CCE ID CCE Description
CCE-4017-0 CCE-5 (1) enabled/disabled
CCE-3924-8 CCE-119 (1) enabled/disabled
CCE-3929-7 CCE-146 (1) enabled/disabled
CCE-3576-6 CCE-212 (1) enabled/disabled
Old v4 CCE Id
CCE Parameters
The "Security Zones: Use Only Machine Settings" setting should be configured correctly.
Internet Explorer Processes (Restrict ActiveX Install)
The "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly.
The "Disable Periodic Check For Internet Explorer Software Updates" setting should be configured correctly.
CCE-4043-6 CCE-347 enabled/disabled
CCE-4047-7 CCE-382 enabled/disabled
CCE-3941-2 CCE-449 enabled/disabled
Internet Explorer Processes (Zone Elevation Protection)
The "Internet Explorer Processes (Consistent MIME Handling)" setting should be configured correctly.
The "Allow Software to Run or Install Even if the Signature is Invalid" setting should be configured correctly.
CCE-3338-1 CCE-591 (1) enabled/disabled
CCE-4118-6 CCE-622 (1) enabled/disabled
The "Internet Explorer Processes (MK Protocol)" setting should be configured correctly.
The "Disable Software Update Shell Notifications on Program Launch" setting should be configured correctly.
CCE-4122-8 CCE-668 enabled/disabled
CCE-3518-8 CCE-684 (1) enabled/disabled
CCE-3201-1 CCE-693
CCE-3744-0 CCE-708 enabled/disabled
CCE-3894-3 CCE-753 enabled/disabled
The "Internet Explorer Processes (Restrict File Download)" setting should be configured correctly.
The "Disable Automatic Install of Internet Explorer Components" setting should be configured correctly.
The "Make Proxy Settings Per-Machine (Rather Than Per-User)" setting should be configured correctly.
(1) number of proxy settings
The "Do Not Allow Users to Enable or Disable Add-Ons" setting should be configured correctly.
The "Turn Off Crash Detection" setting should be configured correctly.
CCE-4162-4 CCE-827 enabled/disabled
CCE-3933-9 CCE-833 (1) enabled/disabled
CCE-4149-1 CCE-985 enabled/disabled
CCE-4026-1 CCE-1025 enabled/disabled
The "Internet Explorer Processes (Scripted Window Security Restrictions)" setting should be configured correctly.
The "Security Zones: Do Not Allow Users to Change Policies" setting should be configured correctly.
The "Internet Explorer Processes (MIME Sniffing)" setting should be configured correctly.
The "Check for Signature on Downloaded Programs" setting should be configured correctly.
CCE-4171-5 CCE-42 enabled/disabled
CCE-4109-5 CCE-49 enabled/disabled
CCE-3378-7 CCE-863 enabled/disabled
CCE-4131-9 CCE-286 enabled/disabled
CCE-4013-9 CCE-1031 enabled/disabled
CCE-4153-3 CCE-200 enabled/disabled
CCE-4052-7 CCE-51 enabled/disabled
CCE-4175-6 CCE-876 enabled/disabled
The "Do Not Allow Resetting Internet Explorer Settings" setting should be configured correctly.
The "Allow cut, copy, or paste operations from the clipboard via script" setting should be configured correctly for the Internet Zone.
The "Turn Off First-Run Opt-In" setting should be configured correctly for the Internet Zone.
The "Web Browser Applications" setting should be configured correctly for the Internet Zone.
The "Allow cut, copy, or paste operations from the clipboard via script" setting should be configured correctly for the Restricted Sites Zone.
The "Turn Off First-Run Opt-In" setting should be configured correctly for the Restricted Sites Zone.
The "Web Browser Applications" setting should be configured correctly for the Restricted Sites Zone.
The "Intranet Sites: Include all network paths (UNCs)" setting should be configured correctly.
CCE-3695-4 CCE-810 enabled/disabled
CCE-3777-0 CCE-811 enabled/disabled
CCE-3433-0 CCE-595 enabled/disabled
CCE-4199-6 CCE-938 enabled/disabled
CCE-3204-5 CCE-946 enabled/disabled
CCE-4098-0 CCE-237 enabled/disabled
CCE-3741-6 CCE-541 enabled/disabled
CCE-3997-4 CCE-911 enabled/disabled
The "Disable the Advanced Page" setting should be configured correctly.
The "Disable the Privacy Page" setting should be configured correctly.
The "Disable the Security Page" setting should be configured correctly.
The "Prevent Ignoring Certificate Errors" setting should be configured correctly.
The "Turn Off changing the URL to be displayed for checking updates to Internet Explorer and Internet Tools" setting should be configured correctly.
The "Turn Off Configuring the Update Check Interval (In Days)" setting should be configured correctly.
The "Add-on List" setting should be configured correctly.
The "Deny all add-ons unless specifically allowed in the Add-on List" setting should be configured correctly.
CCE-4001-4 CCE-66 enabled/disabled
CCE-4147-5 CCE-471 enabled/disabled
CCE-4059-2 CCE-611 enabled/disabled
CCE-3935-4 CCE-62 enabled/disabled
CCE-3706-9 CCE-556 enabled/disabled
CCE-3975-0 CCE-948 enabled/disabled
CCE-3993-3 CCE-495 enabled/disabled
CCE-3207-8 CCE-1006 enabled/disabled
CCE-4073-3 CCE-909 enabled/disabled
The "Disable "Configuring History"" setting should be configured correctly.
The "Disable Changing Automatic Configuration Settings" setting should be configured correctly.
The "Disable Changing Connection Settings" setting should be configured correctly.
The "Disable Changing Proxy Settings" setting should be configured correctly.
The "Disable Showing the Splash Screen" setting should be configured correctly.
The "Prevent "Fix settings" Functionality" setting should be configured correctly.
The "Prevent participation in the Customer Experience Improvement Programs" setting should be configured correctly.
The "Prevent performance of First Run Customize settings" setting should be configured correctly.
The "Prevent the deletion of temporary internet files and cookies" setting should be configured correctly.
CCE-3615-2 CCE-1010 enabled/disabled
CCE-3866-1 CCE-1032 enabled/disabled
CCE-3875-2 CCE-1054 enabled/disabled
CCE-4174-9 CCE-964 enabled/disabled
CCE-4192-1 CCE-598 enabled/disabled
CCE-3584-0 CCE-1008 enabled/disabled
CCE-3976-8 CCE-690 enabled/disabled
CCE-3853-9 CCE-47
CCE-3998-2 CCE-685
The "Turn off "Delete Browsing History" functionality" setting should be configured correctly.
The "Turn off Managing Phishing Filter" setting should be configured correctly.
The "Turn off the Security Settings Check feature" setting should be configured correctly.
The "Allow Active Content from CD's to Run on User Machine" setting should be configured correctly.
The "Enable third-party browser extensions" setting should be configured correctly.
The "Automatically Check for Internet Explorer Updates" setting should be configured correctly.
The "Check for Server Certificate Revocation" setting should be configured correctly.
The "Access data sources across domains" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Drag and drop or copy and paste files" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
CCE-3888-5 CCE-491
CCE-3906-5 CCE-355
CCE-4099-8 CCE-280 enabled/disabled
CCE-3601-2 CCE-439
CCE-3249-0 CCE-914 enabled/disabled
CCE-4139-2 CCE-16 enabled/disabled
CCE-3927-1 CCE-1013
CCE-3945-3 CCE-176
The "Font download" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Installation of desktop items" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Allow script-initiated windows without size or position constraints" setting should be configured correctly for the Internet Zone.
The "Allow Scriptlets" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Allow status bar updates via script" setting should be configured correctly for the Internet Zone.
The "Automatic prompting for file downloads" setting should be configured correctly for the Internet Zone.
The "Download signed ActiveX controls" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Download unsigned ActiveX controls" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
CCE-4068-3 CCE-586
CCE-3963-6 CCE-132
CCE-4104-6 CCE-689
CCE-3623-6 CCE-720
CCE-3751-5 CCE-126
CCE-4143-4 CCE-245
CCE-4161-6 CCE-910 enabled/disabled
The "Initialize and script ActiveX controls not marked as safe for scripting" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Java permissions" setting should be configured correctly for the Internet Zone.
Custom/Disable Java/High safety/Low safety/Medium safety
The "Launching programs and files in an IFRAME" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Logon" setting should be configured correctly for the Internet Zone.
Anonymous logon/Automatic logon only in Intranet zone/Automatic logon with current user name and password/Prompt for user name and password
The "Loose XAML" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Navigate sub-frames across different domains" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Open files based on content, not file extension" setting should be configured correctly for the Internet Zone.
CCE-3553-5 CCE-359
CCE-3619-4 CCE-1002 enabled/disabled
CCE-3914-9 CCE-425 enabled/disabled
CCE-3570-9 CCE-724
CCE-3843-0 CCE-1015
CCE-3984-2 CCE-878
CCE-3989-1 CCE-288
CCE-4121-0 CCE-552
The "Software channel permissions" setting should be configured correctly for the Internet Zone.
High safety/low safety/medium safety
The "Use Pop-up Blocker" setting should be configured correctly for the Internet Zone.
The "Userdata persistence" setting should be configured correctly for the Internet Zone.
The "Web sites in less privileged Web content zones can navigate into this zone" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "XPS documents" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Display mixed content" setting should be configured correctly for the Internet Zone.
enabled/disabled/prompt
The "Display mixed content" setting should be configured correctly for the Intranet Zone.
enabled/disabled/prompt
The "Display mixed content" setting should be configured correctly for the Locked Down Intranet Zone.
enabled/disabled/prompt
CCE-4138-4 CCE-473
CCE-4028-7 CCE-239
CCE-3905-7 CCE-636
CCE-4050-1 CCE-292
CCE-4196-2 CCE-178
CCE-3337-3 CCE-41
CCE-4150-9 CCE-970 enabled/disabled
CCE-4062-6 CCE-882
The "Display mixed content" setting should be configured correctly for the Local Machine Zone.
enabled/disabled/prompt
The "Display mixed content" setting should be configured correctly for the Locked Down Local Machine Zone.
enabled/disabled/prompt
The "Access data sources across domains" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Active scripting" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Binary and script behaviors" setting should be configured correctly for the Restricted Sites Zone.
Administrator approved/enabled/disabled
The "Drag and drop or copy and paste files" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "File download" setting should be configured correctly for the Restricted Sites Zone.
The "Font download" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
CCE-4079-0 CCE-763
CCE-4084-0 CCE-680 enabled/disabled
CCE-4119-4 CCE-208 enabled/disabled
CCE-3639-2 CCE-838
CCE-4031-1 CCE-129 enabled/disabled
CCE-4053-5 CCE-175 enabled/disabled
CCE-4057-6 CCE-52
CCE-3564-2 CCE-1012
The "Installation of desktop items" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Allow META REFRESH" setting should be configured correctly for the Restricted Sites Zone.
The "Allow script-initiated windows without size or position constraints" setting should be configured correctly for the Restricted Sites Zone.
The "Allow Scriptlets" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Allow status bar updates via script" setting should be configured correctly for the Restricted Sites Zone.
The "Automatic prompting for file downloads" setting should be configured correctly for the Restricted Sites Zone.
The "Download signed ActiveX controls" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Download unsigned ActiveX controls" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
CCE-4101-2 CCE-26
CCE-3996-6 CCE-925
CCE-4066-7 CCE-339
CCE-3696-2 CCE-128
CCE-3590-7 CCE-639
CCE-4110-3 CCE-995
CCE-4132-7 CCE-409 enabled/disabled
The "Initialize and script ActiveX controls not marked as safe for scripting" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Java permissions" setting should be configured correctly for the Restricted Sites Zone.
Custom/Disable Java/High safety/Low safety/Medium safety
The "Launching programs and files in an IFRAME" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Logon" setting should be configured correctly for the Restricted Sites Zone.
Anonymous logon/Automatic logon only in Intranet zone/Automatic logon with current user name and password/Prompt for user name and password
The "Loose XAML" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Navigate sub-frames across different domains" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Open files based on content, not file extension" setting should be configured correctly for the Restricted Sites Zone.
CCE-3400-9 CCE-678
CCE-4158-2 CCE-563
CCE-4163-2 CCE-841
CCE-4202-8 CCE-973
CCE-3216-9 CCE-1000
CCE-3855-4 CCE-520
CCE-4018-8 CCE-660 enabled/disabled
CCE-4040-2 CCE-28 enabled/disabled
The "Run components not signed with Authenticode" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Run components signed with Authenticode" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Run ActiveX controls and plugins" setting should be configured correctly for the Restricted Sites Zone.
Administrator approved/enabled/disabled/prompt
The "Script ActiveX controls marked safe for scripting" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Scripting of Java applets" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Software channel permissions" setting should be configured correctly for the Restricted Sites Zone.
High safety/low safety/medium safety
The "Use Pop-up Blocker" setting should be configured correctly for the Restricted Sites Zone.
The "Userdata persistence" setting should be configured correctly for the Restricted Sites Zone.
CCE-4215-0 CCE-698
CCE-3991-7 CCE-460
CCE-3264-9 CCE-30
CCE-4087-3 CCE-31
CCE-4232-5 CCE-666
CCE-4259-8 CCE-528 enabled/disabled
CCE-3647-5 CCE-721 enabled/disabled
CCE-3677-2 CCE-69 enabled/disabled
CCE-4056-8 CCE-71 enabled/disabled
The "Web sites in less privileged Web content zones can navigate into this zone" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "XPS documents" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Display mixed content" setting should be configured correctly for the Restricted Sites Zone.
enabled/disabled/prompt
The "Display mixed content" setting should be configured correctly for the Trusted Sites Zone.
enabled/disabled/prompt
The "Display mixed content" setting should be configured correctly for the Locked Down Trusted Sites Zone.
enabled/disabled/prompt
The "Enable Native XMLHttp Support" setting should be configured correctly.
The "Turn on the auto-complete feature for user names and passwords on form" setting should be configured correctly.
The "Allow Install On Demand (Internet Explorer)" setting should be configured correctly.
The "Turn off page transitions" setting should be configured correctly.
CCE-4246-5 CCE-478 enabled/disabled
CCE-4214-3 CCE-412 enabled/disabled
CCE-3606-1 CCE-1037 enabled/disabled
CCE-4237-4 CCE-1051 enabled/disabled
CCE-3275-5 CCE-963 enabled/disabled
CCE-4036-0 CCE-258 enabled/disabled
CCE-3825-7 CCE-769 enabled/disabled
CCE-4226-7 CCE-625 enabled/disabled
CCE-4120-2 CCE-74 enabled/disabled
CCE-4248-1 CCE-122 enabled/disabled
CCE-3389-4 CCE-716 enabled/disabled
CCE-3645-9 CCE-610 enabled/disabled
CCE-3940-4 CCE-619 enabled/disabled
The "Disable AutoComplete for forms" setting should be configured correctly.
The "Disable Save this program to disk option" setting should be configured correctly.
The "Disable changing certificate settings" setting should be configured correctly.
The "Disable external branding of Internet Explorer" setting should be configured correctly.
The "Configure Outlook Express" setting should be configured correctly.
The "Turn on the Internet Connection Wizard Auto Detect" setting should be configured correctly.
The "Disable Internet Connection wizard" setting should be configured correctly.
The "Disable the Reset Web Settings feature" should be configured correctly.
The "Disable Downloading Of Site Subscription Content" setting should be configured correctly.
The "Disable Adding Schedules For Offline Pages" setting should be configured correctly.
The "Disable Adding Channels" setting should be configured correctly.
The "Disable Editing And Creating Of Schedule Groups" setting should be configured correctly.
The "Disable All Scheduled Offline Pages" setting should be configured correctly.
CCE-3821-6 CCE-373 enabled/disabled
CCE-3742-4 CCE-298 enabled/disabled
CCE-4261-4 CCE-1069 enabled/disabled
CCE-4190-5 CCE-615 enabled/disabled
CCE-4208-5 CCE-1003 enabled/disabled
CCE-3754-9 CCE-320
CCE-3891-9 CCE-138
CCE-4160-8 CCE-1045
CCE-4763-9 CCE-1005
The "Disable Editing Schedules For Offline Pages" setting should be configured correctly.
The "Disable Channel User Interface Completely" setting should be configured correctly.
The "Disable Removing Channels" setting should be configured correctly.
The "Disable Removing Schedules For Offline Pages" setting should be configured correctly.
The "Disable Offline Page Hit Logging" setting should be configured correctly.
The "Java permissions" setting should be configured correctly for the Locked Down Intranet Zone.
Custom/Disable Java/High safety/Low safety/Medium safety
The "Java permissions" setting should be configured correctly for the Local Machine Zone.
Custom/Disable Java/High safety/Low safety/Medium safety
The "Java permissions" setting should be configured correctly for the Locked Down Local Machine Zone.
Custom/Disable Java/High safety/Low safety/Medium safety
Computer-wide, rather than per-user, assignment of sites to zones for Internet Explorer should be enabled or disabled as appropriate.
enabled, disabled, or not configured
CCE-4643-3 CCE-281 enabled/disabled
CCE-4652-4 CCE-218
CCE-4793-6 CCE-308
CCE-4692-0 CCE-781
CCE-3902-4 CCE-1088
CCE-4546-8 CCE-1147 enabled/disabled
CCE-4564-1 CCE-140
CCE-3909-9 CCE-1211 enabled/disabled
The "Turn on Protected Mode" setting should be configured correctly for the Internet Zone.
The "Java permissions" setting should be configured correctly for the Intranet Zone.
Custom/Disable Java/High safety/Low safety/Medium safety
The "Download signed ActiveX controls" setting should be configured correctly for the Locked-Down Internet Zone.
enabled/disabled/prompt
The "Java permissions" setting should be configured correctly for the Locked Down Internet Zone.
Custom/Disable Java/High safety/Low safety/Medium safety
The "Java permissions" setting should be configured correctly for the Locked Down Restricted Sites Zone.
Custom/Disable Java/High safety/Low safety/Medium safety
The "Allow status bar updates via script" setting should be configured correctly for the Locked-Down Trusted Sites Zone.
