cce.mitre.org/lists/data/downloads/cce-co… · xls file


Upload: truongdiep

Post on 20-Apr-2018


| CCE ID | Old v4 CCE Id | CCE Description | CCE Parameters |
|---|---|---|---|
| CCE-4017-0 | CCE-5 | The "Security Zones: Use Only Machine Settings" setting should be configured correctly. | (1) enabled/disabled |
| CCE-3924-8 | CCE-119 | Internet Explorer Processes (Restrict ActiveX Install) | (1) enabled/disabled |
| CCE-3929-7 | CCE-146 | The "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly. | (1) enabled/disabled |
| CCE-3576-6 | CCE-212 | The "Disable Periodic Check For Internet Explorer Software Updates" setting should be configured correctly. | (1) enabled/disabled |
| CCE-4043-6 | CCE-347 | Internet Explorer Processes (Zone Elevation Protection) | enabled/disabled |
| CCE-4047-7 | CCE-382 | The "Internet Explorer Processes (Consistent MIME Handling)" setting should be configured correctly. | enabled/disabled |
| CCE-3941-2 | CCE-449 | The "Allow Software to Run or Install Even if the Signature is Invalid" setting should be configured correctly. | enabled/disabled |
| CCE-3338-1 | CCE-591 | The "Internet Explorer Processes (MK Protocol)" setting should be configured correctly. | (1) enabled/disabled |
| CCE-4118-6 | CCE-622 | The "Disable Software Update Shell Notifications on Program Launch" setting should be configured correctly. | (1) enabled/disabled |
| CCE-4122-8 | CCE-668 | The "Internet Explorer Processes (Restrict File Download)" setting should be configured correctly. | enabled/disabled |
| CCE-3518-8 | CCE-684 | The "Disable Automatic Install of Internet Explorer Components" setting should be configured correctly. | (1) enabled/disabled |
| CCE-3201-1 | CCE-693 | The "Make Proxy Settings Per-Machine (Rather Than Per-User)" setting should be configured correctly. | (1) number of proxy settings |
| CCE-3744-0 | CCE-708 | The "Do Not Allow Users to enable or Disable Add-Ons" setting should be configured correctly. | enabled/disabled |
| CCE-3894-3 | CCE-753 | The "Turn Off Crash Detection" setting should be configured correctly. | enabled/disabled |
| CCE-4162-4 | CCE-827 | The "Internet Explorer Processes (Scripted Window Security Restrictions)" setting should be configured correctly. | enabled/disabled |
| CCE-3933-9 | CCE-833 | The "Security Zones: Do Not Allow Users to Change Policies" setting should be configured correctly. | (1) enabled/disabled |
| CCE-4149-1 | CCE-985 | The "Internet Explorer Processes (MIME Sniffing)" setting should be configured correctly. | enabled/disabled |
| CCE-4026-1 | CCE-1025 | The "Check for Signature on Downloaded Programs" setting should be configured correctly. | enabled/disabled |
| CCE-4171-5 | CCE-42 | The "Do Not Allow Resetting Internet Explorer Settings" setting should be configured correctly. | enabled/disabled |
| CCE-4109-5 | CCE-49 | The "Allow cut, copy, or paste operations from the clipboard via script" setting should be configured correctly for the Internet Zone. | enabled/disabled |
| CCE-3378-7 | CCE-863 | The "Turn Off First-Run Opt-In" setting should be configured correctly for the Internet Zone. | enabled/disabled |
| CCE-4131-9 | CCE-286 | The "Web Browser Applications" setting should be configured correctly for the Internet Zone. | enabled/disabled |
| CCE-4013-9 | CCE-1031 | The "Allow cut, copy, or paste operations from the clipboard via script" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled |
| CCE-4153-3 | CCE-200 | The "Turn Off First-Run Opt-In" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled |
| CCE-4052-7 | CCE-51 | The "Web Browser Applications" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled |
| CCE-4175-6 | CCE-876 | The "Intranet Sites: Include all network paths (UNCs)" setting should be configured correctly. | enabled/disabled |
| CCE-3695-4 | CCE-810 | The "Disable the Advanced Page" setting should be configured correctly. | enabled/disabled |
| CCE-3777-0 | CCE-811 | The "Disable the Privacy Page" setting should be configured correctly. | enabled/disabled |
| CCE-3433-0 | CCE-595 | The "Disable the Security Page" setting should be configured correctly. | enabled/disabled |
| CCE-4199-6 | CCE-938 | The "Prevent Ignoring Certificate Errors" setting should be configured correctly. | enabled/disabled |
| CCE-3204-5 | CCE-946 | The "Turn Off changing the URL to be displayed for checking updates to Internet Explorer and Internet Tools" setting should be configured correctly. | enabled/disabled |
| CCE-4098-0 | CCE-237 | The "Turn Off Configuring the Update Check Interval (In Days)" setting should be configured correctly. | enabled/disabled |
| CCE-3741-6 | CCE-541 | The "Add-on List" setting should be configured correctly. | enabled/disabled |
| CCE-3997-4 | CCE-911 | The "Deny all add-ons unless specifically allowed in the Add-on List" setting should be configured correctly. | enabled/disabled |
| CCE-4001-4 | CCE-66 | The "Disable "Configuring History"" setting should be configured correctly. | enabled/disabled |
| CCE-4147-5 | CCE-471 | The "Disable Changing Automatic Configuration Settings" setting should be configured correctly. | enabled/disabled |
| CCE-4059-2 | CCE-611 | The "Disable Changing Connection Settings" setting should be configured correctly. | enabled/disabled |
| CCE-3935-4 | CCE-62 | The "Disable Changing Proxy Settings" setting should be configured correctly. | enabled/disabled |
| CCE-3706-9 | CCE-556 | The "Disable Showing the Splash Screen" setting should be configured correctly. | enabled/disabled |
| CCE-3975-0 | CCE-948 | The "Prevent "Fix settings" Functionality" setting should be configured correctly. | enabled/disabled |
| CCE-3993-3 | CCE-495 | The "Prevent participation in the Customer Experience Improvement Programs" setting should be configured correctly. | enabled/disabled |
| CCE-3207-8 | CCE-1006 | The "Prevent performance of First Run Customize settings" setting should be configured correctly. | enabled/disabled |
| CCE-4073-3 | CCE-909 | The "Prevent the deletion of temporary internet files and cookies" setting should be configured correctly. | enabled/disabled |
| CCE-3615-2 | CCE-1010 | The "Turn off "Delete Browsing History" functionality" setting should be configured correctly. | enabled/disabled |
| CCE-3866-1 | CCE-1032 | The "Turn off Managing Phishing Filter" setting should be configured correctly. | enabled/disabled |
| CCE-3875-2 | CCE-1054 | The "Turn off the Security Settings Check feature" setting should be configured correctly. | enabled/disabled |
| CCE-4174-9 | CCE-964 | The "Allow Active Content from CD's to Run on User Machine" setting should be configured correctly. | enabled/disabled |
| CCE-4192-1 | CCE-598 | The "Enable third-party browser extensions" setting should be configured correctly. | enabled/disabled |
| CCE-3584-0 | CCE-1008 | The "Automatically Check for Internet Explorer Updates" setting should be configured correctly. | enabled/disabled |
| CCE-3976-8 | CCE-690 | The "Check for Server Certificate Revocation" setting should be configured correctly. | enabled/disabled |
| CCE-3853-9 | CCE-47 | The "Access data sources across domains" setting should be configured correctly for the Internet Zone. | enabled/disabled/prompt |
| CCE-3998-2 | CCE-685 | The "Drag and drop or copy and paste files" setting should be configured correctly for the Internet Zone. | enabled/disabled/prompt |
| CCE-3888-5 | CCE-491 | The "Font download" setting should be configured correctly for the Internet Zone. | enabled/disabled/prompt |
| CCE-3906-5 | CCE-355 | The "Installation of desktop items" setting should be configured correctly for the Internet Zone. | enabled/disabled/prompt |
| CCE-4099-8 | CCE-280 | The "Allow script-initiated windows without size or position constraints" setting should be configured correctly for the Internet Zone. | enabled/disabled |
| CCE-3601-2 | CCE-439 | The "Allow Scriptlets" setting should be configured correctly for the Internet Zone. | enabled/disabled/prompt |
| CCE-3249-0 | CCE-914 | The "Allow status bar updates via script" setting should be configured correctly for the Internet Zone. | enabled/disabled |
| CCE-4139-2 | CCE-16 | The "Automatic prompting for file downloads" setting should be configured correctly for the Internet Zone. | enabled/disabled |
| CCE-3927-1 | CCE-1013 | The "Download signed ActiveX controls" setting should be configured correctly for the Internet Zone. | enabled/disabled/prompt |
| CCE-3945-3 | CCE-176 | The "Download unsigned ActiveX controls" setting should be configured correctly for the Internet Zone. | enabled/disabled/prompt |
| CCE-4068-3 | CCE-586 | The "Initialize and script ActiveX controls not marked as safe for scripting" setting should be configured correctly for the Internet Zone. | enabled/disabled/prompt |
| CCE-3963-6 | CCE-132 | The "Java permissions" setting should be configured correctly for the Internet Zone. | Custom/Disable Java/High safety/Low safety/Medium safety |
| CCE-4104-6 | CCE-689 | The "Launching programs and files in an IFRAME" setting should be configured correctly for the Internet Zone. | enabled/disabled/prompt |
| CCE-3623-6 | CCE-720 | The "Logon" setting should be configured correctly for the Internet Zone. | Anonymous logon/Automatic logon only in Intranet zone/Automatic logon with current user name and password/Prompt for user name and password |
| CCE-3751-5 | CCE-126 | The "Loose XAML" setting should be configured correctly for the Internet Zone. | enabled/disabled/prompt |
| CCE-4143-4 | CCE-245 | The "Navigate sub-frames across different domains" setting should be configured correctly for the Internet Zone. | enabled/disabled/prompt |
| CCE-4161-6 | CCE-910 | The "Open files based on content, not file extension" setting should be configured correctly for the Internet Zone. | enabled/disabled |
| CCE-3553-5 | CCE-359 | The "Software channel permissions" setting should be configured correctly for the Internet Zone. | High safety/low safety/medium safety |
| CCE-3619-4 | CCE-1002 | The "Use Pop-up Blocker" setting should be configured correctly for the Internet Zone. | enabled/disabled |
| CCE-3914-9 | CCE-425 | The "Userdata persistence" setting should be configured correctly for the Internet Zone. | enabled/disabled |
| CCE-3570-9 | CCE-724 | The "Web sites in less privileged Web content zones can navigate into this zone" setting should be configured correctly for the Internet Zone. | enabled/disabled/prompt |
| CCE-3843-0 | CCE-1015 | The "XPS documents" setting should be configured correctly for the Internet Zone. | enabled/disabled/prompt |
| CCE-3984-2 | CCE-878 | The "Display mixed content" setting should be configured correctly for the Internet Zone. | enabled/disabled/prompt |
| CCE-3989-1 | CCE-288 | The "Display mixed content" setting should be configured correctly for the Intranet Zone. | enabled/disabled/prompt |
| CCE-4121-0 | CCE-552 | The "Display mixed content" setting should be configured correctly for the Locked Down Intranet Zone. | enabled/disabled/prompt |
| CCE-4138-4 | CCE-473 | The "Display mixed content" setting should be configured correctly for the Local Machine Zone. | enabled/disabled/prompt |
| CCE-4028-7 | CCE-239 | The "Display mixed content" setting should be configured correctly for the Locked Down Local Machine Zone. | enabled/disabled/prompt |
| CCE-3905-7 | CCE-636 | The "Access data sources across domains" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-4050-1 | CCE-292 | The "Active scripting" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-4196-2 | CCE-178 | The "Binary and script behaviors" setting should be configured correctly for the Restricted Sites Zone. | Administrator approved/enabled/disabled |
| CCE-3337-3 | CCE-41 | The "Drag and drop or copy and paste files" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-4150-9 | CCE-970 | The "File download" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled |
| CCE-4062-6 | CCE-882 | The "Font download" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-4079-0 | CCE-763 | The "Installation of desktop items" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-4084-0 | CCE-680 | The "Allow META REFRESH" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled |
| CCE-4119-4 | CCE-208 | The "Allow script-initiated windows without size or position constraints" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled |
| CCE-3639-2 | CCE-838 | The "Allow Scriptlets" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-4031-1 | CCE-129 | The "Allow status bar updates via script" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled |
| CCE-4053-5 | CCE-175 | The "Automatic prompting for file downloads" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled |
| CCE-4057-6 | CCE-52 | The "Download signed ActiveX controls" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-3564-2 | CCE-1012 | The "Download unsigned ActiveX controls" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-4101-2 | CCE-26 | The "Initialize and script ActiveX controls not marked as safe for scripting" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-3996-6 | CCE-925 | The "Java permissions" setting should be configured correctly for the Restricted Sites Zone. | Custom/Disable Java/High safety/Low safety/Medium safety |
| CCE-4066-7 | CCE-339 | The "Launching programs and files in an IFRAME" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-3696-2 | CCE-128 | The "Logon" setting should be configured correctly for the Restricted Sites Zone. | Anonymous logon/Automatic logon only in Intranet zone/Automatic logon with current user name and password/Prompt for user name and password |
| CCE-3590-7 | CCE-639 | The "Loose XAML" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-4110-3 | CCE-995 | The "Navigate sub-frames across different domains" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-4132-7 | CCE-409 | The "Open files based on content, not file extension" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled |
| CCE-3400-9 | CCE-678 | The "Run components not signed with Authenticode" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-4158-2 | CCE-563 | The "Run components signed with Authenticode" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-4163-2 | CCE-841 | The "Run ActiveX controls and plugins" setting should be configured correctly for the Restricted Sites Zone. | Administrator approved/enabled/disabled/prompt |
| CCE-4202-8 | CCE-973 | The "Script ActiveX controls marked safe for scripting" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-3216-9 | CCE-1000 | The "Scripting of Java applets" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-3855-4 | CCE-520 | The "Software channel permissions" setting should be configured correctly for the Restricted Sites Zone. | High safety/low safety/medium safety |
| CCE-4018-8 | CCE-660 | The "Use Pop-up Blocker" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled |
| CCE-4040-2 | CCE-28 | The "Userdata persistence" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled |
| CCE-4215-0 | CCE-698 | The "Web sites in less privileged Web content zones can navigate into this zone" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-3991-7 | CCE-460 | The "XPS documents" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-3264-9 | CCE-30 | The "Display mixed content" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled/prompt |
| CCE-4087-3 | CCE-31 | The "Display mixed content" setting should be configured correctly for the Trusted Sites Zone. | enabled/disabled/prompt |
| CCE-4232-5 | CCE-666 | The "Display mixed content" setting should be configured correctly for the Locked Down Trusted Sites Zone. | enabled/disabled/prompt |
| CCE-4259-8 | CCE-528 | The "Enable Native XMLHttp Support" setting should be configured correctly. | enabled/disabled |
| CCE-3647-5 | CCE-721 | The "Turn on the auto-complete feature for user names and passwords on form" setting should be configured correctly. | enabled/disabled |
| CCE-3677-2 | CCE-69 | The "Allow Install On Demand (Internet Explorer)" setting should be configured correctly. | enabled/disabled |
| CCE-4056-8 | CCE-71 | The "Turn off page transitions" setting should be configured correctly. | enabled/disabled |
| CCE-4246-5 | CCE-478 | The "Disable AutoComplete for forms" setting should be configured correctly. | enabled/disabled |
| CCE-4214-3 | CCE-412 | The "Disable Save this program to disk option" setting should be configured correctly. | enabled/disabled |
| CCE-3606-1 | CCE-1037 | The "Disable changing certificate settings" setting should be configured correctly. | enabled/disabled |
| CCE-4237-4 | CCE-1051 | The "Disable external branding of Internet Explorer" setting should be configured correctly. | enabled/disabled |
| CCE-3275-5 | CCE-963 | The "Configure Outlook Express" setting should be configured correctly | enabled/disabled |
| CCE-4036-0 | CCE-258 | The "Turn on the Internet Connection Wizard Auto Detect" setting should be configured correctly. | enabled/disabled |
| CCE-3825-7 | CCE-769 | The "Disable Internet Connection wizard" setting should be configured correctly. | enabled/disabled |
| CCE-4226-7 | CCE-625 | The "Disable the Reset Web Settings feature" should be configured correctly. | enabled/disabled |
| CCE-4120-2 | CCE-74 | The "Disable Downloading Of Site Subscription Content" setting should be configured correctly. | enabled/disabled |
| CCE-4248-1 | CCE-122 | The "Disable Adding Schedules For Offline Pages" setting should be configured correctly. | enabled/disabled |
| CCE-3389-4 | CCE-716 | The "Disable Adding Channels" setting should be configured correctly. | enabled/disabled |
| CCE-3645-9 | CCE-610 | The "Disable Editing And Creating Of Schedule Groups" setting should be configured correctly. | enabled/disabled |
| CCE-3940-4 | CCE-619 | The "Disable All Scheduled Offline Pages" setting should be configured correctly. | enabled/disabled |
| CCE-3821-6 | CCE-373 | The "Disable Editing Schedules For Offline Pages" setting should be configured correctly. | enabled/disabled |
| CCE-3742-4 | CCE-298 | The "Disable Channel User Interface Completely" setting should be configured correctly. | enabled/disabled |
| CCE-4261-4 | CCE-1069 | The "Disable Removing Channels" setting should be configured correctly. | enabled/disabled |
| CCE-4190-5 | CCE-615 | The "Disable Removing Schedules For Offline Pages" setting should be configured correctly. | enabled/disabled |
| CCE-4208-5 | CCE-1003 | The "Disable Offline Page Hit Logging" setting should be configured correctly. | enabled/disabled |
| CCE-3754-9 | CCE-320 | The "Java permissions" setting should be configured correctly for the Locked Down Intranet Zone. | Custom/Disable Java/High safety/Low safety/Medium safety |
| CCE-3891-9 | CCE-138 | The "Java permissions" setting should be configured correctly for the Local Machine Zone. | Custom/Disable Java/High safety/Low safety/Medium safety |
| CCE-4160-8 | CCE-1045 | The "Java permissions" setting should be configured correctly for the Locked Down Local Machine Zone. | Custom/Disable Java/High safety/Low safety/Medium safety |
| CCE-4763-9 | CCE-1005 | Computer-wide, rather than per-user, assignment of sites to zones for Internet Explorer should be enabled or disabled as appropriate. | enabled, disabled, or not configured |
| CCE-4643-3 | CCE-281 | The "Turn on Protected Mode" setting should be configured correctly for the Internet Zone. | enabled/disabled |
| CCE-4652-4 | CCE-218 | The "Java permissions" setting should be configured correctly for the Intranet Zone. | Custom/Disable Java/High safety/Low safety/Medium safety |
| CCE-4793-6 | CCE-308 | The "Download signed ActiveX controls" setting should be configured correctly for the Locked-Down Internet Zone. | enabled/disabled/prompt |
| CCE-4692-0 | CCE-781 | The "Java permissions" setting should be configured correctly for the Locked Down Internet Zone. | Custom/Disable Java/High safety/Low safety/Medium safety |
| CCE-3902-4 | CCE-1088 | The "Java permissions" setting should be configured correctly for the Locked Down Restricted Sites Zone. | Custom/Disable Java/High safety/Low safety/Medium safety |
| CCE-4546-8 | CCE-1147 | The "Allow status bar updates via script" setting should be configured correctly for the Locked-Down Trusted Sites Zone. | enabled/disabled |
| CCE-4564-1 | CCE-140 | The "Java permissions" setting should be configured correctly for the Locked Down Trusted Sites Zone. | Custom/Disable Java/High safety/Low safety/Medium safety |
| CCE-3909-9 | CCE-1211 | The "Turn on Protected Mode" setting should be configured correctly for the Restricted Sites Zone. | enabled/disabled |
| CCE-4845-4 | CCE-675 | The "Java permissions" setting should be configured correctly for the Trusted Sites Zone. | Custom/Disable Java/High safety/Low safety/Medium safety |

CCE Technical Mechanisms

oval:org.mitre.oval:def:658

oval:org.mitre.oval:def:1400

oval:org.mitre.oval:def:1357

NIST SCAP Microsoft Internet Explorer Version 7.0 OVAL (SCAP-IE7-OVAL-Beta-v3.xml)

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Use_HKLM_only Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only

oval:org.mitre.oval:def:1277, oval:org.mitre.oval:def:2050

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!explorer.exe, HKLM\Software\Policies\Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict ActiveX Install, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\iexplore.exe

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_Zones_Map_Edit Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_zones_map_edit

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoUpdateCheck Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoUpdateCheck

oval:org.mitre.oval:def:620

oval:org.mitre.oval:def:884

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!explorer.exe, HKLM\Software\Policies\Microsoft\Internet,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Protection From Zone Elevation, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\iexplore.exe

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!explorer.exe, HKLM\Software\Policies\Microsoft\Internet E,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Binary Behavior Security Restriction, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\iexplore.exe

HKLM\Software\Policies\Microsoft\Internet Explorer\Download!RunInvalidSignatures,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page , Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Download\RunInvalidSignatures

oval:org.mitre.oval:def:680, oval:org.mitre.oval:def:1392

oval:org.mitre.oval:def:617

oval:org.mitre.oval:def:1188

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!explorer.exe, HKLM\Software\Policies\Microsoft,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/MK Protocol Security Restriction, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\iexplore.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe

oval:org.mitre.oval:def:320

oval:org.mitre.oval:def:1198

oval:org.mitre.oval:def:1181

oval:org.mitre.oval:def:487

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!explorer.exe, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoJITSetup,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoJITSetup

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoExtensionManagement

oval:org.mitre.oval:def:1380, oval:org.mitre.oval:def:1358, oval:org.mitre.oval:def:1694

HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoCrashDetection,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoCrashDetection

oval:org.mitre.oval:def:465

oval:org.mitre.oval:def:1404

oval:org.mitre.oval:def:317

oval:org.mitre.oval:def:395

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!explorer.exe, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Scripted Window Security Restrictions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\iexplore.exe

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!explorer.exe, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Mime Sniffing Safety Feature, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\iexplore.exe

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page , Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Download\CheckExeSignatures

oval:org.mitre.oval:def:583

oval:org.mitre.oval:def:1119

oval:org.mitre.oval:def:242

oval:org.mitre.oval:def:621

oval:org.mitre.oval:def:580

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\DisableRIED

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1407

oval:org.mitre.oval:def:506, oval:org.mitre.oval:def:533

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2400

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1407

oval:org.mitre.oval:def:249, oval:org.mitre.oval:def:1393

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1208

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2400

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet

oval:org.mitre.oval:def:559, oval:org.mitre.oval:def:1370

oval:org.mitre.oval:def:1111

oval:org.mitre.oval:def:715

oval:org.mitre.oval:def:1187

oval:org.mitre.oval:def:626

oval:org.mitre.oval:def:1278

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\AdvancedTab

oval:org.mitre.oval:def:934, oval:org.mitre.oval:def:660

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\PrivacyTab

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab

oval:org.mitre.oval:def:672, oval:org.mitre.oval:def:601

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\PreventIgnoreCertErrors

oval:org.mitre.oval:def:655, oval:org.mitre.oval:def:1129

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Internet Settings/Component Updates/Periodic Check for Updates to Internet Explorer and Internet Tools, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\Update_Check_Page

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Internet Settings/Component Updates/Periodic Check for Updates to Internet Explorer and Internet Tools, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\Update_Check_Interval

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Add-on Management, Registry Keys:[HKLM | HKCU]\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\ListBox_Support_CLSID

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Add-on Management, Registry Keys:[HKLM | HKCU]\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\RestrictToList

oval:org.mitre.oval:def:1164

oval:org.mitre.oval:def:1322

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\History, [HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\DaysToKeep

oval:org.mitre.oval:def:757, oval:org.mitre.oval:def:1365

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Autoconfig

oval:org.mitre.oval:def:1285, oval:org.mitre.oval:def:613

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Connection Settings, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Connwiz Admin Lock

oval:org.mitre.oval:def:355, oval:org.mitre.oval:def:1128

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Proxy

oval:org.mitre.oval:def:398, oval:org.mitre.oval:def:635

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoSplash

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Security\DisableFixSecuritySettings

oval:org.mitre.oval:def:448, oval:org.mitre.oval:def:640

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\SQM\DisableCustomerImprovementProgram

oval:org.mitre.oval:def:1171, oval:org.mitre.oval:def:1391

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Settings

oval:org.mitre.oval:def:1382, oval:org.mitre.oval:def:703

oval:org.mitre.oval:def:501

oval:org.mitre.oval:def:400

oval:org.mitre.oval:def:110

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\DisableDeleteBrowsingHistory

oval:org.mitre.oval:def:458, oval:org.mitre.oval:def:1474

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\Enabled

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck

oval:org.mitre.oval:def:916, oval:org.mitre.oval:def:1034

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCAL

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\Enable Browser Extensions

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\NoUpdateCheck

oval:org.mitre.oval:def:656, oval:org.mitre.oval:def:1360

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation

oval:org.mitre.oval:def:172, oval:org.mitre.oval:def:1502

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1406

oval:org.mitre.oval:def:674, oval:org.mitre.oval:def:650

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1802

oval:org.mitre.oval:def:1083, oval:org.mitre.oval:def:547

oval:org.mitre.oval:def:1043

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1604

oval:org.mitre.oval:def:524, oval:org.mitre.oval:def:659

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1800

oval:org.mitre.oval:def:223, oval:org.mitre.oval:def:541

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2102

oval:org.mitre.oval:def:589, oval:org.mitre.oval:def:1476

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1209

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2103

oval:org.mitre.oval:def:226, oval:org.mitre.oval:def:1208

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2200

oval:org.mitre.oval:def:1113, oval:org.mitre.oval:def:562

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1001

oval:org.mitre.oval:def:1199, oval:org.mitre.oval:def:546

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1004

oval:org.mitre.oval:def:391, oval:org.mitre.oval:def:1200

oval:org.mitre.oval:def:240

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1201

oval:org.mitre.oval:def:1040, oval:org.mitre.oval:def:739

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1C00

oval:org.mitre.oval:def:1174, oval:org.mitre.oval:def:725

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1804

oval:org.mitre.oval:def:611, oval:org.mitre.oval:def:1487

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A00

oval:org.mitre.oval:def:691, oval:org.mitre.oval:def:1123

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2402

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1607

oval:org.mitre.oval:def:612, oval:org.mitre.oval:def:1394

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2100

oval:org.mitre.oval:def:953, oval:org.mitre.oval:def:1300

oval:org.mitre.oval:def:1108

oval:org.mitre.oval:def:628

oval:org.mitre.oval:def:245

oval:org.mitre.oval:def:1166

oval:org.mitre.oval:def:247

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1E05

oval:org.mitre.oval:def:302, oval:org.mitre.oval:def:1398

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809

oval:org.mitre.oval:def:1179, oval:org.mitre.oval:def:558

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1606

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2101

oval:org.mitre.oval:def:265, oval:org.mitre.oval:def:1432

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2401

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1609

oval:org.mitre.oval:def:383

oval:org.mitre.oval:def:418

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1609

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1406

oval:org.mitre.oval:def:652, oval:org.mitre.oval:def:750

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400

oval:org.mitre.oval:def:293, oval:org.mitre.oval:def:561

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2000

oval:org.mitre.oval:def:365, oval:org.mitre.oval:def:1314

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1802

oval:org.mitre.oval:def:498, oval:org.mitre.oval:def:1465

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1803

oval:org.mitre.oval:def:1184, oval:org.mitre.oval:def:1318

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1604

oval:org.mitre.oval:def:1109, oval:org.mitre.oval:def:1410

oval:org.mitre.oval:def:1217

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1800

oval:org.mitre.oval:def:251, oval:org.mitre.oval:def:1257

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1608

oval:org.mitre.oval:def:1218, oval:org.mitre.oval:def:1270

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2102

oval:org.mitre.oval:def:1234, oval:org.mitre.oval:def:574

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1209

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1001

oval:org.mitre.oval:def:378, oval:org.mitre.oval:def:1320

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2200

oval:org.mitre.oval:def:252, oval:org.mitre.oval:def:1312

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1001

oval:org.mitre.oval:def:1019, oval:org.mitre.oval:def:1389

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1004

oval:org.mitre.oval:def:949, oval:org.mitre.oval:def:579

oval:org.mitre.oval:def:275

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1201

oval:org.mitre.oval:def:273, oval:org.mitre.oval:def:1342

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1C00

oval:org.mitre.oval:def:824, oval:org.mitre.oval:def:732

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1804

oval:org.mitre.oval:def:274, oval:org.mitre.oval:def:1223

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1A00

oval:org.mitre.oval:def:326, oval:org.mitre.oval:def:1378

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2402

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1607

oval:org.mitre.oval:def:1229, oval:org.mitre.oval:def:1292

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2100

oval:org.mitre.oval:def:706, oval:org.mitre.oval:def:1421

oval:org.mitre.oval:def:300

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2004

oval:org.mitre.oval:def:329, oval:org.mitre.oval:def:599

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2001

oval:org.mitre.oval:def:276, oval:org.mitre.oval:def:1428

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200

oval:org.mitre.oval:def:571, oval:org.mitre.oval:def:1594

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1405

oval:org.mitre.oval:def:602, oval:org.mitre.oval:def:1274

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1402

oval:org.mitre.oval:def:280, oval:org.mitre.oval:def:641

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1E05

oval:org.mitre.oval:def:290, oval:org.mitre.oval:def:1214

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1809

oval:org.mitre.oval:def:1100, oval:org.mitre.oval:def:1286

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1606

oval:org.mitre.oval:def:1176

oval:org.mitre.oval:def:314

oval:org.mitre.oval:def:1153

oval:org.mitre.oval:def:1183

oval:org.mitre.oval:def:338

oval:org.mitre.oval:def:645

oval:org.mitre.oval:def:523

oval:org.mitre.oval:def:1206

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2101

oval:org.mitre.oval:def:1219, oval:org.mitre.oval:def:1243

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2401

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1609

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1609

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\XMLHTTP

HKCU\Software\Policies\Microsoft\Internet Explorer\Main!FormSuggest Passwords, HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\FormSuggest Passwords

HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NoJITSetup

HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Page_Transitions

oval:org.mitre.oval:def:1516

oval:org.mitre.oval:def:505

oval:org.mitre.oval:def:1362

oval:org.mitre.oval:def:1384

oval:org.mitre.oval:def:1238

oval:org.mitre.oval:def:604

oval:org.mitre.oval:def:1355

oval:org.mitre.oval:def:1437

oval:org.mitre.oval:def:1080

oval:org.mitre.oval:def:1293

oval:org.mitre.oval:def:1383

oval:org.mitre.oval:def:1397

oval:org.mitre.oval:def:1501

HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Use FormSuggest, HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!FormSuggest

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoSelectDownloadDir

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Certificates

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoExternalBranding

HKCU\Software\Microsoft\Outlook Express!BlockExeAttachments

HKCU\Software\Policies\Microsoft\Internet Connection Wizard!DisableICW

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Connwiz Admin Lock

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!ResetWebSettings

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoSubscriptionContent

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingSubscriptions

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingChannels

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoEditingScheduleGroups

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoScheduledUpdates

oval:org.mitre.oval:def:1565

oval:org.mitre.oval:def:1782

oval:org.mitre.oval:def:1801

oval:org.mitre.oval:def:1954

oval:org.mitre.oval:def:2026

oval:org.mitre.oval:def:2039

oval:org.mitre.oval:def:1422

oval:org.mitre.oval:def:1986

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoEditingSubscriptions

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoChannelUI

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoRemovingChannels

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoRemovingSubscriptions

HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoChannelLogging

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1C00

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1C00

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1C00

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Turn on Protected Mode

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1C00

GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone\Download signed ActiveX controls

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1C00

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1C00

GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone\Allow status bar updates via script

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1C00

(1) GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Turn on Protected Mode (2) Registry Keys:[HKLM|HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500

Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1C00

IEProcesses-RestrictActiveXInstall-LocalComputer

DoNotAllowUsersAddDeleteSites-LocalComputer

NIST SCAP Microsoft Internet Explorer Version 7.0 XCCDF (SCAP-IE7-XCCDF-Beta-v3.xml)

FDCC IE7 XCCDF (fdcc-accepted-content-20080110\fdcc-ie7-xccdf.xml)

UseOnlyMachineSettings-LocalComputer, UseOnlyMachineSettings-LocalComputer-Disabled

use_only_machine_settings_local_computer

IEProcesses_RestrictActiveXInstall_LocalComputer

DoNotAllowUsersAddDeleteSites_LocalComputer

DisablePeriodicCheckForIESoftwareUpdates-LocalComputer

DisablePeriodicCheckForIESoftwareUpdates_LocalComputer

IEProcesses-ConsistentMimeHandling-LocalComputer

IEProcesses_ProtectionFromZoneElevation_LocalComputer

IEProcesses_ConsistentMimeHandling_LocalComputer

AllowSoftwareRunInstallSignatureInvalid-LocalComputer, AllowSoftwareToRununOrInstallEvenIfSignatureInvalid-LocalUser

AllowSoftwareRunInstallSignatureInvalid_LocalComputer

IEProcesses-MKProtocolSecurityRestriction-LocalComputer

IEProcesses_MKProtocolSecurityRestriction_LocalComputer

DisableSoftwareUpdateShellNotifications-LocalComputer

DisableSoftwareUpdateShellNotifications_LocalComputer

IEProcesses-RestrictFileDownload-LocalComputer

MakeProxySettingsPerMachine-LocalComputer

TurnOffCrashDetection-LocalComputer

IEProcesses_RestrictFileDownload_LocalComputer

DisableAutomaticInstallOfIEComponents-LocalComputer

DisableAutomaticInstallOfIEComponents_LocalComputer

MakeProxySettingsPerMachine_LocalComputer

DoNotAllowUsersEnableDisableAddOns-LocalComputer, DoNotAllowUsersEnableDisableAddOns-LocalUser

DoNotAllowUsersEnableDisableAddOns_LocalComputer

TurnOffCrashDetection_LocalComputer

DoNotAllowUsersChangePolicies-LocalComputer

CheckSignatureDownloadedPrograms-LocalComputer

IEProcesses-ScriptedWindowSecurityRestrictions-LocalComputer

IEProcesses_ScriptedWindowSecurityRestrictions_LocalComputer

DoNotAllowUsersChangePolicies_LocalComputer

IEProcesses-MimeSniffingSafetyFeature-LocalComputer

IEProcesses_MimeSniffingSafetyFeature_LocalComputer

CheckSignatureDownloadedPrograms_LocalComputer

DoNotAllowResettingIESettings-LocalComputer

TurnOffFirst-RunOpt-In-InternetZone-LocalComputer

WebBrowserApplications-InternetZone-LocalComputer

DoNotAllowResettingIESettings_LocalComputer

AllowCutCopyPasteOperationsFromClipboardViaScript-InternetZone-LocalComputer, AllowCutCopyPasteOperationsFromClipboardViaScript-InternetZone-LocalUser

allow_cut_copy_paste_operations_from_clipboard_via_script_internet_zone_local_computer

TurnOffFirstRunOptIn_InternetZone_LocalComputer

WebBrowserApplications_InternetZone_LocalComputer

AllowCutCopyPasteOperationsFromClipboardViaScript-RestrictedSitesZone-LocalComputer, AllowCutCopyPasteOperationsFromClipboardViaScript-RestrictedSitesZone-LocalUser

AllowCutCopyPasteOperationsFromClipboardViaScript_RestrictedSitesZone_LocalComputer

TurnOffFirst-RunOpt-In-RestrictedSitesZone-LocalComputer

TurnOffFirstRunOptIn_RestrictedSitesZone_LocalComputer

WebBrowserApplications-RestrictedSitesZone-LocalComputer

WebBrowserApplications_RestrictedSitesZone_LocalComputer

IncludeAllNetworkPaths-LocalComputer, IncludeAllNetworkPaths-LocalUser

include_all_network_paths_local_computer

DisableThePrivacyPage-LocalComputer

TurnOffChangingURLDisplay-LocalComputer

AddOnList-LocalComputer

DenyAllAddOns-LocalComputer

DisableTheAdvancedPage-LocalComputer, DisableTheAdvancedPage-LocalUser

DisableTheSecurityPage-LocalComputer, DisableTheSecurityPage-LocalUser

PreventIgnoingCertificateErrors-LocalComputer, PreventIgnoingCertificateErrors-LocalUser

prevent_ignoring_certificate_errors_local_computer

TurnOffChangingURLDisplay_LocalComputer

TurnOffConfiguringUpdateCheckInterval-LocalComputer

TurnOffConfiguringUpdateCheckInterval_LocalComputer

DisableShowingSplashScreen-LocalComputer

DisableConfiguringHistory-LocalComputer, DisableConfiguringHistory-LocalUser

DisableConfiguringHistory_LocalComputer

DisableChangingAutomaticConfigurationSettings-LocalComputer, DisableChangingAutomaticConfigurationSettings-LocalUser

DisableChangingAutomaticConfigurationSettings_LocalComputer

DisableChangingConnectionSettings-LocalComputer, DisableChangingConnectionSettings-LocalUser

DisableChangingProxySettings-LocalComputer, DisableChangingProxySettings-LocalUser

DisableShowingSplashScreen_LocalComputer

PreventFixSettingsFunctionality-LocalComputer, PreventFixSettingsFunctionality-LocalUser

PreventParticipationInCustomerExperienceImprovementPrograms-LocalComputer, PreventParticipationInCustomerExperienceImprovementPrograms-LocalUser

PreventParticipationInCustomerExperienceImprovementPrograms_LocalComputer

PreventPerformanceOfFirstRunCustomizeSettings-LocalComputer

PreventPerformanceOfFirstRunCustomizeSettings_LocalComputer

PerventDeletationOfTempInternetFiles-LocalComputer, PerventDeletationOfTempInternetFiles-LocalUser

TurnOffManagingPhishingFilter-LocalComputer

AllowActiveContentFromCD-LocalComputer

AllowThird-PartyBrowserExtensions-LocalComputer

TurnOffDeleteBrowsingHistoryFunctionality-LocalComputer, TurnOffDeleteBrowsingHistoryFunctionality-LocalUser

TurnOffDeleteBrowsingHistoryFunctionality_LocalComputer

TurnOffManagingPhishingFilter_LocalComputer

TurnOffSecuritySettingsCheckFeature-LocalComputer, TurnOffSecuritySettingsCheckFeature-LocalUser

TurnOffSecuritySettingsCheckFeature_LocalComputer

AllowActiveContentFromCD_LocalComputer

AllowThird-PartyBrowserExtensions_LocalComputer

AutomaticallyCheckIEUpdates-LocalComputer, AutomaticallyCheckForIEUpdates-LocalUser

AutomaticallyCheckIEUpdates_LocalComputer

CheckServerCertificateRevocation-LocalComputer, CheckForServerCertificateRevocation-LocalUser

CheckServerCertificateRevocation_LocalComputer

AccessDataSourcesAcrossDomains-InternetZone-LocalComputer, AccessDataSourcesAcrossDomains-InternetZone-LocalUser

access_data_sources_across_domains_internet_zone_local_computer

AllowDragDropOrCopyPasteFiles-InternetZone-LocalComputer, AllowDragDropOrCopyPasteFiles-InternetZone-LocalUser

AllowDragDropOrCopyPasteFiles_InternetZone_LocalComputer

AllowScriptlets-InternetZone-LocalComputer

AllowFontDownloads-InternetZone-LocalComputer, AllowFontDownloads-InternetZone-LocalUser

AllowFontDownloads_InternetZone_LocalComputer

AllowInstallationOfDesktopItems-InternetZone-LocalComputer, AllowInstallationOfDesktopItems-InternetZone-LocalUser

AllowInstallationOfDesktopItems_InternetZone_LocalComputer

AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-InternetZone-LocalComputer, AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-InternetZone-LocalUser

AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints_InternetZone_LocalComputer

allow_scriptlets_internet_zone_local_computer

AllowStatusBarUpdatesViaScript-InternetZone-LocalComputer, AllowStatusBarUpdatesViaScript-InternetZone-LocalUser

allow_status_bar_updates_via_script_internet_zone_local_computer

AutomaticPromptingFileDownloads-InternetZone-LocalComputer, AutomaticPromptingFileDownloads-InternetZone-LocalUser

AutomaticPromptingFileDownloads_InternetZone_LocalComputer

DownloadSignedActiveXControls-InternetZone-LocalComputer, DownloadSignedActiveXControls-InternetZone-LocalUser

download_signed_activex_controls_InternetZone_LocalComputer

DownloadUnsignedActiveXControls-InternetZone-LocalComputer, DownloadUnsignedActiveXControls-InternetZone-LocalUser

DownloadUnsignedActiveXControls_InternetZone_LocalComputer

JavaPermissions-InternetZone-LocalUser

LooseXAMLFiles-InternetZone-LocalComputer

InitializeScriptActiveXControlsNotMarkedAsSafe-InternetZone-LocalComputer, JavaPermissions-InternetZone-LocalComputer, InitializeScriptActiveXControlsNotMarkedAsSafe-InternetZone-LocalUser

InitializeScriptActiveXControlsNotMarkedAsSafe_InternetZone_LocalComputer

java_permissions_internet_zone_local_computer

LaunchingApplicationsAndFilesInIFRAME-InternetZone-LocalComputer, LaunchingApplicationsAndFilesInIFRAME-InternetZone-LocalUser

LaunchingApplicationsAndFilesInIFRAME_InternetZone_LocalComputer

LogonOptions-InternetZone-LocalComputer, LogonOptions-InternetZone-LocalUser

LogonOptions_InternetZone_LocalComputer

LooseXAMLFiles_InternetZone_LocalComputer

NavigateSub-framesAcrossDifferentDomains-InternetZone-LocalComputer, NavigateSub-framesAcrossDifferentDomains-InternetZone-LocalUser

navigate_sub_frames_across_different_domains_Internet_zone_local_computer

OpenFilesBasedOnContent-InternetZone-LocalComputer, OpenFilesBasedOnContent-InternetZone-LocalUser

OpenFilesBasedOnContent_InternetZone_LocalComputer

UserdataPersistence-InternetZone-LocalComputer

XPSFiles-InternetZone-LocalComputer

DisplayMixedContent-IntranetZone-LocalComputer

SoftwareChannelPermissions-InternetZone-LocalComputer, SoftwareChannelPermissions-InternetZone-LocalUser

SoftwareChannelPermissions_InternetZone_LocalComputer

UsePop-upBlocker-InternetZone-LocalComputer, UsePop-upBlocker-InternetZone-LocalUser

UsePop-upBlocker_InternetZone_LocalComputer

UserdataPersistence_InternetZone_LocalComputer

WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-InternetZone-LocalComputer, WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-InternetZone-LocalUser

WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone_InternetZone_LocalComputer

DisplayMixedContent-LockedDownInternetZone-LocalComputer

display_mixed_content_locked_down_internet_zone_local_computer

display_mixed_content_intranet_zone_local_computer

DisplayMixedContent-LockedDownIntranetZone-LocalComputer

display_mixed_content-LockedDownintranet_zone_local_computer

DisplayMixedContent-LocalMachineZone-LocalComputer

display_mixed_content-local_machine_zone_local_computer

DisplayMixedContent-LockedDownLocalMachineZone-LocalComputer

display_mixed_content-LockedDownlocal_machine_zone_local_computer

AccessDataSourcesAcrossDomains-RestrictedSitesZone-LocalComputer, AccessDataSourcesAcrossDomains-RestrictedSitesZone-LocalUser

AccessDataSourcesAcrossDomains_RestrictedSitesZone_LocalComputer

AllowActiveScripting-RestrictedSitesZone-LocalComputer, AllowActiveScripting-RestrictedSitesZone-LocalUser

AllowActiveScripting_RestrictedSitesZone_LocalComputer

AllowBinaryAndScriptBehaviors-RestrictedSitesZone-LocalComputer, AllowBinaryAndScriptBehaviors-RestrictedSitesZone-LocalUser

AllowBinaryAndScriptBehaviors_RestrictedSitesZone_LocalComputer

AllowDragDropOrCopyPasteFiles-RestrictedSitesZone-LocalComputer, AllowDragDropOrCopyPasteFiles-RestrictedSitesZone-LocalUser

AllowDragDropOrCopyPasteFiles_RestrictedSitesZone_LocalComputer

AllowFileDownloads-RestrictedSitesZone-LocalComputer, AllowFileDownloads-RestrictedSitesZone-LocalUser

AllowFileDownloads_RestrictedSitesZone_LocalComputer

AllowFontDownloads-RestrictedSitesZone-LocalComputer, AllowFontDownloads-RestrictedSitesZone-LocalUser

AllowFontDownloads_RestrictedSitesZone_LocalComputer

AllowScriptlets-RestrictedSitesZone-LocalComputer

AllowInstallationOfDesktopItems-RestrictedSitesZone-LocalComputer, AllowInstallationOfDesktopItems-RestrictedSitesZone-LocalUser

AllowInstallationOfDesktopItems_RestrictedSitesZone_LocalComputer

AllowMETAREFRESH-RestrictedSitesZone-LocalComputer, AllowMETAREFRESH-RestrictedSitesZone-LocalUser

AllowMETAREFRESH_RestrictedSitesZone_LocalComputer

AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-RestrictedSitesZone-LocalComputer, AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-RestrictedSitesZone-LocalUser

AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints_RestrictedSitesZone_LocalComputer

AllowStatusBarUpdatesViaScript-RestrictedSitesZone-LocalComputer, AllowStatusBarUpdatesViaScript-RestrictedSitesZone-LocalUser

AllowStatusBarUpdatesViaScript_RestrictedSitesZone_LocalComputer

AutomaticPromptingFileDownloads-RestrictedSitesZone-LocalComputer, AutomaticPromptingFileDownloads-RestrictedSitesZone-LocalUser

AutomaticPromptingFileDownloads_RestrictedSitesZone_LocalComputer

DownloadSignedActiveXControls-RestrictedSitesZone-LocalComputer, DownloadSignedActiveXControls-RestrictedSitesZone-LocalUser

download_signed_activex_controls_RestrictedSitesZone_LocalComputer

DownloadUnsignedActiveXControls-RestrictedSitesZone-LocalComputer, DownloadUnsignedActiveXControls-RestrictedSitesZone-LocalUser

DownloadUnsignedActiveXControls_RestrictedSitesZone_LocalComputer

LooseXAMLFiles-RestrictedSitesZone-LocalComputer

InitializeScriptActiveXControlsNotMarkedAsSafe-RestrictedSitesZone-LocalComputer, InitializeScriptActiveXControlsNotMarkedAsSafe-RestrictedSitesZone-LocalUser

InitializeScriptActiveXControlsNotMarkedAsSafe_RestrictedSitesZone_LocalComputer

JavaPermissions-RestrictedSitesZone-LocalComputer, JavaPermissions-RestrictedSitesZone-LocalUser

java_permissions_RestrictedSitesZone_LocalComputer

LaunchingApplicationsAndFilesInIFRAME-RestrictedSitesZone-LocalComputer, LaunchingApplicationsAndFilesInIFRAME-RestrictedSitesZone-LocalUser

LaunchingApplicationsAndFilesInIFRAME_RestrictedSitesZone_LocalComputer

LogonOptions-RestrictedSitesZone-LocalComputer, LogonOptions-RestrictedSitesZone-LocalUser

LogonOptions_RestrictedSitesZone_LocalComputer

LooseXAMLFiles_RestrictedSitesZone_LocalComputer

NavigateSub-framesAcrossDifferentDomains-RestrictedSitesZone-LocalComputer, NavigateSub-framesAcrossDifferentDomains-RestrictedSitesZone-LocalUser

NavigateSub-framesAcrossDifferentDomains_RestrictedSitesZone_LocalComputer

OpenFilesBasedOnContent-RestrictedSitesZone-LocalComputer, OpenFilesBasedOnContent-RestrictedSitesZone-LocalUser

OpenFilesBasedOnContent_RestrictedSitesZone_LocalComputer

RunNETFrameworkReliantComponentsNotSignedWithAuthenticode-RestrictedSitesZone-LocalComputer, RunNETFrameworkReliantComponentsNotSignedWithAuthenticode-RestrictedSitesZone-LocalUser

RunNETFrameworkReliantComponentsNotSignedWithAuthenticode_RestrictedSitesZone_LocalComputer

RunNETFrameworkReliantComponentsSignedWithAuthenticode-RestrictedSitesZone-LocalComputer, RunNETFrameworkReliantComponentsSignedWithAuthenticode-RestrictedSitesZone-LocalUser

RunNETFrameworkReliantComponentsSignedWithAuthenticode_RestrictedSitesZone_LocalComputer

RunActiveXControlsAndPlugins-RestrictedSitesZone-LocalComputer, RunActiveXControlsAndPlugins-RestrictedSitesZone-LocalUser

RunActiveXControlsAndPlugins_RestrictedSitesZone_LocalComputer

ScriptActiveXControlsMarkedSafeForScripting-RestrictedSitesZone-LocalComputer, ScriptActiveXControlsMarkedSafeForScripting-RestrictedSitesZone-LocalUser

ScriptActiveXControlsMarkedSafeForScripting_RestrictedSitesZone_LocalComputer

ScriptingOfJavaApplets-RestrictedSitesZone-LocalComputer, ScriptingOfJavaApplets-RestrictedSitesZone-LocalUser

ScriptingOfJavaApplets_RestrictedSitesZone_LocalComputer

SoftwareChannelPermissions-RestrictedSitesZone-LocalComputer, SoftwareChannelPermissions-RestrictedSitesZone-LocalUser

SoftwareChannelPermissions_RestrictedSitesZone_LocalComputer

UsePop-upBlocker-RestrictedSitesZone-LocalComputer, UsePop-upBlocker-RestrictedSitesZone-LocalUser

UsePop-upBlocker_RestrictedSitesZone_LocalComputer

UserdataPersistence-RestrictedSitesZone-LocalComputer

UserdataPersistence_RestrictedSitesZone_LocalComputer

XPSFiles-RestrictedSitesZone-LocalComputer

DisplayMixedContent-TrustedSitesZone-LocalComputer

EnableNativeXMLHttpSupport-LocalComputer

DisableSaveThisProgramToDiskOption-LocalUser

AllowInstallOnDemandIE-LocalUser

TurnOffPageTransitions-LocalUser

TurnOffPageTransitions_LocalUser

WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-RestrictedSitesZone-LocalComputer, WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-RestrictedSitesZone-LocalUser

WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone_RestrictedSitesZone_LocalComputer

DisplayMixedContent-LockedDownRestrictedSitesZone-LocalComputer

display_mixed_content-LockedDownRestrictedSitesZone_LocalComputer

display_mixed_content_trusted_sites_zone_local_computer

DisplayMixedContent-LockedDownTrustedSitesZone-LocalComputer

display_mixed_content_LockedDowntrusted_sites_zone_local_computer

EnableNativeXMLHttpSupport_LocalComputer

TurnOnAutoCompleteFeatureForUserNamesAndPasswords_LocalUser

allow_install_on_demand_ie_local_computer

DisableAutoCompleteForForms-LocalUser

AllowInstallOnDemandIE-LocalUser

DisableChangingCertificateSettings-LocalUser

DisableExternalBrandingOfIE-LocalUser

ConfigureOutlookExpress-LocalUser

InternetConnectionWizardSettings-LocalUser

DisableInternetConnectionWizard-LocalUser

DisableResetWebSettingsFeature-LocalUser

DisableAddingSchedulesForOfflinePages-LocalUser

DisableAddingChannels-LocalUser

DisableAllScheduledOfflinePages-LocalUser

DisableAutoCompleteForForms_LocalUser

DisableExternalBrandingOfIE_LocalUser

configure_outlook_express_local_user

TurnOnInternetConnectionWizardAutoDetect_LocalUser

DisableInternetConnectionWizard_LocalUser

DisableResetWebSettingsFeature_LocalUser

DisableDownloadingOfSiteSubscriptionContent-LocalUser

DisableEditingAndCreatingOfScheduleGroups-LocalUser

DisableEditingSchedulesForOfflinePages-LocalUser

DisableChannelUserInterfaceCompletely-LocalUser

DisableRemovingChannels-LocalUser

DisableRemovingSchedulesForOfflinePages-LocalUser

DisableOfflinePageHitLogging-LocalUser

JavaPermissions-LocalMachineZone-LocalComputer

JavaPermissions-LockedDownIntranetZone-LocalComputer

java_permissions_LockedDownintranet_zone_local_computer

java_permissions_local_machine_zone_local_computer

JavaPermissions-LockedDownLocalMachineZone-LocalComputer

java_permissions_LockedDownlocal_machine_zone_local_computer

site_to_zone_assignment_list_local_computer

TurnOnProtectedMode_InternetZone_LocalComputer

java_permissions_intranet_zone_local_computer

download_signed_activex_controls_locked_down_internet_zone_local_computer

java_permissions_locked_down_internet_zone_local_computer

java_permissions_LockedDownRestrictedSitesZone_LocalComputer

AllowStatusBarUpdatesViaScript_LockedDowntrusted_sites_zone_local_computer

java_permissions_LockedDowntrusted_sites_zone_local_computer

TurnOnProtectedMode_RestrictedSitesZone_LocalComputer

java_permissions_trusted_sites_zone_local_computer

oval:gov.nist.fdcc.ie7:def:1277

oval:gov.nist.fdcc.ie7:def:658

oval:gov.nist.fdcc.ie7:def:1400

oval:gov.nist.fdcc.ie7:def:1357

FDCC IE7 OVAL (fdcc-accepted-content-20080110\fdcc-ie7-oval.xml)

oval:gov.nist.fdcc.ie7:def:620

oval:gov.nist.fdcc.ie7:def:884

oval:gov.nist.fdcc.ie7:def:680

oval:gov.nist.fdcc.ie7:def:617

oval:gov.nist.fdcc.ie7:def:1188

oval:gov.nist.fdcc.ie7:def:320

oval:gov.nist.fdcc.ie7:def:1198

oval:gov.nist.fdcc.ie7:def:1181

oval:gov.nist.fdcc.ie7:def:1694

oval:gov.nist.fdcc.ie7:def:487

oval:gov.nist.fdcc.ie7:def:465

oval:gov.nist.fdcc.ie7:def:1404

oval:gov.nist.fdcc.ie7:def:317

oval:gov.nist.fdcc.ie7:def:395

oval:gov.nist.fdcc.ie7:def:583

oval:gov.nist.fdcc.ie7:def:506

oval:gov.nist.fdcc.ie7:def:1119

oval:gov.nist.fdcc.ie7:def:242

oval:gov.nist.fdcc.ie7:def:249

oval:gov.nist.fdcc.ie7:def:621

oval:gov.nist.fdcc.ie7:def:580

oval:gov.nist.fdcc.ie7:def:559

oval:gov.nist.fdcc.ie7:def:655

oval:gov.nist.fdcc.ie7:def:715

oval:gov.nist.fdcc.ie7:def:1187

oval:gov.nist.fdcc.ie7:def:757

oval:gov.nist.fdcc.ie7:def:1285

oval:gov.nist.fdcc.ie7:def:1164

oval:gov.nist.fdcc.ie7:def:1171

oval:gov.nist.fdcc.ie7:def:1322

oval:gov.nist.fdcc.ie7:def:458

oval:gov.nist.fdcc.ie7:def:501

oval:gov.nist.fdcc.ie7:def:916

oval:gov.nist.fdcc.ie7:def:400

oval:gov.nist.fdcc.ie7:def:110

oval:gov.nist.fdcc.ie7:def:656

oval:gov.nist.fdcc.ie7:def:172

oval:gov.nist.fdcc.ie7:def:674

oval:gov.nist.fdcc.ie7:def:1083

oval:gov.nist.fdcc.ie7:def:524

oval:gov.nist.fdcc.ie7:def:223

oval:gov.nist.fdcc.ie7:def:589

oval:gov.nist.fdcc.ie7:def:1043

oval:gov.nist.fdcc.ie7:def:226

oval:gov.nist.fdcc.ie7:def:1113

oval:gov.nist.fdcc.ie7:def:1199

oval:gov.nist.fdcc.ie7:def:391

oval:gov.nist.fdcc.ie7:def:1040

oval:gov.nist.fdcc.ie7:def:1174

oval:gov.nist.fdcc.ie7:def:611

oval:gov.nist.fdcc.ie7:def:691

oval:gov.nist.fdcc.ie7:def:240

oval:gov.nist.fdcc.ie7:def:612

oval:gov.nist.fdcc.ie7:def:953

oval:gov.nist.fdcc.ie7:def:302

oval:gov.nist.fdcc.ie7:def:1179

oval:gov.nist.fdcc.ie7:def:1108

oval:gov.nist.fdcc.ie7:def:265

oval:gov.nist.fdcc.ie7:def:245

oval:gov.nist.fdcc.ie7:def:1166

oval:gov.nist.fdcc.ie7:def:247

oval:gov.nist.fdcc.ie7:def:383

oval:gov.nist.fdcc.ie7:def:418

oval:gov.nist.fdcc.ie7:def:652

oval:gov.nist.fdcc.ie7:def:293

oval:gov.nist.fdcc.ie7:def:365

oval:gov.nist.fdcc.ie7:def:498

oval:gov.nist.fdcc.ie7:def:1184

oval:gov.nist.fdcc.ie7:def:1109

oval:gov.nist.fdcc.ie7:def:251

oval:gov.nist.fdcc.ie7:def:1218

oval:gov.nist.fdcc.ie7:def:1234

oval:gov.nist.fdcc.ie7:def:378

oval:gov.nist.fdcc.ie7:def:252

oval:gov.nist.fdcc.ie7:def:1019

oval:gov.nist.fdcc.ie7:def:949

oval:gov.nist.fdcc.ie7:def:273

oval:gov.nist.fdcc.ie7:def:824

oval:gov.nist.fdcc.ie7:def:274

oval:gov.nist.fdcc.ie7:def:326

oval:gov.nist.fdcc.ie7:def:275

oval:gov.nist.fdcc.ie7:def:1229

oval:gov.nist.fdcc.ie7:def:706

oval:gov.nist.fdcc.ie7:def:329

oval:gov.nist.fdcc.ie7:def:276

oval:gov.nist.fdcc.ie7:def:571

oval:gov.nist.fdcc.ie7:def:602

oval:gov.nist.fdcc.ie7:def:280

oval:gov.nist.fdcc.ie7:def:290

oval:gov.nist.fdcc.ie7:def:1100

oval:gov.nist.fdcc.ie7:def:300

oval:gov.nist.fdcc.ie7:def:1219

oval:gov.nist.fdcc.ie7:def:314

oval:gov.nist.fdcc.ie7:def:1153

oval:gov.nist.fdcc.ie7:def:1183

oval:gov.nist.fdcc.ie7:def:338

oval:gov.nist.fdcc.ie7:def:645

oval:gov.nist.fdcc.ie7:def:9999

oval:gov.nist.fdcc.ie7:def:1206

oval:gov.nist.fdcc.ie7:def:1516

oval:gov.nist.fdcc.ie7:def:1384

oval:gov.nist.fdcc.ie7:def:1238

oval:gov.nist.fdcc.ie7:def:604

oval:gov.nist.fdcc.ie7:def:1355

oval:gov.nist.fdcc.ie7:def:1437

oval:gov.nist.fdcc.ie7:def:2039

oval:gov.nist.fdcc.ie7:def:1422

oval:gov.nist.fdcc.ie7:def:1986

oval:gov.nist.fdcc.ie7:def:9998

oval:gov.nist.fdcc.ie7:def:111999

oval:gov.nist.fdcc.ie7:def:1883

oval:gov.nist.fdcc.ie7:def:24599

oval:gov.nist.fdcc.ie7:def:1419

oval:gov.nist.fdcc.ie7:def:1753

oval:gov.nist.fdcc.ie7:def:118399

oval:gov.nist.fdcc.ie7:def:1699

oval:gov.nist.fdcc.ie7:def:62199

oval:gov.nist.fdcc.ie7:def:1379

CCE ID CCE Description

CCE-116-4 CCE-116 enabled/disabled

CCE-908-4 CCE-908

CCE-184-2 CCE-184 enabled/disabled

CCE-276-6 CCE-276 enabled/disabled

Old v4 CCE Id

CCE Parameters

The "Disable VBA for Office applications" setting should be configured correctly.

The "ActiveX Control Initialization:" setting should be configured correctly.

1 = Do not prompt | 4 = Prompt user to use control defaults | 6 = Prompt user to use persisted data

The "Enable Customer Experience Improvement Program" setting should be configured correctly.

The "Enable Customer Experience Improvement Program" setting should be configured correctly.

CCE-967-0 CCE-967

CCE-427-5 CCE-427

CCE-649-4 CCE-649

CCE-862-3 CCE-862 enabled/disabled

The "Online content options" setting should be configured correctly.

0 = Never show online content or entry points | 1 = Search only offline content whenever available | 2 = Search online content whenever available

The "VBA Macro Warning Settings" setting should be configured correctly for Access 2007.

1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros

The "VBA Macro Warning Settings" setting should be configured correctly for Excel 2007.

1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros

The "Trust access to Visual Basic Project" setting should be configured correctly for Excel 2007 and 2003.

CCE-567-8 CCE-567

CCE-68-7 CCE-68 enabled/disabled

CCE-537-1 CCE-537 enabled/disabled

CCE-786-4 CCE-786

CCE-937-3 CCE-937 enabled/disabled

CCE-13-3 CCE-13 enabled/disabled

CCE-316-0 CCE-316 enabled/disabled

The "VBA Macro Warning Settings" setting should be configured correctly for PowerPoint 2007.

1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros

The "Trust access to Visual Basic Project" setting should be configured correctly for PowerPoint 2007.

The "Disable Remember Password" setting should be configured correctly.

The "Configure Add-In Trust Level" setting should be configured correctly.

0 = Trust all or use Exchange settings if present | 1 = Trust all loaded and installed COM addins | 2 = Do NOT trust loaded and installed COM addins

The "Disable 'Remember password' for Internet e-mail accounts" setting should be configured correctly.

The "Minimum encryption settings" setting should be configured correctly.

The "Do not check e-mail address against address of certificates being using" setting should be configured correctly.

CCE-14-1 CCE-14 enabled/disabled

CCE-153-7 CCE-153 enabled/disabled

CCE-345-9 CCE-345 enabled/disabled

CCE-700-5 CCE-700

The "Send all signed messages as clear signed messages" setting should be configured correctly.

The "Request an S/MIME receipt for all S/MIME signed messages" setting should be configured correctly.

The "Do not display 'Publish to GAL' button" setting should be configured correctly.

The "Signature Warning" setting should be configured correctly.

0 = Let user decide if they want to be warned | 1 = Always warn about invalid signatures | 2 = Never warn about invalid signatures

CCE-695-7 CCE-695 enabled/disabled

CCE-395-4 CCE-395

CCE-659-3 CCE-659

CCE-703-9 CCE-703 enabled/disabled

The "Enable Cryptography Icons" setting should be configured correctly.

The "Retrieving CRLs (Certificate Revocation Lists)" setting should be configured correctly.

0 = Use system Default | 1 = When online always retreive the CRL | 2 = Never retreive the CRL

The "VBA Macro Warning Settings" setting should be configured correctly for Word 2007.

1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros

The "Trust access to Visual Basic Project" setting should be configured correctly for Word 2007 and 2003.

CCE-173-5 CCE-173 enabled/disabled

CCE-784-9 CCE-784 enabled/disabled

CCE-1395-3 CCE-1395

enabled/disabled

CCE-1137-9 CCE-1137

enabled/disabled

CCE-1423-3 CCE-1423

enabled/disabled

CCE-1238-5 CCE-1238

enabled/disabled

CCE-1476-1 CCE-1476

enabled/disabled

CCE-1520-6 CCE-1520

enabled/disabled

The "Warn before printing, saving or sending a file that contains tracked changes or comments" setting should be configured correctly.

The "Block updates from the Office Update Site from applying" setting should be configured correctly.

The "Underline hyperlinks" setting should be configured correctly for Access 2007.

The "Number of documents in the Recent Documents list (0-9)" setting should be configured correctly for Access 2007.

The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for Access 2007.

The "Disable all application add-ins" setting should be configured correctly for Access 2007.

The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for Access 2007.

The "Disable all trusted locations" setting should be configured correctly for Access 2007.

CCE-780-7 CCE-780

enabled/disabled

CCE-1214-6 CCE-1214

enabled/disabled

CCE-1370-6 CCE-1370

enabled/disabled

CCE-1268-2 CCE-1268

enabled/disabled

CCE-1400-1 CCE-1400

enabled/disabled

CCE-1440-7 CCE-1440

enabled/disabled

CCE-581-9 CCE-581

enabled/disabled

The "Allow Trusted Locations not on the computer" setting should be configured correctly for Access 2007.

The "Modal Trust Decision Only" setting should be configured correctly for Access 2007.

The "Disable commands" setting should be configured correctly for Access 2007.

The "Disable commands - Office Button | E-Mail" setting should be configured correctly for Access 2007.

The "Disable commands - Office Button | Access Options | Customize | All Commands | Insert Hyperlink" setting should be configured correctly for Access 2007.

The "Disable commands - Database Tools | Database Tools | Encrypt with Password" setting should be configured correctly for Access 2007.

The "Disable commands - Database Tools | Administer | Users and Permission | User and Group Permissions" setting should be configured correctly for Access 2007.

CCE-1480-3 CCE-1480

enabled/disabled

CCE-1489-4 CCE-1489

enabled/disabled

CCE-1392-0 CCE-1392

enabled/disabled

CCE-1414-2 CCE-1414

enabled/disabled

CCE-1418-3 CCE-1418

enabled/disabled

CCE-1405-0 CCE-1405

enabled/disabled

CCE-1550-3 CCE-1550

enabled/disabled

The "Disable commands - Database Tools | Administer | Users and Permissions | User and Group Accounts" setting should be configured correctly for Access 2007.

The "Disable commands - Database Tools | Administer | Users and Permission | User-Level Security Wizard..." setting should be configured correctly for Access 2007.

The "Disable commands - Database Tools | Database Tools | Encode/Decode Database" setting should be configured correctly for Access 2007.

The "Disable commands - Database Tools | Macro | Visual Basic" setting should be configured correctly for Access 2007.

The "Disable commands - Database Tools | Macro | Run Macro" setting should be configured correctly for Access 2007.

The "Database Tools | Macro | Convert Macros to Visual Basic" setting should be configured correctly for Access 2007.

The "Database Tools | Macro | Create Shortcut Menu from Macro" setting should be configured correctly for Access 2007.

CCE-1075-1 CCE-1075

enabled/disabled

CCE-709-6 CCE-709

enabled/disabled

CCE-1502-4 CCE-1502

enabled/disabled

CCE-1260-9 CCE-1260

enabled/disabled

CCE-1510-7 CCE-1510

enabled/disabled

CCE-1532-1 CCE-1532

enabled/disabled

CCE-1039-7 CCE-1039

enabled/disabled

The "Disable shortcut keys" setting should be configured correctly for Access 2007.

The "Disable commands - Ctrl+K (Office Button | Access Options | Customize | All Commands | Insert Hyperlinks)" setting should be configured correctly for Access 2007.

The "Disable commands - Alt+F11 (Database Tools | Macro | Visual Basic)" setting should be configured correctly for Access 2007.

The "Default file format (Access 2007 | Access 2002-2003)" setting should be configured correctly for Access 2007.

The "Do not prompt to convert older databases" setting should be configured correctly for Access 2007.

The "Internet and network paths as hyperlinks" setting should be configured correctly for Excel 2007.

The "Save Excel files as (Excel Workbook (*.xlsx) | Excel Macro-Enabled Workbook (*.xlsm) | Excel Binary Workbook (*.xlsb) | Web Page (*.htm; *.html) | Excel 97-2003 Workbook (*.xls) | Excel 5.0/95 Workbook (*.xls))" setting should be configured correctly for Excel 2007.

CCE-1295-5 CCE-1295

enabled/disabled

CCE-1334-2 CCE-1334

enabled/disabled

CCE-1308-6 CCE-1308

enabled/disabled

CCE-616-3 CCE-616

enabled/disabled

CCE-1246-8 CCE-1246

enabled/disabled

CCE-1251-8 CCE-1251

enabled/disabled

CCE-1524-8 CCE-1524

enabled/disabled

CCE-1422-5 CCE-1422

enabled/disabled

The "Disable AutoRepublish" setting should be configured correctly for Excel 2007.

The "AutoRepublish Warning Alert (Always show the alert before publishing | Never show the alert before publishing)" setting should be configured correctly for Excel 2007.

The "Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks" setting should be configured correctly

The "Force file extension to match file type (Allow different | Allow different, but warn | Always match file type)" setting should be configured correctly for Excel 2007.

The "Store macro in Personal Macro Workbook by default" setting should be configured correctly

The "Disable all application add-ins" setting should be configured correctly for Excel 2007.

The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for Excel 2007.

The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for Excel 2007.

CCE-1444-9 CCE-1444

enabled/disabled

CCE-1449-8 CCE-1449

enabled/disabled

CCE-1471-2 CCE-1471

enabled/disabled

CCE-1119-7 CCE-1119

enabled/disabled

CCE-1378-9 CCE-1378

enabled/disabled

CCE-1277-3 CCE-1277

enabled/disabled

CCE-1464-7 CCE-1464

enabled/disabled

CCE-1094-2 CCE-1094

enabled/disabled

CCE-1129-6 CCE-1129

enabled/disabled

The "Allow Trusted Locations not on the computer" setting should be configured correctly for Excel 2007.

The "Disable all trusted locations" setting should be configured correctly for Excel 2007.

The "Ignore other applications" setting should be configured correctly for Excel 2007.

The "Ask to update automatic links" setting should be configured correctly for Excel 2007.

The "Number of documents in the Recent Documents list (0-17)" setting should be configured correctly for Excel 2007.

The "Save any additional data necessary to maintain formulas" setting should be configured correctly for Excel 2007.

The "Load pictures from Web pages not created in Excel" setting should be configured correctly for Excel 2007.

The "Do not show data extraction options when opening corrupt workbooks" setting should be configured correctly for Excel 2007.

The "Assume structured storage format of workbook is intact when recovering data" setting should be configured correctly for Excel 2007.

CCE-1389-6 CCE-1389

enabled/disabled

CCE-1433-2 CCE-1433

enabled/disabled

CCE-1323-5 CCE-1323

enabled/disabled

CCE-1469-6 CCE-1469

enabled/disabled

CCE-1473-8 CCE-1473

enabled/disabled

CCE-1499-3 CCE-1499

enabled/disabled

CCE-1024-9 CCE-1024

enabled/disabled

The "Corrupt formula conversion (Convert unrecoverable references to: values | #REF or #NAME)" setting should be configured correctly for Excel 2007.

The "Connection File Locations" setting should be configured correctly for Excel 2007.

The "Automatic Query Refresh (Prompt for all workbooks | Do not prompt; do not allow auto refresh | Do not prompt; allow auto refresh)" setting should be configured correctly for Excel 2007.

The "Disable commands" setting should be configured correctly for Excel 2007.

The "Disable commands - Office Button | Excel Options | Customize | All Commands | Save as Web Page" setting should be configured correctly for Excel 2007.

The "Disable commands - Office Button | Excel Options | Customize | All Commands | Web Page Preview" setting should be configured correctly for Excel 2007.

The "Disable commands - Office Button | Send | Email" setting should be configured correctly for Excel 2007.

CCE-1530-5 CCE-1530

enabled/disabled

CCE-1120-5 CCE-1120

enabled/disabled

CCE-1252-6 CCE-1252

enabled/disabled

CCE-1151-0 CCE-1151

enabled/disabled

CCE-1301-1 CCE-1301

enabled/disabled

CCE-1310-2 CCE-1310

enabled/disabled

CCE-1213-8 CCE-1213

enabled/disabled

CCE-1362-3 CCE-1362

enabled/disabled

The "Disable commands - Insert | Links | Hyperlink" setting should be configured correctly for Excel 2007.

The "Disable commands - Review | Changes | Protect Sheet" setting should be configured correctly for Excel 2007.

The "Disable commands - Review | Changes | Protect Workbook" setting should be configured correctly for Excel 2007.

The "Disable commands - Review | Changes | Protect and Share Workbook" setting should be configured correctly for Excel 2007.

The "Disable commands - View | Macros | Macros" setting should be configured correctly for Excel 2007.

The "Disable commands - Developer | Code | Macros" setting should be configured correctly for Excel 2007.

The "Disable commands - Developer | Code | Record Macro" setting should be configured correctly for Excel 2007.

The "Disable commands - Developer | Code | Macro Security" setting should be configured correctly for Excel 2007.

CCE-1156-9 CCE-1156

enabled/disabled

CCE-1429-0 CCE-1429

enabled/disabled

CCE-1182-5 CCE-1182

enabled/disabled

CCE-1525-5 CCE-1525

enabled/disabled

CCE-1547-9 CCE-1547

enabled/disabled

CCE-1300-3 CCE-1300

enabled/disabled

CCE-1331-8 CCE-1331

enabled/disabled

CCE-1468-8 CCE-1468

enabled/disabled

The "Disable commands - Developer | Code | Visual Basic" setting should be configured correctly for Excel 2007.

The "Disable commands - Office Button | Excel Options | Customize | All Commands | Document Location" setting should be configured correctly for Excel 2007.

The "Disable shortcut keys" setting should be configured correctly for Excel 2007.

The "Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink)" setting should be configured correctly for Excel 2007.

The "Disable shortcut keys - Alt+F8 (Developer | Code | Macros)" setting should be configured correctly for Excel 2007.

The "Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic)" setting should be configured correctly for Excel 2007.

The "Block opening of pre-release versions of file formats new to Excel 2007" setting should be configured correctly for Excel 2007.

The "Block opening of Open XML file types" setting should be configured correctly for Excel 2007.

CCE-1490-2 CCE-1490

enabled/disabled

CCE-1512-3 CCE-1512

enabled/disabled

CCE-1543-8 CCE-1543

enabled/disabled

CCE-1195-7 CCE-1195

enabled/disabled

CCE-554-6 CCE-554

enabled/disabled

CCE-1415-9 CCE-1415

enabled/disabled

CCE-1437-3 CCE-1437

enabled/disabled

CCE-1446-4 CCE-1446

enabled/disabled

CCE-1098-3 CCE-1098

enabled/disabled

CCE-562-9 CCE-562

enabled/disabled

The "Block opening of Binary 12 file types" setting should be configured correctly for Excel 2007.

The "Block opening of Binary file types" setting should be configured correctly for Excel 2007.

The "Block opening of Html and Xmlss files types" setting should be configured correctly for Excel 2007.

The "Block opening of Xml file types" setting should be configured correctly for Excel 2007.

The "Block opening of DIF and SYLK file types" setting should be configured correctly for Excel 2007.

The "Block opening of Text file types" setting should be configured correctly for Excel 2007.

The "Block opening of Xll file type" setting should be configured correctly for Excel 2007.

The "Block saving of Open Xml file types" setting should be configured correctly for Excel 2007.

The "Block saving of Binary12 file types" setting should be configured correctly for Excel 2007.

The "Block saving of Binary file types" setting should be configured correctly for Excel 2007.

CCE-1507-3 CCE-1507

enabled/disabled

CCE-1406-8 CCE-1406

enabled/disabled

CCE-573-6 CCE-573

enabled/disabled

CCE-1336-7 CCE-1336

enabled/disabled

CCE-1230-2 CCE-1230

enabled/disabled

CCE-1375-5 CCE-1375

enabled/disabled

CCE-1380-5 CCE-1380

enabled/disabled

CCE-1376-3 CCE-1376

enabled/disabled

CCE-1398-7 CCE-1398

enabled/disabled

The "Block saving of Html and Xmlss file types" setting should be configured correctly for Excel 2007.

The "Block saving Xml file types" setting should be configured correctly for Excel 2007.

The "Block saving DIF and SYLK file types" setting should be configured correctly for Excel 2007.

The "Block saving of Text file types" setting should be configured correctly for Excel 2007.

The "Locally cache network file storages" setting should be configured correctly for Excel 2007.

The "Locally cache PivotTable reports" setting should be configured correctly for Excel 2007.

The "OLAP PivotTable User Defined Function (UDF) security setting (Allow ALL UDFs | Allow safe UDFs only | Allow NO UDFs)" setting should be configured correctly for Excel 2007.

The "Recognize SmartTags" setting should be configured correctly for Excel 2007.

The "Number of documents in the Recent Documents list (0 - 9)" setting should be configured correctly for InfoPath 2007.

CCE-569-4 CCE-569

enabled/disabled

CCE-1065-2 CCE-1065

enabled/disabled

CCE-1361-5 CCE-1361

enabled/disabled

CCE-1096-7 CCE-1096

enabled/disabled

CCE-1391-2 CCE-1391

enabled/disabled

CCE-1519-8 CCE-1519

enabled/disabled

CCE-1523-0 CCE-1523

enabled/disabled

CCE-1171-8 CCE-1171

enabled/disabled

The "Offline Mode status (Disabled | Enabled, InfoPath in Offline Mode | Enabled, InfoPath not in Offline Mode)" setting should be configured correctly for InfoPath 2007.

The "Disable commands" setting should be configured correctly for InfoPath 2007.

The "Disable commands - File | Print" setting should be configured correctly for InfoPath 2007.

The "Disable commands - File | Send to Mail Recipient" setting should be configured correctly for InfoPath 2007.

The "Disable commands - File | Open from SharePoint Site" setting should be configured correctly for InfoPath 2007.

The "Disable commands - File | Print Preview" setting should be configured correctly for InfoPath 2007.

The "Disable commands - File | Page Setup" setting should be configured correctly for InfoPath 2007.

The "Disable commands - Insert | Hyperlinks..." setting should be configured correctly for InfoPath 2007.

CCE-1457-1 CCE-1457

enabled/disabled

CCE-1426-6 CCE-1426

enabled/disabled

CCE-805-2 CCE-805

enabled/disabled

CCE-1453-0 CCE-1453

enabled/disabled

CCE-1351-6 CCE-1351

enabled/disabled

CCE-620-5 CCE-620

enabled/disabled

CCE-1017-3 CCE-1017

enabled/disabled

CCE-1021-5 CCE-1021

enabled/disabled

The "Disable commands - Tools | Set Language" setting should be configured correctly for InfoPath 2007.

The "Disable commands - Tools | Customize..." setting should be configured correctly for InfoPath 2007.

The "Disable commands - Tools | Options..." setting should be configured correctly for InfoPath 2007.

The "Disable commands - Help | Microsoft Office Online" setting should be configured correctly for InfoPath 2007.

The "Disable commands - Office Diagnostics" setting should be configured correctly for InfoPath 2007.

The "Disable commands - Help | Activate Product..." setting should be configured correctly for InfoPath 2007.

The "Disable commands - Print Default" setting should be configured correctly for InfoPath 2007.

The "Disable shortcut keys" setting should be configured correctly for InfoPath 2007.

CCE-1299-7 CCE-1299

enabled/disabled

CCE-1197-3 CCE-1197

enabled/disabled

CCE-704-7 CCE-704

enabled/disabled

CCE-1105-6 CCE-1105

enabled/disabled

` CCE-1114

enabled/disabled

CCE-761-7 CCE-761

enabled/disabled

CCE-739-3 CCE-739

enabled/disabled

The "Disable shortcut keys - Print Shortcut (Ctrl+P)" setting should be configured correctly for InfoPath 2007.

The "Disable shortcut keys - Insert Hyperlink Shortcut (Ctrl+K)" setting should be configured correctly for InfoPath 2007.

The "Control behavior for Windows SharePoint Services gradual upgrade (Allow redirections to any location | Allow redirections to Intranet only | Block all redirections)" setting should be configured correctly for InfoPath 2007.

The "Disable opening of solutions from the Internet security zone" setting should be configured correctly for InfoPath 2007.

The "Disable fully trusted solutions full access to computer" setting should be configured correctly for InfoPath 2007.

The "Allow the use of ActiveX Custom Controls in InfoPath forms" setting should be configured correctly for InfoPath 2007.

The "Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003 SP1" setting should be configured correctly for InfoPath 2007.

CCE-1259-1 CCE-1259

enabled/disabled

CCE-1267-4 CCE-1267

enabled/disabled

CCE-1060-3 CCE-1060

enabled/disabled

CCE-955-5 CCE-955

enabled/disabled

CCE-1479-5 CCE-1479

enabled/disabled

CCE-1360-7 CCE-1360

enabled/disabled

CCE-1386-2 CCE-1386

enabled/disabled

CCE-893-8 CCE-893

enabled/disabled

The "Allow file types as attachments to forms" setting should be configured correctly for InfoPath 2007.

The "Block specific file types as attachments to forms" setting should be configured correctly for InfoPath 2007.

The "Prevent users from allowing unsafe file types to be attached to forms" setting should be configured correctly for InfoPath 2007.

The "Display a warning that a form is digitally signed" setting should be configured correctly for InfoPath 2007.

The "Control behavior when opening forms in the Internet security zone (Block | Prompt | Allow)" setting should be configured correctly for InfoPath 2007.

The "Control behavior when opening forms in the Intranet security zone (Block | Prompt | Allow)" setting should be configured correctly for InfoPath 2007.

The "Control behavior when opening forms in the Local Machine security zone (Block | Prompt | Allow)" setting should be configured correctly for InfoPath 2007.

The "Control behavior when opening forms in the Trusted Site security zone (Block | Prompt | Allow)" setting should be configured correctly for InfoPath 2007.

CCE-1290-6 CCE-1290

enabled/disabled

CCE-1381-3 CCE-1381

enabled/disabled

CCE-1135-3 CCE-1135

enabled/disabled

CCE-1157-7 CCE-1157

enabled/disabled

CCE-1434-0 CCE-1434

enabled/disabled

CCE-1315-1 CCE-1315

enabled/disabled

CCE-1210-4 CCE-1210

enabled/disabled

The "Beaconing UI for forms opened in InfoPath (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone)" setting should be configured correctly for InfoPath 2007.

The "Beaconing UI for forms opened in InfoPath Editor ActiveX (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone)" setting should be configured correctly for InfoPath 2007.

The "Disable all application add-ins" setting should be configured correctly for InfoPath 2007.

The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for InfoPath 2007.

The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for InfoPath 2007.

The "Control behavior when opening InfoPath e-mail forms containing code or script (Run without prompting | Prompt before running | Never run)" setting should be configured correctly for InfoPath 2007.

The "Disable sending form template with e-mail forms" setting should be configured correctly for InfoPath 2007.

CCE-1236-9 CCE-1236

enabled/disabled

CCE-884-7 CCE-884

enabled/disabled

CCE-1518-0 CCE-1518

enabled/disabled

CCE-1170-0 CCE-1170

enabled/disabled

CCE-1316-9 CCE-1316

enabled/disabled

CCE-1567-7 CCE-1567

enabled/disabled

CCE-1265-8 CCE-1265

enabled/disabled

CCE-1538-8 CCE-1538

enabled/disabled

CCE-1564-4 CCE-1564

enabled/disabled

The "Disable dynamic caching of the form template in InfoPath e-mail forms" setting should be configured correctly for InfoPath 2007.

The "Disable sending InfoPath 2003 Forms as e-mail forms" setting should be configured correctly for InfoPath 2007.

The "Disable e-mail forms running in restricted security level" setting should be configured correctly for InfoPath 2007.

The "Disable e-mail forms from the Internet security zone" setting should be configured correctly for InfoPath 2007.

The "Disable e-mail forms from the Intranet security zone" setting should be configured correctly for InfoPath 2007.

The "Disable e-mail forms from the Full Trust security zone" setting should be configured correctly for InfoPath 2007.

The "Disable InfoPath e-mail forms in Outlook" setting should be configured correctly for InfoPath 2007.

The "Information Rights Management" setting should be configured correctly for InfoPath 2007.

The "Custom code" setting should be configured correctly for InfoPath 2007.

CCE-1212-0 CCE-1212

enabled/disabled

CCE-1344-1 CCE-1344

enabled/disabled

CCE-723-7 CCE-723

enabled/disabled

CCE-1384-7 CCE-1384

enabled/disabled

CCE-1159-3 CCE-1159

enabled/disabled

CCE-1146-0 CCE-1146

enabled/disabled

CCE-1542-0 CCE-1542

enabled/disabled

CCE-582-7 CCE-582

enabled/disabled

The "Email Forms Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone)" setting should be configured correctly for InfoPath 2007.

The "Disable user customization of Quick Access Toolbar via UI" setting should be configured correctly

The "Disable user customization of Quick Access Toolbar via UI - Disallow in Word" setting should be configured correctly

The "Disable user customization of Quick Access Toolbar via UI - Disallow in Excel" setting should be configured correctly

The "Disable user customization of Quick Access Toolbar via UI - Disallow in PowerPoint" setting should be configured correctly

The "Disable user customization of Quick Access Toolbar via UI - Disallow in Access" setting should be configured correctly

The "Disable user customization of Quick Access Toolbar via UI - Disallow in Outlook" setting should be configured correctly

The "Disable all user customization of Quick Access Toolbar" setting should be configured correctly

CCE-1291-4 CCE-1291

enabled/disabled

CCE-1326-8 CCE-1326

enabled/disabled

CCE-1330-0 CCE-1330

enabled/disabled

CCE-1335-9 CCE-1335

enabled/disabled

CCE-1229-4 CCE-1229

enabled/disabled

CCE-630-4 CCE-630

enabled/disabled

CCE-1154-4 CCE-1154

enabled/disabled

CCE-1410-0 CCE-1410

enabled/disabled

The "Disable all user customization of Quick Access Toolbar - Disallow in Word" setting should be configured correctly

The "Disable all user customization of Quick Access Toolbar - Disallow in Excel" setting should be configured correctly

The "Disable all user customization of Quick Access Toolbar - Disallow in PowerPoint" setting should be configured correctly

The "Disable all user customization of Quick Access Toolbar - Disallow in Access" setting should be configured correctly

The "Disable all user customization of Quick Access Toolbar - Disallow in Outlook" setting should be configured correctly

The "Disable UI extending from documents and templates" setting should be configured correctly

The "Disable UI extending from documents and templates - Disallow in Word" setting should be configured correctly

The "Disable UI extending from documents and templates - Disallow in Excel" setting should be configured correctly

CCE-1432-4 CCE-1432

enabled/disabled

CCE-1198-1 CCE-1198

enabled/disabled

CCE-929-0 CCE-929

enabled/disabled

CCE-1074-4 CCE-1074

enabled/disabled

CCE-1458-9 CCE-1458

enabled/disabled

CCE-1233-6 CCE-1233

enabled/disabled

CCE-1379-7 CCE-1379

enabled/disabled

CCE-1401-9 CCE-1401

enabled/disabled

The "Disable UI extending from documents and templates - Disallow in PowerPoint" setting should be configured correctly

The "Disable UI extending from documents and templates - Disallow in Access" setting should be configured correctly

The "Disable UI extending from documents and templates - Disallow in Outlook" setting should be configured correctly

The "Recognize smart tags in Excel" setting should be configured correctly

The "Disable Clip Art and Media downloads from the client and from Office Online website" setting should be configured correctly

The "Disable template downloads from the client and from Office Online website" setting should be configured correctly

The "Disable access to updates, add-ins, and patches on the Office Online website" setting should be configured correctly

The "Prevents users from uploading document templates to the Office Online community." setting should be configured correctly

CCE-1528-9 CCE-1528

enabled/disabled

CCE-1533-9 CCE-1533

enabled/disabled

CCE-646-0 CCE-646

enabled/disabled

CCE-1438-1 CCE-1438

enabled/disabled

CCE-711-2 CCE-711

enabled/disabled

CCE-1292-2 CCE-1292

enabled/disabled

CCE-1615-4 CCE-1615 enabled/disabled

CCE-1191-6 CCE-1191

enabled/disabled

CCE-1587-5 CCE-1587

enabled/disabled

CCE-1486-0 CCE-1486

enabled/disabled

The "Disable training practice downloads from the Office Online website" setting should be configured correctly

The "Disable customer-submitted templates downloads from Office Online" setting should be configured correctly

The "Open Office documents as read/write while browsing" setting should be configured correctly

The "Rely on VML for displaying graphics in browsers" setting should be configured correctly

The "Allow PNG as an output format" setting should be configured correctly

The "Improve Proofing Tools" setting should be configured correctly

The "Disable Opt-in Wizard on first run" setting should be configured correctly.

The "Microsoft Office Online" setting should be configured correctly

The "Disable Password Caching" setting should be configured correctly

The "Disable all Trust Bar notifications for security issues" setting should be configured correctly

CCE-1508-1 CCE-1508

enabled/disabled

CCE-1640-2 CCE-1640

enabled/disabled

CCE-1539-6 CCE-1539

enabled/disabled

CCE-1561-0 CCE-1561

enabled/disabled

CCE-1068-6 CCE-1068

enabled/disabled

CCE-1574-3 CCE-1574

enabled/disabled

CCE-1239-3 CCE-1239

enabled/disabled

CCE-1623-8 CCE-1623

enabled/disabled

CCE-1083-5 CCE-1083

enabled/disabled

The "Protect document metadata for rights managed Office Open XML Files" setting should be configured correctly

The "Protect document metadata for password protected files." setting should be configured correctly

The "Encryption type for password protected Office Open XML files" setting should be configured correctly

The "Encryption type for password protected Office 97-2003 files" setting should be configured correctly

The "Load Controls in Forms3 (1 | 2 | 3 | 4)" setting should be configured correctly

The "Automation Security (Disable macros by default | Use application macro security level | Macros enabled)" setting should be configured correctly

The "Prevent Word and Excel from loading managed code extensions" setting should be configured correctly

The "Disable hyperlink warnings" setting should be configured correctly

The "Disable password to open UI" setting should be configured correctly

CCE-1343-3 CCE-1343

enabled/disabled

CCE-1242-7 CCE-1242

enabled/disabled

CCE-770-8 CCE-770

enabled/disabled

CCE-903-5 CCE-903

enabled/disabled

CCE-1555-2 CCE-1555

enabled/disabled

CCE-1061-1 CCE-1061

enabled/disabled

CCE-1603-0 CCE-1603

enabled/disabled

CCE-1612-1 CCE-1612

enabled/disabled

CCE-1493-6 CCE-1493

enabled/disabled

The "Download Office Controls" setting should be configured correctly

The "Disable All ActiveX" setting should be configured correctly

The "Allow mix of policy and user locations" setting should be configured correctly

The "Disable Smart Document's use of manifests" setting should be configured correctly

The "Completely disable the Smart Documents feature in Word and Excel" setting should be configured correctly

The "Disable Internet Fax feature" setting should be configured correctly

The "Prevent users from changing permissions on rights managed content" setting should be configured correctly

The "Allow users with earlier versions of Office to read with browsers..." setting should be configured correctly

The "Always require users to connect to verify permission" setting should be configured correctly

CCE-1409-2 CCE-1409

enabled/disabled

CCE-1589-1 CCE-1589

enabled/disabled

CCE-1237-7 CCE-1237

enabled/disabled

CCE-1404-3 CCE-1404

enabled/disabled

CCE-1396-1 CCE-1396

enabled/disabled

CCE-1167-6 CCE-1167

enabled/disabled

CCE-1585-9 CCE-1585

enabled/disabled

CCE-1572-7 CCE-1572

enabled/disabled

CCE-1220-3 CCE-1220

enabled/disabled

The "Always expand groups in Office when restricting permission for documents" setting should be configured correctly

The "Never allow users to specify groups when restricting permission for documents" setting should be configured correctly

The "Disable Microsoft Passport service for content with restricted permission" setting should be configured correctly

The "Do not allow users to upgrade Information Rights Management configuration" setting should be configured correctly

The "Key Usage Filtering" setting should be configured correctly

The "EKU filtering" setting should be configured correctly

The "Legacy format signatures" setting should be configured correctly

The "Suppress Office Signing Providers (Enable Western and East Asian | Suppress default Western | Suppress default East Asian | Suppress both Western and East Asian)" setting should be configured correctly

The "Suppress external signature services menu item" setting should be configured correctly

CCE-1634-5 CCE-1634

enabled/disabled

CCE-1643-6 CCE-1643

enabled/disabled

CCE-1546-1 CCE-1546

enabled/disabled

CCE-1505-7 CCE-1505

enabled/disabled

CCE-1545-3 CCE-1545

enabled/disabled

CCE-1549-5 CCE-1549

enabled/disabled

CCE-1431-6 CCE-1431

enabled/disabled

The "Disable Check For Solutions" setting should be configured correctly

The "Disable inclusion of document properties in PDF and XPS output" setting should be configured correctly

The "Disable Document Information Panel" setting should be configured correctly

The "Document Information Panel Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone)" setting should be configured correctly

The "Disable the Office client from polling the Office server for published links" setting should be configured correctly

The "Block opening of pre-release versions of file formats new to Word 2007 through the Compatibility Pack for the 2007 Office system and Word 2007 Open XML/Word 97-2003 Format Converter" setting should be configured correctly

The "Block opening of pre-release versions of file formats new to Excel 2007 through the Compatibility Pack for the 2007 Office system and Excel 2007 Converter" setting should be configured correctly

CCE-1594-1 CCE-1594

enabled/disabled

CCE-1241-9 CCE-1241

enabled/disabled

CCE-1607-1 CCE-1607

enabled/disabled

CCE-752-6 CCE-752

enabled/disabled

CCE-1166-8 CCE-1166

enabled/disabled

CCE-654-4 CCE-654

enabled/disabled

CCE-1192-4 CCE-1192

enabled/disabled

CCE-791-4 CCE-791

enabled/disabled

CCE-1456-3 CCE-1456

enabled/disabled

The "Block opening of pre-release versions of file formats new to PowerPoint 2007 through the Compatibility Pack for the 2007 Office system and PowerPoint 2007 Converter" setting should be configured correctly

The "Control Blogging (Enabled | Only SharePoint blogs allowed | All blogging disabled)" setting should be configured correctly

The "Enable Smart Resume" setting should be configured correctly

The "Do not upload media files" setting should be configured correctly

The "Disable hyperlinks to web templates in File | New and task panes" setting should be configured correctly

The "Prevent access to Web-based file storage" setting should be configured correctly

The "Do not allow attachment previewing in Outlook" setting should be configured correctly for Outlook 2007.

