setting (in KB) CRITICAL

Windows 2016 Server


The GPO-based 'Security Log' provides information on security events, such as logon and privilege use. As these files can
become DoS triggers if allowed to grow continuously, but still need to be large enough to retain a useful amount of data for
performing forensic investigations, the value restricting Security Log size should be set as appropriate to the needs of the
organization.

greater than or equal to


196608

Key not found

Remediation : Configure the following Group Policy as per the business needs and organization's security policies. Computer
Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Security\Specify the maximum log
file size (KB)

5.95 9013 Status of the 'Setup: Control Event Log behavior when the log file reaches its maximum size' SERIOUS
setting

Windows 2016 Server

This policy setting specifies Event Log behavior when the log file reaches its maximum size. If this policy setting is enabled
and a log file reaches its maximum size, new events are not written to the log and are lost. When events are not recorded, it
may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
This setting should be restricted according to the needs of the business.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following Group Policy setting to Disabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Setup\Control Event Log
behavior when the log file reaches its maximum size

5.96 9014 Status of the 'Setup: Maximum Log Size (KB)' setting CRITICAL

Windows 2016 Server

The 'Setup: Maximum Log Size (KB)' setting specifies the maximum size of the log file in kilobytes. If events are not
recorded, it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of
malicious users. This setting should be restricted according to the needs of the business.

greater than or equal to


32768

Key not found

Remediation : To establish the recommended configuration via GP, set the following Group Policy setting to Enabled: 32,768
or greater: Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\Setup\Specify
the maximum log file size (KB)

5.97 3942 Status of the 'System: Control Event Log behavior when the log file reaches its maximum size' Group Policy setting CRITICAL

Windows 2016 Server

@The 'System: Retain old events' Group Policy setting stops logging events when a maximum file size limit is reached. As this
setting may conflict with established continuous logging requirements for forensic purposes, this setting should be configured
according to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following Group Policy setting to Disabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\System\Control Event
Log behavior when the log file reaches its maximum size

5.98 7504 Status of the 'System: Maximum log size' setting (in KB) CRITICAL

Windows 2016 Server

@The GPO-based 'System Event Log' records [operating] system events, such as OS component startup events (for example
the 'Routing/Remote Access' service) and the associated events that occur during process initialization. Setting the 'Max
System Event Log Size' to an appropriate value prevents the log file from becoming a DoS trigger (if it were allowed to grow
unchecked) while keeping it large enough to retain a useful amount of data for a forensic investigation.

greater than or equal to


32768

Key not found

Remediation : Configure the following Group Policy as per the business needs and organization's security policies.
Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service\System\Specify the
maximum log file size (KB)

5.99 8273 Status of the 'Turn off Data Execution Prevention for Explorer' setting CRITICAL

Windows 2016 Server


@The 'Turn off Data Execution Prevention for Explorer' policy setting can allow certain legacy plug-in applications to function
without terminating Windows Explorer. As permitting Explorer to continue functioning during the operation of these applications
can permit the introduction of malware into Explorer, this capability should be set according to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following Group Policy setting to Disabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Turn off Data Execution
Prevention for Explorer

5.100 2621 Status of the 'Turn off heap termination on corruption' setting SERIOUS

Windows 2016 Server


@The 'Turn off heap termination on corruption' setting determines whether or not the system will fail an application if the heap
becomes corrupted. (When this is permitted, applications continue to run even when the heap is corrupted, which is
occasionally necessary for troubleshooting.) As the ability to corrupt the heap may allow a malicious user to compromise a
vulnerable system, it should be restricted as appropriate to the needs of the business.

Disabled (0)

Enabled (1)

Not configured

Remediation : To establish the recommended configuration via GP, set the following Group Policy setting to Disabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Turn off heap termination on
corruption

5.101 2619 Status of the 'Turn off shell protocol protected mode' setting MEDIUM

Windows 2016 Server

@The 'Turn off shell protocol protected mode' setting determines the level of shell protocol functionality. The shell protocol
provides system functionality to allow applications to open folders and/or files. When this setting is enabled, the system will
allow applications to open folders and launch files. When this setting is disabled or not configured, the shell protocol is set to
'protected mode.' When the shell protocol is set to 'protected mode,' applications are permitted to open only a restricted list of
folders and are not permitted to open any files. It is always best practice to turn off any unnecessary services to reduce the
overall threat surface. If this function is not required for the system's operation, it should be disabled to reduce the risk of a
malicious user gaining inappropriate access and/or control.

Disabled (0)

Enabled (1)

Not configured

Remediation : To establish the recommended configuration via GP, set the following Group Policy setting to Disabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Turn off shell protocol
protected mode

5.102 12015 Status of the 'Block all consumer Microsoft account user authentication' (DisableUserAuth)
Group Policy setting CRITICAL

Windows 2016 Server


@'Block all consumer Microsoft account user authentication' group policy setting determines whether applications and
services on the device can utilize new consumer Microsoft account authentication via the Windows OnlineID and
WebAccountManager APIs. Organizations that want to effectively implement identity management policies and maintain firm
control of what accounts are used on their computers will probably want to block Microsoft accounts. Organizations may also
need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information
systems. To prevent applications and services from utilizing this type of authentication, this setting should be enabled as
appropriate to the needs of the business.

Disable (0)

Enable (1)

Not Configured

Remediation : To establish the recommended configuration via Group Policy, set the following Group Policy UI path value as
appropriate. Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft accounts\Block all
consumer Microsoft account user authentication This group policy setting is backed by the following registry location.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftAccount:DisableUserAuth

5.103 9656 Status of the 'Configure local setting override for reporting to Microsoft MAPS' setting MEDIUM

Windows 2016 Server

@The 'Configure local setting override for reporting to Microsoft MAPS' policy setting configures a local override for the
configuration to join Microsoft MAPS. Microsoft Active Protection Service (abbreviated MAPS and formerly known as Microsoft
SpyNet) is the network of Windows Defender and Microsoft Security Essentials users that helps determine which programs are
classified as spyware. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will
take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local
preference setting. This setting should be configured according to the needs of the business.

Disabled (0)

Enabled (1)

Not Configured

Remediation : Run gpedit.msc to open the Group Policy Editor and navigate to the following path: Computer Configuration >
Administrative Templates > Windows Components > Windows Defender (Antivirus) > Maps > Configure local setting override
for reporting to Microsoft MAPS Set the value for the setting as appropriate to the business needs and organization's security
policies.

5.104 13922 Status of 'Attack Surface Reduction' group policy CRITICAL

Windows 2016 Server


@The 'Attack Surface Reduction' feature of Windows Defender Advanced Threat Protection helps prevent actions and
behavior that malware typically uses to infect a system. The 'Configure Attack Surface Reduction rules' group policy is used
to configure the state of individual Attack Surface Reduction (ASR) rules. As ASR rules directly affect the behavior of the
system and can prevent certain functions of the system from performing correctly if not configured appropriately, this group
policy should be configured in accordance with business needs and organization's security policies.

Enable (1)

Feature not available in this build (300000000000000)

key not found

Remediation : # Configure the following group policy in accordance with business needs and organization's security policies.
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Antivirus\Windows
Defender Exploit Guard\Attack Surface Reduction\Configure Attack Surface Reduction rules

5.105 25357 Status of 'Block abuse of exploited vulnerable signed drivers' ASR rule (56a863a9-875e-4185-
98a7-b882c64b5ce5) CRITICAL

Windows 2016 Server

@This rule prevents an application from writing a vulnerable signed driver to disk. In the wild, vulnerable signed drivers can be
exploited by local applications - that have sufficient privileges - to gain access to the kernel. Because vulnerable signed drivers
enable attackers to disable or circumvent security solutions, eventually leading to system compromise, this rule should be
configured according to the business needs and organization's security policies.

matches regular expression list


^1$

Not Configured or Disabled

Remediation : # Configure the '56a863a9-875e-4185-98a7-b882c64b5ce5' rule under the following group policy in accordance
with business needs and the organization's security policies. Computer Configuration\Policies\Administrative
Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface
Reduction\Configure Attack Surface Reduction rules: Set the state for each ASR rule

5.106 13924 Status of 'Block all Office applications from creating child processes' ASR rule (D4F940AB-
401B-4EFC-AADC-AD5F3C50688A) CRITICAL

Windows 2016 Server

@Microsoft Office applications are a common target for attackers seeking to compromise a system. The 'Attack Surface
Reduction' (ASR) feature of Windows Defender Advanced Threat Protection helps prevent actions and behavior that malware
typically uses to infect a system. Microsoft Office applications are frequently exploited by attackers to launch or download
malicious executables and compromise the system. The 'Block all Office applications from creating child processes' ASR rule
can be configured to block, audit or ignore creation of child processes by the Office apps and thus should be configured
according to the business needs and organization's security policies.

Off (0)

Block (1)

Audit (2)

Feature not available in this build (300000000000000)

key not found

Remediation : # Configure the 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' rule under the following group policy in
accordance with business needs and organization's security policies. Computer Configuration\Policies\Administrative
Templates\Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface
Reduction\Configure Attack Surface Reduction rules: Set the state for each ASR rule

5.107 14883 Status of 'Block Office communication application from creating child processes' ASR rule (26190899-1602-
49e8-8b27-eb1d0a1ce869) CRITICAL

Windows 2016 Server

@Microsoft Office applications are a common target for attackers seeking to compromise a system. The 'Attack Surface
Reduction' (ASR) feature of Windows Defender Advanced Threat Protection helps prevent Outlook from creating child
processes. It protects against social engineering attacks and prevents exploit code from abusing a vulnerability in Outlook. To
achieve this, the rule prevents the launch of additional payloads while still allowing legitimate Outlook functions. It also protects
against Outlook rules and forms exploits that attackers can use when a user's credentials are compromised. The 'Block Office
communication application from creating child processes' ASR rule can be configured to block, audit or ignore such events and
thus should be configured as per business needs and the organization's security policy.

Off (0)

Block (1)

Audit (2)

Feature not available in this build (300000000000000)

key Not Found

Remediation : Go to the following path and configure the '26190899-1602-49e8-8b27-eb1d0a1ce869' rule as per the business
needs or organization's security policy. Computer Configuration\Policies\Administrative Templates\Windows
Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Configure Attack
Surface Reduction rules: Set the state for each ASR rule

5.108 13923 Status of 'Block Office applications from injecting code into other processes' ASR rule
(75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84) CRITICAL

Windows 2016 Server

@Microsoft Office applications are a common target for attackers seeking to compromise a system. The 'Attack Surface
Reduction' (ASR) feature of Windows Defender Advanced Threat Protection helps prevent actions and behavior that malware
typically uses to infect a system. Microsoft Office applications are frequently used by attackers to inject code into other
processes on the machine to hide from antivirus/antimalware programs. The 'Block Office applications from injecting code into
other processes' ASR rule can be configured to block, audit or ignore such events and thus should be configured according to
the business needs and organization's security policies.

Off (0)

Block (1)

Audit (2)

Feature not available in this build (300000000000000)

key not found

Remediation : # Configure the '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' rule under the following group policy in
accordance with business needs and organization's security policies. Computer Configuration\Policies\Administrative
Templates\Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface
Reduction\Configure Attack Surface Reduction rules: Set the state for each ASR rule

5.109 13926 Status of 'Block execution of potentially obfuscated scripts' ASR rule (5BEB7EFE-FD9A-4556-
801D-275E5FFC04CC) CRITICAL

Windows 2016 Server

@Microsoft Office applications are a common target for attackers seeking to compromise a system. The 'Attack Surface
Reduction' (ASR) feature of Windows Defender Advanced Threat Protection helps prevent actions and behavior that malware
typically uses to infect a system. To evade detection, malware can hide itself by obfuscating its code or hiding inside other
scripts. The 'Block execution of potentially obfuscated scripts' ASR rule can be configured to block, audit or ignore scripts that
appear to be obfuscated and thus should be configured according to the business needs and organization's security
policies.

Off (0)

Block (1)

Audit (2)

Feature not available in this build (300000000000000)

key not found

Remediation : # Configure the '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' rule under the following group policy in
accordance with business needs and organization's security policies. Computer Configuration\Policies\Administrative
Templates\Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface
Reduction\Configure Attack Surface Reduction rules: Set the state for each ASR rule

5.110 13929 Status of 'Block untrusted and unsigned processes that run from USB' ASR rule (b2b3f03d-
6a65-4f7b-a9c7-1c7ef74a9ba4) CRITICAL

Windows 2016 Server


@The 'Attack Surface Reduction' (ASR) feature of Windows Defender Advanced Threat Protection helps prevent actions and
behavior that malware typically uses to infect a system. The 'Block untrusted and unsigned processes that run from USB' ASR
rule is used to either block, audit or ignore executable and script files stored on a USB device or SD card. Thus, this rule
should be configured according to the business needs and organization's security policies.

Off (0)

Block (1)

Audit (2)

Feature not available in this build (300000000000000)

key not found

Remediation : # Configure the 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' rule under following group policy in accordance with
business needs and organization's security policies. Computer Configuration\Policies\Administrative Templates\Windows
Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Configure Attack
Surface Reduction rules: Set the state for each ASR rule

5.111 13928 Status of 'Block executable content from email client and webmail' ASR rule (BE9BA2D9-
53EA-4CDC-84E5-9B1EEEE46550) CRITICAL

Windows 2016 Server

@The 'Attack Surface Reduction' (ASR) feature of Windows Defender Advanced Threat Protection helps prevent actions and
behavior that malware typically uses to infect a system. The 'Block executable content from email client and webmail' ASR rule
is used to either block, audit or ignore executable files, script files and script archive files attached to emails in Microsoft
Outlook and webmail. Thus, this rule should be configured according to the business needs and organization's security
policies.

Off (0)

Block (1)

Audit (2)

Feature not available in this build (300000000000000)

key not found

Remediation : # Configure the 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' rule under the following group policy in
accordance with business needs and organization's security policies. Computer Configuration\Policies\Administrative
Templates\Windows Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface
Reduction\Configure Attack Surface Reduction rules: Set the state for each ASR rule

5.112 13932 Status of 'Block Office applications from creating executable content' ASR rule (3B576869-
A4EC-4529-8536-B80A7769E899) CRITICAL

Windows 2016 Server

@Microsoft Office applications are a common target for attackers seeking to compromise a system. The 'Attack Surface
Reduction' (ASR) feature of Windows Defender Advanced Threat Protection helps prevent actions and behavior that malware
typically uses to infect a system. Malicious Microsoft Office application add-ons can create or launch executable files to
compromise the system. The 'Block Office applications from creating executable content' ASR rule can be configured to block,
audit or ignore creation of executable content by Office apps and thus should be configured according to the business needs
and organization's security policies.

Off (0)

Block (1)

Audit (2)

Feature not available in this build (300000000000000)

key not found

Remediation : # Configure the '3B576869-A4EC-4529-8536-B80A7769E899' rule under following group policy in accordance
with business needs and organization's security policies. Computer Configuration\Policies\Administrative Templates\Windows
Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Configure Attack
Surface Reduction rules: Set the state for each ASR rule

5.113 14884 Status of 'Block Adobe Reader from creating child processes' ASR rule (7674ba52-37eb-4a4f-
a9a1-f0f9a1619a2c) CRITICAL

Windows 2016 Server

@Adobe Reader is a common target for attackers seeking to compromise a system. Through social engineering or exploits,
malware can download and launch additional payloads and break out of Adobe Reader. The 'Attack Surface Reduction' (ASR)
feature of Windows Defender Advanced Threat Protection helps prevent such attacks by blocking Adobe Reader from creating
additional processes. The 'Block Adobe Reader from creating child processes' ASR rule can be configured to block, audit or
ignore such events and thus should be configured according to the business needs and organization's security policies.

Off (0)

Block (1)

Audit (2)

Feature not available in this build (300000000000000)


Key Not Found

Remediation : Go to the following path and configure the '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' rule as per the business
needs or organization's security policy. Computer Configuration\Policies\Administrative Templates\Windows
Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Configure Attack
Surface Reduction rules: Set the state for each ASR rule

5.114 13930 Status of 'Block credential stealing from the Windows local security authority subsystem
(lsass.exe)' ASR rule (9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) CRITICAL

Windows 2016 Server

@The 'Attack Surface Reduction' (ASR) feature of Windows Defender Advanced Threat Protection helps prevent actions and
behavior that malware typically uses to infect a system. The Local Security Authority Subsystem Service (LSASS) manages
authentication on Windows systems. If not protected, malicious access to LSASS can result in clear-text passwords or NTLM
hashes being compromised. The 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)'
ASR rule is used to either block, audit or ignore access to LSASS. Thus, this rule should be configured according to the
business needs and organization's security policies.

Off (0)

Block (1)

Audit (2)

Feature not available in this build (300000000000000)

key not found

Remediation : # Configure the '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' rule under following group policy in accordance with
business needs and organization's security policies. Computer Configuration\Policies\Administrative Templates\Windows
Components\Windows Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Configure Attack
Surface Reduction rules: Set the state for each ASR rule
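As an added example (not part of this CIS policy document), the following PowerShell reports the configured and effective state of the ASR rules listed in controls 5.105 to 5.114, together with the parent 'Configure Attack Surface Reduction rules' state from control 5.104. The registry path and the ExploitGuard_ASR_Rules value name are assumed from the Defender ADMX template, not taken from the page; the Get-MpPreference properties are those of the Defender PowerShell module.

```powershell
# Added example (not from the CIS policy document): report ASR rule states on a
# Windows Server 2016 host running Microsoft Defender Antivirus.
# Registry path and value names below are assumed from the Defender ADMX template
# behind 'Configure Attack Surface Reduction rules'. Run from an elevated session.

# Rule GUIDs and names as listed in controls 5.105-5.114 (lower-cased for lookup)
$AsrRules = [ordered]@{
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS (lsass.exe)'
}

# State values as used by the policy: 0 = Off, 1 = Block, 2 = Audit
$StateNames = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit' }

function ConvertTo-StateName {
    param([AllowNull()][object]$Value, [string]$Missing)
    if ($null -eq $Value) { return $Missing }
    if ($StateNames.ContainsKey([int]$Value)) { return $StateNames[[int]$Value] }
    return "Unknown ($Value)"
}

function Get-AsrRuleReport {
    [CmdletBinding()]
    param()

    # Assumed policy-backed registry location written by the GPO
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR'
    $rulesKey  = Join-Path $policyKey 'Rules'

    # Control 5.104: the parent policy must be Enabled (1) for per-rule states to apply
    $parent = Get-ItemProperty -Path $policyKey -Name 'ExploitGuard_ASR_Rules' -ErrorAction SilentlyContinue
    $policyEnabled = ($null -ne $parent) -and ([int]$parent.ExploitGuard_ASR_Rules -eq 1)

    # Per-rule GPO values: value name = rule GUID, data = '0' | '1' | '2'
    $gpoStates = @{}
    $rulesItem = Get-ItemProperty -Path $rulesKey -ErrorAction SilentlyContinue
    if ($rulesItem) {
        foreach ($prop in $rulesItem.PSObject.Properties) {
            # -match is case-insensitive; skips PSPath, PSParentPath and similar properties
            if ($prop.Name -match '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') {
                $gpoStates[$prop.Name.ToLowerInvariant()] = [int]$prop.Value
            }
        }
    }

    # Effective state as seen by the Defender engine; Ids and Actions are paired by index.
    # On builds without ASR support these properties are empty ('Feature not available').
    $effective = @{}
    $pref = Get-MpPreference
    if ($pref.AttackSurfaceReductionRules_Ids) {
        for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
            $id = ([string]$pref.AttackSurfaceReductionRules_Ids[$i]).ToLowerInvariant()
            $effective[$id] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        }
    }

    foreach ($guid in $AsrRules.Keys) {
        $gpo = if ($gpoStates.ContainsKey($guid)) { $gpoStates[$guid] } else { $null }
        $eff = if ($effective.ContainsKey($guid)) { $effective[$guid] } else { $null }
        [pscustomobject]@{
            Rule          = $AsrRules[$guid]
            Guid          = $guid
            PolicyEnabled = $policyEnabled
            GpoState      = ConvertTo-StateName -Value $gpo -Missing 'Key not found'
            Effective     = ConvertTo-StateName -Value $eff -Missing 'Not configured'
            # Block mode with the parent policy enabled is the 'Block (1)' expectation of 5.105-5.114
            IsBlocking    = $policyEnabled -and ($eff -eq 1)
        }
    }
}

Get-AsrRuleReport | Format-Table -AutoSize
```

Rules reported as 'Key not found' under GpoState but with an Effective state were set outside Group Policy (for example with Set-MpPreference) and will not be reflected in the policy-based check.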

5.115 13931 Status of 'Prevent users and apps from accessing dangerous websites' setting CRITICAL

Windows 2016 Server


@The Windows Defender Network Protection feature in Windows 10 prevents users from accessing potentially
malicious/dangerous Internet domains that may host phishing scams, exploits, and other malicious content. Outbound (HTTP
and HTTPS) traffic to resources that have a low reputation is blocked when this feature is used. Thus, the 'Prevent users and
apps from accessing dangerous websites' group policy should be configured in accordance with business needs and
organization's security policies.

Disable (0)

Block (1)

Audit Mode (2)

Feature not available in this build (300000000000000)

key not found

Remediation : # Configure the following group policy in accordance with business needs and organization's security policies.
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Antivirus\Windows
Defender Exploit Guard\Network Protection\Prevent users and apps from accessing dangerous websites

5.116 19065 Status of the 'Enable file hash computation feature' setting SERIOUS

Windows 2016 Server

@The 'Enable file hash computation feature' setting allows Microsoft Defender to compute the hash value for every file it
scans. Hash computation can affect the availability of the user's system if the CPU is underpowered or not optimized.
Computing the hash of a file allows its integrity to be verified. Thus, configure this setting as per the business requirements
or the organization's security policy.

equal to

1

Enabled (1)

Disabled (0)

Key Not Found

Remediation : #Configure the following setting as per the business requirements or the organization's security policy.
Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\'Enable file
hash computation feature'

5.117 9449 Status of 'Scan all downloaded files and attachments' setting MEDIUM

Windows 2016 Server

@The 'Scan all downloaded files and attachments' policy setting allows you to configure scanning for all downloaded files and
attachments. If this setting is not configured, there is always a risk that a downloaded file may contain a virus or a program
that can damage your computer or your information. This setting should be configured according to the needs of the
business.

Enabled (0)

Disabled (1)

Not Configured

Remediation : Go to the following path and configure the 'Scan all downloaded files and attachments' setting according to the
business needs or organization's security policy. Computer Configuration\Administrative Templates\Windows
Components\Windows Defender Antivirus\Real-time Protection\Scan all downloaded files and attachments

5.118 16871 Status of the 'Real-time Protection (Turn off real-time protection)' setting SERIOUS

Windows 2016 Server

@Windows Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on
your computer. The 'Turn off real-time protection' policy setting turns off real-time protection prompts for known malware
detection. If you enable this policy setting, Windows Defender Antivirus will not prompt users to take action on malware
detections. Configure this setting according to business requirements and security policies.

Enabled (1)

Disabled (0)

Key Not Found

Remediation : Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components ->
Windows Defender Antivirus -> Real-time Protection-> "Turn off real-time protection" to "Enabled/Disabled"

5.119 9461 Status of 'Turn on behavior monitoring' setting MEDIUM

Windows 2016 Server

@The 'Turn on behavior monitoring' policy setting allows the application to automatically and anonymously send an activity log
to the cloud for analysis. Behavior Monitoring helps identify malicious patterns based on behavior, which means that it could
block malware aimed at files, registry, processes, threads, and network. If this setting is not configured, malware may be
installed on the machine, causing corruption and unavailability of the system. This setting should be configured according to
the needs of the business.

Enabled (0)

Disabled (1)

Not Configured

Remediation : Run gpedit.msc to open the Group Policy Editor and navigate to the following path: Computer Configuration >
Administrative Templates > Windows Components > Windows Defender > Real-time Protection > Turn on behavior monitoring
Set the value for the setting as appropriate to the business needs and organization's security policies.

5.120 22350 Status of the Disable Script Scanning setting. MEDIUM

Windows 2016 Server

@The 'DisableScriptScanning' setting allows or disallows Windows Defender Script Scanning functionality. The Microsoft
Defender Antivirus scans the scripts before the execution and blocks the malicious scripts from executing on the system.
Thus, configure this setting as per the business needs or the organization’s security policy.

matches regular expression list


^0$

Key Not Found

Remediation : #Configure the following setting as per the business requirements or the organization's security policy.
Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time
Protection\Turn on script scanning

5.121 9525 Status of 'Scan packed executables' setting MEDIUM

Windows 2016 Server


@The 'Scan packed executables' policy setting allows you to configure scanning of packed executables before they are
installed on the machine. If this setting is not configured on the machine, users can install malicious executables, which may
lead to compromise of the system. This setting should be configured according to the needs of the business.

Enabled (0)

Disabled (1)

Not Configured

Remediation : #Configure the following setting as per the business needs or the organization's security policy. Computer
Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Scan\Scan packed executable

5.122 9453 Status of 'Scan removable drives (Windows Defender)' setting MEDIUM

Windows 2016 Server

@The policy 'Windows Defender-Scan removable drives' setting allows you to manage whether or not to scan for malicious
software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. If
this setting is not configured on the machine, then automatic exclusions may adversely impact performance, or result in data
corruption. This setting should be configured according to the needs of the business.

Enabled (0)

Disabled (1)

Not Configured

Remediation : Run gpedit.msc to open the Group Policy Editor and navigate to the following path: Computer Configuration >
Administrative Templates > Windows Components > Windows Defender > Scan > Scan removable drives Set the value for the
setting as appropriate to the business needs and organization's security policies.

5.123 9537 Status of 'Windows Defender - Turn on e-mail scanning' setting MEDIUM

Windows 2016 Server


@The 'Windows Defender - Turn on e-mail scanning' policy setting allows you to configure e-mail scanning. With e-mail
scanning, the engine parses the mailbox and mail files, according to their specific format, in order to analyze the mail bodies
and attachments. Without it, an infected file inside a mailbox may be overlooked because it is not scanned. This setting should
be configured according to the needs of the business.

Enabled (0)

Disabled (1)

Not Configured

Remediation : Run gpedit.msc to open the Group Policy Editor and navigate to the following path: Computer Configuration >
Administrative Templates > Windows Components > Windows Defender > Scan > Turn on e-mail scanning Set the value for
the setting as appropriate to the business needs and organization's security policies.

5.124 14413 Status of the 'Configure detection for potentially unwanted applications' setting SERIOUS

Windows 2016 Server

@This group policy is used to enable or disable detection for potentially unwanted applications. The values can be block,
audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. The
Windows application should be installed as appropriate to the business needs.

Disable(Default) (0)

Block (1)

Audit Mode (2)

Key not found

Remediation : Review the result and ensure that setting is configured or in line with business needs and organization's
security policies. Computer Configuration\Administrative Templates\Windows Components\Windows Defender
Antivirus\Configure detection for potentially unwanted applications

5.125 10969 Status of 'Turn off Windows Defender' setting CRITICAL

Windows 2016 Server

@Windows Defender provides real-time protection against malware and other potentially unwanted software. If the 'Turn off
Windows Defender' setting is set to Enabled, real-time scanning of new files will not occur, so malware and potentially
unwanted software may go undetected. This setting should be configured according to the needs of the business.

Disabled (0)

Enabled (1)

Not Configured

Remediation : Go to the following path and configure the 'Turn off Windows Defender AntiVirus' setting according to the
business needs or organization's security policy. Computer Configuration\Policies\Administrative Templates\Windows
Components\Windows Defender Antivirus\Turn off Windows Defender AntiVirus

5.126 9404 Status of the 'Prevent the usage of OneDrive for file storage' (Skydrive) group policy setting MEDIUM

Windows 2016 Server

@The 'Prevent the usage of OneDrive for file storage' policy setting allows you to prevent apps and features from working with
files on OneDrive. If this setting is not configured on the machine, users are not forced to store their work files in the storage
solution that is designed for business. This setting should be configured according to the needs of the business.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following Group Policy setting to Enabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\OneDrive\Prevent the usage of OneDrive
for file storage NOTE: This Group Policy path may not exist by default. An additional Group Policy template
(SkyDrive.admx/adml) may be required - it is included with the Microsoft Windows 10 Administrative Templates. Due to
conflicting settings with the older Windows 8.1/2012R2 template of the same name, we recommend renaming this Windows
10 template to "OneDrive.admx/adml" before adding it to your ADMX repository or Central Store, so both versions can coexist.
Likewise, ensure that any Windows 8.1/2012R2 versioned template is named "SkyDrive.admx/adml" before placing it in your
ADMX repository or Central Store.

5.127 3876 Status of the 'Do not allow passwords to be saved' setting (Terminal Services)
CRITICAL

Windows 2016 Server

@The 'Do not allow passwords to be saved' policy setting prevents users of Terminal Services from saving their passwords
within the local client files. As with all credentials used to access critical systems/data, their protection must have primacy in
any responsible security program to avoid misuse by malicious users. Best practice dictates that the number of locations in which
credentials are stored should be kept to a minimum to reduce the threat landscape to a manageable level. This check can
be run periodically to ensure the requirements and expectations of the business are being met regarding the protections
defined by internal policy or regulation(s).

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following Group Policy setting to Enabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop
Connection Client\Do not allow passwords to be saved

5.128 3875 Status of the 'Do not allow drive redirection' setting (Terminal Services)
SERIOUS

Windows 2016 Server


@The 'Do not allow drive redirection' policy setting is responsible for preventing client drive mapping in Terminal Services
sessions. Redirected drives appear in the Windows Explorer folder structure and are re-established on every connection once
such mappings exist; this setting stops the mapping from occurring. Because drive mappings may be used for nefarious
purposes resulting in data leakage, corruption or deletion, this capability should be disabled on production systems whenever
possible to reduce the threat landscape to manageable/acceptable levels.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session
Host\Device and Resource Redirection\Do not allow drive redirection

5.129 3891 Status of the 'Always prompt for password upon connection' setting (Terminal Services)
CRITICAL

Windows 2016 Server

@By default, users can store their credentials when creating shortcuts for Remote Desktop connections, which allows
them to log on without having to enter a password. This control checks whether the Terminal Services server overrides that
default by requiring a password to be entered for every connection request, regardless of what the client has stored. If cached
credentials are allowed in shortcuts, a malicious user who obtains the shortcut could use the stored credentials to gain access to
sensitive systems and data. Run this check periodically to ensure that all security settings meet the needs and requirements
of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session
Host\Security\Always prompt for password upon connection

5.130 4133 Status of the 'Require secure RPC communication' setting
SERIOUS

Windows 2016 Server

@The 'Require secure RPC communication' Group Policy setting requires that RDP-based RPC traffic have strengthened
communications security, by accepting only authenticated/encrypted connection requests. As secure RPC communications
can significantly alleviate security risks but may break connections with legacy applications, this capability should be
configured according to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session
Host\Security\Require secure RPC communication

5.131 10431 Status of the 'Require use of specific security layer for remote (RDP) connections' setting MEDIUM

Windows 2016 Server

@The 'Require use of specific security layer for remote (RDP) connections' policy setting specifies whether to require the use
of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop
Protocol (RDP) connections. If this setting is not configured, the security method used for remote connections to RD Session
Host servers is not enforced through Group Policy, which could allow a less secure remote connection. This setting should be
configured according to the business needs.

RDP (0)

Negotiate (1)

SSL (2)

Not Configured

Remediation : Review and verify the result and ensure that the setting is configured as per the business needs or
organization's security policies. Computer Configuration\Policies\Windows Components\Remote Desktop Services\Remote
Desktop Session Host\Security: Require use of specific security layer for remote (RDP) connections

5.132 10404 Status of the 'Require user authentication for remote connections by using Network Level
Authentication' setting SERIOUS

Windows 2016 Server

@The 'Require user authentication for remote connections by using Network Level Authentication' policy setting allows you to
specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level
Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote
connection process. Not configuring this policy setting provides less security because user authentication will occur later in the
remote connection process. This setting should be configured according to the business needs.

Disabled (0)

Enabled (1)

Not Configured

Remediation : Configure the following Group Policy to set "Require user authentication for remote connections by
using Network Level Authentication" as appropriate to the business needs and organization's security policies.
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session
Host\Security\Require user authentication for remote connections by using Network Level Authentication

5.133 2635 Status of the 'Set Client Connection Encryption Level' setting (Terminal Services)
SERIOUS

Windows 2016 Server

@The 'Set Client Connection Encryption Level' setting determines the level of encryption used to secure Terminal Services
(Remote Desktop Protocol) communications between client and server. The policy setting has four possible configurations to
determine the level of encryption used to secure data sent between the terminal servers and clients. A policy setting of 'High'
secures communications using 128-bit encryption. A policy setting of 'Client Compatible' secures communications using the
maximum encryption key length supported by the client. A policy setting of 'Low' secures communications using 56-bit
encryption. When the policy setting is disabled or not configured, data sent between the client and terminal server will not be
encrypted. As sensitive and/or confidential information is susceptible to interception by a malicious user, data sent using
Terminal Services communications should be secured using an encryption policy appropriate to the needs of the business.

Low Level (1)

Client Compatible (2)

High Level (3)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: High Level: Computer
Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session
Host\Security\Set client connection encryption level

5.134 4140 Status of the 'Do not delete temp folder upon exit' setting MEDIUM

Windows 2016 Server

@The 'Do Not Delete Temp Folder upon Exit' Group Policy setting determines whether or not Terminal Services will retain
temporary folders created during a session. Temporary folders within a user profile on the Terminal Services server may hold
user-critical data while also providing a potential vector for the installation of malware and/or privilege escalation exploits, so
this setting should be configured according to the needs of the business.

Enabled (0)

Disabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session
Host\Do not delete temp folders upon exit

5.135 4139 Status of the 'Do not use temporary folders per session' Group Policy setting MEDIUM

Windows 2016 Server


@The 'Do not use temporary folders per session' Group Policy setting determines whether or not Terminal Services may
create temporary folders in a session. As temporary folder creation within a user profile on the Terminal Services server may
provide a vector for the installation of malware or privilege escalation exploits, this setting should be configured according to
the needs of the business.

Enabled (0)

Disabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session
Host\Temporary Folders\Do not use temporary folders per session

5.136 2612 Status of the 'Turn off downloading of enclosures' setting (Internet Explorer)
SERIOUS

Windows 2016 Server

@The 'Turn off downloading of enclosures' setting determines whether or not users are permitted to download enclosures (file
attachments) from RSS feeds. RSS feeds use "enclosures" to attach multimedia content to a feed. The actual content is not
embedded in the feed; instead, an enclosure consists of a hyperlink to the files associated with the entry. When this policy
setting is enabled, users are not permitted to download such enclosures from RSS feeds. Uncontrolled/unmanaged file
downloads may contain malicious software such as viruses or Trojans, so this feature should be disabled as appropriate to the
needs of the business.

Disabled (0)

Enabled (1)

RegSubKey not found

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\RSS Feeds\Prevent downloading of enclosures

5.137 4119 Status of the 'Allow indexing of encrypted files' setting MEDIUM

Windows 2016 Server

@The Windows Group Policy setting 'Allow indexing of encrypted files' permits the indexing/searching of the contents and/or
properties of files that have been encrypted. As this capability might facilitate unauthorized access to confidential materials, it
should be configured according to the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Search\Allow indexing of encrypted files NOTE: This
Group Policy path does not exist by default. An additional Group Policy template (Search.admx/adml) is required - it is
included with the Microsoft Windows Vista, 2008, 7/2008R2, 8/2012, 8.1/2012R2 and Windows 10 Administrative Templates.

5.138 8274 Status of the 'Configure Windows Defender SmartScreen' setting
SERIOUS

Windows 2016 Server

@The 'Configure Windows Defender SmartScreen' setting allows you to manage the behavior of Windows SmartScreen.
Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the
Internet. If this setting is disabled or not configured, Windows SmartScreen behavior is managed by administrators on the PC
by using Windows SmartScreen Settings in Action Center. This should be set as appropriate to the needs of the business.

Disabled (0)

Enabled (1)

Key not found


Remediation : Configure the following setting as per the business requirements or the organization's security policy. To do
this configuration via Group Policy Editor, use either of the following UI paths. Computer
Configuration\Policies\Administrative Templates\Windows Components\File Explorer\Configure Windows Defender
SmartScreen OR Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender
SmartScreen\Explorer\Configure Windows Defender SmartScreen Note: In older versions of the ADMX files, this setting is known
as 'Configure Windows SmartScreen'. Both Group Policy paths are backed by the same registry key.

5.139 13343 Status of the 'Configure Windows Defender SmartScreen - Pick one of the following' setting
SERIOUS

Windows 2016 Server


@The 'Configure Windows Defender SmartScreen - Pick one of the following' setting specifies whether Windows Defender
SmartScreen is on or off. Windows Defender SmartScreen protects the system by warning users before running potentially
malicious programs downloaded from the Internet. Warning prompts help to provide an early warning system against
websites that might engage in phishing attacks or attempt to distribute malware through a socially engineered attack. In order
to protect the system from intentional or unintentional attacks, it is recommended to configure this setting properly and
according to the business needs.

Registry not found

Warn and prevent bypass (Block)

Warn (Warn)

Remediation : Configure the following Group Policy to define the 'ShellSmartScreenLevel' setting as appropriate to the
business needs and organization's security policies. Navigate to Computer Configuration >> Administrative Templates >> Windows
Components >> File Explorer >> "Configure Windows Defender SmartScreen" and configure the value as appropriate to the
needs of the business. Example: configure the policy value for Computer Configuration >> Administrative Templates >>
Windows Components >> File Explorer >> "Configure Windows Defender SmartScreen" to "Enabled" with "Warn and prevent
bypass" selected. v1703 of Windows 10 includes duplicate policies for this setting; it can also be configured under Computer
Configuration >> Administrative Templates >> Windows Components >> Windows Defender SmartScreen >> Explorer. For v1607
of Windows 10, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components
>> File Explorer >> "Configure Windows SmartScreen" to "Enabled" (selection options are not available). For v1511 of Windows
10, configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> File
Explorer >> "Configure Windows SmartScreen" to "Enabled" with "Require approval from an administrator before running
downloaded unknown software" selected.

5.140 11198 Status of the 'Allow Windows Ink Workspace' setting
SERIOUS

Windows 2016 Server

@Allowing any apps to be accessed while the system is locked is not recommended. If this feature is permitted, it should only be
accessible once a user authenticates with the proper credentials. The setting should be configured according to the needs of
the business.

Disabled (0)

On, but disallow access above lock (1)

On (2)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: On, but disallow
access above lock OR Disabled: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows
Ink Workspace\Allow Windows Ink Workspace

5.141 2618 Status of the 'Enable user control over installs' setting MEDIUM

Windows 2016 Server

@The 'Enable user control over installs' setting determines whether or not the system permits a user to modify the installation
options of Windows Installer. The Windows Installer contains default security features that prevent users from modifying
installation options such as the installation directory. When this setting is enabled, users are permitted to modify the installation
options of Windows Installer. The ability to modify these options is typically restricted to system administrators. As enabling
this setting bypasses several of the default security features of Windows Installer, this functionality should be
restricted/disabled as appropriate to the needs of the business.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Windows Installer\Allow user control over installs

5.142 8198 Status of the 'Windows Installer: Set Always install with elevated privileges' setting
CRITICAL

Windows 2016 Server

@The 'Windows Installer: Set Always install with elevated privileges' setting, when enabled, directs Windows Installer to use
elevated privileges when installing any program on the system. Without elevated privileges, a program installation runs with
the current user's permissions. This value should be set according to the needs of the business.

equal to 0

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Windows Installer\Always install with elevated
privileges
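The 'Always install with elevated privileges' control above is one where a machine-only check can mislead: Windows Installer honours the policy only when it is enabled in both the machine hive and the hive of the user running the installation. The following PowerShell is an added example, not part of the CIS policy export or of any CIS/Qualys tooling; it evaluates the effective state by reading both hives. The registry key path is the one the Windows Installer ADMX template writes and is stated here as an assumption to verify against your own ADMX files, since the page gives only the Group Policy UI path.

```powershell
# Added example, not part of the CIS policy export. Evaluates whether 'Always
# install with elevated privileges' (control 5.142) is actually in effect:
# Windows Installer honours the policy only when it is enabled in BOTH the
# machine hive and the hive of the user running the installation, so auditing
# HKLM alone can under- or over-report the exposure. The key path is the one
# the Windows Installer ADMX writes (assumption: verify against your ADMX).

function Get-AlwaysInstallElevatedState {
    param(
        # Parameters so the check can be pointed at a loaded offline hive or
        # at another user's hive during an investigation.
        [string]$MachineKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        [string]$UserKey    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $read = {
        param($Key)
        $p = Get-ItemProperty -Path $Key -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
        if ($null -eq $p) { $null } else { [int]$p.AlwaysInstallElevated }
    }
    $machine = & $read $MachineKey
    $user    = & $read $UserKey

    # Elevated installs happen only when both hives say 1. A missing value is
    # the page's "Key not found" state and behaves like the default (0) here.
    $effective   = ($machine -eq 1) -and ($user -eq 1)
    $machineText = if ($null -eq $machine) { 'Key not found' } else { $machine }
    $userText    = if ($null -eq $user)    { 'Key not found' } else { $user }
    $status      = if ($effective) { 'FAIL: set the policy to Disabled (0) in both hives' } else { 'PASS' }

    [pscustomobject]@{
        Control          = '5.142'
        MachineValue     = $machineText
        UserValue        = $userText
        ElevatedInstalls = $effective
        Status           = $status
    }
}

Get-AlwaysInstallElevatedState | Format-List
```

Run it in the context of the account whose installations you care about, because HKCU is that account's hive; for a service or scheduled-task account, point the UserKey parameter at that user's loaded hive instead.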

5.143 9015 Status of the 'Sign-in last interactive user automatically after a system-initiated restart' setting
CRITICAL

Windows 2016 Server

@The 'Sign-in last interactive user automatically after a system-initiated restart' setting specifies whether the device will
automatically sign in the last interactive user after Windows Update restarts the system. If the setting is not configured, a
malicious user could gain access to the automatically signed-in session and compromise the system. This setting should be
restricted according to the needs of the business.

Enabled (0)

Disabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Windows Logon Options\Sign-in last interactive user
automatically after a system-initiated restart

5.144 8249 Status of the 'Allow Basic authentication' setting (WinRM client)
SERIOUS

Windows 2016 Server

@The 'Allow Basic authentication' policy setting allows you to manage whether the Windows Remote Management (WinRM)
client uses Basic authentication. If this policy setting is enabled, the WinRM client will use Basic authentication. If the setting is
disabled or not configured, the WinRM client will not use Basic authentication. When Basic authentication is used over an HTTP
transport, the username and password are sent over the network in clear text. Basic authentication is weaker than other
authentication methods because login credentials, including passwords, are transmitted in plain text. An attacker who can
capture packets on the network can easily obtain the credentials used to access remote hosts via WinRM.
This setting should be set as per the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM
Client\Allow Basic authentication

5.145 8253 Status of the 'Allow unencrypted traffic' setting (WinRM client)
SERIOUS

Windows 2016 Server

@The 'Allow unencrypted traffic' policy setting allows you to manage whether the Windows Remote Management (WinRM)
client sends and receives unencrypted messages over the network. If this policy setting is enabled, the WinRM client sends
and receives unencrypted messages over the network. If it is disabled or not configured, the WinRM client sends and receives
only encrypted messages over the network. Encrypting WinRM network traffic reduces the risk of an attacker viewing or
modifying WinRM messages as they transit the network. This setting should be set as per the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM
Client\Allow unencrypted traffic

5.146 8248 Status of the 'Disallow Digest authentication' setting (WinRM client)
CRITICAL

Windows 2016 Server

@The 'Disallow Digest authentication' policy setting allows you to manage whether the Windows Remote Management
(WinRM) client uses Digest authentication. If this policy is enabled, the WinRM client will not use Digest authentication.
If the policy setting is disabled or not configured, the WinRM client will use Digest authentication. Digest authentication is less
robust than other authentication methods available in WinRM; an attacker with access to the network on which WinRM is
running may be able to obtain the credentials used for access via WinRM. This setting should be set as per the needs of the
business.

Enabled (0)

Disabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM
Client\Disallow Digest authentication

5.147 8250 Status of the 'Allow Basic authentication' setting (WinRM service)
CRITICAL

Windows 2016 Server

@The 'Allow Basic authentication' policy setting allows you to manage whether the Windows Remote Management (WinRM)
service accepts Basic authentication from a remote client. If this policy setting is enabled, the WinRM service will accept Basic
authentication from a remote client. If the setting is disabled or not configured, the WinRM service will not accept Basic
authentication from a remote client. Basic authentication is weaker than other authentication methods because login
credentials, including passwords, are transmitted in plain text. An attacker can easily obtain the credentials that are used to
access remote hosts via WinRM. This setting should be set as per the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM
Service\Allow Basic authentication

5.148 8252 Status of the 'Allow unencrypted traffic' setting (WinRM service)
SERIOUS

Windows 2016 Server

@The 'Allow unencrypted traffic' policy setting allows you to manage whether the Windows Remote Management (WinRM)
service sends and receives unencrypted messages over the network. If the setting is enabled, the WinRM service sends and
receives unencrypted messages over the network. If this setting is disabled, the WinRM service sends and receives only encrypted
messages over the network. Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM
messages as they transit the network. This setting should be set as per the needs of the business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM
Service\Allow unencrypted traffic

5.149 8251 Status of the 'Disallow WinRM from storing RunAs credentials' setting (WinRM service)
SERIOUS

Windows 2016 Server


@The 'Disallow WinRM from storing RunAs credentials' policy setting allows you to manage whether the Windows Remote
Management (WinRM) service allows RunAs credentials to be stored for plug-ins. If the setting is enabled, the
WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If the setting
is disabled or not configured, the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be
set for plug-ins, and the RunAsPassword value will be stored securely. Although the ability to store RunAs credentials is a
convenient feature, it slightly increases the risk of account compromise. This setting should be set as per the needs of the
business.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM
Service\Disallow WinRM from storing RunAs credentials

5.150 13344 Status of the 'Prevent users from modifying settings' setting for Windows Defender Exploit
Protection CRITICAL

Windows 2016 Server


@Exploit Protection is an integrated security feature of Windows Defender and provides various exploit mitigation techniques,
both system-wide and on a per-program basis. Allowing users to change the Exploit Protection configuration can lead to undesired
system behavior or leave the system vulnerable to security threats. To avert such conditions, the 'Prevent users from modifying
settings' Group Policy should be configured in accordance with business needs and the organization's security policies.

Disabled (0)

Enabled (1)

Registry Not Found

Remediation : Configure the group policy 'Computer Configuration\Administrative Templates\Windows Components\Windows
Defender Security Center\App and browser protection\Prevent users from modifying settings' as per business needs and
organization's security policies.

5.151 5263 Status of the 'No auto-restart with logged on users for scheduled automatic updates' setting
SERIOUS

Windows 2016 Server

@The 'No auto-restart with logged on users for scheduled automatic updates' setting, when enabled, disallows the automatic
reboot on systems that have been updated via the Automatic Updates capability, while users are logged on. Unplanned and/or
unexpected reboots can be an inconvenience to users and result in the reduction of productivity or timely completion of work.
This setting can help avoid that by waiting until all users are logged off before rebooting to apply updates.

Disabled (0)

Enabled (1)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Windows Update\No auto-restart with logged on users
for scheduled automatic updates installations

5.152 7805 Status of Windows 'Automatic Updates' (WSUS) setting ( NoAutoUpdate )
URGENT

Windows 2016 Server

@The Windows 'Automatic Updates' (WSUS) setting configures how Automatic Updates are applied to the Windows system.
The 'NoAutoUpdate' sub-setting determines whether automatic updates are enabled or disabled and complements the other
related settings that manage updates. If automatic updates are not enabled, the systems do not always have the most recent
critical operating system updates and service packs installed. System updates and service packs contain fixes for known or
published vulnerabilities. To ensure that systems are regularly protected against exploitation and compromise due to known
vulnerabilities, this setting should be set as per the needs of the organization.

Disabled (1)

Enabled (0)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Computer
Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates

5.153 8272 Status of the 'Configure Automatic Updates Option: Scheduled install day' policy setting
SERIOUS

Windows 2016 Server


@The 'Scheduled install day' policy setting specifies whether computers in your environment will receive security updates
from Windows Update or WSUS. If this setting is enabled, the operating system will recognize when a network connection is
available and then use the network connection to search Windows Update or your designated intranet site for updates that
apply to them. If this setting is disabled, Windows updates will need to be downloaded and installed manually when available.
Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the
products are shipped. This should be set as appropriate to the needs of the business.

Every day (0)

Every Sunday (1)

Every Monday (2)

Every Tuesday (3)

Every Wednesday (4)

Every Thursday (5)

Every Friday (6)

Every Saturday (7)

Key not found

Remediation : To establish the recommended configuration via GP, set the following UI path to 0 - Every day: Computer
Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates:
Scheduled install day

5.154 13968 Status of 'Manage preview builds: Set the behavior of receiving preview builds' setting
CRITICAL

Windows 2016 Server

@The 'Manage preview builds' Group Policy defines whether the system will be part of the Windows Insider Program. The
program allows users to install and try preview/beta versions of Windows software. These preview builds provide new
features but can contain bugs and security holes that make the system vulnerable. As with any critical system, to prevent
data loss or security incidents, the use of stable and secure software releases is recommended. Thus, the 'Manage preview
builds: Set the behavior of receiving preview builds' Group Policy should be configured in accordance with business needs and
the organization's security policies.

Disable preview builds (0)

Disable preview builds once next release is public (1)

Enable preview builds (2)

Feature not available in this build (300000000000000)

Key not found

Remediation : Configure the following Group Policy in accordance with business needs and the organization's security policies.
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Windows Update for
Business\Manage preview builds: Set the behavior for receiving preview builds

5.155 11212 Status of the 'Select when Feature Updates are received -
DeferFeatureUpdatesPeriodInDays' setting CRITICAL

Windows 2016 Server


@Forcing new features without prior testing in your environment could cause software incompatibilities as well as introduce
new bugs into the operating system. In a controlled corporate environment, it is generally preferred to delay feature
updates until thorough testing and a deployment plan are in place. This recommendation delays the automatic installation of
new features as long as possible. The setting should be configured according to the needs of the business.

greater than or equal to 180

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Current Branch for
Business, 180 days: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows
Update\Windows Update for Business\Select when Preview Builds and Feature Updates are received

5.156 11202 Status of the 'Select when Feature Updates are received - DeferFeatureUpdates' setting
SERIOUS

Windows 2016 Server

@Forcing new features without prior testing in your environment could cause software incompatibilities as well as introduce
new bugs into the operating system. In a controlled corporate environment, it is generally preferred to delay feature
updates until thorough testing and a deployment plan are in place. This recommendation delays the automatic installation of
new features as long as possible. The setting should be configured according to the needs of the business.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: Current Branch for
Business, 180 days: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Defer
Windows Updates\Select when Feature Updates are received

5.157 11235 Status of the 'Select when Quality Updates are received' 'DeferQualityUpdatesPeriodInDays' Setting CRITICAL

Windows 2016 Server

@Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible. This
setting should be configured according to the needs of the business.

equal to
0

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: 0 days: Computer
Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Defer Windows Updates\Select
when Quality Updates are received.

5.158 11199 Status of the 'Select when Quality Updates are received' 'DeferQualityUpdates' setting SERIOUS

Windows 2016 Server


@Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible. This
setting should be configured according to the needs of the business.

Disabled (0)

Enabled (1)

Not Configured

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: 0 days: Computer
Configuration\Policies\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\Select
when Quality Updates are received
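
Checks 5.155 through 5.158 all read Windows Update for Business deferral values. The following PowerShell audit is an added example, not part of the CIS policy document; it assumes the policy-backed registry location HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, which is not stated above, and compares each value with the expected value listed in the corresponding check.

```powershell
# Added audit example (not part of the CIS policy document): reads the four
# Windows Update for Business values behind checks 5.155-5.158 and compares
# them with the benchmark values listed in those checks.
# Assumption: the registry location written by the GP settings named above.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Expected values, taken from the checks above:
#   DeferFeatureUpdates = 1, DeferFeatureUpdatesPeriodInDays >= 180,
#   DeferQualityUpdates = 1, DeferQualityUpdatesPeriodInDays = 0
$checks = @(
    @{ Id='5.155'; Name='DeferFeatureUpdatesPeriodInDays'; Test={ param($v) $v -ge 180 }; Want='>= 180' }
    @{ Id='5.156'; Name='DeferFeatureUpdates';             Test={ param($v) $v -eq 1 };   Want='1' }
    @{ Id='5.157'; Name='DeferQualityUpdatesPeriodInDays'; Test={ param($v) $v -eq 0 };   Want='0' }
    @{ Id='5.158'; Name='DeferQualityUpdates';             Test={ param($v) $v -eq 1 };   Want='1' }
)

function Test-WufbDeferral {
    param([string]$Path = $wuPolicy)
    foreach ($c in $checks) {
        # A missing value ("Key not found" / "Not Configured") is reported as a
        # failure, which is how the policy treats an unconfigured setting.
        $item  = Get-ItemProperty -Path $Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($c.Name) } else { $null }
        $pass  = ($null -ne $value) -and (& $c.Test $value)
        [pscustomobject]@{
            Check    = $c.Id
            Value    = $c.Name
            Expected = $c.Want
            Actual   = if ($null -eq $value) { 'Not Configured' } else { $value }
            Result   = if ($pass) { 'PASS' } else { 'FAIL' }
        }
    }
}

Test-WufbDeferral | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the member server; a FAIL row points at the GP path given in the matching remediation.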

Section 6: Administrative Templates (User)


6.1 9842 Status of the 'Turn off toast notifications on the lock screen' setting SERIOUS

Windows 2016 Server

@The 'Turn off toast notifications on the lock screen' policy setting turns off toast notifications on the lock screen. If the setting
is enabled, applications will not be able to raise toast notifications on the lock screen. If the setting is disabled or not
configured, toast notifications on the lock screen are enabled and can be turned off by an admin user or local user. Note: No
reboots or service restarts are required for this policy setting to take effect. Though the feature is very handy for users,
applications that provide toast notifications might display sensitive personal or business data while the device is unattended.
This should be configured according to the needs of the business.

matches regular expression list


^[^:]+:1

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: User
Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock
screen

6.2 9304 Status of the "Do not preserve zone information in file attachments" setting for Windows users CRITICAL

Windows 2016 Server

@The 'Do not preserve zone information in file attachments' Group Policy setting restricts the display of network information in
file attachments. As this setting can either reveal or restrict private network information that may be used for exploits, this
setting should be configured according to the needs of the business.

matches regular expression list


^[^:]+:2

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: User
Configuration\Policies\Administrative Templates\Windows Components\Attachment Manager\Do not preserve zone
information in file attachments

6.3 9305 Status of the 'Notify antivirus programs when opening attachments' configuration [For Windows user] CRITICAL

Windows 2016 Server


@The 'Notify antivirus programs when opening attachments' setting configures the sequence for the system to determine file
attachment risk. As this capability can interrupt the proper functioning of specific anti-virus software, it should be configured
according to the needs of the business.

matches regular expression list


^[^:]+:3

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: User
Configuration\Policies\Administrative Templates\Windows Components\Attachment Manager\Notify antivirus programs when
opening attachments

6.4 11211 Status of the 'Configure Windows spotlight on Lock Screen' setting SERIOUS

Windows 2016 Server

@Enabling this setting will help ensure your data is not shared with any third party. The Windows Spotlight feature will collect
data and display suggested apps as well as images from the internet. This setting should be configured according to the
needs of the business.

matches regular expression list


^[^:]+:2

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: User
Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Configure Windows spotlight on Lock
Screen

6.5 11203 Status of the 'Do not suggest third-party content in Windows spotlight' setting SERIOUS

Windows 2016 Server


@Enabling this setting will help ensure your data is not shared with any third party. The Windows Spotlight feature will collect
data and display suggested apps as well as images from the internet.The setting should be configured according to the needs
of the business.

matches regular expression list


^[^:]+:1

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: User
Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Do not suggest third-party content in
Windows spotlight

6.6 23138 Status of the 'Turn off Spotlight collection on Desktop' setting SERIOUS

Windows 2016 Server

@This policy setting removes the Spotlight collection setting in Personalization, rendering the user unable to select and
subsequently download daily images from Microsoft to the system desktop. This feature downloads pictures and
advertisements from the Bing server and displays them when the lock screen is shown on the user's device. If this policy is
enabled, Spotlight collection will not be available as an option in Personalization settings. If this policy is disabled or not
configured, Spotlight collection will appear as an option in Personalization settings, allowing the user to select Spotlight
collection as the Desktop provider and display daily images from Microsoft on the desktop. This setting should be configured
as appropriate to the needs of the business.

matches regular expression list


^[^:]+:1

Remediation : Configure the following group policy in accordance with business needs and the organization's security policies.
User Configuration\Policies\Administrative Templates\Windows Components\Cloud Content\Turn off Spotlight collection on
Desktop

6.7 9830 Status of the 'Prevent users from sharing files within their profile' setting CRITICAL

Windows 2016 Server


@The 'Prevent users from sharing files within their profile' setting enables or disables file sharing among users. As this setting
could facilitate the unauthorized sharing of confidential information, it should be configured according to the needs of the
business.

matches regular expression list


^[^:]+:1

Remediation : To establish the recommended configuration via GP, set the following UI path to Enabled: User
Configuration\Policies\Administrative Templates\Windows Components\Network Sharing\Prevent users from sharing files
within their profile.

6.8 10089 Status of the 'Always install with elevated privileges' setting for Windows User CRITICAL

Windows 2016 Server

@The 'Always install with elevated privileges' policy setting can cause Windows Installer to use elevated privileges for the installation of
any program on the system. Without this setting, program installation runs with the current user's permissions, so this
value should be set according to the needs of the business.

matches regular expression list


^[^:]+:0

Remediation : To establish the recommended configuration via GP, set the following UI path to Disabled: User
Configuration\Policies\Administrative Templates\Windows Components\Windows Installer\Always install with elevated
privileges
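
The Section 6 checks (here 6.1 and 6.8) are evaluated per user, which is why their expected value is a regular expression over lines of the form "<user SID>:<value>", such as ^[^:]+:1. The PowerShell below is an added example, not part of the CIS policy document; it reproduces that shape from the user hives loaded under HKEY_USERS and applies the pattern from each check. The registry locations behind the two GP settings are assumptions, not values stated in the document.

```powershell
# Added audit example (not part of the CIS policy document): builds the
# "<SID>:<value>" lines that the per-user checks 6.1 and 6.8 match with
# their regular expressions. Registry locations are assumptions.
$userChecks = @(
    @{ Id='6.1'; Pattern='^[^:]+:1'
       Sub='Software\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'
       Name='NoToastApplicationNotificationOnLockScreen' }
    @{ Id='6.8'; Pattern='^[^:]+:0'
       Sub='Software\Policies\Microsoft\Windows\Installer'
       Name='AlwaysInstallElevated' }
)

function Get-UserHiveSids {
    # Only hives of real accounts (S-1-5-21-* user SIDs), not *_Classes keys.
    if (-not (Test-Path 'HKU:')) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    Get-ChildItem 'HKU:' | ForEach-Object { $_.PSChildName } |
        Where-Object { $_ -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
}

function Test-PerUserPolicy {
    foreach ($c in $userChecks) {
        $lines = @(foreach ($sid in Get-UserHiveSids) {
            $item = Get-ItemProperty -Path "HKU:\$sid\$($c.Sub)" -Name $c.Name -ErrorAction SilentlyContinue
            # A missing value is emitted without a number, so it cannot match the pattern.
            if ($null -ne $item) { "${sid}:$($item.($c.Name))" } else { "${sid}:" }
        })
        # "matches regular expression list": every user line must match the pattern.
        $failing = @($lines | Where-Object { $_ -notmatch $c.Pattern })
        [pscustomobject]@{
            Check   = $c.Id
            Value   = $c.Name
            Pattern = $c.Pattern
            Result  = if ($lines.Count -gt 0 -and $failing.Count -eq 0) { 'PASS' } else { 'FAIL' }
            Failing = ($failing -join ', ')
        }
    }
}

Test-PerUserPolicy | Format-Table -AutoSize
```

Only hives of currently loaded profiles appear under HKEY_USERS, so users who have never logged on, or whose profile is not loaded, are not covered by this pass.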