The "Java permissions" setting should be configured correctly for the Locked Down Trusted Sites Zone.
Custom/Disable Java/High safety/Low safety/Medium safety
The "Turn on Protected Mode" setting should be configured correctly for the Restricted Sites Zone.
CCE-4845-4 CCE-675
The "Java permissions" setting should be configured correctly for the Trusted Sites Zone.
Custom/Disable Java/High safety/Low safety/Medium safety
CCE Technical Mechanisms
oval:org.mitre.oval:def:658
oval:org.mitre.oval:def:1400
oval:org.mitre.oval:def:1357
NIST SCAP Microsoft Internet Explorer Version 7.0 OVAL (SCAP-IE7-OVAL-Beta-v3.xml)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Use_HKLM_only Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
oval:org.mitre.oval:def:1277, oval:org.mitre.oval:def:2050
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!explorer.exe, HKLM\Software\Policies\Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict ActiveX Install, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL\iexplore.exe
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_Zones_Map_Edit Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_zones_map_edit
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoUpdateCheck Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoUpdateCheck
oval:org.mitre.oval:def:620
oval:org.mitre.oval:def:884
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!explorer.exe, HKLM\Software\Policies\Microsoft\Internet,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Protection From Zone Elevation, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\iexplore.exe
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!explorer.exe, HKLM\Software\Policies\Microsoft\Internet E,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Binary Behavior Security Restriction, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING\iexplore.exe
HKLM\Software\Policies\Microsoft\Internet Explorer\Download!RunInvalidSignatures,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page , Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Download\RunInvalidSignatures
oval:org.mitre.oval:def:680, oval:org.mitre.oval:def:1392
oval:org.mitre.oval:def:617
oval:org.mitre.oval:def:1188
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!explorer.exe, HKLM\Software\Policies\Microsoft,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/MK Protocol Security Restriction, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL\iexplore.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe
oval:org.mitre.oval:def:320
oval:org.mitre.oval:def:1198
oval:org.mitre.oval:def:1181
oval:org.mitre.oval:def:487
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!explorer.exe, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoJITSetup,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoJITSetup
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoExtensionManagement
oval:org.mitre.oval:def:1380, oval:org.mitre.oval:def:1358, oval:org.mitre.oval:def:1694
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoCrashDetection,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Restrictions\NoCrashDetection
oval:org.mitre.oval:def:465
oval:org.mitre.oval:def:1404
oval:org.mitre.oval:def:317
oval:org.mitre.oval:def:395
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!explorer.exe, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Scripted Window Security Restrictions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\iexplore.exe
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!explorer.exe, Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Mime Sniffing Safety Feature, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING\iexplore.exe
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page , Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Download\CheckExeSignatures
oval:org.mitre.oval:def:583
oval:org.mitre.oval:def:1119
oval:org.mitre.oval:def:242
oval:org.mitre.oval:def:621
oval:org.mitre.oval:def:580
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page , Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\DisableRIED
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1407
oval:org.mitre.oval:def:506, oval:org.mitre.oval:def:533
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1208
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2400
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1407
oval:org.mitre.oval:def:249, oval:org.mitre.oval:def:1393
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1208
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2400
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
oval:org.mitre.oval:def:559, oval:org.mitre.oval:def:1370
oval:org.mitre.oval:def:1111
oval:org.mitre.oval:def:715
oval:org.mitre.oval:def:1187
oval:org.mitre.oval:def:626
oval:org.mitre.oval:def:1278
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\AdvancedTab
oval:org.mitre.oval:def:934, oval:org.mitre.oval:def:660
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\PrivacyTab
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\SecurityTab
oval:org.mitre.oval:def:672, oval:org.mitre.oval:def:601
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\PreventIgnoreCertErrors
oval:org.mitre.oval:def:655, oval:org.mitre.oval:def:1129
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Internet Settings/Component Updates/Periodic Check for Updates to Internet Explorer and Internet Tools, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\Update_Check_Page
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Internet Settings/Component Updates/Periodic Check for Updates to Internet Explorer and Internet Tools, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\Update_Check_Interval
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Add-on Management, Registry Keys:[HKLM | HKCU]\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\ListBox_Support_CLSID
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Add-on Management, Registry Keys:[HKLM | HKCU]\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\RestrictToList
oval:org.mitre.oval:def:1164
oval:org.mitre.oval:def:1322
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\History, [HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\DaysToKeep
oval:org.mitre.oval:def:757, oval:org.mitre.oval:def:1365
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Autoconfig
oval:org.mitre.oval:def:1285, oval:org.mitre.oval:def:613
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Connection Settings, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Connwiz Admin Lock
oval:org.mitre.oval:def:355, oval:org.mitre.oval:def:1128
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Proxy
oval:org.mitre.oval:def:398, oval:org.mitre.oval:def:635
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoSplash
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Security\DisableFixSecuritySettings
oval:org.mitre.oval:def:448, oval:org.mitre.oval:def:640
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\SQM\DisableCustomerImprovementProgram
oval:org.mitre.oval:def:1171, oval:org.mitre.oval:def:1391
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\Settings
oval:org.mitre.oval:def:1382, oval:org.mitre.oval:def:703
oval:org.mitre.oval:def:501
oval:org.mitre.oval:def:400
oval:org.mitre.oval:def:110
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Control Panel\DisableDeleteBrowsingHistory
oval:org.mitre.oval:def:458, oval:org.mitre.oval:def:1474
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\PhishingFilter\Enabled
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
oval:org.mitre.oval:def:916, oval:org.mitre.oval:def:1034
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCAL
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\Enable Browser Extensions
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\NoUpdateCheck
oval:org.mitre.oval:def:656, oval:org.mitre.oval:def:1360
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Advanced Page, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation
oval:org.mitre.oval:def:172, oval:org.mitre.oval:def:1502
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1406
oval:org.mitre.oval:def:674, oval:org.mitre.oval:def:650
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1802
oval:org.mitre.oval:def:1083, oval:org.mitre.oval:def:547
oval:org.mitre.oval:def:1043
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1604
oval:org.mitre.oval:def:524, oval:org.mitre.oval:def:659
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1800
oval:org.mitre.oval:def:223, oval:org.mitre.oval:def:541
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2102
oval:org.mitre.oval:def:589, oval:org.mitre.oval:def:1476
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1209
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2103
oval:org.mitre.oval:def:226, oval:org.mitre.oval:def:1208
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2200
oval:org.mitre.oval:def:1113, oval:org.mitre.oval:def:562
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1001
oval:org.mitre.oval:def:1199, oval:org.mitre.oval:def:546
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1004
oval:org.mitre.oval:def:391, oval:org.mitre.oval:def:1200
oval:org.mitre.oval:def:240
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1201
oval:org.mitre.oval:def:1040, oval:org.mitre.oval:def:739
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1C00
oval:org.mitre.oval:def:1174, oval:org.mitre.oval:def:725
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1804
oval:org.mitre.oval:def:611, oval:org.mitre.oval:def:1487
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A00
oval:org.mitre.oval:def:691, oval:org.mitre.oval:def:1123
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2402
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1607
oval:org.mitre.oval:def:612, oval:org.mitre.oval:def:1394
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2100
oval:org.mitre.oval:def:953, oval:org.mitre.oval:def:1300
oval:org.mitre.oval:def:1108
oval:org.mitre.oval:def:628
oval:org.mitre.oval:def:245
oval:org.mitre.oval:def:1166
oval:org.mitre.oval:def:247
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1E05
oval:org.mitre.oval:def:302, oval:org.mitre.oval:def:1398
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1809
oval:org.mitre.oval:def:1179, oval:org.mitre.oval:def:558
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1606
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2101
oval:org.mitre.oval:def:265, oval:org.mitre.oval:def:1432
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2401
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1609
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1609
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1609
oval:org.mitre.oval:def:383
oval:org.mitre.oval:def:418
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1609
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1609
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1406
oval:org.mitre.oval:def:652, oval:org.mitre.oval:def:750
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400
oval:org.mitre.oval:def:293, oval:org.mitre.oval:def:561
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2000
oval:org.mitre.oval:def:365, oval:org.mitre.oval:def:1314
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1802
oval:org.mitre.oval:def:498, oval:org.mitre.oval:def:1465
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1803
oval:org.mitre.oval:def:1184, oval:org.mitre.oval:def:1318
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1604
oval:org.mitre.oval:def:1109, oval:org.mitre.oval:def:1410
oval:org.mitre.oval:def:1217
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1800
oval:org.mitre.oval:def:251, oval:org.mitre.oval:def:1257
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1608
oval:org.mitre.oval:def:1218, oval:org.mitre.oval:def:1270
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2102
oval:org.mitre.oval:def:1234, oval:org.mitre.oval:def:574
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1209
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1001
oval:org.mitre.oval:def:378, oval:org.mitre.oval:def:1320
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2200
oval:org.mitre.oval:def:252, oval:org.mitre.oval:def:1312
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1001
oval:org.mitre.oval:def:1019, oval:org.mitre.oval:def:1389
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1004
oval:org.mitre.oval:def:949, oval:org.mitre.oval:def:579
oval:org.mitre.oval:def:275
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1201
oval:org.mitre.oval:def:273, oval:org.mitre.oval:def:1342
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1C00
oval:org.mitre.oval:def:824, oval:org.mitre.oval:def:732
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1804
oval:org.mitre.oval:def:274, oval:org.mitre.oval:def:1223
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1A00
oval:org.mitre.oval:def:326, oval:org.mitre.oval:def:1378
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2402
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1607
oval:org.mitre.oval:def:1229, oval:org.mitre.oval:def:1292
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2100
oval:org.mitre.oval:def:706, oval:org.mitre.oval:def:1421
oval:org.mitre.oval:def:300
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2004
oval:org.mitre.oval:def:329, oval:org.mitre.oval:def:599
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2001
oval:org.mitre.oval:def:276, oval:org.mitre.oval:def:1428
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1200
oval:org.mitre.oval:def:571, oval:org.mitre.oval:def:1594
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1405
oval:org.mitre.oval:def:602, oval:org.mitre.oval:def:1274
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1402
oval:org.mitre.oval:def:280, oval:org.mitre.oval:def:641
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1E05
oval:org.mitre.oval:def:290, oval:org.mitre.oval:def:1214
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1809
oval:org.mitre.oval:def:1100, oval:org.mitre.oval:def:1286
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1606
oval:org.mitre.oval:def:1176
oval:org.mitre.oval:def:314
oval:org.mitre.oval:def:1153
oval:org.mitre.oval:def:1183
oval:org.mitre.oval:def:338
oval:org.mitre.oval:def:645
oval:org.mitre.oval:def:523
oval:org.mitre.oval:def:1206
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2101
oval:org.mitre.oval:def:1219, oval:org.mitre.oval:def:1243
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2401
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1609
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1609
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1609
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\XMLHTTP
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!FormSuggest Passwords, HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\FormSuggest Passwords
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NoJITSetup
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Page_Transitions
oval:org.mitre.oval:def:1516
oval:org.mitre.oval:def:505
oval:org.mitre.oval:def:1362
oval:org.mitre.oval:def:1384
oval:org.mitre.oval:def:1238
oval:org.mitre.oval:def:604
oval:org.mitre.oval:def:1355
oval:org.mitre.oval:def:1437
oval:org.mitre.oval:def:1080
oval:org.mitre.oval:def:1293
oval:org.mitre.oval:def:1383
oval:org.mitre.oval:def:1397
oval:org.mitre.oval:def:1501
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Use FormSuggest, HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!FormSuggest
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoSelectDownloadDir
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Certificates
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoExternalBranding
HKCU\Software\Microsoft\Outlook Express!BlockExeAttachments
HKCU\Software\Policies\Microsoft\Internet Connection Wizard!DisableICW
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Connwiz Admin Lock
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!ResetWebSettings
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoSubscriptionContent
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingSubscriptions
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoAddingChannels
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoEditingScheduleGroups
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoScheduledUpdates
oval:org.mitre.oval:def:1565
oval:org.mitre.oval:def:1782
oval:org.mitre.oval:def:1801
oval:org.mitre.oval:def:1954
oval:org.mitre.oval:def:2026
oval:org.mitre.oval:def:2039
oval:org.mitre.oval:def:1422
oval:org.mitre.oval:def:1986
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoEditingSubscriptions
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoChannelUI
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoRemovingChannels
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoRemovingSubscriptions
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoChannelLogging
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1C00
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1C00
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1C00
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Turn on Protected Mode
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1C00
GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone\Download signed ActiveX controls
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\1C00
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1C00
GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone\Allow status bar updates via script
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\1C00
(1) GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Turn on Protected Mode (2) Registry Keys:[HKLM|HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500
Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone/Java permissions, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1C00
IEProcesses-RestrictActiveXInstall-LocalComputer
DoNotAllowUsersAddDeleteSites-LocalComputer
NIST SCAP Microsoft Internet Explorer Version 7.0 XCCDF (SCAP-IE7-XCCDF-Beta-v3.xml)
FDCC IE7 XCCDF (fdcc-accepted-content-20080110\fdcc-ie7-xccdf.xml)
UseOnlyMachineSettings-LocalComputer, UseOnlyMachineSettings-LocalComputer-Disabled
use_only_machine_settings_local_computer
IEProcesses_RestrictActiveXInstall_LocalComputer
DoNotAllowUsersAddDeleteSites_LocalComputer
DisablePeriodicCheckForIESoftwareUpdates-LocalComputer
DisablePeriodicCheckForIESoftwareUpdates_LocalComputer
IEProcesses-ConsistentMimeHandling-LocalComputer
IEProcesses_ProtectionFromZoneElevation_LocalComputer
IEProcesses_ConsistentMimeHandling_LocalComputer
AllowSoftwareRunInstallSignatureInvalid-LocalComputer, AllowSoftwareToRununOrInstallEvenIfSignatureInvalid-LocalUser
AllowSoftwareRunInstallSignatureInvalid_LocalComputer
IEProcesses-MKProtocolSecurityRestriction-LocalComputer
IEProcesses_MKProtocolSecurityRestriction_LocalComputer
DisableSoftwareUpdateShellNotifications-LocalComputer
DisableSoftwareUpdateShellNotifications_LocalComputer
IEProcesses-RestrictFileDownload-LocalComputer
MakeProxySettingsPerMachine-LocalComputer
TurnOffCrashDetection-LocalComputer
IEProcesses_RestrictFileDownload_LocalComputer
DisableAutomaticInstallOfIEComponents-LocalComputer
DisableAutomaticInstallOfIEComponents_LocalComputer
MakeProxySettingsPerMachine_LocalComputer
DoNotAllowUsersEnableDisableAddOns-LocalComputer, DoNotAllowUsersEnableDisableAddOns-LocalUser
DoNotAllowUsersEnableDisableAddOns_LocalComputer
TurnOffCrashDetection_LocalComputer
DoNotAllowUsersChangePolicies-LocalComputer
CheckSignatureDownloadedPrograms-LocalComputer
IEProcesses-ScriptedWindowSecurityRestrictions-LocalComputer