The "Read e-mail as plain text" setting should be configured correctly for Outlook 2007.

The "Read signed e-mail as plain text" setting should be configured correctly for Outlook 2007.

CCE-1478-7 CCE-1478

enabled/disabled

CCE-1368-0 CCE-1368

enabled/disabled

CCE-1641-0 CCE-1641

enabled/disabled

CCE-1266-6 CCE-1266

enabled/disabled

CCE-1399-5 CCE-1399

enabled/disabled

CCE-1187-4 CCE-1187

enabled/disabled

CCE-1588-3 CCE-1588

enabled/disabled

The "Prevent publishing to Office Online" setting should be configured correctly for Outlook 2007.

The "Prevent publishing to a DAV server" setting should be configured correctly for Outlook 2007.

The "Restrict level of calendar details users can publish (All options are available | Disables 'Full details' | Disables 'Full details' and 'Limited details')" setting should be configured correctly for Outlook 2007.

The "Access to published calendars" setting should be configured correctly for Outlook 2007.

The "Restrict upload method" setting should be configured correctly for Outlook 2007.

The "Hide Junk Mail UI" setting should be configured correctly for Outlook 2007.

The "Junk E-mail protection level (No Protection, Low, High, Trusted Lists Only)" setting should be configured correctly for Outlook 2007.

CCE-1117-1 CCE-1117

enabled/disabled

CCE-1130-4 CCE-1130

enabled/disabled

CCE-1093-4 CCE-1093

enabled/disabled

CCE-1599-0 CCE-1599

enabled/disabled

CCE-1621-2 CCE-1621

enabled/disabled

CCE-1269-0 CCE-1269

enabled/disabled

CCE-1419-1 CCE-1419

enabled/disabled

CCE-1551-1 CCE-1551

enabled/disabled

The "Trust E-mail from Contacts" setting should be configured correctly for Outlook 2007.

The "Add e-mail recipients to users' Safe Senders Lists" setting should be configured correctly for Outlook 2007.

The "Dial-up options" setting should be configured correctly for Outlook 2007.

The "Dial-up options - Warn before switching dial-up connection" setting should be configured correctly for Outlook 2007.

The "Dial-up options - Hang up when finished sending, receiving, or updating" setting should be configured correctly for Outlook 2007.

The "Dial-up options - Automatically dial during a background Send/Receive" setting should be configured correctly for Outlook 2007.

The "Do not allow creating, replying, or forwarding signatures for e-mail messages" setting should be configured correctly for Outlook 2007.

The "Send copy of pictures with HTML messages instead of reference to Internet location" setting should be configured correctly for Outlook 2007.

CCE-655-1 CCE-655

enabled/disabled

CCE-1592-5 CCE-1592

enabled/disabled

CCE-1614-7 CCE-1614

enabled/disabled

CCE-1526-3 CCE-1526

enabled/disabled

CCE-1111-4 CCE-1111

enabled/disabled

CCE-1494-4 CCE-1494

enabled/disabled

CCE-1287-2 CCE-1287

enabled/disabled

CCE-1529-7 CCE-1529

enabled/disabled

The "Outlook Rich Text options (Convert to HTML | Convert to Plain Text format | Send Using Outlook Rich Text format)" setting should be configured correctly for Outlook 2007.

The "Plain text options" setting should be configured correctly for Outlook 2007.

The "Plain text options - Encode attachments in UUENCODE format when sending a plain text message" setting should be configured correctly for Outlook 2007.

The "Set message format (HTML | Rich Text | Plain Text)" setting should be configured correctly for Outlook 2007.

The "Make Outlook the default program for E-mail, Contacts, and Calendar" setting should be configured correctly for Outlook 2007.

The "Do not allow folders in non-default stores to be set as folder home pages" setting should be configured correctly for Outlook 2007.

The "Use Unicode format when dragging e-mail message to file system" setting should be configured correctly for Outlook 2007.

The "Do not allow Outlook object model scripts to run for shared folders" setting should be configured correctly for Outlook 2007.

CCE-1560-2 CCE-1560

enabled/disabled

CCE-1596-6 CCE-1596

enabled/disabled

CCE-1604-8 CCE-1604

enabled/disabled

CCE-1648-5 CCE-1648

enabled/disabled

CCE-1516-4 CCE-1516

enabled/disabled

CCE-1296-3 CCE-1296

enabled/disabled

The "Do not allow Outlook object model scripts to run for public folders" setting should be configured correctly for Outlook 2007.

The "Set maximum level of online status on a person name (Do not allow | Allow everywhere except To and CC field | Allow everywhere)" setting should be configured correctly for Outlook 2007.

The "Display online status on a person name (Never | Everywhere except To and CC field | Everywhere)" setting should be configured correctly for Outlook 2007.

The "Turn off Enable the Person Names Smart Tag option" setting should be configured correctly for Outlook 2007.

The "Outlook Security Mode (Outlook Default Security | Use Security Form from 'Outlook Security Settings' Public Folder | Use Security Form from 'Outlook 10 Security Settings' Public Folder | Use Outlook Security Group Policy)" setting should be configured correctly for Outlook 2007.

The "Display Level 1 attachments" setting should be configured correctly for Outlook 2007.

CCE-1388-8 CCE-1388

enabled/disabled

CCE-1652-7 CCE-1652

enabled/disabled

CCE-1569-3 CCE-1569

enabled/disabled

CCE-1459-7 CCE-1459

enabled/disabled

CCE-1608-9 CCE-1608

enabled/disabled

CCE-1617-0 CCE-1617

enabled/disabled

CCE-1631-1 CCE-1631

enabled/disabled

CCE-1155-1 CCE-1155

enabled/disabled

CCE-1556-0 CCE-1556

enabled/disabled

The "Allow users to demote attachments to Level 2" setting should be configured correctly for Outlook 2007.

The "Do not prompt about Level 1 attachments when sending an item" setting should be configured correctly for Outlook 2007.

The "Do not prompt about Level 1 attachments when closing an item" setting should be configured correctly for Outlook 2007.

The "Allow in-place activation of embedded OLE objects" setting should be configured correctly for Outlook 2007.

The "Display OLE package objects" setting should be configured correctly for Outlook 2007.

The "Add file extensions to block as Level 1" setting should be configured correctly for Outlook 2007.

The "Remove file extensions blocked as Level 1" setting should be configured correctly for Outlook 2007.

The "Add file extensions to block as Level 2" setting should be configured correctly for Outlook 2007.

The "Remove file extensions blocked as Level 2" setting should be configured correctly for Outlook 2007.

CCE-1595-8 CCE-1595

enabled/disabled

CCE-1436-5 CCE-1436

enabled/disabled

CCE-1586-7 CCE-1586

enabled/disabled

CCE-1590-9 CCE-1590

enabled/disabled

CCE-1004-1 CCE-1004

enabled/disabled

The "Allow scripts in one-off Outlook forms" setting should be configured correctly for Outlook 2007.

The "Set Outlook object model Custom Actions execution prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.

The "Set control ItemProperty prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly

The "Configure Outlook object model prompt when sending mail (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.

The "Configure Outlook object model prompt when accessing an address book (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.

CCE-1273-2 CCE-1273

enabled/disabled

CCE-1172-6 CCE-1172

enabled/disabled

CCE-1568-5 CCE-1568

enabled/disabled

CCE-1573-5 CCE-1573

enabled/disabled

The "Configure Outlook object model prompt when reading address information (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.

The "Configure Outlook object model prompt when responding to meeting and task requests (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.

The "Configure Outlook object model prompt when executing Save As (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.

The "Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.

CCE-1454-8 CCE-1454

enabled/disabled

CCE-1498-5 CCE-1498

enabled/disabled

CCE-1630-3 CCE-1630

enabled/disabled

CCE-1626-1 CCE-1626

enabled/disabled

CCE-1163-5 CCE-1163

enabled/disabled

CCE-1445-6 CCE-1445

enabled/disabled

CCE-1582-6 CCE-1582

enabled/disabled

The "Configure Outlook object model prompt when accessing address information via UserProperties.Find (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.

The "Required Certificate Authority" setting should be configured correctly for Outlook 2007.

The "S/MIME interoperability with external clients: (Handle internally | Handle externally | Handle if possible)" setting should be configured correctly for Outlook 2007.

The "Always use Rich Text formatting in S/MIME messages" setting should be configured correctly for Outlook 2007.

The "S/MIME password settings" setting should be configured correctly for Outlook 2007.

The "S/MIME password settings - Default S/MIME password time (minutes): (0 - 2147483647)" setting should be configured correctly for Outlook 2007.

The "S/MIME password settings - Maximum S/MIME password time (minutes): (0 - 2147483647)" setting should be configured correctly for Outlook 2007.

CCE-1357-3 CCE-1357

enabled/disabled

CCE-1132-0 CCE-1132

enabled/disabled

CCE-1511-5 CCE-1511

enabled/disabled

CCE-1018-1 CCE-1018

enabled/disabled

CCE-1181-7 CCE-1181

enabled/disabled

CCE-1639-4 CCE-1639

enabled/disabled

The "Message Formats" setting should be configured correctly for Outlook 2007.

The "Message Formats - Support the following message formats: (S/MIME | Exchange | Fortezza | S/MIME and Exchange | S/MIME and Fortezza | Exchange and Fortezza | S/MIME, Exchange, and Fortezza)" setting should be configured correctly for Outlook 2007.

2007: The "Do not provide Continue option on Encryption warning dialog boxes" setting should be configured correctly for Outlook 2007. 2003: The "Disable Continue button on all Encryption warning dialogs" setting should be configured correctly.

The "Run in FIPS compliant mode" setting should be configured correctly for Outlook 2007.

The "Encrypt all e-mail messages" setting should be configured correctly for Outlook 2007 and 2003.

The "Sign all e-mail messages" setting should be configured correctly for Outlook 2007.

CCE-677-5 CCE-677

enabled/disabled

CCE-687-4 CCE-687

enabled/disabled

CCE-1613-9 CCE-1613

enabled/disabled

CCE-1402-7 CCE-1402

enabled/disabled

CCE-1658-4 CCE-1658

enabled/disabled

CCE-1662-6 CCE-1662

enabled/disabled

CCE-1080-1 CCE-1080

enabled/disabled

CCE-1076-9 CCE-1076

enabled/disabled

The "URL for S/MIME certificates" setting should be configured correctly for Outlook 2007.

The "Ensure all S/MIME signed messages have a label" setting should be configured correctly for Outlook 2007.

The "S/MIME receipt requests (Open message if receipt can't be sent | Don't open message if receipt can't be sent | Always prompt before sending receipt | Never send S/MIME )" setting should be configured correctly for Outlook 2007.

The "Fortezza certificate policies" setting should be configured correctly for Outlook 2007.

The "Require SuiteB algorithms for S/MIME operations" setting should be configured correctly for Outlook 2007.

The "Missing CRLs" setting should be configured correctly for Outlook 2007.

The "Missing CRLs - Indicate a missing CRL as a(n): (warning | error)" setting should be configured correctly for Outlook 2007.

The "Missing root certificates" setting should be configured correctly for Outlook 2007.

CCE-1636-0 CCE-1636

enabled/disabled

CCE-943-1 CCE-943

enabled/disabled

CCE-1591-7 CCE-1591

enabled/disabled

CCE-1133-8 CCE-1133

enabled/disabled

CCE-725-2 CCE-725

enabled/disabled

CCE-1347-4 CCE-1347

enabled/disabled

CCE-1475-3 CCE-1475

enabled/disabled

CCE-1497-7 CCE-1497

enabled/disabled

The "Missing root certificates - Indicate a missing root certificate as a(n): (neither error nor warning | warning | error)" setting should be configured correctly for Outlook 2007.

The "Promote Level 2 errors as errors, not warnings" setting should be configured correctly for Outlook 2007.

The "Attachment Secure Temporary Folder" setting should be configured correctly for Outlook 2007.

The "Display pictures and external content in HTML e-mail" setting should be configured correctly for Outlook 2007.

The "Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists" setting should be configured correctly for Outlook 2007.

The "Do not permit download of content from safe zones" setting should be configured correctly for Outlook 2007.

The "Block Trusted Zones" setting should be configured correctly for Outlook 2007.

The "Include Internet in Safe Zones for Automatic Picture Download" setting should be configured correctly for Outlook 2007.

CCE-1501-6 CCE-1501

enabled/disabled

CCE-1030-6 CCE-1030

enabled/disabled

CCE-1052-0 CCE-1052

enabled/disabled

CCE-1462-1 CCE-1462

enabled/disabled

CCE-1281-5 CCE-1281

enabled/disabled

CCE-1303-7 CCE-1303

enabled/disabled

CCE-1082-7 CCE-1082

enabled/disabled

The "Include Intranet in Safe Zones for Automatic Picture Download" setting should be configured correctly for Outlook 2007.

The "Security setting for macros (Always warn | Never warn, disable all | Warn for signed, disable unsigned | No security check)" setting should be configured correctly for Outlook 2007.

The "Enable links in e-mail messages" setting should be configured correctly for Outlook 2007.

The "Apply macro security settings to macros, add-ins, and SmartTags" setting should be configured correctly for Outlook 2007.

The "Automatically configure profile based on Active Directory Primary SMTP address" setting should be configured correctly for Outlook 2007.

The "Do not allow users to change permissions on folders" setting should be configured correctly for Outlook 2007.

The "Enable RPC encryption" setting should be configured correctly for Outlook 2007.

CCE-1712-9 CCE-1712

enabled/disabled

CCE-1131-2 CCE-1131

enabled/disabled

CCE-1620-4 CCE-1620

enabled/disabled

CCE-1541-2 CCE-1541

enabled/disabled

CCE-1311-0 CCE-1311

enabled/disabled

CCE-1682-4 CCE-1682

enabled/disabled

CCE-1461-3 CCE-1461

enabled/disabled

The "Authentication with Exchange Server (Kerberos/NTLM Password Authentication | Kerberos Password Authentication | NTLM Password Authentication)" setting should be configured correctly for Outlook 2007.

The "Synchronize Outlook RSS Feeds with Common Feed List" setting should be configured correctly for Outlook 2007.

The "Turn off RSS feature" setting should be configured correctly for Outlook 2007.

The "Automatically download enclosures" setting should be configured correctly for Outlook 2007.

The "Download full text of articles as HTML attachments" setting should be configured correctly for Outlook 2007.

The "Automatically download attachments" setting should be configured correctly for Outlook 2007.

The "Do not include Internet Calendar integration in Outlook" setting should be configured correctly for Outlook 2007.

CCE-1041-3 CCE-1041

enabled/disabled

CCE-1565-1 CCE-1565

enabled/disabled

CCE-1719-4 CCE-1719

enabled/disabled

CCE-1477-9 CCE-1477

enabled/disabled

CCE-1142-9 CCE-1142

enabled/disabled

CCE-1649-3 CCE-1649

enabled/disabled

CCE-1279-9 CCE-1279

enabled/disabled

The "Disable user entries to server list (Publish default, allow others | Publish default, disallow others)" setting should be configured correctly for Outlook 2007.

The "Do not expand distribution lists" setting should be configured correctly for Outlook 2007.

The "Save files in this format (PowerPoint Presentation (*.pptx) | PowerPoint Macro-Enabled Presentation (*.pptm) | PowerPoint 97-2003 Presentation (*.ppt))" setting should be configured correctly for PowerPoint 2007.

The "Number of documents in the Recent Documents list (0 - 50)" setting should be configured correctly for PowerPoint 2007.

The "Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations" setting should be configured correctly for PowerPoint 2007.

The "Run Programs (disable (don't run any programs) | enable (prompt user before running) | enable all (run without prompting))" setting should be configured correctly for PowerPoint 2007.

The "Make hidden markup visible" setting should be configured correctly for PowerPoint 2007.

CCE-1451-4 CCE-1451

enabled/disabled

CCE-1204-7 CCE-1204

enabled/disabled

CCE-1107-2 CCE-1107

enabled/disabled

CCE-743-5 CCE-743

enabled/disabled

CCE-747-6 CCE-747

enabled/disabled

CCE-782-3 CCE-782

enabled/disabled

CCE-1327-6 CCE-1327

enabled/disabled

CCE-1723-6 CCE-1723

enabled/disabled

The "Unblock automatic download of linked images" setting should be configured correctly for PowerPoint 2007.

The "Disable all application add-ins" setting should be configured correctly for PowerPoint 2007.

The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for PowerPoint 2007.

The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for PowerPoint 2007.

The "Allow Trusted Locations not on the computer" setting should be configured correctly for PowerPoint 2007.

The "Disable all trusted locations" setting should be configured correctly for PowerPoint 2007.

The "Disable commands" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Web Page Preview" setting should be configured correctly for PowerPoint 2007.

CCE-1366-4 CCE-1366

enabled/disabled

CCE-1679-0 CCE-1679

enabled/disabled

CCE-1173-4 CCE-1173

enabled/disabled

CCE-1714-5 CCE-1714

enabled/disabled

CCE-1485-2 CCE-1485

enabled/disabled

CCE-1687-3 CCE-1687

enabled/disabled

CCE-1709-5 CCE-1709

enabled/disabled

CCE-1463-9 CCE-1463

enabled/disabled

The "Disable commands - Office Button | Send | Email" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Insert | Links | Hyperlink" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Review | Proofing | Language" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - View | Macros | Macros" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Developer | Code | Macros" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Developer | Code | Macro Security" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Developer | Code | Visual Basic" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Document Location" setting should be configured correctly for PowerPoint 2007.

CCE-1467-0 CCE-1467

enabled/disabled

CCE-1740-0 CCE-1740

enabled/disabled

CCE-1780-6 CCE-1780

enabled/disabled

CCE-1661-8 CCE-1661

enabled/disabled

CCE-1688-1 CCE-1688

enabled/disabled

CCE-1701-2 CCE-1701

enabled/disabled

CCE-1348-2 CCE-1348

enabled/disabled

CCE-1644-4 CCE-1644

enabled/disabled

CCE-1194-0 CCE-1194

enabled/disabled

The "Disable commands - Disable shortcut keys" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Ctrl+K (Insert | Links | Hyperlink)" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Alt+F8 (Developer | Code | Macros)" setting should be configured correctly for PowerPoint 2007.

The "Disable commands - Alt+F11 (Developer | Code | Visual Basic)" setting should be configured correctly for PowerPoint 2007.

The "Block opening of pre-release versions of file formats new to PowerPoint 2007" setting should be configured correctly for PowerPoint 2007.

The "Block opening of Open Xml files types" setting should be configured correctly for PowerPoint 2007.

The "Block opening of Binary file types" setting should be configured correctly for PowerPoint 2007.

The "Block opening of Html file types" setting should be configured correctly for PowerPoint 2007.

The "Block opening of Outlines" setting should be configured correctly for PowerPoint 2007.

CCE-1216-1 CCE-1216

enabled/disabled

CCE-1506-5 CCE-1506

enabled/disabled

CCE-1136-1 CCE-1136

enabled/disabled

CCE-1766-5 CCE-1766

enabled/disabled

CCE-1180-9 CCE-1180

enabled/disabled

CCE-1722-8 CCE-1722

enabled/disabled

CCE-1731-9 CCE-1731

enabled/disabled

CCE-885-4 CCE-885

enabled/disabled

The "Block opening of Converters" setting should be configured correctly for PowerPoint 2007.

The "Block saving of Open Xml file types" setting should be configured correctly for PowerPoint 2007.

The "Block saving of Binary file types" setting should be configured correctly for PowerPoint 2007.

The "Block saving of Html file types" setting should be configured correctly for PowerPoint 2007.

The "Block saving of Outlines" setting should be configured correctly for PowerPoint 2007.

The "Block saving of GraphicFilters" setting should be configured correctly for PowerPoint 2007.

The "Disable Slide Update" setting should be configured correctly for PowerPoint 2007.

The "Hidden text" setting should be configured correctly for Word 2007.

CCE-1656-8 CCE-1656

enabled/disabled

CCE-1537-0 CCE-1537

enabled/disabled

CCE-1249-2 CCE-1249

enabled/disabled

CCE-1509-9 CCE-1509

enabled/disabled

The "Save files in this format (Word document (*.docx) | Single Files Web Page (*.mht) | Web Page (*.htm; *.html) | Web Page, Filtered (*.htm, *.html) | Rich Text Format (*.rtf) | Plain Text (*.txt) | Word 6.0/95 (*.doc) | Word 6.0/95 - Chinese (Simplified) (*.doc) | Word 6.0/95 - Chinese (Traditional) (*.doc) | Word 6.0/95 - Japanese (*.doc) | Word 6.0/95 - Korean (*.doc) | Word 97-2002 & 6.0/95 - RTF | Word 5.1 for Macintosh (*.mcw) | Word 5.0 for Macintosh (*.mcw) | Word 2.x for Windows (*.doc) | Works 4.0 for Windows (*.wps) | WordPerfect 5.x for Windows (*.doc) | WordPerfect 5.1 for DOS (*.doc) | Word 2007 Macro Enabled Document (*.docm) | Word 2007 Macro Free Template (*.dotx) | Word 2007 Macro Enabled Template (*.dotm) | Word 97 - 2003 Document (*.doc) | Word 97 - 2003 Template (*.dot) | Flat XML Document (*.xml))" setting should be configured correctly for

The "Number of documents in the Recent Documents list (0-50)" setting should be configured correctly for Word 2007.

The "Update automatic links at Open" setting should be configured correctly for Word 2007.

The "Save smart tags in e-mail" setting should be configured correctly for Word 2007.

CCE-1280-7 CCE-1280

enabled/disabled

CCE-1681-6 CCE-1681

enabled/disabled

CCE-1562-8 CCE-1562

enabled/disabled

CCE-1333-4 CCE-1333

enabled/disabled

CCE-1355-7 CCE-1355

enabled/disabled

CCE-1637-8 CCE-1637

enabled/disabled

CCE-1659-2 CCE-1659

enabled/disabled

CCE-1329-2 CCE-1329

enabled/disabled

The "Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents" setting should be configured correctly for Word 2007.

The "Disable all application add-ins" setting should be configured correctly for Word 2007.

The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for Word 2007.

The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for Word 2007.

The "Allow Trusted Locations not on the computer" setting should be configured correctly for Word 2007.

The "Disable all trusted locations" setting should be configured correctly for Word 2007.

The "Disable commands" setting should be configured correctly for Word 2007.

The "Disable commands - Office Button | Word Options | Customize | All Commands | Save As Web Page" setting should be configured correctly for Word 2007.

CCE-1632-9 CCE-1632

enabled/disabled

CCE-1425-8 CCE-1425

enabled/disabled

CCE-1196-5 CCE-1196

enabled/disabled

CCE-936-5 CCE-936

enabled/disabled

CCE-1354-0 CCE-1354

enabled/disabled

CCE-1125-4 CCE-1125

enabled/disabled

CCE-1742-6 CCE-1742

enabled/disabled

CCE-1782-2 CCE-1782

enabled/disabled

The "Disable commands - Office Button | Word Options | Customize | All Commands | Web Page Preview" setting should be configured correctly for Word 2007.

The "Disable commands - Office Button | Send | Email" setting should be configured correctly for Word 2007.

The "Disable commands - Insert | Links | Hyperlink" setting should be configured correctly for Word 2007.

The "Disable commands - Review | Protect | Protect Document" setting should be configured correctly for Word 2007.

The "Disable commands - View | Macros | Macros" setting should be configured correctly for Word 2007.

The "Disable commands - Developer | Code | Macros" setting should be configured correctly for Word 2007.

The "Disable commands - Developer | Code | Record Macro" setting should be configured correctly for Word 2007.

The "Disable commands - Developer | Code | Macro Security" setting should be configured correctly for Word 2007.

CCE-1306-0 CCE-1306

enabled/disabled

CCE-1548-7 CCE-1548

enabled/disabled

CCE-1716-0 CCE-1716

enabled/disabled

CCE-1597-4 CCE-1597

enabled/disabled

CCE-1689-9 CCE-1689

enabled/disabled

CCE-1570-1 CCE-1570

enabled/disabled

CCE-1720-2 CCE-1720

enabled/disabled

CCE-1746-7 CCE-1746

enabled/disabled

The "Disable commands - Developer | Code | Visual Basic" setting should be configured correctly for Word 2007.

The "Disable commands - Developer | Templates | Document Template" setting should be configured correctly for Word 2007.

The "Disable shortcut keys" setting should be configured correctly for Word 2007.

The "Disable shortcut keys - Ctrl+F (Home | Editing | Find)" setting should be configured correctly for Word 2007.

The "Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink)" setting should be configured correctly for Word 2007.

The "Disable shortcut keys - Alt+F8 (Developer | Code | Macros)" setting should be configured correctly for Word 2007.

The "Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic)" setting should be configured correctly for Word 2007.

The "Block opening of pre-release versions of file formats new to Word 2007" setting should be configured correctly for Word 2007.

CCE-1504-0 CCE-1504

enabled/disabled

CCE-1654-3 CCE-1654

enabled/disabled

CCE-1160-1 CCE-1160

enabled/disabled

CCE-958-9 CCE-958

enabled/disabled

CCE-1579-2 CCE-1579

enabled/disabled

CCE-984-5 CCE-984

enabled/disabled

CCE-1072-8 CCE-1072

enabled/disabled

CCE-1503-2 CCE-1503

enabled/disabled

CCE-1371-4 CCE-1371

enabled/disabled

CCE-1019-9 CCE-1019

enabled/disabled

The "Block opening of Open XML file types" setting should be configured correctly for Word 2007.

The "Block opening of Binary file types" setting should be configured correctly for Word 2007.

The "Block opening of HTML file types" setting should be configured correctly for Word 2007.

The "Block opening of Word 2003 XML file types" setting should be configured correctly for Word 2007.

The "Block opening of RTF file types" setting should be configured correctly for Word 2007.

The "Block open Converters" setting should be configured correctly for Word 2007.

The "Block opening of Text file types" setting should be configured correctly for Word 2007.

The "Block opening of Internal file types" setting should be configured correctly for Word 2007.

The "Block opening of files before version" setting should be configured correctly for Word 2007.

The "Block saving of Open XML file types" setting should be configured correctly for Word 2007.

CCE-1684-0 CCE-1684

enabled/disabled

CCE-1675-8 CCE-1675

enabled/disabled

CCE-1200-5 CCE-1200

enabled/disabled

CCE-1741-8 CCE-1741

enabled/disabled

CCE-1231-0 CCE-1231

enabled/disabled

CCE-1755-8 CCE-1755

enabled/disabled

CCE-1169-2 CCE-1169

The InfoPath APTCA Assembly

enabled/disabled

CCE-1735-0 CCE-1735

The Windows Internet Explor

enabled/disabled

The "Block saving of Binary file types" setting should be configured correctly for Word 2007.

The "Block saving of HTML file types" setting should be configured correctly for Word 2007.

The "Block saving of Word 2003 XML file types" setting should be configured correctly for Word 2007.

The "Block saving of RTF file types" setting should be configured correctly for Word 2007.

The "Block saving of Converters" setting should be configured correctly for Word 2007.

The "Block saving of Text file types" setting should be configured correctly for Word 2007.

CCE-1739-2 CCE-1739

The InfoPath APTCA Assembly

enabled/disabled

CCE-933-2 CCE-933

The Disable Package Repair

enabled/disabled

CCE-1563-6 CCE-1563

The Disable user name and p

enabled/disabled

CCE-1215-3 CCE-1215

The Disable user name and p

enabled/disabled

CCE-1484-5 CCE-1484

The Disable user name and p

enabled/disabled

CCE-1629-5 CCE-1629

The Disable user name and p

enabled/disabled

CCE-1762-4 CCE-1762

The Disable user name and p

enabled/disabled

CCE-1660-0 CCE-1660

The Disable user name and p

enabled/disabled

CCE-1057-9 CCE-1057

The Disable user name and p

enabled/disabled

CCE-1285-6 CCE-1285

The Disable user name and p

enabled/disabled

CCE-1669-1 CCE-1669

The Bind to object setting s

enabled/disabled

CCE-1691-5 CCE-1691

The Bind to object - excel.ex

enabled/disabled

CCE-1338-3 CCE-1338

The Bind to object - powerpn

enabled/disabled

CCE-1717-8 CCE-1717

The Bind to object - pptview

enabled/disabled

CCE-1488-6 CCE-1488

The Bind to object - winword

enabled/disabled

CCE-1638-6 CCE-1638

The Bind to object - outlook.

enabled/disabled

CCE-1647-7 CCE-1647

The Bind to object - spDesig

enabled/disabled

CCE-1294-8 CCE-1294

The Bind to object - msacces

enabled/disabled

CCE-1193-2 CCE-1193

The Saved from URL setting

enabled/disabled

CCE-1352-4 CCE-1352

The Saved from URL - excel.

enabled/disabled

CCE-928-2 CCE-928

The Saved from URL - powerp

enabled/disabled

CCE-1576-8 CCE-1576

The Saved from URL - pptvie

enabled/disabled

CCE-1100-7 CCE-1100

The Saved from URL - pptvie

enabled/disabled

CCE-1232-8 CCE-1232

The Saved from URL - outloo

enabled/disabled

CCE-1774-9 CCE-1774

The Saved from URL - spDesi

enabled/disabled

CCE-906-8 CCE-906

The Saved from URL - msacce

enabled/disabled

CCE-1034-8 CCE-1034

The Navigate URL setting sh

enabled/disabled

CCE-1435-7 CCE-1435

The Navigate URL - excel.exe

enabled/disabled

CCE-1708-7 CCE-1708

The Navigate URL - powerpnt

enabled/disabled

CCE-808-6 CCE-808

The Navigate URL - pptview.e

enabled/disabled

CCE-1650-1 CCE-1650

The Navigate URL - winword.

enabled/disabled

CCE-1223-7 CCE-1223

The Navigate URL - outlook.e

enabled/disabled

CCE-1764-0 CCE-1764

The Navigate URL - spDesign

enabled/disabled

CCE-1769-9 CCE-1769

The Navigate URL - msaccess

enabled/disabled

CCE-1152-8 CCE-1152

The Block popups setting sho

enabled/disabled

CCE-1566-9 CCE-1566

The Block popups - excel.exe

enabled/disabled

CCE-1077-7 CCE-1077

The Block popups - powerpnt

enabled/disabled

CCE-1606-3 CCE-1606

The Block popups - pptview.e

enabled/disabled

CCE-1738-4 CCE-1738

The Block popups - winword.

enabled/disabled

CCE-1262-5 CCE-1262

The Block popups - outlook.e

enabled/disabled

CCE-1663-4 CCE-1663

The Block popups - spDesign

enabled/disabled

CCE-1544-6 CCE-1544

The Block popups - msaccess

enabled/disabled

CCE-1443-1 CCE-1443

1 = Enabled

CCE-1161-9 CCE-1161

CCE-1421-7 CCE-1421

The "Prevent users from customizing attachment security settings" setting should be configured correctly.

The "Access: Macro Security Level" setting should be configured correctly.

1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High

The "Access: Trust all installed add-ins and templates" setting should be configured correctly.

0 = Enabled | 1 = Disabled

CCE-1571-9 CCE-1571

CCE-1721-0 CCE-1721

CCE-1602-2 CCE-1602

CCE-1624-6 CCE-1624

CCE-1522-2 CCE-1522

The "Excel: Macro Security Level" setting should be configured correctly.

1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High

The "Excel: Trust all installed add-ins and templates" setting should be configured correctly.

0 = Enabled | 1 = Disabled

The "Outlook: Macro Security Level" setting should be configured correctly.

1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High

The "Outlook: Trust all installed add-ins and templates" setting should be configured correctly.

0 = Enabled | 1 = Disabled

The "Outlook virus security settings" setting should be configured correctly.

0 = Uses default administrative settings | 1 = Look in the Outlook Security Settings folder | 2 = Look in the Outlook 10 Security Settings folder

CCE-1183-3 CCE-1183

CCE-1611-3 CCE-1611

CCE-1633-7 CCE-1633

CCE-822-7 CCE-822

CCE-1734-3 CCE-1734

CCE-1628-7 CCE-1628

The "S/MIME receipt requests" setting should be configured correctly.

0 = Open message if receipt can't be sent | 1 = Always prompt before sending receipt | 2 = Never send S/MIME receipts | 3 = Don't open message if receipt can't be sent

The "PowerPoint: Macro Security Level" setting should be configured correctly.

1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High

The "PowerPoint: Trust all installed add-ins and templates" setting should be configured correctly.

0 = Enabled | 1 = Disabled

The "Publisher: Macro Security Level" setting should be configured correctly.

1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High

The "Publisher: Trust all installed add-ins and templates" setting should be configured correctly.

0 = Enabled | 1 = Disabled

The "Word: Macro Security Level" setting should be configured correctly.

1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High

CCE-1761-6 CCE-1761

CCE-1302-9 CCE-1302

CCE-1307-8 CCE-1307

The "Word: Trust all installed add-ins and templates" setting should be configured correctly.

0 = Enabled | 1 = Disabled

The "Store random number to improve merge accuracy" setting should be configured correctly.

0 = Enabled | 1 = Disabled

The "Prevent Users from Changing Office Encryption Settings" setting should be configured correctly.

0 = Disabled | 1 = Enabled

CCE Technical Mechanisms

Table 1.3. ActiveX Control Initialization

Microsoft Threats and Countermeasures guide

2007: GPO Settings:Computer Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 System / Security Settings , Registry Keys: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\12.0\Common\VbaOff 2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Disable VBA for Office applications (2) HKLM\Software\Policies\Microsoft\Office\11.0\Common - VbaOff (3) User Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Disable VBA for Office applications (4) HKCU\Software\Policies\Microsoft\Office\11.0\Common - VbaOff

Table 1.124. Disable VBA for Office applications, Table 2.5. Disable VBA for Office applications

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 system / Security /ActiveX Control InitializationSettings , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common\Security\UFIControls 2003: (1) User Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\ActiveX Control Initialization (2) HKCU\Software\Policies\Microsoft\Office\Common\Security - UFIControls

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 / Privacy / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\QMEnable

Table 1.148. Enable Customer Experience Improvement Program

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 / Privacy / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\UpdateReliabilityData

Table 1.23. Automatically receive small updates to improve reliability

Table 1.179. Online content options

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 system / Tools / Options / General / Service Options / Online Content , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\Internet\UseOnlineContent

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Access 2007 / Application Settings / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Access\Security\VBAWarnings

Table 1.234. VBA Macro Warning Settings

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Excel 2007 / Excel Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\VBAWarnings

Table 1.234. VBA Macro Warning Settings

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Excel 2007 / Excel Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\AccessVBOM 2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Excel: Trust access to Visual Basic Project (2) HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security - AccessVBOM (3) User Configuration\Administrative Templates\Microsoft Office Excel 2003\Tools\Macros\Security\Trust access to Visual Basic Project (4) HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security - AccessVBOM

Table 1.225. Trust access to Visual Basic Project

Table 1.72. Configure trusted add-ins

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office PowerPoint 2007 / PowerPoint Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\VBAWarnings

Table 1.234. VBA Macro Warning Settings

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office PowerPoint 2007 / PowerPoint Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\AccessVBOM

Table 1.225. Trust access to Visual Basic Project

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\EnableRememberPwd

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\AddinTrust 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Configure Add-In Trust Level (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - AddinTrust

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\EnableRememberPwd

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\MinEncKey

Table 1.173. Minimum encryption settings

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\SupressNameChecks

Table 1.134. Do not check e-mail address against address of certificates being used

Table 1.220. Signature Warning

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\ClearSign 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Send all signed messages as clear signed messages (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - ClearSign

Table 1.214. Send all signed messages as clear signed messages

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\RequestSecureReceipt

Table 1.198. Request an S/MIME receipt for all S/MIME signed messages

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\PublishToGalDisabled 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Disable 'Publish to GAL' button (2) HKCU\Software\Policies\Microsoft\office\11.0\outlook\Security - PublishToGalDisabled

Table 1.135. Do not display 'Publish to GAL' button

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\WarnAboutInvalid 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Signature Warning (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - WarnAboutInvalid

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\ConvertSMIMEBlobSignedIcons 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Enable cryptography icons (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - ConvertSMIMEBlobSignedIcons

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography / Signature Status Dialog Box , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\UseCRLChasing

Table 1.204. Retrieving CRLs (Certificate Revocation Lists)

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Word 2007 / Word Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\VBAWarnings

Table 1.234. VBA Macro Warning Settings

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Word 2007 / Word Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\AccessVBOM 2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Word: Trust access to Visual Basic Project (2) HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security - AccessVBOM (3) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Macro\Security\Trust access to Visual Basic Project (4) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Security - AccessVBOM

Table 1.225. Trust access to Visual Basic Project

Table 1.230. Underline hyperlinks

Table 1.89. Disable all trusted locations

2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Word 2007 / Word Options / Security , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Options\vpref\fWarnRevisions_1805_1 2003: (1) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Options\Security\Warn before printing or saving or sending a file that contains tracked changes or comments (2) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Options\vpre

GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 / Miscellaneous , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common\OfficeUpdate\BlockUpdates

Table 1.64. Block updates from the Office Update Site from applying

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Web Options\General\Underline hyperlinks (2) Software\Policies\Microsoft\Office\12.0\Access\Internet

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\General\General\Number of documents in the Recent Documents list (0-9) (2) Software\Policies\Microsoft\Office\12.0\Access\Settings

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\Access\Security

Table 1.120. Disable Trust Bar Notification for unsigned application add-ins

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\Access\Security

Table 1.87. Disable all application add-ins

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\Access\Security

Table 1.200. Require that application add-ins are signed by Trusted Publisher

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Disable all trusted locations (2) Software\Policies\Microsoft\Office\12.0\Access\Security\Trusted Locations

Table 1.176. Modal Trust Decision Only

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer (2) Software\Policies\Microsoft\Office\12.0\Access\Security\Trusted Locations

Table 1.11. Allow Trusted Locations not on the computer

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Modal Trust Decision Only (2) Software\Policies\Microsoft\Office\12.0\Access\Security\Trusted Locations

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | E-Mail (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Access Options | Customize | All Commands | Insert Hyperlink (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encrypt with Password (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User and Group Permissions (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permissions | User and Group Accounts (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User-Level Security Wizard... (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encode/Decode Database (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Run Macro (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Convert Macros to Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Create Shortcut Menu from Macro (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes

Table 1.114. Disable shortcut keys

Table 1.114. Disable shortcut keys

Table 1.114. Disable shortcut keys

Table 1.80. Default file format

Table 1.211. Save Excel files as

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Ctrl+K (Office Button | Access Options | Customize | All Commands | Insert Hyperlinks) (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Alt+F11 (Database Tools | Macro | Visual Basic) (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Default file format (Access 2007 | Access 2002-2003) (2) Software\Policies\Microsoft\Office\12.0\Access\Settings

(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Do not prompt to convert older databases (2) Software\Policies\Microsoft\Office\12.0\Access\Settings

Table 1.141. Do not prompt to convert older databases

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Proofing\Autocorrect Options\Internet and network paths as hyperlinks (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

Table 1.164. Internet and network paths as hyperlinks

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Save Excel files as (Excel Workbook (*.xlsx) | Excel Macro-Enabled Workbook (*.xlsm) | Excel Binary Workbook (*.xlsb) | Web Page (*.htm; *.html) | Excel 97-2003 Workbook (*.xls) | Excel 5.0/95 Workbook (*.xls)) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

Table 1.91. Disable AutoRepublish

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Disable AutoRepublish (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\AutoRepublish Warning Alert (Always show the alert before publishing | Never show the alert before publishing) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

Table 1.25. AutoRepublish Warning Alert

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks (2) Software\Policies\Microsoft\Office\12.0\Excel\Security

Table 1.81. Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Force file extension to match file type (Allow different | Allow different, but warn | Always match file type) (2) Software\Policies\Microsoft\Office\12.0\Excel\Security

Table 1.155. Force file extension to match file type

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Store macro in Personal Macro Workbook by default (2) Software\Policies\Microsoft\Office\12.0\Excel\Security

Table 1.221. Store macro in Personal Macro Workbook by default

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\Excel\Security

Table 1.87. Disable all application add-ins

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\Excel\Security

Table 1.200. Require that application add-ins are signed by Trusted Publisher

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\Excel\Security

Table 1.120. Disable Trust Bar Notification for unsigned application add-ins

Table 1.89. Disable all trusted locations

Table 1.159. Ignore other applications

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\Trusted Locations

Table 1.11. Allow Trusted Locations not on the computer

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted Locations\Disable all trusted locations (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\Trusted Locations

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ignore other applications (2) Software\Policies\Microsoft\Office\12.0\Excel\Options\BinaryOptions

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ask to update automatic links (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

Table 1.17. Ask to update automatic links

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Number of documents in the Recent Documents list (0-17) (2) Software\Policies\Microsoft\Office\12.0\Excel\File MRU

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\General\Save any additional data necessary to maintain formulas (2) Software\Policies\Microsoft\Office\12.0\Excel\Internet

Table 1.210. Save any additional data necessary to maintain formulas

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\General\Load pictures from Web pages not created in Excel (2) Software\Policies\Microsoft\Office\12.0\Excel\Internet

Table 1.169. Load pictures from Web pages not created in Excel

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Do not show data extraction options when opening corrupt workbooks (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

Table 1.143. Do not show data extraction options when opening corrupt workbooks

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Assume structured storage format of workbook is intact when recovering data (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Corrupt formula conversion (Convert unrecoverable references to: values | #REF or #NAME) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Connection File Locations (2) Software\Policies\Microsoft\Office\Common\Server Links\Published

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Automatic Query Refresh (Prompt for all workbooks | Do not prompt; do not allow auto refresh | Do not prompt; allow auto refresh) (2) Software\Policies\Microsoft\Office\Common\Server Links\Published

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Save as Web Page (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Web Page Preview (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Sheet (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Workbook (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect and Share Workbook (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Record Macro (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

Table 1.114. Disable shortcut keys

Table 1.114. Disable shortcut keys

Table 1.114. Disable shortcut keys

Table 1.114. Disable shortcut keys

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Document Location (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink) (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F8 (Developer | Code | Macros) (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic) (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Excel 2007 (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

Table 1.34. Block opening of files created by pre-release versions of Excel 2007

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Open XML file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

Table 1.38. Block opening of Open XML file types

Table 1.48. Block opening of Xll file type

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary 12 file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

Table 1.29. Block opening of Binary 12 file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

Table 1.30. Block opening of Binary file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Html and Xmlss files types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

Table 1.35. Block opening of Html and Xmlss files types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Xml file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

Table 1.49. Block opening of Xml file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of DIF and SYLK file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

Table 1.32. Block opening of DIF and SYLK file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Text file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

Table 1.46. Block opening of Text file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Xll file type (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Open Xml file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock

Table 1.57. Block saving of Open Xml file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Binary12 file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock

Table 1.52. Block saving of Binary12 file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Binary file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Html and Xmlss file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock

Table 1.55. Block saving of Html and Xmlss file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving Xml file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving DIF and SYLK file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock

Table 1.50. Block saving DIF and SYLK file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Text file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock

Table 1.60. Block saving of Text file types

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Locally cache network file storages (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Locally cache PivotTable reports (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\OLAP PivotTable User Defined Function (UDF) security setting (Allow ALL UDFs | Allow safe UDFs only | Allow NO UDFs) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Recognize SmartTags (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Tools | Options\General\Number of documents in the Recent Documents list (0 - 9) (2) Software\Policies\Microsoft\Office\12.0\InfoPath

Table 1.178. Offline Mode status

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Tools | Options\Advanced\Offline\Offline Mode status (Disabled | Enabled, InfoPath in Offline Mode | Enabled, InfoPath not in Offline Mode) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Editor\Offline

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Print (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Send to Mail Recipient (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Open from SharePoint Site (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Print Preview (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Page Setup (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Insert | Hyperlinks... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.114. Disable shortcut keys

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Set Language (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Customize... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Options... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Help | Microsoft Office Online (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Office Diagnostics (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Help | Activate Product... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Print Default (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShortcutKeysCheckBoxes

Table 1.114. Disable shortcut keys

Table 1.114. Disable shortcut keys

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys - Print Shortcut (Ctrl+P) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys - Insert Hyperlink Shortcut (Ctrl+K) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior for Windows SharePoint Services gradual upgrade (Allow redirections to any location | Allow redirections to Intranet only | Block all redirections) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Table 1.73. Control behavior for Windows SharePoint Services gradual upgrade

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Disable opening of solutions from the Internet security zone (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Table 1.109. Disable opening of solutions from the Internet security zone

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Disable fully trusted solutions full access to computer (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Table 1.102. Disable fully trusted solutions full access to computer

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Allow the use of ActiveX Custom Controls in InfoPath forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003 SP1 (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Allow file types as attachments to forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Table 1.7. Allow file types as attachments to forms

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Block specific file types as attachments to forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Table 1.62. Block specific file types as attachments to forms

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Prevent users from allowing unsafe file types to be attached to forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Table 1.186. Prevent users from allowing unsafe file types to be attached to forms

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Display a warning that a form is digitally signed (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Internet security zone (Block | Prompt | Allow) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors

Table 1.74. Control behavior when opening forms in the Internet security zone

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Intranet security zone (Block | Prompt | Allow) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors

Table 1.75. Control behavior when opening forms in the Intranet security zone

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Local Machine security zone (Block | Prompt | Allow) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Trusted Site security zone (Block | Prompt | Allow) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors

Table 1.76. Control behavior when opening forms in the Trusted Site security zone

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Beaconing UI for forms opened in InfoPath (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Table 1.26. Beaconing UI for forms opened in InfoPath

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Beaconing UI for forms opened in InfoPath Editor ActiveX (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Table 1.27. Beaconing UI for forms opened in InfoPath Editor ActiveX

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Table 1.87. Disable all application add-ins

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Table 1.200. Require that application add-ins are signed by Trusted Publisher

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Table 1.120. Disable Trust Bar Notification for unsigned application add-ins

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Control behavior when opening InfoPath e-mail forms containing code or script (Run without prompting | Prompt before running | Never run) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Table 1.77. Control behavior when opening InfoPath e-mail forms containing code or script

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable sending form template with e-mail forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Deployment

Table 1.112. Disable sending form template with e-mail forms

Table 1.79. Custom code

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable dynamic caching of the form template in InfoPath e-mail forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Deployment

Table 1.97. Disable dynamic caching of the form template in InfoPath e-mail forms

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable sending InfoPath 2003 Forms as e-mail forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath

Table 1.113. Disable sending InfoPath 2003 Forms as e-mail forms

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms running in restricted security level (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Table 1.101. Disable e-mail forms running in restricted security level

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Internet security zone (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Table 1.99. Disable e-mail forms from the Internet security zone

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Intranet security zone (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Table 1.100. Disable e-mail forms from the Intranet security zone

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Full Trust security zone (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Table 1.98. Disable e-mail forms from the Full Trust security zone

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable InfoPath e-mail forms in Outlook (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

Table 1.106. Disable InfoPath e-mail forms in Outlook

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Restricted Features\Information Rights Management (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Designer\RestrictedFeatures

Table 1.163. Information Rights Management

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Restricted Features\Custom code (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Designer\RestrictedFeatures

Table 1.147. Email Forms Beaconing UI

(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Miscellaneous\Email Forms Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

Table 1.122. Disable user customization of Quick Access Toolbar via UI

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Word (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

Table 1.122. Disable user customization of Quick Access Toolbar via UI

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Excel (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

Table 1.122. Disable user customization of Quick Access Toolbar via UI

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in PowerPoint (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

Table 1.122. Disable user customization of Quick Access Toolbar via UI

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Access (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

Table 1.122. Disable user customization of Quick Access Toolbar via UI

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Outlook (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

Table 1.122. Disable user customization of Quick Access Toolbar via UI

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

Table 1.90. Disable all user customization of Quick Access Toolbar

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Word (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

Table 1.90. Disable all user customization of Quick Access Toolbar

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Excel (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

Table 1.90. Disable all user customization of Quick Access Toolbar

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in PowerPoint (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

Table 1.90. Disable all user customization of Quick Access Toolbar

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Access (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

Table 1.90. Disable all user customization of Quick Access Toolbar

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Outlook (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

Table 1.90. Disable all user customization of Quick Access Toolbar

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

Table 1.121. Disable UI extending from documents and templates

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Word (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

Table 1.121. Disable UI extending from documents and templates

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Excel (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

Table 1.121. Disable UI extending from documents and templates

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in PowerPoint (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

Table 1.121. Disable UI extending from documents and templates

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Access (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

Table 1.121. Disable UI extending from documents and templates

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Outlook (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars

Table 1.121. Disable UI extending from documents and templates

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | AutoCorrect Options... (Excel, Word, PowerPoint and Access)\Recognize smart tags in Excel (2) Software\Policies\Microsoft\Office\12.0\Excel\Options

Table 1.194. Recognize smart tags in Excel

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable Clip Art and Media downloads from the client and from Office Online website (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

Table 1.93. Disable Clip Art and Media downloads from the client and from Office Online website

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable template downloads from the client and from Office Online website (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

Table 1.117. Disable template downloads from the client and from Office Online website

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable access to updates, add-ins, and patches on the Office Online website (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

Table 1.85. Disable access to updates, add-ins, and patches on the Office Online website

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Prevents users from uploading document templates to the Office Online community. (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

Table 1.188. Prevents users from uploading document templates to the Office Online community

Table 1.160. Improve Proofing Tools

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable training practice downloads from the Office Online website (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

Table 1.119. Disable training practice downloads from the Office Online website

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable customer-submitted templates downloads from Office Online (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

Table 1.95. Disable customer-submitted templates downloads from Office Online

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Files\Open Office documents as read/write while browsing (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

Table 1.180. Open Office documents as read/write while browsing

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Browsers\Rely on VML for displaying graphics in browsers (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

Table 1.195. Rely on VML for displaying graphics in browsers

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Browsers\Allow PNG as an output format (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

Table 1.9. Allow PNG as an output format

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | Spelling\Proofing Data Collection\Improve Proofing Tools (2) Software\Policies\Microsoft\Office\12.0\Common\PTWatson

(1) User Configuration\Administrative Templates\Classic Administrative Templates\Microsoft Office 2007\Privacy \Trust Center\Disable Opt-in Wizard on first run (2) HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\QMEnable

Table 1.110. Disable Opt-in Wizard on first run

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Help\Microsoft Office Online (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable Password Caching (2) Software\Policies\Microsoft\Office\12.0\Common\Security

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable all Trust Bar notifications for security issues (2) Software\Policies\Microsoft\Office\12.0\Common\TrustCenter

Table 1.88. Disable all Trust Bar notifications for security issues

Table 1.168. Load Controls in Forms3

Table 1.24. Automation Security

Table 1.103. Disable hyperlink warnings

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Protect document metadata for rights managed Office Open XML Files (2) Software\Policies\Microsoft\Office\12.0\Common\Security

Table 1.191. Protect document metadata for rights managed Office Open XML Files

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Protect document metadata for password protected files. (2) Software\Policies\Microsoft\Office\12.0\Common\Security

Table 1.190. Protect document metadata for password protected files

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Encryption type for password protected Office Open XML files (2) Software\Policies\Microsoft\Office\12.0\Common\Security

Table 1.153. Encryption type for password protected Office Open XML files

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Encryption type for password protected Office 97-2003 files (2) Software\Policies\Microsoft\Office\12.0\Common\Security

Table 1.152. Encryption type for password protected Office 97-2003 files

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Load Controls in Forms3 (1 | 2 | 3 | 4) (2) Software\Policies\Microsoft\VBA\Security

2007: (1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Automation Security (Disable macros by default | Use application macro security level | Macros enabled) (2) Software\Policies\Microsoft\Office\Common\Security 2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Automation Security (2) HKLM\Software\Policies\Microsoft\Office\11.0\Common\Security - AutomationSecurity

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Prevent Word and Excel from loading managed code extensions (2) Software\Policies\Microsoft\Office\Common\Smart Tag

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable hyperlink warnings (2) Software\Policies\Microsoft\Office\12.0\Common\Security

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable password to open UI (2) Software\Policies\Microsoft\Office\12.0\Common\Security

Table 1.111. Disable password to open UI

Table 1.86. Disable All ActiveX

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Download Office Controls (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable All ActiveX (2) Software\Policies\Microsoft\Office\Common\Security

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Trust Center\Allow mix of policy and user locations (2) Software\Policies\Microsoft\Office\12.0\Common\Security\Trusted Locations

Table 1.8. Allow mix of policy and user locations

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Smart Documents (Word, Excel)\Disable Smart Document's use of manifests (2) Software\Policies\Microsoft\Office\Common\Smart Tag

Table 1.116. Disable Smart Document's use of manifests

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Smart Documents (Word, Excel)\Completely disable the Smart Documents feature in Word and Excel (2) Software\Policies\Microsoft\Office\Common\Smart Tag

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Services\Fax\Disable Internet Fax feature (2) Software\Policies\Microsoft\Office\12.0\Common\Services\Fax

Table 1.107. Disable Internet Fax feature

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Prevent users from changing permissions on rights managed content (2) Software\Policies\Microsoft\Office\12.0\Common\DRM

Table 1.187. Prevent users from changing permissions on rights managed content

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Allow users with earlier versions of Office to read with browsers... (2) Software\Policies\Microsoft\Office\12.0\Common\DRM

Table 1.13. Allow users with earlier versions of Office to read with browsers…

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Always require users to connect to verify permission (2) Software\Policies\Microsoft\Office\12.0\Common\DRM

Table 1.15. Always require users to connect to verify permission

Table 1.166. Key Usage Filtering

Table 1.146. EKU filtering

Table 1.167. Legacy format signatures

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Always expand groups in Office when restricting permission for documents (2) Software\Policies\Microsoft\Office\12.0\Common\DRM\AutoExpandDls

Table 1.14. Always expand groups in Office when restricting permission for documents

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Never allow users to specify groups when restricting permission for documents (2) Software\Policies\Microsoft\Office\12.0\Common\DRM

Table 1.177. Never allow users to specify groups when restricting permission for documents

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Disable Microsoft Passport service for content with restricted permission (2) Software\Policies\Microsoft\Office\12.0\Common\DRM

Table 1.108. Disable Microsoft Passport service for content with restricted permission

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Do not allow users to upgrade Information Rights Management configuration (2) Software\Policies\Microsoft\Office\12.0\Common\DRM

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Key Usage Filtering (2) Software\Policies\Microsoft\Office\12.0\Common\General

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\EKU filtering (2) Software\Policies\Microsoft\Office\12.0\Common\Signatures

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Legacy format signatures (2) Software\Policies\Microsoft\Office\12.0\Common\Signatures

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Suppress Office Signing Providers (Enable Western and East Asian | Suppress default Western | Suppress default East Asian | Suppress both Western and East Asian) (2) Software\Policies\Microsoft\Office\12.0\Common\Signatures

Table 1.223. Suppress Office Signing Providers

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Suppress external signature services menu item (2) Software\Policies\Microsoft\Office\12.0\Common\Signatures

Table 1.222. Suppress external signature services menu item

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Office Diagnostics\Disable Check For Solutions (2) Software\Policies\Microsoft\Office\Common\OffDiag

Table 1.92. Disable Check For Solutions

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Microsoft Save As PDF and XPS add-ins\Disable inclusion of document properties in PDF and XPS output (2) Software\Policies\Microsoft\Office\12.0\Common\FixedFormat

Table 1.105. Disable inclusion of document properties in PDF and XPS output

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Document Information Panel\Disable Document Information Panel (2) Software\Policies\Microsoft\Office\12.0\Common\DocumentInformationPanel

Table 1.96. Disable Document Information Panel

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Document Information Panel\Document Information Panel Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone) (2) Software\Policies\Microsoft\Office\12.0\Common\DocumentInformationPanel

Table 1.144. Document Information Panel Beaconing UI

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Server Settings\Disable the Office client from polling the Office server for published links (2) Software\Policies\Microsoft\Office\12.0\Common\Portal

Table 1.118. Disable the Office client from polling the Office server for published links

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to Word 2007 through the Compatibility Pack for the 2007 Office system and Word 2007 Open XML/Word 97-2003 Format Converter (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

Table 1.44. Block opening of pre-release versions of file formats new to Word 2007 through the Compatibility Pack for the 2007 Office system and Word 2007 Open XML/Word 97-2003 Format Converter

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to Excel 2007 through the Compatibility Pack for the 2007 Office system and Excel 2007 Converter (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock

Table 1.40. Block opening of pre-release versions of file formats new to Excel 2007 through the Compatibility Pack for the 2007 Office system and Excel 2007 Converter

Table 1.78. Control blogging

Table 1.192. Read e-mail as plain text

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to PowerPoint 2007 through the Compatibility Pack for the 2007 Office system and PowerPoint 2007 Converter (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock

Table 1.42. Block opening of pre-release versions of file formats new to PowerPoint 2007 through the Compatibility Pack for the 2007 Office system and PowerPoint 2007 Converter

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Control Blogging (Enabled | Only SharePoint blogs allowed | All blogging disabled) (2) Software\Policies\Microsoft\Office\12.0\Common\Blog

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Enable Smart Resume (2) Software\Policies\Microsoft\Office\12.0\Common\Restore Workspace

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Do not upload media files (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Disable hyperlinks to web templates in File | New and task panes (2) Software\Policies\Microsoft\Office\12.0\Common\Internet

Table 1.104. Disable hyperlinks to web templates from the client and from Office Online website

(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Prevent access to Web-based file storage (2) Software\Policies\Microsoft\Office\12.0\Common\WebServices

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Do not allow attachment previewing in Outlook (2) Software\Policies\Microsoft\Office\12.0\Outlook\Preferences

Table 1.128. Do not allow attachment previewing in Outlook

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Read e-mail as plain text (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Read signed e-mail as plain text (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

Table 1.193. Read signed e-mail as plain text

Table 1.203. Restrict upload method

Table 1.158. Hide Junk Mail UI

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Prevent publishing to Office Online (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal

Table 1.185. Prevent publishing to Office Online

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Prevent publishing to a DAV server (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal

Table 1.184. Prevent publishing to a DAV server

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Restrict level of calendar details users can publish (All options are available | Disables 'Full details' | Disables 'Full details' and 'Limited details') (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal

Table 1.202. Restrict level of calendar details users can publish

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Access to published calendars (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal

Table 1.1. Access to published calendars

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Restrict upload method (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Hide Junk Mail UI (2) Software\Policies\Microsoft\Office\12.0\Outlook

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Junk E-mail protection level (No Protection, Low, High, Trusted Lists Only) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

Table 1.165. Junk E-mail protection level

Table 1.226. Trust E-mail from Contacts

Table 1.4. Add e-mail recipients to users

Table 1.84. Dial-up options

Table 1.84. Dial-up options

Table 1.84. Dial-up options

Table 1.84. Dial-up options

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Trust E-mail from Contacts (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Add e-mail recipients to users' Safe Senders Lists (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Warn before switching dial-up connection (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Hang up when finished sending, receiving, or updating (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Automatically dial during a background Send/Receive (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Do not allow creating, replying, or forwarding signatures for e-mail messages (2) Software\Policies\Microsoft\Office\12.0\Common\MailSettings

Table 1.129. Do not allow creating, replying, or forwarding signatures for e-mail messages

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Send copy of pictures with HTML messages instead of reference to Internet location (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

Table 1.181. Outlook Rich Text options

Table 1.183. Plain text options

Table 1.183. Plain text options

Table 1.217. Set message format

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Outlook Rich Text options (Convert to HTML | Convert to Plain Text format | Send Using Outlook Rich Text format) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Plain text options (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Plain text options - Encode attachments in UUENCODE format when sending a plain text message (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Message Format\Set message format (HTML | Rich Text | Plain Text) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Make Outlook the default program for E-mail, Contacts, and Calendar (2) software\policies\microsoft\office\12.0\outlook\options\general

Table 1.171. Make Outlook the default program for E-mail, Contacts, and Calendar

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow folders in non-default stores to be set as folder home pages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.130. Do not allow folders in non-default stores to be set as folder home pages

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Use Unicode format when dragging e-mail message to file system (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\General

Table 1.233. Use Unicode format when dragging e-mail message to file system

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow Outlook object model scripts to run for shared folders (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.132. Do not allow Outlook object model scripts to run for shared folders

Table 1.182. Outlook Security Mode

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow Outlook object model scripts to run for public folders (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.131. Do not allow Outlook object model scripts to run for public folders

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Set maximum level of online status on a person name (Do not allow | Allow everywhere except To and CC field | Allow everywhere) (2) Software\Policies\Microsoft\Office\12.0\Outlook\IM

Table 1.216. Set maximum level of online status on a person name

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Display online status on a person name (Never | Everywhere except To and CC field | Everywhere) (2) Software\Policies\Microsoft\Office\12.0\Outlook\IM

Table 1.126. Display online status on a person name

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Turn off Enable the Person Names Smart Tag option (2) Software\Policies\Microsoft\Office\12.0\Outlook\IM

Table 1.227. Turn off Enable the Person Names Smart Tag option

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Outlook Security Mode (Outlook Default Security | Use Security Form from 'Outlook Security Settings' Public Folder | Use Security Form from 'Outlook 10 Security Settings' Public Folder | Use Outlook Security Group Policy) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Display Level 1 attachments (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.125. Display Level 1 attachments

Table 1.5. Add file extensions to block as

Table 1.6. Add file extensions to block as

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Allow users to demote attachments to Level 2 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.12. Allow users to demote attachments to Level 2

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Do not prompt about Level 1 attachments when sending an item (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.140. Do not prompt about Level 1 attachments when sending an item

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Do not prompt about Level 1 attachments when closing an item (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.139. Do not prompt about Level 1 attachments when closing an item

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Allow in-place activation of embedded OLE objects (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Display OLE package objects (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Add file extensions to block as Level 1 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Remove file extensions blocked as Level 1 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.196. Remove file extensions blocked as Level 1

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Add file extensions to block as Level 2 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Remove file extensions blocked as Level 2 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.197. Remove file extensions blocked as Level 2

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Allow scripts in one-off Outlook forms (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.10. Allow scripts in one-off Outlook forms

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Set Outlook object model Custom Actions execution prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.218. Set Outlook object model Custom Actions execution prompt

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Set control ItemProperty prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.215. Set control ItemProperty prompt

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when sending mail (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.71. Configure Outlook object model prompt when sending mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when accessing an address book (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.65. Configure Outlook object model prompt when accessing an address book

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when reading address information (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.69. Configure Outlook object model prompt when reading address information

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when responding to meeting and task requests (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.70. Configure Outlook object model prompt when responding to meeting and task requests

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when executing Save As (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.68. Configure Outlook object model prompt when executing Save As

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.67. Configure Outlook object model prompt When accessing the Formula property of a UserProperty object

Table 1.208. S/MIME password settings

Table 1.208. S/MIME password settings

Table 1.208. S/MIME password settings

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when accessing address information via UserProperties.Find (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.66. Configure Outlook object model prompt when accessing address information via UserProperties.Find

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Required Certificate Authority (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.201. Required Certificate Authority

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME interoperability with external clients: (Handle internally | Handle externally | Handle if possible) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.207. S/MIME interoperability with external clients:

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Always use Rich Text formatting in S/MIME messages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings (2) Software\Policies\Microsoft\Cryptography\Defaults\Provider\Microsoft Exchange Cryptographic Provider v1.0

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings - Default S/MIME password time (minutes): (0 - 2147483647) (2) Software\Policies\Microsoft\Cryptography\Defaults\Provider\Microsoft Exchange Cryptographic Provider v1.0

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings - Maximum S/MIME password time (minutes): (0 - 2147483647) (2) Software\Policies\Microsoft\Cryptography\Defaults\Provider\Microsoft Exchange Cryptographic Provider v1.0

Table 1.172. Message Formats

Table 1.172. Message Formats

Table 1.219. Sign all e-mail messages

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Message Formats (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Message Formats - Support the following message formats: (S/MIME | Exchange | Fortezza | S/MIME and Exchange | S/MIME and Fortezza | Exchange and Fortezza | S/MIME, Exchange, and Fortezza) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

2007: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not provide Continue option on Encryption warning dialog boxes (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Disable Continue button on all Encryption warning dialogs (2) HKCU\Software\Policies\Microsoft\office\11.0\outlook\Security - DisableContinue

Table 1.142. Do not provide Continue option on Encryption warning dialog boxes

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Run in FIPS compliant mode (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.205. Run in FIPS compliant mode

2007: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Encrypt all e-mail messages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Encrypt all e-mail messages (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - AlwaysEncrypt

Table 1.151. Encrypt all e-mail messages

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Sign all e-mail messages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.209. S/MIME receipt requests

Table 1.174. Missing CRLs

Table 1.174. Missing CRLs

Table 1.175. Missing root certificates

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\URL for S/MIME certificates (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.232. URL for S/MIME certificates

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Ensure all S/MIME signed messages have a label (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.154. Ensure all S/MIME signed messages have a label

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME receipt requests (Open message if receipt can't be sent | Don't open message if receipt can't be sent | Always prompt before sending receipt | Never send S/MIME ) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Fortezza certificate policies (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.156. Fortezza certificate policies

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Require SuiteB algorithms for S/MIME operations (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.199. Require SuiteB algorithms for S/MIME operations

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing CRLs (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing CRLs - Indicate a missing CRL as a(n): (warning | error) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing root certificates (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.175. Missing root certificates

Table 1.63. Block Trusted Zones

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing root certificates - Indicate a missing root certificate as a(n): (neither error nor warning | warning | error) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Promote Level 2 errors as errors, not warnings (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.189. Promote Level 2 errors as errors, not warnings

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Attachment Secure Temporary Folder (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.18. Attachment Secure Temporary Folder

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Display pictures and external content in HTML e-mail (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

Table 1.127. Display pictures and external content in HTML e-mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

Table 1.22. Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Do not permit download of content from safe zones (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

Table 1.138. Do not permit download of content from safe zones

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Block Trusted Zones (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Include Internet in Safe Zones for Automatic Picture Download (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

Table 1.161. Include Internet in Safe Zones for Automatic Picture Download

Table 1.213. Security setting for macros

Table 1.150. Enable RPC encryption

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Include Intranet in Safe Zones for Automatic Picture Download (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

Table 1.162. Include Intranet in Safe Zones for Automatic Picture Download

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Security setting for macros (Always warn | Never warn, disable all | Warn for signed, disable unsigned | No security check) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Enable links in e-mail messages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

Table 1.149. Enable links in e-mail messages

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Apply macro security settings to macros, add-ins, and SmartTags (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.16. Apply macro security settings to macros, add-ins, and SmartTags

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Automatically configure profile based on Active Directory Primary SMTP address (2) Software\Policies\Microsoft\Office\12.0\Outlook\AutoDiscover

Table 1.20. Automatically configure profile based on Active Directory Primary SMTP address

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Do not allow users to change permissions on folders (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Folders

Table 1.133. Do not allow users to change permissions on folders

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Enable RPC encryption (2) Software\Policies\Microsoft\Office\12.0\Outlook\RPC

Table 1.228. Turn off RSS feature

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Authentication with Exchange Server (Kerberos/NTLM Password Authentication | Kerberos Password Authentication | NTLM Password Authentication) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security

Table 1.19. Authentication with Exchange Server

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Synchronize Outlook RSS Feeds with Common Feed List (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS

Table 1.224. Synchronize Outlook RSS Feeds with Common Feed List

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Turn off RSS feature (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Automatically download enclosures (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Download full text of articles as HTML attachments (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS

Table 1.145. Download full text of articles as HTML attachments

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Internet Calendars\Automatically download attachments (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\WebCal

Table 1.21. Automatically download attachments

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Internet Calendars\Do not include Internet Calendar integration in Outlook (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\WebCal

Table 1.137. Do not include Internet Calendar integration in Outlook

Table 1.212. Save files in this format

Table 1.206. Run Programs

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Meeting Workspace\Disable user entries to server list (Publish default, allow others | Publish default, disallow others) (2) Software\Policies\Microsoft\Office\12.0\Meetings\Profile

Table 1.123. Disable user entries to server list

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Miscellaneous\Do not expand distribution lists (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail

Table 1.136. Do not expand distribution lists

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Save\Save files in this format (PowerPoint Presentation (*.pptx) | PowerPoint Macro-Enabled Presentation (*.pptm) | PowerPoint 97-2003 Presentation (*.ppt)) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Options

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Advanced\Number of documents in the Recent Documents list (0 - 50) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\File MRU

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

Table 1.82. Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Run Programs (disable (don't run any programs) | enable (prompt user before running) | enable all (run without prompting)) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Make hidden markup visible (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

Table 1.170. Make hidden markup visible

Table 1.89. Disable all trusted locations

Table 1.94. Disable commands

Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Unblock automatic download of linked images (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

Table 1.229. Unblock automatic download of linked images

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

Table 1.87. Disable all application add-ins

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

Table 1.200. Require that application add-ins are signed by Trusted Publisher

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security

Table 1.120. Disable Trust Bar Notification for unsigned application add-ins

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Trusted Locations

Table 1.11. Allow Trusted Locations not on the computer

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trusted Locations\Disable all trusted locations (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Trusted Locations

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Web Page Preview (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Review | Proofing | Language (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Document Location (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes

Table 1.39. Block opening of Outlines

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes

Table 1.94. Disable commands, Table 1.114. Disable shortcut keys

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Ctrl+K (Insert | Links | Hyperlink) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes

Table 1.94. Disable commands, Table 1.114. Disable shortcut keys

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Alt+F8 (Developer | Code | Macros) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes

Table 1.94. Disable commands, Table 1.114. Disable shortcut keys

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Alt+F11 (Developer | Code | Visual Basic) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes

Table 1.94. Disable commands, Table 1.114. Disable shortcut keys

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to PowerPoint 2007 (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock

Table 1.41. Block opening of pre-release versions of file formats new to PowerPoint 2007

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Open Xml files types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock

Table 1.38. Block opening of Open XML file types

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Binary file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock

Table 1.30. Block opening of Binary file types

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Html file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock

Table 1.36. Block opening of HTML file types

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Outlines (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock

Table 1.58. Block saving of Outlines

Table 1.115. Disable Slide Update

Table 1.157. Hidden text

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Converters (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock

Table 1.31. Block opening of Converters

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Open Xml file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock

Table 1.57. Block saving of Open Xml file types

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Binary file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock

Table 1.51. Block saving of Binary file types

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Html file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock

Table 1.56. Block saving of HTML file types

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Outlines (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of GraphicFilters (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock

Table 1.54. Block saving of GraphicFilters

(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Miscellaneous\Disable Slide Update (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\slide libraries

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Display\Hidden text (2) Software\Policies\Microsoft\Office\12.0\Word\Options\vpref

Table 1.212. Save files in this format

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Save\Save files in this format (Word document (*.docx) | Single Files Web Page (*.mht) | Web Page (*.htm; *.html) | Web Page, Filtered (*.htm, *.html) | Rich Text Format (*.rtf) | Plain Text (*.txt) | Word 6.0/95 (*.doc) | Word 6.0/95 - Chinese (Simplified) (*.doc) | Word 6.0/95 - Chinese (Traditional) (*.doc) | Word 6.0/95 - Japanese (*.doc) | Word 6.0/95 - Korean (*.doc) | Word 97-2002 & 6.0/95 - RTF | Word 5.1 for Macintosh (*.mcw) | Word 5.0 for Macintosh (*.mcw) | Word 2.x for Windows (*.doc) | Works 4.0 for Windows (*.wps) | WordPerfect 5.x for Windows (*.doc) | WordPerfect 5.1 for DOS (*.doc) | Word 2007 Macro Enabled Document (*.docm) | Word 2007 Macro Free Template (*.dotx) | Word 2007 Macro Enabled Template (*.dotm) | Word 97 - 2003 Document (*.doc) | Word 97 - 2003 Template (*.dot) | Flat XML Document (*.xml)) (2) Software\Policies\Microsoft\Office\12.0\Word\Options

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\Number of documents in the Recent Documents list (0-50) (2) Software\Policies\Microsoft\Office\12.0\Word\File MRU

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\Update automatic links at Open (2) Software\Policies\Microsoft\Office\12.0\Word\Options

Table 1.231. Update automatic links at Open

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\E-mail Options\Save smart tags in e-mail (2) Software\Policies\Microsoft\Office\12.0\Word\Options\vpref

Table 1.89. Disable all trusted locations

Table 1.94. Disable commands

Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents (2) Software\Policies\Microsoft\Office\12.0\Word\Security

Table 1.83. Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\Word\Security

Table 1.87. Disable all application add-ins

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\Word\Security

Table 1.200. Require that application add-ins are signed by Trusted Publisher

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\Word\Security

Table 1.120. Disable Trust Bar Notification for unsigned application add-ins

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer (2) Software\Policies\Microsoft\Office\12.0\Word\Security\Trusted Locations

Table 1.11. Allow Trusted Locations not on the computer

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trusted Locations\Disable all trusted locations (2) Software\Policies\Microsoft\Office\12.0\Word\Security\Trusted Locations

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Word Options | Customize | All Commands | Save As Web Page (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.94. Disable commands

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Word Options | Customize | All Commands | Web Page Preview (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Review | Protect | Protect Document (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Record Macro (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

Table 1.94. Disable commands

Table 1.94. Disable commands

Table 1.114. Disable shortcut keys

Table 1.114. Disable shortcut keys

Table 1.114. Disable shortcut keys

Table 1.114. Disable shortcut keys

Table 1.114. Disable shortcut keys

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Templates | Document Template (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+F (Home | Editing | Find) (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink) (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F8 (Developer | Code | Macros) (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic) (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Word 2007 (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

Table 1.43. Block opening of pre-release versions of file formats new to Word 2007

Table 1.28. Block open Converters

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Open XML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

Table 1.38. Block opening of Open XML file types

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Binary file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

Table 1.30. Block opening of Binary file types

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of HTML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

Table 1.36. Block opening of HTML file types

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Word 2003 XML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

Table 1.47. Block opening of Word 2003 XML file types

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of RTF file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

Table 1.45. Block opening of RTF file types

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block open Converters (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Text file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

Table 1.46. Block opening of Text file types

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Internal file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

Table 1.37. Block opening of Internal file types

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of files before version (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock

Table 1.33. Block opening of files before version

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Open XML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock

Table 1.57. Block saving of Open Xml file types

Table 1.53. Block saving of Converters

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Binary file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock

Table 1.51. Block saving of Binary file types

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of HTML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock

Table 1.56. Block saving of HTML file types

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Word 2003 XML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock

Table 1.61. Block saving of Word 2003 XML file types

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of RTF file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock

Table 1.59. Block saving of RTF file types

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Converters (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock

(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Text file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock

Table 1.60. Block saving of Text file types

(1) Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\InfoPath APTCA Assembly Whitelist (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security\APTCA

Table 2.6. InfoPath APTCA Assembly allowable list

(1) Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\Windows Internet Explorer Feature Control Opt-In (None | InfoPath.exe, Document Information Panel and Workflow forms | InfoPath.exe, Document Information Panel, Workflow forms and 3rd Party Hosting) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Table 2.3. Disable Package Repair

(1) Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\InfoPath APTCA Assembly Whitelist Enforcement (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security

Table 2.7. InfoPath APTCA Assembly Allowable List Enforcement

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\Disable Package Repair (2) Software\Policies\Microsoft\Office\12.0\Common\OpenXMLFormat

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

Table 2.4. Disable user name and password

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

Table 2.4. Disable user name and password

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

Table 2.4. Disable user name and password

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

Table 2.4. Disable user name and password

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

Table 2.4. Disable user name and password

Table 2.1. Bind to object

Table 2.1. Bind to object

Table 2.1. Bind to object

Table 2.1. Bind to object

Table 2.1. Bind to object

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

Table 2.4. Disable user name and password

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

Table 2.4. Disable user name and password

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE

Table 2.4. Disable user name and password

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT

Table 2.1. Bind to object

Table 2.1. Bind to object

Table 2.1. Bind to object

Table 2.9. Saved from URL

Table 2.9. Saved from URL

Table 2.9. Saved from URL

Table 2.9. Saved from URL

Table 2.9. Saved from URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

Table 2.9. Saved from URL

Table 2.9. Saved from URL

Table 2.9. Saved from URL

Table 2.8. Navigate URL

Table 2.8. Navigate URL

Table 2.8. Navigate URL

Table 2.8. Navigate URL

Table 2.8. Navigate URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL

Table 2.8. Navigate URL

Table 2.8. Navigate URL

Table 2.8. Navigate URL

Table 2.2. Block popups

Table 2.2. Block popups

Table 2.2. Block popups

Table 2.2. Block popups

Table 2.2. Block popups

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT

Table 2.2. Block popups

Table 2.2. Block popups

Table 2.2. Block popups

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT

(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Prevent users from customizing attachment security settings (2) HKCU\Software\Policies\Microsoft\Office\12.0\Outlook - DisallowAttachmentCustomization

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Access: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\Access\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office Access 2003\Tools\Macros\Security\Security level (4) HKCU\Software\Policies\Microsoft\Office\11.0\Access\Security - Level

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Access: Trust all installed add – ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\Access\Security - DontTrustInstalledFiles (3) User Configuration\Administrative Templates\Microsoft Office Access 2003\Tools\Macros\Security\Trust all installed add-ins and templates (4) HKCU\Software\Policies\Microsoft\Office\11.0\Access\Security - DontTrustInstalledFiles

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Excel: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office Excel 2003\Tools\Macros\Security\Security level (4) HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security - Level

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Excel: Trust all installed add – ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security - DontTrustInstalledFiles (3) User Configuration\Administrative Templates\Microsoft Office Excel 2003\Tools\Macros\Security\Trust all installed add-ins and templates (4) HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security - DontTrustInstalledFiles

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Outlook: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\Outlook\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Macros\Security\Security Level (4) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook - Security\Level

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Macros\Security\Outlook: Trust all installed add-ins and templates (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - DontTrustInstalledFiles

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Outlook virus security settings (2) HKCU\Software\Policies\Microsoft\Security - CheckAdminSettings

(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\S/MIME receipt requests (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - RespondToReceiptRequests

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\PowerPoint: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\PowerPoint\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2003\Tools\Macro\Security\Security Level (4) HKCU\Software\Policies\Microsoft\Office\11.0\PowerPoint - Security\Level

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\PowerPoint: Trust all installed add – ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\PowerPoint\Security - DontTrustInstalledFiles (3) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2003\Tools\Macro\Security\Trust all installed add – ins and templates (4) HKCU\Software\Policies\Microsoft\Office\11.0\PowerPoint\Security - DontTrustInstalledFiles

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Publisher: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\Publisher\Security - Level

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Publisher: Trust all installed add–ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\Publisher\Security - DontTrustInstalledFiles

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Word: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Macro\Security\Security Level (4) HKCU\Software\Policies\Microsoft\Office\11.0\Word - Security\Level

(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Word: Trust all installed add–ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security - DontTrustInstalledFiles (3) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Macro\Security\Trust all installed add – ins and templates (4) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Security - DontTrustInstalledFiles

(1) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Options\Security\Store random number to improve merge accuracy (2) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Options\vpref - fDontSaveRSID_1804_1

(1) User Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Prevent Users from Changing Office Encryption Settings (2) HKCU\Software\Policies\Microsoft\Office\11.0\Common\Security - DisableCustomEncryption

oval:org.mitre.oval:def:771

oval:org.mitre.oval:def:814

oval:org.mitre.oval:def:829

oval:org.mitre.oval:def:1473

Microsoft Office 2007 Recommendations (Security Settings for Office 2007 Applications.xlsx)

NIST SCAP Microsoft Office 2007 OVAL (SCAP-Office2007-OVAL-Beta-v1.xml)

NIST SCAP Microsoft Office 2007 XCCDF (SCAP-Office2007-XCCDF-Beta-v1.xml)

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable VBA for Office applications, Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\Disable VBA for Office applications

DisableVBAForOfficeApplications

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\ActiveX Control Initialization (1 | 2 | 3 | 4 | 5 | 6)

ActiveXControlInitialization

User Configuration\Administrative Templates\Microsoft Office 2007 system\Privacy\Trust Center\Enable Customer Experience Improvement Program

EnableCustomerExperienceImprovementProgram

User Configuration\Administrative Templates\Microsoft Office 2007 system\Privacy\Trust Center\Automatically receive small updates to improve reliability

AutomaticallyReceiveSmallUpdatesToImproveReliability

oval:org.mitre.oval:def:1302 OnlineContentOptions

oval:org.mitre.oval:def:1403

oval:org.mitre.oval:def:649

oval:org.mitre.oval:def:1560

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Service Options...\Online Content\Online content options (Never show online content or entry points | Search only offline content whenever available | Search online content whenever available)

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No Security checks for macros (Not recommended, code in all documents can run))

VBAMacroWarningSettings-Access

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No Security checks for macros (Not recommended, code in all documents can run))

VBAMacroWarningSettings-Excel

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trust access to Visual Basic Project

TrustAccessToVisualBasicProject-Excel

oval:org.mitre.oval:def:654

oval:org.mitre.oval:def:665

oval:org.mitre.oval:def:1298

oval:org.mitre.oval:def:1390

oval:org.mitre.oval:def:1232

oval:org.mitre.oval:def:661

oval:org.mitre.oval:def:1399

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No Security checks for macros (Not recommended, code in all documents can run))

VBAMacroWarningSettings-PowerPoint

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trust access to Visual Basic Project

TrustAccessToVisualBasicProject-PowerPoint

DisableRememberPassword

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Trusted Add-ins\Configure trusted add-ins

ConfigureAddInTrustLevel

DisableRememberPasswordForInternetEmailAccounts

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Minimum encryption settings

MinimumEncryptionSettings

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not check e-mail address against address of certificates being used

DoNotCheckEmailAddressAgainstAddressOfCertificatesBeingUsed

oval:org.mitre.oval:def:1388

oval:org.mitre.oval:def:705

oval:org.mitre.oval:def:741

oval:org.mitre.oval:def:756 SignatureWarning

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Send all signed messages as clear signed messages

SendAllSignedMessagesAsClearSignedMessages

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Request an S/MIME receipt for all S/MIME signed messages

RequestAnSMIMEReceiptForAllSMIMESignedMessages

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not display 'Publish to GAL' button

DoNotDisplayPublishToGALButton

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Warning (Let user decide if they want to be warned | Always warn about invalid signatures | Never warn about invalid signatures)

oval:org.mitre.oval:def:1716 EnableCryptographyIcons

oval:org.mitre.oval:def:1700 RetrievingCRLs

oval:org.mitre.oval:def:1350

oval:org.mitre.oval:def:1713

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Enable Cryptography Icons

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Retrieving CRLs (Certificate Revocation Lists) (Use system Default | When online always retreive the CRL | Never retreive the CRL)

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No )

VBMacroWarningSettings-Word

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trust access to Visual Basic Project

TrustAccessToVisualBasicProject-Word

oval:org.mitre.oval:def:788

oval:org.mitre.oval:def:1755

WarnBeforePrintingSavingOrSendingAFileThatContainsTrackedChangesOrComments

User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Block updates from the Office Update Site from applying

BlockUpdatesFromTheOfficeUpdateSiteFromApplying

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Web Options\General\Underline hyperlinks

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\General\General\Number of documents in the Recent Documents list (0-9)

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable all application add-ins

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Disable all trusted locations

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer

User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Modal Trust Decision Only

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | E-Mail

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Access Options | Customize | All Commands | Insert Hyperlink

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encrypt with Password

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User and Group Permissions

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permissions | User and Group Accounts

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User-Level Security Wizard...

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encode/Decode Database

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Visual Basic

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Run Macro

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Convert Macros to Visual Basic

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Create Shortcut Menu from Macro

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable shortcut keys

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Ctrl+K (Office Button | Access Options | Customize | All Commands | Insert Hyperlinks)

User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Alt+F11 (Database Tools | Macro | Visual Basic)

User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Default file format (Access 2007 | Access 2002-2003)

User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Do not prompt to convert older databases

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Proofing\Autocorrect Options\Internet and network paths as hyperlinks

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Save Excel files as (Excel Workbook (*.xlsx) | Excel Macro-Enabled Workbook (*.xlsm) | Excel Binary Workbook (*.xlsb) | Web Page (*.htm; *.html) | Excel 97-2003 Workbook (*.xls) | Excel 5.0/95 Workbook (*.xls))

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Disable AutoRepublish

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\AutoRepublish Warning Alert (Always show the alert before publishing | Never show the alert before publishing)

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Force file extension to match file type (Allow different | Allow different, but warn | Always match file type)

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Store macro in Personal Macro Workbook by default

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable all application add-ins

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted Locations\Disable all trusted locations

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ignore other applications

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ask to update automatic links

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Number of documents in the Recent Documents list (0-17)

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\General\Save any additional data necessary to maintain formulas

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\General\Load pictures from Web pages not created in Excel

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Do not show data extraction options when opening corrupt workbooks

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Assume structured storage format of workbook is intact when recovering data

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Corrupt formula conversion (Convert unrecoverable references to: values | #REF or #NAME)

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Connection File Locations

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Automatic Query Refresh (Prompt for all workbooks | Do not prompt; do not allow auto refresh | Do not prompt; allow auto refresh)

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Save as Web Page

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Web Page Preview

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Sheet

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Workbook

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect and Share Workbook

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Record Macro

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Document Location

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink)

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F8 (Developer | Code | Macros)

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic)

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Excel 2007

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Open XML file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary 12 file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Html and Xmlss files types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Xml file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of DIF and SYLK file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Text file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Xll file type

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Open Xml file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Binary12 file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Binary file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Html and Xmlss file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving Xml file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving DIF and SYLK file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Text file types

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Locally cache network file storages

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Locally cache PivotTable reports

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\OLAP PivotTable User Defined Function (UDF) security setting (Allow ALL UDFs | Allow safe UDFs only | Allow NO UDFs)

User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Recognize SmartTags

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Tools | Options\General\Number of documents in the Recent Documents list (0 - 9)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Tools | Options\Advanced\Offline\Offline Mode status (Disabled | Enabled, InfoPath in Offline Mode | Enabled, InfoPath not in Offline Mode)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Print

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Send to Mail Recipient

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Open from SharePoint Site

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Print Preview

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Page Setup

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Insert | Hyperlinks...

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Set Language

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Customize...

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Options...

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Help | Microsoft Office Online

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Office Diagnostics

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Help | Activate Product...

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Print Default

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys - Print Shortcut (Ctrl+P)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys - Insert Hyperlink Shortcut (Ctrl+K)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior for Windows SharePoint Services gradual upgrade (Allow redirections to any location | Allow redirections to Intranet only | Block all redirections)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Disable opening of solutions from the Internet security zone

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Disable fully trusted solutions full access to computer

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Allow the use of ActiveX Custom Controls in InfoPath forms

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003 SP1

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Allow file types as attachments to forms

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Block specific file types as attachments to forms

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Prevent users from allowing unsafe file types to be attached to forms

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Display a warning that a form is digitally signed

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Internet security zone (Block | Prompt | Allow)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Intranet security zone (Block | Prompt | Allow)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Local Machine security zone (Block | Prompt | Allow)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Trusted Site security zone (Block | Prompt | Allow)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Beaconing UI for forms opened in InfoPath (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Beaconing UI for forms opened in InfoPath Editor ActiveX (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Disable all application add-ins

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Control behavior when opening InfoPath e-mail forms containing code or script (Run without prompting | Prompt before running | Never run)

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable sending form template with e-mail forms

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable dynamic caching of the form template in InfoPath e-mail forms

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable sending InfoPath 2003 Forms as e-mail forms

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms running in restricted security level

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Internet security zone

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Intranet security zone

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Full Trust security zone

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable InfoPath e-mail forms in Outlook

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Restricted Features\Information Rights Management

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Restricted Features\Custom code

User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Miscellaneous\Email Forms Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone)

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Word

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Excel

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in PowerPoint

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Access

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Outlook

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Word

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Excel

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in PowerPoint

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Access

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Outlook

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Word

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Excel

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in PowerPoint

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Access

User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Outlook

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | AutoCorrect Options... (Excel, Word, PowerPoint and Access)\Recognize smart tags in Excel

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable Clip Art and Media downloads from the client and from Office Online website

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable template downloads from the client and from Office Online website

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable access to updates, add-ins, and patches on the Office Online website

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Prevents users from uploading document templates to the Office Online community.

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable training practice downloads from the Office Online website

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable customer-submitted templates downloads from Office Online

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Files\Open Office documents as read/write while browsing

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Browsers\Rely on VML for displaying graphics in browsers

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Browsers\Allow PNG as an output format

User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | Spelling\Proofing Data Collection\Improve Proofing Tools

User Configuration\Administrative Templates\Microsoft Office 2007 system\Privacy\Trust Center\Disable Opt-in Wizard on first run

User Configuration\Administrative Templates\Microsoft Office 2007 system\Help\Microsoft Office Online

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable Password Caching

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable all Trust Bar notifications for security issues

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Protect document metadata for rights managed Office Open XML Files

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Protect document metadata for password protected files.

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Encryption type for password protected Office Open XML files

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Encryption type for password protected Office 97-2003 files

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Load Controls in Forms3 (1 | 2 | 3 | 4)

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Automation Security (Disable macros by default | Use application macro security level | Macros enabled)

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Prevent Word and Excel from loading managed code extensions

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable hyperlink warnings

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable password to open UI

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Download Office Controls

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable All ActiveX

User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Trust Center\Allow mix of policy and user locations

User Configuration\Administrative Templates\Microsoft Office 2007 system\Smart Documents (Word, Excel)\Disable Smart Document's use of manifests

User Configuration\Administrative Templates\Microsoft Office 2007 system\Smart Documents (Word, Excel)\Completely disable the Smart Documents feature in Word and Excel

User Configuration\Administrative Templates\Microsoft Office 2007 system\Services\Fax\Disable Internet Fax feature

User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Prevent users from changing permissions on rights managed content

User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Allow users with earlier versions of Office to read with browsers...

User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Always require users to connect to verify permission

User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Always expand groups in Office when restricting permission for documents

User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Never allow users to specify groups when restricting permission for documents

User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Disable Microsoft Passport service for content with restricted permission

User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Do not allow users to upgrade Information Rights Management configuration

User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Key Usage Filtering

User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\EKU filtering

User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Legacy format signatures

User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Suppress Office Signing Providers (Enable Western and East Asian | Suppress default Western | Suppress default East Asian | Suppress both Western and East Asian)

User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Suppress external signature services menu item

User Configuration\Administrative Templates\Microsoft Office 2007 system\Office Diagnostics\Disable Check For Solutions

User Configuration\Administrative Templates\Microsoft Office 2007 system\Microsoft Save As PDF and XPS add-ins\Disable inclusion of document properties in PDF and XPS output

User Configuration\Administrative Templates\Microsoft Office 2007 system\Document Information Panel\Disable Document Information Panel

User Configuration\Administrative Templates\Microsoft Office 2007 system\Document Information Panel\Document Information Panel Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone)

User Configuration\Administrative Templates\Microsoft Office 2007 system\Server Settings\Disable the Office client from polling the Office server for published links

User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to Word 2007 through the Compatibility Pack for the 2007 Office system and Word 2007 Open XML/Word 97-2003 Format Converter

User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to Excel 2007 through the Compatibility Pack for the 2007 Office system and Excel 2007 Converter

User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to PowerPoint 2007 through the Compatibility Pack for the 2007 Office system and PowerPoint 2007 Converter

User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Control Blogging (Enabled | Only SharePoint blogs allowed | All blogging disabled)

User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Enable Smart Resume

User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Do not upload media files

User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Disable hyperlinks to web templates in File | New and task panes

User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Prevent access to Web-based file storage

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Do not allow attachment previewing in Outlook

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Read e-mail as plain text

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Read signed e-mail as plain text

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Prevent publishing to Office Online

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Prevent publishing to a DAV server

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Restrict level of calendar details users can publish (All options are available | Disables 'Full details' | Disables 'Full details' and 'Limited details')

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Access to published calendars

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Restrict upload method

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Hide Junk Mail UI

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Junk E-mail protection level (No Protection, Low, High, Trusted Lists Only)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Trust E-mail from Contacts

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Add e-mail recipients to users' Safe Senders Lists

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Warn before switching dial-up connection

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Hang up when finished sending, receiving, or updating

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Automatically dial during a background Send/Receive

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Do not allow creating, replying, or forwarding signatures for e-mail messages

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Send copy of pictures with HTML messages instead of reference to Internet location

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Outlook Rich Text options (Convert to HTML | Convert to Plain Text format | Send Using Outlook Rich Text format)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Plain text options

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Plain text options - Encode attachments in UUENCODE format when sending a plain text message

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Message Format\Set message format (HTML | Rich Text | Plain Text)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Make Outlook the default program for E-mail, Contacts, and Calendar

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow folders in non-default stores to be set as folder home pages

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Use Unicode format when dragging e-mail message to file system

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow Outlook object model scripts to run for shared folders

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow Outlook object model scripts to run for public folders

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Set maximum level of online status on a person name (Do not allow | Allow everywhere except To and CC field | Allow everywhere)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Display online status on a person name (Never | Everywhere except To and CC field | Everywhere)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Turn off Enable the Person Names Smart Tag option

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Outlook Security Mode (Outlook Default Security | Use Security Form from 'Outlook Security Settings' Public Folder | Use Security Form from 'Outlook 10 Security Settings' Public Folder | Use Outlook Security Group Policy)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Display Level 1 attachments

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Allow users to demote attachments to Level 2

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Do not prompt about Level 1 attachments when sending an item

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Do not prompt about Level 1 attachments when closing an item

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Allow in-place activation of embedded OLE objects

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Display OLE package objects

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Add file extensions to block as Level 1

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Remove file extensions blocked as Level 1

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Add file extensions to block as Level 2

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Remove file extensions blocked as Level 2

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Allow scripts in one-off Outlook forms

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Set Outlook object model Custom Actions execution prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Set control ItemProperty prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when sending mail (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when accessing an address book (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when reading address information (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when responding to meeting and task requests (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when executing Save As (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when accessing address information via UserProperties.Find (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Required Certificate Authority

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME interoperability with external clients: (Handle internally | Handle externally | Handle if possible)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Always use Rich Text formatting in S/MIME messages

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings - Default S/MIME password time (minutes): (0 - 2147483647)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings - Maximum S/MIME password time (minutes): (0 - 2147483647)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Message Formats

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Message Formats - Support the following message formats: (S/MIME | Exchange | Fortezza | S/MIME and Exchange | S/MIME and Fortezza | Exchange and Fortezza | S/MIME, Exchange, and Fortezza)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not provide Continue option on Encryption warning dialog boxes

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Run in FIPS compliant mode

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Encrypt all e-mail messages

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Sign all e-mail messages

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\URL for S/MIME certificates

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Ensure all S/MIME signed messages have a label

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME receipt requests (Open message if receipt can't be sent | Don't open message if receipt can't be sent | Always prompt before sending receipt | Never send S/MIME )

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Fortezza certificate policies

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Require SuiteB algorithms for S/MIME operations

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing CRLs

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing CRLs - Indicate a missing CRL as a(n): (warning | error)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing root certificates

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing root certificates - Indicate a missing root certificate as a(n): (neither error nor warning | warning | error)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Promote Level 2 errors as errors, not warnings

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Attachment Secure Temporary Folder

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Display pictures and external content in HTML e-mail

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Do not permit download of content from safe zones

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Block Trusted Zones

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Include Internet in Safe Zones for Automatic Picture Download

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Include Intranet in Safe Zones for Automatic Picture Download

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Security setting for macros (Always warn | Never warn, disable all | Warn for signed, disable unsigned | No security check)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Enable links in e-mail messages

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Apply macro security settings to macros, add-ins, and SmartTags

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Automatically configure profile based on Active Directory Primary SMTP address

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Do not allow users to change permissions on folders

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Enable RPC encryption

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Authentication with Exchange Server (Kerberos/NTLM Password Authentication | Kerberos Password Authentication | NTLM Password Authentication)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Synchronize Outlook RSS Feeds with Common Feed List

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Turn off RSS feature

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Automatically download enclosures

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Download full text of articles as HTML attachments

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Internet Calendars\Automatically download attachments

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Internet Calendars\Do not include Internet Calendar integration in Outlook

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Meeting Workspace\Disable user entries to server list (Publish default, allow others | Publish default, disallow others)

User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Miscellaneous\Do not expand distribution lists

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Save\Save files in this format (PowerPoint Presentation (*.pptx) | PowerPoint Macro-Enabled Presentation (*.pptm) | PowerPoint 97-2003 Presentation (*.ppt))

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Advanced\Number of documents in the Recent Documents list (0 - 50)

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Run Programs (disable (don't run any programs) | enable (prompt user before running) | enable all (run without prompting))

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Make hidden markup visible

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Unblock automatic download of linked images

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Disable all application add-ins

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trusted Locations\Disable all trusted locations

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Web Page Preview

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Review | Proofing | Language

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Document Location

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Disable shortcut keys

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Ctrl+K (Insert | Links | Hyperlink)

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Alt+F8 (Developer | Code | Macros)

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Alt+F11 (Developer | Code | Visual Basic)

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to PowerPoint 2007

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Open Xml files types

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Binary file types

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Html file types

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Outlines

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Converters

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Open Xml file types

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Binary file types

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Html file types

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Outlines

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of GraphicFilters

User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Miscellaneous\Disable Slide Update

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Display\Hidden text

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Save\Save files in this format (Word document (*.docx) | Single Files Web Page (*.mht) | Web Page (*.htm; *.html) | Web Page, Filtered (*.htm, *.html) | Rich Text Format (*.rtf) | Plain Text (*.txt) | Word 6.0/95 (*.doc) | Word 6.0/95 - Chinese (Simplified) (*.doc) | Word 6.0/95 - Chinese (Traditional) (*.doc) | Word 6.0/95 - Japanese (*.doc) | Word 6.0/95 - Korean (*.doc) | Word 97-2002 & 6.0/95 - RTF | Word 5.1 for Macintosh (*.mcw) | Word 5.0 for Macintosh (*.mcw) | Word 2.x for Windows (*.doc) | Works 4.0 for Windows (*.wps) | WordPerfect 5.x for Windows (*.doc) | WordPerfect 5.1 for DOS (*.doc) | Word 2007 Macro Enabled Document (*.docm) | Word 2007 Macro Free Template (*.dotx) | Word 2007 Macro Enabled Template (*.dotm) | Word 97 - 2003 Document (*.doc) | Word 97 - 2003 Template (*.dot) | Flat XML Document (*.xml))

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\Number of documents in the Recent Documents list (0-50)

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\Update automatic links at Open

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\E-mail Options\Save smart tags in e-mail

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Disable all application add-ins

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer

User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trusted Locations\Disable all trusted locations

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Word Options | Customize | All Commands | Save As Web Page

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Word Options | Customize | All Commands | Web Page Preview

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Review | Protect | Protect Document

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Record Macro

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Templates | Document Template

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+F (Home | Editing | Find)

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink)

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F8 (Developer | Code | Macros)

User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic)

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Word 2007

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Open XML file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Binary file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of HTML file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Word 2003 XML file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of RTF file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block open Converters

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Text file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Internal file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of files before version

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Open XML file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Binary file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of HTML file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Word 2003 XML file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of RTF file types

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Converters

User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Text file types

Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\InfoPath APTCA Assembly Whitelist

Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\Windows Internet Explorer Feature Control Opt-In (None | InfoPath.exe, Document Information Panel and Workflow forms | InfoPath.exe, Document Information Panel, Workflow forms and 3rd Party Hosting)

Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\InfoPath APTCA Assembly Whitelist Enforcement

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\Disable Package Repair

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - excel.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - powerpnt.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - pptview.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - winword.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - outlook.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - spDesign.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - msaccess.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - excel.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - powerpnt.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - pptview.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - winword.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - outlook.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - spDesign.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - msaccess.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - excel.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - powerpnt.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - pptview.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - winword.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - outlook.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - spDesign.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - msaccess.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - excel.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - powerpnt.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - pptview.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - winword.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - outlook.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - spDesign.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - msaccess.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - excel.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - powerpnt.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - pptview.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - winword.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - outlook.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - spDesign.exe

Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - msaccess.exe

CCE ID CCE Description

CCE-3416-5

enabled / disabled

CCE-4218-4

enabled / disabled

CCE-4209-3

installed / uninstalled

CCE-4249-9

enabled / disabled

CCE-3522-0

enabled / disabled

CCE-4275-4

enabled / disabled

CCE-4042-8

enabled / disabled

CCE-3685-5

CCE-4187-1

loaded / not loaded

CCE-4006-3

installed / uninstalled

CCE-4173-1

enabled / disabled

CCE Parameters

The rhnsd service should be enabled or disabled as appropriate.

The yum-updatesd service should be enabled or disabled as appropriate.The AIDE package should be installed or not as appropriate

The nodev option should be enabled or disabled as appropriate for all non-root partitions.

The nodev option should be enabled or disabled as appropriate for all removable media.

The noexec option should be enabled or disabled as appropriate for all removable media.

The nosuid option should be enabled or disabled as appropriate for all removable media.Console device ownership should be restricted to root-only as appropriate.

root-only / not root-only

The USB device support module should be loaded or not as appropriate

The USB device support module should be installed or not as appropriateUSB kernel support should be enabled or disabled as appropriate.

CCE-3944-6

enabled / disabled

CCE-4072-5

enabled / disabled

CCE-4231-7

enabled / disabled

CCE-3988-3

group

CCE-3883-6

group

CCE-3276-3

user

CCE-3932-1

permissions

CCE-4064-2

group

CCE-4210-1

user

CCE-3918-0

user

CCE-3566-7

permissions

CCE-3958-6

user

CCE-3967-7

permissions

CCE-3495-9

group

CCE-4130-1

permissions

The ability to boot from USB devices should be enabled or disabled as appropriateThe autofs service should be enabled or disabled as appropriate.

The GNOME automounter (gnome-volume-manager) should be enabled or disabled as appropriateThe /etc/shadow file should be owned by the appropriate group.The /etc/group file should be owned by the appropriate group.The /etc/group file should be owned by the appropriate user.File permissions for /etc/gshadow should be set correctly.The /etc/gshadow file should be owned by the appropriate group.The /etc/gshadow file should be owned by the appropriate user.The /etc/shadow file should be owned by the appropriate user.File permissions for /etc/passwd should be set correctly.The /etc/passwd file should be owned by the appropriate user.File permissions for /etc/group should be set correctly.The /etc/passwd file should be owned by the appropriate group.File permissions for /etc/shadow should be set correctly.

CCE-3399-3

set / not set

CCE-3795-2

enabled / disabled

CCE-4178-0

set / not set

CCE-3324-1

set / not set

CCE-4223-4user / none

CCE-3573-3group / none

CCE-4220-0

permissions mask

CCE-4225-9

enabled / disabled

CCE-4247-3

enabled / disabled

CCE-4146-7

enabled / disabled

CCE-4168-1

enabled / disabled

CCE-4172-3

enabled / disabled

CCE-4177-2

enabled / disabled

CCE-3820-8

enabled/disabled

The sticky bit should be set or not set as appropriate for all world-writable directories.

The world-write permission should be enabled or disabled as appropriate for all files.

The sgid bit should be set or not set as appropriate for all files.

The suid bit should be set or not set as appropriate for all files.

All files should be owned by a user as appropriate

All files should be owned by a group as appropriate

The daemon umask should be set as appropriate

Core dumps for all users should be enabled or disabled as appropriate

Core dumps for setuid programs should be enabled or disabled as appropriate

ExecShield randomized placement of virtual memory regions should be enabled or disabled as appropriate

ExecShield should be enabled or disabled as appropriate

Kernel support for the XD/NX processor feature should be enabled or disabled as appropriate

The XD/NX processor feature should be enabled or disabled as appropriate in the BIOS

Logins through the specified virtual console interface should be enabled or disabled as appropriate

CCE-3485-0

enabled/disabled

CCE-4111-1

enabled/disabled

CCE-4256-4

enabled/disabled

CCE-4274-7

enabled/disabled

CCE-4044-4

grant/reject

CCE-3987-5

enabled/disabled

CCE-4238-2

enabled/disabled

CCE-4009-7

enabled/disabled

CCE-4154-1

length of password

CCE-4180-6

number of days

CCE-4092-3

number of days

CCE-4097-2

number of days

CCE-4114-5

CCE-3762-2

password strength

Logins through the specified virtual console device should be enabled or disabled as appropriate

Logins through the primary console device should be enabled or disabled as appropriate

Login prompts on serial ports should be enabled or disabled as appropriate.

Command access to the root account should be enabled or disabled as appropriate.

Sudo privileges should be granted or rejected to the wheel group as appropriate

Login access to non-root system accounts should be enabled or disabled as appropriate

Login access to accounts without passwords should be enabled or disabled as appropriate

Anonymous root logins are enabled or disabled as appropriate

The password minimum length should be set appropriately

The "minimum password age" policy should meet minimum requirements.

The "maximum password age" policy should meet minimum requirements.

The password warn age should be set appropriately

NIS file inclusions should be set appropriately in the /etc/passwd file

The password strength should meet minimum requirements

CCE-3410-8 number of attempts

CCE-4185-5

group

CCE-3952-9

permissions

CCE-3301-9

path

CCE-4090-7

permissions

CCE-3844-8

umask

CCE-4227-5

CCE-3870-3

CCE-4144-2

user

CCE-3923-0

permissions

CCE-3818-2

password

CCE-4197-0

group

CCE-4241-6

enabled/disabled

CCE-4245-7

enabled/disabled

The "account lockout threshold" policy should meet minimum requirements.

The /usr/sbin/userhelper file should be owned by the appropriate group.

File permissions for /usr/sbin/userhelper should be set correctly.

The PATH variable should be set correctly for user root

File permissions should be set correctly for the home directories for all user accounts.

The default umask for all users should be set correctly for the bash shell

The default umask for all users should be set correctly for the csh shell

The default umask for all users should be set correctly

The /etc/grub.conf file should be owned by the appropriate user.

File permissions for /etc/grub.conf should be set correctly.

The grub boot loader should have password protection enabled or disabled as appropriate

The /etc/grub.conf file should be owned by the appropriate group.

The requirement for a password to boot into single-user mode should be configured correctly.

The ability for users to perform interactive startups should be enabled or disabled as appropriate.

CCE-3689-7

number of minutes

CCE-3707-7

number of minutes

CCE-3315-9

number of minutes

CCE-3910-7

number of minutes

CCE-4060-0

banner text

CCE-4188-9

banner text/xml

CCE-3977-6

CCE-3999-0

CCE-3624-4

targeted / strict / mls

CCE-4254-9

enabled / disabled

CCE-4148-3

installed / uninstalled

CCE-3668-1

enabled / disabled

CCE-4129-3

enabled / disabled

CCE-4151-7 enabled / disabled

The idle time-out value for the default /bin/tcsh shell should meet the minimum requirements.

The idle time-out value for the default /bin/bash shell should meet the minimum requirements.

The allowed period of inactivity gnome desktop lockout should be configured correctly.

The vlock package should be installed or not as appropriate

The system login banner text should be set correctly.

The direct gnome login warning banner should be set correctly.

SELinux should be enabled or disabled as appropriate

enforcing / permissive / disabled

The SELinux state should be set appropriately.

enforcing / permissive / disabled

The SELinux policy should be set appropriately.

The setroubleshoot service should be enabled or disabled as appropriate.

The setroubleshoot package should be installed or uninstalled as appropriate.

The mcstrans service should be enabled or disabled as appropriate.

The restorecond service should be enabled or disabled as appropriate.

The default setting for sending ICMP redirects should be enabled or disabled for network interfaces as appropriate.

CCE-4155-8 enabled / disabled

CCE-3561-8 enabled / disabled

CCE-3472-8 enabled / disabled

CCE-4217-6 enabled / disabled

CCE-4133-5 enabled / disabled

CCE-4265-5 enabled / disabled

CCE-3644-2 enabled / disabled

CCE-4186-3 enabled / disabled

CCE-4080-8 enabled / disabled

CCE-3339-9 enabled / disabled

Sending ICMP redirects should be enabled or disabled for all interfaces as appropriate.

IP forwarding should be enabled or disabled as appropriate.

Accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be enabled or disabled for all interfaces as appropriate.

Accepting ICMP redirects should be enabled or disabled for all interfaces as appropriate.

Ignoring bogus ICMP responses to broadcasts should be enabled or disabled as appropriate.

Sending TCP syncookies should be enabled or disabled as appropriate.

Ignoring ICMP echo requests (pings) sent to broadcast / multicast addresses should be enabled or disabled as appropriate.

The default setting for accepting ICMP redirects should be enabled or disabled for network interfaces as appropriate.

Performing source validation by reverse path should be enabled or disabled for all interfaces as appropriate.

The default setting for accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be enabled or disabled for network interfaces as appropriate.

CCE-4320-8 enabled / disabled

CCE-3840-6 enabled / disabled

CCE-4091-5 enabled / disabled

CCE-4236-6 enabled / disabled

CCE-3628-5

enabled / disabled

CCE-4276-2

enabled / disabled

CCE-4170-7

included / excluded

CCE-3562-6

enabled / disabled

CCE-3377-9

enabled / disabled

CCE-4296-0

enabled / disabled

CCE-3381-1

enabled / disabled

Logging of "martian" packets (those with impossible addresses) should be enabled or disabled for all interfaces as appropriate.

The default setting for performing source validation by reverse path should be enabled or disabled for network interfaces as appropriate.

The default setting for accepting source routed packets should be enabled or disabled for network interfaces as appropriate.

Accepting source routed packets should be enabled or disabled for all interfaces as appropriate.

All wireless devices should be enabled or disabled in the BIOS as appropriate.

All wireless interfaces should be enabled or disabled as appropriate.

Device drivers for wireless devices should be included or excluded from the kernel as appropriate.

Automatic loading of the IPv6 kernel module should be enabled or disabled as appropriate.

Global IPv6 initialization should be enabled or disabled as appropriate.

IPv6 configuration should be enabled or disabled as appropriate for all interfaces.

The default setting for IPv6 configuration should be enabled or disabled for network interfaces as appropriate.

CCE-4269-7

enabled / disabled

CCE-4291-1

enabled / disabled

CCE-4313-3

enabled / disabled

CCE-4198-8

enabled / disabled

CCE-3842-2

CCE-4221-8

enabled / disabled

CCE-4137-6

number

CCE-4159-0

number

CCE-3895-0

number

Accepting IPv6 router advertisements should be enabled or disabled as appropriate for all network interfaces.

The default setting for accepting IPv6 router advertisements should be enabled or disabled for network interfaces as appropriate.

Accepting redirects from IPv6 routers should be enabled or disabled as appropriate for all network interfaces.

The default setting for accepting redirects from IPv6 routers should be enabled or disabled for network interfaces as appropriate.

IPv6 privacy extensions should be configured appropriately for all interfaces.

disabled / lightweight / rfc3041 (alias yes)

The default setting for accepting router preference via IPv6 router advertisement should be enabled or disabled for network interfaces as appropriate.

The default number of global unicast IPv6 addresses allowed per network interface should be set appropriately.

The default number of IPv6 router solicitations for network interfaces to send should be set appropriately.

The default number of IPv6 duplicate address detection solicitations for network interfaces to send per configured address should be set appropriately.

CCE-4287-9

enabled / disabled

CCE-4058-4

enabled / disabled

CCE-4128-5

enabled / disabled

CCE-4167-3

enabled / disabled

CCE-4189-7

enabled / disabled

CCE-3679-8

enabled / disabled

CCE-3701-0

group

CCE-4233-3

permissions

CCE-4366-1

user

CCE-4260-6

sent / not sent

CCE-3382-9

accept / reject

CCE-4182-2

enabled / disabled

The default setting for autoconfiguring network interfaces using prefix information in IPv6 router advertisements should be enabled or disabled as appropriate.

The default setting for accepting prefix information via IPv6 router advertisement should be enabled or disabled for network interfaces as appropriate.

The default setting for accepting a default router via IPv6 router advertisement should be enabled or disabled for network interfaces as appropriate.

The ip6tables service should be enabled or disabled as appropriate.

The iptables service should be enabled or disabled as appropriate.

The syslog service should be enabled or disabled as appropriate.

All syslog log files should be owned by the appropriate group.

File permissions for all syslog log files should be set correctly.

All syslog log files should be owned by the appropriate user.

Syslog logs should be sent to a remote loghost or not as appropriate

Syslogd should accept remote messages or not as appropriate

The logrotate (syslog rotater) service should be enabled or disabled as appropriate.

CCE-4323-2

enabled / disabled

CCE-4292-9

enabled / disabled

CCE-4234-1

enabled / disabled

CCE-4252-3

enabled / disabled

CCE-4023-8

installed / uninstalled

CCE-4164-0

installed / uninstalled

CCE-3390-2

enabled / disabled

CCE-4330-7

installed / uninstalled

CCE-3974-3

enabled / disabled

CCE-4141-8

enabled / disabled

CCE-3537-8

enabled / disabled

CCE-4308-3

installed / uninstalled

CCE-3705-1

enabled / disabled

CCE-4348-9

installed / uninstalled

CCE-4273-9

enabled / disabled

The logwatch service should be enabled or disabled as appropriate

The auditd service should be enabled or disabled as appropriate.

The inetd service should be enabled or disabled as appropriate.

The xinetd service should be enabled or disabled as appropriate.

The inetd package should be installed or uninstalled as appropriate.

The xinetd package should be installed or uninstalled as appropriate.

The telnet service should be enabled or disabled as appropriate.

The telnet-server package should be installed or uninstalled as appropriate.

The rcp service should be enabled or disabled as appropriate.

The rsh service should be enabled or disabled as appropriate.

The rlogin service should be enabled or disabled as appropriate.

The rsh package should be installed or uninstalled as appropriate.

The ypbind service should be enabled or disabled as appropriate.

The ypserv package should be installed or uninstalled as appropriate.

The tftp service should be enabled or disabled as appropriate.

CCE-3916-4

installed / uninstalled

CCE-3412-4 enabled / disabled

CCE-4229-1

enabled / disabled

CCE-4123-6

enabled / disabled

CCE-4286-1

enabled / disabled

CCE-3425-6

enabled / disabled

CCE-4211-9

enabled / disabled

CCE-3854-7

enabled / disabled

CCE-4356-2

enabled / disabled

CCE-4369-5

enabled / disabled

CCE-4100-4

enabled / disabled

CCE-3455-3

enabled / disabled

CCE-4421-4

enabled / disabled

CCE-4302-6

enabled / disabled

CCE-3822-4

enabled / disabled

The tftp-server package should be installed or uninstalled as appropriate.

The firstboot service should be enabled or disabled as appropriate.

The gpm service should be enabled or disabled as appropriate.

The irqbalance service should be enabled or disabled as appropriate.

The isdn service should be enabled or disabled as appropriate.

The kdump service should be enabled or disabled as appropriate.

The kudzu service should be enabled or disabled as appropriate.

The mdmonitor service should be enabled or disabled as appropriate.

The microcode_ctl service should be enabled or disabled as appropriate.

The network service should be enabled or disabled as appropriate.

The pcscd service should be enabled or disabled as appropriate.

The smartd service should be enabled or disabled as appropriate.

The readahead_early service should be enabled or disabled as appropriate.

The readahead_later service should be enabled or disabled as appropriate.

The messagebus service should be enabled or disabled as appropriate.

CCE-4364-6

enabled / disabled

CCE-4355-4

enabled / disabled

CCE-4377-8

enabled / disabled

CCE-4289-5

enabled / disabled

CCE-4298-6

enabled / disabled

CCE-4051-9

enabled / disabled

CCE-4324-0

enabled / disabled

CCE-4406-5

enabled / disabled

CCE-4428-9

installed / uninstalled

CCE-4322-4

group

CCE-4450-3

permissions

CCE-4331-5

group

CCE-3851-3

user

CCE-4379-4

user

CCE-4388-5

permissions

CCE-4054-3

group

The haldaemon service should be enabled or disabled as appropriate.

The bluetooth service should be enabled or disabled as appropriate.

The hidd service should be enabled or disabled as appropriate.

The apmd service should be enabled or disabled as appropriate.

The acpid service should be enabled or disabled as appropriate.

The cpuspeed service should be enabled or disabled as appropriate.

The crond service should be enabled or disabled as appropriate.

The anacron service should be enabled or disabled as appropriate.

The anacron package should be installed or uninstalled as appropriate.

The /etc/cron.monthly file should be owned by the appropriate group.

File permissions for /etc/cron.daily should be set correctly.

The /etc/cron.weekly file should be owned by the appropriate group.

The /etc/crontab file should be owned by the appropriate user.

The /etc/anacrontab file should be owned by the appropriate user.

File permissions for /etc/crontab should be set correctly.

The /etc/cron.hourly file should be owned by the appropriate group.

CCE-4441-2

user

CCE-4212-7

group

CCE-4380-2

user

CCE-3833-1

user

CCE-3604-6

group

CCE-4106-1

permissions

CCE-3983-4

user

CCE-3626-9

group

CCE-4022-0

user

CCE-4304-2

permissions

CCE-4203-6

permissions

CCE-4251-5

permissions

CCE-3481-9

group

CCE-4250-7

permissions

CCE-4268-9

enabled / disabled

CCE-4272-1

installed / uninstalled

The /etc/cron.monthly file should be owned by the appropriate user.

The /etc/cron.d file should be owned by the appropriate group.

The /etc/cron.d file should be owned by the appropriate user.

The /etc/cron.weekly file should be owned by the appropriate user.

The /etc/anacrontab file should be owned by the appropriate group.

File permissions for /etc/cron.hourly should be set correctly.

The /etc/cron.hourly file should be owned by the appropriate user.

The /etc/crontab file should be owned by the appropriate group.

The /etc/cron.daily file should be owned by the appropriate user.

File permissions for /etc/anacrontab should be set correctly.

File permissions for /etc/cron.weekly should be set correctly.

File permissions for /etc/cron.monthly should be set correctly.

The /etc/cron.daily file should be owned by the appropriate group.

File permissions for /etc/cron.d should be set correctly.

The sshd service should be enabled or disabled as appropriate.

SSH should be installed or uninstalled as appropriate

CCE-4295-2

allow / deny

CCE-4325-7

CCE-3845-5

integer (seconds)

CCE-4475-0

enabled / disabled

CCE-4370-3

enabled / disabled

CCE-4387-7

enabled / disabled

CCE-3660-8

enabled / disabled

CCE-4431-3

enabled / disabled

CCE-4462-8

enabled / disabled

CCE-4422-2

installed/removed

CCE-4303-4

enabled / disabled

CCE-4448-7

enabled / disabled

CCE-4074-1

enabled / disabled

Inbound connections to the ssh port should be allowed or denied as appropriate

SSH version 1 protocol support should be enabled or disabled as appropriate.

permitted / not permitted

The SSH idle timeout interval should be set to an appropriate value

Emulation of the rsh command through the ssh server should be enabled or disabled as appropriate

SSH host-based authentication should be enabled or disabled as appropriate

Root login via SSH should be enabled or disabled as appropriate

Remote connections from accounts with empty passwords should be enabled or disabled as appropriate

SSH warning banner should be enabled or disabled as appropriate

X Windows should be enabled or disabled at system boot as appropriate

X Windows should be installed or removed as appropriate

X Font Server should be enabled or disabled as appropriate

The xfs service should be enabled or disabled as appropriate.

X Windows System Listening for remote connections should be enabled or disabled as appropriate

CCE-3717-6

enabled / disabled

CCE-4365-3

enabled / disabled

CCE-4136-8

serve / not serve

CCE-4409-9

serve / not serve

CCE-4426-3

accept / reject

CCE-4193-9

allow / disallow

CCE-4444-6

enabled / disabled

CCE-4352-1

enabled / disabled

CCE-4433-9

enabled / disabled

CCE-4451-1

enabled / disabled

CCE-4341-4

enabled / disabled

CCE-4358-8

enabled / disabled

CCE-4112-9

enabled / disabled

Warning banners for gui login users should be enabled or disabled as appropriate

The avahi-daemon service should be enabled or disabled as appropriate.

The Avahi daemon should be configured to serve via IPv6 or not as appropriate

The Avahi daemon should be configured to serve via IPv4 or not as appropriate

Avahi should be configured to accept packets with a TTL field not equal to 255 or not as appropriate

Avahi should be configured to allow other stacks from binding to port 5353 or not as appropriate

Avahi publishing of local information should be enabled or disabled as appropriate

Avahi publishing of local information by user applications should be enabled or disabled as appropriate

Avahi publishing of hardware information should be enabled or disabled as appropriate

Avahi publishing of workstation name should be enabled or disabled as appropriate

Avahi publishing of IP addresses should be enabled or disabled as appropriate

Avahi publishing of domain name should be enabled or disabled as appropriate

The cups service should be enabled or disabled as appropriate.

CCE-3755-6

enabled/disabled

CCE-3649-1

enabled / disabled

CCE-4420-6

enabled / disabled

CCE-4407-3

allow / deny

CCE-4425-5

enabled / disabled

CCE-4191-3

enabled / disabled

CCE-4336-4

enabled / disabled

CCE-4464-4

installed / uninstalled

CCE-4257-2

enabled / disabled

CCE-4403-2

accepted / denied

CCE-4345-5

accepted / denied

CCE-3724-2

sent / not sent

CCE-4243-2

sent / not sent

CUPS service should be enabled or disabled as appropriate

Firewall access to printing service should be enabled or disabled as appropriate

Remote print browsing should be enabled or disabled as appropriate

CUPS should be allowed or denied the ability to listen for Incoming printer information as appropriate

The hplip service should be enabled or disabled as appropriate.

The dhcp client service should be enabled or disabled as appropriate for each interface.

The dhcpd service should be enabled or disabled as appropriate.

The dhcp package should be installed or uninstalled as appropriate.

The dynamic DNS feature of the DHCP server should be enabled or disabled as appropriate

DHCPDECLINE messages should be accepted or denied by the DHCP server as appropriate

BOOTP queries should be accepted or denied by the DHCP server as appropriate

Domain name server information should be sent or not sent by the DHCP server as appropriate.

Default routers should be sent or not sent by the DHCP server as appropriate.

CCE-4389-3

sent / not sent

CCE-3913-1

sent / not sent

CCE-4169-9

sent / not sent

CCE-4318-2

sent / not sent

CCE-4319-0

sent / not sent

CCE-3733-3

enabled / disabled

CCE-4376-0

enabled / disabled

CCE-4134-3

allow / deny

CCE-4385-1

ip address

CCE-4032-9

installed / uninstalled

CCE-4424-8

enabled / disabled

CCE-3487-6

local ntp server

CCE-4416-4

enabled / disabled

CCE-4293-7

enabled / disabled

Domain name should be sent or not sent by the DHCP server as appropriate.

NIS domain should be sent or not sent by the DHCP server as appropriate.

NIS servers should be sent or not sent by the DHCP server as appropriate.

Time offset should be sent or not sent by the DHCP server as appropriate.

NTP servers should be sent or not sent by the DHCP server as appropriate.

dhcpd logging should be enabled or disabled as appropriate.

The ntpd service should be enabled or disabled as appropriate.

Network access to ntpd should be allowed or denied as appropriate

A remote NTP Server for time synchronization should be specified or not as appropriate

OpenNTPD should be installed or uninstalled as appropriate

The ntp daemon should be enabled or disabled as appropriate

The ntp daemon synchronization server should be set appropriately

The sendmail service should be enabled or disabled as appropriate.

The listening sendmail daemon should be enabled or disabled as appropriate.

CCE-3501-4

enabled / disabled

CCE-4360-4

permissions

CCE-4378-6

permissions

CCE-4492-5

user

CCE-4263-0

permissions

CCE-3502-2

user

CCE-4449-5

user

CCE-4361-2

permissions

CCE-4427-1

group

CCE-4321-6

group

CCE-4339-8

group

CCE-4105-3

user

The ldap service should be enabled or disabled as appropriate.

File permissions for /etc/pki/tls/CA/cacert.pem should be set correctly.

File permissions for /etc/pki/tls/ldap/serverkey.pem should be set correctly.

The /etc/pki/tls/ldap file should be owned by the appropriate user.

File permissions for /etc/pki/tls/ldap/servercert.pem should be set correctly.

The /etc/pki/tls/ldap/serverkey.pem file should be owned by the appropriate user.

The /etc/pki/tls/CA/cacert.pem file should be owned by the appropriate user.

File permissions for /etc/pki/tls/ldap should be set correctly.

The /etc/pki/tls/CA/cacert.pem file should be owned by the appropriate group.

The /etc/pki/tls/ldap/serverkey.pem file should be owned by the appropriate group.

The /etc/pki/tls/ldap file should be owned by the appropriate group.

The /etc/pki/tls/ldap/servercert.pem file should be owned by the appropriate user.

CCE-3718-4

group

CCE-4484-2

group

CCE-4502-1

user

CCE-4396-8

enabled / disabled

CCE-3535-2

enabled / disabled

CCE-3568-3

enabled / disabled

CCE-4533-6

enabled / disabled

CCE-4550-0

enabled / disabled

CCE-4559-1

static / dynamic

CCE-4015-4

static / dynamic

CCE-3667-3

static / dynamic

CCE-4310-9

static / dynamic

The /etc/pki/tls/ldap/servercert.pem file should be owned by the appropriate group.

The /var/lib/ldap/* files should be owned by the appropriate group.

The /var/lib/ldap/* files should be owned by the appropriate user.

The nfslock service should be enabled or disabled as appropriate.

The rpcgssd service should be enabled or disabled as appropriate.

The rpcidmapd service should be enabled or disabled as appropriate.

The netfs service should be enabled or disabled as appropriate.

The portmap service should be enabled or disabled as appropriate.

The lockd service should be configured to use a static port or a dynamic portmapper port for TCP as appropriate

The statd service should be configured to use an outgoing static port or an outgoing dynamic portmapper port as appropriate

The statd service should be configured to use a static port or a dynamic portmapper port as appropriate

The lockd service should be configured to use a static port or a dynamic portmapper port for UDP as appropriate

CCE-4438-8

static / dynamic

CCE-3579-0

static / dynamic

CCE-4473-5

enabled / disabled

CCE-4491-7

enabled / disabled

CCE-4368-7

enabled / disabled

CCE-4024-6

enabled / disabled

CCE-4526-0

enabled / disabled

CCE-4544-3

enabled / disabled

CCE-4465-1

enabled / disabled

CCE-4350-5

enabled / disabled

CCE-3578-2

enabled / disabled

CCE-4219-2

installed / uninstalled

CCE-3985-9

group

The mountd service should be configured to use a static port or a dynamic portmapper port as appropriate

The rquotad service should be configured to use a static port or a dynamic portmapper port as appropriate

The nfs service should be enabled or disabled as appropriate

The rpcsvcgssd service should be enabled or disabled as appropriate

The nodev option should be enabled or disabled for all NFS mounts as appropriate

The nosuid option should be enabled or disabled for all NFS mounts as appropriate

The noexec option should be enabled or disabled for all NFS mounts as appropriate

Root squashing should be enabled or disabled as appropriate for all NFS shares

Restriction of NFS clients to privileged ports should be enabled or disabled as appropriate

Write access to NFS shares should be enabled or disabled as appropriate

The named service should be enabled or disabled as appropriate.

The bind package should be installed or uninstalled as appropriate.

The /var/named/chroot/etc/named.conf file should be owned by the appropriate group.

CCE-4487-5

permissions

CCE-4258-0

user

CCE-4399-2

enabled / disabled

CCE-3919-8

enabled / disabled

CCE-4549-2

enabled / disabled

CCE-4554-2

enabled / disabled

CCE-4443-8

enabled / disabled

CCE-4461-0

enabled / disabled

CCE-4338-0

enabled / disabled

CCE-4514-6

installed / uninstalled

CCE-4346-3

installed / uninstalled

CCE-4474-3

text

CCE-3756-4

CCE-4509-6

permissions

File permissions for /var/named/chroot/etc/named.conf should be set correctly.

The /var/named/chroot/etc/named.conf file should be owned by the appropriate user.

LDAP's dynamic updates feature should be enabled or disabled as appropriate

The vsftpd service should be enabled or disabled as appropriate.

Logging of vsftpd transactions should be enabled or disabled as appropriate

A warning banner for all FTP users should be enabled or disabled as appropriate

Local user login to the vsftpd service should be enabled or disabled as appropriate

File uploads via vsftpd should be enabled or disabled as appropriate

The httpd service should be enabled or disabled as appropriate.

The httpd package should be installed or uninstalled as appropriate.

The apache 2 server software should be installed or removed as appropriate

The apache2 server's ServerTokens value should be set appropriately

The apache2 server's ServerSignature value should be set appropriately

File permissions for /etc/httpd/conf should be set correctly.

CCE-4386-9

permissions

CCE-4029-5

permissions

CCE-3581-6

CCE-4574-0

permissions

CCE-3847-1

enabled / disabled

CCE-4239-0

installed / uninstalled

CCE-4384-4

support / not support

CCE-3887-7

support / not support

CCE-4530-2

support / not support

CCE-4547-6

support / not support

CCE-4552-6

enabled / disabled

CCE-4371-1

enabled / disabled

CCE-4410-7

enabled / disabled

File permissions for /etc/httpd/conf/* should be set correctly.

File permissions for /usr/sbin/httpd should be set correctly.

The /etc/httpd/conf/* files should be owned by the appropriate group.

File permissions for /var/log/httpd should be set correctly.

The dovecot service should be enabled or disabled as appropriate.

The dovecot package should be installed or uninstalled as appropriate.

Dovecot should be configured to support the imaps protocol or not as necessary

Dovecot should be configured to support the pop3s protocol or not as necessary

Dovecot should be configured to support the pop3 protocol or not as necessary

Dovecot should be configured to support the imap protocol or not as necessary

Dovecot plaintext authentication of clients should be enabled or disabled as necessary

The Dovecot option to drop privileges to user before executing mail process should be enabled or not as appropriate

The Dovecot option to spawn a new login process per connection should be enabled or not as appropriate

CCE-4551-8

enabled / disabled

CCE-4556-7

enabled / disabled

CCE-4076-6

installed / uninstalled

CCE-4454-5

enabled / disabled

CCE-4353-9

data length

CCE-4503-9

enabled / disabled

CCE-3585-7

enabled / disabled

CCE-4419-8

data length

CCE-3692-1

user

CCE-4459-4

enabled / disabled

CCE-4476-8

group

CCE-4181-4

enabled / disabled

The smb service should be enabled or disabled as appropriate.

The squid service should be enabled or disabled as appropriate.

The squid package should be installed or uninstalled as appropriate.

The Squid option to force FTP passive connections should be enabled or not as appropriate

The Squid max request HTTP header length should be set to an appropriate value

The Squid option to check for RFC compliant hostnames should be enabled or not as appropriate

The Squid option to ignore unknown nameservers should be enabled or not as appropriate

The Squid max reply HTTP header length should be set to an appropriate value

The Squid EUID should be set to an appropriate user

The Squid option to perform FTP sanity checks should be enabled or not as appropriate

The Squid GUID should be set to an appropriate group

The Squid option to show proxy client IP addresses in HTTP headers should be enabled or disabled as appropriate

CCE-4577-3

enabled / disabled

CCE-4344-8

enabled / disabled

CCE-4494-1

enabled / disabled

CCE-4511-2

allow / deny

CCE-4529-4

allow / deny

CCE-3610-3

allow / deny

CCE-4466-9

allow / deny

CCE-4607-8

allow / deny

CCE-4255-6

allow / deny

CCE-4127-7

allow / deny

CCE-4519-5

allow / deny

CCE-4413-1

allow / deny

The Squid option to log HTTP MIME headers should be enabled or disabled as appropriate

The Squid option to allow underscores in hostnames should be enabled or disabled as appropriate

The Squid option to suppress the httpd version string should be enabled or disabled as appropriate

Squid should be configured to allow gss-http traffic or not as appropriate

Squid should be configured to allow https traffic or not as appropriate

Squid should be configured to allow wais traffic or not as appropriate

Squid should be configured to allow multiling http traffic or not as appropriate

Squid should be configured to allow http traffic or not as appropriate

Squid should be configured to allow ftp traffic or not as appropriate

Squid should be configured to allow gopher traffic or not as appropriate

Squid should be configured to allow filemaker traffic or not as appropriate

Squid proxy access to localhost should be allowed or denied as appropriate

CCE-4373-7

allow / deny

CCE-3765-5

enabled / disabled

CCE-4404-0

installed / uninstalled

Squid should be configured to allow http-mgmt traffic or not as appropriate

The snmpd service should be enabled or disabled as appropriate.

The net-smtp package should be installed or uninstalled as appropriate.

CCE Technical Mechanisms

via chkconfig 2.1.2.2

via chkconfig 2.1.2.3.2

via yum 2.1.3.1.1

via /etc/fstab 2.2.1.1

via /etc/fstab 2.2.1.2

via /etc/fstab 2.2.1.2

2.2.1.2

via /etc/security/console.perms.d/50-default.perms 2.2.2.1

via /etc/modprobe.conf 2.2.2.2.1

via kernel 2.2.2.2.2

via /etc/grub.conf 2.2.2.2.3

NSA "Guide to the Secure Configuration of Red Hat Enterprise Linux 5" (Section)

via BIOS 2.2.2.2.4

via chkconfig 2.2.2.3

via gconf 2.2.2.4

via chown 2.2.3.1

via chown 2.2.3.1

via chown 2.2.3.1

via chmod 2.2.3.1

via chown 2.2.3.1

via chown 2.2.3.1

via chown 2.2.3.1

via chmod 2.2.3.1

via chown 2.2.3.1

via chmod 2.2.3.1

via chown 2.2.3.1

via chmod 2.2.3.1

via chmod 2.2.3.2

via chmod 2.2.3.3

via chmod 2.2.3.4

via chmod 2.2.3.4

via chown 2.2.3.5

via chgrp 2.2.3.5

via /etc/sysconfig/init 2.2.4.1

via /etc/security/limits.conf 2.2.4.2

via sysctl - fs.suid_dumpable 2.2.4.2

via sysctl - kernel.randomize_va_space 2.2.4.3

via sysctl - kernel.exec-shield 2.2.4.3

via kernel-PAE 2.2.4.4.2

via BIOS 2.2.4.4.3

via /etc/securetty 2.3.1.1

via /etc/securetty 2.3.1.1

via /etc/securetty 2.3.1.1

via /etc/securetty 2.3.1.1

via pam 2.3.1.2

via /etc/sudoers 2.3.1.3

via /etc/passwd 2.3.1.4

via /etc/shadow 2.3.1.5

via /etc/passwd 2.3.1.6

via /etc/login.defs 2.3.1.7

via /etc/login.defs 2.3.1.7

via /etc/login.defs 2.3.1.7

via /etc/login.defs 2.3.1.7

2.3.1.8

via PAM 2.3.3.1

via PAM 2.3.3.2

via chgrp 2.3.3.4

via chmod 2.3.3.4

2.3.4.1

2.3.4.2

umask 2.3.4.4

2.3.4.4

2.3.4.4

via chown 2.3.5.2

via chmod 2.3.5.2

via /etc/grub.conf 2.3.5.2

via chown 2.3.5.2

via /etc/inittab 2.3.5.3

via /etc/sysconfig/init 2.3.5.4

via autolockout 2.3.5.5

via /etc/profile.d 2.3.5.5

via gconftool-2 2.3.5.6.1

via gconftool-2 2.3.5.6.1

via /etc/issue 2.3.7.1

via RHEL.xml 2.3.7.2

via /etc/selinux/config 2.4.2

via /etc/selinux/config 2.4.2

via /etc/selinux/config 2.4.2

via chkconfig 2.4.3.1

via yum 2.4.3.1

via chkconfig 2.4.3.2

via chkconfig 2.4.3.3

via sysctl - net.ipv4.conf.default.send_redirects 2.5.1.1

via sysctl - net.ipv4.conf.all.send_redirects 2.5.1.1

via sysctl - net.ipv4.ip_forward 2.5.1.1

via sysctl - net.ipv4.conf.all.secure_redirects 2.5.1.2

via sysctl - net.ipv4.conf.all.accept_redirects 2.5.1.2

via sysctl - net.ipv4.icmp_ignore_bogus_error_messages 2.5.1.2

via sysctl - net.ipv4.tcp_syncookies 2.5.1.2

via sysctl - net.ipv4.icmp_echo_ignore_broadcasts 2.5.1.2

via sysctl - net.ipv4.conf.default.accept_redirects 2.5.1.2

via sysctl - net.ipv4.conf.all.rp_filter 2.5.1.2

via sysctl - net.ipv4.conf.default.secure_redirects 2.5.1.2

via sysctl - net.ipv4.conf.all.log_martians 2.5.1.2

via sysctl - net.ipv4.conf.default.rp_filter 2.5.1.2

via sysctl - net.ipv4.conf.default.accept_source_route 2.5.1.2

via sysctl - net.ipv4.conf.all.accept_source_route 2.5.1.2

via BIOS menus 2.5.2.2.1

via ifconfig 2.5.2.2.2

via modprobe 2.5.2.2.3

via /etc/modprobe.conf 2.5.3.1.1

via /etc/sysconfig/network 2.5.3.1.2

via IPV6INIT in /etc/sysconfig/network-scripts/ifcfg-<interface> 2.5.3.1.2

via /etc/sysconfig/network 2.5.3.1.2

2.5.3.2.1

2.5.3.2.1

2.5.3.2.1

2.5.3.2.1

2.5.3.2.3

via sysctl - net.ipv6.conf.default.accept_ra_rtr_pref 2.5.3.2.5

via sysctl - net.ipv6.conf.default.max_addresses 2.5.3.2.5

via sysctl - net.ipv6.conf.default.router_solicitations 2.5.3.2.5

via sysctl - net.ipv6.conf.default.dad_transmits 2.5.3.2.5

(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network

(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network

(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network

(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network

via IPV6_PRIVACY in /etc/sysconfig/network-scripts/ifcfg-<interface>

via sysctl - net.ipv6.conf.default.autoconf 2.5.3.2.5

via sysctl - net.ipv6.conf.default.accept_ra_pinfo 2.5.3.2.5

via sysctl - net.ipv6.conf.default.accept_ra_defrtr 2.5.3.2.5

via chkconfig 2.5.5.1

via chkconfig 2.5.5.1

via chkconfig 2.6.1

via chown 2.6.1.2

via chmod 2.6.1.2

via chown 2.6.1.2

via /etc/syslog.conf 2.6.1.3

via /etc/sysconfig/syslog 2.6.1.4

via cron 2.6.1.5

via cron 2.6.1.6

via chkconfig 2.6.2.1

via chkconfig 3.2.1

via chkconfig 3.2.1

via yum 3.2.1

via yum 3.2.1

via chkconfig 3.2.2

via yum 3.2.2

via chkconfig 3.2.3.1

via chkconfig 3.2.3.1

via chkconfig 3.2.3.1

via yum 3.2.3.1

via chkconfig 3.2.4

via yum 3.2.4

via chkconfig 3.2.5

via yum 3.2.5

via chkconfig 3.3.1

via chkconfig 3.3.2

via chkconfig 3.3.3

via chkconfig 3.3.4

via chkconfig 3.3.5

via chkconfig 3.3.6

via chkconfig 3.3.7

via chkconfig 3.3.8

via chkconfig 3.3.9

via chkconfig 3.3.10

via chkconfig 3.3.11

via chkconfig 3.3.12

via chkconfig 3.3.12

via chkconfig 3.3.13.1

via chkconfig 3.3.13.2

via chkconfig 3.3.14.1

via chkconfig 3.3.14.2

via chkconfig 3.3.15.1

via chkconfig 3.3.15.2

via chkconfig 3.3.15.3

via chkconfig 3.4

via chkconfig 3.4.1

via yum 3.4.1

via chown 3.4.2

via chmod 3.4.2

via chown 3.4.2

via chown 3.4.2

via chown 3.4.2

via chmod 3.4.2

via chown 3.4.2

via chown 3.4.2

via chown 3.4.2

via chown 3.4.2

via chown 3.4.2

via chown 3.4.2

via chmod 3.4.2

via chown 3.4.2

via chown 3.4.2

via chown 3.4.2

via chmod 3.4.2

via chmod 3.4.2

via chmod 3.4.2

via chown 3.4.2

via chmod 3.4.2

via chkconfig 3.5.1.1

via yum 3.5.1.1

/etc/sysconfig/iptables 3.5.1.2

via /etc/ssh/sshd_config 3.5.2.1

via /etc/ssh/sshd_config 3.5.2.3

via /etc/ssh/sshd_config 3.5.2.4

via /etc/ssh/sshd_config 3.5.2.5

via /etc/ssh/sshd_config 3.5.2.6

via /etc/ssh/sshd_config 3.5.2.7

via /etc/ssh/sshd_config 3.5.2.8

via /etc/inittab 3.6.1.1

via yum 3.6.1.2

via chkconfig 3.6.1.3.1

via chkconfig 3.6.1.3.1

via /etc/X11/xinit/xserverrc 3.6.1.3.2

via /etc/gdm/custom.conf 3.6.2.1

via chkconfig 3.7.1.1

via /etc/avahi/avahi-daemon.conf 3.7.2.1

via /etc/avahi/avahi-daemon.conf 3.7.2.1

via /etc/avahi/avahi-daemon.conf 3.7.2.2

via /etc/avahi/avahi-daemon.conf 3.7.2.3

via /etc/avahi/avahi-daemon.conf 3.7.2.4

via /etc/avahi/avahi-daemon.conf 3.7.2.5

via /etc/avahi/avahi-daemon.conf 3.7.2.5

via /etc/avahi/avahi-daemon.conf 3.7.2.5

via /etc/avahi/avahi-daemon.conf 3.7.2.5

via /etc/avahi/avahi-daemon.conf 3.7.2.5

via chkconfig 3.8.1

via chkconfig 3.8.1

via /etc/sysconfig/iptables 3.8.2

via /etc/cups/cupsd.conf 3.8.3.1.1

via /etc/cups/cupsd.conf 3.8.3.1.1

via chkconfig 3.8.4.1

via /etc/sysconfig/network-scripts/ifcfg-IFACE 3.9.1

via chkconfig 3.9.3

via yum 3.9.3

via /etc/dhcpd.conf 3.9.4.1

via /etc/dhcpd.conf 3.9.4.2

via /etc/dhcpd.conf 3.9.4.3

via /etc/dhcpd.conf 3.9.4.4

via /etc/dhcpd.conf 3.9.4.4

via /etc/dhcpd.conf 3.9.4.4

via /etc/dhcpd.conf 3.9.4.4

via /etc/dhcpd.conf 3.9.4.4

via /etc/dhcpd.conf 3.9.4.4

via /etc/dhcpd.conf 3.9.4.4

via /etc/syslog.conf 3.9.4.5

via chkconfig 3.10.2.2.1

via /etc/ntp.conf 3.10.2.2.2

via /etc/ntp.conf 3.10.2.2.3

via openntpd package 3.10.3.1

via /etc/rc.local 3.10.3.2.1

via /usr/local/etc/ntpd.conf 3.10.3.2.2

via chkconfig 3.11

via /etc/sysconfig/sendmail 3.11.2.1

via chkconfig 3.12.3.1

via chmod 3.12.3.4.2

via chmod 3.12.3.4.2

via chown 3.12.3.4.2

via chmod 3.12.3.4.2

via chown 3.12.3.4.2

via chown 3.12.3.4.2

via chmod 3.12.3.4.2

via chown 3.12.3.4.2

via chown 3.12.3.4.2

via chown 3.12.3.4.2

via chown 3.12.3.4.2

via chown 3.12.3.4.2

via chown 3.12.3.7

via chown 3.12.3.7

via chkconfig 3.13.1.1

via chkconfig 3.13.1.1

via chkconfig 3.13.1.1

via chkconfig 3.13.1.2

via chkconfig 3.13.1.3

via /etc/sysconfig/nfs 3.13.2.3

via /etc/sysconfig/nfs 3.13.2.3

via /etc/sysconfig/nfs 3.13.2.3

via /etc/sysconfig/nfs 3.13.2.3

via /etc/sysconfig/nfs 3.13.2.3

via /etc/sysconfig/nfs 3.13.2.3

via chkconfig 3.13.3.1

via chkconfig 3.13.3.1

via /etc/fstab 3.13.3.2

via /etc/fstab 3.13.3.2

via /etc/fstab 3.13.3.2

via /etc/exports 3.13.4.1.2

via /etc/exports 3.13.4.1.3

via /etc/exports 3.13.4.1.4

via chkconfig 3.14.1

via yum 3.14.1

via chown 3.14.3.2

via chmod 3.14.3.2

via chown 3.14.3.2

via /etc/named.conf 3.14.4.5

via chkconfig 3.15.1

via /etc/vsftpd.conf 3.15.3.1

via /etc/vsftpd.conf 3.15.3.2

via /etc/vsftpd.conf 3.15.3.3.1

via /etc/vsftpd.conf 3.15.3.4

via chkconfig 3.16.1

via yum 3.16.1

via yum 3.16.2.1

via /etc/httpd/conf/httpd.conf 3.16.3.1

via /etc/httpd/conf/httpd.conf 3.16.3.1

via chmod 3.16.5.1

via chmod 3.16.5.1

via chmod 3.16.5.1

via chgrp 3.16.5.1

via chmod 3.16.5.1

via chkconfig 3.17.1

via yum 3.17.1

via /etc/dovecot.conf 3.17.2.1

via /etc/dovecot.conf 3.17.2.1

via /etc/dovecot.conf 3.17.2.1

via /etc/dovecot.conf 3.17.2.1

via /etc/dovecot.conf 3.17.2.2.4

via /etc/dovecot.conf 3.17.2.3

via /etc/dovecot.conf 3.17.2.3

via chkconfig 3.18.1

via chkconfig 3.19.1

via yum 3.19.1

via /etc/squid/squid.conf 3.19.2.2

via /etc/squid/squid.conf 3.19.2.2

via /etc/squid/squid.conf 3.19.2.2

via /etc/squid/squid.conf 3.19.2.2

via /etc/squid/squid.conf 3.19.2.2

via /etc/squid/squid.conf 3.19.2.2

via /etc/squid/squid.conf 3.19.2.2

via /etc/squid/squid.conf 3.19.2.2

via /etc/squid/squid.conf 3.19.2.3

via /etc/squid/squid.conf 3.19.2.3

via /etc/squid/squid.conf 3.19.2.3

via /etc/squid/squid.conf 3.19.2.3

via /etc/squid/squid.conf 3.19.2.5

via /etc/squid/squid.conf 3.19.2.5

via /etc/squid/squid.conf 3.19.2.5

via /etc/squid/squid.conf 3.19.2.5

via /etc/squid/squid.conf 3.19.2.5

via /etc/squid/squid.conf 3.19.2.5

via /etc/squid/squid.conf 3.19.2.5

via /etc/squid/squid.conf 3.19.2.5

via /etc/squid/squid.conf 3.19.2.5

via /etc/squid/squid.conf 3.19.2.5

via chkconfig 3.20.1

via yum 3.20.1

disabled

CCE-U-203disabled

CCE-U-203installed

enabled

enabled

Similar to CCE-U-170enabled

Similar to CCE-U-170enabled CCE-U-170

root-only

not loaded

uninstalled

disabled

NSA "Guide to the Secure Configuration of Red Hat Enterprise Linux 5" (Recommended Value)

Old "Unix-CCE-DRAFT-2" ID

disabled

disabled

CCE-U-203disabled

CCE-U-203root

CCE-U-23root

CCE-U-202root

CCE-U-201400

CCE-U-200root

CCE-U-202root

CCE-U-201root

CCE-U-22644

CCE-U-19root

CCE-U-20644

CCE-U-200root

CCE-U-21400

CCE-U-24

set CCE-U-171

disabled

CCE-U-24not set

not set

user

group

027

disabled

disabled

enabled

enabled

enabled

enabled

enabled

CCE-U-200

enabled

CCE-U-200enabled

CCE-U-200enabled

CCE-U-155enabled

CCE-U-15granted

CCE-U-200disabled

CCE-U-200disabled

CCE-U-200disabled

CCE-U-2008

CCE-U-2007

CCE-U-7180

CCE-U-88

CCE-U-200

CCE-U-200???

CCE-U-200

???

CCE-U-4usergroup

CCE-U-2024710

???

CCE-U-26g-w,o-rwx

CCE-U-162077

CCE-U-31077

CCE-U-31077

CCE-U-31root

CCE-U-201600

CCE-U-200???

root

CCE-U-202enabled

CCE-U-1disabled

CCE-U-200

10

10

10

CCE-U-6

enabled

enforcing

targeted

disabled

CCE-U-203uninstalled

disabled

CCE-U-203enabled CCE-U-203

disabled

disabled

disabled

CCE-U-134disabled

disabled

enabled

enabled

enabled

disabled

enabled

disabled

enabled

enabled

disabled

disabled

disabled

disabled

excluded

disabled

disabled

disabled

disabled

disabled

disabled

disabled

disabled

rfc3041

disabled

1

0

0

disabled

disabled

disabled

enabled CCE-U-203

enabled CCE-U-203

enabled CCE-U-203

root

CCE-U-202?600

CCE-U-200?root

CCE-U-201?sent

accept

CCE-U-131enabled

CCE-U-203

disabled

CCE-U-203enabled

CCE-U-203disabled CCE-U-72

disabled CCE-U-73

uninstalled

uninstalled

disabled CCE-U-104

uninstalled

disabled CCE-U-203

disabled CCE-U-83

disabled CCE-U-82

uninstalled

disabled CCE-U-203

uninstalled

disabled CCE-U-118

uninstalled

disabled

CCE-U-203disabled CCE-U-203

enabled CCE-U-203

disabled CCE-U-203

disabled CCE-U-203

disabled CCE-U-203

disabled CCE-U-203

disabled CCE-U-203

enabled CCE-U-203

disabled CCE-U-203

enabled CCE-U-203

disabled CCE-U-203

disabled CCE-U-203

disabled CCE-U-203

disabled CCE-U-203

disabled CCE-U-203

disabled CCE-U-203

disabled CCE-U-203

enabled CCE-U-203

enabled CCE-U-203

enabled CCE-U-203

disabled CCE-U-203

uninstalled

root

CCE-U-202700

CCE-U-200root

CCE-U-202root

CCE-U-201root

CCE-U-201600

CCE-U-200root

CCE-U-202

root

CCE-U-201root

CCE-U-202root

CCE-U-201root

CCE-U-201root

CCE-U-202700

CCE-U-200root

CCE-U-201root

CCE-U-202root

CCE-U-201600

CCE-U-200700

CCE-U-200700

CCE-U-200root

CCE-U-202700

CCE-U-200disabled CCE-U-203

uninstalled

disabled

not permitted

CCE-U-132no suggestion

disabled

disabled

disabled

disabled

enabled

disabled

uninstalled

disabled

disabled CCE-U-203

disabled

enabled

disabled CCE-U-203

no suggestion

no suggestion

reject

disallow

disabled

disabled

disabled

disabled

disabled

disabled

disabled CCE-U-203

disabled

disabled

disabled

deny

disabled CCE-U-203

disabled CCE-U-203

disabled CCE-U-203

uninstalled

disabled

denied

denied

not sent

not sent

not sent

not sent

not sent

not sent

not sent

enabled

disabled CCE-U-203

deny

no suggestion

no suggestion

enabled

ntp server

enabled CCE-U-203

disabled CCE-U-203

disabled CCE-U-203

644

CCE-U-200755

CCE-U-200root

CCE-U-201755

CCE-U-200root

CCE-U-201root

CCE-U-201755

CCE-U-200root

CCE-U-202ldap

CCE-U-202root

CCE-U-202root

CCE-U-201

ldap

CCE-U-202root

CCE-U-202ldap

CCE-U-201disabled CCE-U-203

disabled CCE-U-203

disabled CCE-U-203

disabled CCE-U-203

disabled CCE-U-203

static

static

static

static

static

static

disabled

disabled

enabled

enabled

enabled

enabled

disabled

disabled

disabled CCE-U-203

uninstalled

root

CCE-U-202

644

CCE-U-200root

CCE-U-201disabled

disabled CCE-U-203

enabled

enabled

disabled

disabled

disabled CCE-U-203

uninstalled

installed

Prod

Off

750

CCE-U-200

640

CCE-U-200511

CCE-U-200apache

CCE-U-202750

CCE-U-200disabled CCE-U-203

uninstalled

not support

not support

not support

not support

disabled

enabled

enabled

disabled CCE-U-203

disabled CCE-U-160

uninstalled

enabled

20kb

enabled

enabled

20kb

squid

enabled

squid

disabled

enabled

disabled

enabled

deny

allow

deny

deny

allow

allow

deny

deny

deny

deny

disabled CCE-U-203

uninstalled

CCE ID CCE Description

CCE-4508-8

CCE-4327-3

CCE-4468-5

CCE-4512-0

CCE-4375-2

CCE-4393-5

CCE-3662-4

CCE-4442-0

CCE-4596-3

CCE-4486-7

CCE-4362-0

CCE-3622-8

CCE-4299-4

CCE Parameters

The tooltalk service should be enabled or disabled as appropriate

enabled / disabled / offline

The calendar manager should be enabled or disabled as appropriate.

enabled / disabled / offline

The GNOME logon service should be enabled or disabled as appropriate

enabled / disabled / offline

The CDE logon service should be enabled or disabled as appropriate.

enabled / disabled / offline

The sendmail services should be enabled or disabled as appropriate.

enabled / disabled / offline

The web console should be enabled or disabled as appropriate.

enabled / disabled / offline

The WBEM services should be enabled or disabled as appropriate.

enabled / disabled / offline

The BSD line printer protocol should be enabled or disabled as appropriate.

enabled / disabled / offline

The keyserv service should be enabled or disabled as appropriate.

enabled / disabled / offline

The NIS server daemon should be enabled or disabled as appropriate

enabled / disabled / offline

The NIS passwd daemon should be enabled or disabled as appropriate

enabled / disabled / offline

The NIS update daemon should be enabled or disabled as appropriate

enabled / disabled / offline

The NIS xfr daemon should be enabled or disabled as appropriate

enabled / disabled / offline

CCE-4592-2

CCE-4614-4

CCE-4279-6

CCE-4557-5

CCE-4588-0

CCE-4354-7

CCE-4240-8

CCE-4517-9

CCE-4284-6

CCE-4429-7

CCE-4306-7

CCE-4499-0

CCE-4266-3

CCE-4411-5

CCE-4305-9

The NIS client daemons should be enabled or disabled as appropriate

enabled / disabled / offline

The nisplus daemons should be enabled or disabled as appropriate

enabled / disabled / offline

The ldap cache manager should be enabled or disabled as appropriate

enabled / disabled / offline

The Kerberos TGT Expiration warning should be enabled or disabled as appropriate

enabled / disabled / offline

The Generic Security Service daemons should be enabled or disabled as appropriate

enabled / disabled / offline

The volfs service should be enabled or disabled as appropriate

enabled / disabled / offline

The smserver service should be enabled or disabled as appropriate

enabled / disabled / offline

The Samba smbd service should be enabled or disabled as appropriate

enabled / disabled / offline

The Samba nmbd service should be enabled or disabled as appropriate

enabled / disabled / offline

The automount daemon should be enabled or disabled as appropriate

enabled / disabled / offline

The apache web server should be enabled or disabled as appropriate

enabled / disabled / offline

The mpxio-upgrade service should be enabled or disabled as appropriate

enabled / disabled / offline

The metainit service (Solaris 10 <= 11/06) should be enabled or disabled as appropriate

enabled / disabled / offline

The mdmonitor service (Solaris 10 <= 11/06) should be enabled or disabled as appropriate

enabled / disabled / offline

The volume manager GUI mdcomm service should be enabled or disabled as appropriate

enabled / disabled / offline

CCE-4477-6

CCE-3650-9

CCE-4571-6

CCE-3950-3

CCE-4470-1

CCE-4598-9

CCE-4620-1

CCE-4333-1

CCE-3857-0

CCE-4359-6

CCE-4615-1

CCE-4007-1

CCE-3901-6

CCE-4553-4

The meta service should be enabled or disabled as appropriate

enabled / disabled / offline

The metaed service should be enabled or disabled as appropriate

enabled / disabled / offline

The metamh service should be enabled or disabled as appropriate

enabled / disabled / offline

The local rpc port mapping service should be enabled or disabled as appropriate

enabled / disabled / offline

The Kerberos kadmind service should be enabled or disabled as appropriate.

enabled / disabled / offline

The Kerberos krb5kdc service should be enabled or disabled as appropriate.

enabled / disabled / offline

The Kerberos kpropd service should be enabled or disabled as appropriate.

enabled / disabled / offline

The Kerberos ktkt_warnd service should be enabled or disabled as appropriate.

enabled / disabled / offline

NFS server functionality should be enabled or disabled as appropriate.

enabled / disabled / offline

NFS client functionality should be enabled or disabled as appropriate.

enabled / disabled / offline

The telnet service should be enabled or disabled as appropriate.

enabled / disabled / offline

The FTP service should be enabled or disabled as appropriate.

enabled / disabled / offline

The BOOTP service should be enabled or disabled as appropriate.

enabled / disabled / offline

The RARP service should be enabled or disabled as appropriate.

enabled / disabled / offline

CCE-4584-9

CCE-4611-0

CCE-3655-8

CCE-4541-9

CCE-4483-4

CCE-3663-2

CCE-4037-8

CCE-4540-1 string

CCE-4434-7 enabled / disabled

CCE-4570-8 user

CCE-4478-4 group

CCE-4623-5 permissions

CCE-4522-9 enabled/disabled

CCE-4297-8 enabled/disabled

The DHCP server functionality should be enabled or disabled as appropriate.

enabled / disabled / offline

The DNS server functionality should be enabled or disabled as appropriate.

enabled / disabled / offline

The TFTP server functionality should be configured and enabled or disabled as appropriate.

enabled / disabled / offline

The BSD print spooler should be enabled or disabled as appropriate.

enabled / disabled / offline

The Solaris print server functionality should be enabled or disabled as appropriate.

enabled / disabled / offline

The IPP listener should be enabled or disabled as appropriate.

enabled / disabled / offline

The SNMP service should be enabled or disabled as appropriate.

enabled / disabled / offline

The read-only SNMP community string should be set appropriately.

TCP Wrappers should be enabled or disabled as appropriate for all services.

The core dump directory owner should be restricted.

The core dump directory group owner should be restricted.

File permissions for the core dump directory should be set correctly.

Core dumps should be enabled/disabled as appropriate

Kernel stack protection should be enabled or disabled as appropriate.

CCE-4548-4 enabled/disabled

CCE-4566-6 enabled/disabled

CCE-4439-6 enabled/disabled

CCE-4456-0 enabled/disabled

CCE-4602-9 enabled/disabled

CCE-3752-3 numeral

CCE-4417-2 numeral

CCE-4311-7 enabled/disabled

CCE-4562-5 enabled/disabled

CCE-4082-4 enabled/disabled

CCE-3681-4 enabled/disabled

CCE-4642-5 numeral

CCE-4532-8 numeral

CCE-4624-3 enabled/disabled

Strong TCP Sequence numbers should be enabled or disabled as appropriate.

IPv4 source route forwarding should be enabled or disabled as appropriate.

IPv6 source route forwarding should be enabled or disabled as appropriate.

Reverse source routed packets should be enabled or disabled as appropriate.

Forwarding broadcasts should be enabled or disabled as appropriate.

Unestablished tcp connection queue should be set appropriately.

Established tcp connection queue should be set appropriately.

Respond to ICMP timestamp request should be enabled or disabled.

Respond to ICMP broadcast timestamp request should be enabled or disabled.

Respond to ICMP netmask request should be enabled or disabled as appropriate.

Respond to ICMP echo broadcast request should be enabled or disabled as appropriate.

The ARP cache cleanup interval should be set appropriately.

The ARP IRE scan rate should be set appropriately.

The IPv4 ICMP redirect should be enabled or disabled

CCE-4518-7 enabled/disabled

CCE-4676-3

CCE-3699-6 enabled/disabled

CCE-4575-7 enabled/disabled

CCE-4593-0 enabled/disabled

CCE-4095-6 enabled/disabled

CCE-3684-8 enabled/disabled

CCE-4288-7 enabled/disabled

CCE-4671-4 enabled / disabled

CCE-4455-2 enabled / disabled

CCE-4397-6 user

CCE-4415-6 permissions

CCE-4560-9 group

CCE-4582-3 enabled / disabled

CCE-3979-2 enabled / disabled

CCE-4124-4 user

The IPv6 ICMP redirect should be enabled or disabled as appropriate.

Extended TCP reserved ports should be set appropriately.

list of ports above 1023

IPv4 strict multihoming should be enabled or disabled as appropriate.

IPv6 strict multihoming should be enabled or disabled as appropriate.

ICMPv4 redirects should be enabled or disabled as appropriate.

ICMPv6 redirects should be enabled or disabled as appropriate.

IP forwarding should be enabled or disabled as appropriate.

IP routing should be enabled or disabled as appropriate.

inetd tracing should be enabled as appropriate.

The logging option for the ftp service should be enabled or disabled as appropriate.

The daemon debug log file owner should be restricted.

The daemon debug log file permissions should be set appropriately.

The daemon debug log file group owner should be restricted.

The debug logging option for daemons should be enabled or disabled as appropriate.

Capture of syslog AUTH Messages should be enabled or disabled as appropriate

The loginlog file owner should be restricted.

CCE-4626-8 permissions

CCE-4635-9 group

CCE-3930-5 enabled / disabled

CCE-4309-1 numeric value

CCE-4591-4 enabled / disabled

CCE-4490-9 user

CCE-4683-9 group

CCE-4472-7 permissions

CCE-3992-5 enabled / disabled

CCE-4481-8 user

CCE-4630-0 group

CCE-4542-7 permissions

CCE-4675-5 enabled / disabled

CCE-4679-7

CCE-4075-8

The loginlog file permissions should be set appropriately.

The loginlog file group owner should be restricted.

Capture of failed login attempts should be enabled or disabled as appropriate

The threshold of syslog logging of failed login attempts should be configured correctly.

Cron logging should be enabled or disabled as appropriate.

Cron log file owner should be restricted

Cron log file group owner should be restricted

Cron log file permissions should be set appropriately

System Accounting should be enabled or disabled as appropriate

The system accounting file owner should be restricted.

The system accounting file group owner should be restricted.

The system accounting file permissions should be set appropriately.

Kernel level auditing should be enabled or disabled as appropriate

Kernel level auditing for login/logout should be enabled or disabled as appropriate

successful/unsuccessful

Kernel level auditing for administrative actions should be enabled or disabled as appropriate

successful/unsuccessful

CCE-4600-3

CCE-4498-2

CCE-4401-6

CCE-4337-2

CCE-4606-0

CCE-4610-2

CCE-4126-9 user

CCE-4633-4 group

CCE-4527-8 permissions

CCE-4672-2 string

CCE-4315-8 string

CCE-3760-6

CCE-4312-5

Kernel level auditing for file attribute modification should be enabled or disabled as appropriate

successful/unsuccessful

Kernel level auditing for process start/stop should be enabled or disabled as appropriate

successful/unsuccessful

Kernel level auditing for process modify should be enabled or disabled as appropriate

successful/unsuccessful

Kernel level auditing for processes should be enabled or disabled as appropriate

successful/unsuccessful

Kernel level auditing for exec should be enabled or disabled as appropriate

successful/unsuccessful

Kernel level auditing for root login/logout should be enabled or disabled as appropriate

successful/unsuccessful

Audit log file ownership should be restricted.

Audit log file group ownership should be restricted.

Audit log permissions should be restricted.

The daemon user's umask should be set appropriately.

The setuid option should be enabled or disabled on removable media as appropriate.

The pkgchk utility should be used to verify ownership, group ownership, and access permissions for installed packages as appropriate.

list of packages, or all packages

The pkgchk utility should be used to force default settings for ownership, group ownership, and access permissions for installed packages as appropriate.

list of packages, or all packages

CCE-4721-7 enabled / disabled

CCE-4351-3 permissions

CCE-4743-1 permissions

CCE-4281-2 permissions

CCE-4660-7

CCE-4682-1

CCE-4435-4 enabled/disabled

CCE-4576-5 string

CCE-4726-6 string

CCE-4638-3 string yes/no

CCE-4748-0 numeral

CCE-4395-0 numeral

CCE-4030-3 string yes/no

The sticky bit should be enabled or disabled as appropriate for all world-writable directories.

World-writable files should be found and examined for appropriateness.

setgid files should be found and examined for appropriateness

setuid files should be found and examined for appropriateness

Unowned files should be found and removed or given to a valid user as appropriate.

Files with extended attributes should be found and handled as appropriate.

Serial port login prompts should be enabled or disabled as appropriate.

Access to secure RPC for the 'nobody' user should be enabled or disabled as appropriate.

SSH version 2 protocol should be enabled or disabled as appropriate.

SSH X11 forwarding should be enabled or disabled as appropriate.

SSH maximum number of retries for authentication should be set as appropriate.

SSH maximum number of retries for authentication log should be set as appropriate.

SSH integration with .rhosts should be enabled or disabled as appropriate.

CCE-4655-7 string yes/no

CCE-3946-1 string yes/no

CCE-4713-4 string yes/no

CCE-4708-4 string yes/no

CCE-4603-7 uncomment string

CCE-4021-2 enabled/disabled

CCE-4678-9 enabled/disabled

CCE-4695-3 enabled/disabled

CCE-4510-4 enabled/disabled

CCE-4157-4 enabled/disabled

CCE-4677-1 enabled/disabled

CCE-4179-8 enabled/disabled

CCE-4589-8 enabled/disabled

CCE-4113-7 enabled/disabled

CCE-4739-9 enabled/disabled

SSH integration with .rhosts/hosts.equiv should be enabled or disabled as appropriate.

SSH Rhosts RSA Authentication should be enabled or disabled as appropriate.

Root login via SSH should be enabled or disabled as appropriate.

SSH should be configured to enable or disable empty passwords as appropriate.

The SSH banner should be enabled or disabled as appropriate.

PAM Rhosts support should be enabled or disabled.

The ftpusers file should restrict the root account as appropriate.

The ftpusers file should restrict the daemon account as appropriate.

The ftpusers file should restrict the bin account as appropriate.

The ftpusers file should restrict the sys account as appropriate.

The ftpusers file should restrict the adm account as appropriate.

The ftpusers file should restrict the lp account as appropriate.

The ftpusers file should restrict the uucp account as appropriate.

The ftpusers file should restrict the smmsp account as appropriate.

The ftpusers file should restrict the listen account as appropriate.

CCE-4135-0 enabled/disabled

CCE-3768-9 enabled/disabled

CCE-3782-0 enabled/disabled

CCE-4347-1 enabled/disabled

CCE-4497-4 enabled/disabled

CCE-4432-1 number of seconds

CCE-4705-0 number of minutes

CCE-4723-3 number of minutes

CCE-4622-7 boolean true/false

CCE-4644-1 enabled/disabled

CCE-4543-5 enabled/disabled

CCE-4437-0 user

CCE-4706-8 group

CCE-4693-8 permissions

CCE-4710-0 permissions

The ftpusers file should restrict the gdm account as appropriate.

The ftpusers file should restrict the webservd account as appropriate.

The ftpusers file should restrict the nobody account as appropriate.

The ftpusers file should restrict the noaccess account as appropriate.

The ftpusers file should restrict the nobody4 account as appropriate.

The failed login delay should be set appropriately.

The default CDE screenlock timeout should be set appropriately.

The default GNOME screenlock timeout should be set appropriately.

The GNOME screenlock should be enabled or disabled as appropriate.

Use of the cron.allow file should be enabled or disabled as appropriate

Use of the at.allow file should be enabled or disabled as appropriate

The /etc/cron.d/cron.allow file should be owned by the appropriate user.

The /etc/cron.d/cron.allow file should be owned by the appropriate group.

File permissions for the /etc/cron.d/cron.allow file should be configured correctly.

File permissions for the /etc/cron.d/at.allow file should be configured correctly.

CCE-4230-9 user

CCE-4445-3 group

CCE-4458-6 enabled/disabled

CCE-4102-0 number of retries

CCE-4754-8 yes/no

CCE-4648-2 none/full/command

CCE-3826-5 password

CCE-4525-2

CCE-4657-3

CCE-4661-5 path

CCE-4807-4

CCE-4701-9 path

CCE-4669-8

CCE-4436-2 path

CCE-4815-7

CCE-4696-1 path

The /etc/cron.d/at.allow file should be owned by the appropriate user.

The /etc/cron.d/at.allow file should be owned by the appropriate group.

The ability to login as root directly should be configured correctly.

The "account lockout threshold" policy should meet minimum requirements.

Account lockout should be enabled or disabled as appropriate.

The eeprom security mode should be configured appropriately.

The grub menu password protection should be enabled or disabled as appropriate.

The daemon account should be locked or unlocked as appropriate.

locked / unlocked / non-login

The bin account should be locked or unlocked as appropriate.

locked / unlocked / non-login

The shell for the bin account should be assigned appropriately.

The nuucp account should be locked or unlocked as appropriate.

locked / unlocked / non-login

The shell for the nuucp account should be assigned appropriately.

The smmsp account should be locked or unlocked as appropriate.

locked / unlocked / non-login

The shell for the smmsp account should be assigned appropriately.

The listen account should be locked or unlocked as appropriate.

locked / unlocked / non-login

The shell for the listen account should be assigned appropriately.

CCE-4216-8

CCE-4758-9 path

CCE-4621-9

CCE-4515-3 path

CCE-4282-0

CCE-4802-5 path

CCE-4806-6

CCE-4471-9 path

CCE-4617-7

CCE-4418-0 path

CCE-4810-8

CCE-3955-2

CCE-3834-9 path

CCE-4408-1

CCE-4536-9 path

CCE-4809-0

The gdm account should be locked or unlocked as appropriate.

locked / unlocked / non-login

The shell for the gdm account should be assigned appropriately.

The webservd account should be locked or unlocked as appropriate.

locked / unlocked / non-login

The shell for the webservd account should be assigned appropriately.

The nobody account should be locked or unlocked as appropriate.

locked / unlocked / non-login

The shell for the nobody account should be assigned appropriately.

The noaccess account should be locked or unlocked as appropriate.

locked / unlocked / non-login

The shell for the noaccess account should be assigned appropriately.

The nobody4 account should be locked or unlocked as appropriate.

locked / unlocked / non-login

The shell for the nobody4 account should be assigned appropriately.

The sys account should be locked or unlocked as appropriate.

locked / unlocked / non-login

The adm account should be locked or unlocked as appropriate.

locked / unlocked / non-login

The shell for the adm account should be assigned appropriately.

The lp account should be locked or unlocked as appropriate.

locked / unlocked / non-login

The shell for the lp account should be assigned appropriately.

The uucp account should be locked or unlocked as appropriate.

locked / unlocked / non-login

CCE-3841-4 path

CCE-4724-1

CCE-4367-9 numeral

CCE-4165-7 numeral

CCE-4836-3 numeral

CCE-4625-0 numeral

CCE-4770-4 yes/no

CCE-4563-3 numeral

CCE-4832-2 numeral

CCE-4572-4 numeral

CCE-4480-0 numeral

CCE-4731-6 numeral

CCE-4753-0 numeral

The shell for the uucp account should be assigned appropriately.

All user login accounts with empty passwords should be locked or unlocked as appropriate.

locked / unlocked / non-login

The "minimum password age" policy should meet minimum requirements.

The "maximum password age" policy should meet minimum requirements.

The password expiration warning time should be set appropriately

The strong password PASSLENGTH value should meet minimum requirements

The strong password NAMECHECK value should meet minimum requirements

The strong password HISTORY value should meet minimum requirements

The strong password MINDIFF value should meet minimum requirements

The strong password MINALPHA value should meet minimum requirements

The strong password MINUPPER value should meet minimum requirements

The strong password MINLOWER value should meet minimum requirements

The strong password MINNONALPHA value should meet minimum requirements

CCE-4775-3 numeral

CCE-3856-2 yes / no

CCE-4402-4 path

CCE-4670-6 path

CCE-4314-1 file list

CCE-4816-5 account list

CCE-4834-8 group

CCE-4728-2 path

CCE-4631-8

CCE-4538-5 permissions

CCE-4561-7 permissions

CCE-4578-1 permissions

CCE-4843-9 true/false

CCE-4737-3 permissions mask

The strong password MAXREPEATS value should meet minimum requirements

The strong password WHITESPACE value should meet minimum requirements

The strong password DICTIONDBDIR value should be configured correctly

The strong password DICTIONLIST value should be configured correctly

No Legacy "+" entries in passwd, shadow, and group files should be verified to be appropriate

No UID 0 Accounts exist other than root should be verified to be appropriate

Default group for root account should be configured correctly

The home directory of the root user should be set correctly.

The PATH for the root user should be configured correctly.

1) Set of directories to include 2) Set of directories to exclude

File permissions should be set correctly for the home directories for all user accounts.

File permissions should be set correctly for user configuration files.

File permissions should be set correctly for .netrc files.

Presence of .rhost files should be checked to be appropriate

The default umask should be configured correctly.

CCE-3897-6 permissions mask

CCE-4746-4 enabled / disabled

CCE-4760-5 banner text

CCE-4301-8 banner text

CCE-4698-7 banner text

CCE-4222-6 banner text

CCE-4103-8 banner text

CCE-4870-2 banner text

CCE-4896-7 banner text

CCE-4663-1 string

The default umask for ftp users should be set appropriately.

The default setting for all users to allow terminal messages via the mesg utility should be configured correctly.

General login services should display a banner as appropriate before authentication.

General login services should display a banner as appropriate after authentication.

CDE should display a banner as appropriate before authentication.

GNOME should display a banner as appropriate before authentication.

The FTP service should display a banner as appropriate before authentication.

The telnet service banner should be set appropriately.

The power-on banner should be set appropriately.

The sendmail greeting should be set appropriately.

CCE Technical Mechanisms

(1) via svcadm 2.2.1

(1) via svcadm 2.2.2

(1) via svcadm 2.2.3

(1) via svcadm 2.2.3

(1) via svcadm 2.2.4

(1) via svcadm 2.2.5

(1) via svcadm 2.2.6

(1) via svcadm 2.2.7

(1) via svcadm 2.3.1

via svcadm 2.3.2

via svcadm 2.3.2

via svcadm 2.3.2

via svcadm 2.3.2

CIS Solaris 10 Benchmark v4.0 (Section)

via svcadm 2.3.3

via svcadm 2.3.4

via svcadm 2.3.5

via svcadm 2.3.6

via svcadm 2.3.7

via svcadm 2.3.8

via svcadm 2.3.8

2.3.9

2.3.9

via svcadm 2.3.10

via svcadm 2.3.11

via svcadm 2.3.12

via svcadm 2.3.12

via svcadm 2.3.12

via svcadm 2.3.13

(1) Solaris 10 <= 11/06 /etc/init.d/samba stop, mv /etc/sfw/smb.conf /etc/sfw/smb.conf.CIS (2) Solaris 10 >= 8/07 via svcadm

(1) Solaris 10 <= 11/06 /etc/init.d/samba stop, mv /etc/sfw/smb.conf /etc/sfw/smb.conf.CIS (2) Solaris 10 >= 8/07 via svcadm

via svcadm 2.3.13

via svcadm 2.3.13

via svcadm 2.3.13

via svcadm 2.3.14

via svcadm 2.4.1

via svcadm 2.4.1

via svcadm 2.4.1

via svcadm 2.4.1

/etc/dfs/dfstab 2.4.2

/etc/vfstab 2.4.3

via svcadm 2.4.4

via svcadm 2.4.5

via svcadm 2.4.6

via svcadm 2.4.7

via svcadm 2.4.8

via svcadm 2.4.9

/etc/inetd.conf 2.4.10

via inetadm and svcadm 2.4.11

via svcadm 2.4.11

via svcadm 2.4.11

via svcadm 2.4.12

/etc/snmp/conf/snmpd.conf 2.4.12

via inetadm -M 2.5

/var/core 3.1

/var/core 3.1

/var/core 3.1

/etc/coreadm.conf 3.1

/etc/system 3.2

/etc/default/inetinit 3.3

/lib/svc/method/cis_netconfig.sh 3.4

/lib/svc/method/cis_netconfig.sh 3.4

/lib/svc/method/cis_netconfig.sh 3.4

/lib/svc/method/cis_netconfig.sh 3.4

/lib/svc/method/cis_netconfig.sh 3.4

/lib/svc/method/cis_netconfig.sh 3.4

/lib/svc/method/cis_netconfig.sh 3.4

/lib/svc/method/cis_netconfig.sh 3.4

/lib/svc/method/cis_netconfig.sh 3.4

/lib/svc/method/cis_netconfig.sh 3.4

/lib/svc/method/cis_netconfig.sh 3.4

/lib/svc/method/cis_netconfig.sh 3.4

/lib/svc/method/cis_netconfig.sh 3.4

/lib/svc/method/cis_netconfig.sh 3.4

/lib/svc/method/cis_netconfig.sh 3.4

/lib/svc/method/cis_netconfig.sh 3.4

/lib/svc/method/cis_netconfig.sh 3.4

/lib/svc/method/cis_netconfig.sh 3.4

/lib/svc/method/cis_netconfig.sh 3.4

via routeadm 3.5

via routeadm 3.5

via inetadm -M 4.1

via inetadm -m 4.2

/var/log/connlog 4.3

/var/log/connlog 4.3

/var/log/connlog 4.3

/etc/syslog.conf 4.3

/etc/syslog.conf 4.4

/var/adm/loginlog 4.5

/var/adm/loginlog 4.5

/var/adm/loginlog 4.5

/var/adm/loginlog 4.5

/etc/default/login 4.6

/etc/default/cron 4.7

/var/cron/log 4.7

/var/cron/log 4.7

/var/cron/log 4.7

via svcadm enable -r svc:/system/sar:default 4.8

/var/adm/sa/* 4.8

/var/adm/sa/* 4.8

/var/adm/sa/* 4.8

via /etc/security/bsmconv 4.9

/etc/security/audit_control 4.9

/etc/security/audit_control 4.9

/etc/security/audit_control 4.9

/etc/security/audit_control 4.9

/etc/security/audit_control 4.9

/etc/security/audit_control 4.9

/etc/security/audit_control 4.9

/etc/security/audit_user 4.9

/var/audit/* 4.9

/var/audit/* 4.9

/var/audit/* 4.9

/etc/default/init 5.1

/etc/rmmount.conf 5.2

via pkgchk 5.3

via pkgchk -f 5.3

via chmod 5.4

5.5

5.6.1

5.6.2

via chown or rm 5.7

5.8

via pmadm 6.1

/etc/default/keyserv 6.2

/etc/ssh/sshd_config 6.3

/etc/ssh/sshd_config 6.3

/etc/ssh/sshd_config 6.3

/etc/ssh/sshd_config 6.3

/etc/ssh/sshd_config 6.3

/etc/ssh/sshd_config 6.3

/etc/ssh/sshd_config 6.3

/etc/ssh/sshd_config 6.3

/etc/ssh/sshd_config 6.3

/etc/ssh/sshd_config 6.3

/etc/pam.conf 6.4

/etc/ftpd/ftpusers 6.5

/etc/ftpd/ftpusers 6.5

/etc/ftpd/ftpusers 6.5

/etc/ftpd/ftpusers 6.5

/etc/ftpd/ftpusers 6.5

/etc/ftpd/ftpusers 6.5

/etc/ftpd/ftpusers 6.5

/etc/ftpd/ftpusers 6.5

/etc/ftpd/ftpusers 6.5

/etc/ftpd/ftpusers 6.5

/etc/ftpd/ftpusers 6.5

/etc/ftpd/ftpusers 6.5

/etc/ftpd/ftpusers 6.5

/etc/ftpd/ftpusers 6.5

/etc/default/login 6.6

/usr/dt/config/*/sys.resources 6.7

/usr/openwin/lib/app-defaults/Xscreensaver 6.8

/usr/openwin/lib/app-defaults/Xscreensaver 6.8

/etc/cron.d/cron.allow 6.9

/etc/cron.d/at.allow 6.9

/etc/cron.d/cron.allow 6.9

/etc/cron.d/cron.allow 6.9

/etc/cron.d/cron.allow 6.9

/etc/cron.d/at.allow 6.9

/etc/cron.d/at.allow 6.9

/etc/cron.d/at.allow 6.9

/etc/default/login 6.1

/etc/default/login 6.11

/etc/security/policy.conf 6.11

via eeprom at OS command line or setenv at ok> prompt 6.12

via grub> prompt md5crypt command 6.13

via passwd 7.1

via passwd 7.1

via passmgmt 7.1

via passwd 7.1

via passmgmt 7.1

via passwd 7.1

via passmgmt 7.1

via passwd 7.1

via passmgmt 7.1

via passwd 7.1

via passmgmt 7.1

via passwd 7.1

via passmgmt 7.1

via passwd 7.1

via passmgmt 7.1

via passwds

7.1

via passmgmt 7.1

via passwd 7.1

via passmgmt 7.1

via passwd 7.1

via passwd 7.1

via passmgmt 7.1

via passwd 7.1

via passmgmt 7.1

via passwd 7.1

via passmgmt 7.1

via passwd 7.2

Use the set-user-password-reqs.fin Finish script 7.3

Use the set-user-password-reqs.fin Finish script 7.3

Use the set-user-password-reqs.fin Finish script 7.3

7.4

7.4

7.4

7.4

7.4

7.4

7.4

7.4

Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts

Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts

Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts

Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts

Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts

Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts

Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts

Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts

7.4

7.4

7.4

7.4

Use the check-include-nis-map.aud Audit script. 7.5

Use the check-uids-unique.aud Audit script 7.6

Use the set-root-group.fin Finish script 7.7

Use the set-root-home-dir.fin Finish script 7.8

Use the check-root-path.aud Audit script 7.9

Use the check-home-permissions.aud Audit script. 7.1

Use the check-hidden-files.aud Audit script 7.11

Use the check-netrc-files.aud Audit script 7.12

Use the print-rhosts.aud Audit script 7.13

Use the set-user-umask.fin Finish script 7.14

Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts

Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts

Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts

Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts

Use the set-ftpd-umask.fin Finish script. 7.15

Use the disable-mesg.fin Finish script 7.16

/etc/issue 8.1

/etc/motd 8.1.1

/usr/dt/config/*/Xresources 8.2

/etc/X11/gdm/gdm.conf 8.3

/etc/ftpd/banner.msg 8.4

/etc/default/telnetd 8.5

8.6

8.7

via the 'eeprom oem-banner=' command (provide a string after the =) then the "eeprom oem-banner\?=true" command

via the "O SmtpGreetingMessage" setting in /etc/mail/sendmail.cf

disabled

disabled

disabled CCE-U-120

disabled CCE-U-120

disabled

disabled

disabled

disabled

disabled CCE-U-203

disabled

disabled

disabled

disabled

CIS Solaris 10 Benchmark v4.0 (Recommended Value)

Old "Unix-CCE-DRAFT-2" ID

disabled

disabled

disabled

disabled

disabled

disabled

disabled

disabled CCE-U-142

disabled CCE-U-142

disabled

disabled

disabled

disabled

disabled

disabled

disabled

disabled

disabled

disabled

disabled

disabled

disabled

disabled

disabled

disabled

disabled CCE-U-104

disabled CCE-U-103

disabled

disabled

disabled

disabled

disabled CCE-U-118

disabled

disabled

disabled

disabled

disabled CCE-U-122

enabled

root CCE-U-65

root CCE-U-66

700 CCE-U-67

disabled

enabled CCE-U-68

2 CCE-U-70

disabled

disabled

disabled

disabled

4096

1024

disabled

disabled

disabled

disabled

60000

60000

enabled

enabled

6112

enabled

enabled

disabled

disabled

disabled

disabled

enabled CCE-U-80

enabled CCE-U-113

root

600

root

enabled

enabled CCE-U-2

root

600

sys

enabled CCE-U-2

0 CCE-U-2

enabled CCE-U-38

root

root

600

enabled

sys

sys

600

enabled

enabled

enabled

enabled

enabled

enabled

enabled

enabled

enabled

root

root

600

at least 022

disabled CCE-U-170

all packages

enabled CCE-U-171

disabled CCE-U-155

disabled CCE-U-161

enabled CCE-U-132

disabled

5

0

yes

no

no

no

no

enabled

disabled CCE-U-28

disabled CCE-U-105

disabled CCE-U-108

disabled CCE-U-108

disabled CCE-U-108

disabled CCE-U-108

disabled CCE-U-108

disabled CCE-U-108

disabled CCE-U-108

disabled CCE-U-108

disabled CCE-U-108

disabled CCE-U-108

disabled CCE-U-108

disabled CCE-U-108

disabled CCE-U-108

4 CCE-U-5

10 CCE-U-158

10

1

root CCE-U-32

null CCE-U-47

root CCE-U-40

root CCE-U-41

400 CCE-U-36

400 CCE-U-51

root CCE-U-54

root CCE-U-55

disabled CCE-U-15

3 CCE-U-4

yes

command

enabled

Locked CCE-U-174

Locked CCE-U-175

/usr/bin/false

Locked CCE-U-180

/usr/bin/false

Locked CCE-U-181

/usr/bin/false

Locked CCE-U-182

/usr/bin/false

Locked

/usr/bin/false

Locked

/usr/bin/false

Locked CCE-U-183

/usr/bin/false

Locked CCE-U-184

/usr/bin/false

Locked CCE-U-185

/usr/bin/false

Non-login CCE-U-176

Non-login CCE-U-177

/usr/bin/false

Non-login CCE-U-178

/usr/bin/false

Non-login CCE-U-179

/usr/bin/false

Locked

7 days CCE-U-7

91 days CCE-U-8

28 days

8

yes

10 CCE-U-10

3

2

1

1

1

0

yes

/var/passwd

=/usr/share/lib/dict/words

None

None

GID 0

/root CCE-U-11

Exclude '.' and any writeable dir CCE-U-13

IAW site policy CCE-U-162

IAW site policy

IAW site policy

dependent upon 6.4

77 CCE-U-31

77 CCE-U-115

enabled CCE-U-25

empty string, ""

mailer ready (string) CCE-U-97

CCE ID CCE Description

CCE-2715-1 CCE-733

CCE-2363-0 CCE-980

CCE-3177-3 CCE-658

CCE-2820-9 CCE-2628 enabled/disabled

CCE-3089-0 CCE-2543 enabled/disabled

CCE-3234-2 CCE-2000 enabled/disabled

CCE-3287-0 CCE-1646 enabled/disabled

CCE-3041-1 CCE-2118 enabled/disabled

CCE-3309-2 CCE-2390 enabled/disabled

Old v4 CCE Id

CCE Parameters

The "reset account lockout counter after" policy should meet minimum requirements.