IEProcesses_ScriptedWindowSecurityRestrictions_LocalComputer
DoNotAllowUsersChangePolicies_LocalComputer
IEProcesses-MimeSniffingSafetyFeature-LocalComputer
IEProcesses_MimeSniffingSafetyFeature_LocalComputer
CheckSignatureDownloadedPrograms_LocalComputer
DoNotAllowResettingIESettings-LocalComputer
TurnOffFirst-RunOpt-In-InternetZone-LocalComputer
WebBrowserApplications-InternetZone-LocalComputer
DoNotAllowResettingIESettings_LocalComputer
AllowCutCopyPasteOperationsFromClipboardViaScript-InternetZone-LocalComputer, AllowCutCopyPasteOperationsFromClipboardViaScript-InternetZone-LocalUser
allow_cut_copy_paste_operations_from_clipboard_via_script_internet_zone_local_computer
TurnOffFirstRunOptIn_InternetZone_LocalComputer
WebBrowserApplications_InternetZone_LocalComputer
AllowCutCopyPasteOperationsFromClipboardViaScript-RestrictedSitesZone-LocalComputer, AllowCutCopyPasteOperationsFromClipboardViaScript-RestrictedSitesZone-LocalUser
AllowCutCopyPasteOperationsFromClipboardViaScript_RestrictedSitesZone_LocalComputer
TurnOffFirst-RunOpt-In-RestrictedSitesZone-LocalComputer
TurnOffFirstRunOptIn_RestrictedSitesZone_LocalComputer
WebBrowserApplications-RestrictedSitesZone-LocalComputer
WebBrowserApplications_RestrictedSitesZone_LocalComputer
IncludeAllNetworkPaths-LocalComputer, IncludeAllNetworkPaths-LocalUser
include_all_network_paths_local_computer
DisableThePrivacyPage-LocalComputer
TurnOffChangingURLDisplay-LocalComputer
AddOnList-LocalComputer
DenyAllAddOns-LocalComputer
DisableTheAdvancedPage-LocalComputer, DisableTheAdvancedPage-LocalUser
DisableTheSecurityPage-LocalComputer, DisableTheSecurityPage-LocalUser
PreventIgnoingCertificateErrors-LocalComputer, PreventIgnoingCertificateErrors-LocalUser
prevent_ignoring_certificate_errors_local_computer
TurnOffChangingURLDisplay_LocalComputer
TurnOffConfiguringUpdateCheckInterval-LocalComputer
TurnOffConfiguringUpdateCheckInterval_LocalComputer
DisableShowingSplashScreen-LocalComputer
DisableConfiguringHistory-LocalComputer, DisableConfiguringHistory-LocalUser
DisableConfiguringHistory_LocalComputer
DisableChangingAutomaticConfigurationSettings-LocalComputer, DisableChangingAutomaticConfigurationSettings-LocalUser
DisableChangingAutomaticConfigurationSettings_LocalComputer
DisableChangingConnectionSettings-LocalComputer, DisableChangingConnectionSettings-LocalUser
DisableChangingProxySettings-LocalComputer, DisableChangingProxySettings-LocalUser
DisableShowingSplashScreen_LocalComputer
PreventFixSettingsFunctionality-LocalComputer, PreventFixSettingsFunctionality-LocalUser
PreventParticipationInCustomerExperienceImprovementPrograms-LocalComputer, PreventParticipationInCustomerExperienceImprovementPrograms-LocalUser
PreventParticipationInCustomerExperienceImprovementPrograms_LocalComputer
PreventPerformanceOfFirstRunCustomizeSettings-LocalComputer
PreventPerformanceOfFirstRunCustomizeSettings_LocalComputer
PerventDeletationOfTempInternetFiles-LocalComputer, PerventDeletationOfTempInternetFiles-LocalUser
TurnOffManagingPhishingFilter-LocalComputer
AllowActiveContentFromCD-LocalComputer
AllowThird-PartyBrowserExtensions-LocalComputer
TurnOffDeleteBrowsingHistoryFunctionality-LocalComputer, TurnOffDeleteBrowsingHistoryFunctionality-LocalUser
TurnOffDeleteBrowsingHistoryFunctionality_LocalComputer
TurnOffManagingPhishingFilter_LocalComputer
TurnOffSecuritySettingsCheckFeature-LocalComputer, TurnOffSecuritySettingsCheckFeature-LocalUser
TurnOffSecuritySettingsCheckFeature_LocalComputer
AllowActiveContentFromCD_LocalComputer
AllowThird-PartyBrowserExtensions_LocalComputer
AutomaticallyCheckIEUpdates-LocalComputer, AutomaticallyCheckForIEUpdates-LocalUser
AutomaticallyCheckIEUpdates_LocalComputer
CheckServerCertificateRevocation-LocalComputer, CheckForServerCertificateRevocation-LocalUser
CheckServerCertificateRevocation_LocalComputer
AccessDataSourcesAcrossDomains-InternetZone-LocalComputer, AccessDataSourcesAcrossDomains-InternetZone-LocalUser
access_data_sources_across_domains_internet_zone_local_computer
AllowDragDropOrCopyPasteFiles-InternetZone-LocalComputer, AllowDragDropOrCopyPasteFiles-InternetZone-LocalUser
AllowDragDropOrCopyPasteFiles_InternetZone_LocalComputer
AllowScriptlets-InternetZone-LocalComputer
AllowFontDownloads-InternetZone-LocalComputer, AllowFontDownloads-InternetZone-LocalUser
AllowFontDownloads_InternetZone_LocalComputer
AllowInstallationOfDesktopItems-InternetZone-LocalComputer, AllowInstallationOfDesktopItems-InternetZone-LocalUser
AllowInstallationOfDesktopItems_InternetZone_LocalComputer
AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-InternetZone-LocalComputer, AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-InternetZone-LocalUser
AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints_InternetZone_LocalComputer
allow_scriptlets_internet_zone_local_computer
AllowStatusBarUpdatesViaScript-InternetZone-LocalComputer, AllowStatusBarUpdatesViaScript-InternetZone-LocalUser
allow_status_bar_updates_via_script_internet_zone_local_computer
AutomaticPromptingFileDownloads-InternetZone-LocalComputer, AutomaticPromptingFileDownloads-InternetZone-LocalUser
AutomaticPromptingFileDownloads_InternetZone_LocalComputer
DownloadSignedActiveXControls-InternetZone-LocalComputer, DownloadSignedActiveXControls-InternetZone-LocalUser
download_signed_activex_controls_InternetZone_LocalComputer
DownloadUnsignedActiveXControls-InternetZone-LocalComputer, DownloadUnsignedActiveXControls-InternetZone-LocalUser
DownloadUnsignedActiveXControls_InternetZone_LocalComputer
JavaPermissions-InternetZone-LocalUser
LooseXAMLFiles-InternetZone-LocalComputer
InitializeScriptActiveXControlsNotMarkedAsSafe-InternetZone-LocalComputer, JavaPermissions-InternetZone-LocalComputer, InitializeScriptActiveXControlsNotMarkedAsSafe-InternetZone-LocalUser
InitializeScriptActiveXControlsNotMarkedAsSafe_InternetZone_LocalComputer
java_permissions_internet_zone_local_computer
LaunchingApplicationsAndFilesInIFRAME-InternetZone-LocalComputer, LaunchingApplicationsAndFilesInIFRAME-InternetZone-LocalUser
LaunchingApplicationsAndFilesInIFRAME_InternetZone_LocalComputer
LogonOptions-InternetZone-LocalComputer, LogonOptions-InternetZone-LocalUser
LogonOptions_InternetZone_LocalComputer
LooseXAMLFiles_InternetZone_LocalComputer
NavigateSub-framesAcrossDifferentDomains-InternetZone-LocalComputer, NavigateSub-framesAcrossDifferentDomains-InternetZone-LocalUser
navigate_sub_frames_across_different_domains_Internet_zone_local_computer
OpenFilesBasedOnContent-InternetZone-LocalComputer, OpenFilesBasedOnContent-InternetZone-LocalUser
OpenFilesBasedOnContent_InternetZone_LocalComputer
UserdataPersistence-InternetZone-LocalComputer
XPSFiles-InternetZone-LocalComputer
DisplayMixedContent-IntranetZone-LocalComputer
SoftwareChannelPermissions-InternetZone-LocalComputer, SoftwareChannelPermissions-InternetZone-LocalUser
SoftwareChannelPermissions_InternetZone_LocalComputer
UsePop-upBlocker-InternetZone-LocalComputer, UsePop-upBlocker-InternetZone-LocalUser
UsePop-upBlocker_InternetZone_LocalComputer
UserdataPersistence_InternetZone_LocalComputer
WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-InternetZone-LocalComputer, WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-InternetZone-LocalUser
WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone_InternetZone_LocalComputer
DisplayMixedContent-LockedDownInternetZone-LocalComputer
display_mixed_content_locked_down_internet_zone_local_computer
display_mixed_content_intranet_zone_local_computer
DisplayMixedContent-LockedDownIntranetZone-LocalComputer
display_mixed_content-LockedDownintranet_zone_local_computer
DisplayMixedContent-LocalMachineZone-LocalComputer
display_mixed_content-local_machine_zone_local_computer
DisplayMixedContent-LockedDownLocalMachineZone-LocalComputer
display_mixed_content-LockedDownlocal_machine_zone_local_computer
AccessDataSourcesAcrossDomains-RestrictedSitesZone-LocalComputer, AccessDataSourcesAcrossDomains-RestrictedSitesZone-LocalUser
AccessDataSourcesAcrossDomains_RestrictedSitesZone_LocalComputer
AllowActiveScripting-RestrictedSitesZone-LocalComputer, AllowActiveScripting-RestrictedSitesZone-LocalUser
AllowActiveScripting_RestrictedSitesZone_LocalComputer
AllowBinaryAndScriptBehaviors-RestrictedSitesZone-LocalComputer, AllowBinaryAndScriptBehaviors-RestrictedSitesZone-LocalUser
AllowBinaryAndScriptBehaviors_RestrictedSitesZone_LocalComputer
AllowDragDropOrCopyPasteFiles-RestrictedSitesZone-LocalComputer, AllowDragDropOrCopyPasteFiles-RestrictedSitesZone-LocalUser
AllowDragDropOrCopyPasteFiles_RestrictedSitesZone_LocalComputer
AllowFileDownloads-RestrictedSitesZone-LocalComputer, AllowFileDownloads-RestrictedSitesZone-LocalUser
AllowFileDownloads_RestrictedSitesZone_LocalComputer
AllowFontDownloads-RestrictedSitesZone-LocalComputer, AllowFontDownloads-RestrictedSitesZone-LocalUser
AllowFontDownloads_RestrictedSitesZone_LocalComputer
AllowScriptlets-RestrictedSitesZone-LocalComputer
AllowInstallationOfDesktopItems-RestrictedSitesZone-LocalComputer, AllowInstallationOfDesktopItems-RestrictedSitesZone-LocalUser
AllowInstallationOfDesktopItems_RestrictedSitesZone_LocalComputer
AllowMETAREFRESH-RestrictedSitesZone-LocalComputer, AllowMETAREFRESH-RestrictedSitesZone-LocalUser
AllowMETAREFRESH_RestrictedSitesZone_LocalComputer
AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-RestrictedSitesZone-LocalComputer, AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints-RestrictedSitesZone-LocalUser
AllowScriptInitiatedWindowsWithoutSizeOrPositionConstraints_RestrictedSitesZone_LocalComputer
AllowStatusBarUpdatesViaScript-RestrictedSitesZone-LocalComputer, AllowStatusBarUpdatesViaScript-RestrictedSitesZone-LocalUser
AllowStatusBarUpdatesViaScript_RestrictedSitesZone_LocalComputer
AutomaticPromptingFileDownloads-RestrictedSitesZone-LocalComputer, AutomaticPromptingFileDownloads-RestrictedSitesZone-LocalUser
AutomaticPromptingFileDownloads_RestrictedSitesZone_LocalComputer
DownloadSignedActiveXControls-RestrictedSitesZone-LocalComputer, DownloadSignedActiveXControls-RestrictedSitesZone-LocalUser
download_signed_activex_controls_RestrictedSitesZone_LocalComputer
DownloadUnsignedActiveXControls-RestrictedSitesZone-LocalComputer, DownloadUnsignedActiveXControls-RestrictedSitesZone-LocalUser
DownloadUnsignedActiveXControls_RestrictedSitesZone_LocalComputer
LooseXAMLFiles-RestrictedSitesZone-LocalComputer
InitializeScriptActiveXControlsNotMarkedAsSafe-RestrictedSitesZone-LocalComputer, InitializeScriptActiveXControlsNotMarkedAsSafe-RestrictedSitesZone-LocalUser
InitializeScriptActiveXControlsNotMarkedAsSafe_RestrictedSitesZone_LocalComputer
JavaPermissions-RestrictedSitesZone-LocalComputer, JavaPermissions-RestrictedSitesZone-LocalUser
java_permissions_RestrictedSitesZone_LocalComputer
LaunchingApplicationsAndFilesInIFRAME-RestrictedSitesZone-LocalComputer, LaunchingApplicationsAndFilesInIFRAME-RestrictedSitesZone-LocalUser
LaunchingApplicationsAndFilesInIFRAME_RestrictedSitesZone_LocalComputer
LogonOptions-RestrictedSitesZone-LocalComputer, LogonOptions-RestrictedSitesZone-LocalUser
LogonOptions_RestrictedSitesZone_LocalComputer
LooseXAMLFiles_RestrictedSitesZone_LocalComputer
NavigateSub-framesAcrossDifferentDomains-RestrictedSitesZone-LocalComputer, NavigateSub-framesAcrossDifferentDomains-RestrictedSitesZone-LocalUser
NavigateSub-framesAcrossDifferentDomains_RestrictedSitesZone_LocalComputer
OpenFilesBasedOnContent-RestrictedSitesZone-LocalComputer, OpenFilesBasedOnContent-RestrictedSitesZone-LocalUser
OpenFilesBasedOnContent_RestrictedSitesZone_LocalComputer
RunNETFrameworkReliantComponentsNotSignedWithAuthenticode-RestrictedSitesZone-LocalComputer, RunNETFrameworkReliantComponentsNotSignedWithAuthenticode-RestrictedSitesZone-LocalUser
RunNETFrameworkReliantComponentsNotSignedWithAuthenticode_RestrictedSitesZone_LocalComputer
RunNETFrameworkReliantComponentsSignedWithAuthenticode-RestrictedSitesZone-LocalComputer, RunNETFrameworkReliantComponentsSignedWithAuthenticode-RestrictedSitesZone-LocalUser
RunNETFrameworkReliantComponentsSignedWithAuthenticode_RestrictedSitesZone_LocalComputer
RunActiveXControlsAndPlugins-RestrictedSitesZone-LocalComputer, RunActiveXControlsAndPlugins-RestrictedSitesZone-LocalUser
RunActiveXControlsAndPlugins_RestrictedSitesZone_LocalComputer
ScriptActiveXControlsMarkedSafeForScripting-RestrictedSitesZone-LocalComputer, ScriptActiveXControlsMarkedSafeForScripting-RestrictedSitesZone-LocalUser
ScriptActiveXControlsMarkedSafeForScripting_RestrictedSitesZone_LocalComputer
ScriptingOfJavaApplets-RestrictedSitesZone-LocalComputer, ScriptingOfJavaApplets-RestrictedSitesZone-LocalUser
ScriptingOfJavaApplets_RestrictedSitesZone_LocalComputer
SoftwareChannelPermissions-RestrictedSitesZone-LocalComputer, SoftwareChannelPermissions-RestrictedSitesZone-LocalUser
SoftwareChannelPermissions_RestrictedSitesZone_LocalComputer
UsePop-upBlocker-RestrictedSitesZone-LocalComputer, UsePop-upBlocker-RestrictedSitesZone-LocalUser
UsePop-upBlocker_RestrictedSitesZone_LocalComputer
UserdataPersistence-RestrictedSitesZone-LocalComputer
UserdataPersistence_RestrictedSitesZone_LocalComputer
XPSFiles-RestrictedSitesZone-LocalComputer
DisplayMixedContent-TrustedSitesZone-LocalComputer
EnableNativeXMLHttpSupport-LocalComputer
DisableSaveThisProgramToDiskOption-LocalUser
AllowInstallOnDemandIE-LocalUser
TurnOffPageTransitions-LocalUser
TurnOffPageTransitions_LocalUser
WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-RestrictedSitesZone-LocalComputer, WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone-RestrictedSitesZone-LocalUser
WebSitesInLessPrivilegedWebContentZonesCanNavigateIntoThisZone_RestrictedSitesZone_LocalComputer
DisplayMixedContent-LockedDownRestrictedSitesZone-LocalComputer
display_mixed_content-LockedDownRestrictedSitesZone_LocalComputer
display_mixed_content_trusted_sites_zone_local_computer
DisplayMixedContent-LockedDownTrustedSitesZone-LocalComputer
display_mixed_content_LockedDowntrusted_sites_zone_local_computer
EnableNativeXMLHttpSupport_LocalComputer
TurnOnAutoCompleteFeatureForUserNamesAndPasswords_LocalUser
allow_install_on_demand_ie_local_computer
DisableAutoCompleteForForms-LocalUser
AllowInstallOnDemandIE-LocalUser
DisableChangingCertificateSettings-LocalUser
DisableExternalBrandingOfIE-LocalUser
ConfigureOutlookExpress-LocalUser
InternetConnectionWizardSettings-LocalUser
DisableInternetConnectionWizard-LocalUser
DisableResetWebSettingsFeature-LocalUser
DisableAddingSchedulesForOfflinePages-LocalUser
DisableAddingChannels-LocalUser
DisableAllScheduledOfflinePages-LocalUser
DisableAutoCompleteForForms_LocalUser
DisableExternalBrandingOfIE_LocalUser
configure_outlook_express_local_user
TurnOnInternetConnectionWizardAutoDetect_LocalUser
DisableInternetConnectionWizard_LocalUser
DisableResetWebSettingsFeature_LocalUser
DisableDownloadingOfSiteSubscriptionContent-LocalUser
DisableEditingAndCreatingOfScheduleGroups-LocalUser
DisableEditingSchedulesForOfflinePages-LocalUser
DisableChannelUserInterfaceCompletely-LocalUser
DisableRemovingChannels-LocalUser
DisableRemovingSchedulesForOfflinePages-LocalUser
DisableOfflinePageHitLogging-LocalUser
JavaPermissions-LocalMachineZone-LocalComputer
JavaPermissions-LockedDownIntranetZone-LocalComputer
java_permissions_LockedDownintranet_zone_local_computer
java_permissions_local_machine_zone_local_computer
JavaPermissions-LockedDownLocalMachineZone-LocalComputer
java_permissions_LockedDownlocal_machine_zone_local_computer
site_to_zone_assignment_list_local_computer
TurnOnProtectedMode_InternetZone_LocalComputer
java_permissions_intranet_zone_local_computer
download_signed_activex_controls_locked_down_internet_zone_local_computer
java_permissions_locked_down_internet_zone_local_computer
java_permissions_LockedDownRestrictedSitesZone_LocalComputer
AllowStatusBarUpdatesViaScript_LockedDowntrusted_sites_zone_local_computer
java_permissions_LockedDowntrusted_sites_zone_local_computer
TurnOnProtectedMode_RestrictedSitesZone_LocalComputer
oval:gov.nist.fdcc.ie7:def:1277
oval:gov.nist.fdcc.ie7:def:658
oval:gov.nist.fdcc.ie7:def:1400
oval:gov.nist.fdcc.ie7:def:1357
FDCC IE7 OVAL (fdcc-accepted-content-20080110\fdcc-ie7-oval.xml)
oval:gov.nist.fdcc.ie7:def:320
oval:gov.nist.fdcc.ie7:def:1198
oval:gov.nist.fdcc.ie7:def:1181
oval:gov.nist.fdcc.ie7:def:1694
oval:gov.nist.fdcc.ie7:def:487
oval:gov.nist.fdcc.ie7:def:465
oval:gov.nist.fdcc.ie7:def:1404
oval:gov.nist.fdcc.ie7:def:317
oval:gov.nist.fdcc.ie7:def:395
oval:gov.nist.fdcc.ie7:def:583
oval:gov.nist.fdcc.ie7:def:506
oval:gov.nist.fdcc.ie7:def:1119
oval:gov.nist.fdcc.ie7:def:242
oval:gov.nist.fdcc.ie7:def:249
oval:gov.nist.fdcc.ie7:def:621
oval:gov.nist.fdcc.ie7:def:580
oval:gov.nist.fdcc.ie7:def:559
oval:gov.nist.fdcc.ie7:def:757
oval:gov.nist.fdcc.ie7:def:1285
oval:gov.nist.fdcc.ie7:def:1164
oval:gov.nist.fdcc.ie7:def:1171
oval:gov.nist.fdcc.ie7:def:1322
oval:gov.nist.fdcc.ie7:def:458
oval:gov.nist.fdcc.ie7:def:501
oval:gov.nist.fdcc.ie7:def:916
oval:gov.nist.fdcc.ie7:def:400
oval:gov.nist.fdcc.ie7:def:110
oval:gov.nist.fdcc.ie7:def:656
oval:gov.nist.fdcc.ie7:def:172
oval:gov.nist.fdcc.ie7:def:674
oval:gov.nist.fdcc.ie7:def:1083
oval:gov.nist.fdcc.ie7:def:524
oval:gov.nist.fdcc.ie7:def:223
oval:gov.nist.fdcc.ie7:def:589
oval:gov.nist.fdcc.ie7:def:1043
oval:gov.nist.fdcc.ie7:def:226
oval:gov.nist.fdcc.ie7:def:1113
oval:gov.nist.fdcc.ie7:def:1199
oval:gov.nist.fdcc.ie7:def:391
oval:gov.nist.fdcc.ie7:def:1040
oval:gov.nist.fdcc.ie7:def:1174
oval:gov.nist.fdcc.ie7:def:611
oval:gov.nist.fdcc.ie7:def:691
oval:gov.nist.fdcc.ie7:def:240
oval:gov.nist.fdcc.ie7:def:612
oval:gov.nist.fdcc.ie7:def:953
oval:gov.nist.fdcc.ie7:def:302
oval:gov.nist.fdcc.ie7:def:1179
oval:gov.nist.fdcc.ie7:def:1108
oval:gov.nist.fdcc.ie7:def:265
oval:gov.nist.fdcc.ie7:def:245
oval:gov.nist.fdcc.ie7:def:1166
oval:gov.nist.fdcc.ie7:def:247
oval:gov.nist.fdcc.ie7:def:383
oval:gov.nist.fdcc.ie7:def:418
oval:gov.nist.fdcc.ie7:def:652
oval:gov.nist.fdcc.ie7:def:293
oval:gov.nist.fdcc.ie7:def:365
oval:gov.nist.fdcc.ie7:def:498
oval:gov.nist.fdcc.ie7:def:1184
oval:gov.nist.fdcc.ie7:def:1109
oval:gov.nist.fdcc.ie7:def:251
oval:gov.nist.fdcc.ie7:def:1218
oval:gov.nist.fdcc.ie7:def:1234
oval:gov.nist.fdcc.ie7:def:378
oval:gov.nist.fdcc.ie7:def:252
oval:gov.nist.fdcc.ie7:def:1019
oval:gov.nist.fdcc.ie7:def:949
oval:gov.nist.fdcc.ie7:def:273
oval:gov.nist.fdcc.ie7:def:824
oval:gov.nist.fdcc.ie7:def:274
oval:gov.nist.fdcc.ie7:def:326
oval:gov.nist.fdcc.ie7:def:275
oval:gov.nist.fdcc.ie7:def:1229
oval:gov.nist.fdcc.ie7:def:706
oval:gov.nist.fdcc.ie7:def:329
oval:gov.nist.fdcc.ie7:def:276
oval:gov.nist.fdcc.ie7:def:571
oval:gov.nist.fdcc.ie7:def:602
oval:gov.nist.fdcc.ie7:def:280
oval:gov.nist.fdcc.ie7:def:290
oval:gov.nist.fdcc.ie7:def:1100
oval:gov.nist.fdcc.ie7:def:300
oval:gov.nist.fdcc.ie7:def:1219
oval:gov.nist.fdcc.ie7:def:314
oval:gov.nist.fdcc.ie7:def:1153
oval:gov.nist.fdcc.ie7:def:1183
oval:gov.nist.fdcc.ie7:def:338
oval:gov.nist.fdcc.ie7:def:645
oval:gov.nist.fdcc.ie7:def:9999
oval:gov.nist.fdcc.ie7:def:1206
oval:gov.nist.fdcc.ie7:def:1516
oval:gov.nist.fdcc.ie7:def:1384
oval:gov.nist.fdcc.ie7:def:1238
oval:gov.nist.fdcc.ie7:def:604
oval:gov.nist.fdcc.ie7:def:1355
oval:gov.nist.fdcc.ie7:def:1437
oval:gov.nist.fdcc.ie7:def:2039
oval:gov.nist.fdcc.ie7:def:1422
oval:gov.nist.fdcc.ie7:def:1986
oval:gov.nist.fdcc.ie7:def:9998
oval:gov.nist.fdcc.ie7:def:111999
oval:gov.nist.fdcc.ie7:def:1883
oval:gov.nist.fdcc.ie7:def:24599
oval:gov.nist.fdcc.ie7:def:1419
oval:gov.nist.fdcc.ie7:def:1753
oval:gov.nist.fdcc.ie7:def:118399
oval:gov.nist.fdcc.ie7:def:1699
oval:gov.nist.fdcc.ie7:def:62199
CCE ID CCE Description
CCE-116-4 CCE-116 enabled/disabled
CCE-908-4 CCE-908
CCE-184-2 CCE-184 enabled/disabled
CCE-276-6 CCE-276 enabled/disabled
Old v4 CCE Id
CCE Parameters
The "Disable VBA for Office applications" setting should be configured correctly.