(1) number of minutes

The "account lockout duration" policy should meet minimum requirements.

(1) number of minutes

The "account lockout threshold" policy should meet minimum requirements.

(1) number of attempts

Auditing of "account logon" events on success should be enabled or disabled as appropriate.

Auditing of "account logon" events on failure should be enabled or disabled as appropriate.

Auditing of "account management" events on success should be enabled or disabled as appropriate.

Auditing of "account management" events on failure should be enabled or disabled as appropriate.

Auditing of "directory service access" events on success should be enabled or disabled as appropriate.

Auditing of "directory service access" events on failure should be enabled or disabled as appropriate.

CCE-3076-7 CCE-1686 enabled/disabled

CCE-2970-2 CCE-1744 enabled/disabled

CCE-2724-3 CCE-2640 enabled/disabled

CCE-3243-3 CCE-1991 enabled/disabled

CCE-2746-6 CCE-2412 enabled/disabled

CCE-2653-4 CCE-2347 enabled/disabled

CCE-2322-6 CCE-2431 enabled/disabled

CCE-3257-3 CCE-2584 enabled/disabled

CCE-3024-7 CCE-2529 enabled/disabled

CCE-2927-2 CCE-2617 enabled/disabled

CCE-2953-8 CCE-2420 enabled/disabled

CCE-3222-7 CCE-1680 enabled/disabled

Auditing of "logon" events on success should be enabled or disabled as appropriate.

Auditing of "logon" events on failure should be enabled or disabled as appropriate.

Auditing of "object access" events on success should be enabled or disabled as appropriate.

Auditing of "object access" events on failure should be enabled or disabled as appropriate.

Auditing of "policy change" events on success should be enabled or disabled as appropriate.

Auditing of "policy change" events on failure should be enabled or disabled as appropriate.

Auditing of "privilege use" events on success should be enabled or disabled as appropriate.

Auditing of "privilege use" events on failure should be enabled or disabled as appropriate.

Auditing of "process tracking" events on success should be enabled or disabled as appropriate.

Auditing of "process tracking" events on failure should be enabled or disabled as appropriate.

Auditing of "system" events on success should be enabled or disabled as appropriate.

Auditing of "system" events on failure should be enabled or disabled as appropriate.

CCE-3121-1 CCE-299 (1) enabled/disabled

CCE-3015-5 CCE-185 (1) size of file

CCE-2905-8 CCE-285 type of retention

CCE-2659-1 CCE-462 (1) enabled/disabled

CCE-3302-7 CCE-757 (1) size of file

CCE-3196-3 CCE-523 type of retention

CCE-2839-9 CCE-726 (1) enabled/disabled

CCE-3165-8 CCE-735 (1) size of file

CCE-2931-4 CCE-664 type of retention

CCE-2967-8 CCE-871 (1) number of days

CCE-3240-9 CCE-324 (1) number of days

CCE-2883-7 CCE-100 (1) number of days

CCE-3033-8 CCE-633 (1) enabled/disabled

The "restrict guest access to application log" policy should be set correctly.

The application log maximum size should be configured correctly.

The "when maximum log size is reached" property should be set correctly for the Application log.

The "restrict guest access to security log" policy should be set correctly.

The security log maximum size should be configured correctly.

The "when maximum log size is reached" property should be set correctly for the Security log.

The "restrict guest access to system log" policy should be set correctly.

The system log maximum size should be configured correctly.

The "when maximum log size is reached" property should be set correctly for the System log.

The "maximum password age" policy should meet minimum requirements.

The "minimum password age" policy should meet minimum requirements.

The "minimum password length" policy should meet minimum requirements.

The "password must meet complexity requirements" policy should be set correctly.

CCE-2323-4 CCE-60

CCE-3311-8 CCE-479 (1) enabled/disabled

CCE-3316-7 CCE-729

CCE-3082-5 CCE-232

CCE-3232-6 CCE-195

CCE-3272-2 CCE-318

CCE-2339-0 CCE-953 (1) enabled/disabled

CCE-3248-2 CCE-332 (1) enabled/disabled

CCE-3032-0 CCE-499 (1) enabled/disabled

CCE-3314-2 CCE-23 (1) text caption

CCE-3336-5 CCE-829 (1) text statement

CCE-3072-6 CCE-283 (1) enabled/disabled

The "enforce password history" policy should meet minimum requirements.

(1) number of passwords remembered

The "store password using reversible encryption for all users in the domain" policy should be set correctly.

The startup type of the Messenger service should be correct.

(1) disabled/manual/automatic

The startup type of the NetMeeting Remote Desktop Sharing service should be correct.

(1) disabled/manual/automatic

The behavior surrounding Anonymous users' ability to display lists of SAM accounts and shares should be correct.

(1) restricted/unrestricted

The behavior surrounding Anonymous users' ability to display lists of SAM accounts should be correct.

(1) restricted/unrestricted

The behavior surrounding Anonymous SID/Name translation should be correct.

Use of the built-in Guest account should be enabled or disabled as appropriate.

Use of the built-in Administrator account should be enabled or disabled as appropriate.

The "Message title for users attempting to log on" policy should be set correctly.

The "Message text for users attempting to log on" policy should be set correctly.

Automatic Logon should be properly configured.

CCE-2719-3 CCE-44 (1) enabled/disabled

CCE-3239-1 CCE-150 (1) enabled/ignored

CCE-3261-5 CCE-564 (1) enabled/disabled

CCE-3279-7 CCE-952 (1) enabled/disabled

CCE-3173-2 CCE-65 (1) enabled/disabled

CCE-3067-6 CCE-139 (1) available/hidden

CCE-3120-3 CCE-897 (1) enabled/disabled

CCE-3142-7 CCE-188

CCE-2785-4 CCE-817 (1) enabled/disabled

CCE-2679-9 CCE-284 (1) enabled/disabled

CCE-3181-5 CCE-125 (1) warning level

CCE-3199-7 CCE-271 (1) enabled/disabled

CCE-2714-4 CCE-438 (1) valid names

CCE-2359-8 CCE-834 (1) valid names

CCE-2519-7 CCE-222

CCE-3285-4 CCE-2 (1) enabled/disabled

Autoplay on all Drive Types should be properly configured.

ICMP Redirects should be properly configured.

IP Source Routing should be properly configured.

IRDP should be properly configured.

Display Last User Name in Logon Screen should be properly configured.

System availability to Master Browser should be properly configured.

TCP/IP Dead Gateway Detection should be properly configured.

The TCP/IP KeepAlive Time should be set correctly.

(1) number of milliseconds

TCP/IP NetBIOS Name Release on Request Prevented should be properly configured.

TCP/IP SYN Flood Attack Protection should be properly configured.

Security Audit log warning level should be properly configured.

Safe DLL Search Mode should be properly configured.

The built-in Administrator account should be correctly named.

The built-in Guest account should be correctly named.

The amount of idle time required before disconnecting a session should be set correctly.

(1) number of minutes

The "Audit the access of global system objects" policy should be set correctly.

CCE-3303-5 CCE-905 (1) enabled/disabled

CCE-3307-6 CCE-133 (1) enabled/disabled

CCE-3325-8 CCE-402 (1) enabled/disabled

CCE-2858-9 CCE-565 (1) enabled/disabled

CCE-3168-2 CCE-463 (1) enabled/disabled

CCE-3212-8 CCE-417 (1) enabled/disabled

CCE-2838-1 CCE-228 (1) enabled/disabled

CCE-3230-0 CCE-814

CCE-3001-5 CCE-92 (1) enabled/disabled

CCE-3252-4 CCE-576 (1) enabled/disabled

CCE-2380-4 CCE-519 (1) enabled/disabled

The "Audit the use of backup and restore privilege" policy should be set correctly.

The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly.

The "Prevent Users from Installing Printer Drivers" policy should be set correctly.

The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly.

The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly.

The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly.

The "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly.

The "Users Prompted to Change Password Before Expiration" policy should be set correctly.

(1) number of days prior to expiration

The "Shut Down system immediately if unable to log security audits" policy should be set correctly.

The "Digitally Sign Client Communication (Always)" policy should be set correctly.

The "Digitally Sign Client Communication (When Possible)" policy should be set correctly.

CCE-3023-9 CCE-171 (1) enabled/disabled

CCE-3164-1 CCE-104 (1) enabled/disabled

CCE-2376-2 CCE-773

CCE-3225-0 CCE-919 (1) Group(s)

CCE-3330-8 CCE-549 (1) enabled/disabled

CCE-2467-9 CCE-161 (1) enabled/disabled

CCE-3233-4 CCE-918 (1) enabled/disabled

CCE-3251-6 CCE-443 (1) behavior

CCE-3255-7 CCE-831 (1) enabled/disabled

CCE-2398-6 CCE-533 (1) enabled/disabled

CCE-3326-6 CCE-186 (1) enabled/disabled

The "Digitally Sign Server Communication (Always)" policy should be set correctly.

The "Digitally Sign Server Communication (When Possible)" policy should be set correctly.

The "Number of Previous Logons to Cache" policy should be set correctly.

(1) number of logons

The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly.

The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly.

The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.

The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.

The "Smart Card Removal Behavior" policy should be set correctly.

The "Prevent System Maintenance of Computer Account Password" policy should be set correctly.

The "Limit local account user of blank passwords to console logon only" policy should be set correctly.

The "Allow undock without having to logon" policy should be set correctly.

CCE-3075-9 CCE-194 (1) enabled/disabled

CCE-3220-1 CCE-374 (1) enabled/disabled

CCE-3361-3 CCE-278 (1) enabled/disabled

CCE-3379-5 CCE-542 (1) enabled/disabled

CCE-2457-0 CCE-18 (1) enabled/disabled

CCE-3380-3 CCE-136 (1) enabled/disabled

CCE-2825-8 CCE-189 (1) set of paths

CCE-3349-8 CCE-942 (1) set of shares

CCE-3367-0 CCE-343

CCE-3138-5 CCE-233 (1) enabled/disabled

CCE-3283-9 CCE-775 (1) enabled/disabled

CCE-3050-2 CCE-830 (1) time in seconds

The "Maximum machine account password age" policy should be set correctly.

The "Require Domain Controller authentication to unlock workstation" policy should be set correctly.

The "Disconnect clients when logon hours expire" policy should be set correctly.

The "Do not allow storage of credentials or .NET Passports" policy should be set correctly.

The "Let Everyone permissions apply to anonymous users" policy should be set correctly.

The "Named Pipes that can be accessed anonymously" policy should be set correctly.

The "Remotely accessible registry paths" policy should be set correctly.

The "Shares that can be accessed anonymously" policy should be set correctly.

The "Sharing and security model for local accounts" policy should be set correctly.

(1) Classic/Guest only

The "Do not store LAN Manager hash value on next password change" policy should be set correctly.

The "Force logoff when logon hours expire" policy should be set correctly.

The "Current user screensaver timeout" policy should be set correctly.

CCE-3429-8 CCE-855 (1) enabled/disabled

CCE-3323-3 CCE-859 (1) enabled/disabled

CCE-3217-7 CCE-434 (1) enabled/disabled

CCE-3358-9 CCE-306

CCE-3345-6 CCE-989

CCE-3363-9 CCE-1

CCE-2462-0 CCE-641

CCE-2852-2 CCE-804

CCE-3371-2 CCE-458

CCE-3266-4 CCE-740

The "Always Prompt Client for Password upon Connection" policy should be set correctly for Terminal Services.

The "Allow Solicited Remote Assistance" policy should be set correctly for Terminal Services.

The "Allow Unsolicited Remote Assistance" policy should be set correctly for Terminal Services.

The "Configure Automatic Updates" should be set correctly

The "Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box" should be set correctly

The "Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box" should be set correctly

The "No auto-restart for scheduled Automatic Updates installations

The "Reschedule Automatic Updates scheduled installations" should be set correctly

The "DCOM: Machine access Restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly.

The "DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax" security option should be set correctly.

CCE-3411-6 CCE-22

CCE-2772-2 CCE-828 enabled/disabled

CCE-3292-0 CCE-638

CCE-3459-5 CCE-577

CCE-3460-3 CCE-872

CCE-3244-1 CCE-511 (1) reg_dword

CCE-3394-4 CCE-145 (1) enabled/disabled

CCE-3160-9 CCE-423 (1) enabled/disabled

CCE-3054-4 CCE-806 (1) enabled/disabled

CCE-3187-2 CCE-969 (1) enabled/disabled

CCE-3405-8 CCE-502 (1) enabled/disabled

CCE-3158-3 CCE-771

The "Display user information when the session is locked" setting should be configured correctly.

The "Interactive logon: Require smart card" setting should be configured correctly.

The "Network access: Restrict anonymous access to named pipes and shares" setting should be configured correctly.

MSS: (TCPMaxConnectResponseRetransmission) SYN-ACK retransmissions when a connection request is not acknowledged

(1) number of seconds

MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted

(1) number of seconds

MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames.

RPC Endpoint Mapper Client Authentication (SP2 only)

Restrictions for Unauthenticated RPC clients (SP2 only)

Domain Profile: Protect all network connections (SP2 only)

Domain Profile: Do not allow exceptions (SP2 only)

Domain Profile: Allow local program exceptions

Domain Profile: Allow remote administration

(1) enabled/disabled (2) subnets for internal support only

CCE-3431-4 CCE-555 (1) enabled/disabled

CCE-3458-7 CCE-832

CCE-2964-5 CCE-590 (1) enabled/disabled

CCE-3365-4 CCE-762 (1) enabled/disabled

CCE-3260-7 CCE-251 (1) enabled/disabled

CCE-2533-8 CCE-793 (1) File path

CCE-3299-5 CCE-57 (1) Size limit (KB)

CCE-3414-0 CCE-617 (1) enabled/disabled

Domain Profile: Allow file and printer sharing exception (SP2 only)

Domain Profile: Allow Remote Desktop exception (SP2 only)

(1) enabled/disabled (2) subnets for internal support only

Domain Profile: Allow UPnP framework exception (SP2 only)

The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Domain Profile.

The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Domain Profile.

The log file path and name for the Windows Firewall should be configured correctly for the Domain Profile.

The log file size limit for the Windows Firewall should be configured correctly for the Domain Profile.

The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Domain Profile.

CCE-3436-3 CCE-696 (1) enabled/disabled

CCE-3202-9 CCE-114 (1) enabled/disabled

CCE-3180-7 CCE-370 (1) enabled/disabled

CCE-3329-0 CCE-273 (1) enabled/disabled

CCE-3347-2 CCE-440 (1) enabled/disabled

CCE-3334-0 CCE-352 (1) enabled/disabled

CCE-3352-2 CCE-467 (1) enabled/disabled

CCE-3369-6 CCE-626 (1) enabled/disabled

CCE-3387-8 CCE-354 (1) enabled/disabled

CCE-3268-0 CCE-266 (1) enabled/disabled

CCE-3409-0 CCE-901 (1) enabled/disabled

CCE-3440-5 CCE-632 (1) enabled/disabled

CCE-3462-9 CCE-196 (1) enabled/disabled

Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Domain Profile.

Domain Profile: Define port exceptions (SP2 only)

Domain Profile: Allow local port exceptions (SP2 only)

Standard Profile: Protect all network connections (SP2 only)

Standard Profile: Do not allow exceptions (SP2 only)

Standard Profile: Allow local program exceptions (SP2 only)

Standard Profile: Allow remote administration exception (SP2 only)

Standard Profile: Allow file and printer sharing exception (SP2 only)

Standard Profile: Allow Remote Desktop exception (SP2 only)

Standard Profile: Allow UPnP framework exception (SP2 only)

The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Standard Profile.

Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Standard Profile.

Standard Profile: Define port exceptions (SP2 only)

CCE-3356-3 CCE-77 (1) enabled/disabled

CCE-2999-1 CCE-249

CCE-3439-7 CCE-485

CCE-3457-9 CCE-400

CCE-2977-7 CCE-584

CCE-3373-8 CCE-7

CCE-3395-1 CCE-29

CCE-3166-6 CCE-32

CCE-3417-3 CCE-38

Standard Profile: Allow local port exceptions (SP2 only)

Domain Profile - Inbound Connections

Domain Profile - Outbound Connections

Domain Profile - Apply Local Firewall Rules

Domain Profile - Apply Local Connection Security Rules

Private Profile - Firewall State

Private Profile - Inbound Connections

Private Profile - Outbound Connections

User notifications when a program is blocked from receiving inbound connections by Windows Firewall should be enabled or disabled as appropriate for the Private Profile.

yes/no/not configured

CCE-2924-9 CCE-70 enabled/disabled

CCE-3360-5 CCE-117

CCE-2854-8 CCE-199

CCE-3246-6 CCE-295

CCE-3263-1 CCE-338

CCE-3351-4 CCE-342

CCE-2998-3 CCE-390

CCE-2641-9 CCE-414 enabled/disabled

Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Private Profile.

Private Profile - Apply Local Firewall Rules

Private Profile - Apply Local Connection Security Rules

Public Profile - Firewall State

Public Profile - Inbound Connections

Public Profile - Outbound Connections

User notifications when a program is blocked from receiving inbound connections by Windows Firewall should be enabled or disabled as appropriate for the Public Profile.

yes/no/not configured

Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Public Profile.

CCE-2650-0 CCE-421

CCE-3426-4 CCE-437

CCE-3320-9 CCE-503

CCE-3086-6 CCE-583

CCE-3452-0 CCE-584

CCE-3364-7 CCE-691

CCE-3259-9 CCE-722

CCE-2778-9 CCE-818

CCE-3421-5 CCE-852 Turn off printing over HTTP

CCE-2754-0 CCE-887

Public Profile - Apply Local Firewall Rules

Public Profile - Apply Local Connection Security Rules

Logon - Do not process the legacy run list

Logon - Do not process the run once list

Group Policy - Registry policy processing

Turn off Internet download for Web publishing and online ordering wizards

Turn off the Windows Messenger Customer Experience Improvement Program

Turn off Search Companion content file updates

Turn off downloading of print drivers over HTTP

CCE-3278-9 CCE-927

CCE-2471-1 CCE-935

CCE-3310-0 CCE-255

CCE-3327-4 CCE-466

CCE-2975-1 CCE-976

CCE-2874-6 CCE-648

CCE-3415-7 CCE-405

CCE-3169-0 CCE-509

CCE-3437-1 CCE-12

CCE-2979-3 CCE-58

CCE-3300-1 CCE-372

CCE-3305-0 CCE-886

Turn off Windows Update device driver searching

Enumerate administrator accounts on elevation

Require trusted path for credential entry

Deny all add-ons unless specifically allowed in the Add-on List

The "Do not allow passwords to be saved" setting should be configured correctly for Terminal Services.

The "Do not allow drive redirection" setting should be configured correctly for Terminal Services.

Access to registry editing tools is set correctly.

Prompt for password on resume from hibernate/suspend is set correctly.

Do not preserve zone information in file attachments is set correctly.

Hide mechanisms to remove zone information is set correctly.

Notify antivirus programs when opening attachments is set correctly.

Outlook Express attachment blocking is set correctly.

CCE-3450-4 CCE-111

CCE-3102-1 CCE-1044 enabled/disabled

CCE-3388-6 CCE-84 enabled/disabled

CCE-3270-6 CCE-86 enabled/disabled

CCE-3045-2 CCE-629 enabled/disabled

CCE-3331-6 CCE-593 enabled/disabled

CCE-3464-5 CCE-849 enabled/disabled

CCE-3468-6 CCE-571 enabled/disabled

CCE-3362-1 CCE-91 enabled/disabled

CCE-3454-6 CCE-858 enabled/disabled

CCE-3348-0 CCE-263 enabled/disabled

Audit: Force audit policy subcategory settings are set correctly.

The "Log Access For Setup Log" setting should be configured correctly.

The startup type of the Windows Search service should be configured correctly.

The startup type of Microsoft Peer-to-Peer Networking Services should be configured correctly.

The "Prohibit Access of the Windows Connect Now Wizards" setting should be configured correctly.

The "Allow remote access to the PnP interface" setting should be configured correctly.

The "Do not create system restore point when new device driver installed" setting should be configured correctly.

The "Do not send a Windows Error Report when a generic driver is installed on a device" setting should be configured correctly.

The "Turn Off Access to All Windows Update Feature" setting should be configured correctly.

The "Turn Off Automatic Root Certificates Update" setting should be configured correctly.

The "Turn Off Event Views 'Events.asp' Links" setting should be configured correctly.

CCE-2868-8 CCE-430 enabled/disabled

CCE-2877-9 CCE-756 enabled/disabled

CCE-3406-6 CCE-1029 enabled/disabled

CCE-3432-2 CCE-1055 enabled/disabled

CCE-2697-1 CCE-1064 enabled/disabled

CCE-3093-2 CCE-88 enabled/disabled

CCE-3115-3 CCE-375 enabled/disabled

CCE-2477-8 CCE-1009 enabled/disabled

CCE-3403-3 CCE-1040 enabled/disabled

CCE-3297-9 CCE-1062 enabled/disabled

The "Turn Off Handwriting Recognition Error Reporting" setting should be configured correctly.

The "Turn Off Help and Support Center "Did You Know?" Content" setting should be configured correctly.

The "Turn Off Help and Support Center Microsoft Knowledge Base Search" setting should be configured correctly.

The "Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com" setting should be configured correctly.

The "Turn Off Internet File Association Service" setting should be configured correctly.

The "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting should be configured correctly.

The "Turn Off the 'Order Prints' Picture Task" setting should be configured correctly.

The "Turn off the 'Publish to Web' task for files and folders" setting should be configured correctly.

The "Turn Off Windows Movie Maker Automatic Codec Downloads" setting should be configured correctly.

The "Turn Off Windows Movie Maker Online Web Links" setting should be configured correctly.

CCE-3385-2 CCE-93 enabled/disabled

CCE-2781-3 CCE-1020 enabled/disabled

CCE-2922-3 CCE-681 enabled/disabled

CCE-2821-7 CCE-346 enabled/disabled

CCE-3469-4 CCE-1011 enabled/disabled

CCE-2742-5 CCE-1007 enabled/disabled

CCE-2887-8 CCE-923 enabled/disabled

CCE-3407-4 CCE-1056 enabled/disabled

CCE-3271-4 CCE-835 enabled/disabled

CCE-3288-8 CCE-474 enabled/disabled

CCE-3434-8 CCE-557 enabled/disabled

CCE-3046-0 CCE-95 enabled/disabled

The "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting should be configured correctly.

The "Don't Display the Getting Started Welcome Screen at Logon" setting should be configured correctly.

The "Turn off Windows Startup Sound" setting should be configured correctly.

The "Require a Password when a Computer Wakes (On Battery)" setting should be configured correctly.

The "Require a Password when a Computer Wakes (Plugged)" setting should be configured correctly.

The "Allow only Vista or later connections" setting should be configured correctly.

The "Customization Warning Messages" setting should be configured correctly.

The "Turn on bandwidth optimization" setting should be configured correctly.

The "Turn on session logging" setting should be configured correctly.

The "Prevent IIS Installation" setting should be configured correctly.

The "Turn off Active Help" setting should be configured correctly.

The "Turn off Untrusted Content" setting should be configured correctly.

CCE-3477-7 CCE-767 enabled/disabled

CCE-3376-1 CCE-1049 enabled/disabled

CCE-3143-5 CCE-1058 enabled/disabled

CCE-2914-0 CCE-441 enabled/disabled

CCE-3178-1 CCE-97 enabled/disabled

CCE-3209-4 CCE-728 enabled/disabled

CCE-2962-9 CCE-384 enabled/disabled

CCE-3125-2 CCE-480 enabled/disabled

CCE-3398-5 CCE-612 enabled/disabled

CCE-3341-5 CCE-392 enabled/disabled

CCE-2521-3 CCE-96 enabled/disabled

CCE-2525-4 CCE-331 enabled/disabled

The "Turn off downloading of enclosures" setting should be configured correctly.

The "Allow indexing of encrypted files" setting should be configured correctly.

The "Prevent indexing uncached Exchange folders" setting should be configured correctly.

The "Turn off Windows Calendar" setting should be configured correctly.

The "Allow Corporate redirection of Customer Experience Improvement uploads" setting should be configured correctly.

The "Turn off Windows Defender" setting should be configured correctly.

The "Turn off Heap termination on corruption" setting should be configured correctly.

The "Turn off shell protocol protected mode" setting should be configured correctly.

The "Prohibit non-administrators from applying vendor signed updates" setting should be configured correctly.

The "Report Logon Server Not Available During User logon" setting should be configured correctly.

The "Turn off the communication features" setting should be configured correctly.

The "Turn off Windows Mail application" setting should be configured correctly.

CCE-3486-8 CCE-1089 enabled/disabled

CCE-2557-7 CCE-992 enabled/disabled

CCE-3328-2 CCE-105 enabled/disabled

CCE-3456-1 CCE-297 enabled/disabled

CCE-3214-4 CCE-702 enabled/disabled

CCE-3500-6 CCE-644 enabled/disabled

CCE-3482-7 CCE-1747 enabled/disabled

CCE-2755-7 CCE-1778 enabled/disabled

CCE-2865-4 CCE-1795 enabled/disabled

CCE-3508-9 CCE-1293 enabled/disabled

CCE-4662-3 CCE-227 (1) enabled/disabled

CCE-4666-4 CCE-6

The "Prevent Windows Media DRM Internet Access" setting should be configured correctly.

The "Turn off Windows Meeting Space" setting should be configured correctly.

The "Turn on Windows Meeting Space auditing" setting should be configured correctly.

The "Disable unpacking and installation of gadgets that are not digitally signed" setting should be configured correctly.

The "Override the More Gadgets Link" setting should be configured correctly.

The "Turn Off User Installed Windows Sidebar Gadgets" setting should be configured correctly.

The "Do not allow Digital Locker to run" setting should be configured correctly.

The "Turn Off Downloading of Game Information" setting should be configured correctly.

The "IPv6 Block of Protocols 41" setting should be configured correctly.

The "IPv6 Block of UDP 3544" setting should be configured correctly.

The "Enforce user logon restrictions" policy should be set correctly.

The "Maximum Service Ticket Lifetime" policy should be set correctly.

(1) number of minutes

CCE-3936-2 CCE-37 (1) number of hours

CCE-4755-5 CCE-33 (1) number of days

CCE-4702-7 CCE-588

CCE-3949-5 CCE-998 (1) enabled/disabled

CCE-4904-9 CCE-501 (1) enabled/disabled

CCE-4781-1 CCE-1185 set of paths

CCE-4922-1 CCE-719

CCE-4940-3 CCE-732 (1) enabled/disabled

CCE-4583-1 CCE-674 (1) enabled/disabled

CCE-4213-5 CCE-766 (1) enabled/disabled

CCE-4107-9 CCE-410 (1) enabled/disabled

CCE-3953-7 CCE-76 (1) enabled/disabled

CCE-3954-5 CCE-224 (1) enabled/disabled

The "Maximum User Ticket Lifetime" policy should be set correctly.

The "Maximum User Renewal Lifetime" policy should be set correctly.

The "Maximum tolerance for computer clock synchronization" policy should be set correctly.

(1) number of minutes

TCP/IP PMTU Discovery should be properly configured.

Kerberos and RSVP Traffic Protected by IPSec should be properly configured.

The "Remotely accessible registry paths and subpaths" policy should be set correctly.

The "LAN Manager Authentication Level" policy should be set correctly.

(1) authentication level

The "LDAP client signing requirements" policy should be set correctly.

The "Minimum session security for NTLM SSP based clients" policy should be set correctly.

The "Minimum session security for NTLM SSP based servers" policy should be set correctly.

The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly.

The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly.

The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.

CCE-3969-3 CCE-422 (1) enabled/disabled

CCE-4774-6 CCE-55 (1) enabled/disabled

CCE-4841-3 CCE-300 (1) enabled/disabled

CCE-4011-3 CCE-508 (1) enabled/disabled

CCE-4955-1 CCE-1078 enabled/disabled

CCE-4016-2 CCE-1063

CCE-4969-2 CCE-1067

CCE-4612-8 CCE-1128 enabled/disabled

CCE-5004-7 CCE-1104 enabled/disabled

The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly.

The "Use FIPS compliant algorithms for encryption, hashing, and signing" policy should be set correctly.

The "Require Case Insensitivity for Non-Windows Subsystems" policy should be set correctly.

The "Strengthen Default Permissions of Global System Objects" policy should be set correctly.

The "User Account Control: Admin Approval Mode for the Built-in Administrator account" setting should be configured correctly.

The "Behavior of the elevation prompt for administrators in Admin Approval Mode" setting should be configured correctly.

Prompt for consent/Prompt for credentials/Automatically deny

The "Behavior of the elevation prompt for standard users" setting should be configured correctly.

Prompt for credentials/Automatically deny

The "User Account Control: Detect application installations and prompt for elevation" setting should be configured correctly.

The "User Account Control: Only elevate executables that are signed and validated" setting should be configured correctly.

CCE-4020-4 CCE-986 enabled/disabled

CCE-4907-2 CCE-1050 enabled/disabled

CCE-4925-4 CCE-230 enabled/disabled

CCE-4194-7 CCE-673 enabled/disabled

CCE-4334-9 CCE-532 (1) set of accounts

CCE-4088-1 CCE-162 (1) set of accounts

CCE-4854-6 CCE-807 (1) set of accounts

CCE-4872-8 CCE-965 (1) set of accounts

CCE-4264-8 CCE-883 (1) set of accounts

CCE-4827-2 CCE-931 (1) set of accounts

The "User Account Control: Only elevate UIAccess applications that are installed in secure locations" setting should be configured correctly.

The "User Account Control: Run all administrators in Admin Approval Mode" setting should be configured correctly.

The "User Account Control: Switch to the secure desktop when prompting for elevation" setting should be configured correctly.

The "User Account Control: Virtualize file and registry write failures to per-user locations" setting should be configured correctly.

The "access this computer from the network" user right should be assigned to the correct accounts.

The "act as part of the operating system" user right should be assigned to the correct accounts.

The "adjust memory quotas for a process" user right should be assigned to the correct accounts.

The "log on locally" user right should be assigned to the correct accounts.

The "allow logon through Terminal Services" user right should be assigned to the correct accounts.

The "back up files and directories" user right should be assigned to the correct accounts.

CCE-4973-4 CCE-376 (1) set of accounts

CCE-4863-7 CCE-799 (1) set of accounts

CCE-5008-8 CCE-470 list of accounts

CCE-4757-1 CCE-895 (1) set of accounts

CCE-4902-3 CCE-926 (1) set of accounts

CCE-4792-8 CCE-383 (1) set of accounts

CCE-4184-8 CCE-335 (1) set of accounts

CCE-4687-0 CCE-842 (1) set of accounts

CCE-4704-3 CCE-898 (1) set of accounts

CCE-4722-5 CCE-165 (1) set of accounts

CCE-4867-8 CCE-597 (1) set of accounts

CCE-4889-2 CCE-64 (1) set of accounts

The "bypass traverse checking" user right should be assigned to the correct accounts.

The "change the system time" user right should be assigned to the correct accounts.

The "Change the time zone" user right should be assigned to the appropriate accounts.

The "create a pagefile" user right should be assigned to the correct accounts.

The "Create a token object" user right should be assigned to the correct accounts.

The "Create global objects" user right should be assigned to the correct accounts.

The "create permanent shared objects" user right should be assigned to the correct accounts.

The "debug programs" user right should be assigned to the correct accounts.

The "deny access to this computer from the network" user right should be assigned to the correct accounts.

The "deny logon as a batch job" user right should be assigned to the correct accounts.

The "deny logon as a service" user right should be assigned to the correct accounts.

The "deny logon locally" user right should be assigned to the correct accounts.

CCE-4656-5 CCE-108 (1) set of accounts

CCE-4673-0 CCE-754 (1) set of accounts

CCE-4488-3 CCE-939 (1) set of accounts

CCE-4382-8 CCE-304 (1) set of accounts

CCE-4651-6 CCE-1027

CCE-4796-9 CCE-349 (1) set of accounts

CCE-4034-5 CCE-860 (1) set of accounts

CCE-4317-4 CCE-749 (1) set of accounts

CCE-4083-2 CCE-177 (1) set of accounts

CCE-4038-6 CCE-216 (1) set of accounts

CCE-4046-9 CCE-850 (1) set of accounts

CCE-4285-3 CCE-1023 list of accounts

The "deny logon through Terminal Services" user right should be assigned to the correct accounts.

The "force shutdown from a remote system" user right should be assigned to the correct accounts.

The "generate security audits" user right should be assigned to the correct accounts.

The "Impersonate a client after authentication" user right should be assigned to the correct accounts.

The "Increase a Process Working Set" setting should be configured correctly.

Set of users or groups

The "increase scheduling priority" user right should be assigned to the correct accounts.

The "load and unload device drivers" user right should be assigned to the correct accounts.

The "lock pages in memory" user right should be assigned to the correct accounts.

The "log on as a batch job" user right should be assigned to the correct accounts.

The "log on as a service" user right should be assigned to the correct accounts.

The "manage auditing and security log" user right should be assigned to the correct accounts.

The "Modify an object label" user right should be assigned to the appropriate accounts.

CCE-4048-5 CCE-17 (1) set of accounts

CCE-4071-7 CCE-314 (1) set of accounts

CCE-4962-7 CCE-260 (1) set of accounts

CCE-4618-5 CCE-599 (1) set of accounts

CCE-4861-1 CCE-656 (1) set of accounts

CCE-4372-9 CCE-667 (1) set of accounts

CCE-4948-6 CCE-553 (1) set of accounts

CCE-4569-0 CCE-839 (1) set of accounts

CCE-4970-0 CCE-381 (1) set of accounts

CCE-4988-2 CCE-492 (1) set of accounts

CCE-4627-6 CCE-957

The "modify firmware environment values" user right should be assigned to the correct accounts.

The "perform volume maintenance tasks" user right should be assigned to the correct accounts.

The "profile single process" user right should be assigned to the correct accounts.

The "profile system performance" user right should be assigned to the correct accounts.

The "remove computer from docking station" user right should be assigned to the correct accounts.

The "replace a process-level token" user right should be assigned to the correct accounts.

The "restore files and directories" user right should be assigned to the correct accounts.

The "shut down the system" user right should be assigned to the correct accounts.

The "synchronize directory service data" user right should be assigned to the correct accounts.

The "take ownership of files or other objects" user right should be assigned to the correct accounts.

The required permissions for the WLAN AutoConfig service should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-4992-4 CCE-347 enabled/disabled

CCE-4077-4 CCE-1134 enabled/disabled

CCE-4152-5 CCE-896 (1) enabled/disabled

CCE-5020-3 CCE-241 enabled/disabled

CCE-4078-2 CCE-672

CCE-5061-7 CCE-734 enabled/disabled

Internet Explorer Processes (Zone Elevation Protection)

The "Turn on Responder (RSPNDR) driver" setting should be configured correctly for the domain profile.

Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.

The "Prohibit use of Internet Connection Firewall on your DNS domain network" setting should be configured correctly.

The startup type of the Internet Connection Sharing service should be correct.

(1) disabled/manual/automatic

The "Configuration of wireless settings using Windows Connect Now" setting should be configured correctly for Wireless Connect Now over Ethernet (UPnP).

CCE-4081-6 CCE-365 enabled/disabled

CCE-4694-6 CCE-592 (1) enabled/disabled

CCE-4813-2 CCE-231 (1) logon type

CCE-4579-9 CCE-836 enabled/disabled

CCE-4086-5 CCE-262 (1) Size limit (KB)

CCE-4501-3 CCE-648

CCE-4866-0 CCE-397 (1) encryption level

CCE-5007-0 CCE-920

CCE-4267-1 CCE-123

CCE-4761-3 CCE-312

CCE-4915-5 CCE-959 enabled/disabled

The "Internet Explorer Maintenance Policy Processing - Allow processing across a slow network connection" setting should be configured correctly.

The "Enable Error Reporting" policy should be set correctly.

Use Classic Logon should be properly configured.

The 'Approved Installation Sites for ActiveX Controls' security mechanism should be enabled or disabled as appropriate.

The setup log maximum size should be configured correctly.

The "Do not allow drive redirection" setting should be configured correctly for Terminal Services.

The "Set Client connection Encryption Level" policy should be set correctly for Terminal Services.

The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.

(1) Time Limit (minutes)

The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.

(1) Time limit (minutes)

Computer-wide, rather than per-user, use of Microsoft Spynet Reporting for Windows Defender should be enabled or disabled as appropriate.

enabled, disabled, or not configured

The "Disable Logging" setting should be configured correctly.

CCE-5034-4 CCE-803 enabled/disabled

CCE-4919-7 CCE-259 enabled/disabled

CCE-4089-9 CCE-798 enabled/disabled

CCE-4991-6 CCE-261 (1) enabled/disabled

CCE-4629-2 CCE-415 (1) enabled/disabled

CCE-4405-7 CCE-1140 enabled/disabled

CCE-4898-3 CCE-455 (1) enabled/disabled

CCE-5052-6 CCE-313 enabled/disabled

CCE-4797-7 CCE-309 (1) enabled/disabled

CCE-4290-3 CCE-949 (1) enabled/disabled

CCE-5070-8 CCE-1144 enabled/disabled

The "Disable Windows Error Reporting" setting should be configured correctly.

The "Display Error Notification" setting should be configured correctly.

The "Do not send additional data" setting should be configured correctly.

The "Set Safe for Scripting" policy should be set correctly.

The "Enable User Control Over Installs" policy should be set correctly.

The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly.

The "Disable Media Player for automatic updates" policy should be set correctly.

The "Prevent Desktop Shortcut Creation" setting for Windows Media Player should be configured correctly.

The "Do Not Automatically Start Windows Messenger" policy should be set correctly.

The "Current user screensaver secure" policy should be set correctly.

The "Prevent users from sharing files within their profile" setting should be configured correctly.

CCE-4938-7 CCE-801 enabled/disabled

CCE-4700-1 CCE-1016 enabled/disabled

CCE-4093-1 CCE-1070 enabled/disabled

CCE-4228-3 CCE-840 enabled/disabled

CCE-4115-2 CCE-515 enabled/disabled

CCE-4140-0 CCE-1048 enabled/disabled

CCE-4916-3 CCE-206 enabled/disabled

CCE-4783-7 CCE-1202 enabled/disabled

Auditing of "Account Management: Application Group Management" events on success should be enabled or disabled as appropriate.

Auditing of "Account Management: Application Group Management" events on failure should be enabled or disabled as appropriate.

Auditing of "Account Management: Computer Account Management" events on success should be enabled or disabled as appropriate.

Auditing of "Account Management: Computer Account Management" events on failure should be enabled or disabled as appropriate.

Auditing of "Account Management: Distribution Group Management" events on success should be enabled or disabled as appropriate.

Auditing of "Account Management: Distribution Group Management" events on failure should be enabled or disabled as appropriate.

Auditing of "Account Management: Other Account Management Events" events on success should be enabled or disabled as appropriate.

Auditing of "Account Management: Other Account Management Events" events on failure should be enabled or disabled as appropriate.

CCE-5048-4 CCE-1118 enabled/disabled

CCE-4142-6 CCE-369 enabled/disabled

CCE-4833-0 CCE-1043 enabled/disabled

CCE-5097-1 CCE-924 enabled/disabled

CCE-5000-5 CCE-1413 enabled/disabled

CCE-4493-3 CCE-699 enabled/disabled

CCE-4166-5 CCE-913 enabled/disabled

CCE-5094-8 CCE-1079 enabled/disabled

Auditing of "Account Management: Security Group Management" events on success should be enabled or disabled as appropriate.

Auditing of "Account Management: Security Group Management" events on failure should be enabled or disabled as appropriate.

Auditing of "Account Management: User Account Management" events on success should be enabled or disabled as appropriate.

Auditing of "Account Management: User Account Management" events on failure should be enabled or disabled as appropriate.

Auditing of "Detailed Tracking: DPAPI Activity" events on success should be enabled or disabled as appropriate.

Auditing of "Detailed Tracking: DPAPI Activity" events on failure should be enabled or disabled as appropriate.

Auditing of "Detailed Tracking: Process Creation" events on success should be enabled or disabled as appropriate.

Auditing of "Detailed Tracking: Process Creation" events on failure should be enabled or disabled as appropriate.

CCE-4869-4 CCE-416 enabled/disabled

CCE-4363-8 CCE-1250 enabled/disabled

CCE-4891-8 CCE-1219 enabled/disabled

CCE-4759-7 CCE-1365 enabled/disabled

CCE-5023-7 CCE-207 enabled/disabled

CCE-4658-1 CCE-1186 enabled/disabled

CCE-5028-6 CCE-1199 enabled/disabled

CCE-4931-2 CCE-459 enabled/disabled

CCE-5067-4 CCE-317 enabled/disabled

Auditing of "Detailed Tracking: Process Termination" events on success should be enabled or disabled as appropriate.

Auditing of "Detailed Tracking: Process Termination" events on failure should be enabled or disabled as appropriate.

Auditing of "Detailed Tracking: RPC Events" events on success should be enabled or disabled as appropriate.

Auditing of "Detailed Tracking: RPC Events" events on failure should be enabled or disabled as appropriate.

Auditing of "DS Access: Detailed Directory Service Replication" events on success should be enabled or disabled as appropriate.

Auditing of "DS Access: Detailed Directory Service Replication" events on failure should be enabled or disabled as appropriate.

Auditing of "DS Access: Directory Service Access" events on success should be enabled or disabled as appropriate.

Auditing of "DS Access: Directory Service Access" events on failure should be enabled or disabled as appropriate.

Auditing of "DS Access: Directory Service Changes" events on success should be enabled or disabled as appropriate.

CCE-4808-2 CCE-982 enabled/disabled

CCE-5089-8 CCE-881 enabled/disabled

CCE-4176-4 CCE-247 enabled/disabled

CCE-4342-2 CCE-1264 enabled/disabled

CCE-4857-9 CCE-1282 enabled/disabled

CCE-5011-2 CCE-1028 enabled/disabled

CCE-4505-4 CCE-362 enabled/disabled

CCE-5016-1 CCE-1207 enabled/disabled

CCE-4650-8 CCE-351 enabled/disabled

Auditing of "DS Access: Directory Service Changes" events on failure should be enabled or disabled as appropriate.

Auditing of "DS Access: Directory Service Replication" events on success should be enabled or disabled as appropriate.

Auditing of "DS Access: Directory Service Replication" events on failure should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Account Lockout" events on success should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Account Lockout" events on failure should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: IPsec Extended Mode" events on success should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: IPsec Extended Mode" events on failure should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: IPsec Main Mode" events on success should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: IPsec Main Mode" events on failure should be enabled or disabled as appropriate.

CCE-5038-5 CCE-1257 enabled/disabled

CCE-4928-8 CCE-1274 enabled/disabled

CCE-4703-5 CCE-493 enabled/disabled

CCE-4183-0 CCE-996 enabled/disabled

CCE-5018-7 CCE-1284 enabled/disabled

CCE-4423-0 CCE-1097 enabled/disabled

CCE-5163-1 CCE-378 enabled/disabled

CCE-5066-6 CCE-1208 enabled/disabled

CCE-4956-9 CCE-371 enabled/disabled

CCE-4824-9 CCE-1038 enabled/disabled

Auditing of "Logon/Logoff: IPsec Quick Mode" events on success should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: IPsec Quick Mode" events on failure should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Logoff" events on success should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Logoff" events on failure should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Logon" events on success should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Logon" events on failure should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Other Logon/Logoff Events" events on success should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Other Logon/Logoff Events" events on failure should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Special Logon" events on success should be enabled or disabled as appropriate.

Auditing of "Logon/Logoff: Special Logon" events on failure should be enabled or disabled as appropriate.

CCE-5084-9 CCE-1322 enabled/disabled

CCE-4829-8 CCE-379 enabled/disabled

CCE-4714-2 CCE-1345 enabled/disabled

CCE-4868-6 CCE-1261 enabled/disabled

CCE-4200-2 CCE-1372 enabled/disabled

CCE-5145-8 CCE-1033 enabled/disabled

CCE-4921-3 CCE-1085 enabled/disabled

CCE-5039-3 CCE-1340 enabled/disabled

CCE-4568-2 CCE-717 enabled/disabled

Auditing of "Object Access: Application Generated" events on success should be enabled or disabled as appropriate.

Auditing of "Object Access: Application Generated" events on failure should be enabled or disabled as appropriate.

Auditing of "Object Access: Certification Services" events on success should be enabled or disabled as appropriate.

Auditing of "Object Access: Certification Services" events on failure should be enabled or disabled as appropriate.

Auditing of "Object Access: File Share" events on success should be enabled or disabled as appropriate.

Auditing of "Object Access: File Share" events on failure should be enabled or disabled as appropriate.

Auditing of "Object Access: File System" events on success should be enabled or disabled as appropriate.

Auditing of "Object Access: File System" events on failure should be enabled or disabled as appropriate.

Auditing of "Object Access: Filtering Platform Connection" events on success should be enabled or disabled as appropriate.

CCE-5079-9 CCE-744 enabled/disabled
Auditing of "Object Access: Filtering Platform Connection" events on failure should be enabled or disabled as appropriate.

CCE-4947-8 CCE-385 enabled/disabled
Auditing of "Object Access: Filtering Platform Packet Drop" events on success should be enabled or disabled as appropriate.

CCE-4335-6 CCE-589 enabled/disabled
Auditing of "Object Access: Filtering Platform Packet Drop" events on failure should be enabled or disabled as appropriate.

CCE-4828-0 CCE-1363 enabled/disabled
Auditing of "Object Access: Handle Manipulation" events on success should be enabled or disabled as appropriate.

CCE-4965-0 CCE-1244 enabled/disabled
Auditing of "Object Access: Handle Manipulation" events on failure should be enabled or disabled as appropriate.

CCE-4996-5 CCE-1288 enabled/disabled
Auditing of "Object Access: Kernel Object" events on success should be enabled or disabled as appropriate.

CCE-4885-0 CCE-1305 enabled/disabled
Auditing of "Object Access: Kernel Object" events on failure should be enabled or disabled as appropriate.

CCE-5132-6 CCE-642 enabled/disabled
Auditing of "Object Access: Other Object Access Events" events on success should be enabled or disabled as appropriate.

CCE-4691-2 CCE-1026 enabled/disabled
Auditing of "Object Access: Other Object Access Events" events on failure should be enabled or disabled as appropriate.

CCE-4594-8 CCE-1138 enabled/disabled
Auditing of "Object Access: Registry" events on success should be enabled or disabled as appropriate.

CCE-5087-2 CCE-1283 enabled/disabled
Auditing of "Object Access: Registry" events on failure should be enabled or disabled as appropriate.

CCE-4616-9 CCE-446 enabled/disabled
Auditing of "Object Access: SAM" events on success should be enabled or disabled as appropriate.

CCE-4982-5 CCE-451 enabled/disabled
Auditing of "Object Access: SAM" events on failure should be enabled or disabled as appropriate.

CCE-4201-0 CCE-1110 enabled/disabled
Auditing of "Policy Change: Audit Policy Change" events on success should be enabled or disabled as appropriate.

CCE-5137-5 CCE-991 enabled/disabled
Auditing of "Policy Change: Audit Policy Change" events on failure should be enabled or disabled as appropriate.

CCE-4877-7 CCE-388 enabled/disabled
Auditing of "Policy Change: Authentication Policy Change" events on success should be enabled or disabled as appropriate.

CCE-4516-1 CCE-180 enabled/disabled
Auditing of "Policy Change: Authentication Policy Change" events on failure should be enabled or disabled as appropriate.

CCE-5172-2 CCE-187 enabled/disabled
Auditing of "Policy Change: Authorization Policy Change" events on success should be enabled or disabled as appropriate.

CCE-5058-3 CCE-448 enabled/disabled
Auditing of "Policy Change: Authorization Policy Change" events on failure should be enabled or disabled as appropriate.

CCE-5177-1 CCE-1042 enabled/disabled
Auditing of "Policy Change: Filtering Platform Policy Change" events on success should be enabled or disabled as appropriate.

CCE-4939-5 CCE-1112 enabled/disabled
Auditing of "Policy Change: Filtering Platform Policy Change" events on failure should be enabled or disabled as appropriate.

CCE-5181-3 CCE-203 enabled/disabled
Auditing of "Policy Change: MPSSVC Rule-Level Policy Change" events on success should be enabled or disabled as appropriate.

CCE-4204-4 CCE-879 enabled/disabled
Auditing of "Policy Change: MPSSVC Rule-Level Policy Change" events on failure should be enabled or disabled as appropriate.

CCE-4479-2 CCE-205 enabled/disabled
Auditing of "Policy Change: Other Policy Change Events" events on success should be enabled or disabled as appropriate.

CCE-4995-7 CCE-787 enabled/disabled
Auditing of "Policy Change: Other Policy Change Events" events on failure should be enabled or disabled as appropriate.

CCE-5114-4 CCE-391 enabled/disabled
Auditing of "Privilege Use: Non Sensitive Privilege Use" events on success should be enabled or disabled as appropriate.

CCE-4990-8 CCE-404 enabled/disabled
Auditing of "Privilege Use: Non Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.

CCE-5131-8 CCE-1203 enabled/disabled
Auditing of "Privilege Use: Other Privilege Use Events" events on success should be enabled or disabled as appropriate.

CCE-4205-1 CCE-406 enabled/disabled
Auditing of "Privilege Use: Other Privilege Use Events" events on failure should be enabled or disabled as appropriate.

CCE-4300-0 CCE-488 enabled/disabled
Auditing of "Privilege Use: Sensitive Privilege Use" events on success should be enabled or disabled as appropriate.

CCE-4734-0 CCE-1258 enabled/disabled
Auditing of "Privilege Use: Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.

CCE-4976-7 CCE-1177 enabled/disabled
Auditing of "System: IPsec Driver" events on success should be enabled or disabled as appropriate.

CCE-4879-3 CCE-1314 enabled/disabled
Auditing of "System: IPsec Driver" events on failure should be enabled or disabled as appropriate.

CCE-4998-1 CCE-1332 enabled/disabled
Auditing of "System: Other System Events" events on success should be enabled or disabled as appropriate.

CCE-4883-5 CCE-337 enabled/disabled
Auditing of "System: Other System Events" events on failure should be enabled or disabled as appropriate.

CCE-4535-1 CCE-1121 enabled/disabled
Auditing of "System: Security State Change" events on success should be enabled or disabled as appropriate.

CCE-5157-3 CCE-1139 enabled/disabled
Auditing of "System: Security State Change" events on failure should be enabled or disabled as appropriate.

CCE-5170-6 CCE-1270 enabled/disabled
Auditing of "System: Security System Extension" events on success should be enabled or disabled as appropriate.

CCE-4910-6 CCE-1102 enabled/disabled
Auditing of "System: Security System Extension" events on failure should be enabled or disabled as appropriate.

CCE-5047-6 CCE-856 enabled/disabled
Auditing of "System: System Integrity" events on success should be enabled or disabled as appropriate.

CCE-4822-3 CCE-336 enabled/disabled
Auditing of "System: System Integrity" events on failure should be enabled or disabled as appropriate.

CCE-4941-1 CCE-1047 yes/no/not configured
User notifications when a program is blocked from receiving inbound connections by Windows Firewall should be enabled or disabled as appropriate for the Domain Profile.

CCE-4597-1 CCE-325 (1) enabled/disabled
The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Private Profile.

CCE-4963-5 CCE-327 enabled/disabled
The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Private Profile.

CCE-4206-9 CCE-999 (1) File path
The log file path and name for the Windows Firewall should be configured correctly for the Private Profile.

CCE-4207-7 CCE-1091 (1) Size limit (KB)
The log file size limit for the Windows Firewall should be configured correctly for the Private Profile.

CCE-4507-0 CCE-1165 (1) enabled/disabled
The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Public Profile.

CCE-5128-4 CCE-534 enabled/disabled
The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Public Profile.

CCE-4639-1 CCE-1263 (1) File path
The log file path and name for the Windows Firewall should be configured correctly for the Public Profile.

CCE-4278-8 CCE-1313 (1) Size limit (KB)
The log file size limit for the Windows Firewall should be configured correctly for the Public Profile.

CCE-5146-6 CCE-1227 enabled/disabled
The ISATAP tunneling protocol for IPv6 should be enabled or disabled as appropriate.

CCE-5036-9 CCE-1036 enabled/disabled
The 6to4 tunneling protocol for IPv6 should be enabled or disabled as appropriate.

CCE-4811-6 CCE-1148 enabled/disabled
The Teredo tunneling protocol for IPv6 should be enabled or disabled as appropriate.

CCE-5239-9 CCE-174 enabled/disabled
The "Turn off Help Experience Improvement Program" setting should be configured correctly.

CCE-4851-2 CCE-1109 enabled/disabled
The "Turn off Help Ratings" setting should be configured correctly.

CCE-4294-5 CCE-1176 list of accounts
The "Create Symbolic Links" user right should be assigned to the appropriate accounts.

CCE Technical Mechanisms

(1) defined by Local or Group Policy reset-account-lockout-counter

(1) defined by Local or Group Policy account-lockout-duration

(1) defined by Local or Group Policy account-lockout-threshold

(1) defined by Local or Group Policy audit-account-logon-events

(1) defined by Local or Group Policy audit-account-logon-events

(1) defined by Local or Group Policy audit-account-management

(1) defined by Local or Group Policy audit-account-management

(1) defined by Local or Group Policy audit-directory-services-access

(1) defined by Local or Group Policy audit-directory-services-access

NIST SCAP Windows Vista XCCDF (SCAP-WinVista-XCCDF.xml rev 2007-02-06)

(1) defined by Local or Group Policy audit-logon-events

(1) defined by Local or Group Policy audit-logon-events

(1) defined by Local or Group Policy audit-object-access

(1) defined by Local or Group Policy audit-object-access

(1) defined by Local or Group Policy audit-policy-change

(1) defined by Local or Group Policy audit-policy-change

(1) defined by Local or Group Policy audit-privilege-use

(1) defined by Local or Group Policy audit-privilege-use

(1) defined by Local or Group Policy audit-process-tracking

(1) defined by Local or Group Policy audit-process-tracking

(1) defined by Local or Group Policy audit-system-events

(1) defined by Local or Group Policy audit-system-events

Prevent-Guest-Application-Log-Access

Maximum-Application-Log-Size

Retention-Method-For-Application-Log

Prevent-Guest-Security-Log-Access

Maximum-Security-Log-Size

Retention-Method-For-Security-Log

Prevent-Guest-System-Log-Access

Maximum-System-Log-Size

Retention-Method-For-System-Log

(1) defined by Local or Group Policy maximum-password-age

(1) defined by Local or Group Policy minimum-password-age

(1) defined by Local or Group Policy minimum-password-length

(1) defined by Local or Group Policy password-complexity

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy

(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\MaxSize

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\RestrictGuestAccess (2) defined by Group Policy

(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MaxSize

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\RestrictGuestAccess (2) defined by Group Policy

(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\MaxSize

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy

(1) defined by Local or Group Policy enforce-password-history

(1) defined by Local or Group Policy reversible-password-encryption

Do-not-allow-Windows-Messenger-to-be-run

Disable-remote-Desktop-Sharing

do-not-allow-anonymous-enumeration-sam

Anonymous-SID-Name-Translation

(1) Local Users and Groups MMC guest-account-status

(1) Local Users and Groups MMC administrator-account-status

message-title-users-attempting-logon

message-text-users-attempting-logon

enable-automatic-logon

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (2) defined by Local or Group Policy

do-not-allow-anonymous-enumeration-sam-accounts-shares

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AnonymousNameLookup (2) defined by Local or Group

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon

Turn-off-Autoplay, no-drive-type-auto-run

enable-icmp-redirect

disable-ip-source-routing

perform-router-discovery

do-not-display-last-user-name

hide-system-from-browse-list

enable-dead-gw-detect

keep-alive-time

no-name-release-on-demand

syn-attack-protect

warning-level

safe-dll-search-mode

(1) defined by Local or Group Policy rename-administrator

(1) defined by Local or Group Policy rename-guest

audit-access-global-system-objects

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\WarningLevel

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\SafeDllSearchMode

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect (2) defined by Local or Group Policy

amount-of-idle-time-required-before-suspending-session

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects (2) defined by Local or Group Policy

audit-use-backup-restore-privilege

do-not-require-ctrlaltdel

prevent-users-installing-printers

restrict-cdrom-access-local-users-only

restrict-floppy-access-local-users-only

require-strong-session-key

shutdown-system-unable-log-audits

digitally-sign-communications-client-always

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword (2) defined by Local or Group Policy

send-unencrypted-password-to-third-party-smb-servers

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning (2) defined by Local or Group Policy

prompt-user-to-change-password-before-expiration

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy

digitally-sign-communications-client-server-agrees

digitally-sign-communications-server-always

number-of-previous-logons-to-cache

allow-format-eject-removable-media

smart-card-removal-behaviour

disable-machine-account-password-changes

limit-blank-password-use

allow-undock-no-logon

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy

digitally-sign-communications-server-client-agrees

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal (2) defined by Local or Group Policy

digitally-encrypt-or-sign-secure-channel-data-always

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy

digitally-encrypt-secure-channel-data-when-possible

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy

digitally-sign-secure-channel-data-when-possible

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon (2) defined by Local or Group Policy

maximum-machine-account-password-age

disconnect-client-when-logon-hours-expire

named-pipes-accessed-anonymously

Sharing-and-security-model-for-local-accounts

(1) defined by Local or Group Policy Force-logoff-when-logon-hours-expire

screen-saver-grace-period

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon (2) defined by Local or Group Policy

require-domain-controller-authentication-to-unlock

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds (2) defined by Local or Group Policy

do-not-allow-storage-credentials-net-passports-network-authn

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous (2) defined by Local or Group Policy

let-everyone-permissions-apply-to-anonymous-users

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPathsHKLM (2) defined by Local or Group Policy

Remotely-accessible-registry-paths, Remotely-accessible-registry-paths-and-sub-paths

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares (2) defined by Local or Group Policy

Shares-that-can-be-accessed-anonymously -- NOTE: COMMENTED OUT

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash (2) defined by Local or Group Policy

Do-not-store-LAN-Manager-hash-value-on-next-password-change

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut

Solicited-Remote-Assistance

Offer-Remote-Assistance

Configure-Automatic-Updates

MachineAccessRestrictions

MachineLaunchRestrictions

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword

Always-prompt-client-for-password-upon-connection

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited

Do-not-adjust-default-option-to-Install-Updates-and-Shut-Down

Do-not-display-Install-Updates-and-Shut-Down

No-auto-restart-for-scheduled-Automatic-Updates-installations

Reschedule-Automatic-Updates-scheduled-installations

Require-Smart-Card

tcp-max-data-retransmissions

ntfs-disable-8dot3-name-creation

RPC-Endpoint-Mapper-Client-Authentication

Restrictions-for-Unauthenticated-RPC-clients

(1) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SCForceOption

Restrict-anonymous-access-to-Named-Pipes-and-Shares

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions

tcp-max-connect-response-retransmissions

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC\EnableAuthEpResolution

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC\RestrictRemoteClients

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall

Domain-Profile-Firewall-Protect-All-Network-Connections, Domain-Profile-Firewall-State

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions

Domain-Profile-Firewall-Do-Not-Allow-Exceptions

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\AllowUserPrefMerge

Domain-Profile-Firewall-Allow-Local-Program-Exceptions

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Enabled

Domain-Profile-Firewall-Allow-Inbound-Remote-Administration-Exception

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\FileAndPrint\Enabled

Domain-Profile-Firewall-Allow-Inbound-File-And-Printer-Sharing-Exception

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\RemoteDesktop\Enabled

Domain-Profile-Firewall-Allow-Inbound-Remote-Desktop-Exceptions

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\UPnPFramework\Enabled

Domain-Profile-Firewall-Allow-Inbound-UPnP-Framework-Exceptions

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications

Domain-Profile-Firewall-Prohibit-Notifications, Domain-Profile-Display-Notification

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log Dropped Packets

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogFilePath (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log file path and name (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging\Name

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogFileSize (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Size limit (KB)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogSuccessfulConnections (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log successful connections

Standard-Profile-Firewall-Prohibit-Notifications

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableUnicastResponsesToMulticastBroadcast

Domain-Profile-Firewall-Prohibit-Unicast-Response, Domain-Profile-Allow-Unicast-Response

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts

Domain-Profile-Firewall-Define-Inbound-Port-Exceptions

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\AllowUserPrefMerge

Domain-Profile-Firewall-Allow-Local-Port-Exceptions

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall

Standard-Profile-Firewall-Protect-All-Network-Connections

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions

Standard-Profile-Firewall-Do-Not-Allow-Exceptions

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\AllowUserPrefMerge

Standard-Profile-Firewall-Define-Inbound-Program-Exceptions

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop

Standard-Profile-Firewall-Allow-Inbound-Remote-Administration-Exception

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop\Enabled

Standard-Profile-Firewall-Allow-Inbound-File-And-Printer-Sharing-Exception, Standard-Profile-Firewall-Allow-Inbound-File-And-Printer-Sharing-Exceptions

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop\Enabled

Standard-Profile-Firewall-Allow-Inbound-Remote-Desktop-Exceptions

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\UPnPFramework\Enabled

Standard-Profile-Firewall-Allow-Inbound-UPnP-Framework-Exceptions

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableUnicastResponsesToMulticastBroadcast

Standard-Profile-Firewall-Prohibit-Unicast-Response

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts

Standard-Profile-Firewall-Define-Inbound-Port-Exceptions

Domain-Profile-Inbound-Connections

Domain-Profile-Outbound-Connections

Private-Profile-Firewall-State

Private-Profile-Inbound-Connections

Private-Profile-Outbound-Connections

Private-Profile-Display-Notification

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\AllowUserPrefMerge

Standard-Profile-Firewall-Allow-Local-Port-Exceptions

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Inbound Connections Tab\ (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultOutboundAction

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalPolicyMerge

Domain-Profile-Apply-Local-Firewall-Rules

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalIPsecPolicyMerge

Domain-Profile-Apply-Local-Connection-Security-Rules

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultInboundAction

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultOutboundAction

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableNotifications

Private-Profile-Allow-Unicast-Response

Public-Profile-Firewall-State

Public-Profile-Inbound-Connections

Public-Profile-Outbound-Connections

Public-Profile-Display-Notification

Public-Profile-Allow-Unicast-Response

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableUnicastResponsesToMulticastBroadcast

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalPolicyMerge

Private-Profile-Apply-Local-Firewall-Rules

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalIPsecPolicyMerge

Private-Profile-Apply-Local-Connection-Security-Rules

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultInboundAction

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultOutboundAction

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableNotifications

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableUnicastResponsesToMulticastBroadcast

Public-Profile-Apply-Local-Firewall-Rules

Do-Not-Process-Legacy-Run-List

Do-Not-Process-Run-Once-List

Registry-Policy-Processing

Turn-off-printing-over-HTTP

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalPolicyMerge

(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalIPsecPolicyMerge

Public-Profile-Apply-Local-Connection-Security-Rules

(1) Computer Configuration\Administrative Templates\System\Logon (2)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableLocalMachineRun

(1) Computer Configuration\Administrative Templates\System\Logon (2)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableLocalMachineRunOnce

(1) Computer Configuration\Administrative Templates\System\Group Policy (2)HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoGPOListChanges

(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices

Turn-off-Internet-download-for-Web-publishing-and-online-ordering-wizards

(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Messenger\Client!CEIP

Turn-off-the-Windows-Messenger-Customer-Experience-Improvement-Program

(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\SearchCompanion!DisableContentFileUpdates

Turn-off-Search-Companion-content-file-updates

(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting

(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload

Turn-off-downloading-of-print-drivers-over-HTTP

Require-trusted-path-for-credential-entry

Do-not-allow-passwords-to-be-saved

Do-not-allow-drive-redirection

(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchWindowsUpdate

Turn-off-Windows-Update-device-driver-searching

(1) Computer Configuration\Administrative Templates\System\Credential User Interface (2)HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators

Enumerate-administrator-accounts-on-elevation

(1) Computer Configuration\Administrative Templates\System\Credential User Interface (2)HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnableSecureCredentialPrompting

(1) Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management (2)HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!RestrictToList

Deny-all-add-ons-unless-specifically-allowed-in-the-Add-on-List

(1) Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection (2)HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DisablePasswordSaving

(1) Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection (2)HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCdm

(1) User Configuration\Administrative Templates\System (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools

(1) User Configuration\Administrative Templates\System\Power Management (2)HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Power\PromptPasswordOnResume

Prompt-for-password-on-resume-from-hibernate-suspend

(1) User Configuration\Administrative Templates\System\Attachment Manager (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation

Do-not-preserve-zone-information-in-file-attachments

(1) User Configuration\Administrative Templates\System\Attachment Manager (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\HideZoneInfoOnProperties

Hide-mechanisms-to-remove-zone-information

(1) User Configuration\Administrative Templates\System\Attachment Manager (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus

Notify-antivirus-programs-when-opening-attachments

(1) User Configuration\Administrative Templates\Windows Components\Internet Explorer (2)HKEY_CURRENT_USER\Software\Microsoft\Outlook Express\BlockExeAttachments

override-audit-policy-settings

Log-Access-For-Setup-Log

Windows-Search

(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options (2)HKEY_LOCAL_MACHINE\System\Currentcontrolset\Control\Lsa\SCENoApplyLegacyAuditPolicy

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup\ChannelAccess

(2)HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Windows Search Service\Start

(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Disabled

Turn-Off-Microsoft-Peer-to-Peer-Networking-Services

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI\DisableWcnUi

Prohibit-Access-of-the-Windows-Connect-Now-Wizards

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\AllowRemoteRPC

Allow-remote-access-to-the-PnP-interface

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\DisableSystemRestore

Do-not-create-system-restore-point-when-new-device-driver-installed

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\DisableSendGenericDriverNotFoundToWER

Do-not-send-Windows-Error-Report-when-generic-driver-is-installed-on-device

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess

Turn-Off-Access-to-All-Windows-Update-Feature

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate

Turn-Off-Automatic-Root-Certificates-Update

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer\MicrosoftEventVwrDisableLinks

Turn-Off-Event-Views-Events.asp-Links

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports\PreventHandwritingErrorReports

Turn-Off-Handwriting-Reconition-Error-Reporting

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\HelpSvc\Headlines

Turn-Off-Help-and-Support-Center-Did-you-Know-Content

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\HelpSvc\MicrosoftKBSearchs

Turn-Off-Help-and-Support-Center-Microsoft-Knowledge-Base-Search

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard\ExitOnMSICW

Turn-Off-Internet-Connection-Wizard-if-URL-Connection-is-Referring-to-Microsoft.com

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith

Turn-Off-Internet-File-Association-Service

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control\NoRegistration

Turn-Off-Registration-if-URL-Connection-is-Referring-to-Microsoft.com

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard

Turn-Off-the-Order-Prints-Picture-Task

(2)[HKEY_LOCAL_MACHINE | HKEY_CURRENT_USER] \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard

Turn-off-the-Publish-to-Web-task-for-files-and-folders

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\CodecDownload

Turn-Off-Windows-Movies-Maker-Automatic-Codec-Downloads

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\WebHelp

Turn-Off-Windows-Movie-Maker-Online-Web-Links

Turn-off-Windows-Startup-Sound

Allow-only-Vista-or-later-connections

Customization-Warning-Messages

Turn-on-bandwidth-optimization

Turn-on-session-logging

Prevent-IIS-Installation

Turn-Off-Active-Help

Turn-Off-Untrusted-Content

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\WebPublish

Turn-Off-Windows-Movie-Maker-Saving-to-Online-Video-Hosting-Provider

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWelcomeScreen

Do-Not-Display-the-Getting-Started-Welcome-Screen-at-Logon

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableStartupSound

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\DCSettingIndex

Require-a-Password-when-a-Computer-Wakes-On-Battery

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ACSettingIndex

Require-a-Password-when-a-Computer-Wakes-Plugged

(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\CreateEncryptedOnlyTickets

(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\UseCustomMessages

(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\UseBandwidthOptimization

(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\LoggingEnabled

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\IIS\PreventIISInstall

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Assistance\Client\1.0\NoActiveHelp

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Assistance\Client\1.0\NoUntrustedContent

Turn-off-downloading-enclosures

Allow-indexing-of-encrypted-files

Turn-off-Windows-Calendar

Turn-off-Windows-Defender

Turn-off-communication-features

Turn-off-windows-mail-app

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload

(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems

(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search\PreventIndexingUncachedExchangeFolders

Prevent-indexing-uncached-Exchange-folders

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\TurnOffWinCal

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\CorporateSQMURL

Allow-Corporate-Redirection-Customer-Experience-Improvement-Program-Uploads

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption

Turn-off-heap-termination-corruption

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior

Turn-off-shell-protocol-protected-mode

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\DisableLUAPatching

Prohibit-Non-Administrators-applying-vendorpatches

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ReportControllerMissing

Report-logon-server-not-available-during-user-logon

(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail\DisableCommunities

(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail\ManualLaunchAllowed

Turn-off-windows-meeting-space

Override-more-gadgets-Lnk

ipv6_block_protocols_41

ipv6_block_udp_3544

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WMDRM\DisableOnline

Prevent-Windows-Media-DRM-Internet-Access

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Collaboration\TurnOffWindowsCollaboration

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Collaboration\TurnOnWindowsCollaborationAuditing

Turn-on-windows-meeting-space-auditing

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffUnsignedGadgets

Disable-unpacking-installation-gadgets-not-digitally-signed

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\OverrideMoreGadgetsLink

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffUserInstalledGadgets

Turn-off-user-installed-windows-sidebar-gidgets

Computer Configuration\Administrative Templates\Windows Components\Digital Locker

do_not_allow_digital_locker_to_run_var

Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Components\Game Explorer

turn_off_downloading_of_game_information

Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules

Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and subpaths

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode (2) defined by Local or Group Policy

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin Approval Mode for the Built-in Administrator account

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate executables that are signed and validated

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Run all administrators in Admin Approval Mode

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the secure desktop when prompting for elevation

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations

(1) defined by the SeNetworkLogonRight setting in Local or Group Policy

(1) defined by the SeTcbPrivilege setting in Local or Group Policy

(1) defined by the SeIncreaseQuotaPrivilege setting in Local or Group Policy

(1) defined by the SeInteractiveLogonRight setting in Local or Group Policy

(1) defined by the SeRemoteInteractiveLogonRight setting in Local or Group Policy

(1) defined by the SeBackupPrivilege setting in Local or Group Policy

(1) defined by the SeChangeNotifyPrivilege setting in Local or Group Policy

(1) defined by the SeSystemTimePrivilege setting in Local or Group Policy

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone

(1) defined by the SeCreatePagefilePrivilege setting in Local or Group Policy

(1) defined by the SeCreateTokenPrivilege setting in Local or Group Policy

(1) defined by the SeCreatePermanentPrivilege setting in Local or Group Policy

(1) defined by the SeDebugPrivilege setting in Local or Group Policy

(1) defined by the SeDenyNetworkLogonRight setting in Local or Group Policy

(1) defined by the SeDenyBatchLogonRight setting in Local or Group Policy

(1) defined by the SeDenyServiceLogonRight setting in Local or Group Policy

(1) defined by the SeDenyInteractiveLogonRight setting in Local or Group Policy

(1) defined by the SeDenyRemoteInteractiveLogonRight setting in Local or Group Policy

(1) defined by the SeRemoteShutdownPrivilege setting in Local or Group Policy

(1) defined by the SeAuditPrivilege setting in Local or Group Policy

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase a process working set

(1) defined by the SeIncreaseBasePriorityPrivilege setting in Local or Group Policy

(1) defined by the SeLoadDriverPrivilege setting in Local or Group Policy

(1) defined by the SeLockMemoryPrivilege setting in Local or Group Policy

(1) defined by the SeBatchLogonRight setting in Local or Group Policy

(1) defined by the SeServiceLogonRight setting in Local or Group Policy

(1) defined by the SeSecurityPrivilege setting in Local or Group Policy

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label

(1) defined by the SeSystemEnvironmentPrivilege setting in Local or Group Policy

(1) defined by the SeManageVolumePrivilege setting in Local or Group Policy

(1) defined by the SeProfileSingleProcessPrivilege setting in Local or Group Policy

(1) defined by the SeSystemProfilePrivilege setting in Local or Group Policy

(1) defined by the SeUndockPrivilege setting in Local or Group Policy

(1) defined by the SeAssignPrimaryTokenPrivilege setting in Local or Group Policy

(1) defined by the SeRestorePrivilege setting in Local or Group Policy

(1) defined by the SeShutdownPrivilege setting in Local or Group Policy

(1) defined by the SeSynchAgentPrivilege setting in Local or Group Policy

(1) defined by the SeTakeOwnershipPrivilege setting in Local or Group Policy

(1) defined by the object's DACL (2) defined through group policy

HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!explorer.exe, HKLM\Software\Policies\Microsoft\Internet,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Protection From Zone Elevation, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\iexplore.exe

GPO Setting: Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) driver

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA

GPO Setting: Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

GPO Setting: Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now

GPO Setting: Computer Configuration\Administrative Templates\System\Group Policy\Internet Explorer Maintenance Policy Processing

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting\DoReport

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system\LogonType

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service\Approved Installation Sites for ActiveX Controls

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup\Maximum Log Size (KB)

(1) Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection (2)HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCdm

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Configure Microsoft Spynet Reporting

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Logging

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Windows Error Reporting

GPO Settings: Computer Configuration\Administrative Templates\System\Error Reporting\Display Error Notification, Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Display Error Notification

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Do not send additional data

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\SafeForScripting\

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableUserControl

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer\DisableAutoupdate

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Prevent Desktop Shortcut Creation

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventAutoRun

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure

GPO Setting: User Configuration\Administrative Templates\Windows Components\Network Sharing\Prevent users from sharing files within their profiles

(1) via auditpol

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Settings\Firewall settings\Display a notification

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Private Profile\Windows Firewall: Allow Logging - Log Dropped Packets

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogSuccessfulConnections (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Private Profile\Windows Firewall: Allow Logging - Log successful connections (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Logged successful connections

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogFilePath (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Private Profile\Windows Firewall: Allow Logging - Log file path and name (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Name

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogFileSize (2) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Size limit (KB)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Public Profile\Windows Firewall: Allow Logging - Log Dropped Packets

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogSuccessfulConnections (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Public Profile\Windows Firewall: Allow Logging - Log successful connections (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Logged successful connections

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogFilePath (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Public Profile\Windows Firewall: Allow Logging - Log file path and name (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Name

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogFileSize (2) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Size limit (KB)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents

GPO Setting: User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Help Experience Improvement Program

GPO Setting: User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Help Ratings

GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create Symbolic Links

oval:com.secure-elements.oval:def:6009 account_lockout_reset_counter

oval:com.secure-elements.oval:def:6007 account_lockout_duration

oval:com.secure-elements.oval:def:6008 account_lockout_threshold

oval:com.secure-elements.oval:def:6010 audit_account_logon_events

oval:com.secure-elements.oval:def:6010 audit_account_logon_events

oval:com.secure-elements.oval:def:6011 audit_account_management

oval:com.secure-elements.oval:def:6011 audit_account_management

oval:com.secure-elements.oval:def:6012 audit_directory_service_access

oval:com.secure-elements.oval:def:6012 audit_directory_service_access

NIST SCAP Windows Vista OVAL (SCAP-WinVista-OVAL.xml rev 2007-02-06)

FDCC Windows Vista XCCDF (fdcc-accepted-content-20080110\fdcc-winvista-xccdf.xml)

oval:com.secure-elements.oval:def:6013 audit_logon_events

oval:com.secure-elements.oval:def:6013 audit_logon_events

oval:com.secure-elements.oval:def:6014 audit_object_access

oval:com.secure-elements.oval:def:6014 audit_object_access

oval:com.secure-elements.oval:def:6015 audit_policy_change

oval:com.secure-elements.oval:def:6015 audit_policy_change

oval:com.secure-elements.oval:def:6016 audit_privilege_use

oval:com.secure-elements.oval:def:6016 audit_privilege_use

oval:com.secure-elements.oval:def:6017 audit_process_tracking

oval:com.secure-elements.oval:def:6017 audit_process_tracking

oval:com.secure-elements.oval:def:6018 audit_system_events

oval:com.secure-elements.oval:def:6018 audit_system_events

oval:com.secure-elements.oval:def:6509

oval:com.secure-elements.oval:def:6506 maximum_application_log_size

oval:com.secure-elements.oval:def:6512

oval:com.secure-elements.oval:def:6511

oval:com.secure-elements.oval:def:6507 maximum_security_log_size

oval:com.secure-elements.oval:def:6513

oval:com.secure-elements.oval:def:6510

oval:com.secure-elements.oval:def:6508 maximum_system_log_size

oval:com.secure-elements.oval:def:6514

oval:com.secure-elements.oval:def:6002 password-maximum_age

oval:com.secure-elements.oval:def:6003 password-minimum-age

oval:com.secure-elements.oval:def:6006 password-minimum-length

oval:com.secure-elements.oval:def:6004 password_complexity

oval:com.secure-elements.oval:def:6001 password_enforce_history

oval:com.secure-elements.oval:def:6005 password_reversible_encryption

oval:com.secure-elements.oval:def:6601 do_not_allow_windows_messenger_to_be_run

oval:com.secure-elements.oval:def:6595 Disable-remote-Desktop-Sharing

oval:com.secure-elements.oval:def:6071

oval:com.secure-elements.oval:def:6070 do-not-allow-anonymous-enumeration-sam

anonymous_sid_name_translation

oval:com.secure-elements.oval:def:6020 guest-account-status

oval:com.secure-elements.oval:def:6019

oval:com.secure-elements.oval:def:6042 message-title-users-attempting-logon

oval:com.secure-elements.oval:def:6041 message-text-users-attempting-logon

oval:com.secure-elements.oval:def:6054 enable-automatic-logon

do-not-allow-anonymous-enumeration-sam-accounts-shares

turn_off_autoplay

oval:com.secure-elements.oval:def:6057 enable-icmp-redirect

oval:com.secure-elements.oval:def:6055 disable-ip-source-routing

oval:com.secure-elements.oval:def:6063 perform-router-discovery

oval:com.secure-elements.oval:def:6039 do-not-display-last-user-name

oval:com.secure-elements.oval:def:6058 hide-system-from-browse-list

oval:com.secure-elements.oval:def:6056 enable-dead-gw-detect

oval:com.secure-elements.oval:def:6059 keep-alive-time

oval:com.secure-elements.oval:def:6061 no-name-release-on-demand

oval:com.secure-elements.oval:def:6066 syn-attack-protect

oval:com.secure-elements.oval:def:6069 warning-level

oval:com.secure-elements.oval:def:6064 safe-dll-search-mode

oval:com.secure-elements.oval:def:6022 rename-administrator

oval:com.secure-elements.oval:def:6023 rename-guest

oval:com.secure-elements.oval:def:6050

oval:com.secure-elements.oval:def:6024 audit-access-global-system-objects

oval:com.secure-elements.oval:def:6574, oval:com.secure-elements.oval:def:6060

amount-of-idle-time-required-before-suspending-session

oval:com.secure-elements.oval:def:6025 audit-use-backup-restore-privilege

oval:com.secure-elements.oval:def:6040 do-not-require-ctrlaltdel

oval:com.secure-elements.oval:def:6030 prevent-users-installing-printers

oval:com.secure-elements.oval:def:6031 restrict-cdrom-access-local-users-only

oval:com.secure-elements.oval:def:6032 restrict-floppy-access-local-users-only

oval:com.secure-elements.oval:def:6038 require-strong-session-key

oval:com.secure-elements.oval:def:6049

oval:com.secure-elements.oval:def:6044

oval:com.secure-elements.oval:def:6027 shutdown-system-unable-log-audits

oval:com.secure-elements.oval:def:6047 digitally-sign-communications-client-always

oval:com.secure-elements.oval:def:6048

send-unencrypted-password-to-third-party-smb-servers

prompt-user-to-change-password-before-expiration

digitally-sign-communications-client-server-agrees

oval:com.secure-elements.oval:def:6051 digitally-sign-communications-server-always

oval:com.secure-elements.oval:def:6052

oval:com.secure-elements.oval:def:6043 number-of-previous-logons-to-cache

oval:com.secure-elements.oval:def:6029 allow-format-eject-removable-media

oval:com.secure-elements.oval:def:6034

oval:com.secure-elements.oval:def:6033

oval:com.secure-elements.oval:def:6035 digitally-sign-secure-channel-data-when-possible

oval:com.secure-elements.oval:def:6046 smart-card-removal-behaviour

oval:com.secure-elements.oval:def:6036 disable-machine-account-password-changes

oval:com.secure-elements.oval:def:6021 limit-blank-password-use

oval:com.secure-elements.oval:def:6028 allow-undock-no-logon

digitally-sign-communications-server-client-agrees

digitally-encrypt-or-sign-secure-channel-data-always

digitally-encrypt-secure-channel-data-when-possible

oval:com.secure-elements.oval:def:6037 maximum_machine-account-password-age

oval:com.secure-elements.oval:def:6045 require-domain-controller-authentication-to-unlock

oval:com.secure-elements.oval:def:6053 disconnect-client-when-logon-hours-expire

oval:com.secure-elements.oval:def:6072

oval:com.secure-elements.oval:def:6073

oval:com.secure-elements.oval:def:6074 named-pipes-accessed-anonymously

Remotely-accessible-registry-paths

Shares-that-can-be-accessed-anonymously

oval:com.secure-elements.oval:def:6079 Sharing-and-security-model-for-local-accounts

oval:com.secure-elements.oval:def:6080

oval:com.secure-elements.oval:def:6081 Force-logoff-when-logon-hours-expire

oval:com.secure-elements.oval:def:6065 screen_save_timeout

do-not-allow-storage-credentials-net-passports-network-authn

let-everyone-permissions-apply-to-anonymous-users

oval:com.secure-elements.oval:def:6075, oval:com.secure-elements.oval:def:6076

Do-not-store-LAN-Manager-hash-value-on-next-password-change

oval:com.secure-elements.oval:def:6599

oval:com.secure-elements.oval:def:6564 solicited_remote_assistance

oval:com.secure-elements.oval:def:6563 offer_remote_assistance

oval:com.secure-elements.oval:def:6604

oval:com.secure-elements.oval:def:6603

oval:com.secure-elements.oval:def:6602

oval:com.secure-elements.oval:def:6605

oval:com.secure-elements.oval:def:6606

MachineAccessRestrictions

MachineLaunchRestrictions

Always-prompt-client-for-password-upon-connection

oval:com.secure-elements.oval:def:6082

oval:com.secure-elements.oval:def:6077

oval:com.secure-elements.oval:def:6067 tcp-max-connect-response-retransmissions

oval:com.secure-elements.oval:def:6068 tcp-max-data-retransmissions

oval:com.secure-elements.oval:def:6062 ntfs-disable-8dot3-name-creation

oval:com.secure-elements.oval:def:6566 rpc_endpoint_mapper_client_authentication

oval:com.secure-elements.oval:def:6565 restrictions_for_unauthenticated_rpc_clients

oval:com.secure-elements.oval:def:6544

oval:com.secure-elements.oval:def:6541

oval:com.secure-elements.oval:def:6537

Restrict-anonymous-access-to-Named-Pipes-and-Shares

oval:com.secure-elements.oval:def:6547, oval:com.secure-elements.oval:def:6515

oval:com.secure-elements.oval:def:6536

oval:com.secure-elements.oval:def:6538

oval:com.secure-elements.oval:def:6539

oval:com.secure-elements.oval:def:6545, oval:com.secure-elements.oval:def:6518

oval:com.secure-elements.oval:def:6542

oval:com.secure-elements.oval:def:6540

oval:com.secure-elements.oval:def:6559

oval:com.secure-elements.oval:def:6556

oval:com.secure-elements.oval:def:6555

oval:com.secure-elements.oval:def:6549

oval:com.secure-elements.oval:def:6550

oval:com.secure-elements.oval:def:6551

oval:com.secure-elements.oval:def:6557

oval:com.secure-elements.oval:def:6558

oval:com.secure-elements.oval:def:6554

oval:com.secure-elements.oval:def:6546, oval:com.secure-elements.oval:def:6519

oval:com.secure-elements.oval:def:6548, oval:com.secure-elements.oval:def:6553

oval:com.secure-elements.oval:def:6552

oval:com.secure-elements.oval:def:6516

oval:com.secure-elements.oval:def:6517

oval:com.secure-elements.oval:def:6520

oval:com.secure-elements.oval:def:6521

oval:com.secure-elements.oval:def:6522

oval:com.secure-elements.oval:def:6523

oval:com.secure-elements.oval:def:6524

oval:com.secure-elements.oval:def:6525

oval:com.secure-elements.oval:def:6526

oval:com.secure-elements.oval:def:6527

oval:com.secure-elements.oval:def:6528

oval:com.secure-elements.oval:def:6529

oval:com.secure-elements.oval:def:6530

oval:com.secure-elements.oval:def:6531

oval:com.secure-elements.oval:def:6532

oval:com.secure-elements.oval:def:6533

oval:com.secure-elements.oval:def:6534

oval:com.secure-elements.oval:def:6535

oval:com.secure-elements.oval:def:6560

oval:com.secure-elements.oval:def:6561 do_not_process_run_once_list

oval:com.secure-elements.oval:def:6562

oval:com.secure-elements.oval:def:6568

oval:com.secure-elements.oval:def:6569

oval:com.secure-elements.oval:def:6570 Turn-off-Search-Companion-content-file-updates

oval:com.secure-elements.oval:def:6571 Turn-off-printing-over-HTTP

oval:com.secure-elements.oval:def:6572 turn_off_downloading_of_print_drivers_over_http

Turn-off-Internet-download-for-Web-publishing-and-online-ordering-wizards

Turn-off-the-Windows-Messenger-Customer-Experience-Improvement-Program

oval:com.secure-elements.oval:def:6573

oval:com.secure-elements.oval:def:6575 enumerate_administrator_accounts_on_elevation

oval:com.secure-elements.oval:def:6576

oval:com.secure-elements.oval:def:6594

oval:com.secure-elements.oval:def:6596 Do-not-allow-passwords-to-be-saved

oval:com.secure-elements.oval:def:6598

oval:com.secure-elements.oval:def:6500

oval:com.secure-elements.oval:def:6714

oval:com.secure-elements.oval:def:6502

oval:com.secure-elements.oval:def:6503 hide_mechanisms_to_remove_zone_information

oval:com.secure-elements.oval:def:6504

oval:com.secure-elements.oval:def:6505

Turn-off-Windows-Update-device-driver-searching

prompt_for_password_on_resume_from_hibernate_suspend

do_not_preserve_zone_information_in_file_attachments

notify_antivirus_programs_when_opening_attachments

oval:com.secure-elements.oval:def:6026 override-audit-policy-settings

oval:com.secure-elements.oval:def:6701

oval:com.secure-elements.oval:def:6148

oval:com.secure-elements.oval:def:6662

oval:com.secure-elements.oval:def:6665

oval:com.secure-elements.oval:def:6667 allow_remote_access_to_the_pnp_interface

oval:com.secure-elements.oval:def:6668

oval:com.secure-elements.oval:def:6669

oval:com.secure-elements.oval:def:6673

oval:com.secure-elements.oval:def:6674 turn_off_automatic_root_certificates_update

oval:com.secure-elements.oval:def:6675 turn_off_event_views_events.asp_links

turn_off_microsoft_peer_to_peer_networking_services

prohibit_access_of_the_windows_connect_now_wizards

do_not_create_system_restore_point_when_new_device_driver_installed

do_not_send_windows_error_report_when_generic_driver_is_installed_on_device

oval:com.secure-elements.oval:def:6676 turn_off_handwriting_reconition_error_reporting

oval:com.secure-elements.oval:def:6677

oval:com.secure-elements.oval:def:6678

oval:com.secure-elements.oval:def:6679

oval:com.secure-elements.oval:def:6680 Turn-Off-Internet-File-Association-Service

oval:com.secure-elements.oval:def:6681

oval:com.secure-elements.oval:def:6682 Turn-Off-the-Order-Prints-Picture-Task

oval:com.secure-elements.oval:def:6567

oval:com.secure-elements.oval:def:6696

oval:com.secure-elements.oval:def:6684

turn_off_internet_connection_wizard_if_url_connection_is_referring_to_microsoft.com

Turn-Off-Registration-if-URL-Connection-is-Referring-to-Microsoft.com

Turn-off-the-Publish-to-Web-task-for-files-and-folders

Turn-Off-Windows-Movies-Maker-Automatic-Codec-Downloads

Turn-Off-Windows-Movie-Maker-Online-Web-Links

oval:com.secure-elements.oval:def:6697

oval:com.secure-elements.oval:def:6687

oval:com.secure-elements.oval:def:6688 Turn-off-Windows-Startup-Sound

oval:com.secure-elements.oval:def:6689

oval:com.secure-elements.oval:def:6690

oval:com.secure-elements.oval:def:6691

oval:com.secure-elements.oval:def:6692

oval:com.secure-elements.oval:def:6693

oval:com.secure-elements.oval:def:6694 turn_on_session_logging

oval:com.secure-elements.oval:def:6107 Prevent-IIS-Installation

oval:com.secure-elements.oval:def:6108

oval:com.secure-elements.oval:def:6109 turn_off_untrusted_content

Turn-Off-Windows-Movie-Maker-Saving-to-Online-Video-Hosting-Provider

Do-Not-Display-the-Getting-Started-Welcome-Screen-at-Logon

Require-a-Password-when-a-Computer-Wakes-On-Battery

Require-a-Password-when-a-Computer-Wakes-Plugged

oval:com.secure-elements.oval:def:6110 turn_off_downloading_enclosures

oval:com.secure-elements.oval:def:6704 Allow-indexing-of-encrypted-files

oval:com.secure-elements.oval:def:6705 Prevent-indexing-uncached-Exchange-folders

oval:com.secure-elements.oval:def:6111

oval:com.secure-elements.oval:def:6112

oval:com.secure-elements.oval:def:6113

oval:com.secure-elements.oval:def:6118 turn_off_heap_termination_corruption

oval:com.secure-elements.oval:def:6119 turn_off_shell_protocol_protected_mode

oval:com.secure-elements.oval:def:6122

oval:com.secure-elements.oval:def:6123

oval:com.secure-elements.oval:def:6124 turn_off_communities_features

oval:com.secure-elements.oval:def:6125 turn_off_windows_mail_app

prohibit_non_administrators_install_signed_updates

report_logon_server_not_available_during_user_logon

oval:com.secure-elements.oval:def:6126 prevent_windows_media_drm_internet_access

oval:com.secure-elements.oval:def:6127 turn_off_windows_meeting_space

oval:com.secure-elements.oval:def:6128

oval:com.secure-elements.oval:def:6129

oval:com.secure-elements.oval:def:6130 override_more_gadgets_lnk

oval:com.secure-elements.oval:def:6131

oval:gov.nist.fdcc.vista:def:6698 do_not_allow_digital_locker_to_run

oval:gov.nist.fdcc.vista:def:6703 turn_off_downloading_of_game_information

oval:gov.nist.fdcc.vistafirewall:def:6491

oval:gov.nist.fdcc.vistafirewall:def:6492

kerberos-enforce-user-logon-restrictions

kerberos_maximum_lifetime_service_ticket

disable_unpacking_installation_gadgets_not_digitally_signed

turn_off_user_installed_windows_sidebar_gidgets

kerberos_maximum_lifetime_user_ticket

kerberos_maximum_lifetime_user_ticket_renewal

allow-automatic-detection-mtu-size

enable-nodefaultexempt-IPSec-Filtering

Lan-manager-authentication-level

LDAP-client-signing-requirements

minimum-session-security-ntlm-ssp-based-clients

recovery-console-allow-administrative-logon

kerberos_maximum_tolerance_computer_clock_synchronization

Remotely-accessible-registry-paths-and-sub-paths

minimum-session-security-ntlm-ssp-based-servers

recovery-console-allow-floppy-copy-access-all-drives-folders

shutdown-allow-system-shutdown-without-having-logon

shutdown-clear-virtual-memory-page

system-cryptography-use-fips-compliant-alorithm

system-objects-require-case-insesitivity

admin_approval_mode

behavior_elevation_prompt_administrators

behavior_elevation_prompt_standard_users

detect_application_installations_prompt_elevation

only_elevate_executables_signed_validated

system-objects-strengthen-default-permissions-internal-system-objects

only_elevate_uiaccess_applications

run_administrators_admin_approval_mode

switch_secure_desktop_prompting_elevation

virtualize_write_failures_per_user_locations

Access-Computer-From-Network-Administrators

Act-As-Part-Of-Operating-System-None

Allow-Log-On-Locally-Administrators-Users

Back-Up-Files-And-Directories-Administrators

Adjust-Memory-Quotas-Administrators-LocalService-NetworkService

Allow-Log-On-Through-Terminal-Services-Administrators-RemoteDesktopUsers

Create-Pagefile-Administrators

Create-Token-Object-None

Create-Permanent-Shared-Objects-None

Debug-Programs-None

Deny-Access-From-Network-Guests

Deny-Logon-As-Batch-Job-Guests

deny_logon_as_service_none

Deny-Logon-Locally-Guests

Bypass-Traverse-Checking-Administrators_Users_LocalService_NetworkService

Change-System-Time-LocalService-Administrators

Change-Time-Zone-Administrators_Users_LocalService

Create-Global-Objects-Administrators-SERVICE-LocalService-NetworkService

Deny-Logon-Through-Terminal-Services-Guest

Increase-Scheduling-Priority-Administrators

Load-And-Unload-Device-Drivers-Administrators

Lock-Pages-In-Memory-None

Log-On-As-Batch-Job-None

Log-On-As-Service-None

Modify-Object-Label-None

Force-Shutdown-From-Remote-System-Administrators

Generate-Security-Audits-LocalService-NetworkService

Impersonate-Client-After-Authentication-Administrators-SERVICE-LocalService-NetworkService