The "ActiveX Control Initialization:" setting should be configured correctly.
1 = Do not prompt | 4 = Prompt user to use control defaults | 6 = Prompt user to use persisted data
The "Enable Customer Experience Improvement Program" setting should be configured correctly.
The "Enable Customer Experience Improvement Program" setting should be configured correctly.
CCE-967-0 CCE-967
CCE-427-5 CCE-427
CCE-649-4 CCE-649
CCE-862-3 CCE-862 enabled/disabled
The "Online content options" setting should be configured correctly.
0 = Never show online content or entry points | 1 = Search only offline content whenever available | 2 = Search online content whenever available
The "VBA Macro Warning Settings" setting should be configured correctly for Access 2007.
1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros
The "VBA Macro Warning Settings" setting should be configured correctly for Excel 2007.
1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros
The "Trust access to Visual Basic Project" setting should be configured correctly for Excel 2007 and 2003.
CCE-567-8 CCE-567
CCE-68-7 CCE-68 enabled/disabled
CCE-537-1 CCE-537 enabled/disabled
CCE-786-4 CCE-786
CCE-937-3 CCE-937 enabled/disabled
CCE-13-3 CCE-13 enabled/disabled
CCE-316-0 CCE-316 enabled/disabled
The "VBA Macro Warning Settings" setting should be configured correctly for PowerPoint 2007.
1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros
The "Trust access to Visual Basic Project" setting should be configured correctly for PowerPoint 2007.
The "Disable Remember Password" setting should be configured correctly.
The "Configure Add-In Trust Level" setting should be configured correctly.
0 = Trust all or use Exchange settings if present | 1 = Trust all loaded and installed COM addins | 2 = Do NOT trust loaded and installed COM addins
The "Disable 'Remember password' for Internet e-mail accounts" setting should be configured correctly.
The "Minimum encryption settings" setting should be configured correctly.
The "Do not check e-mail address against address of certificates being used" setting should be configured correctly.
CCE-14-1 CCE-14 enabled/disabled
CCE-153-7 CCE-153 enabled/disabled
CCE-345-9 CCE-345 enabled/disabled
CCE-700-5 CCE-700
The "Send all signed messages as clear signed messages" setting should be configured correctly.
The "Request an S/MIME receipt for all S/MIME signed messages" setting should be configured correctly.
The "Do not display 'Publish to GAL' button" setting should be configured correctly.
The "Signature Warning" setting should be configured correctly.
0 = Let user decide if they want to be warned | 1 = Always warn about invalid signatures | 2 = Never warn about invalid signatures
CCE-695-7 CCE-695 enabled/disabled
CCE-395-4 CCE-395
CCE-659-3 CCE-659
CCE-703-9 CCE-703 enabled/disabled
The "Enable Cryptography Icons" setting should be configured correctly.
The "Retrieving CRLs (Certificate Revocation Lists)" setting should be configured correctly.
0 = Use system Default | 1 = When online always retrieve the CRL | 2 = Never retrieve the CRL
The "VBA Macro Warning Settings" setting should be configured correctly for Word 2007.
1 = No Security checks for macros | 2 = Trust Bar warning for all macros | 3 = Trust Bar warning for digitally signed macros only | 4 = No Warnings for all macros but disable all macros
The "Trust access to Visual Basic Project" setting should be configured correctly for Word 2007 and 2003.
CCE-173-5 CCE-173 enabled/disabled
CCE-784-9 CCE-784 enabled/disabled
CCE-1395-3 CCE-1395 enabled/disabled
CCE-1137-9 CCE-1137 enabled/disabled
CCE-1423-3 CCE-1423 enabled/disabled
CCE-1238-5 CCE-1238 enabled/disabled
CCE-1476-1 CCE-1476 enabled/disabled
CCE-1520-6 CCE-1520 enabled/disabled
The "Warn before printing, saving or sending a file that contains tracked changes or comments" setting should be configured correctly.
The "Block updates from the Office Update Site from applying" setting should be configured correctly.
The "Underline hyperlinks" setting should be configured correctly for Access 2007.
The "Number of documents in the Recent Documents list (0-9)" setting should be configured correctly for Access 2007.
The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for Access 2007.
The "Disable all application add-ins" setting should be configured correctly for Access 2007.
The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for Access 2007.
The "Disable all trusted locations" setting should be configured correctly for Access 2007.
CCE-780-7 CCE-780 enabled/disabled
CCE-1214-6 CCE-1214 enabled/disabled
CCE-1370-6 CCE-1370 enabled/disabled
CCE-1268-2 CCE-1268 enabled/disabled
CCE-1400-1 CCE-1400 enabled/disabled
CCE-1440-7 CCE-1440 enabled/disabled
CCE-581-9 CCE-581 enabled/disabled
The "Allow Trusted Locations not on the computer" setting should be configured correctly for Access 2007.
The "Modal Trust Decision Only" setting should be configured correctly for Access 2007.
The "Disable commands" setting should be configured correctly for Access 2007.
The "Disable commands - Office Button | E-Mail" setting should be configured correctly for Access 2007.
The "Disable commands - Office Button | Access Options | Customize | All Commands | Insert Hyperlink" setting should be configured correctly for Access 2007.
The "Disable commands - Database Tools | Database Tools | Encrypt with Password" setting should be configured correctly for Access 2007.
The "Disable commands - Database Tools | Administer | Users and Permission | User and Group Permissions" setting should be configured correctly for Access 2007.
CCE-1480-3 CCE-1480 enabled/disabled
CCE-1489-4 CCE-1489 enabled/disabled
CCE-1392-0 CCE-1392 enabled/disabled
CCE-1414-2 CCE-1414 enabled/disabled
CCE-1418-3 CCE-1418 enabled/disabled
CCE-1405-0 CCE-1405 enabled/disabled
CCE-1550-3 CCE-1550 enabled/disabled
The "Disable commands - Database Tools | Administer | Users and Permissions | User and Group Accounts" setting should be configured correctly for Access 2007.
The "Disable commands - Database Tools | Administer | Users and Permission | User-Level Security Wizard..." setting should be configured correctly for Access 2007.
The "Disable commands - Database Tools | Database Tools | Encode/Decode Database" setting should be configured correctly for Access 2007.
The "Disable commands - Database Tools | Macro | Visual Basic" setting should be configured correctly for Access 2007.
The "Disable commands - Database Tools | Macro | Run Macro" setting should be configured correctly for Access 2007.
The "Database Tools | Macro | Convert Macros to Visual Basic" setting should be configured correctly for Access 2007.
The "Database Tools | Macro | Create Shortcut Menu from Macro" setting should be configured correctly for Access 2007.
CCE-1075-1 CCE-1075 enabled/disabled
CCE-709-6 CCE-709 enabled/disabled
CCE-1502-4 CCE-1502 enabled/disabled
CCE-1260-9 CCE-1260 enabled/disabled
CCE-1510-7 CCE-1510 enabled/disabled
CCE-1532-1 CCE-1532 enabled/disabled
CCE-1039-7 CCE-1039 enabled/disabled
The "Disable shortcut keys" setting should be configured correctly for Access 2007.
The "Disable commands - Ctrl+K (Office Button | Access Options | Customize | All Commands | Insert Hyperlinks)" setting should be configured correctly for Access 2007.
The "Disable commands - Alt+F11 (Database Tools | Macro | Visual Basic)" setting should be configured correctly for Access 2007.
The "Default file format (Access 2007 | Access 2002-2003)" setting should be configured correctly for Access 2007.
The "Do not prompt to convert older databases" setting should be configured correctly for Access 2007.
The "Internet and network paths as hyperlinks" setting should be configured correctly for Excel 2007.
The "Save Excel files as (Excel Workbook (*.xlsx) | Excel Macro-Enabled Workbook (*.xlsm) | Excel Binary Workbook (*.xlsb) | Web Page (*.htm; *.html) | Excel 97-2003 Workbook (*.xls) | Excel 5.0/95 Workbook (*.xls))" setting should be configured correctly for Excel 2007.
CCE-1295-5 CCE-1295
enabled/disabled
CCE-1334-2 CCE-1334
enabled/disabled
CCE-1308-6 CCE-1308
enabled/disabled
CCE-616-3 CCE-616
enabled/disabled
CCE-1246-8 CCE-1246
enabled/disabled
CCE-1251-8 CCE-1251
enabled/disabled
CCE-1524-8 CCE-1524
enabled/disabled
CCE-1422-5 CCE-1422
enabled/disabled
The "Disable AutoRepublish" setting should be configured correctly for Excel 2007.
The "AutoRepublish Warning Alert (Always show the alert before publishing | Never show the alert before publishing)" setting should be configured correctly for Excel 2007.
The "Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks" setting should be configured correctly
The "Force file extension to match file type (Allow different | Allow different, but warn | Always match file type)" setting should be configured correctly for Excel 2007.
The "Store macro in Personal Macro Workbook by default" setting should be configured correctly
The "Disable all application add-ins" setting should be configured correctly for Excel 2007.
The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for Excel 2007.
The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for Excel 2007.
CCE-1444-9 CCE-1444
enabled/disabled
CCE-1449-8 CCE-1449
enabled/disabled
CCE-1471-2 CCE-1471
enabled/disabled
CCE-1119-7 CCE-1119
enabled/disabled
CCE-1378-9 CCE-1378
enabled/disabled
CCE-1277-3 CCE-1277
enabled/disabled
CCE-1464-7 CCE-1464
enabled/disabled
CCE-1094-2 CCE-1094
enabled/disabled
CCE-1129-6 CCE-1129
enabled/disabled
The "Allow Trusted Locations not on the computer" setting should be configured correctly for Excel 2007.
The "Disable all trusted locations" setting should be configured correctly for Excel 2007.
The "Ignore other applications" setting should be configured correctly for Excel 2007.
The "Ask to update automatic links" setting should be configured correctly for Excel 2007.
The "Number of documents in the Recent Documents list (0-17)" setting should be configured correctly for Excel 2007.
The "Save any additional data necessary to maintain formulas" setting should be configured correctly for Excel 2007.
The "Load pictures from Web pages not created in Excel" setting should be configured correctly for Excel 2007.
The "Do not show data extraction options when opening corrupt workbooks" setting should be configured correctly for Excel 2007.
The "Assume structured storage format of workbook is intact when recovering data" setting should be configured correctly for Excel 2007.
CCE-1389-6 CCE-1389
enabled/disabled
CCE-1433-2 CCE-1433
enabled/disabled
CCE-1323-5 CCE-1323
enabled/disabled
CCE-1469-6 CCE-1469
enabled/disabled
CCE-1473-8 CCE-1473
enabled/disabled
CCE-1499-3 CCE-1499
enabled/disabled
CCE-1024-9 CCE-1024
enabled/disabled
The "Corrupt formula conversion (Convert unrecoverable references to: values | #REF or #NAME)" setting should be configured correctly for Excel 2007.
The "Connection File Locations" setting should be configured correctly for Excel 2007.
The "Automatic Query Refresh (Prompt for all workbooks | Do not prompt; do not allow auto refresh | Do not prompt; allow auto refresh)" setting should be configured correctly for Excel 2007.
The "Disable commands" setting should be configured correctly for Excel 2007.
The "Disable commands - Office Button | Excel Options | Customize | All Commands | Save as Web Page" setting should be configured correctly for Excel 2007.
The "Disable commands - Office Button | Excel Options | Customize | All Commands | Web Page Preview" setting should be configured correctly for Excel 2007.
The "Disable commands - Office Button | Send | Email" setting should be configured correctly for Excel 2007.
CCE-1530-5 CCE-1530
enabled/disabled
CCE-1120-5 CCE-1120
enabled/disabled
CCE-1252-6 CCE-1252
enabled/disabled
CCE-1151-0 CCE-1151
enabled/disabled
CCE-1301-1 CCE-1301
enabled/disabled
CCE-1310-2 CCE-1310
enabled/disabled
CCE-1213-8 CCE-1213
enabled/disabled
CCE-1362-3 CCE-1362
enabled/disabled
The "Disable commands - Insert | Links | Hyperlink" setting should be configured correctly for Excel 2007.
The "Disable commands - Review | Changes | Protect Sheet" setting should be configured correctly for Excel 2007.
The "Disable commands - Review | Changes | Protect Workbook" setting should be configured correctly for Excel 2007.
The "Disable commands - Review | Changes | Protect and Share Workbook" setting should be configured correctly for Excel 2007.
The "Disable commands - View | Macros | Macros" setting should be configured correctly for Excel 2007.
The "Disable commands - Developer | Code | Macros" setting should be configured correctly for Excel 2007.
The "Disable commands - Developer | Code | Record Macro" setting should be configured correctly for Excel 2007.
The "Disable commands - Developer | Code | Macro Security" setting should be configured correctly for Excel 2007.
CCE-1156-9 CCE-1156
enabled/disabled
CCE-1429-0 CCE-1429
enabled/disabled
CCE-1182-5 CCE-1182
enabled/disabled
CCE-1525-5 CCE-1525
enabled/disabled
CCE-1547-9 CCE-1547
enabled/disabled
CCE-1300-3 CCE-1300
enabled/disabled
CCE-1331-8 CCE-1331
enabled/disabled
CCE-1468-8 CCE-1468
enabled/disabled
The "Disable commands - Developer | Code | Visual Basic" setting should be configured correctly for Excel 2007.
The "Disable commands - Office Button | Excel Options | Customize | All Commands | Document Location" setting should be configured correctly for Excel 2007.
The "Disable shortcut keys" setting should be configured correctly for Excel 2007.
The "Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink)" setting should be configured correctly for Excel 2007.
The "Disable shortcut keys - Alt+F8 (Developer | Code | Macros)" setting should be configured correctly for Excel 2007.
The "Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic)" setting should be configured correctly for Excel 2007.
The "Block opening of pre-release versions of file formats new to Excel 2007" setting should be configured correctly for Excel 2007.
The "Block opening of Open XML file types" setting should be configured correctly for Excel 2007.
CCE-1490-2 CCE-1490
enabled/disabled
CCE-1512-3 CCE-1512
enabled/disabled
CCE-1543-8 CCE-1543
enabled/disabled
CCE-1195-7 CCE-1195
enabled/disabled
CCE-554-6 CCE-554
enabled/disabled
CCE-1415-9 CCE-1415
enabled/disabled
CCE-1437-3 CCE-1437
enabled/disabled
CCE-1446-4 CCE-1446
enabled/disabled
CCE-1098-3 CCE-1098
enabled/disabled
CCE-562-9 CCE-562
enabled/disabled
The "Block opening of Binary 12 file types" setting should be configured correctly for Excel 2007.
The "Block opening of Binary file types" setting should be configured correctly for Excel 2007.
The "Block opening of Html and Xmlss files types" setting should be configured correctly for Excel 2007.
The "Block opening of Xml file types" setting should be configured correctly for Excel 2007.
The "Block opening of DIF and SYLK file types" setting should be configured correctly for Excel 2007.
The "Block opening of Text file types" setting should be configured correctly for Excel 2007.
The "Block opening of Xll file type" setting should be configured correctly for Excel 2007.
The "Block saving of Open Xml file types" setting should be configured correctly for Excel 2007.
The "Block saving of Binary12 file types" setting should be configured correctly for Excel 2007.
The "Block saving of Binary file types" setting should be configured correctly for Excel 2007.
CCE-1507-3 CCE-1507
enabled/disabled
CCE-1406-8 CCE-1406
enabled/disabled
CCE-573-6 CCE-573
enabled/disabled
CCE-1336-7 CCE-1336
enabled/disabled
CCE-1230-2 CCE-1230
enabled/disabled
CCE-1375-5 CCE-1375
enabled/disabled
CCE-1380-5 CCE-1380
enabled/disabled
CCE-1376-3 CCE-1376
enabled/disabled
CCE-1398-7 CCE-1398
enabled/disabled
The "Block saving of Html and Xmlss file types" setting should be configured correctly for Excel 2007.
The "Block saving Xml file types" setting should be configured correctly for Excel 2007.
The "Block saving DIF and SYLK file types" setting should be configured correctly for Excel 2007.
The "Block saving of Text file types" setting should be configured correctly for Excel 2007.
The "Locally cache network file storages" setting should be configured correctly for Excel 2007.
The "Locally cache PivotTable reports" setting should be configured correctly for Excel 2007.
The "OLAP PivotTable User Defined Function (UDF) security setting (Allow ALL UDFs | Allow safe UDFs only | Allow NO UDFs)" setting should be configured correctly for Excel 2007.
The "Recognize SmartTags" setting should be configured correctly for Excel 2007.
The "Number of documents in the Recent Documents list (0 - 9)" setting should be configured correctly for InfoPath 2007.
CCE-569-4 CCE-569
enabled/disabled
CCE-1065-2 CCE-1065
enabled/disabled
CCE-1361-5 CCE-1361
enabled/disabled
CCE-1096-7 CCE-1096
enabled/disabled
CCE-1391-2 CCE-1391
enabled/disabled
CCE-1519-8 CCE-1519
enabled/disabled
CCE-1523-0 CCE-1523
enabled/disabled
CCE-1171-8 CCE-1171
enabled/disabled
The "Offline Mode status (Disabled | Enabled, InfoPath in Offline Mode | Enabled, InfoPath not in Offline Mode)" setting should be configured correctly for InfoPath 2007.
The "Disable commands" setting should be configured correctly for InfoPath 2007.
The "Disable commands - File | Print" setting should be configured correctly for InfoPath 2007.
The "Disable commands - File | Send to Mail Recipient" setting should be configured correctly for InfoPath 2007.
The "Disable commands - File | Open from SharePoint Site" setting should be configured correctly for InfoPath 2007.
The "Disable commands - File | Print Preview" setting should be configured correctly for InfoPath 2007.
The "Disable commands - File | Page Setup" setting should be configured correctly for InfoPath 2007.
The "Disable commands - Insert | Hyperlinks..." setting should be configured correctly for InfoPath 2007.
CCE-1457-1 CCE-1457
enabled/disabled
CCE-1426-6 CCE-1426
enabled/disabled
CCE-805-2 CCE-805
enabled/disabled
CCE-1453-0 CCE-1453
enabled/disabled
CCE-1351-6 CCE-1351
enabled/disabled
CCE-620-5 CCE-620
enabled/disabled
CCE-1017-3 CCE-1017
enabled/disabled
CCE-1021-5 CCE-1021
enabled/disabled
The "Disable commands - Tools | Set Language" setting should be configured correctly for InfoPath 2007.
The "Disable commands - Tools | Customize..." setting should be configured correctly for InfoPath 2007.
The "Disable commands - Tools | Options..." setting should be configured correctly for InfoPath 2007.
The "Disable commands - Help | Microsoft Office Online" setting should be configured correctly for InfoPath 2007.
The "Disable commands - Office Diagnostics" setting should be configured correctly for InfoPath 2007.
The "Disable commands - Help | Activate Product..." setting should be configured correctly for InfoPath 2007.
The "Disable commands - Print Default" setting should be configured correctly for InfoPath 2007.
The "Disable shortcut keys" setting should be configured correctly for InfoPath 2007.
CCE-1299-7 CCE-1299
enabled/disabled
CCE-1197-3 CCE-1197
enabled/disabled
CCE-704-7 CCE-704
enabled/disabled
CCE-1105-6 CCE-1105
enabled/disabled
` CCE-1114
enabled/disabled
CCE-761-7 CCE-761
enabled/disabled
CCE-739-3 CCE-739
enabled/disabled
The "Disable shortcut keys - Print Shortcut (Ctrl+P)" setting should be configured correctly for InfoPath 2007.
The "Disable shortcut keys - Insert Hyperlink Shortcut (Ctrl+K)" setting should be configured correctly for InfoPath 2007.
The "Control behavior for Windows SharePoint Services gradual upgrade (Allow redirections to any location | Allow redirections to Intranet only | Block all redirections)" setting should be configured correctly for InfoPath 2007.
The "Disable opening of solutions from the Internet security zone" setting should be configured correctly for InfoPath 2007.
The "Disable fully trusted solutions full access to computer" setting should be configured correctly for InfoPath 2007.
The "Allow the use of ActiveX Custom Controls in InfoPath forms" setting should be configured correctly for InfoPath 2007.
The "Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003 SP1" setting should be configured correctly for InfoPath 2007.
CCE-1259-1 CCE-1259
enabled/disabled
CCE-1267-4 CCE-1267
enabled/disabled
CCE-1060-3 CCE-1060
enabled/disabled
CCE-955-5 CCE-955
enabled/disabled
CCE-1479-5 CCE-1479
enabled/disabled
CCE-1360-7 CCE-1360
enabled/disabled
CCE-1386-2 CCE-1386
enabled/disabled
CCE-893-8 CCE-893
enabled/disabled
The "Allow file types as attachments to forms" setting should be configured correctly for InfoPath 2007.
The "Block specific file types as attachments to forms" setting should be configured correctly for InfoPath 2007.
The "Prevent users from allowing unsafe file types to be attached to forms" setting should be configured correctly for InfoPath 2007.
The "Display a warning that a form is digitally signed" setting should be configured correctly for InfoPath 2007.
The "Control behavior when opening forms in the Internet security zone (Block | Prompt | Allow)" setting should be configured correctly for InfoPath 2007.
The "Control behavior when opening forms in the Intranet security zone (Block | Prompt | Allow)" setting should be configured correctly for InfoPath 2007.
The "Control behavior when opening forms in the Local Machine security zone (Block | Prompt | Allow)" setting should be configured correctly for InfoPath 2007.
The "Control behavior when opening forms in the Trusted Site security zone (Block | Prompt | Allow)" setting should be configured correctly for InfoPath 2007.
CCE-1290-6 CCE-1290
enabled/disabled
CCE-1381-3 CCE-1381
enabled/disabled
CCE-1135-3 CCE-1135
enabled/disabled
CCE-1157-7 CCE-1157
enabled/disabled
CCE-1434-0 CCE-1434
enabled/disabled
CCE-1315-1 CCE-1315
enabled/disabled
CCE-1210-4 CCE-1210
enabled/disabled
The "Beaconing UI for forms opened in InfoPath (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone)" setting should be configured correctly for InfoPath 2007.
The "Beaconing UI for forms opened in InfoPath Editor ActiveX (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone)" setting should be configured correctly for InfoPath 2007.
The "Disable all application add-ins" setting should be configured correctly for InfoPath 2007.
The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for InfoPath 2007.
The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for InfoPath 2007.
The "Control behavior when opening InfoPath e-mail forms containing code or script (Run without prompting | Prompt before running | Never run)" setting should be configured correctly for InfoPath 2007.
The "Disable sending form template with e-mail forms" setting should be configured correctly for InfoPath 2007.
CCE-1236-9 CCE-1236
enabled/disabled
CCE-884-7 CCE-884
enabled/disabled
CCE-1518-0 CCE-1518
enabled/disabled
CCE-1170-0 CCE-1170
enabled/disabled
CCE-1316-9 CCE-1316
enabled/disabled
CCE-1567-7 CCE-1567
enabled/disabled
CCE-1265-8 CCE-1265
enabled/disabled
CCE-1538-8 CCE-1538
enabled/disabled
CCE-1564-4 CCE-1564
enabled/disabled
The "Disable dynamic caching of the form template in InfoPath e-mail forms" setting should be configured correctly for InfoPath 2007.
The "Disable sending InfoPath 2003 Forms as e-mail forms" setting should be configured correctly for InfoPath 2007.
The "Disable e-mail forms running in restricted security level" setting should be configured correctly for InfoPath 2007.
The "Disable e-mail forms from the Internet security zone" setting should be configured correctly for InfoPath 2007.
The "Disable e-mail forms from the Intranet security zone" setting should be configured correctly for InfoPath 2007.
The "Disable e-mail forms from the Full Trust security zone" setting should be configured correctly for InfoPath 2007.
The "Disable InfoPath e-mail forms in Outlook" setting should be configured correctly for InfoPath 2007.
The "Information Rights Management" setting should be configured correctly for InfoPath 2007.
The "Custom code" setting should be configured correctly for InfoPath 2007.
CCE-1212-0 CCE-1212
enabled/disabled
CCE-1344-1 CCE-1344
enabled/disabled
CCE-723-7 CCE-723
enabled/disabled
CCE-1384-7 CCE-1384
enabled/disabled
CCE-1159-3 CCE-1159
enabled/disabled
CCE-1146-0 CCE-1146
enabled/disabled
CCE-1542-0 CCE-1542
enabled/disabled
CCE-582-7 CCE-582
enabled/disabled
The "Email Forms Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone)" setting should be configured correctly for InfoPath 2007.
The "Disable user customization of Quick Access Toolbar via UI" setting should be configured correctly
The "Disable user customization of Quick Access Toolbar via UI - Disallow in Word" setting should be configured correctly
The "Disable user customization of Quick Access Toolbar via UI - Disallow in Excel" setting should be configured correctly
The "Disable user customization of Quick Access Toolbar via UI - Disallow in PowerPoint" setting should be configured correctly
The "Disable user customization of Quick Access Toolbar via UI - Disallow in Access" setting should be configured correctly
The "Disable user customization of Quick Access Toolbar via UI - Disallow in Outlook" setting should be configured correctly
The "Disable all user customization of Quick Access Toolbar" setting should be configured correctly
CCE-1291-4 CCE-1291
enabled/disabled
CCE-1326-8 CCE-1326
enabled/disabled
CCE-1330-0 CCE-1330
enabled/disabled
CCE-1335-9 CCE-1335
enabled/disabled
CCE-1229-4 CCE-1229
enabled/disabled
CCE-630-4 CCE-630
enabled/disabled
CCE-1154-4 CCE-1154
enabled/disabled
CCE-1410-0 CCE-1410
enabled/disabled
The "Disable all user customization of Quick Access Toolbar - Disallow in Word" setting should be configured correctly
The "Disable all user customization of Quick Access Toolbar - Disallow in Excel" setting should be configured correctly
The "Disable all user customization of Quick Access Toolbar - Disallow in PowerPoint" setting should be configured correctly
The "Disable all user customization of Quick Access Toolbar - Disallow in Access" setting should be configured correctly
The "Disable all user customization of Quick Access Toolbar - Disallow in Outlook" setting should be configured correctly
The "Disable UI extending from documents and templates" setting should be configured correctly
The "Disable UI extending from documents and templates - Disallow in Word" setting should be configured correctly
The "Disable UI extending from documents and templates - Disallow in Excel" setting should be configured correctly
CCE-1432-4 CCE-1432
enabled/disabled
CCE-1198-1 CCE-1198
enabled/disabled
CCE-929-0 CCE-929
enabled/disabled
CCE-1074-4 CCE-1074
enabled/disabled
CCE-1458-9 CCE-1458
enabled/disabled
CCE-1233-6 CCE-1233
enabled/disabled
CCE-1379-7 CCE-1379
enabled/disabled
CCE-1401-9 CCE-1401
enabled/disabled
The "Disable UI extending from documents and templates - Disallow in PowerPoint" setting should be configured correctly
The "Disable UI extending from documents and templates - Disallow in Access" setting should be configured correctly
The "Disable UI extending from documents and templates - Disallow in Outlook" setting should be configured correctly
The "Recognize smart tags in Excel" setting should be configured correctly
The "Disable Clip Art and Media downloads from the client and from Office Online website" setting should be configured correctly
The "Disable template downloads from the client and from Office Online website" setting should be configured correctly
The "Disable access to updates, add-ins, and patches on the Office Online website" setting should be configured correctly
The "Prevents users from uploading document templates to the Office Online community." setting should be configured correctly
CCE-1528-9 CCE-1528
enabled/disabled
CCE-1533-9 CCE-1533
enabled/disabled
CCE-646-0 CCE-646
enabled/disabled
CCE-1438-1 CCE-1438
enabled/disabled
CCE-711-2 CCE-711
enabled/disabled
CCE-1292-2 CCE-1292
enabled/disabled
CCE-1615-4 CCE-1615 enabled/disabled
CCE-1191-6 CCE-1191
enabled/disabled
CCE-1587-5 CCE-1587
enabled/disabled
CCE-1486-0 CCE-1486
enabled/disabled
The "Disable training practice downloads from the Office Online website" setting should be configured correctly
The "Disable customer-submitted templates downloads from Office Online" setting should be configured correctly
The "Open Office documents as read/write while browsing" setting should be configured correctly
The "Rely on VML for displaying graphics in browsers" setting should be configured correctly
The "Allow PNG as an output format" setting should be configured correctly
The "Improve Proofing Tools" setting should be configured correctly
The "Disable Opt-in Wizard on first run" setting should be configured correctly.