Increase-Process-Working-Set-Administrators_LocalService

Manage-Auditing-And-Security-Log-Administrators

Profile-Single-Process-Administrators

Profile-System-Performance-Administrators

Restore-Files-And-Directories-Administrators

Shut-Down-System-Administrators-Users

Synchronize-Directory-Service-Data-None

Take-Ownership-Of-Files-Administrators

wlan_autoconfig

Modify-Firmware-Environment-Values-Administrators

Perform-Volume-Maintenance-Tasks-Administrators

Remove-Computer-From-Docking-Station-Administrators-Users

Replace-Process-Level-Token-NetworkService-LocalService

turn_on_mapper_io_lltdio_driver

turn_on_responder_rspndr_driver

prohibit_installation_network_bridge

prohibit_internet_connection_firewall

prohibit_internet_connection_sharing

configuration_of_wireless_settings_using_windows_connect_now

turn_off_windows_error_reporting

Always-Use-Classic-Logon

approved_installation_sites_for_activex_controls

maximum_setup_log_size

Do-not-allow-drive-redirection

Set-client-connection-encryption-level

set_timelimit_for_disconnected_sessions

configure_ms_spynet_reporting

disable_logging

internet_explorer_maintenance_policy_processing_enabled

set_timelimit_for_active_but_idle_terminal_services_sessions

disable_windows_error_reporting

display_error_notification

do_not_send_additional_data

enable_user_control_over_installs

do_not_show_first_use_dialog_boxes

prevent_automatic_updates

prevent_desktop_shortcut_creation

password_protect_the_screen_saver

disable_ie_security_prompt_windows_installer_scripts

do_not_automatically_start_windows_messenger_initially

prevent_users_from_sharing_files_within_their_profile

application-group-management

application-group-management

computer-account-management

computer-account-management

distribution-group-management

distribution-group-management

other-account-management-events

other-account-management-events

security-group-management

security-group-management

user-account-management

user-account-management

dpapi-activity

dpapi-activity

process-creation

process-creation

process-termination

process-termination

rpc-events

rpc-events

detailed-directory-service-replication

detailed-directory-service-replication

directory-service-access

directory-service-access

directory-service-changes

directory-service-changes

directory-service-replication

directory-service-replication

account-lockout

account-lockout

ipsec-extended-mode

ipsec-extended-mode

ipsec-main-mode

ipsec-main-mode

ipsec-quick-mode

ipsec-quick-mode

logoff

logoff

logon

logon

other-logon-logoff-events

other-logon-logoff-events

special-logon

special-logon

application-generated

application-generated

certification-services

certification-services

file-share

file-share

file-system

file-system

filtering-platform-connection

filtering-platform-connection

filtering-platform-packet-drop

filtering-platform-packet-drop

handle-manipulation

handle-manipulation

kernel-object

kernel-object

other-object-access-events

other-object-access-events

registry

registry

sam

sam

policy_change_audit

policy_change_audit

authentication-policy-change

authentication-policy-change

authorization-policy-change

authorization-policy-change

filtering-platform-policy-change

filtering-platform-policy-change

mpssvc-rule-level-policy-change

mpssvc-rule-level-policy-change

other-policy-change-events

other-policy-change-events

non-sensitive-privilege-use

non-sensitive-privilege-use

other-privilege-use-events

other-privilege-use-events

sensitive-privilege-use

sensitive-privilege-use

ipsec-driver

ipsec-driver

other-system-events

other-system-events

security-state-change

security-state-change

security-system-extension

security-system-extension

system-integrity

system-integrity

disable_isatap_teredo_6to4_tunneling_protocols

disable_isatap_teredo_6to4_tunneling_protocols

disable_isatap_teredo_6to4_tunneling_protocols

turn_off_help_experience_improvement_program

turn_off_help_ratings

TBD

oval:gov.nist.fdcc.vista:def:6009

oval:gov.nist.fdcc.vista:def:6007

oval:gov.nist.fdcc.vista:def:6008

oval:gov.nist.fdcc.vista:def:27

oval:gov.nist.fdcc.vista:def:27

oval:gov.nist.fdcc.vista:def:29

oval:gov.nist.fdcc.vista:def:29

oval:gov.nist.fdcc.vista:def:30

oval:gov.nist.fdcc.vista:def:30

FDCC Windows Vista OVAL (fdcc-accepted-content-20080110\fdcc-winvista-oval.xml)

FDCC Windows Vista Firewall XCCDF (fdcc-accepted-content-20080110\fdcc-vistafirewall-xccdf.xml)

oval:gov.nist.fdcc.vista:def:32

oval:gov.nist.fdcc.vista:def:32

oval:gov.nist.fdcc.vista:def:34

oval:gov.nist.fdcc.vista:def:34

oval:gov.nist.fdcc.vista:def:35

oval:gov.nist.fdcc.vista:def:35

oval:gov.nist.fdcc.vista:def:36

oval:gov.nist.fdcc.vista:def:36

oval:gov.nist.fdcc.vista:def:40

oval:gov.nist.fdcc.vista:def:40

oval:gov.nist.fdcc.vista:def:37

oval:gov.nist.fdcc.vista:def:37

oval:gov.nist.fdcc.vista:def:197

oval:gov.nist.fdcc.vista:def:198

oval:gov.nist.fdcc.vista:def:199

oval:gov.nist.fdcc.vista:def:6002

oval:gov.nist.fdcc.vista:def:6003

oval:gov.nist.fdcc.vista:def:6006

oval:gov.nist.fdcc.vista:def:6004

oval:gov.nist.fdcc.vista:def:6001

oval:gov.nist.fdcc.vista:def:6005

oval:gov.nist.fdcc.vista:def:6601

oval:gov.nist.fdcc.vista:def:6595

oval:gov.nist.fdcc.vista:def:6071

oval:gov.nist.fdcc.vista:def:6070

oval:gov.nist.fdcc.vista:def:6106

oval:gov.nist.fdcc.vista:def:6020

oval:gov.nist.fdcc.vista:def:6042

oval:gov.nist.fdcc.vista:def:6041

oval:gov.nist.fdcc.vista:def:6054

oval:gov.nist.fdcc.vista:def:6574

oval:gov.nist.fdcc.vista:def:6057

oval:gov.nist.fdcc.vista:def:6055

oval:gov.nist.fdcc.vista:def:6063

oval:gov.nist.fdcc.vista:def:6039

oval:gov.nist.fdcc.vista:def:6058

oval:gov.nist.fdcc.vista:def:6056

oval:gov.nist.fdcc.vista:def:6059

oval:gov.nist.fdcc.vista:def:6061

oval:gov.nist.fdcc.vista:def:6066

oval:gov.nist.fdcc.vista:def:6069

oval:gov.nist.fdcc.vista:def:6064

oval:gov.nist.fdcc.vista:def:6022

oval:gov.nist.fdcc.vista:def:6023

oval:gov.nist.fdcc.vista:def:6050

oval:gov.nist.fdcc.vista:def:6024

oval:gov.nist.fdcc.vista:def:6025

oval:gov.nist.fdcc.vista:def:6040

oval:gov.nist.fdcc.vista:def:6030

oval:gov.nist.fdcc.vista:def:6031

oval:gov.nist.fdcc.vista:def:6032

oval:gov.nist.fdcc.vista:def:6038

oval:gov.nist.fdcc.vista:def:6049

oval:gov.nist.fdcc.vista:def:6044

oval:gov.nist.fdcc.vista:def:6027

oval:gov.nist.fdcc.vista:def:6047

oval:gov.nist.fdcc.vista:def:6048

oval:gov.nist.fdcc.vista:def:6051

oval:gov.nist.fdcc.vista:def:6052

oval:gov.nist.fdcc.vista:def:6043

oval:gov.nist.fdcc.vista:def:6029

oval:gov.nist.fdcc.vista:def:6034

oval:gov.nist.fdcc.vista:def:6033

oval:gov.nist.fdcc.vista:def:6035

oval:gov.nist.fdcc.vista:def:6046

oval:gov.nist.fdcc.vista:def:6036

oval:gov.nist.fdcc.vista:def:6021

oval:gov.nist.fdcc.vista:def:6028

oval:gov.nist.fdcc.vista:def:6037

oval:gov.nist.fdcc.vista:def:6045

oval:gov.nist.fdcc.vista:def:6053

oval:gov.nist.fdcc.vista:def:6072

oval:gov.nist.fdcc.vista:def:6073

oval:gov.nist.fdcc.vista:def:6074

oval:gov.nist.fdcc.vista:def:6075

oval:gov.nist.fdcc.vista:def:60771

oval:gov.nist.fdcc.vista:def:6079

oval:gov.nist.fdcc.vista:def:6080

oval:gov.nist.fdcc.vista:def:6081

oval:gov.nist.fdcc.vista:def:6708

oval:gov.nist.fdcc.vista:def:6599

oval:gov.nist.fdcc.vista:def:6564

oval:gov.nist.fdcc.vista:def:6563

oval:gov.nist.fdcc.vista:def:608243

oval:gov.nist.fdcc.vista:def:608244

oval:gov.nist.fdcc.vista:def:6077

oval:gov.nist.fdcc.vista:def:6067

oval:gov.nist.fdcc.vista:def:6068

oval:gov.nist.fdcc.vista:def:6062

oval:gov.nist.fdcc.vista:def:6566

oval:gov.nist.fdcc.vista:def:6565

domain_profile_firewall_state

domain_profile_log_dropped_packets

domain_profile_name

domain_profile_size_limit

domain_profile_logged_successful_connections

domain_profile_allow_unicast_response

domain_profile_inbound_connections

domain_profile_outbound_connections

domain_profile_apply_local_firewall_rules

private_profile_firewall_state

private_profile_inbound_connections

private_profile_outbound_connections

private_profile_display_notification

private_profile_allow_unicast_response

private_profile_apply_local_firewall_rules

public_profile_firewall_state

public_profile_inbound_connections

public_profile_outbound_connections

public_profile_display_notification

public_profile_allow_unicast_response

private_profile_apply_local_connection_security_rules

public_profile_apply_local_firewall_rules

oval:gov.nist.fdcc.vista:def:6561

oval:gov.nist.fdcc.vista:def:6568

oval:gov.nist.fdcc.vista:def:6569

oval:gov.nist.fdcc.vista:def:6570

oval:gov.nist.fdcc.vista:def:6571

oval:gov.nist.fdcc.vista:def:6572

public_profile_apply_local_connection_security_rules

oval:gov.nist.fdcc.vista:def:6573

oval:gov.nist.fdcc.vista:def:6575

oval:gov.nist.fdcc.vista:def:6596

oval:gov.nist.fdcc.vista:def:6714

oval:gov.nist.fdcc.vista:def:6502

oval:gov.nist.fdcc.vista:def:6503

oval:gov.nist.fdcc.vista:def:6504

oval:gov.nist.fdcc.vista:def:6026

oval:gov.nist.fdcc.vista:def:6662

oval:gov.nist.fdcc.vista:def:6666

oval:gov.nist.fdcc.vista:def:6667

oval:gov.nist.fdcc.vista:def:6668

oval:gov.nist.fdcc.vista:def:6669

oval:gov.nist.fdcc.vista:def:6674

oval:gov.nist.fdcc.vista:def:6675

oval:gov.nist.fdcc.vista:def:6676

oval:gov.nist.fdcc.vista:def:6679

oval:gov.nist.fdcc.vista:def:6680

oval:gov.nist.fdcc.vista:def:6681

oval:gov.nist.fdcc.vista:def:6682

oval:gov.nist.fdcc.vista:def:6567

oval:gov.nist.fdcc.vista:def:6696

oval:gov.nist.fdcc.vista:def:6684

oval:gov.nist.fdcc.vista:def:6697

oval:gov.nist.fdcc.vista:def:6687

oval:gov.nist.fdcc.vista:def:6688

oval:gov.nist.fdcc.vista:def:6689

oval:gov.nist.fdcc.vista:def:6690

oval:gov.nist.fdcc.vista:def:6694

oval:gov.nist.fdcc.vista:def:6107

oval:gov.nist.fdcc.vista:def:6109

oval:gov.nist.fdcc.vista:def:6110

oval:gov.nist.fdcc.vista:def:6704

oval:gov.nist.fdcc.vista:def:6705

oval:gov.nist.fdcc.vista:def:6118

oval:gov.nist.fdcc.vista:def:6119

oval:gov.nist.fdcc.vista:def:6122

oval:gov.nist.fdcc.vista:def:6123

oval:gov.nist.fdcc.vista:def:6124

oval:gov.nist.fdcc.vista:def:6125

oval:gov.nist.fdcc.vista:def:6126

oval:gov.nist.fdcc.vista:def:6127

oval:gov.nist.fdcc.vista:def:6129

oval:gov.nist.fdcc.vista:def:6130

oval:gov.nist.fdcc.vista:def:6131

oval:gov.nist.fdcc.vista:def:6698

oval:gov.nist.fdcc.vista:def:6703

ipv6_block_protocols_41

ipv6_block_udp_3544

oval:gov.nist.fdcc.vista:def:987651

oval:gov.nist.fdcc.vista:def:987652

oval:gov.nist.fdcc.vista:def:987653

oval:gov.nist.fdcc.vista:def:987654

oval:gov.nist.fdcc.vista:def:987655

oval:gov.nist.fdcc.vista:def:407

oval:gov.nist.fdcc.vista:def:116

oval:gov.nist.fdcc.vista:def:6076

oval:gov.nist.fdcc.vista:def:6094

oval:gov.nist.fdcc.vista:def:6095

oval:gov.nist.fdcc.vista:def:6096

oval:gov.nist.fdcc.vista:def:6097

oval:gov.nist.fdcc.vista:def:6098

oval:gov.nist.fdcc.vista:def:6099

oval:gov.nist.fdcc.vista:def:6100

oval:gov.nist.fdcc.vista:def:6101

oval:gov.nist.fdcc.vista:def:6102

oval:gov.nist.fdcc.vista:def:6104

oval:gov.nist.fdcc.vista:def:6105

oval:gov.nist.fdcc.vista:def:8081

oval:gov.nist.fdcc.vista:def:8082

oval:gov.nist.fdcc.vista:def:8083

oval:gov.nist.fdcc.vista:def:8084

oval:gov.nist.fdcc.vista:def:8085

oval:gov.nist.fdcc.vista:def:8086

oval:gov.nist.fdcc.vista:def:8087

oval:gov.nist.fdcc.vista:def:8088

oval:gov.nist.fdcc.vista:def:8089

oval:gov.nist.fdcc.vista:def:6607

oval:gov.nist.fdcc.vista:def:6609

oval:gov.nist.fdcc.vista:def:6612

oval:gov.nist.fdcc.vista:def:6613

oval:gov.nist.fdcc.vista:def:6616

oval:gov.nist.fdcc.vista:def:6617

oval:gov.nist.fdcc.vista:def:6621

oval:gov.nist.fdcc.vista:def:6623

oval:gov.nist.fdcc.vista:def:662381

oval:gov.nist.fdcc.vista:def:6624

oval:gov.nist.fdcc.vista:def:6625

oval:gov.nist.fdcc.vista:def:6626

oval:gov.nist.fdcc.vista:def:6627

oval:gov.nist.fdcc.vista:def:6628

oval:gov.nist.fdcc.vista:def:6630

oval:gov.nist.fdcc.vista:def:6631

oval:gov.nist.fdcc.vista:def:6633

oval:gov.nist.fdcc.vista:def:6634

oval:gov.nist.fdcc.vista:def:6636

oval:gov.nist.fdcc.vista:def:6638

oval:gov.nist.fdcc.vista:def:6639

oval:gov.nist.fdcc.vista:def:6640

oval:gov.nist.fdcc.vista:def:662391

oval:gov.nist.fdcc.vista:def:6641

oval:gov.nist.fdcc.vista:def:6642

oval:gov.nist.fdcc.vista:def:6643

oval:gov.nist.fdcc.vista:def:6644

oval:gov.nist.fdcc.vista:def:6647

oval:gov.nist.fdcc.vista:def:6648

oval:gov.nist.fdcc.vista:def:662371

oval:gov.nist.fdcc.vista:def:6649

oval:gov.nist.fdcc.vista:def:6650

oval:gov.nist.fdcc.vista:def:6651

oval:gov.nist.fdcc.vista:def:6652

oval:gov.nist.fdcc.vista:def:6653

oval:gov.nist.fdcc.vista:def:6654

oval:gov.nist.fdcc.vista:def:6655

oval:gov.nist.fdcc.vista:def:6657

oval:gov.nist.fdcc.vista:def:6658

oval:gov.nist.fdcc.vista:def:6659

oval:gov.nist.fdcc.vista:def:61481

oval:gov.nist.fdcc.vista:def:6660

oval:gov.nist.fdcc.vista:def:6661

oval:gov.nist.fdcc.vista:def:3366991

oval:gov.nist.fdcc.vista:def:3366992

oval:gov.nist.fdcc.vista:def:3366993

oval:gov.nist.fdcc.vista:def:6665

oval:gov.nist.fdcc.vista:def:6671

oval:gov.nist.fdcc.vista:def:6683

oval:gov.nist.fdcc.vista:def:6686

oval:gov.nist.fdcc.vista:def:6695

oval:gov.nist.fdcc.vista:def:19898

oval:gov.nist.fdcc.vista:def:6598

oval:gov.nist.fdcc.vista:def:6600

oval:gov.nist.fdcc.vista:def:6726

oval:gov.nist.fdcc.vista:def:6725

oval:gov.nist.fdcc.vista:def:6727

oval:gov.nist.fdcc.vista:def:6114

oval:gov.nist.fdcc.vista:def:6115

oval:gov.nist.fdcc.vista:def:3366994

oval:gov.nist.fdcc.vista:def:6117

oval:gov.nist.fdcc.vista:def:6120

oval:gov.nist.fdcc.vista:def:6121

oval:gov.nist.fdcc.vista:def:612261221

oval:gov.nist.fdcc.vista:def:612261222

oval:gov.nist.fdcc.vista:def:612261223

oval:gov.nist.fdcc.vista:def:612261224

oval:gov.nist.fdcc.vista:def:6707

oval:gov.nist.fdcc.vista:def:6715

oval:gov.nist.fdcc.vista:def:8001

oval:gov.nist.fdcc.vista:def:8001

oval:gov.nist.fdcc.vista:def:8002

oval:gov.nist.fdcc.vista:def:8002

oval:gov.nist.fdcc.vista:def:8003

oval:gov.nist.fdcc.vista:def:8003

oval:gov.nist.fdcc.vista:def:8004

oval:gov.nist.fdcc.vista:def:8004

oval:gov.nist.fdcc.vista:def:8005

oval:gov.nist.fdcc.vista:def:8005


domain_profile_display_notification

private_profile_log_dropped_packets

private_profile_name

private_profile_size_limit

public_profile_log_dropped_packets

private_profile_logged_successful_connections

public_profile_name

public_profile_size_limit

oval:gov.nist.fdcc.vista:def:6566666

oval:gov.nist.fdcc.vista:def:6566666

oval:gov.nist.fdcc.vista:def:6566666

oval:gov.nist.fdcc.vista:def:8091

public_profile_logged_successful_connections

oval:gov.nist.fdcc.vista:def:8090

TBD

FDCC Windows Vista Firewall OVAL (fdcc-accepted-content-20080110\fdcc-vistafirewall-oval.xml)


CCE ID | Old v4 CCE Id | CCE Description | CCE Parameters

CCE-3062-7 | CCE-898 | The "deny access to this computer from the network" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3322-5 | CCE-532 | The "access this computer from the network" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3490-0 | CCE-162 | The "act as part of the operating system" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-2869-6 | CCE-931 | The "back up files and directories" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3375-3 | CCE-376 | The "bypass traverse checking" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3397-7 | CCE-799 | The "change the system time" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3538-6 | CCE-895 | The "create a pagefile" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3498-3 | CCE-926 | The "Create a token object" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3269-8 | CCE-335 | The "create permanent shared objects" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-2576-7 | CCE-842 | The "debug programs" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3359-7 | CCE-754 | The "force shutdown from a remote system" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3491-8 | CCE-939 | The "generate security audits" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3147-6 | CCE-807 | The "adjust memory quotas for a process" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3539-4 | CCE-349 | The "increase scheduling priority" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3293-8 | CCE-860 | The "load and unload device drivers" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-2936-3 | CCE-749 | The "lock pages in memory" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3191-4 | CCE-177 | The "log on as a batch job" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3332-4 | CCE-216 | The "log on as a service" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3557-6 | CCE-965 | The "log on locally" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3575-8 | CCE-850 | The "manage auditing and security log" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3218-5 | CCE-17 | The "modify firmware environment values" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-2861-3 | CCE-260 | The "profile single process" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3002-3 | CCE-599 | The "profile system performance" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-2663-3 | CCE-656 | The "remove computer from docking station" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3447-0 | CCE-667 | The "replace a process-level token" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3465-2 | CCE-553 | The "restore files and directories" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3346-4 | CCE-839 | The "shut down the system" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-2848-0 | CCE-492 | The "take ownership of files or other objects" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3368-8 | CCE-381 | The "synchronize directory service data" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3531-1 | CCE-64 | The "deny logon locally" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3473-6 | CCE-15 | The "enable computer and user accounts to be trusted for delegation" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3354-8 | CCE-183 | The "add workstations to domain" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3499-1 | CCE-883 | The "allow logon through Terminal Services" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-2649-2 | CCE-165 | The "deny logon as a batch job" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3543-6 | CCE-597 | The "deny logon as a service" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3438-9 | CCE-108 | The "deny logon through Terminal Services" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3319-1 | CCE-314 | The "perform volume maintenance tasks" user right should be assigned to the correct accounts. | (1) set of accounts

CCE-3574-1 | CCE-733 | The "reset account lockout counter after" policy should meet minimum requirements. | (1) number of minutes

CCE-2627-8 | CCE-980 | The "account lockout duration" policy should meet minimum requirements. | (1) number of minutes

CCE-3551-9 | CCE-658 | The "account lockout threshold" policy should meet minimum requirements. | (1) number of attempts

CCE-3321-7 | CCE-2628 | Auditing of "account logon" events on success should be enabled or disabled as appropriate. | enabled/disabled

CCE-3467-8 | CCE-2543 | Auditing of "account logon" events on failure should be enabled or disabled as appropriate. | enabled/disabled

CCE-3427-2 | CCE-2000 | Auditing of "account management" events on success should be enabled or disabled as appropriate. | enabled/disabled

CCE-3449-6 | CCE-1646 | Auditing of "account management" events on failure should be enabled or disabled as appropriate. | enabled/disabled

CCE-2827-4 | CCE-2118 | Auditing of "directory service access" events on success should be enabled or disabled as appropriate. | enabled/disabled

CCE-3101-3 | CCE-2390 | Auditing of "directory service access" events on failure should be enabled or disabled as appropriate. | enabled/disabled

CCE-3603-8 | CCE-1686 | Auditing of "logon" events on success should be enabled or disabled as appropriate. | enabled/disabled

CCE-3391-0 | CCE-1744 | Auditing of "logon" events on failure should be enabled or disabled as appropriate. | enabled/disabled

CCE-3286-2 | CCE-2640 | Auditing of "object access" events on success should be enabled or disabled as appropriate. | enabled/disabled

CCE-3290-4 | CCE-1991 | Auditing of "object access" events on failure should be enabled or disabled as appropriate. | enabled/disabled

CCE-3546-9 | CCE-2412 | Auditing of "policy change" events on success should be enabled or disabled as appropriate. | enabled/disabled

CCE-3312-6 | CCE-2347 | Auditing of "policy change" events on failure should be enabled or disabled as appropriate. | enabled/disabled

CCE-3211-0 | CCE-2431 | Auditing of "privilege use" events on success should be enabled or disabled as appropriate. | enabled/disabled

CCE-3383-7 | CCE-2584 | Auditing of "privilege use" events on failure should be enabled or disabled as appropriate. | enabled/disabled

CCE-3510-5 | CCE-2529 | Auditing of "process tracking" events on success should be enabled or disabled as appropriate. | enabled/disabled

CCE-3453-8 | CCE-2617 | Auditing of "process tracking" events on failure should be enabled or disabled as appropriate. | enabled/disabled

CCE-3594-9 | CCE-2420 | Auditing of "system" events on success should be enabled or disabled as appropriate. | enabled/disabled

CCE-3611-1 | CCE-1680 | Auditing of "system" events on failure should be enabled or disabled as appropriate. | enabled/disabled

CCE-2884-5 | CCE-396 | The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly. | (1) enabled/disabled

CCE-3281-3 | CCE-299 | The "restrict guest access to application log" policy should be set correctly. | (1) enabled/disabled

CCE-3550-1 | CCE-185 | The application log maximum size should be configured correctly. | (1) size of file

CCE-3567-5 | CCE-951 | If the Application log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep. | (1) number of days

CCE-2946-2 | CCE-462 | The "restrict guest access to security log" policy should be set correctly. | (1) enabled/disabled

CCE-3343-1 | CCE-757 | The security log maximum size should be configured correctly. | (1) size of file

CCE-3484-3 | CCE-523 | The "when maximum log size is reached" property should be set correctly for the Security log. | type of retention

CCE-3127-8 | CCE-682 | If the Security log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep. | (1) number of days

CCE-3488-4 | CCE-726 | The "restrict guest access to system log" policy should be set correctly. | (1) enabled/disabled

CCE-3506-3 | CCE-735 | The system log maximum size should be configured correctly. | (1) size of file

CCE-3422-3 | CCE-664 | The "when maximum log size is reached" property should be set correctly for the System log. | type of retention

CCE-3512-1 | CCE-210 | If the System log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep. | (1) number of days

CCE-3530-3 | CCE-871 | The "maximum password age" policy should meet minimum requirements. | (1) number of days

CCE-3548-5 | CCE-324 | The "minimum password age" policy should meet minimum requirements. | (1) number of days

CCE-3424-9 | CCE-100 | The "minimum password length" policy should meet minimum requirements. | (1) number of days

CCE-3442-1 | CCE-633 | The "password must meet complexity requirements" policy should be set correctly. | (1) enabled/disabled

CCE-3446-2 | CCE-60 | The "enforce password history" policy should meet minimum requirements. | (1) number of passwords remembered

CCE-2644-3 | CCE-479 | The "store password using reversible encryption for all users in the domain" policy should be set correctly. | (1) enabled/disabled

CCE-3635-0 | CCE-487 | The startup type of the Alerter service should be correct. | (1) disabled/manual/automatic

CCE-2671-6 | CCE-496 | The startup type of the Automatic Update service should be correct. | (1) disabled/manual/automatic

CCE-3200-3 | CCE-148 | The startup type of the Background Intelligent Transfer Service (BITS) service should be correct. | (1) disabled/manual/automatic

CCE-3350-6 | CCE-954 | The startup type of the ClipBook service should be correct. | (1) disabled/manual/automatic

CCE-3565-9 | CCE-78 | The startup type of the Fax service should be correct. | (1) disabled/manual/automatic

CCE-3582-4 | CCE-712 | The startup type of the FTP Publishing service should be correct. | (1) disabled/manual/automatic

CCE-3353-0 | CCE-311 | The startup type of the IIS Admin service should be correct. | (1) disabled/manual/automatic

CCE-3618-6 | CCE-738 | The startup type of the Indexing service should be correct. | (1) disabled/manual/automatic

CCE-3494-2 | CCE-729 | The startup type of the Messenger service should be correct. | (1) disabled/manual/automatic

CCE-3640-0 | CCE-650 | The startup type of the .NET Framework service should be correct. | (1) disabled/manual/automatic

CCE-2909-0 | CCE-232 | The startup type of the NetMeeting Remote Desktop Sharing service should be correct. | (1) disabled/manual/automatic

CCE-3552-7 | CCE-857 | The startup type of the Print Services for Unix service should be correct. | (1) disabled/manual/automatic

CCE-3428-0 | CCE-267 | The startup type of the Remote Access Auto connection Manager service should be correct. | (1) disabled/manual/automatic

CCE-3556-8 | CCE-663 | The startup type of the Remote Desktop Help Session Manager service should be correct. | (1) disabled/manual/automatic

CCE-2678-1 | CCE-672 | The startup type of the Internet Connection Sharing service should be correct. | (1) disabled/manual/automatic

CCE-3612-9 | CCE-73 | The startup type of the Remote Registry service should be correct. | (1) disabled/manual/automatic

CCE-3621-0 | CCE-223 | The startup type of the Routing and Remote Access service should be correct. | (1) disabled/manual/automatic

CCE-3602-0 | CCE-522 | The startup type of the Remote Shell service should be correct. | (1) disabled/manual/automatic

CCE-3497-5 | CCE-531 | The startup type of the Simple TCP/IP service should be correct. | (1) disabled/manual/automatic

CCE-3386-0 | CCE-870 | The startup type of the Simple Mail Transport Protocol (SMTP) service should be correct. | (1) disabled/manual/automatic

CCE-3532-9 | CCE-975 | The startup type of the SNMP Service service should be correct. | (1) disabled/manual/automatic

CCE-3536-0 | CCE-892 | The startup type of the SNMP Trap Service service should be correct. | (1) disabled/manual/automatic

CCE-3541-0 | CCE-940 | The startup type of the SSDP Discovery service should be correct. | (1) disabled/manual/automatic

CCE-3558-4 | CCE-40 | The startup type of the Task Scheduler service should be correct. | (1) disabled/manual/automatic

CCE-3078-3 | CCE-75 | The startup type of the Telnet service should be correct. | (1) disabled/manual/automatic

CCE-2832-4 | CCE-974 | The startup type of the Terminal Services service should be correct. | (1) disabled/manual/automatic

CCE-3475-1 | CCE-608 | The startup type of the Universal Plug and Play Device Host (UPnP) service should be correct. | (1) disabled/manual/automatic

CCE-3492-6 | CCE-758 | The startup type of the World Wide Web Publishing service should be correct. | (1) disabled/manual/automatic

CCE-3633-5 | CCE-559 | The startup type of the Automatic Update service should be correct. | (1) disabled/manual/automatic

CCE-3638-4 | CCE-445 | The startup type of the Background Intelligent Transfer Service (BITS) service should be correct. | (1) disabled/manual/automatic

CCE-3175-7 | CCE-115 | The startup type of the Print Services for Unix service should be correct. | (1) disabled/manual/automatic

CCE-2695-5 | CCE-669 | The correct service permissions for the Alerter service should be assigned. | (1) set of accounts (2) list of permissions

CCE-3637-6 | CCE-889 | The correct service permissions for the Automatic Updates service should be assigned. | (1) set of accounts (2) list of permissions

CCE-3642-6 | CCE-476 | The correct service permissions for the ClipBook service should be assigned. | (1) set of accounts (2) list of permissions

CCE-3664-0 | CCE-87 | The correct service permissions for the Fax service should be assigned. | (1) set of accounts (2) list of permissions

CCE-3435-5 | CCE-4 | The correct service permissions for the FTP Publishing service should be assigned. | (1) set of accounts (2) list of permissions

CCE-3580-8 | CCE-792 | The correct service permissions for the IIS Admin service should be assigned. | (1) set of accounts (2) list of permissions

CCE-3474-4 | CCE-444 | The correct service permissions for the Indexing service should be assigned. | (1) set of accounts (2) list of permissions

CCE-3496-7 | CCE-79 | The correct service permissions for the Messenger service should be assigned. | (1) set of accounts (2) list of permissions

CCE-3483-5 | CCE-21 | The correct service permissions for the NetMeeting service should be assigned. | (1) set of accounts (2) list of permissions

CCE-3254-0 | CCE-109 | The correct service permissions for the Printer service should be assigned. | (1) set of accounts (2) list of permissions

CCE-3523-8 | CCE-157 | The startup type of the Remote Access Auto connection Manager service should be correct. | (1) disabled/manual/automatic

CCE-3673-1 | CCE-915 | The correct service permissions for the Remote Desktop Help Session Manager service should be assigned. | (1) set of accounts (2) list of permissions

CCE-3193-0 | CCE-219 | The correct service permissions for the Remote Registry service should be assigned. | (1) set of accounts (2) list of permissions

CCE-3461-1 | CCE-426 | The correct service permissions for the SMTP service should be assigned. | (1) set of accounts (2) list of permissions

CCE-3355-5 | CCE-56 | The correct service permissions for the SNMP service should be assigned. | (1) set of accounts (2) list of permissions

CCE-2687-2 | CCE-521 | The correct service permissions for the SNMP Trap service should be assigned. | (1) set of accounts (2) list of permissions

CCE-3583-2 | CCE-944 | The correct service permissions for the Telnet service should be assigned. | (1) set of accounts (2) list of permissions

CCE-3226-8 | CCE-605 | The correct service permissions for the Terminal Services service should be assigned. | (1) set of accounts (2) list of permissions

CCE-3569-1 | CCE-143 | The correct service permissions for the WWW Publishing service should be assigned. | (1) set of accounts (2) list of permissions

CCE-3591-5 | CCE-195 | The behavior surrounding Anonymous users' ability to display lists of SAM accounts and shares should be correct. | (1) restricted/unrestricted

CCE-3631-9 | CCE-318 | The behavior surrounding Anonymous users' ability to display lists of SAM accounts should be correct. | (1) restricted/unrestricted

CCE-3402-5 | CCE-953 | The behavior surrounding Anonymous SID/Name translation should be correct. | (1) enabled/disabled

CCE-3525-3 | CCE-653 | The "Anonymous access to the security event log" policy should be set correctly. | (1) exist/not exist (2) enabled/disabled

CCE-2908-2 | CCE-332 | Use of the built-in Guest account should be enabled or disabled as appropriate. | (1) enabled/disabled

CCE-2790-4 | CCE-23 | The "Message title for users attempting to log on" policy should be set correctly. | (1) text caption

CCE-3672-3 | CCE-829 | The "Message text for users attempting to log on" policy should be set correctly. | (1) text statement

CCE-3690-5 | CCE-283 | Automatic Logon should be properly configured. | (1) enabled/disabled

CCE-3597-2 | CCE-44 | Autoplay on all Drive Types should be properly configured. | (1) enabled/disabled

CCE-3725-9 | CCE-150 | ICMP Redirects should be properly configured. | (1) enabled/ignored

CCE-3227-6 | CCE-564 | IP Source Routing should be properly configured. | (1) enabled/disabled

CCE-3509-7 | CCE-952 | IRDP should be properly configured. | (1) enabled/disabled

CCE-3527-9 | CCE-65 | Display Last User Name in Logon Screen should be properly configured. | (1) enabled/disabled

CCE-2919-9 | CCE-897 | TCP/IP Dead Gateway Detection should be properly configured. | (1) enabled/disabled

CCE-2812-6 | CCE-188 | The TCP/IP KeepAlive Time should be set correctly. | (1) number of milliseconds

CCE-2817-5 | CCE-817 | TCP/IP NetBIOS Name Release on Request Prevented should be properly configured. | (1) enabled/disabled

CCE-3739-0 | CCE-998 | TCP/IP PMTU Discovery should be properly configured. | (1) enabled/disabled

CCE-3616-0 | CCE-284 | TCP/IP SYN Flood Attack Protection should be properly configured. | (1) enabled/disabled

CCE-3757-2 | CCE-156 | Disable saving of dial-up passwords should be properly configured. | (1) enabled/disabled

CCE-3796-0 | CCE-601 | The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly. | (1) enabled/disabled

CCE-3514-7 | CCE-614 | The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly. | (1) enabled/disabled

CCE-3778-8 | CCE-271 | Safe DLL Search Mode should be properly configured. | (1) enabled/disabled

CCE-3549-3 | CCE-707 | Always Wait for the Network at Computer Startup and Logon should be properly configured. | (1) enabled/disabled

CCE-3298-7 | CCE-50 | Background Refresh of Group Policy should be properly configured. | (1) enabled/disabled

CCE-3443-9 | CCE-896 | Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured. | (1) enabled/disabled

CCE-3708-5 | CCE-574 | Disallow Installation of Printers Using Kernel-mode Drivers should be properly configured. | (1) enabled/disabled

CCE-3479-3 | CCE-257 | The "Allow Server Operators to Schedule Tasks" policy should be set correctly. | (1) enabled/disabled

CCE-2853-0 | CCE-438 | The built-in Administrator account should be correctly named. | (1) valid names

CCE-3743-2 | CCE-834 | The built-in Guest account should be correctly named. | (1) valid names

CCE-3761-4 | CCE-222 | The amount of idle time required before disconnecting a session should be set correctly. | (1) number of minutes

CCE-3774-7 | CCE-2 | The "Audit the access of global system objects" policy should be set correctly. | (1) enabled/disabled

CCE-3814-1 | CCE-905 | The "Audit the use of backup and restore privilege" policy should be set correctly. | (1) enabled/disabled

CCE-3060-1 | CCE-133 | The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly. | (1) enabled/disabled

CCE-3703-6 | CCE-719 | The "LAN Manager Authentication Level" policy should be set correctly. | (1) authentication level

CCE-3769-7 | CCE-402 | The "Prevent Users from Installing Printer Drivers" policy should be set correctly. | (1) enabled/disabled

CCE-3659-0 | CCE-410 | The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly. | (1) enabled/disabled

CCE-3676-4 | CCE-76 | The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly. | (1) enabled/disabled

CCE-3694-7 | CCE-565 | The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly. | (1) enabled/disabled

CCE-2822-5 | CCE-463 | The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly. | (1) enabled/disabled

CCE-2963-7 | CCE-508 | The "Strengthen Default Permissions of Global System Objects" policy should be set correctly. | (1) enabled/disabled

CCE-3478-5 | CCE-417 | The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly. | (1) enabled/disabled

CCE-2870-4 | CCE-228 | The "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly. | (1) enabled/disabled

CCE-3787-9 | CCE-413 | The "Unsigned Driver Installation Behavior" policy should be set correctly. | (1) behavior

CCE-3804-2 | CCE-814 | The "Users Prompted to Change Password Before Expiration" policy should be set correctly. | (1) number of days prior to expiration

CCE-3430-6 | CCE-92 | The "Shut Down system immediately if unable to log security audits" policy should be set correctly. | (1) enabled/disabled

CCE-3448-8 | CCE-224 | The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly. | (1) enabled/disabled

CCE-3593-1 | CCE-422 | The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly. | (1) enabled/disabled

CCE-3652-5 | CCE-576 | The "Digitally Sign Client Communication (Always)" policy should be set correctly. | (1) enabled/disabled

CCE-3295-3 | CCE-171 | The "Digitally Sign Server Communication (Always)" policy should be set correctly. | (1) enabled/disabled

CCE-3189-8 | CCE-104 | The "Digitally Sign Server Communication (When Possible)" policy should be set correctly. | (1) enabled/disabled

CCE-3709-3 | CCE-773 | The "Number of Previous Logons to Cache" policy should be set correctly. | (1) number of logons

CCE-3586-5 | CCE-919 | The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly. | (1) Group(s)

CCE-3731-7 | CCE-549 | The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly. | (1) enabled/disabled

CCE-3370-4 | CCE-161 | The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly. | (1) enabled/disabled

CCE-3511-3 | CCE-918 | The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly. | (1) enabled/disabled

CCE-3674-9 | CCE-443 | The "Smart Card Removal Behavior" policy should be set correctly. | (1) behavior

CCE-3441-3 | CCE-55 | The "Use FIPS compliant algorithms for encryption, hashing, and signing" policy should be set correctly. | (1) enabled/disabled

CCE-2947-0 | CCE-575 | The "Default owner for objects created by members of the Administrators group" policy should be set correctly. | (1) enabled/disabled

CCE-3714-3 | CCE-300 | The "Require Case Insensitivity for Non-Windows Subsystems" policy should be set correctly. | (1) enabled/disabled

CCE-3357-1 | CCE-533 | The "Limit local account user of blank passwords to console logon only" policy should be set correctly. | (1) enabled/disabled

CCE-3613-7 | CCE-186 | The "Allow undock without having to logon" policy should be set correctly. | (1) enabled/disabled

CCE-3801-8 | CCE-710 | The "LDAP server signing requirements" policy should be set correctly. | (1) enabled/disabled

CCE-2819-1 | CCE-732 | The "LDAP client signing requirements" policy should be set correctly. | (1) enabled/disabled

CCE-3605-3 | CCE-490 | The "Refuse machine account password change" policy should be set correctly. | (1) enabled/disabled

CCE-2984-3 | CCE-194 | The "Maximum machine account password age" policy should be set correctly. | (1) enabled/disabled

CCE-3504-8 | CCE-374 | The "Require Domain Controller authentication to unlock workstation" policy should be set correctly. | (1) enabled/disabled

CCE-3773-9 | CCE-278 | The "Disconnect clients when logon hours expire" policy should be set correctly. | (1) enabled/disabled

CCE-3420-7 | CCE-542 | The "Do not allow storage of credentials or .NET Passports" policy should be set correctly. | (1) enabled/disabled

CCE-3817-4 | CCE-18 | The "Let Everyone permissions apply to anonymous users" policy should be set correctly. | (1) enabled/disabled

CCE-3711-9 | CCE-136 | The "Named Pipes that can be accessed anonymously" policy should be set correctly. | (1) enabled/disabled

CCE-3729-1 | CCE-189 | The "Remotely accessible registry paths" policy should be set correctly. | (1) set of paths

CCE-3592-3 | CCE-942 | The "Shares that can be accessed anonymously" policy should be set correctly. | (1) set of shares

CCE-3112-0 | CCE-343 | The "Sharing and security model for local accounts" policy should be set correctly. | (1) Classic/Guest only

CCE-3632-7 | CCE-233 | The "Do not store LAN Manager hash value on next password change" policy should be set correctly. | (1) enabled/disabled

CCE-3719-2 | CCE-775 | The "Force logoff when logon hours expire" policy should be set correctly. | (1) enabled/disabled

CCE-3614-5 | CCE-674 | The "Minimum session security for NTLM SSP based clients" policy should be set correctly. | (1) enabled/disabled

CCE-3759-8 | CCE-766 | The "Minimum session security for NTLM SSP based servers" policy should be set correctly. | (1) enabled/disabled

CCE-3526-1 | CCE-764 | The "Current user screensaver" policy should be set correctly. | (1) enabled/disabled

CCE-3764-8 | CCE-830 | The "Current user screensaver timeout" policy should be set correctly. | (1) time in seconds

CCE-3781-2 | CCE-949 | The "Current user screensaver secure" policy should be set correctly. | (1) enabled/disabled

CCE-3799-4 | CCE-742 | The "Current user screensaver active" policy should be set correctly. | (1) enabled/disabled

CCE-3693-9 | CCE-517 | The "Default user screensaver timeout" policy should be set correctly. | (1) time in seconds

CCE-3698-8 | CCE-433 | The "Default user screensaver secure" policy should be set correctly. | (1) enabled/disabled

CCE-3715-0 | CCE-103 | The "Default user screensaver active" policy should be set correctly. | (1) enabled/disabled

CCE-3609-5 | CCE-54 | The "Current user screensaver" policy should be set correctly. | (1) enabled/disabled

CCE-3253-2 | CCE-221 | The "Current user screensaver timeout" policy should be set correctly. | (1) time in seconds

CCE-2900-9 | CCE-235 | The "Current user screensaver secure" policy should be set correctly. | (1) enabled/disabled

CCE-3671-5 | CCE-287 | The "Current user screensaver active" policy should be set correctly. | (1) enabled/disabled

CCE-3182-3 | CCE-442 | The "password protect the screen saver" setting should be configured correctly. | (1) enabled/disabled

CCE-3534-5 | CCE-481 | The "Screen Saver timeout" should be set correctly. | (1) enabled/disabled (2) number of seconds

CCE-3794-5 | CCE-736 | The "Always Install with Elevated Privileges" policy should be set correctly. | (1) enabled/disabled

CCE-3547-7 | CCE-415 | The "Enable User Control Over Installs" policy should be set correctly. | (1) enabled/disabled

CCE-3190-6 | CCE-794 | The "Enable User to Browse for Source While Elevated" policy should be set correctly. | (1) enabled/disabled

CCE-3587-3 | CCE-107 | The "Enable User to Use Media Source While Elevated" policy should be set correctly. | (1) enabled/disabled

CCE-2837-3 | CCE-256 | The "Allow Administrator to Install from Terminal Services Session" policy should be set correctly. | (1) enabled/disabled

CCE-3803-4 | CCE-662 | The "Enable User to Patch Elevated Products" policy should be set correctly. | (1) enabled/disabled

CCE-3702-8 | CCE-424 | The "Cache Transforms in Secure Location" policy should be set correctly. | (1) enabled/disabled

CCE-3720-0 | CCE-455 | The "Disable Media Player for automatic updates" policy should be set correctly. | (1) enabled/disabled

CCE-2863-9 | CCE-124 | The "Prevent Codec Download" policy should be set correctly for Windows MediaPlayer. | (1) enabled/disabled

CCE-3636-8 | CCE-525 | Internet access for Windows Messenger should be configured correctly. | (1) enabled/disabled

CCE-3658-2 | CCE-802 | The "Do Not Allow Windows Messenger to be Run" policy should be set correctly. | (1) enabled/disabled

CCE-3306-8 | CCE-309 | The "Do Not Automatically Start Windows Messenger" policy should be set correctly. | (1) enabled/disabled

CCE-3728-3 | CCE-785 | The "Hide Property Pages" policy should be set correctly for the Task Scheduler. | (1) enabled/disabled

CCE-3746-5 | CCE-578 | The "Prohibit New Task Creation" policy should be set correctly for the Task Scheduler. | (1) enabled/disabled

CCE-3654-1 | CCE-507 | The "Limit Users to One Remote Session" policy should be set correctly for Terminal Services. | (1) enabled/disabled

CCE-3786-1 | CCE-80 | The "Limit Number of Connections" policy should be set correctly for Terminal Services. | (1) Maximum number of connections allowed

CCE-3790-3 | CCE-401 | The "Do Not Allow New Client Connections" policy should be set correctly for Terminal Services. | (1) enabled/disabled

CCE-3808-3 CCE-824 (1) enabled/disabled

CCE-3848-9 CCE-190 (1) enabled/disabled

CCE-3666-5 CCE-855 (1) enabled/disabled

CCE-3812-5 CCE-397 (1) encryption level

CCE-3710-1 CCE-670 (1) enabled/disabled

CCE-3627-7 CCE-961 (1) enabled/disabled

CCE-2875-3 CCE-920

CCE-3665-7 CCE-123

CCE-3683-0 CCE-524 (1) enabled/disabled

CCE-3577-4 CCE-568 (1) enabled/disabled

The "Do Not Allow Local Administrators to Customize Permissions" policy should be set correctly for Terminal Services.

The "Remote Control Settings" policy should be set correctly for Terminal Services.

The "Always Prompt Client for Password upon Connection" policy should be set correctly for Terminal Services.

The "Set Client connection Encryption Level" policy should be set correctly for Terminal Services.

The "Do not Use Temp folders per Session" policy should be set correctly for Terminal Services.

The "Do not Delete Temp folder on exit" policy should be set correctly for Terminal Services.

The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.

(1) Time Limit (minutes)

The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.

(1) Time limit (minutes)

The "Allow Reconnection from Original Client Only" policy should be set correctly for Terminal Services.

The "Terminate session when time limits are reached" policy should be set correctly for Terminal Services.

CCE-3828-1 CCE-705 (1) enabled/disabled

CCE-3599-8 CCE-859 (1) enabled/disabled

CCE-3617-8 CCE-434 (1) enabled/disabled

CCE-3758-0 CCE-592 (1) enabled/disabled

CCE-3700-2 CCE-227 (1) enabled/disabled

CCE-3237-5 CCE-6

CCE-3625-1 CCE-37 (1) number of hours

CCE-3396-9 CCE-588

CCE-3788-7 CCE-420

CCE-3806-7 CCE-861

CCE-3608-7 CCE-244

CCE-3740-8 CCE-306

CCE-3277-1 CCE-641

The "Enable Keep-Alive Messages" policy should be set correctly for Terminal Services.

The "Allow Solicited Remote Assistance" policy should be set correctly for Terminal Services.

The "Allow Unsolicited Remote Assistance" policy should be set correctly for Terminal Services.

The "Enable Error Reporting" policy should be set correctly.

The "Enforce user logon restrictions" policy should be set correctly.

The "Maximum Service Ticket Lifetime" policy should be set correctly.

(1) number of minutes

The "Maximum User Ticket Lifetime" policy should be set correctly.

The "Maximum tolerance for computer clock synchronization" policy should be set correctly.

(1) number of minutes

Removable storage should have correct permissions set

The "Allow automatic updates immediate installation" should be set correctly

The "Automatic Updates detection frequency" should be set correctly

The "Configure Automatic Updates" should be set correctly

The "No auto-restart for scheduled Automatic Updates installations

CCE-3661-6 CCE-804

CCE-3730-9 CCE-932

CCE-3250-8 CCE-418

CCE-3413-2 CCE-5 (1) enabled/disabled

CCE-3039-5 CCE-146 (1) enabled/disabled

CCE-3810-9 CCE-212 (1) enabled/disabled

The "Reschedule Automatic Updates scheduled installations" should be set correctly

The "Specify intranet Microsoft update service location" should be set correctly

MSS: TCPMaxPortsExhausted, How many dropped connect requests to initiate SYN attack protection.

The "Security Zones: Use Only Machine Settings" setting should be configured correctly.

The "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly.

The "Disable Periodic Check For Internet Explorer Software Updates" setting should be configured correctly.

CCE-3832-3 CCE-622 (1) enabled/disabled

CCE-3598-0 CCE-684 (1) enabled/disabled

CCE-3713-5 CCE-693

CCE-3480-1 CCE-833 (1) enabled/disabled

The "Disable Software Update Shell Notifications on Program Launch" setting should be configured correctly.

The "Disable Automatic Install of Internet Explorer Components" setting should be configured correctly.

The "Make Proxy Settings Per-Machine (Rather Than Per-User)" setting should be configured correctly.

(1) number of proxy settings

The "Security Zones: Do Not Allow Users to Change Policies" setting should be configured correctly.

CCE Technical Mechanisms

….

….

….

Microsoft Security Guide for Windows

Server 2003

(1) defined by the SeDenyNetworkLogonRight setting in Local or Group Policy

Table 3.28 Deny access to this computer from the network: ANONYMOUS LOGON; Built-in Administrator, Guests; Support_388945a0; Guest; all NON-Operating System service accounts (Legacy Client, Enterprise Client, and High Security)

(1) defined by the SeNetworkLogonRight setting in Local or Group Policy

Table 4.2 Access this computer from the network: Administrators, Authenticated Users, Enterprise Domain Controllers (High Security); Legacy Client and Enterprise Client are not defined

(1) defined by the SeTcbPrivilege setting in Local or Group Policy

Table 3.21 Act as part of the operating system: Not defined (Legacy Client and Enterprise Client); revoke all security groups and accounts (High Security)

(1) defined by the SeBackupPrivilege setting in Local or Group Policy

(1) defined by the SeChangeNotifyPrivilege setting in Local or Group Policy

(1) defined by the SeSystemTimePrivilege setting in Local or Group Policy

Table 3.26 Change the system time: Administrators and Power Users (default); Administrators (High Security); Legacy client and Enterprise Client are not defined

(1) defined by the SeCreatePagefilePrivilege setting in Local or Group Policy

….

….

(1) defined by the SeCreateTokenPrivilege setting in Local or Group Policy

(1) defined by the SeCreatePermanentPrivilege setting in Local or Group Policy

(1) defined by the SeDebugPrivilege setting in Local or Group Policy

Table 3.27 Debug programs: Administrators (default); Revoke all security groups and accounts (Legacy Client, Enterprise client and High Security)

(1) defined by the SeRemoteShutdownPrivilege setting in Local or Group Policy

Table 3.32 Force shutdown from a remote system: Administrators (High Security): Legacy client and Enterprise Client are not defined

(1) defined by the SeAuditPrivilege setting in Local or Group Policy

Table 3.33 Generate security audits: Network Service, Local Service (High Security): Legacy Client and Enterprise Client are not defined

(1) defined by the SeIncreaseQuotaPrivilege setting in Local or Group Policy

Table 3.23 Adjust memory quotas for a process: Administrators, Network Service, Local Service (High Security); Legacy client and Enterprise Client are not defined

(1) defined by the SeIncreaseBasePriorityPrivilege setting in Local or Group Policy

Table 3.35 Increase scheduling priority: Administrators (High Security): Legacy Client and Enterprise Client are not defined

(1) defined by the SeLoadDriverPrivilege setting in Local or Group Policy

Table 3.36 Load and unload device drivers: Administrators (High Security): Legacy Client and Enterprise Client are not defined

(1) defined by the SeLockMemoryPrivilege setting in Local or Group Policy

Table 3.37 Lock pages in memory: Administrators (High Security): Legacy Client and Enterprise Client are not defined

….

(1) defined by the SeBatchLogonRight setting in Local or Group Policy

Table 3.38 Log on as a batch job: Support_388945a0, Local Service (Default); Revoke all security groups and accounts (High Security); Legacy Client and Enterprise Client are not defined

(1) defined by the SeServiceLogonRight setting in Local or Group Policy

(1) defined by the SeInteractiveLogonRight setting in Local or Group Policy

Table 4.4 Allow log on locally: Administrators (Legacy client, Enterprise Client, and High Security)

(1) defined by the SeSecurityPrivilege setting in Local or Group Policy

Table 3.39 Manage auditing and security log: Administrators (High Security); Legacy Client and Enterprise Client are not defined

(1) defined by the SeSystemEnvironmentPrivilege setting in Local or Group Policy

Table 3.40 Modify firmware environment values: Administrators (High Security); Legacy client and Enterprise Client are not defined

(1) defined by the SeProfileSingleProcessPrivilege setting in Local or Group Policy

Table 3.42 Profile single process: Administrators (High Security); Legacy Client and Enterprise Client are not defined

(1) defined by the SeSystemProfilePrivilege setting in Local or Group Policy

Table 3.43 Profile system performance: Administrators (High Security); Legacy client and Enterprise Client are not defined

(1) defined by the SeUndockPrivilege setting in Local or Group Policy

Table 3.44 Remove computer from docking station: Administrators, Power Users (Default)/Administrators (High Security); Legacy client and Enterprise Client are not defined

(1) defined by the SeAssignPrimaryTokenPrivilege setting in Local or Group Policy

Table 3.45 Replace a process level token: Local Service, Network Service (High Security); Legacy Client and Enterprise Client are not defined

….

(1) defined by the SeRestorePrivilege setting in Local or Group Policy

Table 3.46 Restore files and directories: Administrators and Backup Operators (Default)/Administrators (High Security); Legacy Client and Enterprise Client are not defined

(1) defined by the SeShutdownPrivilege setting in Local or Group Policy

Table 3.47 Shut down the system: Backup Operators, Power Users and Administrators (Default)/Administrators (High Security); Legacy Client and Enterprise Client are not defined

(1) defined by the SeTakeOwnershipPrivilege setting in Local or Group Policy

Table 3.49 Take ownership of files or other objects: Administrators (High Security); Legacy Client and Enterprise Client are not defined

(1) defined by the SeSynchAgentPrivilege setting in Local or Group Policy

Table 3.48 Synchronize directory service data: Revoke all security groups and accounts (High Security); legacy client and Enterprise Client are not defined

(1) defined by the SeDenyInteractiveLogonRight setting in Local or Group Policy

(1) defined by the SeEnableDelegationPrivilege setting in Local or Group Policy

Table 4.7 Enable computer and user accounts to be trusted for delegation: Administrators (High Security); Legacy client and Enterprise Client are not defined

(1) defined by the SeMachineAccountPrivilege setting in Local or Group Policy

Table 3.22 Add workstations to domain: Administrators (High Security); Legacy Client and Enterprise Client are not defined

….

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by the SeRemoteInteractiveLogonRight setting in Local or Group Policy

Table 3.25 Allow log on through Terminal Services: Administrators (High Security); Administrators and Remote Desktop Users (Legacy Client and Enterprise Client)

(1) defined by the SeDenyBatchLogonRight setting in Local or Group Policy

Table 4.18 Deny log on as a batch job: Support_388945a0 and Guest (Legacy Client, Enterprise Client, and High Security)

(1) defined by the SeDenyServiceLogonRight setting in Local or Group Policy

(1) defined by the SeDenyRemoteInteractiveLogonRight setting in Local or Group Policy

Table 4.18 Deny log on through Terminal Services: Built-in Administrator; all NON-operating system service accounts (Legacy Client, Enterprise Client, and High Security)

(1) defined by the SeManageVolumePrivilege setting in Local or Group Policy

Table 3.41 Perform volume maintenance tasks: Administrators (High Security); Legacy client and Enterprise Client are not defined

Table 2.11 Reset account lockout counter after: 30 minutes; 15 minutes (High Security); 30 minutes (Legacy Client and Enterprise Client)

Table 2.9 Account lockout duration: 15 minutes (High Security); 30 minutes (Legacy Client and Enterprise Client)

Table 2.10 Account lockout threshold: 50 invalid login attempts (Legacy Client and Enterprise Client); 10 invalid login attempts (High Security)

Table 3.2 Audit account logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security)

Table 3.2 Audit account logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security)

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

Table 3.4 Audit account management: Success/Failure (Legacy Client, Enterprise Client, and High Security)

Table 3.4 Audit account management: Success/Failure (Legacy Client, Enterprise Client, and High Security)

Table 3.6 Audit directory service access: Success/Failure (Legacy Client, Enterprise Client, and High Security)

Table 3.6 Audit directory service access: Success/Failure (Legacy Client, Enterprise Client, and High Security)

Table 3.8 Audit logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security)

Table 3.8 Audit logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security)

Table 3.10 Audit object access: Success/Failure (Legacy Client, Enterprise Client, and High Security)

Table 3.10 Audit object access: Success/Failure (Legacy Client, Enterprise Client, and High Security)

Table 3.12 Audit policy change: Success (legacy client, Enterprise Client, and High Security)

Table 3.12 Audit policy change: Success (legacy client, Enterprise Client, and High Security)

Table 3.14 Audit privilege use: Success/Failure (High Security); No Auditing (Legacy Client); Failure (Enterprise Client)

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy ….

(1) defined by Local or Group Policy ….

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

….

….

Table 3.14 Audit privilege use: Success/Failure (High Security); No Auditing (Legacy Client); Failure (Enterprise Client)

Table 3.18 Audit system events: Success (Legacy Client, Enterprise Client, and High Security)

Table 3.18 Audit system events: Success (Legacy Client, Enterprise Client, and High Security)

Table 3.102 Shutdown: Allow system to be shut down without having to log on: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy

(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\MaxSize

Table 3.110 Maximum application log size: 16,384 KB (Legacy Client, Enterprise Client, and High Security)

Table 3.116 Retention method for application log: As needed (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\RestrictGuestAccess (2) defined by Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MaxSize

Table 3.111 Maximum security log size: 81,920 KB (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy

Table 3.117 Retention method for security log: As needed (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\RestrictGuestAccess (2) defined by Group Policy

(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\MaxSize

Table 3.112 Maximum system log size: 16,384 KB (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy

3.118 Retention method for system log: As needed (Legacy Client, Enterprise Client, and High Security)

Table 2.4 Maximum password age: 42 days (Legacy Client, Enterprise Client, and High Security)

Table 2.5 Minimum password age: 2 days (Legacy Client, Enterprise Client, and High Security)

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy


Table 2.6 Minimum password length: 12 characters (High Security); 8 characters (Legacy Client and Enterprise Client)

Table 2.7 Password must meet complexity requirements: Enabled (Legacy Client, Enterprise Client, and High Security)

Table 2.3 Enforce password history: 24 passwords remembered (Legacy Client, Enterprise Client, and High Security)

Table 2.8 Store password using reversible encryption: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.119 Alerter Service: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.123 Automatic updates service: Automatic (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.124 Background Intelligent Transfer Service: Manual (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.127 Clipbook service: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.143 Fax Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.146 FTP Publishing Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)

….

….

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.151 IIS Admin Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.153 Indexing Service: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.167 Messenger Service: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) defined by the Services Administrative Tool (2) defined by Group Policy

Table 3.172 .NET Framework Support Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.174 NetMeeting Remote Desktop Sharing: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) defined by the Services Administrative Tool (2) defined by Group Policy

Table 3.187 Remote Access Auto Connection Manager: Manual (default); Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.190 Remote Desktop Help Session Manager: Manual (default); Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.194 Remote Registry Service: Automatic (Legacy Client, Enterprise Client, and High Security)

….

….

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.201 Routing and Remote Access Service: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RshSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SIMPTCP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.208 Simple TCP/IP Services: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.207 Simple Mail Transport Protocol (SMTP): Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.211 SNMP Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.212 SNMP Trap Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.216 Task Scheduler: Automatic (default); Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.220 Telnet Service: Disabled (Legacy Client, Enterprise Client, and High Security)

….

….

….

….

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.221 Terminal Services: Manual (default); Automatic (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.182 Plug and Play: Automatic (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 3.245 World Wide Web Publishing Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 11.3 Automatic Update Service: Disabled

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Table 11.4 Background Intelligent Transfer Service: Disabled

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

Table 3.119 Alerter Service: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) set via Security Templates (2) defined by Group Policy

Table 3.123 Automatic Updates Service: Automatic (Legacy Client, Enterprise Client, and High Security)

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

….

….

….

….

….

….

….

….

….

….

….

….

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

….

….

….

(1) Local Users and Groups MMC ….

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (2) defined by Local or Group Policy

3.86 Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM (2) defined by Local or Group Policy

3.85 Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AnonymousNameLookup (2) defined by Local or Group

Table 2.13 Network Access: Allow anonymous SID/NAME translation: Disabled

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption (2) defined by Local or Group Policy

Table 3.73 Interactive logon: Message title for users attempting to log on: "It is an offense to continue without proper authorization" (Legacy Client, Enterprise Client, and High Security)

….

….

….

….

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText (2) defined by Local or Group Policy

Table 3.72 Interactive logon: Message text for users attempting to log on: "This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background." (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting

…. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName

Table 3.70 Interactive logon: Do not display last user name: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect

Table 3.246 Security Consideration for Network Attack: EnableDeadGWDetect = 0 (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime

Table 3.246 Security Consideration for Network Attacks: KeepAliveTime = 300,000 (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand

Table 3.248 Configure NetBIOS Name Release Security: Allow the computer to ignore NetBIOS name release requests except from WINS server: NoNameReleaseOnDemand = 1 (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery

Table 3.246 Security Consideration for Network Attacks: EnablePMTUDiscovery = 0 (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect

Table 3.246 Security Consideration for Network Attacks: SynAttackProtect = 1 (Legacy Client, Enterprise Client, and High Security)

….

….

….

….

….

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy ….

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\DisableSavePassword

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy

Table 3.64 Domain member: Digitally encrypt or sign secure channel data (always): Enabled (High Security); Disabled (Legacy Client and Enterprise Client)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy

Table 3.65 Domain member: Digitally encrypt or sign secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\SafeDllSearchMode

Table 3.253 Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended): SafeDllSearchMode = 1 (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Policies\system\DisableBkGndGroupPolicy

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\KMPrintersAreBlocked

Table 3.61 Domain controller: Allow server operators to schedule tasks: Not Defined (default); Disabled (Legacy Client, Enterprise Client, and High Security)

(1) defined by Local or Group Policy ….

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect (2) defined by Local or Group Policy

Table 3.81 Microsoft network server: Amount of idle time required before suspending session: 15 minutes (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects (2) defined by Local or Group Policy

Table 3.52 Audit: Audit the access of global system objects: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing (2) defined by Local or Group Policy

Table 3.53 Audit: Audit the use of backup and restore privilege: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD (2) defined by Local or Group Policy

Table 3.71 Interactive logon: Do not require CTRL+ALT+DEL: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel (2) defined by Local or Group Policy

Table 3.96 Network security: LAN Manager authentication level: Send NTLM response only (default); Send NTLMv2 response only\refuse LM & NTLM (High Security); Send NTLMv2 responses only (Legacy Client and Enterprise Client)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers (2) defined by Local or Group Policy

Table 3.57 Devices: Prevent users from installing printer drivers: Enabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel (2) defined by Local or Group Policy

Table 3.100 Recovery console: Allow automatic administrative logon: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand (2) defined by Local or Group Policy

Table 3.101 Recovery console: Allow floppy copy and access to all drives and all folders: Disabled (High Security); Enabled (Legacy Client and Enterprise Client)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies (2) defined by Local or Group Policy

Table 10.2 Devices: Restrict floppy access to locally logged-on user only: Enabled (Enterprise Client)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode (2) defined by Local or Group Policy

Table 3.108 System objects: Strengthen default permissions of internal system objects: Enabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (2) defined by Local or Group Policy

Table 3.69 Domain member: Require strong (W2K or later) session key: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword (2) defined by Local or Group Policy

Table 3.80 Microsoft network client: Send unencrypted password to third-party SMB servers: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing\Policy (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning (2) defined by Local or Group Policy

Table 3.75 Interactive logon: Prompt user to change password before expiration: 14 days (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail (2) defined by Local or Group Policy

Table 3.54 Audit: Shut down system immediately if unable to log security audits: Disabled (Legacy Client and Enterprise Client); Enabled (High Security)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon (2) defined by Local or Group Policy

Table 3.102 Shutdown: Allow system to be shut down without having to log on: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown (2) defined by Local or Group Policy

Table 3.103 Shutdown: Clear virtual memory page file: Disabled (Legacy Client and Enterprise Client); Enabled (High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (2) defined by Local or Group Policy

Table 3.74 Interactive logon: Number of previous logons to cache: 1 (Legacy Client); 0 (Enterprise Client and High Security)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD (2) defined by Local or Group Policy

Table 3.56 Devices: Allowed to format and eject removable media: Administrators (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal (2) defined by Local or Group Policy

Table 3.64 Domain member: Digitally encrypt or sign secure channel data: Enabled (High Security); disabled (Legacy Client and Enterprise Client)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy

Table 3.65 Domain member: Digitally encrypt secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy

Table 3.66 Domain member: Digitally sign secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption (2) defined by Local or Group Policy

Table 3.77 Interactive logon: Smart card removal behavior: Lock Workstation (Enterprise Client and High Security); Legacy Client is not defined

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy (2) defined by Local or Group Policy

Table 3.105 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner (2) defined by Local or Group Policy

Table 3.106 System objects: Default owner for objects created by members of the Administrators group: Administrators group (default); Object creator (Legacy Client, Enterprise Client, and High Security)

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive (2) defined by Local or Group Policy

Table 3.107 System objects: Require case insensitivity for non-Windows subsystems: Enabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse (2) defined by Local or Group Policy

Table 3.51 Accounts: Limit local account use of blank passwords to console logon only: Enabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon (2) defined by Local or Group Policy

Table 3.55 Devices: Allow undock without having to log on: Enabled (default); Disabled (Legacy Client, Enterprise Client, and High Security)

Table 3.62 Domain controller: LDAP server signing requirements: Not Defined (Legacy Client and Enterprise Client); Require signing (High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity (2) defined by Local or Group Policy

Table 3.97 Network security: LDAP client signing requirements: Negotiate signing (Legacy Client, Enterprise Client, and High Security)

Table 3.63 Domain controller: Refuse machine account password changes: Not Defined (default); Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge (2) defined by Local or Group Policy

Table 3.68 Domain member: Maximum machine account password age: 30 days (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon (2) defined by Local or Group Policy

Table 3.76 Interactive logon: Require domain controller authentication to unlock workstation: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff (2) defined by Local or Group Policy

Table 3.84 Microsoft network server: Disconnect clients when logon hours expire: Enabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds (2) defined by Local or Group Policy

Table 3.87 Network access: Do not allow storage of credentials or .NET Passports for network authentications: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous (2) defined by Local or Group Policy

Table 3.88 Network access: Let Everyone permissions apply to anonymous users: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes (2) defined by Local or Group Policy

Table 3.89 Network access: Named Pipes that can be accessed anonymously: None (Legacy Client, Enterprise Client, and High Security)

(1) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPathsHKLM (2) defined by Local or Group Policy

Table 3.90 Network access: Remotely accessible registry paths: System\currentControlSet\Control\Products Options; System\CurrentControlSet\Control\server Applications; Software\Microsoft\Windows NT\CurrentVersion (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares (2) defined by Local or Group Policy

Table 3.93 Network Access: Shares that can be accessed anonymously: None (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest (2) defined by Local or Group Policy

Table 3.94 Network Access: Sharing and security model for local accounts: Classic - local users authenticate as themselves (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash (2) defined by Local or Group Policy

Table 3.95 Network Security: Do not store LAN Manager hash value on next password change: Enabled (Legacy Client, Enterprise Client, and High Security)

Table 2.14 Network Security: Force Logoff when logon hours expire: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec (2) defined by Local or Group Policy

Table 3.98 Network Security: Minimum session security for NTLM SSP based clients: No minimum (Legacy Client); Enabled all settings (Enterprise Client and High Security)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec (2) defined by Local or Group Policy

Table 3.99 Network Security: Minimum session security for NTLM SSP based servers: No minimum (Legacy Client); Enabled all settings (Enterprise Client and High Security)

(1) HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive

(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaveTimeOut

(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaverIsSecure

(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaveActive

(1) HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive

GPO path: User Configuration\Administrative Templates\Control Panel\Display\Password protect the screen saver

Table 3.251 Make screensaver password protection immediate: the time in seconds before the screen saver grace period expires: 0 (Legacy Client, Enterprise Client, and High Security)

GPO path: User Configuration\Administrative Templates\Control Panel\Display\Screen Saver timeout

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableUserControl

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownBrowse

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownMedia

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableAdminTSRemote

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownPatch

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\TransformSecure

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer\DisableAutoupdate

(1) HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer\PreventCodecDownload

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\{9b017612-c9f1-11d2-8d9f-0000f875c541}\Disabled (2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MessengerService

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventRun

Table 3.167 Messenger: Disabled (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventAutoRun

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Property Pages

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Task Creation

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fSingleSessionPerUser

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxInstanceCount

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fWritableTSCCPermTab

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel

Table 3.255 Set client connection encryption level: High (Legacy Client, Enterprise Client, and High Security)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\DeleteTempDirsOnExit

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fReconnectSame

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fResetBroken

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveEnable

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting\DoReport

Table 3.257 Error Reporting: Disabled (Legacy Client, Enterprise Client, and High Security)

Table 3.199 Removable Storage: Disabled (Legacy Client, Enterprise Client, and High Security)

Table 11.3 Automatic Updates: Disabled

Table 11.3 Automatic Updates: Disabled

Table 11.3 Automatic Updates: Disabled

Table 11.3 Automatic Updates: Disabled

Table 11.3 Automatic Updates: Disabled

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhausted

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Use_HKLM_only Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_Zones_Map_Edit Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_zones_map_edit

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoUpdateCheck Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoUpdateCheck

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoJITSetup,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoJITSetup

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit

DISA STIG for Windows 2003

Center for Internet Security Windows Server 2003

4.2.15 Deny access to this computer from the network (minimum): Not Defined

4.2.1 Access this computer from the network: Not Defined; Administrators, Authenticated Users, Enterprise Domain Controllers (Specialized Security)

5.1 User Rights: (4.015: CAT I) Built-in Guest account, Everyone group, guests group, and Domain Guests group DO NOT have the right to "access this computer from the network"

4.2.2 Act as part of the operating system: none

5.1 User Rights: (4.009: CAT I) Individual and group accounts DO NOT have the right to "act as part of the operating system"

4.2.36 Backup files and directories: Administrators (Specialized Security)

4.2.8 Bypass traverse checking: Not Defined

4.2.9 Change the system time: Administrators

4.2.10 Create a pagefile: Administrators (Specialized Security)

4.2.11 Create a token object: None ….

4.2.14 Debug Programs: None ….

4.2.13 Create permanent shared objects: None

4.2.21 Force shutdown from a remote system: Administrators (Specialized Security)

4.2.22 Generate security audits: Local Service, Network Service (Specialized Security)

4.2.4 Adjust memory quotas for a process: Network Service, Local Service, Administrators (Specialized Security)

4.2.24 Increase scheduling priority: Administrators (Specialized Security)

4.2.25 Load and unload device drivers: Administrators

4.2.26 Lock pages in memory: Administrators (Specialized Security)

4.2.27 Log on as a batch job: None ….

4.2.28 Log on as a service: Not Defined

4.2.5 Allow log on locally: Administrators

5.1 User rights: (4.026: CAT II) Built-in Guest account, guests group, and Domain guests group, HelpAssistant, and Support_388945a0 are assigned the right to DENY log on locally

4.2.29 Manage auditing and security log: Administrators (Specialized Security)

4.2.30 Modify firmware environment values: Administrators (Specialized Security)

4.2.32 Profile single process: Administrators (Specialized Security)

4.2.33 Profile system performance: Administrators (Specialized Security)

4.2.34 Remove computer from docking station: Administrators (Specialized Security)

4.2.35 Replace a process level token: Network Service, Local Service

4.2.36 Restore files and directories: Administrators (Specialized Security)

4.2.37 Shut down the system: Administrators (Enterprise, Specialized Security)

4.2.39 Take ownership of file or other objects: Administrators

4.2.38 Synchronize directory service data: None

4.2.18 Deny logon locally: Not Defined

5.1 User rights: (4.026: CAT II) Built-in Guest account, guests group, and Domain guests group, HelpAssistant, and Support_388945a0 are assigned the right to DENY log on locally

4.2.20 Enable computer and user accounts to be trusted for delegation: None

4.2.3 Add workstations to domain: Not Defined; None (Specialized Security)

4.2.6 Allow logon through terminal services: Administrators

5.1 User Rights: (4.040: CAT I) No one has the right to allow logon through Terminal Services unless the machine is performing the role of a Terminal Server

4.2.16 Deny logon as a batch job: Not Defined

4.2.17 Deny logon as a service: Not Defined

4.2.19 Deny logon through Terminal Services: Not Defined

5.1 User Rights: (4.041: CAT II) The Everyone group is assigned the right to deny logon through Terminal Services unless the machine is performing the role of a Terminal Server, then the Guests group is assigned

4.2.31 Perform volume maintenance tasks: Administrators (Specialized Security)

5.4.5.1 [AP] User Rights Assignments: Perform Volume Maintenance Tasks: Administrators

2.2.3.3 Reset Account Lockout After: 15 minutes

5.4.2.2 [A] Bad Logon Counter Reset: 15 minutes

2.2.3.1 Account Lockout Duration: 15 minutes

4.5.3 Password Policy (4.004: CAT II) The Account Lockout duration set to 15 minutes or more

2.2.3.2 Account Lockout Threshold: 15 attempts; 10 attempts (Specialized Security)

4.5.3 Password Policy (4.002: CAT II) The Account Lockout Threshold will be set to 3 or less

2.2.1.1 Audit Account Logon Events: Success/Failure

2.2.1.1 Audit Account Logon Events: Success/Failure

2.2.1.2 Audit Account Management: Success/Failure

2.2.1.2 Audit Account Management: Success/Failure

2.2.1.3 Audit Directory Service Access: Not Defined

6.4 System Audit Settings: Audit directory service access: Not Defined

2.2.1.3 Audit Directory Service Access: Not Defined

6.4 System Audit Settings: Audit directory service access: Not Defined

2.2.1.4 Audit Logon Events: Success and Failure

6.4 System Audit Settings: Audit logon events: Success, Failure

2.2.1.4 Audit Logon Events: Success and Failure

6.4 System Audit Settings: Audit logon events: Success, Failure

2.2.1.5 Audit Object Access: Success/Failure

2.2.1.5 Audit Object Access: Success/Failure

2.2.1.6 Audit Policy Change: Success

6.4 System Audit Settings: Audit policy change: Success, Failure

2.2.1.6 Audit Policy Change: Success

6.4 System Audit Settings: Audit policy change: Success, Failure

2.2.1.7 Audit Privilege Use: Not Defined

6.4 System Audit Settings: Audit privilege use: Failure

3.5 [M] Access to Security Event Log: Auditors

2.2.1.7 Audit Privilege Use: Not Defined

6.4 System Audit Settings: Audit privilege use: Failure

6.4 System Audit Settings: Audit process tracking: Not Defined

6.4 System Audit Settings: Audit process tracking: Not Defined

2.2.1.9 Audit System Events: Success

6.4 System Audit Settings: Audit system events: Success, Failure

2.2.1.9 Audit System Events: Success

6.4 System Audit Settings: Audit system events: Success, Failure

2.2.4.1.2 Restrict Guest Access: Enabled

2.2.4.1.1 Maximum Event Log Size: 16MB

5.4.7.1 [A] Event Log Sizes: Maximum application log size: 16384 kilobytes

2.2.4.1.3 Log Retention Method: Not Defined

5.4.7.3 [AP] Preserving Security Events: Retention method for application log: Do not overwrite events (clear log manually)

2.2.4.2.2 Restrict Guest Access: Enabled

5.4.7.1 [A] Event Log Sizes: Maximum security log size: 16384 kilobytes

6.2 Audit Log Requirements: (5.002: CAT II) minimum of 81920KB

2.2.4.2.3 Log Retention Method: Not Defined

2.2.4.3.2 Restrict Guest Access: Enabled

5.4.7.2 [A] Restrict Event Log Access Over Network: Prevent local guests group from accessing security log: Enabled

2.2.4.3.1 Maximum Event Log Size: 16MB

5.4.7.1 [A] Event Log Sizes: Maximum system log size: 16384 kilobytes

6.2 Audit Log Requirements: (5.002: CAT II) minimum of 81920KB

2.1.2 Maximum Password Age: 90 Days

4.5.3 Password Policy: (4.011: CAT II) Maximum password age is set to 90 days or less

2.2.2.1 Minimum Password Age: 1 day

4.5.3 Password Policy: (4.012: CAT II) Minimum password age is set to 1 day or more

4.1.1 Alerter: Disabled ….

4.1.3 Clipbook: Disabled ….

4.1.4 Fax Service: Disabled ….

7.6.3 FTP Service: Disabled

2.2.2.3 Minimum Password Length: 8 characters; 12 characters (Specialized Security)

5.4.1.3 [AP] Minimum Password Length: 8 characters

2.2.2.4 Password Complexity: Enabled

5.4.1.5 [M] Enable strong Password Filtering: Password must meet complexity requirements: Enabled

2.2.2.5 Password History: 24 passwords remembered

5.4.1.4 [A] Password Uniqueness: Enforce password history: 24 passwords

2.2.2.6 Store Passwords Using Reversible Encryption: Disabled

5.4.1.6 [M] Disable Reversible Password Encryption: Disabled

7.6.1 Automatic Updates Service: Disable if not needed

7.6.2 Background Intelligent Transfer Service (BITs): Disable if not needed

4.1.7 FTP Publishing Service: Disabled

4.1.10 IIS Admin Service: Disabled ….

4.1.11 Indexing Service: Disabled ….

4.1.13 Messenger: Disabled 8.3.4 Windows Messenger: Disabled

7.6.9 Remote Registry Service: Disabled

8.4.3 .NET Framework: (5.069: CAT II) the .NET Framework is not active on the system unless it only supports locally developed .NET applications

4.1.15 NetMeeting Remote Desktop Sharing: Disabled

7.6.4 NetMeeting Remote Desktop Sharing Service: (5.063: CAT II) Disabled

7.6.5 Print Services for Unix: (5.026: CAT II) Remove if not required

4.1.20 Remote Access Auto Connection Manager: Disabled

7.6.7 Remote Access Auto Connection Manager Service: (5.064: CAT II) Disabled

4.1.23 Remote Desktop Help Session Manager: Disabled

7.6.8 Remote Desktop Help Session Manager: (5.065: CAT II) Disabled

8.3.9.1 Internet Connection Sharing: (3.085: CAT II) Prohibit use of Internet Connection Sharing on your DNS domain networks is Enabled

4.1.26 Remote Registry Service: Disabled (Specialized Security)

4.1.35 Telnet: Disabled ….

7.6.11 Routing and Remote Access Service: (5.067: CAT II) Disabled if not required

7.6.10 Remote Shell Service: (5.008: CAT II) Service is removed by typing instsrv rshsvc remove at the command prompt

7.6.16 Telnet Servers: (5.010: CAT II) Simple TCP/IP services are disabled

4.1.31 Simple Mail Transfer Protocol: Disabled

4.1.32 Simple Network Management Protocol Service: Disabled

7.6.13 SNMP Service: (5.026: CAT II) SNMP is disabled if not required

4.1.33 Simple Network Management Protocol Trap: Disabled

7.6.14 Simple Service Discovery Protocol (SSDP) Service: (5.019: CAT I) Disabled

7.6.15 Task Scheduler Service: (5.009: CAT II) Disabled

4.1.1. Alerter: Disabled ….

4.1.3 Clipbook: Disabled ….

4.1.4 Fax Service: Disabled ….

4.1.36 Terminal Services: Disabled (Specialized Security)

7.6.17 Terminal Services: (5.020: CAT I) Disabled on machines that are not performing as Terminal Servers

4.1.39 World Wide Web Publishing Services: Disabled

7.6.1 Automatic Updates Service: Disable if not needed

7.6.2 Background Intelligent Transfer Service (BITs): Disable if not needed

7.6.5 Print Services for Unix: (5.026: CAT II) Remove if not required

4.1.7 FTP Publishing Service: Disabled

4.1.10 IIS Admin Service: Disabled ….

4.1.11 Indexing Service: Disabled ….

4.1.13 Messenger: Disabled ….

4.1.35 Telnet: Disabled ….

4.1.15 NetMeeting Remote Desktop Sharing: Disabled

4.1.19 Print Spooler: Disabled (Specialized Security)

4.1.20 Remote Access Auto Connection Manager: Disabled

7.6.7 Remote Access Auto Connection Manager Service: (5.064: CAT II) Disabled

4.1.23 Remote Desktop Help Session Manager: Disabled

4.1.26 Remote Registry Service: Disabled (Specialized Security)

4.1.31 Simple Mail Transfer Protocol: Disabled

4.1.32 Simple Network Management Protocol Service: Disabled

4.1.33 Simple Network Management Protocol Trap: Disabled

3.5 [M] Access to Security Event Log: Auditors

4.1.36 Terminal Services: Disabled (Specialized Security)

4.1.39 World Wide Web Publishing Services: Disabled

3.1.3 Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled (Enterprise and Specialized Security)

5.4.6.53 [AP] Restrict Anonymous Network Shares: Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled

3.1.1 Network Access: Allow Anonymous SID/Name Translation: Disabled (Specialized Security)

5.4.6.52 Network Access: Allow anonymous SID/Name translation: Disabled

5.2 Windows Server 2003 Built-in Accounts: (4.048: CAT II) Disabled

3.2.1.27 Interactive Logon: Message Title for Users Attempting to Log On: <Custom or DoJ Approved>

5.4.6.22 [AP] Display Legal Notice: Interactive Logon: Message title for users attempting to log on: US Department of Defense Warning Statement

3.2.1.26 Interactive Logon: Message Text for Users Attempting to Log On: <Custom or DoJ Approved>

5.4.6.22 Interactive Logon: Message text for users attempting to log on

5.4.6.38 [A] Disable Administrator Automatic Logon: Disabled

5.4.6.47 [A] Disable Media Autoplay: MSS: Disable Autorun on all drives: 255, disable Autorun for all drives

5.4.6.41 [A] ICMP Redirects: MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes: Disabled

3.2.1.69 MSS: IP Source Routing protection level: Highest Protection, source routing is automatically disabled

5.4.6.39 MSS: DisableIPSourceRouting, IP source routing packet spoofing: Highest protection, source routing is completely disabled

….

….

….

3.2.1.74 MSS: Allow IRDP to detect and configure DefaultGateway addresses: Disabled

3.2.1.24 Interactive Logon: Do Not Display Last User Name: Enabled

3.2.1.70 MSS: Allow automatic detection of dead network gateways: Disabled

5.4.6.40 [A] Detection of Dead Gateways: MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways: Disabled

3.2.1.82 MSS: How often keepalive packets are sent in milliseconds: 300000

5.4.6.49 MSS: How often keepalive packets are sent in milliseconds: 300000

3.2.1.73 MSS: Allow the computer to ignore NetBIOS name release requests except from WINS servers: Enabled

5.4.6.42 [A] NetBIOS Name Release: MSS: (NoNameReleaseOnDemand) Allow computer to ignore NetBIOS name release requests except from WINS Servers: Enabled

3.2.1.72 MSS: EnablePMTUDiscovery, Allow automatic detection of MTU size: Enabled (Specialized Security)

5.4.6.44 MSS (SynAttackProtect) Syn attack protection level: Connections time out sooner if a SYN attack is detected

….

….

….

….

….

….

5.4.6.6 ConGp: Prevent the dial-up password from being saved: Enabled

3.2.1.19 Domain Member: Digitally Encrypt Secure Channel Data (When Possible): Enabled

5.4.6.16 [A] Encryption of Secure Channel Traffic: Domain Member: Digitally encrypt secure channel data (when possible): Enabled

3.2.1.20 Domain Member: Digitally Sign Secure Channel Data (When Possible): Enabled

5.4.6.17 [A] Signing of Secure Channel Traffic: Domain Member: Digitally sign secure channel data (when possible): Enabled

3.2.1.80 MSS: Enable Safe DLL search mode: Enabled

5.4.6.48 [A] Safe DLL Search Mode: MSS: Enable Safe DLL search mode: Enabled

8.3.5 Always wait for the network at computer startup: Enabled

8.3.6 Group Policy: (3.080: CAT II) Turn off background refresh of Group Policy is set to Disabled

8.3.9.2 Network Bridge: (3.086: CAT II) The setting Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled

8.3.10 Installation of Printers Using Kernel-mode Drivers: (3.087: CAT II) the setting Disallow installation of printers using kernel-mode drivers is set to Enabled

3.2.1.15 Domain Controller: Allow Server Operators to Schedule Tasks: Disabled

5.4.6.12 [A] Server Operators Scheduling Tasks: Domain Controller: Allow server operators to schedule tasks: Disabled

5.4.6.3 Accounts: Rename administrator account: Should not be Administrator

….


….

….

5.4.6.4 Account: Rename guest account: Any value other than ‘Guest’

5.4.6.30 [A] Idle Time Before Suspending a Session: Microsoft Network Server: Amount of idle time required before suspending a session: 15 minutes

3.2.1.6 Audit: Audit the access of global system objects: Not Defined

5.4.7.76 [A] Global System Object Permission Strength: System objects: Strengthen default permissions of internal system objects: Enabled

3.2.1.7 Audit: Audit the use of backup and restore privilege: Not Defined

5.4.6.21 [A] CTRL+ALT+DEL Security Attention Sequence: Interactive Logon: Do not require CTRL+ALT+DEL: Disabled

3.2.1.50 Network Security: LAN Manager Authentication Level: Send NTLMv2 (Legacy), Send NTLMv2, refuse LM (Enterprise), Send NTLMv2, refuse LM and NTLM (Specialized Security)

5.4.6.64 [AP] LanMan Compatible Password Option Not Properly Set: Network Security: LAN Manager authentication level: Send NTLMv2 response only/refuse LM & NTLM

3.2.1.11 Devices: Prevent users from installing printer drivers: Enabled

5.4.6.9 [A] Secure Print Driver Installation: Devices: Prevent users from installing printer drivers: Enabled

….

3.2.1.54 Recovery Console: Allow Automatic Administrative Logon: Disabled

5.4.6.68 [A] Recovery Console - Automatic Logon: Allow automatic administrative logon: Disabled

3.2.1.55 Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders: Not Defined

5.4.6.69 [A] Recovery Console - Set Command: Recovery console: Allow floppy copy and access to all drives and folders: Disabled

3.2.1.12 Devices: Restrict CD-ROM Access to Locally Logged-On User Only: Not Defined

3.2.1.13 Devices: Restrict Floppy Access to Locally Logged-On User only: Not Defined

5.4.6.10 [A] Secure Removable Media: Devices: Restrict floppy access to locally logged-on user only: Enabled

3.2.1.62 System Objects: Strengthen default permissions of internal system objects: Enabled

5.4.6.76 [A] Global System Object Permission Strength: System Objects: Strengthen default permissions of internal system objects: Enabled

3.2.1.23 Domain Member: Require Strong (Windows 2000 or later) Session Key: Not Defined

5.4.6.20 [AP] Strong Session Key (WIN2K/W2K3 Native Domains): Domain Member: Require Strong (Windows 2000 or later) Session Key: Enabled

3.2.1.35 Microsoft Network Client: Send Unencrypted Password to Connect to Third-Party SMB Server: Disabled

5.4.6.29 [A] Unencrypted Passwords to 3rd party SMB Servers: Disabled

3.2.1.14 Devices: Unsigned driver installation behavior: "Warn, but allow . . . "

5.4.6.11 [AP] Unsigned Driver installation Behavior: Warn but allow installation

….

3.2.1.29 Interactive Logon: Prompt User to Change Password Before Expiration: 14 days

5.4.6.24 [A] Password Expiration Warning: Interactive Logon: Prompt user to change password before expiration: 14 days

3.2.1.8 Audit: Shut down system immediately if unable to log security alerts: Enabled (Specialized Security)

5.4.6.5 [AP] Halt on Audit Failure: Audit: Shut down system immediately if unable to log security audits: Enabled

3.2.1.56 Shutdown: Allow system to be shut down without having to log on: Disabled

3.2.1.57 Shutdown: Clear virtual memory pagefile: Not Defined

5.4.6.71 [AP] Clear System Page File During Shutdown: Shutdown: Clear virtual memory pagefile: Enabled

3.2.1.33 Microsoft Network Client: Digitally sign communications (always): Enabled (Specialized Security)

5.4.6.27 [A] SMB Client Packet Signing (Always): Microsoft Network Client: Digitally sign communications (always): Enabled

3.2.1.37 Microsoft Network Server: Digitally sign communications (always): Not Defined

5.4.6.31 [A] SMB Server Packet Signing (Always): Microsoft Network Server: Digitally sign communications (always): Enabled

Microsoft network server: Digitally sign communications (if client agrees): Disabled

5.4.6.32 Microsoft Network Server: digitally sign server communications (if client agrees): Enabled

3.2.1.28 Interactive Logon: Number of Previous Logons to Cache: Not Defined

5.4.6.23 Interactive Logon: Number of previous logons to cache (in case Domain Controller is unavailable): 0 logons or 1 logon

3.2.1.10 Devices: Allowed to format and eject removable media: Administrators

5.4.6.8 [A] Format and Eject Removable Media: Devices: Allowed to Format and Eject Removable Media: Administrators

3.2.1.18 Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always): Not Defined

5.4.6.15 [A] Encrypting and Signing of Secure Channel Traffic: Domain Member: Digitally encrypt or sign secure channel data (always): Enabled

3.2.1.19 Domain Member: Digitally Encrypt Secure Channel Data (When Possible): Enabled

5.4.6.16 [A] Encryption of Secure Channel Traffic: Domain Member: Digitally encrypt secure channel data (when possible): Enabled

3.2.1.20 Domain Member: Digitally Sign Secure Channel Data (When Possible): Enabled

5.4.6.17 [A] Signing of Secure Channel Traffic: Domain Member: Digitally sign secure channel data (when possible): Enabled

3.2.1.32 Interactive Logon: Smart Card Removal Behavior: Lock Workstation

5.4.6.26 [A] Smart Card Removal Option: interactive Logon: Smart card removal behavior: Lock Workstation or Force Logoff

3.2.1.59 System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Not Defined

5.4.6.73 [A] FIPS compliant algorithms: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Enabled

3.2.1.60 System Objects: Default owner for objects created by members of the Administrators group: Object Creator

5.4.6.74 [A] Object Created by members of the Administrators Group: System objects: Default owner for object created by members of the Administrators groups: Object creator

3.2.1.61 System objects: Require case insensitivity for non-Windows subsystems: Not Defined

5.4.6.75 [A] Case Insensitivity for Non-Windows Subsystems: System object: Require Case Insensitivity for non-Windows Subsystems: Enabled

3.2.1.3 Accounts: Limit local account use of blank passwords to console logon only: Enabled

5.4.6.2 [A] Limit Blank Passwords: Accounts: Limit local account use of blank passwords to console logon only: Enabled

3.2.1.9 Devices: Allow undock without having to log on: Enabled (Specialized Security)

5.4.6.7 [A] Undock Without Logging On: Devices: Allow Undock Without Having to Log On: Disabled

3.2.1.16 Domain Controller: LDAP Server Signing Requirements: Require Signing (Specialized Security)

5.4.6.13 [A] LDAP Signing Requirements (Domain Controller): Domain controller: LDAP Server signing requirements: Require signing

3.2.1.51 Network Security: LDAP client signing requirements: Negotiate Signing or Require Signing

5.4.6.65 [A] LDAP Client Signing: Network security: LDAP client signing requirements: Negotiate signing

3.2.1.17 Domain Controller: Refuse machine account password changes: Disabled

5.4.6.14 [A] computer Account Password change Requests: Domain Controller: Refuse machine account password changes: Disabled

3.2.1.22 Domain Member: Maximum Machine Account Password Age: 30 days

5.4.6.19 [A] Maximum Machine Account Password Age: Domain Member: Maximum Machine Account Password Age: 30

3.2.1.30 Interactive Logon: Require Domain Controller authentication to unlock workstation: Not Applicable

5.4.6.25 [A] Domain Controller Authentication to Unlock Workstation: Interactive logon: Require domain controller authentication to unlock workstation: Enabled

3.2.1.30 Microsoft Network Server: Disconnect clients when logon hours expire: Enabled

5.4.6.33 [A] forcibly disconnect when logon hours expire: Microsoft network Server: Disconnect clients when logon hours expire: Enabled

3.2.1.40 Network Access: Do not allow storage of credentials or .NET passports for network authentication: Enabled (Specialized Security)

5.4.6.54 [A] Storage of credentials or .NET passports: Network Access: Do not allow storage of credentials or .NET passports for network authentication: Enabled

3.2.1.41 Network Access: Let Everyone permissions apply to anonymous users: Disabled

5.4.6.55 [AP] Everyone Permissions Apply to Anonymous Users: Network Access: Let everyone permissions apply to anonymous users: Disabled

3.2.1.42 Network Access: Named pipes that can be accessed anonymously: None

5.4.6.56 [MA] Anonymous Access to Named Pipes: Network Access: Named pipes that can be accessed anonymously: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, and TrkSvr

3.2.1.43 Network Access: Remotely accessible registry paths: System\CurrentControlSet\Control\Product Options, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\WindowsNT\CurrentVersion

5.4.6.57 [MA] Remotely Accessible Registry Paths: Network Access: Remotely accessible registry paths: System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion

3.2.1.46 Network Access: Shares that can be accessed anonymously: None

5.4.6.60 [MA] Anonymous Access to Network Shares: Network Access: Shares that can be accessed anonymously: <should be blank>

3.2.1.47 Network Access: Sharing and security model for local accounts: Classic

5.4.6.61 [A] Sharing and Security Model for Local Accounts: Network Access: Sharing and security model for local accounts: "Classic - local users authenticate as themselves"

3.2.1.48 Network Security: Do not store LAN Manager password hash value on next password change: Enabled (Specialized Security)

5.4.6.62 [AP] LAN Manager Hash Value: network security: Do not store LAN Manager hash value on next password change: Enabled

3.2.1.49 Network Security: Force logoff when logon hours expire: Not Defined

5.4.6.63 [A] force Logoff when Logon Hours Expire: Enabled

….