The "Microsoft Office Online" setting should be configured correctly
The "Disable Password Caching" setting should be configured correctly
The "Disable all Trust Bar notifications for security issues" setting should be configured correctly
CCE-1508-1 CCE-1508
enabled/disabled
CCE-1640-2 CCE-1640
enabled/disabled
CCE-1539-6 CCE-1539
enabled/disabled
CCE-1561-0 CCE-1561
enabled/disabled
CCE-1068-6 CCE-1068
enabled/disabled
CCE-1574-3 CCE-1574
enabled/disabled
CCE-1239-3 CCE-1239
enabled/disabled
CCE-1623-8 CCE-1623
enabled/disabled
CCE-1083-5 CCE-1083
enabled/disabled
The "Protect document metadata for rights managed Office Open XML Files" setting should be configured correctly
The "Protect document metadata for password protected files." setting should be configured correctly
The "Encryption type for password protected Office Open XML files" setting should be configured correctly
The "Encryption type for password protected Office 97-2003 files" setting should be configured correctly
The "Load Controls in Forms3 (1 | 2 | 3 | 4)" setting should be configured correctly
The "Automation Security (Disable macros by default | Use application macro security level | Macros enabled)" setting should be configured correctly
The "Prevent Word and Excel from loading managed code extensions" setting should be configured correctly
The "Disable hyperlink warnings" setting should be configured correctly
The "Disable password to open UI" setting should be configured correctly
CCE-1343-3 CCE-1343
enabled/disabled
CCE-1242-7 CCE-1242
enabled/disabled
CCE-770-8 CCE-770
enabled/disabled
CCE-903-5 CCE-903
enabled/disabled
CCE-1555-2 CCE-1555
enabled/disabled
CCE-1061-1 CCE-1061
enabled/disabled
CCE-1603-0 CCE-1603
enabled/disabled
CCE-1612-1 CCE-1612
enabled/disabled
CCE-1493-6 CCE-1493
enabled/disabled
The "Download Office Controls" setting should be configured correctly
The "Disable All ActiveX" setting should be configured correctly
The "Allow mix of policy and user locations" setting should be configured correctly
The "Disable Smart Document's use of manifests" setting should be configured correctly
The "Completely disable the Smart Documents feature in Word and Excel" setting should be configured correctly
The "Disable Internet Fax feature" setting should be configured correctly
The "Prevent users from changing permissions on rights managed content" setting should be configured correctly
The "Allow users with earlier versions of Office to read with browsers..." setting should be configured correctly
The "Always require users to connect to verify permission" setting should be configured correctly
CCE-1409-2 CCE-1409
enabled/disabled
CCE-1589-1 CCE-1589
enabled/disabled
CCE-1237-7 CCE-1237
enabled/disabled
CCE-1404-3 CCE-1404
enabled/disabled
CCE-1396-1 CCE-1396
enabled/disabled
CCE-1167-6 CCE-1167
enabled/disabled
CCE-1585-9 CCE-1585
enabled/disabled
CCE-1572-7 CCE-1572
enabled/disabled
CCE-1220-3 CCE-1220
enabled/disabled
The "Always expand groups in Office when restricting permission for documents" setting should be configured correctly
The "Never allow users to specify groups when restricting permission for documents" setting should be configured correctly
The "Disable Microsoft Passport service for content with restricted permission" setting should be configured correctly
The "Do not allow users to upgrade Information Rights Management configuration" setting should be configured correctly
The "Key Usage Filtering" setting should be configured correctly
The "EKU filtering" setting should be configured correctly
The "Legacy format signatures" setting should be configured correctly
The "Suppress Office Signing Providers (Enable Western and East Asian | Suppress default Western | Suppress default East Asian | Suppress both Western and East Asian)" setting should be configured correctly
The "Suppress external signature services menu item" setting should be configured correctly
CCE-1634-5 CCE-1634
enabled/disabled
CCE-1643-6 CCE-1643
enabled/disabled
CCE-1546-1 CCE-1546
enabled/disabled
CCE-1505-7 CCE-1505
enabled/disabled
CCE-1545-3 CCE-1545
enabled/disabled
CCE-1549-5 CCE-1549
enabled/disabled
CCE-1431-6 CCE-1431
enabled/disabled
The "Disable Check For Solutions" setting should be configured correctly
The "Disable inclusion of document properties in PDF and XPS output" setting should be configured correctly
The "Disable Document Information Panel" setting should be configured correctly
The "Document Information Panel Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone)" setting should be configured correctly
The "Disable the Office client from polling the Office server for published links" setting should be configured correctly
The "Block opening of pre-release versions of file formats new to Word 2007 through the Compatibility Pack for the 2007 Office system and Word 2007 Open XML/Word 97-2003 Format Converter" setting should be configured correctly
The "Block opening of pre-release versions of file formats new to Excel 2007 through the Compatibility Pack for the 2007 Office system and Excel 2007 Converter" setting should be configured correctly
CCE-1594-1 CCE-1594
enabled/disabled
CCE-1241-9 CCE-1241
enabled/disabled
CCE-1607-1 CCE-1607
enabled/disabled
CCE-752-6 CCE-752
enabled/disabled
CCE-1166-8 CCE-1166
enabled/disabled
CCE-654-4 CCE-654
enabled/disabled
CCE-1192-4 CCE-1192
enabled/disabled
CCE-791-4 CCE-791
enabled/disabled
CCE-1456-3 CCE-1456
enabled/disabled
The "Block opening of pre-release versions of file formats new to PowerPoint 2007 through the Compatibility Pack for the 2007 Office system and PowerPoint 2007 Converter" setting should be configured correctly
The "Control Blogging (Enabled | Only SharePoint blogs allowed | All blogging disabled)" setting should be configured correctly
The "Enable Smart Resume" setting should be configured correctly
The "Do not upload media files" setting should be configured correctly
The "Disable hyperlinks to web templates in File | New and task panes" setting should be configured correctly
The "Prevent access to Web-based file storage" setting should be configured correctly
The "Do not allow attachment previewing in Outlook" setting should be configured correctly for Outlook 2007.
The "Read e-mail as plain text" setting should be configured correctly for Outlook 2007.
The "Read signed e-mail as plain text" setting should be configured correctly for Outlook 2007.
CCE-1478-7 CCE-1478
enabled/disabled
CCE-1368-0 CCE-1368
enabled/disabled
CCE-1641-0 CCE-1641
enabled/disabled
CCE-1266-6 CCE-1266
enabled/disabled
CCE-1399-5 CCE-1399
enabled/disabled
CCE-1187-4 CCE-1187
enabled/disabled
CCE-1588-3 CCE-1588
enabled/disabled
The "Prevent publishing to Office Online" setting should be configured correctly for Outlook 2007.
The "Prevent publishing to a DAV server" setting should be configured correctly for Outlook 2007.
The "Restrict level of calendar details users can publish (All options are available | Disables 'Full details' | Disables 'Full details' and 'Limited details')" setting should be configured correctly for Outlook 2007.
The "Access to published calendars" setting should be configured correctly for Outlook 2007.
The "Restrict upload method" setting should be configured correctly for Outlook 2007.
The "Hide Junk Mail UI" setting should be configured correctly for Outlook 2007.
The "Junk E-mail protection level (No Protection, Low, High, Trusted Lists Only)" setting should be configured correctly for Outlook 2007.
CCE-1117-1 CCE-1117
enabled/disabled
CCE-1130-4 CCE-1130
enabled/disabled
CCE-1093-4 CCE-1093
enabled/disabled
CCE-1599-0 CCE-1599
enabled/disabled
CCE-1621-2 CCE-1621
enabled/disabled
CCE-1269-0 CCE-1269
enabled/disabled
CCE-1419-1 CCE-1419
enabled/disabled
CCE-1551-1 CCE-1551
enabled/disabled
The "Trust E-mail from Contacts" setting should be configured correctly for Outlook 2007.
The "Add e-mail recipients to users' Safe Senders Lists" setting should be configured correctly for Outlook 2007.
The "Dial-up options" setting should be configured correctly for Outlook 2007.
The "Dial-up options - Warn before switching dial-up connection" setting should be configured correctly for Outlook 2007.
The "Dial-up options - Hang up when finished sending, receiving, or updating" setting should be configured correctly for Outlook 2007.
The "Dial-up options - Automatically dial during a background Send/Receive" setting should be configured correctly for Outlook 2007.
The "Do not allow creating, replying, or forwarding signatures for e-mail messages" setting should be configured correctly for Outlook 2007.
The "Send copy of pictures with HTML messages instead of reference to Internet location" setting should be configured correctly for Outlook 2007.
CCE-655-1 CCE-655
enabled/disabled
CCE-1592-5 CCE-1592
enabled/disabled
CCE-1614-7 CCE-1614
enabled/disabled
CCE-1526-3 CCE-1526
enabled/disabled
CCE-1111-4 CCE-1111
enabled/disabled
CCE-1494-4 CCE-1494
enabled/disabled
CCE-1287-2 CCE-1287
enabled/disabled
CCE-1529-7 CCE-1529
enabled/disabled
The "Outlook Rich Text options (Convert to HTML | Convert to Plain Text format | Send Using Outlook Rich Text format)" setting should be configured correctly for Outlook 2007.
The "Plain text options" setting should be configured correctly for Outlook 2007.
The "Plain text options - Encode attachments in UUENCODE format when sending a plain text message" setting should be configured correctly for Outlook 2007.
The "Set message format (HTML | Rich Text | Plain Text)" setting should be configured correctly for Outlook 2007.
The "Make Outlook the default program for E-mail, Contacts, and Calendar" setting should be configured correctly for Outlook 2007.
The "Do not allow folders in non-default stores to be set as folder home pages" setting should be configured correctly for Outlook 2007.
The "Use Unicode format when dragging e-mail message to file system" setting should be configured correctly for Outlook 2007.
The "Do not allow Outlook object model scripts to run for shared folders" setting should be configured correctly for Outlook 2007.
CCE-1560-2 CCE-1560
enabled/disabled
CCE-1596-6 CCE-1596
enabled/disabled
CCE-1604-8 CCE-1604
enabled/disabled
CCE-1648-5 CCE-1648
enabled/disabled
CCE-1516-4 CCE-1516
enabled/disabled
CCE-1296-3 CCE-1296
enabled/disabled
The "Do not allow Outlook object model scripts to run for public folders" setting should be configured correctly for Outlook 2007.
The "Set maximum level of online status on a person name (Do not allow | Allow everywhere except To and CC field | Allow everywhere)" setting should be configured correctly for Outlook 2007.
The "Display online status on a person name (Never | Everywhere except To and CC field | Everywhere)" setting should be configured correctly for Outlook 2007.
The "Turn off Enable the Person Names Smart Tag option" setting should be configured correctly for Outlook 2007.
The "Outlook Security Mode (Outlook Default Security | Use Security Form from 'Outlook Security Settings' Public Folder | Use Security Form from 'Outlook 10 Security Settings' Public Folder | Use Outlook Security Group Policy)" setting should be configured correctly for Outlook 2007.
The "Display Level 1 attachments" setting should be configured correctly for Outlook 2007.
CCE-1388-8 CCE-1388
enabled/disabled
CCE-1652-7 CCE-1652
enabled/disabled
CCE-1569-3 CCE-1569
enabled/disabled
CCE-1459-7 CCE-1459
enabled/disabled
CCE-1608-9 CCE-1608
enabled/disabled
CCE-1617-0 CCE-1617
enabled/disabled
CCE-1631-1 CCE-1631
enabled/disabled
CCE-1155-1 CCE-1155
enabled/disabled
CCE-1556-0 CCE-1556
enabled/disabled
The "Allow users to demote attachments to Level 2" setting should be configured correctly for Outlook 2007.
The "Do not prompt about Level 1 attachments when sending an item" setting should be configured correctly for Outlook 2007.
The "Do not prompt about Level 1 attachments when closing an item" setting should be configured correctly for Outlook 2007.
The "Allow in-place activation of embedded OLE objects" setting should be configured correctly for Outlook 2007.
The "Display OLE package objects" setting should be configured correctly for Outlook 2007.
The "Add file extensions to block as Level 1" setting should be configured correctly for Outlook 2007.
The "Remove file extensions blocked as Level 1" setting should be configured correctly for Outlook 2007.
The "Add file extensions to block as Level 2" setting should be configured correctly for Outlook 2007.
The "Remove file extensions blocked as Level 2" setting should be configured correctly for Outlook 2007.
CCE-1595-8 CCE-1595
enabled/disabled
CCE-1436-5 CCE-1436
enabled/disabled
CCE-1586-7 CCE-1586
enabled/disabled
CCE-1590-9 CCE-1590
enabled/disabled
CCE-1004-1 CCE-1004
enabled/disabled
The "Allow scripts in one-off Outlook forms" setting should be configured correctly for Outlook 2007.
The "Set Outlook object model Custom Actions execution prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.
The "Set control ItemProperty prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly
The "Configure Outlook object model prompt when sending mail (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.
The "Configure Outlook object model prompt when accessing an address book (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.
CCE-1273-2 CCE-1273
enabled/disabled
CCE-1172-6 CCE-1172
enabled/disabled
CCE-1568-5 CCE-1568
enabled/disabled
CCE-1573-5 CCE-1573
enabled/disabled
The "Configure Outlook object model prompt when reading address information (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.
The "Configure Outlook object model prompt when responding to meeting and task requests (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.
The "Configure Outlook object model prompt when executing Save As (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.
The "Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.
CCE-1454-8 CCE-1454
enabled/disabled
CCE-1498-5 CCE-1498
enabled/disabled
CCE-1630-3 CCE-1630
enabled/disabled
CCE-1626-1 CCE-1626
enabled/disabled
CCE-1163-5 CCE-1163
enabled/disabled
CCE-1445-6 CCE-1445
enabled/disabled
CCE-1582-6 CCE-1582
enabled/disabled
The "Configure Outlook object model prompt when accessing address information via UserProperties.Find (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)" setting should be configured correctly for Outlook 2007.
The "Required Certificate Authority" setting should be configured correctly for Outlook 2007.
The "S/MIME interoperability with external clients: (Handle internally | Handle externally | Handle if possible)" setting should be configured correctly for Outlook 2007.
The "Always use Rich Text formatting in S/MIME messages" setting should be configured correctly for Outlook 2007.
The "S/MIME password settings" setting should be configured correctly for Outlook 2007.
The "S/MIME password settings - Default S/MIME password time (minutes): (0 - 2147483647)" setting should be configured correctly for Outlook 2007.
The "S/MIME password settings - Maximum S/MIME password time (minutes): (0 - 2147483647)" setting should be configured correctly for Outlook 2007.
CCE-1357-3 CCE-1357
enabled/disabled
CCE-1132-0 CCE-1132
enabled/disabled
CCE-1511-5 CCE-1511
enabled/disabled
CCE-1018-1 CCE-1018
enabled/disabled
CCE-1181-7 CCE-1181
enabled/disabled
CCE-1639-4 CCE-1639
enabled/disabled
The "Message Formats" setting should be configured correctly for Outlook 2007.
The "Message Formats - Support the following message formats: (S/MIME | Exchange | Fortezza | S/MIME and Exchange | S/MIME and Fortezza | Exchange and Fortezza | S/MIME, Exchange, and Fortezza)" setting should be configured correctly for Outlook 2007.
2007: The "Do not provide Continue option on Encryption warning dialog boxes" setting should be configured correctly for Outlook 2007. 2003: The "Disable Continue button on all Encryption warning dialogs" setting should be configured correctly.
The "Run in FIPS compliant mode" setting should be configured correctly for Outlook 2007.
The "Encrypt all e-mail messages" setting should be configured correctly for Outlook 2007 and 2003.
The "Sign all e-mail messages" setting should be configured correctly for Outlook 2007.
CCE-677-5 CCE-677
enabled/disabled
CCE-687-4 CCE-687
enabled/disabled
CCE-1613-9 CCE-1613
enabled/disabled
CCE-1402-7 CCE-1402
enabled/disabled
CCE-1658-4 CCE-1658
enabled/disabled
CCE-1662-6 CCE-1662
enabled/disabled
CCE-1080-1 CCE-1080
enabled/disabled
CCE-1076-9 CCE-1076
enabled/disabled
The "URL for S/MIME certificates" setting should be configured correctly for Outlook 2007.
The "Ensure all S/MIME signed messages have a label" setting should be configured correctly for Outlook 2007.
The "S/MIME receipt requests (Open message if receipt can't be sent | Don't open message if receipt can't be sent | Always prompt before sending receipt | Never send S/MIME receipts)" setting should be configured correctly for Outlook 2007.
The "Fortezza certificate policies" setting should be configured correctly for Outlook 2007.
The "Require SuiteB algorithms for S/MIME operations" setting should be configured correctly for Outlook 2007.
The "Missing CRLs" setting should be configured correctly for Outlook 2007.
The "Missing CRLs - Indicate a missing CRL as a(n): (warning | error)" setting should be configured correctly for Outlook 2007.
The "Missing root certificates" setting should be configured correctly for Outlook 2007.
CCE-1636-0 CCE-1636
enabled/disabled
CCE-943-1 CCE-943
enabled/disabled
CCE-1591-7 CCE-1591
enabled/disabled
CCE-1133-8 CCE-1133
enabled/disabled
CCE-725-2 CCE-725
enabled/disabled
CCE-1347-4 CCE-1347
enabled/disabled
CCE-1475-3 CCE-1475
enabled/disabled
CCE-1497-7 CCE-1497
enabled/disabled
The "Missing root certificates - Indicate a missing root certificate as a(n): (neither error nor warning | warning | error)" setting should be configured correctly for Outlook 2007.
The "Promote Level 2 errors as errors, not warnings" setting should be configured correctly for Outlook 2007.
The "Attachment Secure Temporary Folder" setting should be configured correctly for Outlook 2007.
The "Display pictures and external content in HTML e-mail" setting should be configured correctly for Outlook 2007.
The "Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists" setting should be configured correctly for Outlook 2007.
The "Do not permit download of content from safe zones" setting should be configured correctly for Outlook 2007.
The "Block Trusted Zones" setting should be configured correctly for Outlook 2007.
The "Include Internet in Safe Zones for Automatic Picture Download" setting should be configured correctly for Outlook 2007.
CCE-1501-6 CCE-1501
enabled/disabled
CCE-1030-6 CCE-1030
enabled/disabled
CCE-1052-0 CCE-1052
enabled/disabled
CCE-1462-1 CCE-1462
enabled/disabled
CCE-1281-5 CCE-1281
enabled/disabled
CCE-1303-7 CCE-1303
enabled/disabled
CCE-1082-7 CCE-1082
enabled/disabled
The "Include Intranet in Safe Zones for Automatic Picture Download" setting should be configured correctly for Outlook 2007.
The "Security setting for macros (Always warn | Never warn, disable all | Warn for signed, disable unsigned | No security check)" setting should be configured correctly for Outlook 2007.
The "Enable links in e-mail messages" setting should be configured correctly for Outlook 2007.
The "Apply macro security settings to macros, add-ins, and SmartTags" setting should be configured correctly for Outlook 2007.
The "Automatically configure profile based on Active Directory Primary SMTP address" setting should be configured correctly for Outlook 2007.
The "Do not allow users to change permissions on folders" setting should be configured correctly for Outlook 2007.
The "Enable RPC encryption" setting should be configured correctly for Outlook 2007.
CCE-1712-9 CCE-1712
enabled/disabled
CCE-1131-2 CCE-1131
enabled/disabled
CCE-1620-4 CCE-1620
enabled/disabled
CCE-1541-2 CCE-1541
enabled/disabled
CCE-1311-0 CCE-1311
enabled/disabled
CCE-1682-4 CCE-1682
enabled/disabled
CCE-1461-3 CCE-1461
enabled/disabled
The "Authentication with Exchange Server (Kerberos/NTLM Password Authentication | Kerberos Password Authentication | NTLM Password Authentication)" setting should be configured correctly for Outlook 2007.
The "Synchronize Outlook RSS Feeds with Common Feed List" setting should be configured correctly for Outlook 2007.
The "Turn off RSS feature" setting should be configured correctly for Outlook 2007.
The "Automatically download enclosures" setting should be configured correctly for Outlook 2007.
The "Download full text of articles as HTML attachments" setting should be configured correctly for Outlook 2007.
The "Automatically download attachments" setting should be configured correctly for Outlook 2007.
The "Do not include Internet Calendar integration in Outlook" setting should be configured correctly for Outlook 2007.
CCE-1041-3 CCE-1041
enabled/disabled
CCE-1565-1 CCE-1565
enabled/disabled
CCE-1719-4 CCE-1719
enabled/disabled
CCE-1477-9 CCE-1477
enabled/disabled
CCE-1142-9 CCE-1142
enabled/disabled
CCE-1649-3 CCE-1649
enabled/disabled
CCE-1279-9 CCE-1279
enabled/disabled
The "Disable user entries to server list (Publish default, allow others | Publish default, disallow others)" setting should be configured correctly for Outlook 2007.