….

….

….

….

….

3.2.1.52 Network Security: Minimum session security for NTLM SSP based clients: Require Message Integrity, Message Confidentiality, NTLMv2 Session Security, 128-bit Encryption (Specialized Security)

5.4.6.66 [A] Minimum Session Security for NTLM SSP-based Clients: "Require NTLMv2 session security", "Require 128-bit encryption", "Require Message Integrity", and "Require Message Confidentiality"

3.2.1.52 Network Security: Minimum session security for NTLM SSP based clients: Require Message Integrity, Message Confidentiality, NTLMv2 Session Security, 128-bit Encryption (Specialized Security)

5.4.6.67 [A] Minimum Session Security for NTLM SSP-based servers: "Require NTLMv2 session security", "Require 128-bit encryption", "Require Message Integrity", and "Require Message Confidentiality"

5.5.1 [AP] Password Protected Screen Savers: Passwords are required

3.2.1.84 MSS: The time in seconds before the screen saver grace period expires: 0

7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes)

7.5.1 Configuring Default User Screensaver Options: ScreenSaverIsSecure: 1

7.5.1 Configuring Default User Screensaver Options: ScreenSaveActive: 1

7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes)

7.5.1 Configuring Default User Screensaver Options: ScreenSaverIsSecure: 1

7.5.1 Configuring Default User Screensaver Options: ScreenSaveActive: 1

….

….

….

….

….

….

….

….

….

….

5.5.1 [AP] Password Protected Screen Savers: Passwords are required

3.2.1.84 MSS: The time in seconds before the screen saver grace period expires: 0

7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes)

7.5.1 Configuring Default User Screensaver Options: ScreenSaverIsSecure: 1

7.5.1 Configuring Default User Screensaver Options: ScreenSaveActive: 1

5.5.1 [AP] Password Protected Screen Savers: Passwords are required

3.2.1.84 MSS: The time in seconds before the screen saver grace period expires: 0

7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes)

8.3.3.1 Always Install with Elevated Privileges: (4.037: CAT II) Disabled

8.3.3.3 Enable User Control Over Installs: (5.051: CAT II) Disabled

8.3.3.4 Enable User to Browse for Source While Elevated: (5.052: CAT II) Disabled

8.3.3.5 Enable User to Use Media Source While Elevated: (5.053: CAT II) Disabled

8.3.3.7 Allow Admin to Install from Terminal Services Session: (5.055: CAT II) Disabled

8.3.3.6 Enable User to Patch Elevated Products: (5.054: CAT II) Disabled

….

….

….

….

4.1.13 Messenger: Disabled

….

….

….

….

….

….

8.3.3.8 Cache Transforms in Secure Location on Workstation: (5.056: CAT II) Enabled

5.6.4.1 [A] Media Player - Disabling Media Player for Automatic Updates: Enabled

8.3.11 Media Player - Automatic Downloads: (5.061: CAT II) Prevent Codec Download is set to Enabled

5.6.5.3 [A] Windows Messenger - internet Access Blocked: 1

8.3.4.1 Do Not Allow Windows Messenger to be Run: (5.017: CAT I) Enabled

8.3.4.2 Do Not Automatically Start Windows Messenger Initially: (5.029: CAT I) Enabled

7.6.15 Task Scheduler Service: (5.035: CAT III) Hide Property Page is Enabled

7.6.15 Task Scheduler Service: (5.036: CAT III) Prohibit New Task Creation is Enabled

8.3.2.2 Limit User to One Remote Session: (5.038: CAT II) Enabled

8.3.2.3 Limit Number of Connections: (5.039: CAT II) Enabled

8.3.2.4 Do Not Allow New Client Connections: (5.040: CAT II) Enabled

….

….

….

….

….

….

….

….

….

….

5.6.3.3 [A] Terminal Services - Do Not Allow Local Administrators to Customize Permissions: Enabled

5.6.3.4 [A] Terminal Services - Remote Control Settings: "Set rules for remote control of Terminal Services user settings": Enabled

5.6.3.5 [A] Terminal Services - Always prompt client for password upon connections: Enabled

5.6.3.6 [A] Terminal Services - Set Client Connection Encryption Level: Enabled

8.3.2.5 Do Not Use Temp Folders per Session: (5.044: CAT II) Disabled

8.3.2.6 Do Not Delete Temp Folder upon Exit: (5.045: CAT II) Disabled

5.6.3.10 [A] Terminal Services - Set time Limit for Disconnected Sessions: Enabled ("End a disconnected session" is set to "1")

8.3.2.7 Set Time Limit for Idle Sessions: (5.047: CAT II) Enabled and set to no more than 15 minutes

5.6.3.12 [A] Terminal Services - Allow Reconnection from Original Client Only: Enabled

8.3.2.8 Terminate Session When Time Limits are Reached: (5.049: CAT II) Enabled

….

….

….

…. 5.6.9.1 Report Errors: Disabled

….

….

….

….

…. ….

…. ….

…. ….

…. ….

…. ….

8.3.2.1 Keep-Alive Messages: (5.037: CAT III) Enabled

5.6.8.1 [A] Remote Assistance - Solicited Remote Assistance: Disabled

5.6.8.2 [A] Remote Assistance - Offer Remote Assistance: Disabled

5.4.3.1 [M] User Logon Restrictions: Enforce user logon restrictions: Enabled

5.4.3.2 [M] Service Ticket Lifetime: Maximum lifetime for service ticket: 600 minutes

5.4.3.3 [M] User Ticket Lifetime: Maximum lifetime for user ticket: 10 hours

5.4.3.5 [M] Computer Clock Synchronization: Maximum tolerance for computer clock synchronizations: 5 minutes

…. ….

….

….

….

….

2.2.2 Microsoft Software Updates Services: Specify intranet Microsoft update service location: enabled

3.2.1.78 MSS: TCPMaxPortsExhausted, How many dropped connect requests to initiate SYN attack protection: 5

8.3.1.1 Security Zones: Use Only Machine Settings: (5.028: CAT II) Enabled

8.3.1.3 Security Zones: Do Not Allow Users to Add/Delete Sites: (5.030: CAT II) Enabled

8.3.1.6 Disable Periodic Check for Internet Explorer Software Updates: (5.033: CAT II) Enabled

….

….

….

….

8.3.1.7 Disable Software Update Shell Notifications on Program Launch: (5.034: CAT II) Disabled

8.3.1.5 Disable Automatic Install of Internet Explorer Components: (5.032: CAT II) Enabled

8.3.1.4 Make Proxy Settings Per Machine: (5.031: CAT II) Enabled

8.3.1.2 Security Zones: Do Not Allow Users to Change Policies: (5.029: CAT II) Enabled

CCE ID CCE Description

CCE-1841-6 enabled/disabled

CCE-2348-1 enabled/disabled

CCE-2608-8 enabled/disabled

CCE-2022-2 enabled/disabled

CCE-2414-1 enabled/disabled

CCE-2441-4 enabled/disabled

CCE-2569-2 enabled/disabled

CCE-2110-5 enabled/disabled

CCE-2260-8 enabled/disabled

CCE Parameters

Auditing of "Security System Extension" events on success should be enabled or disabled as appropriate.

Auditing of "System Integrity" events on success should be enabled or disabled as appropriate.

Auditing of "IPsec Driver" events on success should be enabled or disabled as appropriate.

Auditing of "Other System Events" events on success should be enabled or disabled as appropriate.

Auditing of "Security State Change" events on success should be enabled or disabled as appropriate.

Auditing of "Logon" events on success should be enabled or disabled as appropriate.

Auditing of "Logoff" events on success should be enabled or disabled as appropriate.

Auditing of "Account Lockout" events on success should be enabled or disabled as appropriate.

Auditing of "IPsec Main Mode" events on success should be enabled or disabled as appropriate.

CCE-2064-4 enabled/disabled

CCE-2350-7 enabled/disabled

CCE-2610-4 enabled/disabled

CCE-2615-3 enabled/disabled

CCE-2373-9 enabled/disabled

CCE-2531-2 enabled/disabled

CCE-2553-6 enabled/disabled

CCE-2417-4 enabled/disabled

CCE-2465-3 enabled/disabled

CCE-2095-8 enabled/disabled

Auditing of "IPsec Quick Mode" events on success should be enabled or disabled as appropriate.

Auditing of "IPsec Extended Mode" events on success should be enabled or disabled as appropriate.

Auditing of "Special Logon" events on success should be enabled or disabled as appropriate.

Auditing of "Other Logon/Logoff Events" events on success should be enabled or disabled as appropriate.

Auditing of "Network Policy Server" events on success should be enabled or disabled as appropriate.

Auditing of "File System" events on success should be enabled or disabled as appropriate.

Auditing of "Registry" events on success should be enabled or disabled as appropriate.

Auditing of "Kernel Object" events on success should be enabled or disabled as appropriate.

Auditing of "SAM" events on success should be enabled or disabled as appropriate.

Auditing of "Certification Services" events on success should be enabled or disabled as appropriate.

CCE-2368-9 enabled/disabled

CCE-2408-3 enabled/disabled

CCE-2601-3 enabled/disabled

CCE-2482-8 enabled/disabled

CCE-2504-9 enabled/disabled

CCE-2033-9 enabled/disabled

CCE-2205-3 enabled/disabled

CCE-2104-8 enabled/disabled

CCE-2386-1 enabled/disabled

CCE-2518-9 enabled/disabled

Auditing of "Application Generated" events on success should be enabled or disabled as appropriate.

Auditing of "Handle Manipulation" events on success should be enabled or disabled as appropriate.

Auditing of "File Share" events on success should be enabled or disabled as appropriate.

Auditing of "Filtering Platform Packet Drop" events on success should be enabled or disabled as appropriate.

Auditing of "Filtering Platform Connection" events on success should be enabled or disabled as appropriate.

Auditing of "Other Object Access Events" events on success should be enabled or disabled as appropriate.

Auditing of "Sensitive Privilege Use" events on success should be enabled or disabled as appropriate.

Auditing of "Non Sensitive Privilege Use" events on success should be enabled or disabled as appropriate.

Auditing of "Other Privilege Use Events" events on success should be enabled or disabled as appropriate.

Auditing of "Process Termination" events on success should be enabled or disabled as appropriate.

CCE-2522-1 enabled/disabled

CCE-2544-5 enabled/disabled

CCE-2002-4 enabled/disabled

CCE-2433-1 enabled/disabled

CCE-2566-8 enabled/disabled

CCE-2570-0 enabled/disabled

CCE-2464-6 enabled/disabled

CCE-2614-6 enabled/disabled

CCE-2385-3 enabled/disabled

Auditing of "DPAPI Activity" events on success should be enabled or disabled as appropriate.

Auditing of "RPC Events" events on success should be enabled or disabled as appropriate.

Auditing of "Process Creation" events on success should be enabled or disabled as appropriate.

Auditing of "Audit Policy Change" events on success should be enabled or disabled as appropriate.

Auditing of "Authentication Policy Change" events on success should be enabled or disabled as appropriate.

Auditing of "Authorization Policy Change" events on success should be enabled or disabled as appropriate.

Auditing of "MPSSVC Rule-Level Policy Change" events on success should be enabled or disabled as appropriate.

Auditing of "Filtering Platform Policy Change" events on success should be enabled or disabled as appropriate.

Auditing of "Other Policy Change Events" events on success should be enabled or disabled as appropriate.

CCE-2394-5 enabled/disabled

CCE-2288-9 enabled/disabled

CCE-2443-0 enabled/disabled

CCE-1642-8 enabled/disabled

CCE-2468-7 enabled/disabled

CCE-2485-1 enabled/disabled

CCE-2367-1 enabled/disabled

CCE-2635-1 enabled/disabled

CCE-2534-6 enabled/disabled

Auditing of "User Account Management" events on success should be enabled or disabled as appropriate.

Auditing of "Computer Account Management" events on success should be enabled or disabled as appropriate.

Auditing of "Security Group Management" events on success should be enabled or disabled as appropriate.

Auditing of "Distribution Group Management" events on success should be enabled or disabled as appropriate.

Auditing of "Application Group Management" events on success should be enabled or disabled as appropriate.

Auditing of "Other Account Management Events" events on success should be enabled or disabled as appropriate.

Auditing of "Directory Service Access" events on success should be enabled or disabled as appropriate.

Auditing of "Directory Service Changes" events on success should be enabled or disabled as appropriate.

Auditing of "Directory Service Replication" events on success should be enabled or disabled as appropriate.

CCE-2556-9 enabled/disabled

CCE-2586-6 enabled/disabled

CCE-2463-8 enabled/disabled

CCE-2405-9 enabled/disabled

CCE-1678-2 enabled/disabled

CCE-2545-2 enabled/disabled

CCE-2440-6 enabled/disabled

CCE-2351-5 enabled/disabled

CCE-2193-1 enabled/disabled

CCE-2448-9 enabled/disabled

Auditing of "Detailed Directory Service Replication" events on success should be enabled or disabled as appropriate.

Auditing of "Kerberos Authentication Service" events on success should be enabled or disabled as appropriate.

Auditing of "Credential Validation" events on success should be enabled or disabled as appropriate.

Auditing of "Kerberos Service Ticket Operations" events on success should be enabled or disabled as appropriate.

Auditing of "Other Account Logon Events" events on success should be enabled or disabled as appropriate.

Auditing of "Security System Extension" events on failure should be enabled or disabled as appropriate.

Auditing of "System Integrity" events on failure should be enabled or disabled as appropriate.

Auditing of "IPsec Driver" events on failure should be enabled or disabled as appropriate.

Auditing of "Other System Events" events on failure should be enabled or disabled as appropriate.

Auditing of "Security State Change" events on failure should be enabled or disabled as appropriate.

CCE-2470-3 enabled/disabled

CCE-2616-1 enabled/disabled

CCE-1889-5 enabled/disabled

CCE-2409-1 enabled/disabled

CCE-2536-1 enabled/disabled

CCE-2267-3 enabled/disabled

CCE-2558-5 enabled/disabled

CCE-1968-7 enabled/disabled

CCE-2575-9 enabled/disabled

CCE-2488-5 enabled/disabled

CCE-2505-6 enabled/disabled

Auditing of "Logon" events on failure should be enabled or disabled as appropriate.

Auditing of "Logoff" events on failure should be enabled or disabled as appropriate.

Auditing of "Account Lockout" events on failure should be enabled or disabled as appropriate.

Auditing of "IPsec Main Mode" events on failure should be enabled or disabled as appropriate.

Auditing of "IPsec Quick Mode" events on failure should be enabled or disabled as appropriate.

Auditing of "IPsec Extended Mode" events on failure should be enabled or disabled as appropriate.

Auditing of "Special Logon" events on failure should be enabled or disabled as appropriate.

Auditing of "Other Logon/Logoff Events" events on failure should be enabled or disabled as appropriate.

Auditing of "Network Policy Server" events on failure should be enabled or disabled as appropriate.

Auditing of "File System" events on failure should be enabled or disabled as appropriate.

Auditing of "Registry" events on failure should be enabled or disabled as appropriate.

CCE-2195-6 enabled/disabled

CCE-1961-2 enabled/disabled

CCE-2358-0 enabled/disabled

CCE-2622-9 enabled/disabled

CCE-2503-1 enabled/disabled

CCE-2402-6 enabled/disabled

CCE-2292-1 enabled/disabled

CCE-2437-2 enabled/disabled

CCE-2583-3 enabled/disabled

CCE-2349-9 enabled/disabled

Auditing of "Kernel Object" events on failure should be enabled or disabled as appropriate.

Auditing of "SAM" events on failure should be enabled or disabled as appropriate.

Auditing of "Certification Services" events on failure should be enabled or disabled as appropriate.

Auditing of "Application Generated" events on failure should be enabled or disabled as appropriate.

Auditing of "Handle Manipulation" events on failure should be enabled or disabled as appropriate.

Auditing of "File Share" events on failure should be enabled or disabled as appropriate.

Auditing of "Filtering Platform Packet Drop" events on failure should be enabled or disabled as appropriate.

Auditing of "Filtering Platform Connection" events on failure should be enabled or disabled as appropriate.

Auditing of "Other Object Access Events" events on failure should be enabled or disabled as appropriate.

Auditing of "Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.

CCE-2605-4 enabled/disabled

CCE-2371-3 enabled/disabled

CCE-2389-5 enabled/disabled

CCE-2604-7 enabled/disabled

CCE-2498-4 enabled/disabled

CCE-2375-4 enabled/disabled

CCE-2269-9 enabled/disabled

CCE-2151-9 enabled/disabled

CCE-2459-6 enabled/disabled

CCE-2353-1 enabled/disabled

Auditing of "Non Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.

Auditing of "Other Privilege Use Events" events on failure should be enabled or disabled as appropriate.

Auditing of "Process Termination" events on failure should be enabled or disabled as appropriate.

Auditing of "DPAPI Activity" events on failure should be enabled or disabled as appropriate.

Auditing of "RPC Events" events on failure should be enabled or disabled as appropriate.

Auditing of "Process Creation" events on failure should be enabled or disabled as appropriate.

Auditing of "Audit Policy Change" events on failure should be enabled or disabled as appropriate.

Auditing of "Authentication Policy Change" events on failure should be enabled or disabled as appropriate.

Auditing of "Authorization Policy Change" events on failure should be enabled or disabled as appropriate.

Auditing of "MPSSVC Rule-Level Policy Change" events on failure should be enabled or disabled as appropriate.

CCE-2490-1 enabled/disabled

CCE-1759-0 enabled/disabled

CCE-2411-7 enabled/disabled

CCE-2415-8 enabled/disabled

CCE-2560-1 enabled/disabled

CCE-2273-1 enabled/disabled

CCE-2542-9 enabled/disabled

CCE-2062-8 enabled/disabled

CCE-1926-5 enabled/disabled

CCE-2445-5 enabled/disabled

Auditing of "Filtering Platform Policy Change" events on failure should be enabled or disabled as appropriate.

Auditing of "Other Policy Change Events" events on failure should be enabled or disabled as appropriate.

Auditing of "User Account Management" events on failure should be enabled or disabled as appropriate.

Auditing of "Computer Account Management" events on failure should be enabled or disabled as appropriate.

Auditing of "Security Group Management" events on failure should be enabled or disabled as appropriate.

Auditing of "Distribution Group Management" events on failure should be enabled or disabled as appropriate.

Auditing of "Application Group Management" events on failure should be enabled or disabled as appropriate.

Auditing of "Other Account Management Events" events on failure should be enabled or disabled as appropriate.

Auditing of "Directory Service Access" events on failure should be enabled or disabled as appropriate.

Auditing of "Directory Service Changes" events on failure should be enabled or disabled as appropriate.

CCE-1718-6 enabled/disabled

CCE-2489-3 enabled/disabled

CCE-2511-4 enabled/disabled

CCE-2516-3 enabled/disabled

CCE-2291-3 enabled/disabled

CCE-2564-3 enabled/disabled

CCE-2251-7 enabled/disabled

CCE-2211-1 enabled/disabled

CCE-2215-2 enabled/disabled

Auditing of "Directory Service Replication" events on failure should be enabled or disabled as appropriate.

Auditing of "Detailed Directory Service Replication" events on failure should be enabled or disabled as appropriate.

Auditing of "Kerberos Authentication Service" events on failure should be enabled or disabled as appropriate.

Auditing of "Credential Validation" events on failure should be enabled or disabled as appropriate.

Auditing of "Kerberos Service Ticket Operations" events on failure should be enabled or disabled as appropriate.

Auditing of "Other Account Logon Events" events on failure should be enabled or disabled as appropriate.

Auditing of "Audit account logon events" events on success should be enabled or disabled as appropriate.

Auditing of "Audit account management" events on success should be enabled or disabled as appropriate.

Auditing of "Audit directory service access" events on success should be enabled or disabled as appropriate.

CCE-2242-6 enabled/disabled

CCE-2136-0 enabled/disabled

CCE-2268-1 enabled/disabled

CCE-2035-4 enabled/disabled

CCE-2295-4 enabled/disabled

CCE-1837-4 enabled/disabled

CCE-1779-8 enabled/disabled

CCE-2538-7 enabled/disabled

CCE-2582-5 enabled/disabled

CCE-2574-2 enabled/disabled

Auditing of "Audit logon events" events on success should be enabled or disabled as appropriate.

Auditing of "Audit object access" events on success should be enabled or disabled as appropriate.

Auditing of "Audit policy change" events on success should be enabled or disabled as appropriate.

Auditing of "Audit privilege use" events on success should be enabled or disabled as appropriate.

Auditing of "Audit process tracking" events on success should be enabled or disabled as appropriate.

Auditing of "Audit system events" events on success should be enabled or disabled as appropriate.

Auditing of "Audit account logon events" events on failure should be enabled or disabled as appropriate.

Auditing of "Audit account management" events on failure should be enabled or disabled as appropriate.

Auditing of "Audit directory service access" events on failure should be enabled or disabled as appropriate.

Auditing of "Audit logon events" events on failure should be enabled or disabled as appropriate.

CCE-2217-8 enabled/disabled

CCE-2512-2 enabled/disabled

CCE-2265-7 enabled/disabled

CCE-1895-2 enabled/disabled

CCE-1939-8 enabled/disabled

CCE-2026-3

CCE-2075-0

CCE-2079-2

CCE-2246-7

CCE-2004-0

CCE-2286-3

Auditing of "Audit object access" events on failure should be enabled or disabled as appropriate.

Auditing of "Audit policy change" events on failure should be enabled or disabled as appropriate.

Auditing of "Audit privilege use" events on failure should be enabled or disabled as appropriate.

Auditing of "Audit process tracking" events on failure should be enabled or disabled as appropriate.

Auditing of "Audit system events" events on failure should be enabled or disabled as appropriate.

The "Access credential Manager as a trusted caller" setting should be configured correctly.

The "Access this computer from the network (SeNetworkLogonRight)" setting should be configured correctly.

The "Act as part of the operating system (SeTcbPrivilege)" setting should be configured correctly.

The "Add workstations to domain" setting should be configured correctly.

The "Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)" setting should be configured correctly.

The "Allow log on locally" setting should be configured correctly.

CCE-2308-5

CCE-1321-9

CCE-2285-5

CCE-2290-5

CCE-2171-7

CCE-1328-4

CCE-1491-0

CCE-2226-9

CCE-1341-7

CCE-2305-1

CCE-2310-1

The "Allow log on through Terminal Services (SeRemoteInteractiveLogonRight)" setting should be configured correctly.

The "Back up files and directories (SeBackupPrivilege)" setting should be configured correctly.

The "Bypass traverse checking (SeChangeNotifyPrivilege)" setting should be configured correctly.

The "Change the system time (SeSystemTimePrivilege)" setting should be configured correctly.

The "Change the time zone" setting should be configured correctly.

The "Create a pagefile (SeCreatePagefilePrivilege)" setting should be configured correctly.

The "Create a token object (SeCreateTokenPrivilege)" setting should be configured correctly.

The "Create global objects (SeCreateGlobalPrivilege)" setting should be configured correctly.

The "Create permanent shared objects" setting should be configured correctly.

The "Create symbolic links" setting should be configured correctly.

The "Debug programs (SeDebugPrivilege)" setting should be configured correctly.

CCE-2314-3

CCE-1834-1

CCE-2296-2

CCE-1944-8

CCE-2102-2

CCE-1481-1

CCE-1750-9

CCE-2129-5

CCE-1346-6

CCE-2306-9

The "Deny access to this computer from the network (SeDenyNetworkLogonRight)" setting should be configured correctly.

The "Deny log on as a batch job (SeDenyBatchLogonRight)" setting should be configured correctly.

The "Deny log on locally (SeDenyInteractiveLogonRight)" setting should be configured correctly.

The "Deny log on as a service(SeDenyServiceLogonRight)" setting should be configured correctly.

The "Deny log on through Terminal Services (SeDenyRemoteInteractiveLogonRight)" setting should be configured correctly.

The "Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)" setting should be configured correctly.

The "Force shutdown from a remote system (SeRemoteShutdownPrivilege)" setting should be configured correctly.

The "Generate security audits (SeAuditPrivilege)" setting should be configured correctly.

The "Impersonate a client after authentication" setting should be configured correctly.

The "Increase a process working set" setting should be configured correctly.

CCE-2328-3

CCE-1455-5

CCE-2332-5

CCE-1975-2

CCE-2270-7

CCE-1843-2

CCE-2142-8

CCE-2257-4

CCE-1383-9

CCE-2360-6

The "Increase scheduling priority (SeIncreaseBasePriorityPrivilege)" setting should be configured correctly.

The "Load and unload device drivers (SeLoadDriverPrivilege)" setting should be configured correctly.

The "Lock pages in memory (SeLockMemoryPrivilege)" setting should be configured correctly.

The "Log on as a batch job (SeBatchLogonRight)" setting should be configured correctly.

The "Log on as a service (SeServiceLogonRight)" setting should be configured correctly.

The "Manage auditing and security log (SeSecurityPrivilege)" setting should be configured correctly.

The "Modify an object label" setting should be configured correctly.

The "Modify firmware environment values (SeSystemEnvironmentPrivilege)" setting should be configured correctly.

The "Perform volume maintenance tasks (SeManageVolumePrivilege)" setting should be configured correctly.

The "Profile single process (SeProfileSingleProcessPrivilege)" setting should be configured correctly.

CCE-2113-9

CCE-2382-0

CCE-1527-1

CCE-2294-7

CCE-2078-4

CCE-2137-8 enabled/disabled

CCE-2506-4

CCE-2337-4 enabled/disabled

CCE-2342-4 enabled/disabled

CCE-2364-8 enabled/disabled

The "Profile system performance (SeSystemProfilePrivilege)" setting should be configured correctly.

The "Remove computer from docking station (SeUndockPrivilege)" setting should be configured correctly.

The "Replace a process level token (SeAssignPrimaryTokenPrivilege)" setting should be configured correctly.

The "Restore files and directories (SeRestorePrivilege)" setting should be configured correctly.

The "Shut down the system (SeShutdownPrivilege)" setting should be configured correctly.

The "Synchronize directory service data" setting should be configured correctly.

The "Take ownership of files or other objects (SeTakeOwnershipPrivilege)" setting should be configured correctly.

The "Accounts: Administrator account status" setting should be configured correctly.

The "Accounts: Guest account status" setting should be configured correctly.

The "Accounts: Limit local account use of blank passwords to console logon only" setting should be configured correctly.

CCE-2227-7 enabled/disabled

CCE-2372-1 enabled/disabled

CCE-1751-7 enabled/disabled

CCE-1773-1 enabled/disabled

CCE-2276-4 enabled/disabled

CCE-2315-0 enabled/disabled

CCE-2196-4 enabled/disabled

CCE-2201-2 enabled/disabled

CCE-2249-1 enabled/disabled

The "Accounts: Rename administrator account" setting should be configured correctly.

The "Accounts: Rename guest account" setting should be configured correctly.

The "Audit: Audit the access of global system objects" setting should be configured correctly.

The "Audit: Audit the use of Backup and Restore privilege" setting should be configured correctly.

The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" setting should be configured correctly.

The "Audit: Shut down system immediately if unable to log security audits" setting should be configured correctly.

The "DCOM: Machine access restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly.

The "DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly.

The "Devices: Allow undock without having to log on" setting should be configured correctly.

CCE-2377-0 enabled/disabled

CCE-2152-7 enabled/disabled

CCE-1390-4 enabled/disabled

CCE-2383-8 enabled/disabled

CCE-2049-5 enabled/disabled

CCE-2317-6

CCE-1934-9 enabled/disabled

CCE-2203-8 enabled/disabled

CCE-1868-9 enabled/disabled

CCE-2362-2 enabled/disabled

The "Devices: Allowed to format and eject removable media" setting should be configured correctly.

The "Devices: Prevent users from installing printer drivers" setting should be configured correctly.

The "Devices: Restrict CD-ROM access to locally logged-on user only" setting should be configured correctly.

The "Devices: Restrict floppy access to locally logged-on user only" setting should be configured correctly.

The "Domain Controller: Allow server operators to schedule tasks" setting should be configured correctly.

The "Domain Controller: LDAP server signing requirements" setting should be configured correctly.

The "Domain Controller: Refuse machine account password changes" setting should be configured correctly.

The "Domain member: Digitally encrypt or sign secure channel data (always)" setting should be configured correctly.

The "Domain member: Digitally encrypt secure channel data (when possible)" setting should be configured correctly.

The "Domain member: Digitally sign secure channel data (when possible)" setting should be configured correctly.

CCE-2256-6

CCE-2278-0

CCE-1802-8 enabled/disabled

CCE-2199-8 enabled/disabled

CCE-2331-7 enabled/disabled

CCE-2225-1

CCE-2037-0

CCE-2297-0

CCE-2324-2 enabled/disabled

The "Domain member: Disable machine account password changes" setting should be configured correctly.

The "Domain member: Maximum machine account password age" setting should be configured correctly.

The "Domain member: Require strong (Windows 2000 or later) session key" setting should be configured correctly.

The "Interactive logon: Do not display last user name" setting should be configured correctly.

The "Interactive logon: Do not require CTRL+ALT+DEL" setting should be configured correctly.

The "Interactive logon: Message text for users attempting to log on" setting should be configured correctly.

The "Interactive logon: Message title for users attempting to log on" setting should be configured correctly.

The "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" setting should be configured correctly.

The "Interactive logon: Prompt user to change password before expiration" setting should be configured correctly.

CCE-2346-5 enabled/disabled

CCE-2223-6 enabled/disabled

CCE-1448-0

CCE-2356-4 enabled/disabled

CCE-2378-8 enabled/disabled

CCE-2272-3 enabled/disabled

CCE-2236-8

CCE-2381-2 enabled/disabled

CCE-2263-2 enabled/disabled

The "Interactive logon: Require Domain Controller authentication to unlock workstation" setting should be configured correctly.

The "Interactive logon: Require smart card" setting should be configured correctly.

The "Interactive logon: Smart card removal behavior" setting should be configured correctly.

The "Microsoft network client: Digitally sign communications (always)" setting should be configured correctly.

The "Microsoft network client: Digitally sign communications (if server agrees)" setting should be configured correctly.

The "Microsoft network client: Send unencrypted password to third-party SMB servers" setting should be configured correctly.

The "Microsoft network server: Amount of idle time required before suspending session" setting should be configured correctly.

The "Microsoft network server: Digitally sign communications (always)" setting should be configured correctly.

The "Microsoft network server: Digitally sign communications (if client agrees)" setting should be configured correctly.

CCE-2029-7 enabled/disabled

CCE-2307-7 enabled/disabled

CCE-1826-7 enabled/disabled

CCE-1967-9 enabled/disabled

CCE-1470-4 enabled/disabled

CCE-2241-8 enabled/disabled

CCE-2399-4

The "Microsoft network server: Disconnect clients when logon hours expire" setting should be configured correctly.

The "MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)" setting should be configured correctly.

The "MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" setting should be configured correctly.

The "MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)" setting should be configured correctly.

The "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" setting should be configured correctly.

The "MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)" setting should be configured correctly.

The "MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds" setting should be configured correctly.

CCE-2404-2 enabled/disabled

CCE-2298-8 enabled/disabled

CCE-2320-0 enabled/disabled

CCE-2156-8 enabled/disabled

CCE-1800-2 enabled/disabled

CCE-2447-1 enabled/disabled

The "MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic." setting should be configured correctly.

The "MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended)" setting should be configured correctly.

The "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" setting should be configured correctly.

The "MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)" setting should be configured correctly.

The "MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)" setting should be configured correctly.

The "MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)" setting should be configured correctly.

CCE-2183-2

CCE-1460-5

CCE-2384-6 enabled/disabled

CCE-2424-0

CCE-2442-2

CCE-2318-4 enabled/disabled

CCE-1962-0 enabled/disabled

The "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" setting should be configured correctly.

The "MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)" setting should be configured correctly.

The "MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged" setting should be configured correctly.

The "MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)" setting should be configured correctly.

The "MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning" setting should be configured correctly.

The "Network access: Allow anonymous SID/Name translation" setting should be configured correctly.

The "Network access: Do not allow anonymous enumeration of SAM accounts" setting should be configured correctly.

CCE-2340-8 enabled/disabled

CCE-2111-3 enabled/disabled

CCE-1824-2 enabled/disabled

CCE-2089-1

CCE-1521-4

CCE-2357-2

CCE-2361-4 enabled/disabled

CCE-2507-2

CCE-2406-7

The "Network access: Do not allow anonymous enumeration of SAM accounts and shares" setting should be configured correctly.

The "Network access: Do not allow storage of credentials or .NET Passports for network authentication" setting should be configured correctly.

The "Network access: Let Everyone permissions apply to anonymous users" setting should be configured correctly.

The "Network access: Named Pipes that can be accessed anonymously" setting should be configured correctly.

The "Network access: Remotely accessible registry paths" setting should be configured correctly.

The "Network access: Remotely accessible registry paths and sub paths" setting should be configured correctly.

The "Network access: Restrict anonymous access to Named Pipes and Shares" setting should be configured correctly.

The "Network access: Shares that can be accessed anonymously" setting should be configured correctly.

The "Network access: Sharing and security model for local accounts" setting should be configured correctly.

CCE-2304-4 enabled/disabled

CCE-2432-3 enabled/disabled

CCE-2454-7

CCE-2327-5

CCE-1767-3 enabled/disabled

CCE-2410-9 enabled/disabled

CCE-2309-3 enabled/disabled

CCE-1553-7 enabled/disabled

CCE-2403-4 enabled/disabled

The "Network security: Do not store LAN Manager hash value on next password change" setting should be configured correctly.

The "Network security: Force logoff when logon hours expire" setting should be configured correctly.

The "Network security: LAN Manager authentication level" setting should be configured correctly.

The "Network security: LDAP client signing requirements" setting should be configured correctly.

The "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" setting should be configured correctly.

The "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" setting should be configured correctly.

The "Recovery console: Allow automatic administrative logon" setting should be configured correctly.

The "Recovery console: Allow floppy copy and access to all drives and all folders" setting should be configured correctly.

The "Shutdown: Allow system to be shut down without having to log on" setting should be configured correctly.

CCE-2416-6 enabled/disabled

CCE-2319-2 enabled/disabled

CCE-2261-6 enabled/disabled

CCE-2429-9 enabled/disabled

CCE-2451-3 enabled/disabled

CCE-1598-2

CCE-2421-6 enabled/disabled

CCE-2302-8

The "Shutdown: Clear virtual memory pagefile" setting should be configured correctly.

The "System cryptography: Force strong key protection for user keys stored on the computer" setting should be configured correctly.

The "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" setting should be configured correctly.

The "System objects: Require case insensitivity for non-Windows subsystems" setting should be configured correctly.

The "System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)" setting should be configured correctly.

The "System settings: Optional subsystems" setting should be configured correctly.

The "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies" setting should be configured correctly.

The "User Account Control: Admin Approval Mode for the Built-in Administrator account" setting should be configured correctly.

CCE-2434-9 enabled/disabled

CCE-2474-5

CCE-2355-6

CCE-2487-7 enabled/disabled

CCE-2509-8 enabled/disabled

CCE-2473-7 enabled/disabled

CCE-2478-6 enabled/disabled

The "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" setting should be configured correctly.

The "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" setting should be configured correctly.

The "User Account Control: Behavior of the elevation prompt for standard users" setting should be configured correctly.

The "User Account Control: Detect application installations and prompt for elevation" setting should be configured correctly.

The "User Account Control: Only elevate executables that are signed and validated" setting should be configured correctly.

The "User Account Control: Only elevate UIAccess applications that are installed in secure locations" setting should be configured correctly.

The "User Account Control: Run all administrators in Admin Approval Mode" setting should be configured correctly.

CCE-2500-7 enabled/disabled

CCE-2266-5 enabled/disabled

CCE-2539-5

CCE-2244-2

CCE-2262-4

CCE-1622-0 enabled/disabled

CCE-2189-9 enabled/disabled

CCE-2149-3 enabled/disabled

CCE-2541-1 enabled/disabled

CCE-2435-6 enabled/disabled

CCE-2581-7 enabled/disabled

CCE-1819-2

The "User Account Control: Switch to the secure desktop when prompting for elevation" setting should be configured correctly.

The "User Account Control: Virtualize file and registry write failures to per-user locations" setting should be configured correctly.

The "Maximum application log size" setting should be configured correctly.

The "Maximum security log size" setting should be configured correctly.

The "Maximum system log size" setting should be configured correctly.

The "Prevent local guests group from accessing application log" setting should be configured correctly.

The "Prevent local guests group from accessing system log" setting should be configured correctly.

The "Prevent local guests group from accessing security log" setting should be configured correctly.

The "Retain application log" setting should be configured correctly.

The "Retain security log" setting should be configured correctly.

The "Retain system log" setting should be configured correctly.

The "Retention method for application log" setting should be configured correctly.

CCE-1836-6

CCE-2607-0

CCE-2237-6 enabled/disabled

CCE-2200-4

CCE-1861-4

CCE-2240-0

CCE-2126-1 enabled/disabled

CCE-2289-7 enabled/disabled

CCE-1317-7

CCE-1872-1

CCE-2311-9

The "Retention method for security log" setting should be configured correctly.

The "Retention method for system log" setting should be configured correctly.

The "Enforce password history" setting should be configured correctly.

The "Maximum password age" setting should be configured correctly.

The "Minimum password age" setting should be configured correctly.

The "Minimum password length" setting should be configured correctly.

The "Password must meet complexity requirements" setting should be configured correctly.

The "Store passwords using reversible encryption" setting should be configured correctly.

The "Account lockout duration" setting should be configured correctly.

The "Account lockout threshold" setting should be configured correctly.

The "Reset account lockout counter after" setting should be configured correctly.

CCE Technical Mechanisms

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) via auditpol

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit account logon events (2) Audit Policy security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit account management (2) Audit Policy security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit directory service access (2) Audit Policy security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit logon events (2) Audit Policy security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access (2) Audit Policy security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit policy change (2) Audit Policy security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit privilege use (2) Audit Policy security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit process tracking (2) Audit Policy security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit system events (2) Audit Policy security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit account logon events (2) Audit Policy security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit account management (2) Audit Policy security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit directory service access (2) Audit Policy security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit logon events (2) Audit Policy security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access (2) Audit Policy security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit policy change (2) Audit Policy security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit privilege use (2) Audit Policy security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit process tracking (2) Audit Policy security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit system events (2) Audit Policy security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Access credential Manager as a trusted caller (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Access this computer from the network (SeNetworkLogonRight) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Act as part of the operating system (SeTcbPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Add workstations to domain (2)

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Allow log on locally (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Allow log on through Terminal Services (SeRemoteInteractiveLogonRight) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Back up files and directories (SeBackupPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Bypass traverse checking (SeChangeNotifyPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Change the system time (SeSystemTimePrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Change the time zone (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create a pagefile (SeCreatePagefilePrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create a token object (SeCreateTokenPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create global objects (SeCreateGlobalPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create permanent shared objects (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create symbolic links (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Debug programs (SeDebugPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny access to this computer from the network (SeDenyNetworkLogonRight) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny log on as a batch job (SeDenyBatchLogonRight) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny log on locally (SeDenyInteractiveLogonRight) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny log on as a service(SeDenyServiceLogonRight) (2)

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny log on through Terminal Services (SeDenyRemoteInteractiveLogonRight) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Force shutdown from a remote system (SeRemoteShutdownPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Generate security audits (SeAuditPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Impersonate a client after authentication (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Increase a process working set (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Increase scheduling priority (SeIncreaseBasePriorityPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Load and unload device drivers (SeLoadDriverPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Lock pages in memory (SeLockMemoryPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Log on as a batch job (SeBatchLogonRight) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Log on as a service (SeServiceLogonRight) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Manage auditing and security log (SeSecurityPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Modify an object label (2)

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Modify firmware environment values (SeSystemEnvironmentPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Perform volume maintenance tasks (SeManageVolumePrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Profile single process (SeProfileSingleProcessPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Profile system performance (SeSystemProfilePrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Remove computer from docking station (SeUndockPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Replace a process level token (SeAssignPrimaryTokenPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Restore files and directories (SeRestorePrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Shut down the system (SeShutdownPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Synchronize directory service data (2)

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Take ownership of files or other objects (SeTakeOwnershipPrivilege) (2) User Rights security settings are not registry keys

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Administrator account status (2) Not a Registry Key

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Guest account status (2) Not a Registry Key

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Limit local account use of blank passwords to console logon only (2) MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Rename administrator account (2) Not a Registry Key

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Rename guest account (2) Not a Registry Key

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Audit: Audit the access of global system objects (2) MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Audit: Audit the use of Backup and Restore privilege (2) MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (2) MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Audit: Shut down system immediately if unable to log security audits (2) MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/DCOM: Machine access restrictions in Security Descriptor Definition Language (SDDL) syntax (2)

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax (2)

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Allow undock without having to log on (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Allowed to format and eject removable media (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Prevent users from installing printer drivers (2) MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Restrict CD-ROM access to locally logged-on user only (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Restrict floppy access to locally logged-on user only (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: Allow server operators to schedule tasks (2)

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: LDAP server signing requirements (2)

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: Refuse machine account password changes (2)

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Digitally encrypt or sign secure channel data (always) (2) MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Digitally encrypt secure channel data (when possible) (2) MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Digitally sign secure channel data (when possible) (2) MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Disable machine account password changes (2) MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Maximum machine account password age (2) MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Require strong (Windows 2000 or later) session key (2) MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Do not display last user name (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Do not require CTRL+ALT+DEL (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Message text for users attempting to log on (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Message title for users attempting to log on (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Number of previous logons to cache (in case domain controller is not available) (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Prompt user to change password before expiration (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Require Domain Controller authentication to unlock workstation (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Require smart card (2)

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Smart card removal behavior (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network client: Digitally sign communications (always) (2) MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network client: Digitally sign communications (if server agrees) (2) MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network client: Send unencrypted password to third-party SMB servers (2) MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network server: Amount of idle time required before suspending session (2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network server: Digitally sign communications (always) (2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network server: Digitally sign communications (if client agrees) (2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network server: Disconnect clients when logon hours expire (2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) (2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) (2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes (2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) (2) MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. (2) MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended) (2) MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers (2) MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) (2) MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) (2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) (2) MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) (2) MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) (2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged (2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) (2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning (2) MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Allow anonymous SID/Name translation (2) Not a Registry Key

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Do not allow anonymous enumeration of SAM accounts (2) MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Do not allow anonymous enumeration of SAM accounts and shares (2) MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Do not allow storage of credentials or .NET Passports for network authentication (2) MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Let Everyone permissions apply to anonymous users (2) MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Named Pipes that can be accessed anonymously (2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Remotely accessible registry paths (2) MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Remotely accessible registry paths and sub paths (2) MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Restrict anonymous access to Named Pipes and Shares (2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Shares that can be accessed anonymously (2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Sharing and security model for local accounts (2) MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: Do not store LAN Manager hash value on next password change (2) MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: Force logoff when logon hours expire (2) Not a Registry Key

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: LAN Manager authentication level (2) MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: LDAP client signing requirements (2) MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: Minimum session security for NTLM SSP based (including secure RPC) clients (2) MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: Minimum session security for NTLM SSP based (including secure RPC) servers (2) MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Recovery console: Allow automatic administrative logon (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Recovery console: Allow floppy copy and access to all drives and all folders (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Shutdown: Allow system to be shut down without having to log on (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Shutdown: Clear virtual memory pagefile (2) MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System cryptography: Force strong key protection for user keys stored on the computer (2)

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing (2) MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System objects: Require case insensitivity for non-Windows subsystems (2) MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) (2) MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System settings: Optional subsystems (2)

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies (2)

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Admin Approval Mode for the Built-in Administrator account (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop (2)

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Behavior of the elevation prompt for standard users (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Detect application installations and prompt for elevation (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Only elevate executables that are signed and validated (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Only elevate UIAccess applications that are installed in secure locations (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Run all administrators in Admin Approval Mode (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Switch to the secure desktop when prompting for elevation (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop

(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Virtualize file and registry write failures to per-user locations (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization

(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Maximum application log size (2) Event Log security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Maximum security log size (2) Event Log security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Maximum system log size (2) Event Log security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Prevent local guests group from accessing application log (2) Event Log security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Prevent local guests group from accessing system log (2) Event Log security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Prevent local guests group from accessing security log (2) Event Log security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Retain application log (2) Event Log security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Retain security log (2) Event Log security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Retain system log (2) Event Log security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Retention method for application log (2) Event Log security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Retention method for security log (2) Event Log security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Retention method for system log (2) Event Log security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)

(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)

(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)

(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)

(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)

(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)

(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy (Settings included in Domain Policies)

(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy (Settings included in Domain Policies)

(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy (Settings included in Domain Policies)

Windows Server® 2008 Security Guide Spreadsheet (Windows Server 2008 Security Guide Settings.xls)

System /  Security System Extension

System /  System Integrity

System /  IPsec Driver

System /  Other System Events

System /  Security State Change

Logon/Logoff /  Logon

Logon/Logoff /  Logoff

Logon/Logoff /  Account Lockout

Logon/Logoff /  IPsec Main Mode

Logon/Logoff / Network Policy Server

Logon/Logoff /  IPsec Quick Mode

Logon/Logoff /  IPsec Extended Mode

Logon/Logoff /  Special Logon

Logon/Logoff /  Other Logon/Logoff Events

Object Access /  File System

Object Access /  Registry

Object Access /  Kernel Object

Object Access /  SAM

Object Access /  Certification Services

Object Access /  Application Generated

Object Access /  Handle Manipulation

Object Access /  File Share

Object Access /  Filtering Platform Packet Drop

Object Access /  Filtering Platform Connection

Object Access /  Other Object Access Events

Privilege Use /  Sensitive Privilege Use

Privilege Use /  Non Sensitive Privilege Use

Privilege Use /  Other Privilege Use Events

Detailed Tracking /  Process Termination

Detailed Tracking /  DPAPI Activity

Detailed Tracking /  RPC Events

Detailed Tracking /  Process Creation

Policy Change /  Audit Policy Change

Policy Change /  Authentication Policy Change

Policy Change /  Authorization Policy Change

Policy Change /  MPSSVC Rule-Level Policy Change

Policy Change /  Filtering Platform Policy Change

Policy Change /  Other Policy Change Events

Account Management /  User Account Management

Account Management /  Computer Account Management

Account Management /  Security Group Management

Account Management /  Distribution Group Management

Account Management /  Application Group Management

Account Management /  Other Account Management Events

DS Access /  Directory Service Access

DS Access /  Directory Service Changes

DS Access /  Directory Service Replication

DS Access /  Detailed Directory Service Replication

Account Logon /  Kerberos Authentication Service

Account Logon /  Credential Validation

Account Logon /  Kerberos Service Ticket Operations

Account Logon /  Other Account Logon Events

System /  Security System Extension

System /  System Integrity

System /  IPsec Driver

System /  Other System Events

System /  Security State Change

Logon/Logoff / Network Policy Server

Logon/Logoff /  Logon

Logon/Logoff /  Logoff

Logon/Logoff /  Account Lockout

Logon/Logoff /  IPsec Main Mode

Logon/Logoff /  IPsec Quick Mode

Logon/Logoff /  IPsec Extended Mode

Logon/Logoff /  Special Logon

Logon/Logoff /  Other Logon/Logoff Events

Object Access /  File System

Object Access /  Registry

Object Access /  Kernel Object

Object Access /  SAM

Object Access /  Certification Services

Object Access /  Application Generated

Object Access /  Handle Manipulation

Object Access /  File Share

Object Access /  Filtering Platform Packet Drop

Object Access /  Filtering Platform Connection

Object Access /  Other Object Access Events

Privilege Use /  Sensitive Privilege Use

Privilege Use /  Non Sensitive Privilege Use

Privilege Use /  Other Privilege Use Events

Detailed Tracking /  Process Termination

Detailed Tracking /  DPAPI Activity

Detailed Tracking /  RPC Events

Detailed Tracking /  Process Creation

Policy Change /  Audit Policy Change

Policy Change /  Authentication Policy Change

Policy Change /  Authorization Policy Change

Policy Change /  MPSSVC Rule-Level Policy Change

Policy Change /  Filtering Platform Policy Change

Policy Change /  Other Policy Change Events

Account Management /  User Account Management

Account Management /  Computer Account Management

Account Management /  Security Group Management

Account Management /  Distribution Group Management

Account Management /  Application Group Management

Account Management /  Other Account Management Events

DS Access /  Directory Service Access

DS Access /  Directory Service Changes

DS Access /  Directory Service Replication

DS Access /  Detailed Directory Service Replication

Account Logon /  Kerberos Authentication Service

Account Logon /  Credential Validation

Account Logon /  Kerberos Service Ticket Operations

Account Logon /  Other Account Logon Events

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit account logon events

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit account management

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit directory service access

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit logon events

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit policy change

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit privilege use

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit process tracking

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit system events

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit account logon events

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit account management

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit directory service access

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit logon events

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit policy change

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit privilege use

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit process tracking

Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit system events

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Access credential Manager as a trusted caller

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Access this computer from the network (SeNetworkLogonRight)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Act as part of the operating system (SeTcbPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Add workstations to domain

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Allow log on locally

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Allow log on through Terminal Services (SeRemoteInteractiveLogonRight)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Back up files and directories (SeBackupPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Bypass traverse checking (SeChangeNotifyPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Change the system time (SeSystemTimePrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Change the time zone

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create a pagefile (SeCreatePagefilePrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create a token object (SeCreateTokenPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create global objects (SeCreateGlobalPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create permanent shared objects

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create symbolic links

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Debug programs (SeDebugPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny access to this computer from the network (SeDenyNetworkLogonRight)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny log on as a batch job (SeDenyBatchLogonRight)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny log on locally (SeDenyInteractiveLogonRight)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny log on as a service (SeDenyServiceLogonRight)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny log on through Terminal Services (SeDenyRemoteInteractiveLogonRight)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Force shutdown from a remote system (SeRemoteShutdownPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Generate security audits (SeAuditPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Impersonate a client after authentication

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Increase a process working set

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Increase scheduling priority (SeIncreaseBasePriorityPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Load and unload device drivers (SeLoadDriverPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Lock pages in memory (SeLockMemoryPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Log on as a batch job (SeBatchLogonRight)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Log on as a service (SeServiceLogonRight)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Manage auditing and security log (SeSecurityPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Modify an object label

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Modify firmware environment values (SeSystemEnvironmentPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Perform volume maintenance tasks (SeManageVolumePrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Profile single process (SeProfileSingleProcessPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Profile system performance (SeSystemProfilePrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Remove computer from docking station (SeUndockPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Replace a process level token (SeAssignPrimaryTokenPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Restore files and directories (SeRestorePrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Shut down the system (SeShutdownPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Synchronize directory service data

Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Take ownership of files or other objects (SeTakeOwnershipPrivilege)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Administrator account status

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Guest account status

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Limit local account use of blank passwords to console logon only

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Rename administrator account

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Rename guest account

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Audit: Audit the access of global system objects

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Audit: Audit the use of Backup and Restore privilege

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Audit: Shut down system immediately if unable to log security audits

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/DCOM: Machine access restrictions in Security Descriptor Definition Language (SDDL) syntax

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Allow undock without having to log on

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Allowed to format and eject removable media

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Prevent users from installing printer drivers

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Restrict CD-ROM access to locally logged-on user only

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Restrict floppy access to locally logged-on user only

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: Allow server operators to schedule tasks

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: LDAP server signing requirements

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: Refuse machine account password changes

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Digitally encrypt or sign secure channel data (always)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Digitally encrypt secure channel data (when possible)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Digitally sign secure channel data (when possible)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Disable machine account password changes

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Maximum machine account password age

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Require strong (Windows 2000 or later) session key

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Do not display last user name

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Do not require CTRL+ALT+DEL

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Message text for users attempting to log on

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Message title for users attempting to log on

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Number of previous logons to cache (in case domain controller is not available)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Prompt user to change password before expiration

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Require Domain Controller authentication to unlock workstation

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Require smart card

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Smart card removal behavior

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network client: Digitally sign communications (always)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network client: Digitally sign communications (if server agrees)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network client: Send unencrypted password to third-party SMB servers

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network server: Amount of idle time required before suspending session

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network server: Digitally sign communications (always)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network server: Digitally sign communications (if client agrees)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network server: Disconnect clients when logon hours expire

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Allow anonymous SID/Name translation

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Do not allow anonymous enumeration of SAM accounts

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Do not allow anonymous enumeration of SAM accounts and shares

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Do not allow storage of credentials or .NET Passports for network authentication

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Let Everyone permissions apply to anonymous users

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Named Pipes that can be accessed anonymously

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Remotely accessible registry paths

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Remotely accessible registry paths and sub paths

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Restrict anonymous access to Named Pipes and Shares

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Shares that can be accessed anonymously

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Sharing and security model for local accounts

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: Do not store LAN Manager hash value on next password change

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: Force logoff when logon hours expire

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: LAN Manager authentication level

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: LDAP client signing requirements

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Recovery console: Allow automatic administrative logon

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Recovery console: Allow floppy copy and access to all drives and all folders

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Shutdown: Allow system to be shut down without having to log on

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Shutdown: Clear virtual memory pagefile

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System cryptography: Force strong key protection for user keys stored on the computer

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System objects: Require case insensitivity for non-Windows subsystems

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System settings: Optional subsystems

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Admin Approval Mode for the Built-in Administrator account

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Behavior of the elevation prompt for standard users

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Detect application installations and prompt for elevation

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Only elevate executables that are signed and validated

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Only elevate UIAccess applications that are installed in secure locations

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Run all administrators in Admin Approval Mode

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Switch to the secure desktop when prompting for elevation

Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Virtualize file and registry write failures to per-user locations

Computer Configuration/Windows Settings/Security Settings/Event Log//Maximum application log size

Computer Configuration/Windows Settings/Security Settings/Event Log//Maximum security log size

Computer Configuration/Windows Settings/Security Settings/Event Log//Maximum system log size

Computer Configuration/Windows Settings/Security Settings/Event Log//Prevent local guests group from accessing application log

Computer Configuration/Windows Settings/Security Settings/Event Log//Prevent local guests group from accessing system log

Computer Configuration/Windows Settings/Security Settings/Event Log//Prevent local guests group from accessing security log

Computer Configuration/Windows Settings/Security Settings/Event Log//Retain application log

Computer Configuration/Windows Settings/Security Settings/Event Log//Retain security log

Computer Configuration/Windows Settings/Security Settings/Event Log//Retain system log

Computer Configuration/Windows Settings/Security Settings/Event Log//Retention method for application log

Computer Configuration/Windows Settings/Security Settings/Event Log//Retention method for security log

Computer Configuration/Windows Settings/Security Settings/Event Log//Retention method for system log

GPO Settings: Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)

GPO Settings: Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)

GPO Settings: Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)

GPO Settings: Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)

GPO Settings: Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)

GPO Settings: Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)

GPO Settings: Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy (Settings included in Domain Policies)

GPO Settings: Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy (Settings included in Domain Policies)

GPO Settings: Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy (Settings included in Domain Policies)

CCE ID CCE Description

CCE-3858-8 CCE-25

CCE-3748-1 CCE-899

CCE-3770-5 CCE-727

CCE-3809-1 CCE-24

CCE-3869-5 CCE-570

CCE-3785-3 CCE-204

CCE-3807-5 CCE-411

CCE-2879-5 CCE-816

CCE-3344-9 CCE-746

Old v4 CCE Id

CCE Parameters

The required auditing for %SystemDrive% directory should be enabled.

(1) set of accounts (2) events to audit (3) applicability

The required auditing for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be enabled.

(1) set of accounts (2) events to audit (3) applicability

The required auditing for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be enabled.

(1) set of accounts (2) events to audit (3) applicability

The required permissions for the directory %ProgramFiles% should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %ProgramFiles%\Resource Kit should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %ProgramFiles%\Resource Pro Kit should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemDrive% should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemDrive%\AUTOEXEC.BAT should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemDrive%\BOOT.INI should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-3864-6 CCE-987

CCE-3080-9 CCE-419

CCE-3873-7 CCE-120

CCE-3419-9 CCE-181

CCE-3763-0 CCE-868

CCE-3657-4 CCE-776

CCE-3697-0 CCE-714

CCE-3789-5 CCE-540

CCE-3560-0 CCE-602

The required permissions for the file %SystemDrive%\CONFIG.SYS should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemDrive%\Documents and Settings should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemDrive%\Documents and Settings\Administrator should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemDrive%\Documents and Settings\All Users should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson\drwtsn32.log should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemDrive%\Documents and Settings\Default User should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemDrive%\IO.SYS should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemDrive%\MSDOS.SYS should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-3335-7 CCE-399

CCE-3749-9 CCE-192

CCE-3771-3 CCE-561

CCE-2895-1 CCE-755

CCE-3686-3 CCE-341

CCE-3083-3 CCE-971

CCE-3105-4 CCE-645

CCE-3876-0 CCE-579

CCE-3519-6 CCE-505

CCE-3197-1 CCE-640

The required permissions for the file %SystemDrive%\NTBOOTDD.SYS should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemDrive%\NTDETECT.COM should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemDrive%\NTLDR should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemDrive%\Temp should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemDrive%\My Download Files should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemDrive%\System Volume Information should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot% should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\Driver Cache\I386\Driver.cab should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\$NtServicePackUninstall$ should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\$NtServicePackUninstall$ should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-3342-3 CCE-328

CCE-3505-5 CCE-134

CCE-3791-1 CCE-293

CCE-3192-2 CCE-94

CCE-3836-4 CCE-795

CCE-3091-6 CCE-248

CCE-3862-0 CCE-398

CCE-3867-9 CCE-155

CCE-3404-1 CCE-873

CCE-3052-8 CCE-67

CCE-3879-4 CCE-979

The required permissions for any of the %SystemRoot%\$NtUninstall* directories should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\CSC should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\Debug should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\Debug\UserMode should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\regedit.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemDrive%\NTDS should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\Offline Web Pages should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\Registration should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\repair should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\SYSVOL should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-3544-4 CCE-701

CCE-3408-2 CCE-380

CCE-3800-0 CCE-45

CCE-3571-7 CCE-600

CCE-3712-7 CCE-393

CCE-3716-8 CCE-197

CCE-3734-1 CCE-765

CCE-3641-8 CCE-334

CCE-3540-2 CCE-350

CCE-3831-5 CCE-361

The required permissions for the directory %SystemRoot%\SYSVOL\domain\Policies should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\Temp should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\System32 should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\System32\arp.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\at.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\CONFIG should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\CONFIG\AppEvent.evt should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\CONFIG\*.evt should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\System32\dllcache should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\System32\DTCLog should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-3745-7 CCE-789

CCE-3890-1 CCE-894

CCE-3784-6 CCE-821

CCE-3793-7 CCE-486

CCE-3815-8 CCE-997

CCE-3824-0 CCE-865

CCE-3595-6 CCE-89

CCE-3516-2 CCE-274

CCE-3520-4 CCE-353

CCE-3776-2 CCE-922

The required permissions for the directory %SystemRoot%\System32\GroupPolicy should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\System32\ias should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\Ntbackup.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\System32\NTMSData should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\Rcp.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\Regedt32.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\system32\ReinstallBackups should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\Rexec.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\Rsh.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\Secedit.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-3670-7 CCE-587

CCE-3340-7 CCE-326

CCE-3780-4 CCE-357

CCE-3423-1 CCE-291

CCE-3802-6 CCE-692

CCE-3079-1 CCE-322

CCE-3727-5 CCE-864

CCE-3493-4 CCE-364

CCE-3872-9 CCE-46

The required permissions for the directory %SystemRoot%\System32\Setup should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\System32\repl should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\System32\repl\export should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\System32\repl\import should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\System32\spool\Printers should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\Tasks should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %ALL%\Program Files\MQSeries should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %ALL%\Program Files\MQSeries\qmggr should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\HTML Help ACL should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-3656-6 CCE-447

CCE-2929-8 CCE-760

CCE-3308-4 CCE-279

CCE-3723-4 CCE-843

CCE-3868-7 CCE-253

CCE-3563-4 CCE-394

CCE-3691-3 CCE-240

CCE-3735-8 CCE-618

The required permissions for the directory %SystemDrive%\WINNT\SECURITY\Database\SECEDIT.SDB ACL should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_CLASSES_ROOT should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Regfile\Shell\Open\Command should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDE should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-3242-5 CCE-19

CCE-3374-6 CCE-790

CCE-3167-4 CCE-268

CCE-3533-7 CCE-321

CCE-2897-7 CCE-135

CCE-3839-8 CCE-558

CCE-3865-3 CCE-867

CCE-3513-9 CCE-545

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\clone should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset001 should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset002 should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-3896-8 CCE-289

CCE-3838-0 CCE-465

CCE-3750-7 CCE-254

CCE-3384-5 CCE-606

CCE-3680-6 CCE-694

CCE-3816-6 CCE-500

CCE-3318-3 CCE-809

CCE-3882-8 CCE-99

CCE-3521-2 CCE-934

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset003 should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset004 should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset005 should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset006 should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset007 should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset008 should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset009 should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset010 should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-2932-2 CCE-53

CCE-3651-7 CCE-269

CCE-3210-2 CCE-960

CCE-3466-0 CCE-330

CCE-2978-5 CCE-594

CCE-3957-8 CCE-127

CCE-3961-0 CCE-483

CCE-3732-5 CCE-796

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wmi\Security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers should

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities should

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_USERS\.DEFAULT should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\NetDDE should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-3737-4 CCE-845

CCE-3503-0 CCE-898 (1) set of accounts

CCE-3917-2 CCE-532 (1) set of accounts

CCE-3736-6 CCE-162 (1) set of accounts

CCE-3393-6 CCE-931 (1) set of accounts

CCE-3653-3 CCE-376 (1) set of accounts

CCE-3296-1 CCE-799 (1) set of accounts

CCE-3943-8 CCE-895 (1) set of accounts

CCE-3860-4 CCE-926 (1) set of accounts

CCE-3767-1 CCE-335 (1) set of accounts

CCE-3772-1 CCE-842 (1) set of accounts

The required permissions for the registry key HKEY_CLASSES_ROOT should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The "deny access to this computer from the network" user right should be assigned to the correct accounts.

The "access this computer from the network" user right should be assigned to the correct accounts.

The "act as part of the operating system" user right should be assigned to the correct accounts.

The "back up files and directories" user right should be assigned to the correct accounts.

The "bypass traverse checking" user right should be assigned to the correct accounts.

The "change the system time" user right should be assigned to the correct accounts.

The "create a pagefile" user right should be assigned to the correct accounts.

The "Create a token object" user right should be assigned to the correct accounts.

The "create permanent shared objects" user right should be assigned to the correct accounts.

The "debug programs" user right should be assigned to the correct accounts.

CCE-3904-0 CCE-754 (1) set of accounts

CCE-3811-7 CCE-939 (1) set of accounts

CCE-3688-9 CCE-807 (1) set of accounts

CCE-3630-1 CCE-349 (1) set of accounts

CCE-3798-6 CCE-860 (1) set of accounts

CCE-3317-5 CCE-749 (1) set of accounts

CCE-3965-1 CCE-177 (1) set of accounts

CCE-3877-8 CCE-216 (1) set of accounts

CCE-3238-3 CCE-965 (1) set of accounts

CCE-3507-1 CCE-850 (1) set of accounts

CCE-3903-2 CCE-17 (1) set of accounts

CCE-3926-3 CCE-260 (1) set of accounts

The "force shutdown from a remote system" user right should be assigned to the correct accounts.

The "generate security audits" user right should be assigned to the correct accounts.

The "adjust memory quotas for a process" user right should be assigned to the correct accounts.

The "increase scheduling priority" user right should be assigned to the correct accounts.

The "load and unload device drivers" user right should be assigned to the correct accounts.

The "lock pages in memory" user right should be assigned to the correct accounts.

The "log on as a batch job" user right should be assigned to the correct accounts.

The "log on as a service" user right should be assigned to the correct accounts.

The "log on locally" user right should be assigned to the correct accounts.

The "manage auditing and security log" user right should be assigned to the correct accounts.

The "modify firmware environment values" user right should be assigned to the correct accounts.

The "profile single process" user right should be assigned to the correct accounts.

CCE-3445-4 CCE-599 (1) set of accounts

CCE-3829-9 CCE-656 (1) set of accounts

CCE-3970-1 CCE-667 (1) set of accounts

CCE-3912-3 CCE-553 (1) set of accounts

CCE-3934-7 CCE-839 (1) set of accounts

CCE-3471-0 CCE-492 (1) set of accounts

CCE-3850-5 CCE-381 (1) set of accounts

CCE-3489-2 CCE-64 (1) set of accounts

CCE-3282-1 CCE-15 (1) set of accounts

CCE-3542-8 CCE-183 (1) set of accounts

CCE-3687-1 CCE-733

The "profile system performance" user right should be assigned to the correct accounts.

The "remove computer from docking station" user right should be assigned to the correct accounts.

The "replace a process-level token" user right should be assigned to the correct accounts.

The "restore files and directories" user right should be assigned to the correct accounts.

The "shut down the system" user right should be assigned to the correct accounts.

The "take ownership of files or other objects" user right should be assigned to the correct accounts.

The "synchronize directory service data" user right should be assigned to the correct accounts.

The "deny logon locally" user right should be assigned to the correct accounts.

The "enable computer and user accounts to be trusted for delegation" user right should be assigned to the correct accounts.

The "add workstations to domain" user right should be assigned to the correct accounts.

The "reset account lockout counter after" policy should meet minimum requirements.

(1) number of minutes

CCE-3960-2 CCE-980

CCE-3229-2 CCE-658

CCE-3859-6 CCE-2628 enabled/disabled

CCE-3881-0 CCE-2543 enabled/disabled

CCE-3753-1 CCE-2000 enabled/disabled

CCE-3885-1 CCE-1646 enabled/disabled

CCE-3907-3 CCE-1686 enabled/disabled

CCE-3678-0 CCE-1744 enabled/disabled

CCE-3313-4 CCE-2640 enabled/disabled

CCE-3846-3 CCE-1991 enabled/disabled

CCE-3366-2 CCE-2412 enabled/disabled

The "account lockout duration" policy should meet minimum requirements.

(1) number of minutes

The "account lockout threshold" policy should meet minimum requirements.

(1) number of attempts

Auditing of "account logon" events on success should be enabled or disabled as appropriate.

Auditing of "account logon" events on failure should be enabled or disabled as appropriate.

Auditing of "account management" events on success should be enabled or disabled as appropriate.

Auditing of "account management" events on failure should be enabled or disabled as appropriate.

Auditing of "logon" events on success should be enabled or disabled as appropriate.

Auditing of "logon" events on failure should be enabled or disabled as appropriate.

Auditing of "object access" events on success should be enabled or disabled as appropriate.

Auditing of "object access" events on failure should be enabled or disabled as appropriate.

Auditing of "policy change" events on success should be enabled or disabled as appropriate.

CCE-2995-9 CCE-2347 enabled/disabled

CCE-3779-6 CCE-2431 enabled/disabled

CCE-3925-5 CCE-2584 enabled/disabled

CCE-3215-1 CCE-2529 enabled/disabled

CCE-3911-5 CCE-2617 enabled/disabled

CCE-3792-9 CCE-2420 enabled/disabled

CCE-3937-0 CCE-1680 enabled/disabled

CCE-3959-4 CCE-396 (1) enabled/disabled

CCE-3470-2 CCE-916 (1) enabled/disabled

CCE-3880-2 CCE-299 (1) enabled/disabled

CCE-3775-4 CCE-185 (1) size of file

Auditing of "policy change" events on failure should be enabled or disabled as appropriate.

Auditing of "privilege use" events on success should be enabled or disabled as appropriate.

Auditing of "privilege use" events on failure should be enabled or disabled as appropriate.

Auditing of "process tracking" events on success should be enabled or disabled as appropriate.

Auditing of "process tracking" events on failure should be enabled or disabled as appropriate.

Auditing of "system" events on success should be enabled or disabled as appropriate.

Auditing of "system" events on failure should be enabled or disabled as appropriate.

The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.

The "Decoy Admin Account Not Disabled" policy should be set correctly.

The "restrict guest access to application log" policy should be set correctly.

The application log maximum size should be configured correctly.

CCE-3797-8 CCE-285 type of retention

CCE-3444-7 CCE-951 (1) number of days

CCE-3964-4 CCE-462 (1) enabled/disabled

CCE-3096-5 CCE-757 (1) size of file

CCE-3589-9 CCE-523 type of retention

CCE-3968-5 CCE-682 (1) number of days

CCE-3990-9 CCE-726 (1) enabled/disabled

CCE-3889-3 CCE-735 (1) size of file

CCE-3805-9 CCE-664 type of retention

The "when maximum log size is reached" property should be set correctly for the Application log.

If the Application log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.

The "restrict guest access to security log" policy should be set correctly.

The security log maximum size should be configured correctly.

The "when maximum log size is reached" property should be set correctly for the Security log.

If the Security log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.

The "restrict guest access to system log" policy should be set correctly.

The system log maximum size should be configured correctly.

The "when maximum log size is reached" property should be set correctly for the System log.

CCE-3823-2 CCE-210 (1) number of days

CCE-3827-3 CCE-871 (1) number of days

CCE-3224-3 CCE-324 (1) number of days

CCE-3228-4 CCE-100 (1) number of days

CCE-3986-7 CCE-514

CCE-3042-9 CCE-633 (1) enabled/disabled

CCE-3588-1 CCE-60

CCE-3852-1 CCE-479 (1) enabled/disabled

CCE-3372-0 CCE-487

CCE-3892-7 CCE-954

CCE-4041-0 CCE-294

If the System log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.

The "maximum password age" policy should meet minimum requirements.

The "minimum password age" policy should meet minimum requirements.

The "minimum password length" policy should meet minimum requirements.

The correct password filtering DLL should be installed.

(1) file name (2) version (3) file size (4) file hash

The "password must meet complexity requirements" policy should be set correctly.

The "enforce password history" policy should meet minimum requirements.

(1) number of passwords remembered

The "store password using reversible encryption for all users in the domain" policy should be set correctly.

The startup type of the Alerter service should be correct.

(1) disabled/manual/automatic

The startup type of the ClipBook service should be correct.

(1) disabled/manual/automatic

The startup type of the Computer Browser service should be correct.

(1) disabled/manual/automatic

CCE-3059-3 CCE-78

CCE-3830-7 CCE-712

CCE-3835-6 CCE-311

CCE-3738-2 CCE-729

CCE-4035-2 CCE-232

CCE-3554-3 CCE-672

CCE-3572-5 CCE-73

CCE-3973-5 CCE-223

CCE-3995-8 CCE-522

CCE-3515-4 CCE-531

The startup type of the Fax service should be correct.

(1) disabled/manual/automatic

The startup type of the FTP Publishing service should be correct.

(1) disabled/manual/automatic

The startup type of the IIS Admin service should be correct.

(1) disabled/manual/automatic

The startup type of the Messenger service should be correct.

(1) disabled/manual/automatic

The startup type of the NetMeeting Remote Desktop Sharing service should be correct.

(1) disabled/manual/automatic

The startup type of the Internet Connection Sharing service should be correct.

(1) disabled/manual/automatic

The startup type of the Remote Registry service should be correct.

(1) disabled/manual/automatic

The startup type of the Routing and Remote Access service should be correct.

(1) disabled/manual/automatic

The startup type of the Remote Shell service should be correct.

(1) disabled/manual/automatic

The startup type of the Simple TCP/IP service should be correct.

(1) disabled/manual/automatic

CCE-3643-4 CCE-870

CCE-3524-6 CCE-975

CCE-3819-0 CCE-892

CCE-3951-1 CCE-75

CCE-3722-6 CCE-758

CCE-3634-3 CCE-559

CCE-3721-8 CCE-445

CCE-3069-2 CCE-115

CCE-3898-4 CCE-109

CCE-3418-1 CCE-407

CCE-3938-8 CCE-310 (1) enabled/disabled

The startup type of the Simple Mail Transport Protocol (SMTP) service should be correct.

(1) disabled/manual/automatic

The startup type of the SNMP Service service should be correct.

(1) disabled/manual/automatic

The startup type of the SNMP Trap Service service should be correct.

(1) disabled/manual/automatic

The startup type of the Telnet service should be correct.

(1) disabled/manual/automatic

The startup type of the World Wide Web Publishing service should be correct.

(1) disabled/manual/automatic

The startup type of the Automatic Update service should be correct.

(1) disabled/manual/automatic

The startup type of the Background Intelligent Transfer Service (BITS) service should be correct.

(1) disabled/manual/automatic

The startup type of the Print Services for Unix service should be correct.

(1) disabled/manual/automatic

The correct service permissions for the Printer service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the Task Scheduler service should be assigned.

(1) set of accounts (2) list of permissions

The "Additional restrictions for anonymous connections" policy should be set correctly.

CCE-3837-2 CCE-195

CCE-3982-6 CCE-653

CCE-4004-8 CCE-464 (1) enabled/disabled

CCE-3766-3 CCE-332 (1) enabled/disabled

CCE-3669-9 CCE-23 (1) text caption

CCE-4012-1 CCE-829 (1) text statement

CCE-3893-5 CCE-512 (1) allowed/removed

CCE-4039-4 CCE-243 (1) enabled/disabled

CCE-3559-2 CCE-283 (1) enabled/disabled

CCE-4061-8 CCE-137 (1) enabled/disabled

CCE-3726-7 CCE-44 (1) enabled/disabled

CCE-3871-1 CCE-36 (1) enabled/disabled

The behavior surrounding Anonymous users' ability to display lists of SAM accounts and shares should be correct.

(1) restricted/unrestricted

The "Anonymous access to the security event log" policy should be set correctly.

(1) exist/not exist (2) enabled/disabled

The "Anonymous access to the registry" policy should be set correctly.

Use of the built-in Guest account should be enabled or disabled as appropriate.

The "Message title for users attempting to log on" policy should be set correctly.

The "Message text for users attempting to log on" policy should be set correctly.

Administrative Shares should be properly configured.

Automatic Execution of the System Debugger should be properly configured.

Automatic Logon should be properly configured.

Automatic Reboot After System Crash should be properly configured.

Autoplay on all Drive Types should be properly configured.

Autoplay for Current User should be properly configured.

CCE-3528-7 CCE-820 (1) enabled/disabled

CCE-3555-0 CCE-344 (1) enabled/disabled

CCE-3682-2 CCE-282 (1) enabled/ignored

CCE-3704-4 CCE-150 (1) enabled/ignored

CCE-3915-6 CCE-564 (1) enabled/disabled

CCE-4065-9 CCE-952 (1) enabled/disabled

CCE-3942-0 CCE-501 (1) enabled/disabled

CCE-3981-8 CCE-536 (1) enabled/disabled

CCE-3646-7 CCE-65 (1) enabled/disabled

CCE-3920-6 CCE-544 (1) enabled/disabled

CCE-3095-7 CCE-580 (1) enabled/disabled

CCE-3972-7 CCE-236 (1) visible/invisible

Autoplay for Default User should be properly configured.

CD-ROM Autorun should be properly configured.

Computer Browser ResetBrowser Frames should be properly configured.

ICMP Redirects should be properly configured.

IP Source Routing should be properly configured.

IRDP should be properly configured.

Kerberos and RSVP Traffic Protected by IPSec should be properly configured.

Dr. Watson Crash Dumps should be properly configured.

Display Last User Name in Logon Screen should be properly configured.

File System Checker and Popups should be properly configured.

System File Checker should be properly configured.

System File Checker Progress Meter should be properly configured.

CCE-3620-2 CCE-139 (1) available/hidden

CCE-3884-4 CCE-897 (1) enabled/disabled

CCE-3600-4 CCE-188

CCE-3878-6 CCE-333

CCE-4027-9 CCE-751

CCE-3922-2 CCE-817 (1) enabled/disabled

CCE-3939-6 CCE-998 (1) enabled/disabled

CCE-4085-7 CCE-284 (1) enabled/disabled

CCE-3948-7 CCE-112 (1) security level

CCE-3966-9 CCE-125 (1) warning level

CCE-4010-5 CCE-156 (1) enabled/disabled

CCE-3900-8 CCE-601 (1) enabled/disabled

System availability to Master Browser should be properly configured.

TCP/IP Dead Gateway Detection should be properly configured.

The TCP/IP KeepAlive Time should be set correctly.

(1) number of milliseconds

The permitted number of TCP/IP Maximum Half-open Sockets should be set correctly.

(1) number of sockets

The permitted number of TCP/IP Maximum Retried Half-open Sockets should be set correctly.

(1) number of sockets

TCP/IP NetBIOS Name Release on Request Prevented should be properly configured.

TCP/IP PMTU Discovery should be properly configured.

TCP/IP SYN Flood Attack Protection should be properly configured.

Protect Kernel object attributes should be properly configured.

Security Audit log warning level should be properly configured.

Disable saving of dial-up passwords should be properly configured.

The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.

CCE-4063-4 CCE-614 (1) enabled/disabled

CCE-4005-5 CCE-257 (1) enabled/disabled

CCE-3899-2 CCE-438 (1) valid names

CCE-4045-1 CCE-834 (1) valid names

CCE-3921-4 CCE-222

CCE-4049-3 CCE-2 (1) enabled/disabled

CCE-3476-9 CCE-905 (1) enabled/disabled

CCE-3886-9 CCE-133 (1) enabled/disabled

CCE-4014-7 CCE-719

CCE-3908-1 CCE-275

CCE-3675-6 CCE-402 (1) enabled/disabled

The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.

The "Allow Server Operators to Schedule Tasks" policy should be set correctly.

The built-in Administrator account should be correctly named.

The built-in Guest account should be correctly named.

The amount of idle time required before disconnecting a session should be set correctly.

(1) number of minutes

The "Audit the access of global system objects" policy should be set correctly.

The "Audit the use of backup and restore privilege" policy should be set correctly.

The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly.

The "LAN Manager Authentication Level" policy should be set correctly.

(1) authentication level

The "Send LanMan compatible password" setting should be configured correctly.

The "Prevent Users from Installing Printer Drivers" policy should be set correctly.

CCE-4067-5 CCE-410 (1) enabled/disabled

CCE-3463-7 CCE-76 (1) enabled/disabled

CCE-3529-5 CCE-565 (1) enabled/disabled

CCE-3185-6 CCE-463 (1) enabled/disabled

CCE-3956-0 CCE-508 (1) enabled/disabled

CCE-3978-4 CCE-417 (1) enabled/disabled

CCE-3392-8 CCE-228 (1) enabled/disabled

CCE-3648-3 CCE-413 (1) behavior

CCE-3401-7 CCE-307 (1) behavior

CCE-3098-1 CCE-814

The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly.

The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly.

The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly.

The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly.

The "Strengthen Default Permissions of Global System Objects" policy should be set correctly.

The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly.

The "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly.

The "Unsigned Driver Installation Behavior" policy should be set correctly.

The "Unsigned Non-Driver Installation Behavior" policy should be set correctly.

The "Users Prompted to Change Password Before Expiration" policy should be set correctly.

(1) number of days prior to expiration

CCE-4070-9 CCE-92 (1) enabled/disabled

CCE-3629-3 CCE-224 (1) enabled/disabled

CCE-3813-3 CCE-360 (1) enabled/disabled

CCE-3333-2 CCE-422 (1) enabled/disabled

CCE-3747-3 CCE-576 (1) enabled/disabled

CCE-3994-1 CCE-519 (1) enabled/disabled

CCE-3783-8 CCE-171 (1) enabled/disabled

CCE-3928-9 CCE-104 (1) enabled/disabled

CCE-3545-1 CCE-773

CCE-4069-1 CCE-919 (1) Group(s)

The "Shut Down system immediately if unable to log security audits" policy should be set correctly.

The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.

The "Automatically Log Off Users When Logon Time Expires (local)" policy should be set correctly.

The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly.

The "Digitally Sign Client Communication (Always)" policy should be set correctly.

The "Digitally Sign Client Communication (When Possible)" policy should be set correctly.

The "Digitally Sign Server Communication (Always)" policy should be set correctly.

The "Digitally Sign Server Communication (When Possible)" policy should be set correctly.

The "Number of Previous Logons to Cache" policy should be set correctly.

(1) number of logons

The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly.

CCE-3607-9 CCE-549 (1) enabled/disabled

CCE-3849-7 CCE-161 (1) enabled/disabled

CCE-4025-3 CCE-918 (1) enabled/disabled

CCE-3596-4 CCE-443 (1) behavior

CCE-3145-0 CCE-831 (1) enabled/disabled

CCE-3947-9 CCE-621

CCE-3863-8 CCE-546 (1) enabled/disabled

CCE-4008-9 CCE-764 (1) enabled/disabled

CCE-4000-6 CCE-830 (1) time in seconds

CCE-4145-9 CCE-949 (1) enabled/disabled

CCE-3149-2 CCE-742 (1) enabled/disabled

CCE-3152-6 CCE-736 (1) enabled/disabled

The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly.

The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.

The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.

The "Smart Card Removal Behavior" policy should be set correctly.

The "Prevent System Maintenance of Computer Account Password" policy should be set correctly.

Local volumes should be formatted correctly.

(1) type of formatting

Unused USB Ports should be enabled or disabled as appropriate.

The "Current user screensaver" policy should be set correctly.

The "Current user screensaver timeout" policy should be set correctly.

The "Current user screensaver secure" policy should be set correctly.

The "Current user screensaver active" policy should be set correctly.

The "Always Install with Elevated Privileges" policy should be set correctly.

CCE-4108-7 CCE-261 (1) enabled/disabled

CCE-3861-2 CCE-415 (1) enabled/disabled

CCE-3931-3 CCE-794 (1) enabled/disabled

CCE-4094-9 CCE-107 (1) enabled/disabled

CCE-4116-0 CCE-256 (1) enabled/disabled

CCE-3980-0 CCE-662 (1) enabled/disabled

CCE-4002-2 CCE-424 (1) enabled/disabled

CCE-4033-7 CCE-525 (1) enabled/disabled

CCE-4055-0 CCE-785 (1) enabled/disabled

CCE-3451-2 CCE-578 (1) enabled/disabled

The "Set Safe for Scripting" policy should be set correctly.

The "Enable User Control Over Installs" policy should be set correctly.

The "Enable User to Browser for Source While Elevated" policy should be set correctly.

The "Enable User to Use Media Source While Elevated" policy should be set correctly.

The "Allow Administrator to Install from Terminal Services Session" policy should be set correctly.

The "Enable User to Patch Elevated Products" policy should be set correctly.

The "Cache Transforms in Secure Location" policy should be set correctly.

Internet access for Windows Messenger should be configured correctly.

The "Hide Property Pages" policy should be set correctly for the Task Scheduler.

The "Prohibit New Task Creation" policy should be set correctly for the Task Scheduler.

CCE-3971-9 CCE-5 (1) enabled/disabled

CCE-4117-8 CCE-146 (1) enabled/disabled

CCE-3874-5 CCE-212 (1) enabled/disabled

CCE-3517-0 CCE-622 (1) enabled/disabled

The "Security Zones: Use Only Machine Settings" setting should be configured correctly.

The "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly.

The "Disable Periodic Check For Internet Explorer Software Updates" setting should be configured correctly.

The "Disable Software Update Shell Notifications on Program Launch" setting should be configured correctly.

CCE-3962-8 CCE-684 (1) enabled/disabled

CCE-4125-1 CCE-693

CCE-4019-6 CCE-833 (1) enabled/disabled

CCE-4812-4 CCE-10

CCE-5236-5 CCE-2118 enabled/disabled

CCE-4719-1 CCE-2390 enabled/disabled

CCE-4874-4 CCE-1001

CCE-4777-9 CCE-1298

CCE-4156-6 CCE-165 (1) set of accounts

The "Disable Automatic Install of Internet Explorer Components" setting should be configured correctly.

The "Make Proxy Settings Per-Machine (Rather Than Per-User)" setting should be configured correctly.

(1) number of proxy settings

The "Security Zones: Do Not Allow Users to Change Policies" setting should be configured correctly.

DEPRECATED in favor of CCE-5236-5, CCE-4719-1.

Auditing of "directory service access" events on success should be enabled or disabled as appropriate.

Auditing of "directory service access" events on failure should be enabled or disabled as appropriate.

The Smart Card Helper service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The License Logging service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The "deny logon as a batch job" user right should be assigned to the correct accounts.

CCE-4825-6 CCE-167

CCE-4720-9 CCE-1786

CCE-4848-8 CCE-1984 enabled/disabled

CCE-4729-0 CCE-2166

CCE-4495-8 CCE-217

CCE-4768-8 CCE-828 enabled/disabled

CCE-4253-1 CCE-2258

CCE-4539-3 CCE-267

CCE-4786-0 CCE-278 (1) enabled/disabled

CCE-4447-9 CCE-303

CCE-4332-3 CCE-304 (1) set of accounts

The Application Management service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Resultant Set of Policy (RSoP) Provider Service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

Use of the Recycle Bin on file deletion should be enabled or disabled as appropriate.

The Network News Transport Protocol (NNTP) service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Network Dynamic Data Exchange (DDE) service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The "Interactive logon: Require smart card" setting should be configured correctly.

The Distributed Link Tracking Server service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The startup type of the Remote Access Auto connection Manager service should be correct.

(1) disabled/manual/automatic

The "Disconnect clients when logon hours expire" policy should be set correctly.

The Distributed Transaction Coordinator service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The "Impersonate a client after authentication" user right should be assigned to the correct accounts.

CCE-4830-6 CCE-340

CCE-4751-4 CCE-366

CCE-4645-8 CCE-227 enabled/disabled

CCE-4750-6 CCE-37 (1) number of hours

CCE-4865-2 CCE-6

CCE-4684-7 CCE-33 (1) number of days

CCE-4715-9 CCE-588

CCE-4790-2 CCE-383 (1) set of accounts

CCE-4667-2 CCE-40

CCE-4882-7 CCE-428

CCE-4799-3 CCE-458

CCE-4195-4

CCE-4235-8 CCE-597 (1) set of accounts

The required permissions for the file %SystemRoot%\System32\runas.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The Uninterruptible Power Supply service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The "Enforce user logon restrictions" policy should be set correctly.

The "Maximum User Ticket Lifetime" policy should be set correctly.

The "Maximum Service Ticket Lifetime" policy should be set correctly.

(1) number of minutes

The "Maximum User Renewal Lifetime" policy should be set correctly.

The "Maximum tolerance for computer clock synchronization" policy should be set correctly.

(1) number of minutes

The "Create global objects" user right should be assigned to the correct accounts.

The startup type of the Task Scheduler service should be correct.

(1) disabled/manual/automatic

The Telephony service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The "DCOM: Machine access Restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly.

The DHCP Server service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The "deny logon as a service" user right should be assigned to the correct accounts.

CCE-4244-0 CCE-604

CCE-4764-7 CCE-650

CCE-4803-3 CCE-651

CCE-4794-4 CCE-738

CCE-4689-6 CCE-740

CCE-4779-5 CCE-750

CCE-4801-7 CCE-768

CCE-4453-7

CCE-4096-4 CCE-98

CCE-4003-0 CCE-990 (1) list of accounts

The Wireless Zero Configuration service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The startup type of the .NET Framework service should be correct.

(1) disabled/manual/automatic

The Distributed Link Tracking Client service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The startup type of the Indexing service should be correct.

(1) disabled/manual/automatic

The "DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax" security option should be set correctly.

The Remote Access Connection Manager service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Network DDE DDE Share Database Manager (DSDM) service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Certificate Services service should be enabled or disabled as appropriate.

The Smart Card service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

Membership in the Power Users group should be assigned to the appropriate accounts.

CCE Technical Mechanisms

(1) defined by the object's SACL

(1) defined by the object's SACL

(1) defined by the object's SACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the SeDenyNetworkLogonRight setting in Local or Group Policy

(1) defined by the SeNetworkLogonRight setting in Local or Group Policy

(1) defined by the SeTcbPrivilege setting in Local or Group Policy

(1) defined by the SeBackupPrivilege setting in Local or Group Policy

(1) defined by the SeChangeNotifyPrivilege setting in Local or Group Policy

(1) defined by the SeSystemTimePrivilege setting in Local or Group Policy

(1) defined by the SeCreatePagefilePrivilege setting in Local or Group Policy

(1) defined by the SeCreateTokenPrivilege setting in Local or Group Policy

(1) defined by the SeCreatePermanentPrivilege setting in Local or Group Policy

(1) defined by the SeDebugPrivilege setting in Local or Group Policy

(1) defined by the SeRemoteShutdownPrivilege setting in Local or Group Policy

(1) defined by the SeAuditPrivilege setting in Local or Group Policy

(1) defined by the SeIncreaseQuotaPrivilege setting in Local or Group Policy

(1) defined by the SeIncreaseBasePriorityPrivilege setting in Local or Group Policy

(1) defined by the SeLoadDriverPrivilege setting in Local or Group Policy

(1) defined by the SeLockMemoryPrivilege setting in Local or Group Policy

(1) defined by the SeBatchLogonRight setting in Local or Group Policy

(1) defined by the SeServiceLogonRight setting in Local or Group Policy

(1) defined by the SeInteractiveLogonRight setting in Local or Group Policy

(1) defined by the SeSecurityPrivilege setting in Local or Group Policy

(1) defined by the SeSystemEnvironmentPrivilege setting in Local or Group Policy

(1) defined by the SeProfileSingleProcessPrivilege setting in Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by the SeSystemProfilePrivilege setting in Local or Group Policy

(1) defined by the SeUndockPrivilege setting in Local or Group Policy

(1) defined by the SeAssignPrimaryTokenPrivilege setting in Local or Group Policy

(1) defined by the SeRestorePrivilege setting in Local or Group Policy

(1) defined by the SeShutdownPrivilege setting in Local or Group Policy

(1) defined by the SeTakeOwnershipPrivilege setting in Local or Group Policy

(1) defined by the SeSynchAgentPrivilege setting in Local or Group Policy

(1) defined by the SeDenyInteractiveLogonRight setting in Local or Group Policy

(1) defined by the SeEnableDelegationPrivilege setting in Local or Group Policy

(1) defined by the SeMachineAccountPrivilege setting in Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy

(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\MaxSize

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\RestrictGuestAccess (2) defined by Group Policy

(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MaxSize

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\RestrictGuestAccess (2) defined by Group Policy

(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\MaxSize

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) determined by the local filesystem

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RshSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SIMPTCP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) Local Users and Groups MMC

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

(1) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

(1) HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDrom\Autorun

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\CreateCrashDump

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCShowProgress

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\EnhancedSecurityLevel

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\WarningLevel

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\DisableSavePassword

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel Parameters: (1) level

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers (2) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing\Policy (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning (2) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD (2) defined by Local or Group Policy

(1) Disk Management MMC

(1) ?

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange (2) defined by Local or Group Policy

(1) HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\SafeForScripting\

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableUserControl

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownBrowse

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownMedia

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableAdminTSRemote

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownPatch

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\TransformSecure

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\{9b017612-c9f1-11d2-8d9f-0000f875c541}\Disabled (2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MessengerService

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Property Pages

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Task Creation

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Use_HKLM_only Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_Zones_Map_Edit Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_zones_map_edit

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoUpdateCheck Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoUpdateCheck

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe

(1) via auditpol

(1) via auditpol

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoJITSetup,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoJITSetup

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) defined by the SeDenyBatchLogonRight setting in Local or Group Policy

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\NukeOnDelete

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) defined by the Services Administrative Tool (2) defined by Group Policy HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SCForceOption

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff (2) defined by Local or Group Policy

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) defined by the object's DACL

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) defined by the SeDenyServiceLogonRight setting in Local or Group Policy

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) defined by the Services Administrative Tool (2) defined by Group Policy

(1) defined by the Services Administrative Tool (2) defined by Group Policy

CIS W2K Server Level 2 Benchmark v2.2.1

4.4.3.1 %System Drive% - Everyone: Failures (this folder, propagate inheritable permissions to all subfolders and files)

4.4.3.2 HKLM\Software – Everyone: Failures (this key, propagate inheritable permission to all subkeys)

4.4.3.3 HKLM\System – Everyone: Failures (this key, propagate inheritable permission to all subkeys)

4.4.1.15 %ProgramFiles% - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List

4.4.1.16 %Program Files%\Resource Kit – Administrators: Full; System: Full

4.4.1.17 %Program Files%\Resource Pro Kit – Administrators: Full; System: Full

4.4.1.1 %SystemDrive%\ - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List

4.4.1.2 %SystemDrive%\autoexec.bat - Administrator: Full; System: Full

4.4.1.3 %SystemDrive%\boot.ini – Administrators: Full; System: Full

4.4.1.4 %SystemDrive%\config.sys - Administrators: Full; System: Full

?

4.4.1.5 %SystemDrive%\io.sys - Administrators: Full; System: Full

4.4.1.10 %SystemDrive%\Documents and Settings - Administrators: Full; System: Full; Users: Read and Execute, List

4.4.1.11 %SystemDrive%\Documents and Settings\Administrator - Administrators: Full; System: Full

4.4.1.12 %SystemDrive%\Documents and Settings\All Users – Administrators: Full; System: Full; Users: Read and Execute, List

4.4.1.13 %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson – Administrators: Full; System: Full; Creator Owner: Full; Users: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions (This folder, subfolders, and files); Users: Traverse Folder/Execute Files, Create Files/Write Data, Create Folder/Append Data (Subfolders and files only)

4.4.1.14 %SystemDrive%\Documents and Settings\Default User - Administrators: Full; System: Full; Users: Read and Execute, List

4.4.1.6 %SystemDrive%\msdos.sys - Administrators: Full; System: Full

?

?

4.4.1.7 %SystemDrive%\ntbootdd.sys - Administrators: Full; System: Full

4.4.1.8 %SystemDrive%\ntdetect.com – Administrators: Full; System: Full

4.4.1.9 %SystemDrive%\ntldr - Administrators: Full; System: Full

4.4.1.47 %SystemDrive%\System Volume Information – (Do not allow permissions on this folder to be replaced)

4.4.1.18 %SystemRoot% – Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List

4.4.1.18 %SystemRoot% – Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List

4.4.1.19 %SystemRoot%\$NtServicePackUninstall$ – Administrators: Full; System: Full

?

?

?

4.4.1.20 %SystemRoot%\CSC – Administrators: Full; System: Full

4.4.1.21 %SystemRoot%\Debug - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List

4.4.1.22 %SystemRoot%\Debug\UserMode - Administrators: Full; System: Full; Users: Traverse Folder/Execute File, List folder/Read data, Create files/Write data (This folder, only); Create files/Write data, Create folders/Append data (Files only)

4.4.1.31 %SystemRoot%\regedit.exe – Administrators: Full; System: Full

4.4.1.23 %SystemRoot%\Offline Web Pages – Ignore Parent Permission Changes

4.4.1.24 %SystemRoot%\Registration - Administrators: Full; System: Full; Users: Read

4.4.1.25 %SystemRoot%\repair - Administrators: Full; System: Full

4.4.1.26 %SystemRoot%\security - Administrators: Full; System: Full; Creator Owner: Full

?

?

?

?

4.4.1.27 %SystemRoot%\system32 - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List

4.4.1.36 %SystemRoot%\system32\appmgmt – Administrators: Full; System: Full; Users: Read and Execute, List

4.4.1.28 %SystemRoot%\system32\at.exe – Administrators: Full; System: Full

4.4.1.37 %SystemRoot%\system32\config – Administrators: Full; System: Full

4.4.1.38 %SystemRoot%\system32\dllcache – Administrators: Full; System: Full; Creator Owner: Full

4.4.1.39 %SystemRoot%\system32\DTCLog - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List

4.4.1.40 %SystemRoot%\system32\Group Policy - Administrators: Full; System: Full; Authenticated Users: Read and Execute, List

4.4.1.41 %SystemRoot%\system32\ias - Administrators: Full; System: Full; Creator Owner: Full

4.4.1.29 %SystemRoot%\system32\Ntbackup.exe – Administrators: Full; System: Full

4.4.1.42 %SystemRoot%\system32\NTMSData – Administrators: Full; System: Full

4.4.1.30 %SystemRoot%\system32\rcp.exe – Administrators: Full; System: Full

4.4.1.32 %SystemRoot%\system32\regedt32.exe – Administrators: Full; System: Full

4.4.1.43 %SystemRoot%\system32\reinstallbackups – Administrators: Full; System: Full; Creator Owner: Full; Power Users: Read and Execute, List

4.4.1.33 %SystemRoot%\system32\rexec.exe – Administrators: Full; System: Full

4.4.1.34 %SystemRoot%\system32\rsh.exe – Administrators: Full; System: Full

4.4.1.35 %SystemRoot%\system32\secedit.exe – Administrators: Full; System: Full

?

?

?

?

?

4.4.1.44 %SystemRoot%\system32\Setup – Administrators: Full; System: Full; Users: Read and Execute, List

4.4.1.45 %SystemRoot%\system32\spool\printers – Administrators: Full; System: Full; Creator Owner: Full; Users: Traverse Folder, Execute File, Read, Read Extended Attributes, Create folders, Append Data

4.4.1.46 %SystemRoot%\Tasks - (Do not allow permissions on this folder to be replaced)

?

?

4.4.2.2 HKLM\Software – Administrators Full; System: Full; Creator Owner: Full; Users: Read

4.4.2.1 HKLM\Software\Classes - Administrators: Full; System: Full; Creator Owner: Full; Users: Read

4.4.2.3 HKLM\Software\Microsoft\Net DDE – Administrators: Full; System: Full

4.4.2.4 HKLM\Software\Microsoft\OS/2 Subsystem for NT – Administrators: Full; System: Full; Creator Owner: Full

4.4.2.5 HKLM\Software\Microsoft\Windows NT\CurrentVersion\AsrCommands – Administrators: Full; System: Full; Creator Owner: Full; Users: Read; Backup Operators: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Delete, Read (this key and subkeys)

4.4.2.6 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib – Administrators: Full; System: Full; Creator Owner: Full; Interactive: Read (this key and subkeys)

4.4.2.7 HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy - Administrators: Full; System: Full; Authenticated Users: Read

4.4.2.8 HKLM\Software\Microsoft\Windows\CurrentVersion\Installer - Administrators Full; System: Full; Users: Read

4.4.2.9 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies - Administrators: Full; System: Full; Authenticated Users: Read

4.4.2.10 HKLM\System - Administrators Full; System: Full; Creator Owner: Full; Users: Read

4.4.2.11 HKLM\System\Clone – Allow inheritable permissions to propagate to this object

4.4.2.12 HKLM\System\ControlSet001 - Administrators Full; System: Full; Creator Owner: Full; Users: Read

4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read

4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read

4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read

4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read

4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read

4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read

4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read

4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read

4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read

4.4.2.14 HKLM\System\CurrentControlSet\Control\SecurePipeServers\WinReg – Administrators: Full

4.4.2.15 HKLM\System\CurrentControlSet\Control\WMI\Security – Administrators: Full; System: Full; Creator Owner: Full (this key and subkeys)

4.4.2.16 HKLM\System\CurrentControlSet\Enum - (Do not allow permissions on this key to be replaced)

4.4.2.17 HKLM\System\CurrentControlSet\Hardware Profiles – Administrators Full; System: Full; Creator Owner: Full; Users: Read

4.4.2.18 HKLM\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers - Administrators Full; System: Full; Creator Owner: Full

4.4.2.19 HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities - Administrators Full; System: Full; Creator Owner: Full

4.4.2.20 HKU\.Default - Administrators Full; System: Full; Creator Owner: Full; Users: Read

4.4.2.21 HKU\.Default\Software\Microsoft\NetDDE - Administrators Full; System: Full

4.4.2.22 HKU\.Default\Software\Microsoft\Protected Storage System Provider – No entries

?

4.2.11 Deny access to this computer from the network: Guests

4.2.2 Act as part of the operating system: None

4.2.4 Back up files and directories: Administrators

4.2.5 Bypass traverse checking: Users

4.2.6 Change the system time: Administrators

4.2.7 Create a pagefile: Administrators

4.2.8 Create a token object: None

4.2.9 Create permanent shared objects: None

4.2.10 Debug Programs: None

4.2.1 Access this computer from the network: Users, Administrators (or none)

4.2.16 Force shutdown from a remote system: Administrators

4.2.17 Generate security audits: None

4.2.18 Increase quotas: Administrators

4.2.19 Increase scheduling priority: Administrators

4.2.20 Load and unload device drivers: Administrators

4.2.21 Lock pages in memory: None

4.2.22 Log on as a batch job: None

4.2.23 Log on as a service: None

4.2.25 Manage auditing and security log: Administrators

4.2.26 Modify firmware environment values: Administrators

4.2.27 Profile single process: Administrators

4.2.24 Log on locally: Users, Administrators (further restriction allowable)

4.2.28 Profile system performance: Administrators

4.2.29 Remove computer from docking station: Users, Administrators

4.2.30 Replace a process level token: None

4.2.31 Restore files and directories: Administrators

4.2.32 Shut down the system: Users, Administrators

4.2.34 Take ownership of file or other objects: Administrators

4.2.33 Synchronize directory service data: Not Applicable

4.2.3 Add workstations to domain: Not applicable

Reset Account Lockout After: 15 Minutes (minimum)

4.2.14 Deny logon locally: None by default (others allowable as appropriate)

4.2.15 Enable computer and user accounts to be trusted for delegation: Not Applicable

Account Lockout Duration: 15 Minutes (minimum)

Account Lockout Threshold: 3 Bad Login Attempts (maximum)

Audit Account Logon Events: Success and Failure

Audit Account Logon Events: Success and Failure

Audit Account Management: Success and Failure

Audit Account Management: Success and Failure

Audit Logon Events: Success and Failure

Audit Logon Events: Success and Failure

Audit Object Access: Failure (minimum)

Audit Object Access: Failure (minimum)

Audit Policy Change: Failure (minimum)

Audit Policy Change: Failure (minimum)

Audit Privilege Use: Failure (minimum)

Audit Privilege Use: Failure (minimum)

Audit Process Tracking: Not Defined

Audit Process Tracking: Not Defined

Audit System Events: Success and Failure

Audit System Events: Success and Failure

Allow System to be Shut Down Without Having to Log On?

Application Log: Restrict Guest Access to Logs: Enabled

Application Log: Maximum Event Log Size: 80 Mb (minimum)

Security Log: Restrict Guest Access to Logs: Enabled

Security Log: Maximum Event Log Size: 80 Mb (minimum)

Security Log: Log Retention Method: “Overwrite Events As Needed”

System Log: Restrict Guest Access to Logs: Enabled

System Log: Maximum Event Log Size: 80 Mb (minimum)

System Log: Log Retention Method: “Overwrite Events As Needed”

Application Log: Log Retention Method: “Overwrite Events As Needed”

All passwords are no more than 90 days old (maximum).

Minimum Password Age: 1 day

All passwords are at least 8 characters long (minimum).?

Password Complexity: Enabled

Password History: 24 Passwords Remembered

Store Passwords using Reversible Encryption: Disabled

4.1.1 Alerter – Disabled

4.1.2 Clipbook – Disabled

4.1.3 Computer Browser – Disabled

4.1.4 Fax Service – Disabled

4.1.5 FTP Publishing Service – Disabled

4.1.6 IIS Admin Service – Disabled

4.1.8 Messenger – Disabled

4.1.9 NetMeeting Remote Desktop Sharing – Disabled

4.1.7 Internet Connection Sharing – Disabled

4.1.10 Remote Registry Service – Disabled

4.1.11 Routing and Remote Access – Disabled?

?

4.1.12 Simple Mail Transfer Protocol (SMTP) – Disabled

4.1.15 Telnet – Disabled

4.1.16 World Wide Web Publishing Services – Disabled

4.1.17 Automatic Updates – Not Defined

4.1.18 Background Intelligent Transfer Service – Not Defined

?

4.1.13 Simple Network Management Protocol (SNMP) Service – Disabled

4.1.14 Simple Network Management Protocol (SNMP) Trap – Disabled

Additional Restrictions for Anonymous Connections: “No Access Without Explicit Anonymous Permissions”

?

?

?

Message Title for Users Attempting to Log On: “Warning:” or custom title.

Message Text for Users Attempting to Log On: Custom Message or “This

Remove administrative shares on workstation (Professional): HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks (REG_DWORD) 0

Disable Automatic Execution of the System Debugger: HKLM\Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto (REG_DWORD) 0

Disable Automatic Logon: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon (REG_DWORD) 0

Disable automatic reboots after a Blue Screen of Death: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot (REG_DWORD) 0

Disable autoplay from any disk type, regardless of application: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255

Disable autoplay for current user: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255

Disable autoplay for new users by default: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) Not Defined

Disable CD Autorun: HKLM\System\CurrentControlSet\Services\CDrom\Autorun (REG_DWORD) 0

Protect against Computer Browser Spoofing Attacks: HKLM\System\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset (REG_DWORD) 1

Ensure ICMP Routing via shortest path first: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect (REG_DWORD) 0

Protect against source-routing spoofing: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting (REG_DWORD) 2

Ensure Router Discovery is Disabled: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery (REG_DWORD) 0

Enable IPSec to protect Kerberos RSVP Traffic: HKLM\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt (REG_DWORD) 1

Suppress Dr. Watson Crash Dumps: HKLM\Software\Microsoft\DrWatson\CreateCrashDump (REG_DWORD) 0

Don’t display username of last successful logon at the logon screen: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName (REG_SZ) Not Defined; 3.2.1.15 Do Not Display Last User Name in Logon Screen: Enabled

Enable the File System Checker and Disable Popups: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable (REG_DWORD) Not Defined

Enable the System File Checker to verify all operating system files at boot time: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan (REG_DWORD) Not Defined. Note: Due to the processor-intensive nature of the System File Checker, it is no longer required on startup.

Do not show the System File Checker progress meter: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCShowProgress (REG_DWORD) Not Defined

3.2.2.24 Do not announce this computer to domain master browsers: HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden (REG_DWORD) 1

Protect the Default Gateway network setting: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect (REG_DWORD) 0

Manage Keep-alive times: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime (REG_DWORD) 300000

SYN Attack protection – Manage TCP Maximum half-open sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen (REG_DWORD) 100

SYN Attack protection – Manage TCP Maximum half-open retired sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetired (REG_DWORD) 80

Protect Against Malicious Name-Release Attacks: HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand (REG_DWORD) 1

Help protect against packet fragmentation: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery (REG_DWORD) 0

Protect against SYN Flood attacks: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect (REG_DWORD) 2

Allow Server Operators to Schedule Tasks: Not Applicable

Rename Administrator Account: Any value other than ‘Administrator’

Rename Guest Account: Any value other than ‘Guest’

Audit the access of global system objects: Not Defined

Audit the use of backup and restore privilege: Not Defined

Disable CTRL+ALT+Delete Requirement for Logon: Disabled

Prevent Users from Installing Printer Drivers: Enabled

Amount of Idle Time Required Before Disconnecting Session: 30 Minutes (minimum)

LAN Manager Authentication Level: “Send NTLMv2 response only” (minimum)

Recovery Console: Allow Automatic Administrative Logon: Disabled

Restrict CD-ROM Access to Locally Logged-On User Only: Enabled

Restrict Floppy Access to Locally Logged-On User Only: Enabled

Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders: Disabled

Strengthen Default Permissions of Global System Objects (e.g. Symbolic Links): Enabled

Secure Channel: Require Strong (Windows 2000 or later) Session Key: Not Defined

Send Unencrypted Password to Connect to Third-Party SMB Servers: Disabled

Unsigned Driver Installation Behavior: “Warn, but allow installation” (minimum) or “Do Not Allow Installation”.

Unsigned Non-Driver Installation Behavior: “Warn, but allow installation” (minimum) or “Do Not Allow Installation”

Prompt User to Change Password Before Expiration: 14 Days (minimum)

Allow System to be Shut Down Without Having to Log On: Disabled

Clear Virtual Memory Pagefile When System Shuts Down: Enabled

Digitally Sign Client Communication (Always): Not Defined

Digitally Sign Client Communication (When Possible): Enabled

Digitally Sign Server Communication (Always): Not Defined

Digitally Sign Server Communication (When Possible): Enabled

Number of Previous Logons to Cache: 1 (maximum)

Allowed to Eject Removable NTFS Media: Administrators

Shut Down system immediately if unable to log security audits: Not Defined

Automatically Log Off Users When Logon Time Expires (local): Enabled

Smart Card Removal Behavior: “Lock Workstation” (minimum)

4.3.1 Ensure all disk volumes are using the NTFS file system

?

?

?

?

?

Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always): Not Defined

Secure Channel: Digitally Encrypt Secure Channel Data (When Possible): Enabled

Secure Channel: Digitally Sign Secure Channel Data (When Possible): Enabled

Prevent System Maintenance of Computer Account Password: Disabled

?

?

Reg Auditing Local Machine

Reg Auditing Local Machine

Program Files ACL

Resource Kit ACL Servers and DCs

Resource Kit ACL Workstation

SystemDrive ACL

Autoexec.bat ACL

BOOT.INI ACL

DISA Gold Disk Check Name for W2K (golddisk.win2k.ecve.txt)

CONFIG.SYS ACL

Documents and Settings ACL

Documents and Settings\Administrator ACL

Documents and Settings\All Users ACL

DrWatson ACL

DrWatson Log ACL

Default User ACL

IO.SYS ACL

MSDOS.SYS ACL

NTBOOTDD.SYS ACL

NTDETECT.COM ACL

NTLDR ACL

Temp ACL

My Download ACL

System Root ACL

Driver.cab ACL

System Root ACL

%SystemRoot%\$NtServicePackUninstall$

NT SP Uninstall ACL

CSC ACL

Debug ACL

UserMode Directory ACL

regedit.exe ACL

NTDS ACL

Registration ACL

Repair ACL

Security ACL

SYSVOL ACL

%SystemRoot%\SYSVOL\domain\Policies

Temp ACL

System32 ACL

appmgmt ACL

at.exe ACL

CONFIG ACL

%SystemRoot%\System32\CONFIG\AppEvent.evt

%SystemRoot%\System32\CONFIG\SecEvent.evt

dllcache ACL

GroupPolicy ACL

ias ACL

NTbackup.exe ACL

NTMSData ACL

Rcp.exe ACL

Regedt32.exe ACL

Rexec.exe ACL

Rsh.exe ACL?

Setup ACL

repl ACL

Export ACL

Import ACL

Spool\Printers ACL?

MQSeries ACL

MQSeries Queue ACL

269

SECEDIT.SDB ACL

Registry ACL Check CLASSES_ROOT

Registry ACL Check Software?

Reg ACL NetDDE Check test

Reg ACL OS2 Check test

Reg ACL Check AsrCommands

\SOFTWARE\Classes\Regfile\Shell\Open\Command

Registry ACL Check Perflib

Reg ACL Check Group Policy

Reg ACL Check Installer

Reg ACL Check Policies

Registry ACL Check SYSTEM

Registry ACL Check controlset001

Registry ACL Check controlset002

Registry ACL Check controlset003

Registry ACL Check controlset004

Registry ACL Check controlset005

Registry ACL Check controlset006

Registry ACL Check controlset007

Registry ACL Check controlset008

Registry ACL Check controlset009

Registry ACL Check controlset010

Winreg ACL

Registry ACL Check Security

Registry ACL Check Hardware Profiles

Registry ACL Check Permitted Managers

Registry ACL Check ValidCommunities

Registry ACL Check Default

Registry ACL Check NetDDE

Registry ACL Check CLASSES_ROOT

User Right Check deny access from network

User Right Check Network Logon

User Right Check Act as OS

User Right Check Backup

User Right Check Bypass Traverse checking

User Right Check change system time

User Right Check create pagefile

User Right Check create token object

User Right Check create permanent shared objects

User Right Check debug programs

User Right Check remote shutdown

User Right Check generate security audits

User Right Check increase quotas

User Right Check increase scheduling priority

User Right Check load and unload device drivers

User Right Check lock pages in memory

User Right Check log on as a batch job

User Right Check log on as a service job

User Right Check log on locally

User Right Check modify firmware

User Right Check Profile single process

Manage Auditing and Security Logs on a Member Server

User Right Check Profile system performance

User Right Check undock

User Right replace process token

User Right restore

User Right shut down

User Right take ownership

User Right synch directory

User Right Check deny logon locally

User Right Check allow trust for delegation

User Right Check Add wkstn to domain

Lockout Reset (15)

Lockout Duration (15)

Lockout Count (3)

Account logon auditing

Account logon auditing

Account management auditing

Account management auditing

logon auditing

logon auditing

object access auditing

object access auditing

policy change auditing

policy change auditing

priv use auditing

priv use auditing?

?

System Event auditing

System Event auditing?

Decoy Admin, Account Exists

Application Event Log size key value

Anonymous Access to the Application Event Log value

Application Event Log retention key value

Application Event Log retention key value

Security Event Log size key value

Security Event Log retention key value

Security Event Log retention key value

System Event Log size key value

System Event Log retention key value

Anonymous Access to the Security Event Log value

Anonymous Access to the System Event Log value

System Event Log retention key value

Maximum Password Age (90)

Minimum Password Age

Password Length (8)

Check for Enpasflt.dll

EnPasFlt Check

Password History (24)

Reversible Pwd Encryption?

?

Computer Browser Disabled

?

?

?

?

?

Remote Shell Service

Simple TCP/IP Service

NetMeeting Remote Desktop Sharing Disabled

Remote Access Auto Connection Manager Disabled

?

?

?

Telnet Disabled?

Print Services for UNIX

Printer Permissions

"Schedule" service is run as the system account.

Restrict Anonymous value

Anonymous access to the event logs is not restricted.

Anonymous access to the Registry is not restricted.

Guest Account Disabled

?

?

Admin Autologon Value

CIS: Disable Reboot After Crash value

Autoplay value?

Legal notice is not configured to display before console logon.

CIS: Automatic Execution of the System Debugger value

?

Computer Browser Spoofing Attacks

Disable ICMP Redirect

Disable IP Source Routing

Disable Router Discovery

CIS: Allow Dr. Watson Crash Dumps value?

CIS: Disable Media Autoplay (HKU-.Default hive)

CIS: Enable IPSec security for Kerberos RSVP Traffic value

Disable Dead Gateway Detection

TCP Connection Keep-Alive Time

Half-open TCP Sockets

Half-open retired TCP Sockets

Name-Release Attacks?

SYN Attack Protection

Protect Kernel object attributes

Audit Log Warning Level

Disable saving of dial up password

Encrypt Secure Channel Traffic Value

CIS: Hide computer Name from other domain controllers value

Sign Secure Channel Traffic Value?

Administrator Account Renamed

Guest Account Renamed

?

?

Ctrl+Alt+Del security attention sequence is Disabled.

LMCompatibility Value

Print Driver Installation value

Amount of idle time before disconnecting value (<= 15)

The Send download LanMan compatible password option is not set to "Send LM and NTLM - Use NTLMv2 if Negotiated."

Recovery Console Autologon value

Recovery Console Full Access Value?

Floppy Allocation

Strength permissions on GSO value?

Unsigned Driver Behavior Value

Unsigned Non-Driver Behavior Value

Password Expiration value

Send unencrypted password to 3rd party SMB value

Crash on audit fail Value

The system allows shutdown from the logon dialog box

Logon Time Enforcement (0)

Clear Pagefile value?

Enable Security Signature Value?

SMB Server Packet Signing Value

Logon Caching value (<= 2)

NTFS Media Ejection value

?

?

?

Smart Card Removal Behavior Value

Disable password change Value

Non-NTFS Partition

Unused USB ports are not disabled.

current user scrnsave.exe

Current user screensaver timeout

Current user screensaver secure

Current user screensaver active

Always Install with Elevated Privileges

Enable User Control Over Installs

Enable User to Patch Elevated Products

Windows Messenger Internet Access

Hide Property Pages

Prohibit New Task Creation

Disable IE Security Prompt for Windows Installer Scripts

Enable User to Browse for Source While Elevated

Enable User to Use Media Source While Elevated

Allow Admin to Install from Terminal Services Session

Cache Transforms in Secure Location on Workstation

Security Zones: Use Only Machine Settings

Security Zones: Do Not Allow Users to Add/Delete Sites

Disable Periodic Check for Internet Explorer Software Updates

Disable Software Update Shell Notifications on Program Launch

Make Proxy Settings Per Machine

Audit Directory Service Access

Audit Directory Service Access

Smart Card Helper Service Disabled

License Logging Service Disabled

Denied Logon As A Batch Job

Disable Automatic Install of Internet Explorer Components

Security Zones: Do Not Allow Users to Change Policies

Application Management Service Disabled

Resultant Set of Policy Provider Service Disabled

CAC logon required (NIPRNet only) Requirement

Distributed Link Tracking Server Service Disabled

Impersonate a Client After Authentication

Recycle Bin Configured to Delete Files (Servers) Requirements

Network News Transport Protocol Service Disabled

Network Dynamic Data Exchange (DDE) Service Disabled

Remote Access Auto Connection Manager Service Disabled

Forcibly Disconnect when Logon Hours Expire Requirements

Distributed Transaction Coordinator Service Disabled

DCOM - RunAs Value Requirements

Uninterrupted Power Supply Service Disabled

Right To Create Global Objects

Task Scheduler Service Disabled

Telephony Service Disabled

DHCP Server Service Disabled

Denied Logon As A Service

Kerberos - User Logon Restrictions (DC) Requirements

Kerberos - User Ticket Lifetime (DC) Requirements

Kerberos - Service Ticket Lifetime (DC) Requirements

Kerberos - User Ticket Renewal Lifetime (DC) Requirements

Kerberos - Computer Clock Synchronization (DC) Requirements

DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax

Wireless Zero Configuration

ASP .NET State Service Disabled

Distributed Link Tracking Client Service Disabled

Indexing Service Disabled

Certificate Service Disabled

Smart Card Service Disabled

Power Users Restricted Group

DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax

Remote Access Connection Manager Service Disabled

Network DDE DDE Share Database Manager (DSDM) Service Disabled

CCE ID CCE Description

CCE-2682-3 CCE-25

CCE-2796-1 CCE-899

CCE-1840-8 CCE-727

CCE-2483-6 CCE-211

CCE-1849-9 CCE-39

CCE-2620-3 CCE-83

CCE-2787-0 CCE-854

CCE-2673-2 CCE-783

Old v4 CCE Id

CCE Parameters

The required auditing for %SystemDrive% directory should be enabled.

(1) set of accounts (2) events to audit (3) applicability

The required auditing for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be enabled.

(1) set of accounts (2) events to audit (3) applicability

The required auditing for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be enabled.

(1) set of accounts (2) events to audit (3) applicability

The required permissions for the directory %ALL% should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %AllUsersProfile% should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %AllUsersProfile%\Application Data should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Crypto\DSSHKLMKeys should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-2782-1 CCE-713

CCE-2676-5 CCE-387

CCE-1815-0 CCE-527

CCE-2728-4 CCE-686

CCE-2763-1 CCE-3

CCE-2768-0 CCE-356

CCE-2561-9 CCE-85

CCE-2706-0 CCE-24

CCE-2085-9 CCE-411

The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Crypto\RSAHKLMKeys should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Dr Watson should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Dr Watson\drwtsn32.log should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\HTML Help should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\MediaIndex should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %AllUsersProfile%\Documents\desktop.ini should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %AllUsersProfile%\DRM should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %ProgramFiles% should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemDrive% should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-2702-9 CCE-816

CCE-2623-7 CCE-987

CCE-2565-0 CCE-419

CCE-2115-4 CCE-120

CCE-2741-7 CCE-714

CCE-2745-8 CCE-540

CCE-2287-1 CCE-602

CCE-2798-7 CCE-399

CCE-2578-3 CCE-192

CCE-2234-3 CCE-561

The required permissions for the file %SystemDrive%\AUTOEXEC.BAT should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemDrive%\CONFIG.SYS should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemDrive%\Documents and Settings should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemDrive%\Documents and Settings\Administrator should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemDrive%\Documents and Settings\Default User should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemDrive%\IO.SYS should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemDrive%\MSDOS.SYS should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemDrive%\NTBOOTDD.SYS should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemDrive%\NTDETECT.COM should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemDrive%\NTLDR should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-2750-8 CCE-971

CCE-2160-0 CCE-645

CCE-2475-2 CCE-579

CCE-2387-9 CCE-505

CCE-2647-6 CCE-134

CCE-2418-2 CCE-293

CCE-2329-1 CCE-94

CCE-2105-5 CCE-152

CCE-2752-4 CCE-482

CCE-2757-3 CCE-147

CCE-2264-0 CCE-737

The required permissions for the file %SystemDrive%\System Volume Information should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot% should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\Driver Cache\I386\Driver.cab should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\$NtServicePackUninstall$ should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\CSC should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\Debug should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\Debug\UserMode should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\Debug\UserMode\userenv.log should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\Installer should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\Offline Web Pages should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\Prefetch should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-2175-8 CCE-795

CCE-2325-9 CCE-155

CCE-1833-3 CCE-323

CCE-2805-0 CCE-873

CCE-2739-1 CCE-67

CCE-2638-5 CCE-380

CCE-2660-9 CCE-45

CCE-2052-9 CCE-600

CCE-2184-0 CCE-393

CCE-2312-7 CCE-166

CCE-2726-8 CCE-977

The required permissions for the file %SystemRoot%\regedit.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\Registration should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\Registration\CRMLog should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\repair should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\Temp should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\System32 should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\System32\arp.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\at.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\attrib.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\cacls.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-2250-9 CCE-272

CCE-1924-0 CCE-994

CCE-2598-1 CCE-170

CCE-1842-4 CCE-197

CCE-1846-5 CCE-765

CCE-2800-1 CCE-334

CCE-2699-7 CCE-201

CCE-2844-9 CCE-386

CCE-2109-7 CCE-941

CCE-2514-8 CCE-981

The required permissions for the file %SystemRoot%\System32\ciadv.msc should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\Com\comexp.msc should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\compmgmt.msc should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\CONFIG should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\CONFIG\AppEvent.evt should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\CONFIG\*.evt should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\debug.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\devmgmt.msc should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\dfrg.msc should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\diskmgmt.msc should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-1863-0 CCE-350

CCE-2760-7 CCE-403

CCE-2425-7 CCE-972

CCE-1909-1 CCE-20

CCE-2145-1 CCE-489

CCE-2436-4 CCE-917

CCE-2704-5 CCE-846

CCE-2334-1 CCE-529

CCE-2229-3 CCE-264

CCE-2621-1 CCE-819

The required permissions for the directory %SystemRoot%\System32\dllcache should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\drwatson.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\drwtsn32.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\edlin.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\eventcreate.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\eventtriggers.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\eventvwr.msc should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\fsmgmt.msc should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\ftp.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\gpedit.msc should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-2876-1 CCE-789

CCE-2813-4 CCE-894

CCE-2597-3 CCE-198

CCE-2747-4 CCE-634

CCE-2139-4 CCE-550

CCE-2178-2 CCE-731

CCE-2672-4 CCE-607

CCE-1916-6 CCE-158

CCE-2732-6 CCE-220

The required permissions for the directory %SystemRoot%\System32\GroupPolicy should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\System32\ias should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\System32\lusrmgr.msg should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\System32\MSDTC should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\nbstat.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\net.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\net1.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\netsh.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\netstat.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-2613-8 CCE-242

CCE-2903-3 CCE-821

CCE-1925-7 CCE-486

CCE-2727-6 CCE-548

CCE-2749-0 CCE-715

CCE-2912-4 CCE-151

CCE-2784-7 CCE-997

CCE-2220-2 CCE-547

CCE-2833-2 CCE-865

The required permissions for the file %SystemRoot%\System32\nslookup.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\Ntbackup.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\System32\NTMSData should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\ntmsoprq.msc should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\ntmsmgr.msc should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\perfmon.msc should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\Rcp.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\reg.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\Regedt32.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-2855-5 CCE-543

CCE-2894-4 CCE-657

CCE-2899-3 CCE-274

CCE-2546-0 CCE-168

CCE-2674-0 CCE-353

CCE-2070-1 CCE-27

CCE-2762-3 CCE-340

CCE-2176-6 CCE-516

CCE-2198-0 CCE-922

CCE-2185-7 CCE-847

The required permissions for the file %SystemRoot%\System32\regini.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\regsvr32.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\Rexec.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\route.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\Rsh.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\RSoP.msc should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\runas.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\sc.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\Secedit.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\secpol.msc should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-2458-8 CCE-904

CCE-2872-0 CCE-587

CCE-2753-2 CCE-692

CCE-2788-8 CCE-921

CCE-2797-9 CCE-225

CCE-2691-4 CCE-159

CCE-2731-8 CCE-348

CCE-1937-2 CCE-718

CCE-2857-1 CCE-154

CCE-2738-3 CCE-322

The required permissions for the file %SystemRoot%\System32\services.msc should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\System32\Setup should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\System32\spool\Printers should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\subst.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\systeminfo.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\telnet.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\tftp.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\tlntsvr.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the file %SystemRoot%\System32\wmimgmt.msc should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the directory %SystemRoot%\Tasks should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-2619-5 CCE-279

CCE-2284-8 CCE-59

CCE-2809-2 CCE-90

CCE-1943-0 CCE-477

CCE-2612-0 CCE-394

CCE-2758-1 CCE-826

CCE-2401-8 CCE-618

CCE-2921-5 CCE-19

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography/Calais should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security\XAKey should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDE should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-2392-9 CCE-363

CCE-2771-4 CCE-790

CCE-2793-8 CCE-268

CCE-2207-9 CCE-321

CCE-2625-2 CCE-131

CCE-2736-7 CCE-34

CCE-2630-2 CCE-135

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-2775-5 CCE-558

CCE-2300-2 CCE-837

CCE-2172-5 CCE-9

CCE-1960-4 CCE-934

CCE-2859-7 CCE-53

CCE-2938-9 CCE-269

CCE-2850-6 CCE-960

CCE-2590-8 CCE-613

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\clone should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wmi\Security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-2484-4 CCE-930

CCE-2524-7 CCE-163

CCE-2907-4 CCE-978

CCE-2911-6 CCE-877

CCE-2555-1 CCE-683

CCE-2202-0 CCE-238

CCE-2352-3 CCE-101

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ersvc\Security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRENUM\Security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-2634-4 CCE-788

CCE-1973-7 CCE-823

CCE-2603-9 CCE-246

CCE-2871-2 CCE-902

CCE-2396-0 CCE-193

CCE-1966-1 CCE-110

CCE-2696-3 CCE-661

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netdd\Security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netddedsdm\Security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpcss\Security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scarddrv\Security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scardsvr\Security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-2595-7 CCE-330

CCE-2238-4 CCE-594

CCE-2881-1 CCE-35

CCE-2780-5 CCE-290

CCE-2428-1 CCE-202

CCE-2885-2 CCE-603

CCE-2537-9 CCE-748

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers should

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities should

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stisvc\Security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tapisrv\Security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32time\Security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

CCE-2057-8 CCE-907

CCE-2951-2 CCE-127

CCE-2845-6 CCE-483

CCE-2740-9 CCE-730

CCE-1978-6 CCE-898 (1) set of accounts

CCE-2379-6 CCE-532 (1) set of accounts

CCE-2167-5 CCE-162 (1) set of accounts

CCE-2299-6 CCE-931 (1) set of accounts

CCE-2806-8 CCE-376 (1) set of accounts

CCE-2846-4 CCE-799 (1) set of accounts

The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi\Security should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_USERS\.DEFAULT should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\NetDDE should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The "deny access to this computer from the network" user right should be assigned to the correct accounts.

The "access this computer from the network" user right should be assigned to the correct accounts.

The "act as part of the operating system" user right should be assigned to the correct accounts.

The "back up files and directories" user right should be assigned to the correct accounts.

The "bypass traverse checking" user right should be assigned to the correct accounts.

The "change the system time" user right should be assigned to the correct accounts.

CCE-2786-2 CCE-895 (1) set of accounts

CCE-2791-2 CCE-926 (1) set of accounts

CCE-1969-5 CCE-335 (1) set of accounts

CCE-2864-7 CCE-842 (1) set of accounts

CCE-2886-0 CCE-754 (1) set of accounts

CCE-2767-2 CCE-939 (1) set of accounts

CCE-2547-8 CCE-807 (1) set of accounts

CCE-2944-7 CCE-349 (1) set of accounts

CCE-2446-3 CCE-860 (1) set of accounts

CCE-2609-6 CCE-749 (1) set of accounts

CCE-2882-9 CCE-177 (1) set of accounts

CCE-2948-8 CCE-216 (1) set of accounts

The "create a pagefile" user right should be assigned to the correct accounts.

The "Create a token object" user right should be assigned to the correct accounts.

The "create permanent shared objects" user right should be assigned to the correct accounts.

The "debug programs" user right should be assigned to the correct accounts.

The "force shutdown from a remote system" user right should be assigned to the correct accounts.

The "generate security audits" user right should be assigned to the correct accounts.

The "adjust memory quotas for a process" user right should be assigned to the correct accounts.

The "increase scheduling priority" user right should be assigned to the correct accounts.

The "load and unload device drivers" user right should be assigned to the correct accounts.

The "lock pages in memory" user right should be assigned to the correct accounts.

The "log on as a batch job" user right should be assigned to the correct accounts.

The "log on as a service" user right should be assigned to the correct accounts.

CCE-2829-0 CCE-965 (1) set of accounts

CCE-2247-5 CCE-850 (1) set of accounts

CCE-2657-5 CCE-17 (1) set of accounts

CCE-2807-6 CCE-260 (1) set of accounts

CCE-2675-7 CCE-599 (1) set of accounts

CCE-2335-8 CCE-656 (1) set of accounts

CCE-2860-5 CCE-667 (1) set of accounts

CCE-2847-2 CCE-553 (1) set of accounts

CCE-2366-3 CCE-839 (1) set of accounts

CCE-2021-4 CCE-492 (1) set of accounts

CCE-2810-0 CCE-381 (1) set of accounts

The "log on locally" user right should be assigned to the correct accounts.

The "manage auditing and security log" user right should be assigned to the correct accounts.

The "modify firmware environment values" user right should be assigned to the correct accounts.

The "profile single process" user right should be assigned to the correct accounts.

The "profile system performance" user right should be assigned to the correct accounts.

The "remove computer from docking station" user right should be assigned to the correct accounts.

The "replace a process-level token" user right should be assigned to the correct accounts.

The "restore files and directories" user right should be assigned to the correct accounts.

The "shut down the system" user right should be assigned to the correct accounts.

The "take ownership of files or other objects" user right should be assigned to the correct accounts.

The "synchronize directory service data" user right should be assigned to the correct accounts.

CCE-2700-3 CCE-64 (1) set of accounts

CCE-2982-7 CCE-15 (1) set of accounts

CCE-2374-7 CCE-183 (1) set of accounts

CCE-3004-9 CCE-883 (1) set of accounts

CCE-2898-5 CCE-165 (1) set of accounts

CCE-2792-0 CCE-597 (1) set of accounts

CCE-2814-2 CCE-108 (1) set of accounts

CCE-2960-3 CCE-314 (1) set of accounts

CCE-2466-1 CCE-733

CCE-2928-0 CCE-980

CCE-2986-8 CCE-658

CCE-2867-0 CCE-2628 enabled/disabled

The "deny logon locally" user right should be assigned to the correct accounts.

The "enable computer and user accounts to be trusted for delegation" user right should be assigned to the correct accounts.

The "add workstations to domain" user right should be assigned to the correct accounts.

The "allow logon through Terminal Services" user right should be assigned to the correct accounts.

The "deny logon as a batch job" user right should be assigned to the correct accounts.

The "deny logon as a service" user right should be assigned to the correct accounts.

The "deny logon through Terminal Services" user right should be assigned to the correct accounts.

The "perform volume maintenance tasks" user right should be assigned to the correct accounts.

The "reset account lockout counter after" policy should meet minimum requirements.

(1) number of minutes

The "account lockout duration" policy should meet minimum requirements.

(1) number of minutes

The "account lockout threshold" policy should meet minimum requirements.

(1) number of attempts

Auditing of "account logon" events on success should be enabled or disabled as appropriate.

CCE-3008-0 CCE-2543 enabled/disabled

CCE-2902-5 CCE-2000 enabled/disabled

CCE-2906-6 CCE-1646 enabled/disabled

CCE-2933-0 CCE-2118 enabled/disabled

CCE-2206-1 CCE-2390 enabled/disabled

CCE-2100-6 CCE-1686 enabled/disabled

CCE-2343-2 CCE-1744 enabled/disabled

CCE-2259-0 CCE-2640 enabled/disabled

CCE-2766-4 CCE-1991 enabled/disabled

CCE-2971-0 CCE-2412 enabled/disabled

CCE-2759-9 CCE-2347 enabled/disabled

Auditing of "account logon" events on failure should be enabled or disabled as appropriate.

Auditing of "account management" events on success should be enabled or disabled as appropriate.

Auditing of "account management" events on failure should be enabled or disabled as appropriate.

Auditing of "directory service access" events on success should be enabled or disabled as appropriate.

Auditing of "directory service access" events on failure should be enabled or disabled as appropriate.

Auditing of "logon" events on success should be enabled or disabled as appropriate.

Auditing of "logon" events on failure should be enabled or disabled as appropriate.

Auditing of "object access" events on success should be enabled or disabled as appropriate.

Auditing of "object access" events on failure should be enabled or disabled as appropriate.

Auditing of "policy change" events on success should be enabled or disabled as appropriate.

Auditing of "policy change" events on failure should be enabled or disabled as appropriate.

CCE-2913-2 CCE-2431 enabled/disabled

CCE-2918-1 CCE-2584 enabled/disabled

CCE-2816-7 CCE-2529 enabled/disabled

CCE-2939-7 CCE-2617 enabled/disabled

CCE-2878-7 CCE-2420 enabled/disabled

CCE-2843-1 CCE-1680 enabled/disabled

CCE-2116-2 CCE-299 (1) enabled/disabled

CCE-2904-1 CCE-185 (1) size of file

CCE-3014-8 CCE-285 type of retention

CCE-3019-7 CCE-951 (1) number of days

Auditing of "privilege use" events on success should be enabled or disabled as appropriate.

Auditing of "privilege use" events on failure should be enabled or disabled as appropriate.

Auditing of "process tracking" events on success should be enabled or disabled as appropriate.

Auditing of "process tracking" events on failure should be enabled or disabled as appropriate.

Auditing of "system" events on success should be enabled or disabled as appropriate.

Auditing of "system" events on failure should be enabled or disabled as appropriate.

The "restrict guest access to application log" policy should be set correctly.

The application log maximum size should be configured correctly.

The "when maximum log size is reached" property should be set correctly for the Application log.

If the Application log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.

CCE-2794-6 CCE-462 (1) enabled/disabled

CCE-2693-0 CCE-757 (1) size of file

CCE-2336-6 CCE-523 type of retention

CCE-2966-0 CCE-682 (1) number of days

CCE-2345-7 CCE-726 (1) enabled/disabled

CCE-3006-4 CCE-735 (1) size of file

CCE-2777-1 CCE-664 type of retention

CCE-2050-3 CCE-210 (1) number of days

CCE-2920-7 CCE-871 (1) number of days

CCE-2439-8 CCE-324 (1) number of days

The "restrict guest access to security log" policy should be set correctly.

The security log maximum size should be configured correctly.

The "when maximum log size is reached" property should be set correctly for the Security log.

If the Security log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.

The "restrict guest access to system log" policy should be set correctly.

The system log maximum size should be configured correctly.

The "when maximum log size is reached" property should be set correctly for the System log.

If the System log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.

The "maximum password age" policy should meet minimum requirements.

The "minimum password age" policy should meet minimum requirements.

CCE-2981-9 CCE-100 (1) number of days

CCE-2735-9 CCE-633 (1) enabled/disabled

CCE-2994-2 CCE-60

CCE-2889-4 CCE-479 (1) enabled/disabled

CCE-3034-6 CCE-487

CCE-2937-1 CCE-496

CCE-2818-3 CCE-148

CCE-2713-6 CCE-954

CCE-2880-3 CCE-294

CCE-2950-4 CCE-800

The "minimum password length" policy should meet minimum requirements.

The "password must meet complexity requirements" policy should be set correctly.

The "enforce password history" policy should meet minimum requirements.

(1) number of passwords remembered

The "store password using reversible encryption for all users in the domain" policy should be set correctly.

The startup type of the Alerter service should be correct.

(1) disabled/manual/automatic

The startup type of the Automatic Update service should be correct.

(1) disabled/manual/automatic

The startup type of the Background Intelligent Transfer Service (BITS) service should be correct.

(1) disabled/manual/automatic

The startup type of the ClipBook service should be correct.

(1) disabled/manual/automatic

The startup type of the Computer Browser service should be correct.

(1) disabled/manual/automatic

The startup type of the Fast User Switching service should be correct.

(1) disabled/manual/automatic

CCE-2849-8 CCE-78

CCE-2888-6 CCE-712

CCE-3016-3 CCE-311

CCE-2910-8 CCE-738

CCE-2915-7 CCE-729

CCE-2053-7 CCE-650

CCE-2071-9 CCE-408

CCE-2896-9 CCE-232

CCE-2280-6 CCE-857

CCE-2940-5 CCE-267

CCE-2255-8 CCE-663

The startup type of the Fax service should be correct.

(1) disabled/manual/automatic

The startup type of the FTP Publishing service should be correct.

(1) disabled/manual/automatic

The startup type of the IIS Admin service should be correct.

(1) disabled/manual/automatic

The startup type of the Indexing service should be correct.

(1) disabled/manual/automatic

The startup type of the Messenger service should be correct.

(1) disabled/manual/automatic

The startup type of the .NET Framework service should be correct.

(1) disabled/manual/automatic

The startup type of the Net Logon service should be correct.

(1) disabled/manual/automatic

The startup type of the NetMeeting Remote Desktop Sharing service should be correct.

(1) disabled/manual/automatic

The startup type of the Print Services for Unix service should be correct.

(1) disabled/manual/automatic

The startup type of the Remote Access Auto connection Manager service should be correct.

(1) disabled/manual/automatic

The startup type of the Remote Desktop Help Session Manager service should be correct.

(1) disabled/manual/automatic

CCE-3026-2 CCE-672

CCE-3030-4 CCE-73

CCE-3035-3 CCE-223

CCE-2427-3 CCE-522

CCE-2449-7 CCE-531

CCE-2233-5 CCE-870

CCE-2779-7 CCE-975

CCE-2520-5 CCE-892

CCE-2661-7 CCE-940

CCE-2934-8 CCE-40

The startup type of the Internet Connection Sharing service should be correct.

(1) disabled/manual/automatic

The startup type of the Remote Registry service should be correct.

(1) disabled/manual/automatic

The startup type of the Routing and Remote Access service should be correct.

(1) disabled/manual/automatic

The startup type of the Remote Shell service should be correct.

(1) disabled/manual/automatic

The startup type of the Simple TCP/IP service should be correct.

(1) disabled/manual/automatic

The startup type of the Simple Mail Transport Protocol (SMTP) service should be correct.

(1) disabled/manual/automatic

The startup type of the SNMP Service service should be correct.

(1) disabled/manual/automatic

The startup type of the SNMP Trap Service service should be correct.

(1) disabled/manual/automatic

The startup type of the SSDP Discovery service should be correct.

(1) disabled/manual/automatic

The startup type of the Task Scheduler service should be correct.

(1) disabled/manual/automatic

CCE-2326-7 CCE-75

CCE-3043-7 CCE-974

CCE-3048-6 CCE-608

CCE-2942-1 CCE-758

CCE-2076-8 CCE-669

CCE-2626-0 CCE-889

CCE-3022-1 CCE-61

CCE-2815-9 CCE-476

CCE-2568-4 CCE-643

CCE-3071-8 CCE-87

The startup type of the Telnet service should be correct.

(1) disabled/manual/automatic

The startup type of the Terminal Services service should be correct.

(1) disabled/manual/automatic

The startup type of the Universal Plug and Play Device Host (UPnP) service should be correct.

(1) disabled/manual/automatic

The startup type of the World Wide Web Publishing service should be correct.

(1) disabled/manual/automatic

The correct service permissions for the Alerter service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the Automatic Updates service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the Background Intelligent Transfer service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the ClipBook service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the Computer Browser service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the Fax service should be assigned.

(1) set of accounts (2) list of permissions

CCE-2969-4 CCE-968

CCE-3057-7 CCE-4

CCE-2563-5 CCE-792

CCE-2836-5 CCE-444

CCE-2480-2 CCE-79

CCE-2502-3 CCE-497

CCE-2119-6 CCE-21

CCE-2976-9 CCE-109

CCE-2990-0 CCE-915

CCE-3021-3 CCE-219

The correct service permissions for the File Shares service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the FTP Publishing service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the IIS Admin service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the Indexing service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the Messenger service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the Net Logon service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the NetMeeting service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the Printer service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the Remote Desktop Help Session Manager service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the Remote Registry service should be assigned.

(1) set of accounts (2) list of permissions

CCE-2141-0 CCE-779

CCE-2773-0 CCE-426

CCE-2941-3 CCE-56

CCE-2945-4 CCE-521

CCE-3077-5 CCE-407

CCE-3108-8 CCE-944

CCE-3130-2 CCE-605

CCE-3029-6 CCE-869

CCE-3051-0 CCE-143

The correct service permissions for the Routing and Remote Access service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the SMTP service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the SNMP service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the SNMP Trap service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the Task Scheduler service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the Telnet service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the Terminal Services service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the Universal Plug and Play service should be assigned.

(1) set of accounts (2) list of permissions

The correct service permissions for the WWW Publishing service should be assigned.

(1) set of accounts (2) list of permissions

CCE-2804-3 CCE-195

CCE-2147-7 CCE-318

CCE-2973-6 CCE-953 (1) enabled/disabled

CCE-3119-5 CCE-983

CCE-2890-2 CCE-142

CCE-2643-5 CCE-653

CCE-3040-3 CCE-332 (1) enabled/disabled

CCE-2943-9 CCE-499 (1) enabled/disabled

CCE-2573-4 CCE-23 (1) text caption

CCE-2472-9 CCE-829 (1) text statement

CCE-3137-7 CCE-512 (1) allowed/removed

The behavior surrounding Anonymous users' ability to display lists of SAM accounts and shares should be correct.

(1) restricted/unrestricted

The behavior surrounding Anonymous users' ability to display lists of SAM accounts should be correct.

(1) restricted/unrestricted

The behavior surrounding Anonymous SID/Name translation should be correct.

The "Anonymous access to the application event log" policy should be set correctly.

(1) exist/not exist (2) enabled/disabled

The "Anonymous access to the system event log" policy should be set correctly.

(1) exist/not exist (2) enabled/disabled

The "Anonymous access to the security event log" policy should be set correctly.

(1) exist/not exist (2) enabled/disabled

Use of the built-in Guest account should be enabled or disabled as appropriate.

Use of the built-in Administrator account should be enabled or disabled as appropriate.

The "Message title for users attempting to log on" policy should be set correctly.

The "Message text for users attempting to log on" policy should be set correctly.

Administrative Shares should be properly configured.

CCE-3031-2 CCE-243 (1) enabled/disabled

CCE-2776-3 CCE-283 (1) enabled/disabled

CCE-2419-0 CCE-137 (1) enabled/disabled

CCE-2710-2 CCE-44 (1) enabled/disabled

CCE-2154-3 CCE-36 (1) enabled/disabled

CCE-2423-2 CCE-820 (1) enabled/disabled

CCE-2925-6 CCE-344 (1) enabled/disabled

CCE-3070-0 CCE-282 (1) enabled/ignored

CCE-2824-1 CCE-150 (1) enabled/ignored

Automatic Execution of the System Debugger should be properly configured.

Automatic Logon should be properly configured.

Automatic Reboot After System Crash should be properly configured.

Autoplay on all Drive Types should be properly configured.

Autoplay for Current User should be properly configured.

Autoplay for Default User should be properly configured.

CD-ROM Autorun should be properly configured.

Computer Browser ResetBrowser Frames should be properly configured.

ICMP Redirects should be properly configured.

CCE-3132-8 CCE-564 (1) enabled/disabled

CCE-2652-6 CCE-952 (1) enabled/disabled

CCE-3044-5 CCE-501 (1) enabled/disabled

CCE-3066-8 CCE-536 (1) enabled/disabled

CCE-2930-6 CCE-65 (1) enabled/disabled

CCE-2952-0 CCE-139 (1) available/hidden

CCE-2718-5 CCE-897 (1) enabled/disabled

CCE-2559-3 CCE-188

CCE-2453-9 CCE-333

IP Source Routing should be properly configured.

IRDP should be properly configured.

Kerberos and RSVP Traffic Protected by IPSec should be properly configured.

Dr. Watson Crash Dumps should be properly configured.

Display Last User Name in Logon Screen should be properly configured.

System availability to Master Browser should be properly configured.

TCP/IP Dead Gateway Detection should be properly configured.

The TCP/IP KeepAlive Time should be set correctly.

(1) number of milliseconds

The permitted number of TCP/IP Maximum Half-open Sockets should be set correctly.

(1) number of sockets

CCE-3114-6 CCE-751

CCE-3118-7 CCE-817 (1) enabled/disabled

CCE-3017-1 CCE-998 (1) enabled/disabled

CCE-2916-5 CCE-284 (1) enabled/disabled

CCE-3061-9 CCE-125 (1) warning level

CCE-2444-8 CCE-156 (1) enabled/disabled

CCE-2841-5 CCE-271 (1) enabled/disabled

CCE-3092-4 CCE-707 (1) enabled/disabled

The permitted number of TCP/IP Maximum Retried Half-open Sockets should be set correctly.

(1) number of sockets

TCP/IP NetBIOS Name Release on Request Prevented should be properly configured.

TCP/IP PMTU Discovery should be properly configured.

TCP/IP SYN Flood Attack Protection should be properly configured.

Security Audit log warning level should be properly configured.

Disable saving of dial-up passwords should be properly configured.

Safe DLL Search Mode should be properly configured.

Always Wait for the Network at Computer Startup and Logon should be properly configured.

CCE-3013-0 CCE-213 (1) enabled/disabled

CCE-3100-5 CCE-231 (1) logon type

CCE-2893-6 CCE-50 (1) enabled/disabled

CCE-2774-8 CCE-81 (1) enabled/disabled

CCE-2173-3 CCE-896 (1) enabled/disabled

CCE-3087-4 CCE-574 (1) enabled/disabled

CCE-2968-6 CCE-257 (1) enabled/disabled

CCE-3135-1 CCE-438 (1) valid names

CCE-3025-4 CCE-834 (1) valid names

CCE-3157-5 CCE-222

CCE-3162-5 CCE-2 (1) enabled/disabled

Delete Roaming Cached Profiles should be properly configured.

Use Classic Logon should be properly configured.

Background Refresh of Group Policy should be properly configured.

Show Shared Internet Connection Access UI should be properly configured.

Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.

Disallow Installation of Printers Using Kernel-mode Drivers should be properly configured.

The "Allow Server Operators to Schedule Tasks" policy should be set correctly.

The built-in Administrator account should be correctly named.

The built-in Guest account should be correctly named.

The amount of idle time required before disconnecting a session should be set correctly.

(1) number of minutes

The "Audit the access of global system objects" policy should be set correctly.

CCE-2955-3 CCE-905 (1) enabled/disabled

CCE-2891-0 CCE-133 (1) enabled/disabled

CCE-2926-4 CCE-719

CCE-2789-6 CCE-402 (1) enabled/disabled

CCE-2935-5 CCE-410 (1) enabled/disabled

CCE-2957-9 CCE-76 (1) enabled/disabled

CCE-2974-4 CCE-565 (1) enabled/disabled

CCE-2873-8 CCE-463 (1) enabled/disabled

CCE-3005-6 CCE-508 (1) enabled/disabled

The "Audit the use of backup and restore privilege" policy should be set correctly.

The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly.

The "LAN Manager Authentication Level" policy should be set correctly.

(1) authentication level

The "Prevent Users from Installing Printer Drivers" policy should be set correctly.

The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly.

The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly.

The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly.

The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly.

The "Strengthen Default Permissions of Global System Objects" policy should be set correctly.

CCE-3151-8 CCE-417 (1) enabled/disabled

CCE-3049-4 CCE-228 (1) enabled/disabled

CCE-3085-8 CCE-413 (1) behavior

CCE-2701-1 CCE-814

CCE-2851-4 CCE-92 (1) enabled/disabled

CCE-2983-5 CCE-224 (1) enabled/disabled

CCE-3128-6 CCE-422 (1) enabled/disabled

CCE-3027-0 CCE-576 (1) enabled/disabled

CCE-2802-7 CCE-519 (1) enabled/disabled

CCE-3053-6 CCE-171 (1) enabled/disabled

The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly.

The "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly.

The "Unsigned Driver Installation Behavior" policy should be set correctly.

The "Users Prompted to Change Password Before Expiration" policy should be set correctly.

(1) number of days prior to expiration

The "Shut Down system immediately if unable to log security audits" policy should be set correctly.

The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.

The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly.

The "Digitally Sign Client Communication (Always)" policy should be set correctly.

The "Digitally Sign Client Communication (When Possible)" policy should be set correctly.

The "Digitally Sign Server Communication (Always)" policy should be set correctly.

CCE-2688-0 CCE-104 (1) enabled/disabled

CCE-3106-2 CCE-773

CCE-3111-2 CCE-919 (1) Group(s)

CCE-3097-3 CCE-549 (1) enabled/disabled

CCE-2996-7 CCE-161 (1) enabled/disabled

CCE-3000-7 CCE-918 (1) enabled/disabled

CCE-3133-6 CCE-443 (1) behavior

CCE-2313-5 CCE-831 (1) enabled/disabled

CCE-3084-1 CCE-55 (1) enabled/disabled

The "Digitally Sign Server Communication (When Possible)" policy should be set correctly.

The "Number of Previous Logons to Cache" policy should be set correctly.

(1) number of logons

The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly.

The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly.

The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.

The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.

The "Smart Card Removal Behavior" policy should be set correctly.

The "Prevent System Maintenance of Computer Account Password" policy should be set correctly.

The "Use FIPS compliant algorithms for encryption, hashing, and signing" policy should be set correctly.

CCE-2842-3 CCE-575 (1) enabled/disabled

CCE-2987-6 CCE-300 (1) enabled/disabled

CCE-2344-0 CCE-533 (1) enabled/disabled

CCE-3009-8 CCE-186 (1) enabled/disabled

CCE-2551-0 CCE-710 (1) enabled/disabled

CCE-2991-8 CCE-732 (1) enabled/disabled

CCE-3123-7 CCE-490 (1) enabled/disabled

CCE-3018-9 CCE-194 (1) enabled/disabled

CCE-3172-4 CCE-374 (1) enabled/disabled

CCE-2692-2 CCE-278 (1) enabled/disabled

The "Default owner for objects created by members of the Administrators group" policy should be set correctly.

The "Require Case Insensitivity for Non-Windows Subsystems" policy should be set correctly.

The "Limit local account use of blank passwords to console logon only" policy should be set correctly.

The "Allow undock without having to logon" policy should be set correctly.

The "LDAP server signing requirements" policy should be set correctly.

The "LDAP client signing requirements" policy should be set correctly.

The "Refuse machine account password change" policy should be set correctly.

The "Maximum machine account password age" policy should be set correctly.

The "Require Domain Controller authentication to unlock workstation" policy should be set correctly.

The "Disconnect clients when logon hours expire" policy should be set correctly.

CCE-3088-2 CCE-542 (1) enabled/disabled

CCE-3110-4 CCE-18 (1) enabled/disabled

CCE-3150-0 CCE-136 (1) enabled/disabled

CCE-3155-9 CCE-189 (1) set of paths

CCE-3036-1 CCE-942 (1) set of shares

CCE-3058-5 CCE-343

CCE-2993-4 CCE-233 (1) enabled/disabled

CCE-3139-3 CCE-775 (1) enabled/disabled

The "Do not allow storage of credentials or .NET Passports" policy should be set correctly.

The "Let Everyone permissions apply to anonymous users" policy should be set correctly.

The "Named Pipes that can be accessed anonymously" policy should be set correctly.

The "Remotely accessible registry paths" policy should be set correctly.

The "Shares that can be accessed anonymously" policy should be set correctly.

The "Sharing and security model for local accounts" policy should be set correctly.

(1) Classic/Guest only

The "Do not store LAN Manager hash value on next password change" policy should be set correctly.

The "Force logoff when logon hours expire" policy should be set correctly.

CCE-3156-7 CCE-674 (1) enabled/disabled

CCE-2799-5 CCE-766 (1) enabled/disabled

CCE-2795-3 CCE-621

CCE-2980-1 CCE-830 (1) time in seconds

CCE-3099-9 CCE-623 (1) enabled/disabled

CCE-2764-9 CCE-517 (1) time in seconds

CCE-3161-7 CCE-433 (1) enabled/disabled

CCE-2901-7 CCE-103 (1) enabled/disabled

CCE-3170-8 CCE-54 (1) enabled/disabled

The "Minimum session security for NTLM SSP based clients" policy should be set correctly.

The "Minimum session security for NTLM SSP based servers" policy should be set correctly.

Local volumes should be formatted correctly.

(1) type of formatting

The "Current user screensaver timeout" policy should be set correctly.

The "Default user screensaver" policy should be set correctly.

The "Default user screensaver timeout" policy should be set correctly.

The "Default user screensaver secure" policy should be set correctly.

The "Default user screensaver active" policy should be set correctly.

The "Current user screensaver" policy should be set correctly.

CCE-3064-3 CCE-221 (1) time in seconds

CCE-2526-2 CCE-235 (1) enabled/disabled

CCE-2174-1 CCE-287 (1) enabled/disabled

CCE-2552-8 CCE-736 (1) enabled/disabled

CCE-2830-8 CCE-261 (1) enabled/disabled

CCE-3094-0 CCE-415 (1) enabled/disabled

CCE-3011-4 CCE-107 (1) enabled/disabled

CCE-3020-5 CCE-256 (1) enabled/disabled

CCE-2293-9 CCE-662 (1) enabled/disabled

CCE-3068-4 CCE-424 (1) enabled/disabled

CCE-2826-6 CCE-455 (1) enabled/disabled

The "Current user screensaver timeout" policy should be set correctly.

The "Current user screensaver secure" policy should be set correctly.

The "Current user screensaver active" policy should be set correctly.

The "Always Install with Elevated Privileges" policy should be set correctly.

The "Set Safe for Scripting" policy should be set correctly.

The "Enable User Control Over Installs" policy should be set correctly.

The "Enable User to Use Media Source While Elevated" policy should be set correctly.

The "Allow Administrator to Install from Terminal Services Session" policy should be set correctly.

The "Enable User to Patch Elevated Products" policy should be set correctly.

The "Cache Transforms in Secure Location" policy should be set correctly.

The "Disable Media Player for automatic updates" policy should be set correctly.

CCE-3117-9 CCE-124 (1) enabled/disabled

CCE-2684-9 CCE-802 (1) enabled/disabled

CCE-2455-4 CCE-309 (1) enabled/disabled

CCE-2711-0 CCE-578 (1) enabled/disabled

CCE-2354-9 CCE-507 (1) enabled/disabled

CCE-3129-4 CCE-80

CCE-3028-8 CCE-401 (1) enabled/disabled

CCE-2407-5 CCE-824 (1) enabled/disabled

CCE-2808-4 CCE-190 (1) enabled/disabled

CCE-2949-6 CCE-855 (1) enabled/disabled

The "Prevent Codec Download" policy should be set correctly for Windows Media Player.

The "Do Not Allow Windows Messenger to be Run" policy should be set correctly.

The "Do Not Automatically Start Windows Messenger" policy should be set correctly.

The "Prohibit New Task Creation" policy should be set correctly for the Task Scheduler.

The "Limit Users to One Remote Session" policy should be set correctly for Terminal Services.

The "Limit Number of Connections" policy should be set correctly for Terminal Services.

(1) Maximum number of connections allowed

The "Do Not Allow New Client Connections" policy should be set correctly for Terminal Services.

The "Do Not Allow Local Administrators to Customize Permissions" policy should be set correctly for Terminal Services.

The "Remote Control Settings" policy should be set correctly for Terminal Services.

The "Always Prompt Client for Password upon Connection" policy should be set correctly for Terminal Services.

CCE-3116-1 CCE-397 (1) encryption level

CCE-2997-5 CCE-670 (1) enabled/disabled

CCE-2892-8 CCE-961 (1) enabled/disabled

CCE-2961-1 CCE-920

CCE-3124-5 CCE-123

CCE-2210-3 CCE-524 (1) enabled/disabled

CCE-2959-5 CCE-568 (1) enabled/disabled

CCE-3109-6 CCE-705 (1) enabled/disabled

CCE-3007-2 CCE-859 (1) enabled/disabled

CCE-3012-2 CCE-434 (1) enabled/disabled

The "Set Client connection Encryption Level" policy should be set correctly for Terminal Services.

The "Do not Use Temp folders per Session" policy should be set correctly for Terminal Services.

The "Do not Delete Temp folder on exit" policy should be set correctly for Terminal Services.

The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.

(1) Time Limit (minutes)

The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.

(1) Time limit (minutes)

The "Allow Reconnection from Original Client Only" policy should be set correctly for Terminal Services.

The "Terminate session when time limits are reached" policy should be set correctly for Terminal Services.

The "Enable Keep-Alive Messages" policy should be set correctly for Terminal Services.

The "Allow Solicited Remote Assistance" policy should be set correctly for Terminal Services.

The "Allow Unsolicited Remote Assistance" policy should be set correctly for Terminal Services.

CCE-3038-7 CCE-592 (1) enabled/disabled

CCE-3188-0 CCE-227 (1) enabled/disabled

CCE-2708-6 CCE-6

CCE-2803-5 CCE-37 (1) number of hours

CCE-3063-5 CCE-33 (1) number of days

CCE-3208-6 CCE-588

CCE-3107-0 CCE-383 (1) set of accounts

CCE-2737-5 CCE-304 (1) set of accounts

CCE-3010-6 CCE-458

CCE-2662-5 CCE-740

CCE-2917-3 CCE-22

CCE-3186-4 CCE-828 enabled/disabled

The "Enable Error Reporting" policy should be set correctly.

The "Enforce user logon restrictions" policy should be set correctly.

The "Maximum Service Ticket Lifetime" policy should be set correctly.

(1) number of minutes

The "Maximum User Ticket Lifetime" policy should be set correctly.

The "Maximum User Renewal Lifetime" policy should be set correctly.

The "Maximum tolerance for computer clock synchronization" policy should be set correctly.

(1) number of minutes

The "Create global objects" user right should be assigned to the correct accounts.

The "Impersonate a client after authentication" user right should be assigned to the correct accounts.

The "DCOM: Machine access Restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly.

The "DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax" security option should be set correctly.

The "Display user information when the session is locked" setting should be configured correctly.

The "Interactive logon: Require smart card" setting should be configured correctly.

CCE-2834-0 CCE-638

CCE-2992-6 CCE-647

CCE-2705-2 CCE-48

CCE-2723-5 CCE-572

CCE-2213-7 CCE-577

CCE-2239-2 CCE-872

CCE-2690-6 CCE-506 (1) list of accounts

CCE-2862-1 CCE-990 (1) list of accounts

CCE-3136-9 CCE-250 (1) list of accounts

The "Network access: Restrict anonymous access to named pipes and shares" setting should be configured correctly.

The "System cryptography: Force strong key protection for user keys stored on the computer" setting should be configured correctly.

The "System settings: optional subsystems" setting should be configured correctly.

The "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies" setting should be configured correctly.

MSS:(TCPMaxConnectResponseRetransmission) SYN-ACK retransmissions when a connection request is not acknowledged

(1) number of seconds

MSS:(TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted

(1) number of seconds

Membership in the Backup Operators group should be assigned to the appropriate accounts.

Membership in the Power Users group should be assigned to the appropriate accounts.

Membership in the Remote Desktop Users group should be assigned to the appropriate accounts.

CCE-3171-6 CCE-43

CCE-3047-8 CCE-167

CCE-3113-8 CCE-585

CCE-2756-5 CCE-484

CCE-3153-4 CCE-651

CCE-3184-9 CCE-303

CCE-2985-0 CCE-436

CCE-3236-7 CCE-774

CCE-3140-1 CCE-435

CCE-2301-0 CCE-950

CCE-3003-1 CCE-118

CCE-2716-9 CCE-624

CCE-3223-5 CCE-453

The Application Layer Gateway Service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Application Management service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Cryptographic Services service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The DHCP Client service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Distributed Link Tracking Client service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Distributed Transaction Coordinator service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The DNS Client service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Error Reporting Service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Event Log service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Help and Support service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Human Interface Device Access service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The IMAPI CD-Burning COM Service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Infrared Monitor service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

CCE-3245-8 CCE-72

CCE-3294-6 CCE-988

CCE-3073-4 CCE-891

CCE-3065-0 CCE-900

CCE-2840-7 CCE-671

CCE-3131-0 CCE-217

CCE-3122-9 CCE-768

CCE-3267-2 CCE-825

CCE-3056-9 CCE-472

CCE-3144-3 CCE-265

CCE-3289-6 CCE-759

CCE-3205-2 CCE-697

The IPSEC Services service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Logical Disk Manager service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Logical Disk Manager Administrative Service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The MS Software Shadow Copy Provider service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Network Connections service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Network Dynamic Data Exchange (DDE) service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Network DDE DDE Share Database Manager (DSDM) service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Network Location Awareness (NLA) service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The NT LM Security Support Provider service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Performance Logs and Alerts service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Portable Media Serial Number Service service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Protected Storage service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

CCE-3206-0 CCE-706

CCE-3104-7 CCE-750

CCE-3126-0 CCE-993

CCE-3148-4 CCE-164

CCE-2567-6 CCE-741

CCE-2823-3 CCE-172

CCE-3074-2 CCE-679

CCE-3219-3 CCE-102

CCE-3241-7 CCE-98

CCE-2831-6 CCE-1001

CCE-2835-7 CCE-772

CCE-2321-8 CCE-450

CCE-3274-8 CCE-665

The QoS RSVP service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Remote Access Connection Manager service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Remote Procedure Call (RPC) service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Remote Procedure Call (RPC) Locator service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Removable Storage service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Secondary Logon service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Security Accounts Manager service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Server service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Smart Card service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Smart Card Helper service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The System Event Notification service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The System Restore Service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The TCP/IP NetBIOS Helper service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

CCE-2811-8 CCE-428

CCE-3195-5 CCE-956

CCE-3221-9 CCE-366

CCE-2988-4 CCE-652

CCE-3146-8 CCE-538

CCE-3291-2 CCE-305

CCE-3256-5 CCE-851

CCE-2639-3 CCE-234

CCE-3159-1 CCE-890

CCE-3163-3 CCE-912

CCE-3203-7 CCE-815

CCE-2599-9 CCE-560

The Telephony service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Themes service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Uninterruptible Power Supply service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Upload Manager service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Volume Shadow Copy service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The WebClient service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Windows Audio service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Windows Image Acquisition (WIA) service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Windows Installer service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Windows Management Instrumentation service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Windows Management Instrumentation Driver Extensions service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Windows Time service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

CCE-2494-3 CCE-604

CCE-3265-6 CCE-745

CCE-2397-8 CCE-296

CCE-2683-1 CCE-511 (1) reg_dword

CCE-2956-1 CCE-145 (1) enabled/disabled

CCE-3273-0 CCE-423 (1) enabled/disabled

CCE-3154-2 CCE-806 (1) enabled/disabled

CCE-3194-8 CCE-969 (1) enabled/disabled

CCE-2828-2 CCE-502 (1) enabled/disabled

CCE-2476-0 CCE-771

CCE-3247-4 CCE-555 (1) enabled/disabled

CCE-3141-9 CCE-277 (1) enabled/disabled

CCE-3304-3 CCE-832

The Wireless Zero Configuration service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The WMI Performance Adapter service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

The Workstation service should be enabled or disabled as appropriate.

(1) disabled/manual/automatic

MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames.

RPC Endpoint Mapper Client Authentication (SP2 only)

Restrictions for Unauthenticated RPC clients (SP2 only)

Domain Profile: Protect all network connections (SP2 only)

Domain Profile: Do not allow exceptions (SP2 only)

Domain Profile: Allow local program exceptions

Domain Profile: Allow remote administration

(1) enabled/disabled (2) subnets for internal support only

Domain Profile: Allow file and printer sharing exception (SP2 only)

Domain Profile: Allow ICMP exceptions (SP2 only)

Domain Profile: Allow Remote Desktop exception (SP2 only)

(1) enabled/disabled (2) subnets for internal support only

CCE-3176-5 CCE-590 (1) enabled/disabled

CCE-3198-9 CCE-762 (1) enabled/disabled

CCE-2965-2 CCE-251 (1) enabled/disabled

CCE-2923-1 CCE-793 (1) File path

CCE-2958-7 CCE-57 (1) Size limit (KB)

CCE-3090-8 CCE-617 (1) enabled/disabled

CCE-2972-8 CCE-696 (1) enabled/disabled

CCE-2866-2 CCE-114 (1) enabled/disabled

Domain Profile: Allow UPnP framework exception (SP2 only)

The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Domain Profile.

The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Domain Profile.

The log file path and name for the Windows Firewall should be configured correctly for the Domain Profile.

The log file size limit for the Windows Firewall should be configured correctly for the Domain Profile.

The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Domain Profile.

Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Domain Profile.

Domain Profile: Define port exceptions (SP2 only)

CCE-3258-1 CCE-370 (1) enabled/disabled

CCE-3284-7 CCE-273 (1) enabled/disabled

CCE-3179-9 CCE-440 (1) enabled/disabled

CCE-3183-1 CCE-352 (1) enabled/disabled

CCE-2954-6 CCE-467 (1) enabled/disabled

CCE-3262-3 CCE-626 (1) enabled/disabled

CCE-3081-7 CCE-797

CCE-3213-6 CCE-354 (1) enabled/disabled

CCE-3235-9 CCE-266 (1) enabled/disabled

CCE-3134-4 CCE-901 (1) enabled/disabled

CCE-3280-5 CCE-945 (1) enabled/disabled

CCE-3174-0 CCE-609 (1) file path

Domain Profile: Allow local port exceptions (SP2 only)

Standard Profile: Protect all network connections (SP2 only)

Standard Profile: Do not allow exceptions (SP2 only)

Standard Profile: Allow local program exceptions (SP2 only)

Standard Profile: Allow remote administration exception (SP2 only)

Standard Profile: Allow file and printer sharing exception (SP2 only)

Standard Profile: Allow ICMP exceptions (SP2 only)

(1) enabled/ Allow outbound source quench, Allow inbound echo request, Allow outbound packet too big

Standard Profile: Allow Remote Desktop exception (SP2 only)

Standard Profile: Allow UPnP framework exception (SP2 only)

The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Standard Profile.

The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Standard Profile.

The log file path and name for the Windows Firewall should be configured correctly for the Standard Profile.

CCE-3055-1 CCE-160 (1) Size limit (KB)

CCE-2707-8 CCE-962 (1) enabled/disabled

CCE-3103-9 CCE-632 (1) enabled/disabled

CCE-3231-8 CCE-196 (1) enabled/disabled

CCE-2989-2 CCE-77 (1) enabled/disabled

CCE-3037-9 CCE-530 (1) enabled/disabled

CCE-2856-3 CCE-301

CCE-4952-8 CCE-1225

CCE-5194-6 CCE-86 enabled/disabled

CCE-5022-9 CCE-241 enabled/disabled

CCE-5136-7 CCE-259 enabled/disabled

The log file size limit for the Windows Firewall should be configured correctly for the Standard Profile.

The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Standard Profile.

Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Standard Profile.

Standard Profile: Define port exceptions (SP2 only)

Standard Profile: Allow local port exceptions (SP2 only)

The startup type of the Internet Connection Firewall service should be correct.

Restricted Groups have been set on the system

(1) Group enumeration

The required permissions for the file %SystemRoot%\System32\mshta.exe should be assigned.

(1) set of accounts (2) list of permissions (3) applicability

The startup type of Microsoft Peer-to-Peer Networking Services should be configured correctly.

The "Prohibit use of Internet Connection Firewall on your DNS domain network" setting should be configured correctly.

The "Display Error Notification" setting should be configured correctly.

CCE-4665-6 CCE-365 enabled/disabled

CCE-5053-4 CCE-584

CCE-5054-2 CCE-858 enabled/disabled

CCE-5200-1 CCE-887

CCE-4953-6 CCE-263 enabled/disabled

CCE-4707-6 CCE-1055 enabled/disabled

CCE-5099-7 CCE-691

CCE-5121-9 CCE-1064 enabled/disabled

CCE-4513-8 CCE-852 Turn off printing over HTTP

CCE-4641-7 CCE-88 enabled/disabled

The "Internet Explorer Maintenance Policy Processing - Allow processing across a slow network connection" setting should be configured correctly.

Group Policy - Registry policy processing

The "Turn Off Automatic Root Certificates Update" setting should be configured correctly.

Turn off downloading of print drivers over HTTP

The "Turn Off Event Viewer 'Events.asp' Links" setting should be configured correctly.

The "Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com" setting should be configured correctly.

Turn off Internet download for Web publishing and online ordering wizards

The "Turn Off Internet File Association Service" setting should be configured correctly.

The "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting should be configured correctly.

CCE-5055-9 CCE-818

CCE-5072-4 CCE-375 enabled/disabled

CCE-4887-6 CCE-1009 enabled/disabled

CCE-4224-2 CCE-722

CCE-4242-4 CCE-1040 enabled/disabled

CCE-4732-4 CCE-1062 enabled/disabled

CCE-4997-3 CCE-93 enabled/disabled

CCE-5014-6 CCE-927

CCE-5032-8 CCE-583

CCE-5160-7 CCE-1020 enabled/disabled

CCE-4262-2 CCE-474 enabled/disabled

Turn off Search Companion content file updates

The "Turn Off the 'Order Prints' Picture Task" setting should be configured correctly.

The "Turn off the 'Publish to Web' task for files and folders" setting should be configured correctly.

Turn off the Windows Messenger Customer Experience Improvement Program

The "Turn Off Windows Movie Maker Automatic Codec Downloads" setting should be configured correctly.

The "Turn Off Windows Movie Maker Online Web Links" setting should be configured correctly.

The "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting should be configured correctly.

Turn off Windows Update device driver searching

Logon - Do not process the run once list

The "Don't Display the Getting Started Welcome Screen at Logon" setting should be configured correctly.

The "Prevent IIS Installation" setting should be configured correctly.

CCE-4581-5 CCE-767 enabled/disabled

CCE-4849-6 CCE-976

CCE-4270-5 CCE-480 enabled/disabled

CCE-5025-2 CCE-612 enabled/disabled

CCE-4791-0 CCE-1140 enabled/disabled

CCE-4482-6 CCE-313 enabled/disabled

CCE-4500-5 CCE-949 (1) enabled/disabled

CCE-4390-1 CCE-509

CCE-4412-3 CCE-12

CCE-5042-7 CCE-58

CCE-5059-1 CCE-372

The "Turn off downloading of enclosures" setting should be configured correctly.

The "Do not allow passwords to be saved" setting should be configured correctly for Terminal Services.

The "Turn off shell protocol protected mode" setting should be configured correctly.

The "Prohibit non-administrators from applying vendor signed updates" setting should be configured correctly.

The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly.

The "Prevent Desktop Shortcut Creation" setting for Windows Media Player should be configured correctly.

The "Current user screensaver secure" policy should be set correctly.

Prompt for password on resume from hibernate/suspend should be set correctly.

Do not preserve zone information in file attachments should be set correctly.

Hide mechanisms to remove zone information should be set correctly.

Notify antivirus programs when opening attachments should be set correctly.

CCE Technical Mechanisms

(1) defined by the object's SACL

?

(1) defined by the object's SACL

?

(1) defined by the object's SACL

?

(1) defined by the object's DACL

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

DISA Gold Disk for WXP

File Auditing - Must Have ACE (CID:269)

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

System Drive ACL (CID:2000)

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

Driver.cab ACL (CID:4083)

(1) defined by the object's DACL

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

(1) defined by the object's DACL

?

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

regedit.exe ACL (CID:2001)

arp.exe ACL (CID:2002)

at.exe ACL (CID:2003)

attrib.exe ACL (CID:2004)

cacls.exe ACL (CID:2005)

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

Eventlog ACL (CID:225)

debug.exe ACL (CID:2006)

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL ftp.exe ACL (CID:2

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

edlin.exe ACL (CID:2007)

eventcreate.exe ACL (CID:2008)

eventtriggers.exe ACL (CID:2009)

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

nbtstat.exe ACL (CID:2011)

net.exe ACL (CID:2012)

net1.exe ACL (CID:2013)

netsh.exe ACL (CID:2014)

netstat.exe ACL (CID:2015)

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

nslookup.exe ACL (CID:2016)

ntbackup.exe ACL (CID:2017)

rcp.exe ACL (CID:2018)

reg.exe ACL (CID:2019)

regedt32.exe ACL (CID:2020)

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

?

regini.exe ACL (CID:2021)

regsvr32.exe ACL (CID:2022)

rexec.exe ACL (CID:2023)

route.exe ACL (CID:2024)

rsh.exe ACL (CID:2025)

sc.exe ACL (CID:2026)

secedit.exe ACL (CID:2027)

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

subst.exe ACL (CID:2028)

systeminfo.exe ACL (CID:2029)

telnet.exe ACL (CID:2030)

tftp.exe ACL (CID:2031)

tlntsvr.exe ACL (CID:2032)

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

Winreg ACL (CID:237)

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

(1) defined by the object's DACL

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

SNMP - Permitted Managers (CID:1033)

SNMP Communities (CID:4046)

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the object's DACL

?

(1) defined by the SeDenyNetworkLogonRight setting in Local or Group Policy

User Right Check deny access from network (CID:162)

(1) defined by the SeNetworkLogonRight setting in Local or Group Policy

User Right Check Logon on network (CID:152)

(1) defined by the SeTcbPrivilege setting in Local or Group Policy

User Right Check act as OS (CID:153)

(1) defined by the SeBackupPrivilege setting in Local or Group Policy

User Right Check Backup (CID:155)

(1) defined by the SeChangeNotifyPrivilege setting in Local or Group Policy

User Right Check Bypass Traverse Checking (CID:156)

(1) defined by the SeSystemTimePrivilege setting in Local or Group Policy

User Right Check change system time (CID:157)

(1) defined by the SeCreatePagefilePrivilege setting in Local or Group Policy

User Right Check create pagefile (CID:158)

(1) defined by the SeCreateTokenPrivilege setting in Local or Group Policy

User Right Check create token object (CID:159)

(1) defined by the SeCreatePermanentPrivilege setting in Local or Group Policy

User Right Check create permanent shared objects (CID:160)

(1) defined by the SeDebugPrivilege setting in Local or Group Policy

User Right Check debug programs (CID:161)

(1) defined by the SeRemoteShutdownPrivilege setting in Local or Group Policy

User Right Check remote shutdown (CID:165)

(1) defined by the SeAuditPrivilege setting in Local or Group Policy

User Right Check generate security audits (CID:173)

(1) defined by the SeIncreaseQuotaPrivilege setting in Local or Group Policy

User Right Check increase quotas (CID:166)

(1) defined by the SeIncreaseBasePriorityPrivilege setting in Local or Group Policy

User Right Check increase scheduling priority (CID:167)

(1) defined by the SeLoadDriverPrivilege setting in Local or Group Policy

User Right Check load and unload device drivers (CID:168)

(1) defined by the SeLockMemoryPrivilege setting in Local or Group Policy

User Right Check lock pages in memory (CID:169)

(1) defined by the SeBatchLogonRight setting in Local or Group Policy

User Right Check log on as a batch job (CID:170)

(1) defined by the SeServiceLogonRight setting in Local or Group Policy

User Right Check log on as a service job (CID:171)

?

(1) defined by the SeInteractiveLogonRight setting in Local or Group Policy

User Right Check log on locally (CID:172)

(1) defined by the SeSecurityPrivilege setting in Local or Group Policy

(1) defined by the SeSystemEnvironmentPrivilege setting in Local or Group Policy

User Right Check modify firmware (CID:174)

(1) defined by the SeProfileSingleProcessPrivilege setting in Local or Group Policy

User Right Check Profile single process (CID:175)

(1) defined by the SeSystemProfilePrivilege setting in Local or Group Policy

User Right Check Profile system performance (CID:176)

(1) defined by the SeUndockPrivilege setting in Local or Group Policy

User Right Check undock (CID:177)

(1) defined by the SeAssignPrimaryTokenPrivilege setting in Local or Group Policy

User Right replace process token (CID:178)

(1) defined by the SeRestorePrivilege setting in Local or Group Policy

User Right restore (CID:179)

(1) defined by the SeShutdownPrivilege setting in Local or Group Policy

User Right shut down (CID:180)

(1) defined by the SeTakeOwnershipPrivilege setting in Local or Group Policy

User Right take ownership (CID:182)

(1) defined by the SeSynchAgentPrivilege setting in Local or Group Policy

User Right synch directory (CID:181)

?

?

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by the SeDenyInteractiveLogonRight setting in Local or Group Policy

User Right Check deny logon locally (CID:163)

(1) defined by the SeEnableDelegationPrivilege setting in Local or Group Policy

User Right Check allow trust for delegation (CID:164)

(1) defined by the SeMachineAccountPrivilege setting in Local or Group Policy

User Right Check Add wkstn to domain (CID:154)

(1) defined by the SeRemoteInteractiveLogonRight setting in Local or Group Policy

User Right allow logon terminal service (CID:737)

(1) defined by the SeDenyBatchLogonRight setting in Local or Group Policy

(1) defined by the SeDenyServiceLogonRight setting in Local or Group Policy

(1) defined by the SeDenyRemoteInteractiveLogonRight setting in Local or Group Policy

User Right deny logon terminal service (CID:738)

(1) defined by the SeManageVolumePrivilege setting in Local or Group Policy

User Right perform volume maintenance (CID:739)

Lockout Reset (CID:45)

Lockout Duration (CID:44)

Lockout Count (CID:43)

Account logon auditing (CID:49)

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

?

(1) defined by Local or Group Policy

?

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

Account logon auditing (CID:49)

Account management auditing (CID:51)

Account management auditing (CID:51)

logon auditing (CID:53)

logon auditing (CID:53)

object access auditing (CID:55)

object access auditing (CID:55)

policy change auditing (CID:56)

policy change auditing (CID:56)

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

?

(1) defined by Local or Group Policy

?

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

priv use auditing (CID:58)

priv use auditing (CID:58)

system event auditing (CID:59)

system event auditing (CID:59)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy

Anonymous Access to the Security Event Log value (CID:479)

(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\MaxSize

Application log size (CID:82)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy

Application log retention (CID:85)

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\RestrictGuestAccess (2) defined by Group Policy

Anonymous Access to the Security Event Log value (CID:477)

(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MaxSize

Security log size (CID:80)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy

Security log retention (CID:83)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\RestrictGuestAccess (2) defined by Group Policy

Anonymous Access to the Security Event Log value (CID:482)

(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\MaxSize

System log size (CID:81)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy

System log retention (CID:84)

Maximum Password Age (CID:40)

Minimum Password Age (CID:41)

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

?

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

?

?

?

?

Password Length (CID:39)

Password History (CID:42)

Reversible Pwd Encryption (CID:232)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Computer Browser Disabled (CID:22)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Fast User Switching Compatibility Disabled (CID:729)

?

?

?

?

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Internet Information System Installed - IIS Admin (CIS:4066)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Windows Messenger Internet Access (CIS:4036)

(1) defined by the Services Administrative Tool (2) defined by Group Policy

.NET Framework service (CIS:4035)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

NetMeeting Remote Desktop Sharing Disabled (CIS:730)

(1) defined by the Services Administrative Tool (2) defined by Group Policy

Print Services for Unix Service (CIS:4031)

(1) defined by the Services Administrative Tool (2) defined by Group Policy

Remote Access Auto Connection Manager Disabled (CIS:731)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Remote Desktop Help Session Manager Disabled (CIS:732)

?

?

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Routing and Remote Access Disabled (CIS:733)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RshSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Remote Shell Service (CIS:24)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SIMPTCP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Simple TCP/IP Service (CIS:25)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Management and Monitoring Tools Installed - SNMP Service (CIS:4071)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Management and Monitoring Tools Installed - SNMP Trap (CIS:4072)

(1) defined by the Services Administrative Tool (2) defined by Group Policy

SSDP Discovery Service Disabled (CIS:734)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Task Scheduler Check (CIS:28)

?

?

?

?

?

?

?

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

23 - Telnet Disabled (CIS:23)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Terminal Services Disabled (CIS:735)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy

Internet Information System Installed - World Wide Web Publishing (CIS:4067)

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

?

?

?

?

?

?

?

?

(1) set via Security Templates (2) defined by Group Policy

File Shares (CIS:230)

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

Printer ACL (CIS:229)

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

?

?

?

?

?

?

?

?

?

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

(1) set via Security Templates (2) defined by Group Policy

?

?

(1) Local Users and Groups MMC

(1) Local Users and Groups MMC

?

?

?

?

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (2) defined by Local or Group Policy

Restrict Anonymous value (CIS:97)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AnonymousNameLookup (2) defined by Local or Group

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application

Anon Access to Application log (CIS:78)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System

Anon Access to Security log (CIS:79)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

Anon Access to System log (CIS:77)

Guest Account Disabled (CIS:29)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks

?

?

?

?

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto

CIS: Automatic Execution of the System Debugger value (CIS:749)

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon

Admin Autologon password values not exist: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword; Admin Autologon Value: HKEY_LOCAL_MACHINE\*\AutoAdminLogon (CIS:188, 189)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot

CIS: Disable Reboot After Crash value (CID:755)

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

Autoplay value (CID:103)

(1) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

(1) HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun

Disable Media Autoplay (HKEY_USER-.Default hive) Value (CID:752)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDrom\Autorun

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect

?

?

?

?

?

?

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt

CIS: Enable IPSec security for Kerberos RSVP Traffic value (CID:758)

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\CreateCrashDump

CIS: Allow Dr. Watson Crash Dumps value (CID:746)

(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden

CIS: Hide computer Name from other domain controllers value (CID:761)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen

?

?

?

?

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\WarningLevel

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\DisableSavePassword

Disable saving of dial up password (CID:105)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\SafeDllSearchMode

Safe DLL Search Mode value (CID:774)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy

Always Wait for the Network at Computer Startup and Logon (CID:927)

(1) defined by Local or Group Policy

?

(1) defined by Local or Group Policy

(1) defined by Local or Group Policy

?

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\DeleteRoamingCache

Cached Profiles value (CID:93)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system\LogonType

Always Use Classic Logon (CID:924)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Policies\system\DisableBkGndGroupPolicy

Turn Off Background Refresh of Group Policy (CID:930)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI

Internet Connection Sharing (CID:942)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA

Prohibit Installation and Configuration of Network Bridge on the DNS Domain Network (CID:945)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\KMPrintersAreBlocked

Disallow Installation of Printers Using Kernel-mode Drivers (CID:948)

Administrator Account Renamed (CID:30)

Guest Account Renamed (CID:31)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect (2) defined by Local or Group Policy

Amount of idle time before disconnecting value (CID:213)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects (2) defined by Local or Group Policy

?

?

?

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel (2) defined by Local or Group Policy

LMCompatibility Value (CID:123)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers (2) defined by Local or Group Policy

Print Driver Installation value (CID:99)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel (2) defined by Local or Group Policy

Recovery Console Autologon value (CID:117)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand (2) defined by Local or Group Policy

Recovery Console Full Access Value (CID:119)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies (2) defined by Local or Group Policy

Floppy Allocation (CID:89)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode (2) defined by Local or Group Policy

Strength permissions on GSO value (CID:204)

?

?

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (2) defined by Local or Group Policy

Domain member: Require strong (Windows 2000 or later) session key value (CID:770)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword (2) defined by Local or Group Policy

Send unencrypted password to 3rd party SMB value (CID:207)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing\Policy (2) defined by Local or Group Policy

Unsigned Driver Behavior Value (CID:127)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning (2) defined by Local or Group Policy

Password Expiration value (CID:199)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail (2) defined by Local or Group Policy

Crash on audit fail Value (CID:121)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon (2) defined by Local or Group Policy

Shutdown before logon Check (CID:217)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown (2) defined by Local or Group Policy

Clear Pagefile value (CID:101)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy

Enable Security Signature Value (CID:113)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy

?

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (2) defined by Local or Group Policy

Logon Caching value (CID:91)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD (2) defined by Local or Group Policy

NTFS Media Ejection value (CID:2010)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal (2) defined by Local or Group Policy

Digitally encrypt or sign secure channel data (always) value (CID:743)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy

Sign Secure Channel Traffic Value (CID:109)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy

Sign Secure Channel Traffic Value (CID:107)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption (2) defined by Local or Group Policy

Smart Card Removal Behavior Value (CID:125)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange (2) defined by Local or Group Policy

Disable password change Value (CID:111)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy (2) defined by Local or Group Policy

Use FIPS compliant algorithms for encryption, hashing, and signing (CID:804)

?

(1) defined by Local or Group Policy

?

(1) defined by Local or Group Policy

?