The "Do not expand distribution lists" setting should be configured correctly for Outlook 2007.
The "Save files in this format (PowerPoint Presentation (*.pptx) | PowerPoint Macro-Enabled Presentation (*.pptm) | PowerPoint 97-2003 Presentation (*.ppt))" setting should be configured correctly for PowerPoint 2007.
The "Number of documents in the Recent Documents list (0 - 50)" setting should be configured correctly for PowerPoint 2007.
The "Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations" setting should be configured correctly for PowerPoint 2007.
The "Run Programs (disable (don't run any programs) | enable (prompt user before running) | enable all (run without prompting))" setting should be configured correctly for PowerPoint 2007.
The "Make hidden markup visible" setting should be configured correctly for PowerPoint 2007.
CCE-1451-4 CCE-1451
enabled/disabled
CCE-1204-7 CCE-1204
enabled/disabled
CCE-1107-2 CCE-1107
enabled/disabled
CCE-743-5 CCE-743
enabled/disabled
CCE-747-6 CCE-747
enabled/disabled
CCE-782-3 CCE-782
enabled/disabled
CCE-1327-6 CCE-1327
enabled/disabled
CCE-1723-6 CCE-1723
enabled/disabled
The "Unblock automatic download of linked images" setting should be configured correctly for PowerPoint 2007.
The "Disable all application add-ins" setting should be configured correctly for PowerPoint 2007.
The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for PowerPoint 2007.
The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for PowerPoint 2007.
The "Allow Trusted Locations not on the computer" setting should be configured correctly for PowerPoint 2007.
The "Disable all trusted locations" setting should be configured correctly for PowerPoint 2007.
The "Disable commands" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Web Page Preview" setting should be configured correctly for PowerPoint 2007.
CCE-1366-4 CCE-1366
enabled/disabled
CCE-1679-0 CCE-1679
enabled/disabled
CCE-1173-4 CCE-1173
enabled/disabled
CCE-1714-5 CCE-1714
enabled/disabled
CCE-1485-2 CCE-1485
enabled/disabled
CCE-1687-3 CCE-1687
enabled/disabled
CCE-1709-5 CCE-1709
enabled/disabled
CCE-1463-9 CCE-1463
enabled/disabled
The "Disable commands - Office Button | Send | Email" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Insert | Links | Hyperlink" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Review | Proofing | Language" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - View | Macros | Macros" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Developer | Code | Macros" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Developer | Code | Macro Security" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Developer | Code | Visual Basic" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Document Location" setting should be configured correctly for PowerPoint 2007.
CCE-1467-0 CCE-1467
enabled/disabled
CCE-1740-0 CCE-1740
enabled/disabled
CCE-1780-6 CCE-1780
enabled/disabled
CCE-1661-8 CCE-1661
enabled/disabled
CCE-1688-1 CCE-1688
enabled/disabled
CCE-1701-2 CCE-1701
enabled/disabled
CCE-1348-2 CCE-1348
enabled/disabled
CCE-1644-4 CCE-1644
enabled/disabled
CCE-1194-0 CCE-1194
enabled/disabled
The "Disable commands - Disable shortcut keys" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Ctrl+K (Insert | Links | Hyperlink)" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Alt+F8 (Developer | Code | Macros)" setting should be configured correctly for PowerPoint 2007.
The "Disable commands - Alt+F11 (Developer | Code | Visual Basic)" setting should be configured correctly for PowerPoint 2007.
The "Block opening of pre-release versions of file formats new to PowerPoint 2007" setting should be configured correctly for PowerPoint 2007.
The "Block opening of Open Xml files types" setting should be configured correctly for PowerPoint 2007.
The "Block opening of Binary file types" setting should be configured correctly for PowerPoint 2007.
The "Block opening of Html file types" setting should be configured correctly for PowerPoint 2007.
The "Block opening of Outlines" setting should be configured correctly for PowerPoint 2007.
CCE-1216-1 CCE-1216
enabled/disabled
CCE-1506-5 CCE-1506
enabled/disabled
CCE-1136-1 CCE-1136
enabled/disabled
CCE-1766-5 CCE-1766
enabled/disabled
CCE-1180-9 CCE-1180
enabled/disabled
CCE-1722-8 CCE-1722
enabled/disabled
CCE-1731-9 CCE-1731
enabled/disabled
CCE-885-4 CCE-885
enabled/disabled
The "Block opening of Converters" setting should be configured correctly for PowerPoint 2007.
The "Block saving of Open Xml file types" setting should be configured correctly for PowerPoint 2007.
The "Block saving of Binary file types" setting should be configured correctly for PowerPoint 2007.
The "Block saving of Html file types" setting should be configured correctly for PowerPoint 2007.
The "Block saving of Outlines" setting should be configured correctly for PowerPoint 2007.
The "Block saving of GraphicFilters" setting should be configured correctly for PowerPoint 2007.
The "Disable Slide Update" setting should be configured correctly for PowerPoint 2007.
The "Hidden text" setting should be configured correctly for Word 2007.
CCE-1656-8 CCE-1656
enabled/disabled
CCE-1537-0 CCE-1537
enabled/disabled
CCE-1249-2 CCE-1249
enabled/disabled
CCE-1509-9 CCE-1509
enabled/disabled
The "Save files in this format (Word document (*.docx) | Single Files Web Page (*.mht) | Web Page (*.htm; *.html) | Web Page, Filtered (*.htm, *.html) | Rich Text Format (*.rtf) | Plain Text (*.txt) | Word 6.0/95 (*.doc) | Word 6.0/95 - Chinese (Simplified) (*.doc) | Word 6.0/95 - Chinese (Traditional) (*.doc) | Word 6.0/95 - Japanese (*.doc) | Word 6.0/95 - Korean (*.doc) | Word 97-2002 & 6.0/95 - RTF | Word 5.1 for Macintosh (*.mcw) | Word 5.0 for Macintosh (*.mcw) | Word 2.x for Windows (*.doc) | Works 4.0 for Windows (*.wps) | WordPerfect 5.x for Windows (*.doc) | WordPerfect 5.1 for DOS (*.doc) | Word 2007 Macro Enabled Document (*.docm) | Word 2007 Macro Free Template (*.dotx) | Word 2007 Macro Enabled Template (*.dotm) | Word 97 - 2003 Document (*.doc) | Word 97 - 2003 Template (*.dot) | Flat XML Document (*.xml))" setting should be configured correctly for
The "Number of documents in the Recent Documents list (0-50)" setting should be configured correctly for Word 2007.
The "Update automatic links at Open" setting should be configured correctly for Word 2007.
The "Save smart tags in e-mail" setting should be configured correctly for Word 2007.
CCE-1280-7 CCE-1280
enabled/disabled
CCE-1681-6 CCE-1681
enabled/disabled
CCE-1562-8 CCE-1562
enabled/disabled
CCE-1333-4 CCE-1333
enabled/disabled
CCE-1355-7 CCE-1355
enabled/disabled
CCE-1637-8 CCE-1637
enabled/disabled
CCE-1659-2 CCE-1659
enabled/disabled
CCE-1329-2 CCE-1329
enabled/disabled
The "Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents" setting should be configured correctly for Word 2007.
The "Disable all application add-ins" setting should be configured correctly for Word 2007.
The "Require that application add-ins are signed by Trusted Publisher" setting should be configured correctly for Word 2007.
The "Disable Trust Bar Notification for unsigned application add-ins" setting should be configured correctly for Word 2007.
The "Allow Trusted Locations not on the computer" setting should be configured correctly for Word 2007.
The "Disable all trusted locations" setting should be configured correctly for Word 2007.
The "Disable commands" setting should be configured correctly for Word 2007.
The "Disable commands - Office Button | Word Options | Customize | All Commands | Save As Web Page" setting should be configured correctly for Word 2007.
CCE-1632-9 CCE-1632
enabled/disabled
CCE-1425-8 CCE-1425
enabled/disabled
CCE-1196-5 CCE-1196
enabled/disabled
CCE-936-5 CCE-936
enabled/disabled
CCE-1354-0 CCE-1354
enabled/disabled
CCE-1125-4 CCE-1125
enabled/disabled
CCE-1742-6 CCE-1742
enabled/disabled
CCE-1782-2 CCE-1782
enabled/disabled
The "Disable commands - Office Button | Word Options | Customize | All Commands | Web Page Preview" setting should be configured correctly for Word 2007.
The "Disable commands - Office Button | Send | Email" setting should be configured correctly for Word 2007.
The "Disable commands - Insert | Links | Hyperlink" setting should be configured correctly for Word 2007.
The "Disable commands - Review | Protect | Protect Document" setting should be configured correctly for Word 2007.
The "Disable commands - View | Macros | Macros" setting should be configured correctly for Word 2007.
The "Disable commands - Developer | Code | Macros" setting should be configured correctly for Word 2007.
The "Disable commands - Developer | Code | Record Macro" setting should be configured correctly for Word 2007.
The "Disable commands - Developer | Code | Macro Security" setting should be configured correctly for Word 2007.
CCE-1306-0 CCE-1306
enabled/disabled
CCE-1548-7 CCE-1548
enabled/disabled
CCE-1716-0 CCE-1716
enabled/disabled
CCE-1597-4 CCE-1597
enabled/disabled
CCE-1689-9 CCE-1689
enabled/disabled
CCE-1570-1 CCE-1570
enabled/disabled
CCE-1720-2 CCE-1720
enabled/disabled
CCE-1746-7 CCE-1746
enabled/disabled
The "Disable commands - Developer | Code | Visual Basic" setting should be configured correctly for Word 2007.
The "Disable commands - Developer | Templates | Document Template" setting should be configured correctly for Word 2007.
The "Disable shortcut keys" setting should be configured correctly for Word 2007.
The "Disable shortcut keys - Ctrl+F (Home | Editing | Find)" setting should be configured correctly for Word 2007.
The "Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink)" setting should be configured correctly for Word 2007.
The "Disable shortcut keys - Alt+F8 (Developer | Code | Macros)" setting should be configured correctly for Word 2007.
The "Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic)" setting should be configured correctly for Word 2007.
The "Block opening of pre-release versions of file formats new to Word 2007" setting should be configured correctly for Word 2007.
CCE-1504-0 CCE-1504
enabled/disabled
CCE-1654-3 CCE-1654
enabled/disabled
CCE-1160-1 CCE-1160
enabled/disabled
CCE-958-9 CCE-958
enabled/disabled
CCE-1579-2 CCE-1579
enabled/disabled
CCE-984-5 CCE-984
enabled/disabled
CCE-1072-8 CCE-1072
enabled/disabled
CCE-1503-2 CCE-1503
enabled/disabled
CCE-1371-4 CCE-1371
enabled/disabled
CCE-1019-9 CCE-1019
enabled/disabled
The "Block opening of Open XML file types" setting should be configured correctly for Word 2007.
The "Block opening of Binary file types" setting should be configured correctly for Word 2007.
The "Block opening of HTML file types" setting should be configured correctly for Word 2007.
The "Block opening of Word 2003 XML file types" setting should be configured correctly for Word 2007.
The "Block opening of RTF file types" setting should be configured correctly for Word 2007.
The "Block open Converters" setting should be configured correctly for Word 2007.
The "Block opening of Text file types" setting should be configured correctly for Word 2007.
The "Block opening of Internal file types" setting should be configured correctly for Word 2007.
The "Block opening of files before version" setting should be configured correctly for Word 2007.
The "Block saving of Open XML file types" setting should be configured correctly for Word 2007.
CCE-1684-0 CCE-1684
enabled/disabled
CCE-1675-8 CCE-1675
enabled/disabled
CCE-1200-5 CCE-1200
enabled/disabled
CCE-1741-8 CCE-1741
enabled/disabled
CCE-1231-0 CCE-1231
enabled/disabled
CCE-1755-8 CCE-1755
enabled/disabled
CCE-1169-2 CCE-1169
The InfoPath APTCA Assembly
enabled/disabled
CCE-1735-0 CCE-1735
The Windows Internet Explor
enabled/disabled
The "Block saving of Binary file types" setting should be configured correctly for Word 2007.
The "Block saving of HTML file types" setting should be configured correctly for Word 2007.
The "Block saving of Word 2003 XML file types" setting should be configured correctly for Word 2007.
The "Block saving of RTF file types" setting should be configured correctly for Word 2007.
The "Block saving of Converters" setting should be configured correctly for Word 2007.
The "Block saving of Text file types" setting should be configured correctly for Word 2007.
CCE-1739-2 CCE-1739
The InfoPath APTCA Assembly
enabled/disabled
CCE-933-2 CCE-933
The Disable Package Repair
enabled/disabled
CCE-1563-6 CCE-1563
The Disable user name and p
enabled/disabled
CCE-1215-3 CCE-1215
The Disable user name and p
enabled/disabled
CCE-1484-5 CCE-1484
The Disable user name and p
enabled/disabled
CCE-1629-5 CCE-1629
The Disable user name and p
enabled/disabled
CCE-1762-4 CCE-1762
The Disable user name and p
enabled/disabled
CCE-1660-0 CCE-1660
The Disable user name and p
enabled/disabled
CCE-1057-9 CCE-1057
The Disable user name and p
enabled/disabled
CCE-1285-6 CCE-1285
The Disable user name and p
enabled/disabled
CCE-1669-1 CCE-1669
The Bind to object setting s
enabled/disabled
CCE-1691-5 CCE-1691
The Bind to object - excel.ex
enabled/disabled
CCE-1338-3 CCE-1338
The Bind to object - powerpn
enabled/disabled
CCE-1717-8 CCE-1717
The Bind to object - pptview
enabled/disabled
CCE-1488-6 CCE-1488
The Bind to object - winword
enabled/disabled
CCE-1638-6 CCE-1638
The Bind to object - outlook.
enabled/disabled
CCE-1647-7 CCE-1647
The Bind to object - spDesig
enabled/disabled
CCE-1294-8 CCE-1294
The Bind to object - msacces
enabled/disabled
CCE-1193-2 CCE-1193
The Saved from URL setting
enabled/disabled
CCE-1352-4 CCE-1352
The Saved from URL - excel.
enabled/disabled
CCE-928-2 CCE-928
The Saved from URL - powerp
enabled/disabled
CCE-1576-8 CCE-1576
The Saved from URL - pptvie
enabled/disabled
CCE-1100-7 CCE-1100
The Saved from URL - pptvie
enabled/disabled
CCE-1232-8 CCE-1232
The Saved from URL - outloo
enabled/disabled
CCE-1774-9 CCE-1774
The Saved from URL - spDesi
enabled/disabled
CCE-906-8 CCE-906
The Saved from URL - msacce
enabled/disabled
CCE-1034-8 CCE-1034
The Navigate URL setting sh
enabled/disabled
CCE-1435-7 CCE-1435
The Navigate URL - excel.exe
enabled/disabled
CCE-1708-7 CCE-1708
The Navigate URL - powerpnt
enabled/disabled
CCE-808-6 CCE-808
The Navigate URL - pptview.e
enabled/disabled
CCE-1650-1 CCE-1650
The Navigate URL - winword.
enabled/disabled
CCE-1223-7 CCE-1223
The Navigate URL - outlook.e
enabled/disabled
CCE-1764-0 CCE-1764
The Navigate URL - spDesign
enabled/disabled
CCE-1769-9 CCE-1769
The Navigate URL - msaccess
enabled/disabled
CCE-1152-8 CCE-1152
The Block popups setting sho
enabled/disabled
CCE-1566-9 CCE-1566
The Block popups - excel.exe
enabled/disabled
CCE-1077-7 CCE-1077
The Block popups - powerpnt
enabled/disabled
CCE-1606-3 CCE-1606
The Block popups - pptview.e
enabled/disabled
CCE-1738-4 CCE-1738
The Block popups - winword.
enabled/disabled
CCE-1262-5 CCE-1262
The Block popups - outlook.e
enabled/disabled
CCE-1663-4 CCE-1663
The Block popups - spDesign
enabled/disabled
CCE-1544-6 CCE-1544
The Block popups - msaccess
enabled/disabled
CCE-1443-1 CCE-1443 1 = Enabled
CCE-1161-9 CCE-1161
CCE-1421-7 CCE-1421
The "Prevent users from customizing attachment security settings" setting should be configured correctly.
The "Access: Macro Security Level" setting should be configured correctly.
1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High
The "Access: Trust all installed add-ins and templates" setting should be configured correctly.
0 = Enabled | 1 = Disabled
CCE-1571-9 CCE-1571
CCE-1721-0 CCE-1721
CCE-1602-2 CCE-1602
CCE-1624-6 CCE-1624
CCE-1522-2 CCE-1522
The "Excel: Macro Security Level" setting should be configured correctly.
1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High
The "Excel: Trust all installed add-ins and templates" setting should be configured correctly.
0 = Enabled | 1 = Disabled
The "Outlook: Macro Security Level" setting should be configured correctly.
1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High
The "Outlook: Trust all installed add-ins and templates" setting should be configured correctly.
0 = Enabled | 1 = Disabled
The "Outlook virus security settings" setting should be configured correctly.
0 = Uses default administrative settings | 1 = Look in the Outlook Security Settings folder | 2 = Look in the Outlook 10 Security Settings folder
CCE-1183-3 CCE-1183
CCE-1611-3 CCE-1611
CCE-1633-7 CCE-1633
CCE-822-7 CCE-822
CCE-1734-3 CCE-1734
CCE-1628-7 CCE-1628
The "S/MIME receipt requests" setting should be configured correctly.
0 = Open message if receipt can't be sent | 1 = Always prompt before sending receipt | 2 = Never send S/MIME receipts | 3 = Don't open message if receipt can't be sent
The "PowerPoint: Macro Security Level" setting should be configured correctly.
1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High
The "PowerPoint: Trust all installed add-ins and templates" setting should be configured correctly.
0 = Enabled | 1 = Disabled
The "Publisher: Macro Security Level" setting should be configured correctly.
1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High
The "Publisher: Trust all installed add-ins and templates" setting should be configured correctly.