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner (2) defined by Local or Group Policy

Default owner for objects created by members of the Administrators group (CID:807)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive (2) defined by Local or Group Policy

System Object: Require Case Insensitivity for Non-Windows Subsystems (CID:810)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse (2) defined by Local or Group Policy

Limit Blank Passwords value (CID:764)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity (2) defined by Local or Group Policy

LDAP client signing requirements (CID:795)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge (2) defined by Local or Group Policy

Accounts: Maximum machine account password age value (CID:767)

(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon (2) defined by Local or Group Policy

Domain Controller Authentication to Unlock Workstation Value (CID:777)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff (2) defined by Local or Group Policy

Automatically log off user when logon time expires value (CID:210)

?

?

?

(1) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds (2) defined by Local or Group Policy

Do not allow storage of credentials or .NET Passports for network authentication value (CID:780)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous (2) defined by Local or Group Policy

Let Everyone permissions apply to anonymous users Value (CID:783)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPathsHKLM (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares (2) defined by Local or Group Policy

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest (2) defined by Local or Group Policy

Sharing and security model for local accounts Value (CID:786)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash (2) defined by Local or Group Policy

Do not store LAN Manager hash value on next password change (CID:789)

Logon Time Enforcement (CID:46)

(1) Disk Management MMC

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec (2) defined by Local or Group Policy

Minimum session security for NTLM SSP based clients (CID:798)

(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec (2) defined by Local or Group Policy

Minimum session security for NTLM SSP based servers (CID:801)

Non-NTFS Partition (CID:10)

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut

(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\SCRNSAVE.EXE

Default user scrnsave.exe (CID:67)

(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaveTimeOut

Default user screensaver timeout (CID:68, 71)

(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaverIsSecure

Default user screensaver secure (CID:69)

(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaveActive

Default user screensaver active (CID:70)

(1) HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE

Current user scrnsave.exe (CID:76)

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut

Current user screensaver timeout (CID:74)

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure

Current user screensaver secure (CID:72)

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive

Current user screensaver active (CID:73)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

Always Install with Elevated Privileges (CID:888)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\SafeForScripting\

Disable IE Security Prompt for Windows Installer Scripts (CID:891)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableUserControl

Enable User Control Over Installs (CID:894)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownMedia

Enable User to Use Media Source While Elevated (CID:900)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableAdminTSRemote

Allow Admin to Install from Terminal Services Session (CID:906)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownPatch

Enable User to Patch Elevated Products (CID:903)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\TransformSecure

Cache Transforms in Secure Location on Workstation (CID:908)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer\DisableAutoupdate

Disable Media Player for XP automatic Updates (CID:912)

(1) HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer\PreventCodecDownload

951 - Prevent Codec Download

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventRun

Do Not Allow Windows Messenger to be Run (CID:915)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventAutoRun

918 - Do Not Automatically Start Windows Messenger Initially

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Task Creation

Prohibit New Task Creation (CID:843)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fSingleSessionPerUser

Limit Users to One Remote Session (CID:849)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxInstanceCount

Limit Number of Connections (CID:852)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections

Do Not Allow New Client Connections (CID:855)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fWritableTSCCPermTab

Do Not Allow Local Administrators to Customize (CID:858)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow

Remote Control Settings (CID:861)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword

Always Prompt Client for Password upon Connection (CID:864)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel

Set Client Connection Encryption (CID:867)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir

Do Not Use Temp Folders per Session (CID:870)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\DeleteTempDirsOnExit

Do Not Delete Temp Folder upon Exit (CID:873)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime

Set Time Limit for Disconnected Sessions (CID:876)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime

Set Time Limit for Idle Sessions (CID:879)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fReconnectSame

Allow Reconnection from Original Client Only (CID:882)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fResetBroken

Terminate Session When Time Limits are Reached (CID:885)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveEnable

Keep-Alive Messages (CID:846)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp

Solicited Remote Assistance (CID:933)

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited

Unsolicited Remote Assistance (CID:936)

?

?

?

?

?

(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting\DoReport

Report Errors (CID:939)

(1) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SCForceOption

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions

(1) defined by the Services Administrative Tool (2) definied by Group Policy

(1) defined by the Services Administrative Tool (2) definied by Group Policy

(1) defined by the Services Administrative Tool (2) definied by Group Policy

(1) defined by the Services Administrative Tool (2) definied by Group Policy

(1) defined by the Services Administrative Tool (2) definied by Group Policy

(1) defined by the Services Administrative Tool (2) definied by Group Policy

(1) defined by the Services Administrative Tool (2) definied by Group Policy

(1) defined by the Services Administrative Tool (2) definied by Group Policy

(1) defined by the Services Administrative Tool (2) definied by Group Policy

(1) defined by the Services Administrative Tool (2) definied by Group Policy

(1) defined by the Services Administrative Tool (2) definied by Group Policy

(1) defined by the Services Administrative Tool (2) definied by Group Policy

(1) defined by the Services Administrative Tool (2) definied by Group Policy

(1) defined by the Services Administrative Tool (2) definied by Group Policy

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC\EnableAuthEpResolution

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC\RestrictRemoteClients

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\AllowUserPrefMerge

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Enabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\FileAndPrint\Enabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\RemoteDesktop\Enabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\UPnPFramework\Enabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log Dropped Packets

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogFilePath (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log file path and name (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging\Name

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogFileSize (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Size limit (KB)

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogSuccessfulConnections (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log successful connections

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableUnicastResponsesToMulticastBroadcast

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\AllowUserPrefMerge

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\AllowUserPrefMerge

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop\Enabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ICMPSettings\*

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop\Enabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\UPnPFramework\Enabled

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications

(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow Logging - Log Dropped Packets

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogFilePath

(1) defined by the object's DACL

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogFileSize

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogSuccessfulConnections

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableUnicastResponsesToMulticastBroadcast

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\AllowUserPrefMerge

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy

(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Disabled

GPO Setting: Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network

GPO Settings: Computer Configuration\Administrative Templates\System\Error Reporting\Display Error Notification, Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Display Error Notification

GPO Setting: Computer Configuration\Administrative Templates\System\Group Policy\Internet Explorer Maintenance Policy Processing

(1) Computer Configuration\Administrative Templates\System\Group Policy (2)HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoGPOListChanges

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate

(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer\MicrosoftEventVwrDisableLinks

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard\ExitOnMSICW

(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith

(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control\NoRegistration

(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\SearchCompanion!DisableContentFileUpdates

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard

(2)[HKEY_LOCAL_MACHINE | HKEY_CURRENT_USER] \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard

(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Messenger\Client!CEIP

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\CodecDownload

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\WebHelp

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\WebPublish

(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchWindowsUpdate

(1) Computer Configuration\Administrative Templates\System\Logon (2)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableLocalMachineRunOnce

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWelcomeScreen

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\IIS\PreventIISInstall

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload

(1) Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection (2)HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DisablePasswordSaving

(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior

(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\DisableLUAPatching

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes

GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Prevent Desktop Shortcut Creation

(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure

(1) User Configuration\Administrative Templates\System\Power Management (2) HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Power\PromptPasswordOnResume

(1) User Configuration\Administrative Templates\System\Attachment Manager (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation

(1) User Configuration\Administrative Templates\System\Attachment Manager (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\HideZoneInfoOnProperties

(1) User Configuration\Administrative Templates\System\Attachment Manager (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus

4.4.3.1 %SystemDrive%

%AllUsersProfile%

NSA Security Guide for WXP (NSA-XP-C44-026-02.pdf)

CIS WXP Pro Benchmark v1.3

CIS WXP Pro Benchmark v2.01 (CIS_WindowsXP_Benchmark_v2.01.pdf)

4.4.3.2 HKEY_LOCAL_MACHINE\Software

4.4.3.3 HKEY_LOCAL_MACHINE\System

%AllUsersProfile%\Application Data

%AllUsersProfile%\Application Data\Microsoft

%AllUsersProfile%\Application Data\Microsoft\Crypto\DSSHKLMKeys

%AllUsersProfile%\DRM

%ProgramFiles%

%SystemDrive%

4.4.1.1 %SystemDrive%

%AllUsersProfile%\Application Data\Microsoft\Crypto\RSAHKLMKeys

%AllUsersProfile%\Application Data\Microsoft\Dr Watson

%AllUsersProfile%\Application Data\Microsoft\Dr Watson\drwtsn32.log

%AllUsersProfile%\Application Data\Microsoft\HTML Help

%AllUsersProfile%\Application Data\Microsoft\Media Index

%AllUsersProfile%\Documents\desktop.ini

%SystemDrive%\io.sys

%SystemDrive%\ntldr

%SystemDrive%\autoexec.bat

%SystemDrive%\config.sys

%SystemDrive%\Documents and Settings

%SystemDrive%\Documents and Settings\Administrator

%SystemDrive%\Documents and Settings\Default User

%SystemDrive%\msdos.sys

%SystemDrive%\ntbootdd.sys

%SystemDrive%\ntdetect.com

%SystemRoot%

%SystemRoot%\CSC

%SystemRoot%\Debug

%SystemRoot%\Installer

%SystemRoot%\Prefetch

%SystemDrive%\System Volume Information

%SystemRoot%\$NtServicePackUninstall$

%SystemRoot%\Debug\UserMode

%SystemRoot%\Debug\UserMode\userenv.log

%SystemRoot%\Offline Web Pages

%SystemRoot%\repair

%SystemRoot%\security

%SystemRoot%\Temp

%SystemRoot%\system32

%SystemRoot%\regedit.exe

4.4.1.17 %SystemRoot%\regedit.exe

%SystemRoot%\Registration

%SystemRoot%\Registration\CRMLog

%SystemRoot%\system32\arp.exe

%SystemRoot%\system32\at.exe

4.4.1.2 %SystemRoot%\system32\at.exe

4.4.1.3 %SystemRoot%\system32\attrib.exe

4.4.1.4 %SystemRoot%\system32\cacls.exe

%SystemRoot%\system32\ciadv.msc

%SystemRoot%\system32\Com\comexp.msc

%SystemRoot%\system32\compmgmt.msc

%SystemRoot%\system32\config

4.4.1.5 %SystemRoot%\system32\debug.exe

%SystemRoot%\system32\devmgmt.msc

%SystemRoot%\system32\dfrg.msc

%SystemRoot%\system32\diskmgmt.msc

%SystemRoot%\system32\dllcache

4.4.1.6 %SystemRoot%\system32\drwatson.exe

4.4.1.7 %SystemRoot%\system32\drwtsn32.exe

4.4.1.8 %SystemRoot%\system32\edlin.exe

4.4.1.9 %SystemRoot%\system32\eventcreate.exe

4.4.1.10 %SystemRoot%\system32\eventtriggers.exe

%SystemRoot%\system32\eventvwr.msc

%SystemRoot%\system32\fsmgmt.msc

4.4.1.11 %SystemRoot%\system32\ftp.exe

%SystemRoot%\system32\gpedit.msc

%SystemRoot%\system32\Group Policy

%SystemRoot%\system32\ias

%SystemRoot%\system32\lusrmgr.msg

%SystemRoot%\system32\MSDTC

%SystemRoot%\system32\nbstat.exe

4.4.1.12 %SystemRoot%\system32\net.exe

4.4.1.13 %SystemRoot%\system32\net1.exe

%SystemRoot%\system32\netsh.exe

4.4.1.14 %SystemRoot%\system32\netsh.exe

%SystemRoot%\system32\netstat.exe

%SystemRoot%\system32\nslookup.exe

%SystemRoot%\system32\Ntbackup.exe

%SystemRoot%\system32\NTMSData

%SystemRoot%\system32\ntmsoprq.msc

%SystemRoot%\system32\ntmsmgr.msc

%SystemRoot%\system32\perfmon.msc

%SystemRoot%\system32\rcp.exe

4.4.1.15 %SystemRoot%\system32\rcp.exe

%SystemRoot%\system32\reg.exe

4.4.1.16 %SystemRoot%\system32\reg.exe

%SystemRoot%\system32\regedt32.exe

4.4.1.18 %SystemRoot%\system32\regedt32.exe

%SystemRoot%\system32\regini.exe

4.4.1.19 %SystemRoot%\system32\regsvr32.exe

%SystemRoot%\system32\rexec.exe

4.4.1.20 %SystemRoot%\system32\rexec.exe

%SystemRoot%\system32\route.exe

%SystemRoot%\system32\rsh.exe

4.4.1.21 %SystemRoot%\system32\rsh.exe

%SystemRoot%\system32\RSoP.msc

4.4.1.22 %SystemRoot%\system32\runas.exe

4.4.1.23 %SystemRoot%\system32\sc.exe

%SystemRoot%\system32\secedit.exe

%SystemRoot%\system32\secpol.msc

%SystemRoot%\Tasks

%SystemRoot%\system32\services.msc

%SystemRoot%\system32\Setup

%SystemRoot%\system32\spool\Printers

4.4.1.24 %SystemRoot%\system32\subst.exe

%SystemRoot%\system32\systeminfo.exe

4.4.1.25 %SystemRoot%\system32\telnet.exe

%SystemRoot%\system32\tftp.exe

4.4.1.26 %SystemRoot%\system32\tftp.exe

4.4.1.27 %SystemRoot%\system32\tlntsvr.exe

%SystemRoot%\system32\wmimgmt.msc

4.4.2.1 HKLM\Software

HKEY_LOCAL_MACHINE\SOFTWARE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC

4.4.2.9 HKLM\Software\Microsoft\MSDTC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security\XAKey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib

4.4.2.4 HKLM\System

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit

4.4.2.11 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer

4.4.2.2 HKLM\Software\Microsoft\Windows\CurrentVersion\Installer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

4.4.2.3 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings

4.4.2.8 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony

HKEY_LOCAL_MACHINE\SYSTEM

HKEY_LOCAL_MACHINE\SYSTEM\clone

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wmi\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum

4.4.2.5 HKLM\System\CurrentControlSet\Enum

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ersvc\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRENUM\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netdde\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netddedsdm\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpcss\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scarddrv\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scardsvr\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers

4.4.2.6 HKLM\System\CurrentControlSet\Services\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities

4.4.2.7 HKLM\System\CurrentControlSet\Services\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stisvc\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tapisrv\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32time\Security

HKEY_USER\.DEFAULT

4.2.8 Change the system time

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi\Security

HKEY_USER\.DEFAULT\Software\Microsoft\NetDDE

HKEY_USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

4.4.2.10 HKEY_USER\.Default\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

Deny access to this computer from the network: Not Defined

4.2.13 Deny access to this computer from the network

Access this computer from a network: Administrators, Users

4.2.1 Access this computer from the network

Act as part of the operating system

4.2.2 Act as part of the operating system

Back up files and directories: Administrators

4.2.6 Back up files and directories

Bypass traverse checking: Users

4.2.7 Bypass traverse checking

Change the system time: Administrators

4.2.9 Create a pagefile

4.2.10 Create a token object

Debug programs: No One

4.2.12 Debug Programs

4.2.23 Lock pages in memory

4.2.24 Log on as a batch job

4.2.25 Log on as a service

Create a pagefile: Administrators

Create a token object: No One

Create permanent shared objects: No One

4.2.11 Create permanent shared objects

Force shutdown from a remote system: Administrators

4.2.19 Force shutdown from a remote system

Generate security audits: LOCAL SERVICE, NETWORK SERVICE

4.2.20 Generate security audits

Adjust memory quotas for a process: Administrators,NETWORK SERVICE, LOCAL SERVICE

4.2.4 Adjust memory quotas for a process

Increase scheduling priority: Administrators

4.2.21 Increase scheduling priority

Load and unload device drivers: Administrators

4.2.22 Load and unload device drivers

Lock pages in memory: No One

Log on as a batch job: No One

Log on as a service: Network Service

4.2.26 Log on locally

4.2.30 Profile single process

4.2.35 Shut down the system

Log on locally: Administrators, Users

Manage auditing and security log: Administrators

4.2.27 Manage auditing and security log

Modify firmware environment variables: Administrators

4.2.28 Modify firmware environment values

Profile single process: Administrators

Profile system performance: Administrators

4.2.31 Profile system performance

Remove computer from docking station: Administrators, Users

4.2.32 Remove computer from docking station

Replace a process level token: LOCAL SERVICE, NETWORK SERVICE

4.2.33 Replace a process level token

Restore files and directories: Administrators

4.2.34 Restore files and directories

Shut down the system: Administrators, Users

Take ownership of files or other objects: Administrators

4.2.37 Take ownership of file or other objects

Synchronize directory service data: No One

4.2.36 Synchronize directory service data

4.2.16 Deny logon locally

4.2.15 Deny logon as a service

Deny logon locally: Not Defined

Enable computer and user accounts to be trusted for delegation: No One

4.2.18 Enable computer and user accounts to be trusted for delegation

Add workstations to domain

4.2.3 Add workstations to domain

Allow logon through Terminal Services: No One

4.2.5 Allow logon through terminal services

Deny logon as a batch job: No One

4.2.14 Deny logon as a batch job

Deny logon as a service: No One

Deny logon through Terminal Services: Everyone

4.2.17 Deny logon through Terminal Service

Perform volume maintenance tasks: Administrators

4.2.29 Perform volume maintenance tasks

Reset account lockout counter after (15 min.)

2.2.3.3 Reset Account Lockout After

Account lockout duration (15 minutes)

2.2.3.1 Account Lockout Duration

Account lockout threshold (3 invalid attempts)

2.2.3.2 Account Lockout Threshold

Audit account logon events (Success, Failure)

2.2.1.1 Audit Account Logon Events

2.2.1.4 Audit Logon Events

2.2.1.5 Audit Object Access

2.2.1.6 Audit Policy Change

Audit account management (Success, Failure)

2.2.1.2 Audit Account Management

Audit directory service access (No auditing)

2.2.1.3 Audit Directory Service Access

Audit logon events (Success, Failure)

Audit object access (Failure)

Audit policy change (Success, Failure)

2.2.1.7 Audit Privilege Use

2.2.1.8 Audit Process Tracking

2.2.1.9 Audit System Events

Retain application log

2.2.4.1.4 Log Retention

Audit privilege use (Failure)

Audit process tracking (No Auditing)

Audit system events (Success, Failure)

Restrict guest access to application Log

2.2.4.1.2 Restrict Guest Access

Maximum application log size

2.2.4.1.1 Maximum Event Log Size

Retention method for application Log

2.2.4.1.3 Log Retention Method

Maximum security log size

Retain security log

2.2.4.2.4 Log Retention

Maximum system log size

Retain system log

2.2.4.3.4 Log Retention

Restrict guest access to security Log

2.2.4.2.2 Restrict Guest Access

2.2.4.2.1 Maximum Event Log Size

Retention method for security log

2.2.4.2.3 Log Retention Method

Restrict guest access to system Log

2.2.4.3.2 Restrict Guest Access

2.2.4.3.1 Maximum Event Log Size

Retention method for system log

2.2.4.3.3 Log Retention Method

Maximum Password Age (90)

2.1.2 Maximum Password Age, 2.2.2.2 Maximum Password Age

Minimum Password Age (1)

2.2.2.1 Minimum Password Age

2.2.2.4 Password Complexity

2.2.2.5 Password History

4.1.1 Alerter

4.1.2 Automatic Updates

4.1.4 Clipbook

4.1.5 Computer Browser

4.1.6 Fax Service

Minimum Password Length (12)

2.1.1 Minimum Password Length, 2.2.2.3 Minimum Password Length

Passwords must meet complexity requirements (Enabled)

Enforce password history (24 passwords)

Store password using reversible encryption for all users in the domain (Disabled)

2.2.2.6 Store Passwords using Reversible Encryption

4.1.3 Background Intelligent Transfer Service

4.1.7 FTP Publishing Service

4.1.8 IIS Admin Service

4.1.9 Indexing Service

4.1.10 Messenger

4.1.11 Net Logon

4.1.12 NetMeeting Remote Desktop Sharing

4.1.13 Remote Desktop Help Session Manager

4.1.19 Task Scheduler

4.1.14 Remote Registry Service

4.1.15 Routing and Remote Access

4.1.16 Simple Mail Transfer Protocol (SMTP)

4.1.17 Simple Network Management Protocol (SNMP) Service

4.1.18 Simple Network Management Protocol (SNMP) Trap

4.1.20 Telnet

4.1.21 Terminal Services

4.1.22 Universal Plug and Play Device Host

4.1.23 World Wide Web Publishing Services

4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause)

Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled

3.1.3 Network Access: Do not allow Anonymous Enumeration of SAM Accounts and Shares

Network access: Do not allow anonymous enumeration of SAM accounts: Enabled

3.1.2 Network Access: Do not allow Anonymous Enumeration of SAM Accounts

Network access: Allow anonymous SID/Name translation: Disabled

3.1.1 Network Access: Allow Anonymous SID/Name Translation

Accounts: Guest account status: Disabled

3.2.1.2 Accounts: Guest Account Status

Accounts: Administrator account status: Enabled

3.2.1.1 Accounts: Administrator Account Status

Interactive logon: Message title for users attempting to log on

3.2.1.27 Interactive Logon: Message Title for Users Attempting to Log On

Interactive logon: Message text for users attempting to log on: <Configure Locally>

3.2.1.26 Interactive Logon: Message Text for Users Attempting to Log On

3.2.2.9 Remove administrative shares on workstation (Professional)

3.2.2.2 Disable Automatic Execution of the System Debugger

Interactive logon: Allow Automatic Administrator Logon - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = 0

3.2.2.6 Disable Automatic Logon

3.2.2.7 Disable automatic reboots after a Blue Screen of Death

3.2.2.3 Disable autoplay from any disk type, regardless of application

3.2.2.4 Disable autoplay for current user

3.2.2.5 Disable autoplay for the default profile

3.2.2.8 Disable CD Autorun: HKLM\System\CurrentControlSet\Services\Cdrom\Autorun (REG_DWORD)

3.2.2.10 Protect against Computer Browser Spoofing Attacks

3.2.2.13 Ensure ICMP Routing via shortest path first

3.2.2.11 Protect against source-routing spoofing

3.2.2.17 Ensure Router Discovery is Disabled

3.2.2.21 Enable IPSec to protect Kerberos RSVP Traffic

3.2.2.1 Suppress Dr. Watson Crash Dumps

Interactive logon: Do not display last user name - Enabled

3.2.1.24 Interactive Logon: Do Not Display Last User Name

3.2.2.22 Hide workstation from Network Browser listing: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden

3.2.2.12 Protect the Default Gateway network setting: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect

3.2.2.15 Manage Keep-alive times: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime

3.2.2.19 SYN Attack protection – Manage TCP Maximum half-open sockets: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen

3.2.2.20 SYN Attack protection – Manage TCP Maximum half-open retired sockets: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried

3.2.2.16 Protect Against Malicious Name-Release Attacks: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand

3.2.2.14 Help protect against packet fragmentation: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery

3.2.2.18 Protect against SYN Flood attacks: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect

System objects: Set safe search path for DLLs

3.2.2.23 Enable Safe DLL Search Mode: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode

Domain controller: Allow server operators to schedule tasks: Not Defined

3.2.1.15 Domain Controller: Allow Server Operators to Schedule Tasks

Accounts: Rename administrator account: Administrator

3.2.1.4 Accounts: Rename Administrator Account

Accounts: Rename guest account: <Configure locally>

3.2.1.5 Accounts: Rename Guest Account

Microsoft network server: Amount of idle time required before suspending session

3.2.1.35 Microsoft Network Server: Amount of Idle Time Required Before Disconnecting Session

Audit: Audit the access of global system objects: Not Defined

3.2.1.6 Audit: Audit the access of global system objects

Audit: Audit the use of Backup and Restore privilege: Not Defined

3.2.1.7 Audit: Audit the use of backup and restore privilege

Interactive logon: Do not require CTRL+ALT+DEL: Disabled

3.2.1.25 Interactive Logon: Do not require CTRL+ALT+DEL

Network security: LAN Manager authentication level: Send LM & NTLM - use NTLMv2 session security if negotiated

3.2.1.47 Network Security: LAN Manager Authentication Level

Devices: Prevent users from installing printer drivers: Enabled

3.2.1.11 Devices: Prevent users from installing printer drivers

Recovery console: Allow automatic administrative logon: Disabled

3.2.1.51 Recovery Console: Allow Automatic Administrative Logon

Recovery console: Allow floppy copy and access to all drives and all folders: Disabled

3.2.1.52 Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders

Devices: Restrict CD-ROM access to locally logged-on user only: Enabled

3.2.1.12 Devices: Restrict CD-ROM Access to Locally Logged-On User Only

Devices: Restrict floppy access to locally logged-on user only: Enabled

3.2.1.13 Devices: Restrict Floppy Access to Locally Logged-On User Only

System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links): Enabled

3.2.1.58 System objects: Strengthen default permissions of internal system objects

Domain member: Require strong (Windows 2000 or later) session key: Enabled

3.2.1.23 Domain Member: Require Strong (Windows 2000 or later) Session Key

Microsoft network client: Send unencrypted password to third-party SMB servers

3.2.1.34 Microsoft Network Client: Send Unencrypted Password to Connect to Third-Party SMB Server

Devices: Unsigned driver installation behavior: Warn but allow installation

3.2.1.14 Devices: Unsigned Driver Installation Behavior

Interactive logon: Prompt user to change password before expiration: 14 days

3.2.1.29 Interactive Logon: Prompt User to Change Password Before Expiration

Audit: Shut down system immediately if unable to log security audits: Disabled

3.2.1.8 Audit: Shut Down system immediately if unable to log security alerts

Shutdown: Allow system to be shut down without having to log on: Enabled

3.2.1.53 Shutdown: Allow System to be Shut Down Without Having to Log On

Shutdown: Clear virtual memory pagefile: Disabled

3.2.1.54 Shutdown: Clear Virtual Memory Pagefile

Microsoft network client: Digitally sign communications (always)

3.2.1.32 Microsoft Network Client: Digitally sign communications (always)

Microsoft network client: Digitally sign communications (if server agrees)

3.2.1.33 Microsoft Network Client: Digitally sign communications (if server agrees)

Microsoft network server: Digitally sign communications (always)

3.2.1.36 Microsoft Network Server: Digitally sign communications (always)

Microsoft network server: Digitally sign communications (if client agrees): Enabled

3.2.1.37 Microsoft Network Server: Digitally sign communications (if client agrees)

Interactive logon: Number of previous logons to cache (in case domain controller is not available): 0 logons

3.2.1.28 Interactive Logon: Number of Previous Logons to Cache

Devices: Allowed to format and eject removable media: Administrators

3.2.1.10 Devices: Allowed to format and eject removable media

Domain member: Digitally encrypt or sign secure channel data (always): Not Defined

3.2.1.18 Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always)

Domain member: Digitally encrypt secure channel data (when possible): Enabled

3.2.1.19 Domain Member: Digitally Encrypt Secure Channel Data (When Possible)

Domain member: Digitally sign secure channel data (when possible): Enabled

3.2.1.20 Domain Member: Digitally Sign Secure Channel Data (When Possible)

Interactive logon: Smart card removal behavior: Lock Workstation

3.2.1.31 Interactive Logon: Smart Card Removal Behavior

Domain member: Disable machine account password changes: Disabled

3.2.1.21 Domain Member: Disable Machine Account Password Changes

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Enabled

3.2.1.55 System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing

System objects: Default owner for objects created by members of the Administrators group: Object Creator

3.2.1.56 System objects: Default owner for objects created by members of the Administrators group

System objects: Require case insensitivity for non-Windows subsystems: Enabled

3.2.1.57 System objects: Require case insensitivity for non-Windows subsystems

Accounts: Limit local account use of blank passwords to console logon only: Enabled

3.2.1.3 Accounts: Limit local account use of blank passwords to console logon only

Devices: Allow undock without having to log on: Disabled

3.2.1.9 Devices: Allow undock without having to log on

Domain controller: LDAP server signing requirements: Not Defined

3.2.1.16 Domain Controller: LDAP Server Signing Requirements

Network security: LDAP client signing requirements

3.2.1.48 Network Security: LDAP client signing requirements

Domain controller: Refuse machine account password changes: Not Defined

3.2.1.19 (note: different enumeration) Domain Controller: Refuse machine account password changes

Domain member: Maximum machine account password age: 7 Days

3.2.1.22 Domain Member: Maximum Machine Account Password Age

Interactive logon: Require Domain Controller authentication to unlock workstation: Enabled

3.2.1.30 Interactive Logon: Require Domain Controller authentication to unlock workstation

Microsoft network server: Disconnect clients when logon hours expire: Enabled

3.2.1.38 Microsoft Network Server: Disconnect clients when logon hours expire

Network access: Do not allow storage of credentials or .NET Passports: Enabled

3.2.1.39 Network Access: Do not allow storage of credentials or .NET passports for network authentication

Network access: Let Everyone permissions apply to anonymous users: Disabled

3.2.1.40 Network Access: Let Everyone permissions apply to anonymous users

Network access: Named Pipes that can be accessed anonymously: Not Defined

3.2.1.41 Network Access: Named pipes that can be accessed anonymously

Network access: Remotely accessible registry paths: Classic - local users authenticate as themselves

3.2.1.42 Network Access: Remotely accessible registry paths

Network access: Shares that can be accessed anonymously: Not Defined

3.2.1.43 Network Access: Shares that can be accessed anonymously

Network access: Sharing and security model for local accounts: Classic - local users authenticate as themselves

3.2.1.44 Network Access: Sharing and security model for local accounts

Network security: Do not store LAN Manager hash value on next password change: Enabled

3.2.1.45 Network Security: Do not store LAN Manager password hash value on next password change

Network security: Force logoff when logon hours expire: Enabled

3.2.1.46 Network Security: Force logoff when logon hours expire

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: Require NTLMv2 session security, Require 128-bit encryption

3.2.1.49 Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers: Require NTLMv2 session security, Require 128-bit encryption

3.2.1.50 Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers

Chapter 10: Modifying File System Security Settings with Security Templates

4.3.1 Ensure volumes are using the NTFS file system

Remote control settings

Limit users to one remote session

Limit number of connections

Do not allow new client connections

Do not allow local administrator to customize permissions

Always prompt client for password upon connection

Set client connection encryption level

Do not use temp folders per session

Do not delete temp folder upon exit

Set time limit for disconnected sessions

Set time limit for idle sessions

Allow reconnection from original client only

Terminate session when time limits are reached

Enforce user logon restrictions (Enabled)

Maximum lifetime for service ticket (600 minutes)

Maximum lifetime for user ticket (10 hours)

Maximum lifetime for user ticket renewal (7 days)

Maximum tolerance for computer clock synchronization (5 minutes)

5.1.1.1 RPC Endpoint Mapper Client Authentication (SP2 only)

5.1.1.2 Restrictions for Unauthenticated RPC clients (SP2 only)

5.2.1.1.1.1 Protect all network connections (SP2 only)

5.2.1.1.1.2 Do not allow exceptions (SP2 only)

5.2.1.1.1.3 Allow local program exceptions

5.2.1.1.1.4 Allow remote administration

5.2.1.1.1.5 Allow file and printer sharing exception (SP2 only)

5.2.1.1.1.6 Allow ICMP exceptions (SP2 only)

5.2.1.1.1.7 Allow Remote Desktop exception (SP2 only)

5.2.1.1.1.8 Allow UPnP framework exception (SP2 only)

5.2.1.1.1.9 Prohibit notifications

5.2.1.1.1.10 Log dropped packets (SP2 only)

5.2.1.1.1.11 Log file path and name (SP2 only)

5.2.1.1.1.12 Log file size limit (SP2 only)

5.2.1.1.1.13 Log successful connections (SP2 only)

5.2.1.1.1.14 Prohibit unicast response to multicast or broadcast (SP2 only)

5.2.1.1.1.15 Define port exceptions (SP2 only)

5.2.1.1.16 Allow local port exceptions (SP2 only)

5.2.1.1.2.1 Protect all network connections (SP2 only)

5.2.1.1.2.2 Do not allow exceptions (SP2 only)

5.2.1.1.2.3 Allow local program exceptions (SP2 only)

5.2.1.1.2.4 Allow remote administration exception (SP2 only)

5.2.1.1.2.4 Allow file and printer sharing exception (SP2 only)

5.2.1.1.2.6 Allow ICMP exceptions (SP2 only)

5.2.1.1.2.7 Allow Remote Desktop exception (SP2 only)

5.2.1.1.2.8 Allow UPnP framework exception (SP2 only)

5.2.1.1.2.9 Prohibit notifications (SP2 only)

5.2.1.1.2.10 Log Dropped Packets (SP2 only)

5.2.1.1.2.11 Log file path and name (SP2 only)

5.2.1.1.2.12 Log file size limit (SP2 only)

5.2.1.1.2.13 Log Successful Connections (SP2 only)

5.2.1.1.2.14 Prohibit unicast response to multicast or broadcast (SP2 only)

5.2.1.1.2.15 Define port exceptions (SP2 only)

5.2.1.1.2.16 Allow local port exceptions (SP2 only)

5.2.1.1. Windows Firewall

CIS WXP Pro Benchmark v2.01 OVAL (cis-winxp-oval.xml)

NIST 800-68 Windows XP PDF (SP800-68-20051102.pdf)

NIST 800-68 Windows XP XCCDF (NIST-800-68-53-WinXPPro_XCCDF_10102006.xml)

regedit.exePermissions

arp.exePermissions

at.exePermissions

attrib.exePermissions

cacls.exePermissions

%SystemRoot%\system32\regedit.exe Table: 9.19 Value: Administrators: Full System: Full

%SystemRoot%\system32\arp.exe Table: 9.1 Value: Administrators: Full System: Full

%SystemRoot%\system32\at.exe Table: 9.2 Value: Administrators: Full System: Full

%SystemRoot%\system32\attrib.exe Table: 9.3 Value: Administrators: Full System: Full

%SystemRoot%\System32\cacls.exe Table: 9.4 Value: Administrators: Full System: Full

oval:gov.nist.1:def:132

%SystemRoot%\System32\debug.exe Table: 9.5 Value: Administrators: Full System: Full

edlin.exePermissions

eventcreate.exePermissions

eventtriggers.exePermissions

%SystemRoot%\system32\edlin.exe Table: 9.6 Value: Administrators: Full System: Full

%SystemRoot%\system32\eventcreate.exe Table: 9.7 Value: Administrators: Full System: Full

%SystemRoot%\System32\eventtriggers.exe Table: 9.8 Value: 9.8

%SystemRoot%\system32\ftp.exe Table: 9.9 Value: Administrators: Full System: Full

ftp.exePermissions

nbtstat.exePermissions

net.exePermissions

net1.exePermissions

netsh.exePermissions

netstat.exePermissions

%SystemRoot%\system32\nbtstat.exe Table: 9.10 Value: Administrators: Full System: Full

%SystemRoot%\system32\net.exe Table: 9.11 Value: Administrators: Full System: Full

%SystemRoot%\system32\net1.exe Table: 9.12 Value: Administrators: Full System: Full

%SystemRoot%\system32\netsh.exe Table: 9.13 Value: Administrators: Full System: Full

%SystemRoot%\system32\netstat.exe Table: 9.14 Value: Administrators: Full System: Full

nslookup.exePermissions

ntbackup.exePermissions

rcp.exePermissions

reg.exePermissions

regedt32.exePermissions

%SystemRoot%\system32\nslookup.exe Table: 9.15 Value: Administrators: Full System: Full

%SystemRoot%\system32\Ntbackup.exe Table: 9.16 Value: Administrators: Full System: Full

%SystemRoot%\system32\rcp.exe Table: 9.17 Value: Administrators: Full System: Full

%SystemRoot%\system32\reg.exe Table: 9.18 Value: Administrators: Full System: Full

%SystemRoot%\system32\Regedt32.exe Table: 9.20 Value: Administrators: Full System: Full

regini.exePermissions

regsvr32.exePermissions

rexec.exePermissions

route.exePermissions

rsh.exePermissions

sc.exePermissions

secedit.exePermissions

%SystemRoot%\system32\regini.exe Table: 9.21 Value: Administrators: Full System: Full

%SystemRoot%\system32\regsvr32.exe Table: 9.22 Value: Administrators: Full System: Full

%SystemRoot%\system32\rexec.exe Table: 9.23 Value: Administrators: Full System: Full

%SystemRoot%\system32\route.exe Table: 9.24 Value: Administrators: Full System: Full

%SystemRoot%\system32\rsh.exe Table: 9.25 Value: Administrators: Full System: Full

%SystemRoot%\system32\sc.exe Table: 9.26 Value: Administrators: Full System: Full

%SystemRoot%\system32\secedit.exe Table: 9.27 Value: Administrators: Full System: Full

subst.exePermissions

systeminfo.exePermissions

telnet.exePermissions

tftp.exePermissions

tlntsvr.exePermissions

%SystemRoot%\system32\subst.exe Table: 9.28 Value: Administrators: Full System: Full

%SystemRoot%\system32\systeminfo.exe Table: 9.29 Value: Administrators: Full System: Full

%SystemRoot%\system32\telnet.exe Table: 9.30 Value: Administrators: Full System: Full

%SystemRoot%\system32\tftp.exe Table: 9.31 Value: Administrators: Full System: Full

%SystemRoot%\system32\tlntsvr.exe Table: 9.32 Value: Administrators: Full System: Full

DenyAccessFromNetwork

ActAsPartOfOperatingSystem

BypassTraverseChecking

ChangeSystemTime

Deny access to this computer from the network Table: 4.15 Value: Guests, SUPPORT

Access this computer from the network Table: 4.1 Value: Administrators, not defined

AccessComputerFromNetwork, AccessComputerFromNetworkUsers

Act as part of the operating system Table: 4.2 Value:

none

Back up files and directories Table: 4.7 Value: Administrators, not defined

BackUpFilesAndDirectories, BackUpFilesAndDirectoriesOperators

Bypass traverse checking Table: 4.8 Value: Administrators, Users, not defined

Change the system time Table: 4.9 Value: Administrators

CreatePagefile

CreateTokenObject

CreatePermanentSharedObjects

DebugPrograms

ShutdownFromRemoteSystem

GenerateSecurityAudits

AdjustMemoryQuotas

IncreaseSchedulingPriority

LoadAndUnloadDeviceDrivers

LockPagesInMemory

LogOnAsBatchJob

LogOnAsService

Create pagefile Table: 4.10 Value: Administrators

Create a token object Table: 4.11 Value: None, not defined

Create permanent share objects Table: 4.13 Value: None, not defined

Debug programs Table: 4.14 Value: None, Administrators

Force shutdown from a remote system Table: 4.21 Value: Administrators

Generate security audits Table: 4.22 Value: LOCAL SERVICE, NETWORK SERVICE

Adjust memory quotas for a process Table: 4.4 Value: Administrators, LOCAL SERVICE, NETWORK SERVICE

Increase scheduling priority Table: 4.24 Value: Administrators

Load and unload device drivers Table: 4.25 Value: Administrators

Lock pages in memory Table: 4.26 Value: none

Log on as a batch job Table: 4.27 Value: none, not defined

Log on as a service Table: 4.28 Value: LOCAL SERVICE, NETWORK SERVICE

ModifyFirmwareEnvironmentValues

ProfileSingleProcess

ProfileSystemPerformance

ReplaceProcessLevelToken

RestoreFilesAndDirectories

ShutDownSystem

TakeOwnershipOfFiles

SynchronizeDirectoryServiceData

Allow log on locally Table: 4.5 Value: Users, Administrators

AllowLogOnLocally, AllowLogOnLocallyAuthenticatedUsers

Manage auditing and security log Table: 4.29 Value: Administrators

ManageAuditingAndSecurityLog, ManageAuditingAndSecurityLogNone

Modify firmware environment values Table: 4.30 Value: Administrators

Profile single process Table: 4.32 Value: Administrators

Profile system performance Table: 4.33 Value: Administrators

Remove computer from docking station Table: 4.34 Value: Users, Administrators

RemoveComputerFromDockingStation, RemoveComputerFromDockingStationNone

Replace a process-level token Table: 4.35 Value: LOCAL SERVICE, NETWORK SERVICE

Restore files and directories Table: 4.36 Value: Administrators

Shut down the system Table: 4.37 Value: Users, Administrators

Take ownership of files and other objects Table: 4.39 Value: Administrators

Synchronize directory service data Table: 4.38 Value: not defined

DenyLogonLocally

AccountsTrustedForDelegation

DenyLogonAsBatchJob

***

PerformVolumeMaintenanceTasks

AccountLockoutReset

AccountLockoutDuration

AccountLockoutThreshold

AuditAccountLogin

Deny logon locally Table: 4.18 Value: Guests, SUPPORT_388945a0, any service accounts

Enable computer and user accounts to be trusted for delegation Table: 4.20 Value: none, not defined

Add workstations to domain Table: 4.3 Value: Administrators

AddWorkstationsToDomain, AddWorkstationsToDomainNone

Allow logon through Terminal Services Table: 4.6 Value: none, not defined

AllowLogOnThroughTerminalServices

Deny logon as a batch job Table: 4.16 Value: Guests, SUPPORT_388945a0

Deny logon as a service Table: 4.17 Value: not defined

Deny logon through Terminal Services Table: 4.19 Value: Everyone, not defined

DenyLogonThroughTerminalServices

Profile volume maintenance tasks Table: 4.31 Value: Administrators

Reset account lockout counter after Table: 2.3 Value: 15

Account lockout duration Table: 2.1 Value: 15

Account lockout threshold Table: 2.2 Value: 10, 50

Audit account logon events Table: 3.1 Value: success, success and failure

AuditAccountLogin

AuditAccountManagement

AuditAccountManagement

Not applicable

Not applicable

AuditLogonEvents

AuditLogonEvents

AuditObjectAccess

AuditObjectAccess

AuditPolicyChangesSuccessOnly

AuditPolicyChangesSuccessOnly

Audit account logon events Table: 3.1 Value: success, success and failure

Audit account management Table: 3.2 Value: success, failure

Audit account management Table: 3.2 Value: success, failure

Audit directory service access Table: 3.3 Value: not defined

Audit directory service access Table: 3.3 Value: not defined

Audit logon events Table: 3.4 Value: success, success and failure

Audit logon events Table: 3.4 Value: success, success and failure

Audit object access Table: 3.5 Value: failure, no auditing

Audit object access Table: 3.5 Value: failure, no auditing

Audit policy change Table: 3.6 Value: success

Audit policy change Table: 3.6 Value: success

AuditPrivilegeUse

AuditPrivilegeUse

AuditProcessTracking

AuditProcessTracking

AuditSystemEventsSuccessOnly

AuditSystemEventsSuccessOnly

PreventGuestApplicationLogAccess

MaximumApplicationLogSize

ApplicationLogRetentionMethod

Audit privilege use Table: 3.7 Value: failure, no auditing

Audit privilege use Table: 3.7 Value: failure, no auditing

Audit process tracking Table: 3.8 Value: no auditing

Audit process tracking Table: 3.8 Value: no auditing

Audit system events Table: 3.9 Value: success

Audit system events Table: 3.9 Value: success

Prevent local guests group from accessing application log Table: 6.4 Value: enabled

Maximum Application log size Table: 6.1 Value: 16384 kilobytes

Retain application log Table: 6.7 Value: not defined

Retention method for application log Table: 6.10 Value: as needed

PreventGuestSecurityLogAccess

MaximumSecurityLogSize

SecurityLogRetentionMethod

PreventGuestSystemLogAccess

MaximumSystemLogSize

SystemLogRetentionMethod

MaximumPasswordAge

MinimumPasswordAge

Prevent local guests group from accessing security log Table: 6.5 Value: enabled

Maximum security log size Table: 6.2 Value: 81920 kilobytes

Retain security log Table: 6.8 Value: not defined

Retention method for system log Table: 6.11 Value: as needed

Prevent local guests group from accessing system log Table: 6.6 Value: enabled

Maximum system log size Table: 6.3 Value: 16384 kilobytes

Retain system log Table: 6.9 Value: not defined

Retention method for system log Table: 6.12 Value: not defined

Maximum password age Table: 1.2 Value: 90

Minimum password age Table: 1.3 Value: 1

MinimumPasswordLength

PasswordComplexity

PasswordHistoryEnforcement

AlerterService

***

***

ClipBookService

BrowserService

Minimum password length Table: 1.4 Value: 12, 8

Password must meet complexity requirements Table: 1.5 Value: enabled

Enforce password history Table: 1.1 Value: 24

Store password using reversible encryption for all users in the domain Table: 1.6 Value: disabled

PasswordStorageReversibleEncryption

Alerter Service Table: 8.1 Value: disabled

Automatic update service Table: 8.4 Value: not defined

Background Intelligent Transfer Service Table: 8.5 Value: not defined

ClipBook service Table: 8.6 Value: disabled

Computer Browser Service Table: 8.9 Value: disabled

Fast User Switching Compatibility Table: 8.17 Value: not defined

FaxService

FTPPublishingService

IISAdminService

IndexingService

MessengerService

Fax Service Table: 8.18 Value: disabled

FTP Publishing Service Table: 8.19 Value: disabled

IIS Admin service Table: 8.22 Value: disabled

Indexing Service Table: 8.24 Value: disabled

Messenger service Table: 8.30 Value: disabled

Net Logon service Table: 8.32 Value: not defined

NetMeeting Remote Desktop Sharing Table: 8.33 Value: disabled

NetMeetingRemoteDesktopSharingService

Remote Access Auto Connection Manager Table: 8.45 Value: not defined

Remote Desktop Help Session Manager Table: 8.47 Value: disabled

RemoteDesktopHelpSessionManagerService

RoutingAndRemoteAccessService

SMTPService

SNMPService

SNMPTrap

SSDPService

TaskSchedulerService

Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) Table: 8.26 Value: not defined

Remote Registry service Table: 8.50 Value: not defined

Routing and Remote Access service Table: 8.52 Value: disabled

Simple Mail Transfer Protocol (SMTP) Table: 8.59 Value: disabled

Simple Network Management Protocol (SNMP) Service Table: 8.60 Value: disabled

Simple Network Management Protocol (SNMP) Trap Table: 8.61 Value: disabled

Simple Service Discovery Protocol (SSDP) Discovery Service Table: 8.62 Value: disabled

Task Scheduler service Table: 8.65 Value: disabled

TelnetService

TerminalServicesService

WWWPublishingServicesService

Telnet service Table: 8.68 Value: disabled

Terminal Services service Table: 8.69 Value: disabled

Universal Plug and Play Device Host Disabled Table: 8.73 Value: Not defined

UniversalPlugAndPlayDeviceHostService

World Wide Web Publishing Services Table: 8.85 Value: Disabled

Print Spooler service Table: 8.42 Value: not defined

Plug and Play service Table: 8.40 Value: not defined

AnonymousEnumerationOfAccounts

GuestAccountStatus

AdministratorAccountStatus

LogonMessageTitle

LogonMessageText

Network access: Do not allow anonymous enumeration of SAM accounts and shares Table: 5.45 Value: enabled

AnonymousEnumerationOfAccountsAndShares

Network access: Do not allow anonymous enumeration of SAM accounts Table: 5.44 Value: enabled

Network access: Allow anonymous SID/Name translation Table: 5.43 Value: disabled

Accounts: Guest account status Table: 5.2 Value: disabled

Accounts: Administrator account status Table: 5.1 Value: enabled

Interactive logon: Message title for users attempting to log on Table: 5.30 Value: <DoJ Approved>

Interactive logon: Message text for users attempting to log on Table: 5.29 Value: <DoJ approved>

MSS: (AutoShareWks) Enable Administrative Shares Table: 5.72 Value: not defined

AutomaticLogonDisabled

DisableAutorunForAllDrives

AllowICMPRedirectsDisabled

MSS: (AutoAdminLogon) Enable Automatic Logon Table: 5.70 Value: disabled

MSS: (AutoReboot) Allow Windows to automatically restart after a system crash Table: 5.71 Value: not defined

MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives Table: 5.80 Value: 255

MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Table: 5.76 Value: disabled

IPSourceRoutingProtectionLevel

RouterDiscovery

NoDefaultExemptForIPSecFiltering

HideFromBrowseList

AutomaticDetectionOfDeadGWs

KeepAliveTime

MSS: (DisableIPSourceRouting) IP source routing protection level Table: 5.73 Value: Highest protection, source routing is completely disabled

MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses Table: 5.83 Value: enabled

MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering Table: 5.79 Value: Multicast, broadcast, and ISAKMP are exempt

Interactive logon: Do not display last user name Table: 5.27 Value: enabled

LastUserNameNotDisplayedForLogon

MSS: (Hidden) Hide Computer From the Browse List Table: 5.77 Value: enabled

MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways Table: 5.75 Value: disabled

MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Table: 5.78 Value: 300,000ms (5 minutes)

NameReleaseRequests

SynAttackProtectionLevel

EventLogThresholdWarning

SafeDLLSearchMode

MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Table: 5.81 Value: enabled

MSS: (SynAttackProtect) Syn attack protection level Table: 5.86 Value: Connections time out sooner if attack is detected (1)

MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Table: 5.89 Value: 90

MSS: (DisableSavePassword) Prevent the dial-up password from being saved Table: 5.74 Value: not defined

MSS: (SafeDllSearchMode) Enable Safe DLL search mode Table: 5.84 Value: enabled

SessionTimeout

AuditAccessToGlobalObjects

Domain controller: Allow server operators to schedule tasks Table: 5.17 Value: not defined

Accounts: Rename administrator account Table: 5.4 Value: not defined

Accounts: Rename guest account Table: 5.5 Value: not defined

Microsoft network server: Amount of idle time required before suspending session Table: 5.39 Value: 15 minutes

Audit: Audit the access of global system objects Table: 5.6 Value: disabled

RequireCTRL_ALT_DEL

RecoveryConsoleAutoLogon

RecoveryConsoleFullSystemAccess

RecoveryConsoleFullSystemAccess

RestrictFloppyAccessDisabled

InternalSystemObjectsPermissions

Audit: Audit the use of backup and restore privilege Table: 5.7 Value: disabled

AuditBackupAndRestorePrivilegeDisabled

Interactive logon: Do not require CTRL+ALT+DEL Table: 5.28 Value: disabled

Network security: LAN Manager authentication level Table: 5.55 Value: Send NTLMv2 response only\refuse LM & NTLM or Send NTLMv2 response only\refuse LM

LANManagerAuthenticationRefuseLM, LANManagerAuthenticationRefuseLM_NTLM

Devices: Prevent users from installing printer drivers Table: 5.13 Value: enabled or disabled

PreventUsersFromInstallingPrinterDrivers

Recovery console: Allow automatic administrative logon Table: 5.59 Value: disabled

Recovery console: Allow floppy copy and access to all drives and all folders Table: 5.60 Value: disabled

Devices: Restrict CD-ROM access to locally logged-on user only Table: 5.14 Value: disabled

Devices: Restrict floppy access to locally logged-on user only Table: 5.15 Value: disabled

System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) Table: 5.67 Value: enabled

RequireStrongSessionKey

UnencryptedSMBPasswords

UnsignedDriverInstallationWarning

PasswordExpirationPrompt

ShutdownWithoutLogon

ClearPagefileOnShutdown

ClientAlwaysSignCommunications

SignCommunicationsIfServerAgrees

ServerAlwaysSignCommunications

Domain member: Require strong (Windows 2000 or later) session key Table: 5.25 Value: enabled

Microsoft network client: Send unencrypted password to third-party SMB servers Table: 5.38 Value: disabled

Devices: Unsigned driver installation behavior Table: 5.16 Value: warn but allow installation

Interactive logon: Prompt user to change password before expiration Table: 5.32 Value: 14 days

Audit: Shut down system immediately if unable to log security audits Table: 5.8 Value: not defined

Shutdown: Allow system to be shut down without having to log on Table: 5.61 Value: disabled

Shutdown: Clear virtual memory pagefile Table: 5.62 Value: enabled

Microsoft network client: Digitally sign communications (always) Table: 5.36 Value: enabled

Microsoft network client: Digitally sign communications (if server agrees) Table: 5.37 Value: enabled

Microsoft network server: Digitally sign communications (always) Table: 5.40 Value: enabled

SignCommunicationsIfClientAgrees

PreviousLogonsCached

SmartCardRemoval

MachineAccountPasswordChanges

FIPSCompliantEncryption

Microsoft network server: Digitally sign communications (if client agrees) Table: 5.41 Value: enabled

Interactive logon: Number of previous logons to cache (in case domain controller is not available) Table: 5.31 Value: 0 logons or 2 logons

Devices: Allowed to format and eject removable media Table: 5.12 Value: Administrators or Administrators and interactive users

RestrictAccessToFormatAndEjectRemovableMediaAdministrators, RestrictAccessToFormatAndEjectRemovableMedia

Domain member: Digitally encrypt or sign secure channel data (always) Table: 5.20 Value: enabled

AlwaysDigitallyEncryptSecureChannelData

Domain member: Digitally encrypt secure channel data (when possible) Table: 5.21 Value: enabled

WhenPossibleDigitallyEncryptSecureChannelData

Domain member: Digitally sign secure channel data (when possible) Table: 5.22 Value: enabled

WhenPossibleDigitallySignSecureChannelData

Interactive logon: Smart card removal behavior Table: 5.35 Value: lock workstation

Domain member: Disable machine account password changes Table: 5.23 Value: disabled

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Table: 5.64 Value: enabled

RequireCaseInsensitivity

LimitBlankPasswordUse

AllowUndockWithoutLoginDisabled

LDAPClientSigningRequirements

LogonTimeExpiration

System objects: Default owner for objects created by members of the Administrators group Table: 5.65 Value: Object creator

AdministratorsGroupObjectCreatorOwner

System objects: Require case insensitivity for non-Windows subsystems Table: 5.66 Value: enabled

Accounts: Limit local account use of blank passwords to console logon only Table: 5.3 Value: enabled

Devices: Allow undock without having to logon Table: 5.11 Value: disabled

Domain controller: LDAP server signing requirements Table: 5.18 Value: not defined

Network security: LDAP client signing requirements Table: 5.56 Value: Negotiate signing

Domain controller: Refuse machine account password changes Table: 5.19 Value: not defined

Domain member: Maximum machine account password age Table: 5.24 Value: 30 days

MaximumMachineAccountPasswordAge

Interactive logon: Require Domain Controller authentication to unlock workstation Table: 5.33 Value: enabled or disabled

DomainControllerAuthenticationRequired

Microsoft network server: Disconnect clients when logon hours expire Table: 5.42 Value: enabled

CredentialsStorage

AnonymousUsersPermissions

AnonymouslyAccessedNamedPipes

RemotelyAccessibleRegistryPaths

AnonymouslyAccessedShares

LocalAccountsSecurityModel

LANManagerHashStorage

ForceLogoff

Network access: Do not allow storage of credentials or .NET Passports for network authentication Table: 5.46 Value: enabled

Network access: Let Everyone permissions apply to anonymous users Table: 5.47 Value: disabled

Network access: Named Pipes that can be accessed anonymously Table: 5.48 Value: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, browser

Network access: Remotely accessible registry paths Table: 5.49 Value: System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Control\Server Applications, System\CurrentControlSet\Services\

Network access: Shares that can be accessed anonymously Table: 5.51 Value: COMCFG, DFS$

Network access: Sharing and security model for local accounts Table: 5.52 Value: Classic - local users authenticate as themselves

Network security: Do not store LAN Manager hash value on next password change Table: 5.53 Value: enabled

Network security: Force logoff when logon hours expire Table: 5.54 Value: enabled

ScreenSaverGracePeriod

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Table: 5.57 Value: Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption

NTLM_SSP_BasedClientsSessionSecurity

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Table: 5.58 Value: Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption

NTLM_SSP_BasedServersSessionSecurity

MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires Table: 5.85 Value: 0

Create global objects Table: 4.12 Value: not defined

Impersonate a client after authentication Table: 4.23 Value: not defined

DCOM: Machine access of the global system objects Table: 5.9 Value: disabled

DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax Table: 5.10 Value: not defined

Interactive logon: Display user information when the session is locked Table: 5.26 Value: not defined

Interactive logon: Require smart card Table: 5.34 Value: not defined

TCPConnectionResponses

TCPMaxDataRetransmissions

BackupOperators

PowerUsers

RemoteDesktopUsers

Network access: Restrict anonymous access to named pipes and shares Table: 5.50 Value: not defined

System cryptography: Force strong key protection for user keys stored on the computer Table: 5.63 Value: not defined

System settings: optional subsystems Table: 5.68 Value: not defined

System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies Table: 5.69 Value: not defined

MSS: (TCPMaxConnectResponseRetransmission) SYN-ACK retransmissions when a connection request is not acknowledged Table: 5.87 Value: 3 and 6 sec, half open connections dropped after 21 sec

MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted Table: 5.88 Value: 3

Backup Operators Table: 7.1 Value: none

Power Users Table: 7.2 Value: none

Remote Desktop Users Table: 7.3 Value: none

Application Layer Gateway Service Table: 8.2 Value: not defined

Application Management Table: 8.3 Value: not defined

Cryptographic Services Table: 8.10 Value: not defined

DHCP Client Table: 8.11 Value: not defined

Distributed Link Tracking Client Table: 8.12 Value: not defined

Distributed Transaction Coordinator Table: 8.13 Value: not defined

DNS Client Table: 8.14 Value: not defined

Error Reporting Service Table: 8.15 Value: not defined

Event Log Table: 8.16 Value: not defined

Help and Support Table: 8.20 Value: not defined

Human Interface Device Access Table: 8.21 Value: not defined

IMAPI CD-Burning COM Service Table: 8.23 Value: not defined

Infrared Monitor Table: 8.25 Value: not defined

DDEService

DDEdsdmService

IPSEC Services Table: 8.27 Value: not defined

Logical Disk Manager Table: 8.28 Value: not defined

Logical Disk Manager Administrative Service Table: 8.29 Value: not defined

MS Software Shadow Copy Provider Table: 8.31 Value: not defined

Network Connections Table: 8.34 Value: not defined

Network Dynamic Data Exchange (DDE) Table: 8.35 Value: not defined

Network DDE DDE Share Database Manager (DSDM) Table: 8.36 Value: not defined

Network Location Awareness (NLA) Table: 8.37 Value: not defined

NT LM Security Support Provider Table: 8.38 Value: not defined

Performance Logs and Alerts Table: 8.39 Value: not defined

Portable Media Serial Number Service Table: 8.41 Value: not defined

Protected Storage Table: 8.43 Value: not defined

RasManService

QoS RSVP Table: 8.44 Value: not defined

Remote Access Connection Manager Table: 8.46 Value: not defined

Remote Procedure Call (RPC) Table: 8.48 Value: not defined

Remote Procedure Call (RPC) Locator Table: 8.49 Value: not defined

Removable Storage Table: 8.51 Value: not defined

Secondary Logon Table: 8.53 Value: not defined

Security Accounts Manager Table: 8.54 Value: not defined

Server Table: 8.55 Value: not defined

Smart Card Table: 8.57 Value: not defined

Smart Card Helper Table: 8.58 Value: not defined

System Event Notification Table: 8.63 Value: not defined

System Restore Service Table: 8.64 Value: not defined

TCP/IP NetBIOS Helper Table: 8.66 Value: not defined

Telephony Table: 8.67 Value: not defined

Themes Table: 8.70 Value: not defined

Uninterruptible Power Supply Table: 8.71 Value: not defined

Upload Manager Table: 8.72 Value: not defined

Volume Shadow Copy Table: 8.74 Value: not defined

Webclient Table: 8.75 Value: not defined

Windows Audio Table: 8.76 Value: not defined

Windows Image Acquisition (WIA) Table: 8.77 Value: not defined

Windows Installer Table: 8.78 Value: not defined

Windows Management Instrumentation Table: 8.79 Value: not defined

Windows Management Instrumentation Driver Extensions Table: 8.80 Value: not defined

Windows Time Table: 8.81 Value: not defined

Disable8Dot3NameCreation

Wireless Zero Configuration Table: 8.82 Value: not defined

WMI Performance Adapter Table: 8.83 Value: not defined

Workstation Table: 8.84 Value: not defined

MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames. Table: 5.82 Value: enabled

5.2.1.1.2.4 Allow remote administration exception (SP2 only)

5.2.1.1.2.7 Allow Remote Desktop exception (SP2 only)

OVAL10088

OVAL10219

NIST 800-68 Windows XP OVAL (NIST-800-68-53-WinXPPro_OVAL_10102006.xml)

FDCC Windows XP XCCDF (fdcc-accepted-content-20080110\fdcc-winxp-xccdf.xml)

FDCC Windows XP OVAL (fdcc-accepted-content-20080110\fdcc-winxp-oval.xml)

oval:gov.nist.1:def:146 regedit.exePermissions oval:gov.nist.fdcc.xp:def:146

oval:gov.nist.1:def:128 arp.exePermissions oval:gov.nist.fdcc.xp:def:128

oval:gov.nist.1:def:129 at.exePermissions oval:gov.nist.fdcc.xp:def:129

oval:gov.nist.1:def:130 attrib.exePermissions oval:gov.nist.fdcc.xp:def:130

oval:gov.nist.1:def:131 cacls.exePermissions oval:gov.nist.fdcc.xp:def:131

debug.exePermissions debug.exePermissions oval:gov.nist.fdcc.xp:def:132

oval:gov.nist.1:def:133 edlin.exePermissions oval:gov.nist.fdcc.xp:def:133

oval:gov.nist.1:def:134 eventcreate.exePermissions oval:gov.nist.fdcc.xp:def:134

oval:gov.nist.1:def:135 eventtriggers.exePermissions oval:gov.nist.fdcc.xp:def:135

oval:gov.nist.1:def:136

oval:gov.nist.1:def:137

oval:gov.nist.1:def:138 net.exePermissions oval:gov.nist.fdcc.xp:def:138

oval:gov.nist.1:def:139 net1.exePermissions oval:gov.nist.fdcc.xp:def:139

oval:gov.nist.1:def:140 netsh.exePermissions oval:gov.nist.fdcc.xp:def:140

oval:gov.nist.1:def:141

oval:gov.nist.1:def:142

oval:gov.nist.1:def:143

oval:gov.nist.1:def:144 rcp.exePermissions oval:gov.nist.fdcc.xp:def:144

oval:gov.nist.1:def:145 reg.exePermissions oval:gov.nist.fdcc.xp:def:145

oval:gov.nist.1:def:147 regedt32.exePermissions oval:gov.nist.fdcc.xp:def:147

oval:gov.nist.1:def:148 regini.exePermissions oval:gov.nist.fdcc.xp:def:148

oval:gov.nist.1:def:149 regsvr32.exePermissions oval:gov.nist.fdcc.xp:def:149

oval:gov.nist.1:def:150 rexec.exePermissions oval:gov.nist.fdcc.xp:def:150

oval:gov.nist.1:def:151 route.exePermissions oval:gov.nist.fdcc.xp:def:151

oval:gov.nist.1:def:152 rsh.exePermissions oval:gov.nist.fdcc.xp:def:152

oval:gov.nist.1:def:153 sc.exePermissions oval:gov.nist.fdcc.xp:def:153

oval:gov.nist.1:def:154 secedit.exePermissions oval:gov.nist.fdcc.xp:def:154

oval:gov.nist.1:def:155 subst.exePermissions oval:gov.nist.fdcc.xp:def:155

oval:gov.nist.1:def:156 systeminfo.exePermissions oval:gov.nist.fdcc.xp:def:156

oval:gov.nist.1:def:157

oval:gov.nist.1:def:158 tftp.exePermissions oval:gov.nist.fdcc.xp:def:158

oval:gov.nist.1:def:159 tlntsvr.exePermissions oval:gov.nist.fdcc.xp:def:159

oval:gov.nist.1:def:175 oval:gov.nist.fdcc.xp:def:175

oval:gov.nist.fdcc.xp:def:161

oval:gov.nist.1:def:162 oval:gov.nist.fdcc.xp:def:162

oval:gov.nist.fdcc.xp:def:167

oval:gov.nist.1:def:168 oval:gov.nist.fdcc.xp:def:168

oval:gov.nist.1:def:169 oval:gov.nist.fdcc.xp:def:169

DenyAccessFromNetwork-Guests-SUPPORT_388945a0

oval:gov.nist.1:def:161, oval:gov.nist.1:def:231

AccessComputerFromNetwork_Administrators

ActAsPartOfOperatingSystem_None

oval:gov.nist.1:def:167, oval:gov.nist.1:def:234

BackUpFilesAndDirectories_Administrators

BypassTraverseChecking_Administrators_Users

ChangeSystemTime_Administrators

oval:gov.nist.1:def:170 CreatePagefile_Administrators oval:gov.nist.fdcc.xp:def:170

oval:gov.nist.1:def:171 CreateTokenObject_None oval:gov.nist.fdcc.xp:def:171

oval:gov.nist.1:def:172 oval:gov.nist.fdcc.xp:def:172

oval:gov.nist.1:def:173 oval:gov.nist.fdcc.xp:def:174

oval:gov.nist.1:def:180 oval:gov.nist.fdcc.xp:def:180

oval:gov.nist.1:def:181 oval:gov.nist.fdcc.xp:def:181

oval:gov.nist.1:def:164 oval:gov.nist.fdcc.xp:def:164

oval:gov.nist.1:def:182 oval:gov.nist.fdcc.xp:def:182

oval:gov.nist.1:def:183 oval:gov.nist.fdcc.xp:def:183

oval:gov.nist.1:def:184 LockPagesInMemory_None oval:gov.nist.fdcc.xp:def:184

oval:gov.nist.1:def:185 LogOnAsBatchJob_None oval:gov.nist.fdcc.xp:def:185

oval:gov.nist.1:def:186 oval:gov.nist.fdcc.xp:def:186

CreatePermanentSharedObjects_None

DebugPrograms_Administrators

ShutdownFromRemoteSystem_Administrators

GenerateSecurityAudits-LOCAL_SERVICE-NETWORK_SERVICE

AdjustMemoryQuotas_Administrators-LOCAL_SERVICE-NETWORK_SERVICE

IncreaseSchedulingPriority_Administrators

LoadAndUnloadDeviceDrivers_Administrators

LogOnAsService-LOGON_SERVICE-NETWORK_SERVICE

oval:gov.nist.fdcc.xp:def:165

oval:gov.nist.fdcc.xp:def:187

oval:gov.nist.1:def:188 oval:gov.nist.fdcc.xp:def:188

oval:gov.nist.1:def:190 oval:gov.nist.fdcc.xp:def:190

oval:gov.nist.1:def:191 oval:gov.nist.fdcc.xp:def:191

oval:gov.nist.fdcc.xp:def:192

oval:gov.nist.1:def:193 oval:gov.nist.fdcc.xp:def:193

oval:gov.nist.1:def:194 oval:gov.nist.fdcc.xp:def:194

oval:gov.nist.1:def:195 oval:gov.nist.fdcc.xp:def:195

oval:gov.nist.1:def:196 oval:gov.nist.fdcc.xp:def:196

oval:gov.nist.1:def:238 oval:gov.nist.fdcc.xp:def:238

oval:gov.nist.1:def:165, oval:gov.nist.1:def:233

LogOnLocally_Administrators_Users

oval:gov.nist.1:def:187, oval:gov.nist.1:def:235

ManageAuditingAndSecurityLog_Administrators

ModifyFirmwareEnvironmentValues_Administrators

ProfileSingleProcess_Administrators

ProfileSystemPerformance_Administrators

oval:gov.nist.1:def:192, oval:gov.nist.1:def:236

RemoveComputerFromDockingStation_Administrators_Users

ReplaceProcessLevelToken-LOGON_SERVICE-NETWORK_SERVICE

RestoreFilesAndDirectories_Administrators

ShutDownSystem_Administrators_Users

TakeOwnershipOfFiles_Administrators

SynchronizeDirectoryServiceData_None

oval:gov.nist.1:def:177 oval:gov.nist.fdcc.xp:def:177

oval:gov.nist.1:def:179

oval:gov.nist.1:def:166 oval:gov.nist.fdcc.xp:def:1662

oval:gov.nist.1:def:176 oval:gov.nist.fdcc.xp:def:176

*** deny_logon_as_service_none oval:gov.nist.fdcc.xp:def:677

oval:gov.nist.1:def:178 oval:gov.nist.fdcc.xp:def:1781

oval:gov.nist.1:def:189 oval:gov.nist.fdcc.xp:def:189

oval:gov.nist.1:def:26 account_lockout_reset oval:gov.nist.fdcc.xp:def:26

oval:gov.nist.1:def:23 account_lockout_duration oval:gov.nist.fdcc.xp:def:23

oval:gov.nist.1:def:24 account_lockout_threshold oval:gov.nist.fdcc.xp:def:24

oval:gov.nist.1:def:27 AuditAccountLogonEvents oval:gov.nist.fdcc.xp:def:27

DenyLogonLocally-Guests-SUPPORT_388945a0

oval:gov.nist.1:def:163, oval:gov.nist.1:def:232

AllowLogOnThroughTerminalServices_Administrators-RemoteDesktopUsers

DenyLogonAsBatchJob-Guests-SUPPORT_388945a0

DenyLogonThroughTerminalServices-Guests

PerformVolumeMaintenanceTasks_Administrators

oval:gov.nist.1:def:27 AuditAccountLogonEvents oval:gov.nist.fdcc.xp:def:27

oval:gov.nist.1:def:29 AuditAccountManagement oval:gov.nist.fdcc.xp:def:29

oval:gov.nist.1:def:29 AuditAccountManagement oval:gov.nist.fdcc.xp:def:29

Not applicable AuditDirectoryServiceAccess oval:gov.nist.fdcc.xp:def:30

Not applicable AuditDirectoryServiceAccess oval:gov.nist.fdcc.xp:def:30

oval:gov.nist.1:def:32 AuditLogonEvents oval:gov.nist.fdcc.xp:def:32

oval:gov.nist.1:def:32 AuditLogonEvents oval:gov.nist.fdcc.xp:def:32

oval:gov.nist.1:def:34 AuditObjectAccess oval:gov.nist.fdcc.xp:def:34

oval:gov.nist.1:def:34 AuditObjectAccess oval:gov.nist.fdcc.xp:def:34

oval:gov.nist.1:def:35 AuditPolicyChange oval:gov.nist.fdcc.xp:def:35

oval:gov.nist.1:def:35 AuditPolicyChange oval:gov.nist.fdcc.xp:def:35

oval:gov.nist.1:def:36 AuditPrivilegeUse oval:gov.nist.fdcc.xp:def:36

oval:gov.nist.1:def:36 AuditPrivilegeUse oval:gov.nist.fdcc.xp:def:36

oval:gov.nist.1:def:40 AuditProcessTracking oval:gov.nist.fdcc.xp:def:40

oval:gov.nist.1:def:40 AuditProcessTracking oval:gov.nist.fdcc.xp:def:40

oval:gov.nist.1:def:37 AuditSystemEvents oval:gov.nist.fdcc.xp:def:37

oval:gov.nist.1:def:37 AuditSystemEvents oval:gov.nist.fdcc.xp:def:37

oval:gov.nist.1:def:200 oval:gov.nist.fdcc.xp:def:200

oval:gov.nist.1:def:197 oval:gov.nist.fdcc.xp:def:197

retention_application_log oval:gov.nist.fdcc.xp:def:203

oval:gov.nist.1:def:203

prevent_guest_application_log_access

maximum_application_log_size

oval:gov.nist.1:def:201 oval:gov.nist.fdcc.xp:def:201

oval:gov.nist.1:def:198 maximum_security_log_size oval:gov.nist.fdcc.xp:def:198

retention_security_log oval:gov.nist.fdcc.xp:def:204

oval:gov.nist.1:def:204

oval:gov.nist.1:def:202 oval:gov.nist.fdcc.xp:def:202

oval:gov.nist.1:def:199 maximum_system_log_size oval:gov.nist.fdcc.xp:def:199

retention_system_log oval:gov.nist.fdcc.xp:def:205

oval:gov.nist.1:def:205

oval:gov.nist.1:def:17 maximum_password_age oval:gov.nist.fdcc.xp:def:17

oval:gov.nist.1:def:18 minimum_password_age oval:gov.nist.fdcc.xp:def:18

prevent_guest_security_log_access

prevent_guest_system_log_access

oval:gov.nist.1:def:19 minimum_password_length oval:gov.nist.fdcc.xp:def:19

oval:gov.nist.1:def:21 password_complexity oval:gov.nist.fdcc.xp:def:21

oval:gov.nist.1:def:16 oval:gov.nist.fdcc.xp:def:16

oval:gov.nist.1:def:22 oval:gov.nist.fdcc.xp:def:22

oval:gov.nist.1:def:209 AlerterService oval:gov.nist.fdcc.xp:def:209

***

*** BITSService oval:gov.nist.fdcc.xp:def:6132

oval:gov.nist.1:def:210 ClipBookService oval:gov.nist.fdcc.xp:def:210

oval:gov.nist.1:def:211 ComputerBrowserService oval:gov.nist.fdcc.xp:def:211

oval:gov.nist.fdcc.xp:def:2121

password_history_enforcement

PasswordStorageReversibleEncryption

FastUserSwitchingCompatibilityService

oval:gov.nist.1:def:212 FaxService oval:gov.nist.fdcc.xp:def:212

oval:gov.nist.1:def:213 FTPPublishingService oval:gov.nist.fdcc.xp:def:213

oval:gov.nist.1:def:214

oval:gov.nist.1:def:215 IndexingService oval:gov.nist.fdcc.xp:def:215

oval:gov.nist.1:def:216 oval:gov.nist.fdcc.xp:def:6601

oval:gov.nist.1:def:217 oval:gov.nist.fdcc.xp:def:6595

oval:gov.nist.1:def:218

Do-not-allow-Windows-Messenger-to-be-run

disable_remote_desktop_sharing

oval:gov.nist.1:def:219 oval:gov.nist.fdcc.xp:def:219

oval:gov.nist.1:def:220

oval:gov.nist.1:def:221

oval:gov.nist.1:def:222

oval:gov.nist.1:def:223 SSDPService oval:gov.nist.fdcc.xp:def:223

oval:gov.nist.1:def:224 TaskSchedulerService oval:gov.nist.fdcc.xp:def:224

prohibit_internet_connection_sharing

oval:gov.nist.fdcc.xp:def:3366993

RoutingAndRemoteAccessService

oval:gov.nist.1:def:225 TelnetService oval:gov.nist.fdcc.xp:def:225

oval:gov.nist.1:def:226 TerminalServicesService oval:gov.nist.fdcc.xp:def:226

oval:gov.nist.1:def:227 oval:gov.nist.fdcc.xp:def:227

oval:gov.nist.1:def:228 oval:gov.nist.fdcc.xp:def:228

UniversalPlugAndPlayDeviceHostService

WWWPublishingServicesService

oval:gov.nist.1:def:88 oval:gov.nist.fdcc.xp:def:88

oval:gov.nist.1:def:87 oval:gov.nist.fdcc.xp:def:87

oval:gov.nist.fdcc.xp:def:77

oval:gov.nist.1:def:243 GuestAccountStatus oval:gov.nist.fdcc.xp:def:243

oval:gov.nist.1:def:242

oval:gov.nist.1:def:71 LogonMessageTitle oval:gov.nist.fdcc.xp:def:71

oval:gov.nist.1:def:70 LogonMessageText oval:gov.nist.fdcc.xp:def:70

AnonymousEnumerationOfAccountsAndShares

AnonymousEnumerationOfAccounts

anonymous_sid_name_translation

oval:gov.nist.1:def:110 AutomaticLogonDisabled oval:gov.nist.fdcc.xp:def:110

DisableAutorunForAllDrives oval:gov.nist.fdcc.xp:def:117

oval:gov.nist.1:def:113 AllowICMPRedirectsDisabled oval:gov.nist.fdcc.xp:def:113

oval:gov.nist.1:def:111 oval:gov.nist.fdcc.xp:def:111

oval:gov.nist.1:def:121 RouterDiscovery oval:gov.nist.fdcc.xp:def:121

oval:gov.nist.1:def:116 oval:gov.nist.fdcc.xp:def:116

oval:gov.nist.1:def:117

oval:gov.nist.1:def:68 oval:gov.nist.fdcc.xp:def:68

oval:gov.nist.1:def:114 HideFromBrowseList oval:gov.nist.fdcc.xp:def:114

oval:gov.nist.1:def:112 oval:gov.nist.fdcc.xp:def:112

oval:gov.nist.1:def:115 KeepAliveTime oval:gov.nist.fdcc.xp:def:115

IPSourceRoutingProtectionLevel

NoDefaultExemptForIPSecFiltering

LastUserNameNotDisplayedForLogon

AutomaticDetectionOfDeadGWs

oval:gov.nist.1:def:118 NameReleaseRequests oval:gov.nist.fdcc.xp:def:118

EnablePMTUDiscovery oval:gov.nist.fdcc.xp:def:407

oval:gov.nist.1:def:124 SynAttackProtectionLevel oval:gov.nist.fdcc.xp:def:124

oval:gov.nist.1:def:127 EventLogThresholdWarning oval:gov.nist.fdcc.xp:def:127

oval:gov.nist.1:def:122 SafeDLLSearchMode oval:gov.nist.fdcc.xp:def:122

Always-Use-Classic-Logon oval:gov.nist.fdcc.xp:def:6686

RenameAdministrator oval:gov.nist.fdcc.xp:def:6022

RenameGuest oval:gov.nist.fdcc.xp:def:6023

oval:gov.nist.1:def:83 session_timeout oval:gov.nist.fdcc.xp:def:83

oval:gov.nist.1:def:45 AuditAccessToGlobalObjects oval:gov.nist.fdcc.xp:def:45

prohibit_installation_network_bridge

oval:gov.nist.fdcc.xp:def:3366991

AllowServerOperatorsToScheduleTasks

oval:gov.nist.fdcc.xp:def:608240

oval:gov.nist.1:def:52 oval:gov.nist.fdcc.xp:def:52

oval:gov.nist.1:def:69 RequireCTRL_ALT_DEL oval:gov.nist.fdcc.xp:def:69

oval:gov.nist.fdcc.xp:def:96

oval:gov.nist.1:def:56 oval:gov.nist.fdcc.xp:def:56

oval:gov.nist.1:def:101 RecoveryConsoleAutoLogon oval:gov.nist.fdcc.xp:def:101

oval:gov.nist.1:def:102 oval:gov.nist.fdcc.xp:def:102

oval:gov.nist.1:def:102 RestrictCDROMAccess oval:gov.nist.fdcc.xp:def:58

oval:gov.nist.1:def:59 RestrictFloppyAccess oval:gov.nist.fdcc.xp:def:59

oval:gov.nist.1:def:109 oval:gov.nist.fdcc.xp:def:109

AuditBackupAndRestorePrivilege

oval:gov.nist.1:def:97, oval:gov.nist.1:def:96

LANManagerAuthenticationLevel-RefuseLM_NTLM

PreventUsersFromInstallingPrinterDrivers

RecoveryConsoleFullSystemAccess

InternalSystemObjectsPermissions

oval:gov.nist.1:def:66 require_strong_session_key oval:gov.nist.fdcc.xp:def:66

oval:gov.nist.1:def:82 unencrypted_smb_passwords oval:gov.nist.fdcc.xp:def:82

oval:gov.nist.1:def:60 oval:gov.nist.fdcc.xp:def:60

oval:gov.nist.1:def:74 password_expiration_prompt oval:gov.nist.fdcc.xp:def:74

oval:gov.nist.fdcc.xp:def:6027

oval:gov.nist.1:def:103 shutdown_without_logon oval:gov.nist.fdcc.xp:def:103

oval:gov.nist.1:def:104 ClearPagefileOnShutdown oval:gov.nist.fdcc.xp:def:104

oval:gov.nist.1:def:79 oval:gov.nist.fdcc.xp:def:79

oval:gov.nist.1:def:81 oval:gov.nist.fdcc.xp:def:81

oval:gov.nist.1:def:84 oval:gov.nist.fdcc.xp:def:84

UnsignedDriverInstallationBehavior

ShutDownIfUnableToLogSecurityAudits

client_always_sign_communications

SignCommunicationsIfServerAgrees

server_always_sign_communications

oval:gov.nist.1:def:85 oval:gov.nist.fdcc.xp:def:85

oval:gov.nist.1:def:72 previous_logons_cached oval:gov.nist.fdcc.xp:def:72

oval:gov.nist.1:def:61 oval:gov.nist.fdcc.xp:def:61

oval:gov.nist.1:def:62 oval:gov.nist.fdcc.xp:def:62

oval:gov.nist.1:def:63 oval:gov.nist.fdcc.xp:def:63

oval:gov.nist.1:def:78 smart_card_removal oval:gov.nist.fdcc.xp:def:78

oval:gov.nist.1:def:64 oval:gov.nist.fdcc.xp:def:64

oval:gov.nist.1:def:105 FIPSCompliantEncryption oval:gov.nist.fdcc.xp:def:105

SignCommunicationsIfClientAgrees

oval:gov.nist.1:def:43, oval:gov.nist.1:def:44

always_digitally_encrypt_secure_channel_data

WhenPossibleDigitallyEncryptSecureChannelData

WhenPossibleDigitallySignSecureChannelData

MachineAccountPasswordChanges

oval:gov.nist.1:def:106 oval:gov.nist.fdcc.xp:def:106

oval:gov.nist.1:def:107 RequireCaseInsensitivity oval:gov.nist.fdcc.xp:def:107

oval:gov.nist.1:def:42 LimitBlankPassword oval:gov.nist.fdcc.xp:def:42

oval:gov.nist.1:def:53 AllowUndockWithoutLogin oval:gov.nist.fdcc.xp:def:53

oval:gov.nist.1:def:98 oval:gov.nist.fdcc.xp:def:98

oval:gov.nist.1:def:65 oval:gov.nist.fdcc.xp:def:65

oval:gov.nist.1:def:75 oval:gov.nist.fdcc.xp:def:75

oval:gov.nist.1:def:86 LogonTimeExpiration oval:gov.nist.fdcc.xp:def:86

AdministratorsGroupObjectCreatorOwner

LDAPServerSigningRequirements

oval:gov.nist.fdcc.xp:def:608241

LDAPClientSigningRequirements

RefuseMachineAccountPasswordChanges

oval:gov.nist.fdcc.xp:def:608242

maximum_machine_account_password_age

domain_controller_authentication_required

oval:gov.nist.1:def:89 CredentialsStorage oval:gov.nist.fdcc.xp:def:89

oval:gov.nist.1:def:90 AnonymousUsersPermissions oval:gov.nist.fdcc.xp:def:90

oval:gov.nist.1:def:91 oval:gov.nist.fdcc.xp:def:91

oval:gov.nist.1:def:92 oval:gov.nist.fdcc.xp:def:92

oval:gov.nist.1:def:93 AnonymouslyAccessedShares oval:gov.nist.fdcc.xp:def:93

oval:gov.nist.1:def:94 LocalAccountsSecurityModel oval:gov.nist.fdcc.xp:def:94

oval:gov.nist.1:def:95 LANManagerHashStorage oval:gov.nist.fdcc.xp:def:95

oval:gov.nist.1:def:244 ForceLogoff oval:gov.nist.fdcc.xp:def:244

AnonymouslyAccessedNamedPipes

RemotelyAccessibleRegistryPaths

oval:gov.nist.1:def:99 oval:gov.nist.fdcc.xp:def:99

oval:gov.nist.1:def:100 oval:gov.nist.fdcc.xp:def:100

oval:gov.nist.1:def:123 Screen-Saver-timeout oval:gov.nist.fdcc.xp:def:6708

ntlm_ssp_based_client_session_security

ntlm_ssp_based_servers_session_security

oval:gov.nist.fdcc.xp:def:6120

oval:gov.nist.fdcc.xp:def:6121

prevent_automatic_updates

Disable-IE-security-prompt-Windows-Installer-scripts

Enable-User-Control-over-installs

oval:gov.nist.fdcc.xp:def:612261222

do_not_automatically_start_windows_messenger_initially

oval:gov.nist.fdcc.xp:def:612261224

oval:gov.nist.fdcc.xp:def:6600

oval:gov.nist.fdcc.xp:def:6726

oval:gov.nist.fdcc.xp:def:6725

solicited_remote_assistance oval:gov.nist.fdcc.xp:def:6564

offer_remote_assistance oval:gov.nist.fdcc.xp:def:6563

set-client-connection-encryption-level

set-timelimit-for-disconnected-sessions

set-timelimit-for-active-but-idle-TerminalServices-sessions

oval:gov.nist.fdcc.xp:def:6683

oval:gov.nist.fdcc.xp:def:6626

oval:gov.nist.fdcc.xp:def:6640

MachineAccessRestrictions

MachineLaunchRestrictions

RequireSmartCard oval:gov.nist.fdcc.xp:def:6082

turn_off_windows_error_reporting

kerberos_enforce_user_logon_restrictions

oval:gov.nist.fdcc.xp:def:987651

kerberos_maximum_lifetime_service_ticket

oval:gov.nist.fdcc.xp:def:987652

kerberos_maximum_lifetime_user_ticket

oval:gov.nist.fdcc.xp:def:987653

kerberos_maximum_lifetime_user_ticket_renewal

oval:gov.nist.fdcc.xp:def:987654

kerberos_maximum_tolerance_computer_clock_synchronization

oval:gov.nist.fdcc.xp:def:987655

Create-Global-Objects_Administrators-SERVICE-LocalService-NetworkService

ImpersonateClientAfterAuthentication-SERVICE_Administrators

oval:gov.nist.fdcc.xp:def:608243

oval:gov.nist.fdcc.xp:def:608244

oval:gov.nist.1:def:125 TCPConnectionResponses oval:gov.nist.fdcc.xp:def:125

oval:gov.nist.1:def:126 TCPMaxDataRetransmissions oval:gov.nist.fdcc.xp:def:126

oval:gov.nist.1:def:206

oval:gov.nist.1:def:207

oval:gov.nist.1:def:208

ErrorReportingService oval:gov.nist.fdcc.xp:def:2111

oval:gov.nist.1:def:245 NetworkDDEService oval:gov.nist.fdcc.xp:def:245

oval:gov.nist.1:def:246 NetworkDDEdsdmService oval:gov.nist.fdcc.xp:def:246

oval:gov.nist.1:def:247 RasManService oval:gov.nist.fdcc.xp:def:247

WebClientService oval:gov.nist.fdcc.xp:def:2271

Wireless-Zero-Configuration oval:gov.nist.fdcc.xp:def:2881

WMIPerformanceAdapter oval:gov.nist.fdcc.xp:def:6719

oval:gov.nist.1:def:119 Disable8Dot3NameCreation oval:gov.nist.fdcc.xp:def:119

oval:gov.nist.fdcc.xp:def:6566

oval:gov.nist.fdcc.xp:def:6565

rpc_endpoint_mapper_client_authentication

Restrictions-for-Unauthenticated-RPC-clients

mshta.exe-permissions oval:gov.nist.fdcc.xp:def:1351

oval:gov.nist.fdcc.xp:def:6662

display_error_notification

turn_off_microsoft_peer_to_peer_networking_services

prohibit_internet_connection_firewall

oval:gov.nist.fdcc.xp:def:3366992

oval:gov.nist.fdcc.xp:def:3366994

oval:gov.nist.fdcc.xp:def:6671

registry_policy_processing oval:gov.nist.fdcc.xp:def:6672

oval:gov.nist.fdcc.xp:def:6674

oval:gov.nist.fdcc.xp:def:6572

oval:gov.nist.fdcc.xp:def:6675

oval:gov.nist.fdcc.xp:def:6679

oval:gov.nist.fdcc.xp:def:6568

oval:gov.nist.fdcc.xp:def:6680

Turn-off-printing-over-HTTP oval:gov.nist.fdcc.xp:def:6571

oval:gov.nist.fdcc.xp:def:6681

internet_explorer_maintenance_policy_processing_enabled

Turn-Off-Automatic-Root-Certificates-Update

Turn-off-downloading-of-print-drivers-over-HTTP

Turn-Off-Event-Views-Events.asp-Links

Turn-Off-Internet-Connection-Wizard-if-URL-Connection-is-Referring-to-Microsoft.com

Turn-off-Internet-download-for-Web-publishing-and-online-ordering-wizards

Turn-Off-Internet-File-Association-Service

Turn-Off-Registration-if-URL-Connection-is-Referring-to-Microsoft.com

oval:gov.nist.fdcc.xp:def:6570

oval:gov.nist.fdcc.xp:def:6682

oval:gov.nist.fdcc.xp:def:6567

oval:gov.nist.fdcc.xp:def:6569

oval:gov.nist.fdcc.xp:def:6696

oval:gov.nist.fdcc.xp:def:6684

oval:gov.nist.fdcc.xp:def:6697

oval:gov.nist.fdcc.xp:def:6573

oval:gov.nist.fdcc.xp:def:6561

oval:gov.nist.fdcc.xp:def:6687

Prevent-IIS-Installation oval:gov.nist.fdcc.xp:def:6107

Turn-off-Search-Companion-content-file-updates

Turn-Off-the-Order-Prints-Picture-Task

Turn-off-the-Publish-to-Web-task-for-files-and-folders

Turn-off-the-Windows-Messenger-Customer-Experience-Improvement-Program

Turn-Off-Windows-Movies-Maker-Automatic-Codec-Downloads

Turn-Off-Windows-Movie-Maker-Online-Web-Links

turn_off_windows_movie_maker_saving_to_online_video_hosting_provider

Turn-off-Windows-Update-device-driver-searching

Do-Not-Process-Run-Once-List

Do-Not-Display-the-Getting-Started-Welcome-Screen-at-Logon

oval:gov.nist.fdcc.xp:def:6110

oval:gov.nist.fdcc.xp:def:6596

oval:gov.nist.fdcc.xp:def:6119

oval:gov.nist.fdcc.xp:def:6122

oval:gov.nist.fdcc.xp:def:6707

oval:gov.nist.fdcc.xp:def:6714

oval:gov.nist.fdcc.xp:def:6502

oval:gov.nist.fdcc.xp:def:6503

oval:gov.nist.fdcc.xp:def:6504

Turn-off-downloading-enclosures

do_not_allow_passwords_to_be_saved

turn_off_shell_protocol_protected_mode

prohibit_non_administrators_install_signed_updates

do_not_show_first_use_dialog_boxes

oval:gov.nist.fdcc.xp:def:612261221

prevent_desktop_shortcut_creation

oval:gov.nist.fdcc.xp:def:612261223

password_protect_the_screen_saver

prompt_for_password_on_resume_from_hibernate_suspend

do_not_preserve_zone_information_in_file_attachments

hide_mechanisms_to_remove_zone_information

notify_antivirus_programs_when_opening_attachments

FDCC Windows XP Firewall XCCDF (fdcc-accepted-content-20080110\fdcc-xpfirewall-xccdf.xml)

FDCC Windows XP Firewall OVAL (fdcc-accepted-content-20080110\fdcc-xpfirewall-oval.xml)

protect_all_network_connections_domain_profile

oval:gov.nist.fdcc.xpfirewall:def:5000

allow_local_program_exceptions_domain_profile

oval:gov.nist.fdcc.xpfirewall:def:5003

allow_remote_administration_exceptions_domain_profile

oval:gov.nist.fdcc.xpfirewall:def:5004

allow_file_print_sharing_exceptions_domain_profile

oval:gov.nist.fdcc.xpfirewall:def:5005

allow_icm_exceptions_domain_profile

oval:gov.nist.fdcc.xpfirewall:def:5006

allow_remote_desktop_exceptions_domain_profile

oval:gov.nist.fdcc.xpfirewall:def:5007

allow_upnp_framework_exceptions_domain_profile

oval:gov.nist.fdcc.xpfirewall:def:5008

prohibit_notifications_domain_profile

oval:gov.nist.fdcc.xpfirewall:def:5009

allow_logging_log_dropped_packets_domain_profile

oval:gov.nist.fdcc.xpfirewall:def:5014

allow_logging_log_path_domain_profile

oval:gov.nist.fdcc.xpfirewall:def:5017

allow_logging_log_size_domain_profile

oval:gov.nist.fdcc.xpfirewall:def:5016

allow_logging_log_successful_connections_domain_profile

oval:gov.nist.fdcc.xpfirewall:def:5015

prohibit_unicast_response_to_multicast_or_broadcast_requests_domain_profile

oval:gov.nist.fdcc.xpfirewall:def:5011

define_port_exceptions_domain_profile

oval:gov.nist.fdcc.xpfirewall:def:6008

allow_local_port_exceptions_domain_profile

oval:gov.nist.fdcc.xpfirewall:def:5013

ProtectAllNetworkConnectionsStandardProfile

oval:gov.nist.fdcc.xpfirewall:def:5100

DoNotAllowExceptionsStandardProfile

oval:gov.nist.fdcc.xpfirewall:def:5101

AllowLocalProgramExceptionsStandardProfile

oval:gov.nist.fdcc.xpfirewall:def:5103

AllowRemoteAdministrationExceptionsStandardProfile

oval:gov.nist.fdcc.xpfirewall:def:51041

AllowFilePrintSharingExceptionsStandardProfile

oval:gov.nist.fdcc.xpfirewall:def:5105

AllowICMPExceptionsStandardProfile

oval:gov.nist.fdcc.xpfirewall:def:5106

AllowRemoteDesktopExceptionsStandardProfile

oval:gov.nist.fdcc.xpfirewall:def:5107

AllowUPnPframeworkExceptionsStandardProfile

oval:gov.nist.fdcc.xpfirewall:def:5108

ProhibitNotificationsStandardProfile

oval:gov.nist.fdcc.xpfirewall:def:5109

mm

ProhibitUnicastResponseToMulticastOrBroadcastRequestsStandardProfile

oval:gov.nist.fdcc.xpfirewall:def:5111

AllowLocalPortExceptionsStandardProfile

oval:gov.nist.fdcc.xpfirewall:def:5113