0 = Enabled | 1 = Disabled
The "Word: Macro Security Level" setting should be configured correctly.
1 = Enabled - Low | 2 = Enabled - Medium | 3 = Enabled - High
CCE-1761-6 CCE-1761
CCE-1302-9 CCE-1302
CCE-1307-8 CCE-1307
The "Word: Trust all installed add-ins and templates" setting should be configured correctly.
0 = Enabled | 1 = Disabled
The "Store random number to improve merge accuracy" setting should be configured correctly.
0 = Enabled | 1 = Disabled
The "Prevent Users from Changing Office Encryption Settings" setting should be configured correctly.
0 = Disabled | 1 = Enabled
CCE Technical Mechanisms
Table 1.3. ActiveX Control Initialization
Microsoft Threats and Countermeasures guide
2007: GPO Settings:Computer Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 System / Security Settings , Registry Keys: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Office\12.0\Common\VbaOff 2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Disable VBA for Office applications (2) HKLM\Software\Policies\Microsoft\Office\11.0\Common - VbaOff (3) User Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Disable VBA for Office applications (4) HKCU\Software\Policies\Microsoft\Office\11.0\Common - VbaOff
Table 1.124. Disable VBA for Office applications, Table 2.5. Disable VBA for Office applications
2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 system / Security /ActiveX Control InitializationSettings , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common\Security\UFIControls 2003: (1) User Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\ActiveX Control Initialization (2) HKCU\Software\Policies\Microsoft\Office\Common\Security - UFIControls
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 / Privacy / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\QMEnable
Table 1.148. Enable Customer Experience Improvement Program
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 / Privacy / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\UpdateReliabilityData
Table 1.23. Automatically receive small updates to improve reliability
Table 1.179. Online content options
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 system / Tools / Options / General / Service Options / Online Content , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\Internet\UseOnlineContent
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Access 2007 / Application Settings / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Access\Security\VBAWarnings
Table 1.234. VBA Macro Warning Settings
2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Excel 2007 / Excel Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\VBAWarnings
Table 1.234. VBA Macro Warning Settings
2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Excel 2007 / Excel Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Excel\Security\AccessVBOM 2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Excel: Trust access to Visual Basic Project (2) HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security - AccessVBOM (3) User Configuration\Administrative Templates\Microsoft Office Excel 2003\Tools\Macros\Security\Trust access to Visual Basic Project (4) HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security - AccessVBOM
Table 1.225. Trust access to Visual Basic Project
Table 1.72. Configure trusted add-ins
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office PowerPoint 2007 / PowerPoint Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\VBAWarnings
Table 1.234. VBA Macro Warning Settings
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office PowerPoint 2007 / PowerPoint Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\AccessVBOM
Table 1.225. Trust access to Visual Basic Project
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\EnableRememberPwd
2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\AddinTrust 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Configure Add-In Trust Level (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - AddinTrust
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\EnableRememberPwd
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\MinEncKey
Table 1.173. Minimum encryption settings
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\SupressNameChecks
Table 1.134. Do not check e-mail address against address of certificates being using
Table 1.220. Signature Warning
2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\ClearSign 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Send all signed messages as clear signed messages (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - ClearSign
Table 1.214. Send all signed messages as clear signed messages
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\RequestSecureReceipt
Table 1.198. Request an S/MIME receipt for all S/MIME signed messages
2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\PublishToGalDisabled 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Disable 'Publish to GAL' button (2) HKCU\Software\Policies\Microsoft\office\11.0\outlook\Security - PublishToGalDisabled
Table 1.135. Do not display 'Publish to GAL' button
2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\WarnAboutInvalid 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Signature Warning (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - WarnAboutInvalid
2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\ConvertSMIMEBlobSignedIcons 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Enable cryptography icons (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - ConvertSMIMEBlobSignedIcons
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Outlook 2007 / Security / Cryptography / Signature Status Dialog Box , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security\UseCRLChasing
Table 1.204. Retrieving CRLs (Certificate Revocation Lists)
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Word 2007 / Word Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\VBAWarnings
Table 1.234. VBA Macro Warning Settings
2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Word 2007 / Word Options / Security / Trust Center , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Security\AccessVBOM 2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Word: Trust access to Visual Basic Project (2) HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security - AccessVBOM (3) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Macro\Security\Trust access to Visual Basic Project (4) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Security - AccessVBOM
Table 1.225. Trust access to Visual Basic Project
Table 1.230. Underline hyperlinks
Table 1.89. Disable all trusted locations
2007: GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office Word 2007 / Word Options / Security , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Word\Options\vpref\fWarnRevisions_1805_1 2003: (1) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Options\Security\Warn before printing or saving or sending a file that contains tracked changes or comments (2) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Options\vpre
GPO Settings:User Configuration / Administrative Templates / Classic Administrative Templates / Microsoft Office 2007 / Miscellaneous , Registry Keys: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\Common\OfficeUpdate\BlockUpdates
Table 1.64. Block updates from the Office Update Site from applying
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Web Options\General\Underline hyperlinks (2) Software\Policies\Microsoft\Office\12.0\Access\Internet
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\General\General\Number of documents in the Recent Documents list (0-9) (2) Software\Policies\Microsoft\Office\12.0\Access\Settings
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\Access\Security
Table 1.120. Disable Trust Bar Notification for unsigned application add-ins
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\Access\Security
Table 1.87. Disable all application add-ins
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\Access\Security
Table 1.200. Require that application add-ins are signed by Trusted Publisher
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Disable all trusted locations (2) Software\Policies\Microsoft\Office\12.0\Access\Security\Trusted Locations
Table 1.176. Modal Trust Decision Only
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer (2) Software\Policies\Microsoft\Office\12.0\Access\Security\Trusted Locations
Table 1.11. Allow Trusted Locations not on the computer
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Modal Trust Decision Only (2) Software\Policies\Microsoft\Office\12.0\Access\Security\Trusted Locations
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | E-Mail (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Access Options | Customize | All Commands | Insert Hyperlink (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encrypt with Password (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User and Group Permissions (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permissions | User and Group Accounts (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User-Level Security Wizard... (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encode/Decode Database (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Run Macro (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Convert Macros to Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Create Shortcut Menu from Macro (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledCmdBarItemsCheckBoxes
Table 1.114. Disable shortcut keys
Table 1.114. Disable shortcut keys
Table 1.114. Disable shortcut keys
Table 1.80. Default file format
Table 1.211. Save Excel files as
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Ctrl+K (Office Button | Access Options | Customize | All Commands | Insert Hyperlinks) (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Alt+F11 (Database Tools | Macro | Visual Basic) (2) Software\Policies\Microsoft\Office\12.0\Access\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Default file format (Access 2007 | Access 2002-2003) (2) Software\Policies\Microsoft\Office\12.0\Access\Settings
(1) User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Do not prompt to convert older databases (2) Software\Policies\Microsoft\Office\12.0\Access\Settings
Table 1.141. Do not prompt to convert older databases
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Proofing\Autocorrect Options\Internet and network paths as hyperlinks (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
Table 1.164. Internet and network paths as hyperlinks
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Save Excel files as (Excel Workbook (*.xlsx) | Excel Macro-Enabled Workbook (*.xlsm) | Excel Binary Workbook (*.xlsb) | Web Page (*.htm; *.html) | Excel 97-2003 Workbook (*.xls) | Excel 5.0/95 Workbook (*.xls)) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
Table 1.91. Disable AutoRepublish
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Disable AutoRepublish (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\AutoRepublish Warning Alert (Always show the alert before publishing | Never show the alert before publishing) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
Table 1.25. AutoRepublish Warning Alert
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks (2) Software\Policies\Microsoft\Office\12.0\Excel\Security
Table 1.81. Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Force file extension to match file type (Allow different | Allow different, but warn | Always match file type) (2) Software\Policies\Microsoft\Office\12.0\Excel\Security
Table 1.155. Force file extension to match file type
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Store macro in Personal Macro Workbook by default (2) Software\Policies\Microsoft\Office\12.0\Excel\Security
Table 1.221. Store macro in Personal Macro Workbook by default
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\Excel\Security
Table 1.87. Disable all application add-ins
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\Excel\Security
Table 1.200. Require that application add-ins are signed by Trusted Publisher
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\Excel\Security
Table 1.120. Disable Trust Bar Notification for unsigned application add-ins
Table 1.89. Disable all trusted locations
Table 1.159. Ignore other applications
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\Trusted Locations
Table 1.11. Allow Trusted Locations not on the computer
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted Locations\Disable all trusted locations (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\Trusted Locations
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ignore other applications (2) Software\Policies\Microsoft\Office\12.0\Excel\Options\BinaryOptions
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ask to update automatic links (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
Table 1.17. Ask to update automatic links
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Number of documents in the Recent Documents list (0-17) (2) Software\Policies\Microsoft\Office\12.0\Excel\File MRU
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\General\Save any additional data necessary to maintain formulas (2) Software\Policies\Microsoft\Office\12.0\Excel\Internet
Table 1.210. Save any additional data necessary to maintain formulas
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\General\Load pictures from Web pages not created in Excel (2) Software\Policies\Microsoft\Office\12.0\Excel\Internet
Table 1.169. Load pictures from Web pages not created in Excel
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Do not show data extraction options when opening corrupt workbooks (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
Table 1.143. Do not show data extraction options when opening corrupt workbooks
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Assume structured storage format of workbook is intact when recovering data (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Corrupt formula conversion (Convert unrecoverable references to: values | #REF or #NAME) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Connection File Locations (2) Software\Policies\Microsoft\Office\Common\Server Links\Published
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Automatic Query Refresh (Prompt for all workbooks | Do not prompt; do not allow auto refresh | Do not prompt; allow auto refresh) (2) Software\Policies\Microsoft\Office\Common\Server Links\Published
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Save as Web Page (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Web Page Preview (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Sheet (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Workbook (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect and Share Workbook (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Record Macro (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
Table 1.114. Disable shortcut keys
Table 1.114. Disable shortcut keys
Table 1.114. Disable shortcut keys
Table 1.114. Disable shortcut keys
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Document Location (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink) (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F8 (Developer | Code | Macros) (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic) (2) Software\Policies\Microsoft\Office\12.0\Excel\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Excel 2007 (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
Table 1.34. Block opening of files created by pre-release versions of Excel 2007
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Open XML file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
Table 1.38. Block opening of Open XML file types
Table 1.48. Block opening of Xll file type
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary 12 file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
Table 1.29. Block opening of Binary 12 file types
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
Table 1.30. Block opening of Binary file types
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Html and Xmlss files types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
Table 1.35. Block opening of Html and Xmlss files types
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Xml file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
Table 1.49. Block opening of Xml file types
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of DIF and SYLK file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
Table 1.32. Block opening of DIF and SYLK file types
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Text file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
Table 1.46. Block opening of Text file types
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Xll file type (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Open Xml file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
Table 1.57. Block saving of Open Xml file types
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Binary12 file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
Table 1.52. Block saving of Binary12 file types
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Binary file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Html and Xmlss file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
Table 1.55. Block saving of Html and Xmlss file types
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving Xml file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving DIF and SYLK file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
Table 1.50. Block saving DIF and SYLK file types
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Text file types (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileSaveBlock
Table 1.60. Block saving of Text file types
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Locally cache network file storages (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Locally cache PivotTable reports (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\OLAP PivotTable User Defined Function (UDF) security setting (Allow ALL UDFs | Allow safe UDFs only | Allow NO UDFs) (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Recognize SmartTags (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Tools | Options\General\Number of documents in the Recent Documents list (0 - 9) (2) Software\Policies\Microsoft\Office\12.0\InfoPath
Table 1.178. Offline Mode status
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Tools | Options\Advanced\Offline\Offline Mode status (Disabled | Enabled, InfoPath in Offline Mode | Enabled, InfoPath not in Offline Mode) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Editor\Offline
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Print (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Send to Mail Recipient (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Open from SharePoint Site (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Print Preview (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Page Setup (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Insert | Hyperlinks... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.114. Disable shortcut keys
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Set Language (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Customize... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Options... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Help | Microsoft Office Online (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Office Diagnostics (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Help | Activate Product... (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Print Default (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShortcutKeysCheckBoxes
Table 1.114. Disable shortcut keys
Table 1.114. Disable shortcut keys
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys - Print Shortcut (Ctrl+P) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys - Insert Hyperlink Shortcut (Ctrl+K) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior for Windows SharePoint Services gradual upgrade (Allow redirections to any location | Allow redirections to Intranet only | Block all redirections) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.73. Control behavior for Windows SharePoint Services gradual upgrade
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Disable opening of solutions from the Internet security zone (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.109. Disable opening of solutions from the Internet security zone
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Disable fully trusted solutions full access to computer (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.102. Disable fully trusted solutions full access to computer
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Allow the use of ActiveX Custom Controls in InfoPath forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003 SP1 (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Allow file types as attachments to forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.7. Allow file types as attachments to forms
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Block specific file types as attachments to forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.62. Block specific file types as attachments to forms
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Prevent users from allowing unsafe file types to be attached to forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.186. Prevent users from allowing unsafe file types to be attached to forms
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Display a warning that a form is digitally signed (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Internet security zone (Block | Prompt | Allow) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors
Table 1.74. Control behavior when opening forms in the Internet security zone
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Intranet security zone (Block | Prompt | Allow) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors
Table 1.75. Control behavior when opening forms in the Intranet security zone
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Local Machine security zone (Block | Prompt | Allow) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Trusted Site security zone (Block | Prompt | Allow) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Open Behaviors
Table 1.76. Control behavior when opening forms in the Trusted Site security zone
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Beaconing UI for forms opened in InfoPath (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.26. Beaconing UI for forms opened in InfoPath
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Beaconing UI for forms opened in InfoPath Editor ActiveX (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.27. Beaconing UI for forms opened in InfoPath Editor ActiveX
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.87. Disable all application add-ins
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.200. Require that application add-ins are signed by Trusted Publisher
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.120. Disable Trust Bar Notification for unsigned application add-ins
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Control behavior when opening InfoPath e-mail forms containing code or script (Run without prompting | Prompt before running | Never run) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.77. Control behavior when opening InfoPath e-mail forms containing code or script
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable sending form template with e-mail forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Deployment
Table 1.112. Disable sending form template with e-mail forms
Table 1.79. Custom code
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable dynamic caching of the form template in InfoPath e-mail forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Deployment
Table 1.97. Disable dynamic caching of the form template in InfoPath e-mail forms
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable sending InfoPath 2003 Forms as e-mail forms (2) Software\Policies\Microsoft\Office\12.0\InfoPath
Table 1.113. Disable sending InfoPath 2003 Forms as e-mail forms
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms running in restricted security level (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.101. Disable e-mail forms running in restricted security level
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Internet security zone (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.99. Disable e-mail forms from the Internet security zone
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Intranet security zone (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.100. Disable e-mail forms from the Intranet security zone
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Full Trust security zone (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 1.98. Disable e-mail forms from the Full Trust security zone
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable InfoPath e-mail forms in Outlook (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
Table 1.106. Disable InfoPath e-mail forms in Outlook
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Restricted Features\Information Rights Management (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Designer\RestrictedFeatures
Table 1.163. Information Rights Management
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Restricted Features\Custom code (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Designer\RestrictedFeatures
Table 1.147. Email Forms Beaconing UI
(1) User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Miscellaneous\Email Forms Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.122. Disable user customization of Quick Access Toolbar via UI
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Word (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.122. Disable user customization of Quick Access Toolbar via UI
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Excel (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.122. Disable user customization of Quick Access Toolbar via UI
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in PowerPoint (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.122. Disable user customization of Quick Access Toolbar via UI
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Access (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.122. Disable user customization of Quick Access Toolbar via UI
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Outlook (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.122. Disable user customization of Quick Access Toolbar via UI
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.90. Disable all user customization of Quick Access Toolbar
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Word (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.90. Disable all user customization of Quick Access Toolbar
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Excel (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.90. Disable all user customization of Quick Access Toolbar
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in PowerPoint (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.90. Disable all user customization of Quick Access Toolbar
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Access (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.90. Disable all user customization of Quick Access Toolbar
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Outlook (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.90. Disable all user customization of Quick Access Toolbar
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.121. Disable UI extending from documents and templates
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Word (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.121. Disable UI extending from documents and templates
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Excel (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.121. Disable UI extending from documents and templates
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in PowerPoint (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.121. Disable UI extending from documents and templates
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Access (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.121. Disable UI extending from documents and templates
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Outlook (2) Software\Policies\Microsoft\Office\12.0\Common\Toolbars
Table 1.121. Disable UI extending from documents and templates
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | AutoCorrect Options... (Excel, Word, PowerPoint and Access)\Recognize smart tags in Excel (2) Software\Policies\Microsoft\Office\12.0\Excel\Options
Table 1.194. Recognize smart tags in Excel
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable Clip Art and Media downloads from the client and from Office Online website (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.93. Disable Clip Art and Media downloads from the client and from Office Online website
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable template downloads from the client and from Office Online website (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.117. Disable template downloads from the client and from Office Online website
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable access to updates, add-ins, and patches on the Office Online website (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.85. Disable access to updates, add-ins, and patches on the Office Online website
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Prevents users from uploading document templates to the Office Online community. (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.188. Prevents users from uploading document templates to the Office Online community
Table 1.160. Improve Proofing Tools
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable training practice downloads from the Office Online website (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.119. Disable training practice downloads from the Office Online website
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable customer-submitted templates downloads from Office Online (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.95. Disable customer-submitted templates downloads from Office Online
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Files\Open Office documents as read/write while browsing (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.180. Open Office documents as read/write while browsing
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Browsers\Rely on VML for displaying graphics in browsers (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.195. Rely on VML for displaying graphics in browsers
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Browsers\Allow PNG as an output format (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.9. Allow PNG as an output format
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | Spelling\Proofing Data Collection\Improve Proofing Tools (2) Software\Policies\Microsoft\Office\12.0\Common\PTWatson
(1) User Configuration\Administrative Templates\Classic Administrative Templates\Microsoft Office 2007\Privacy \Trust Center\Disable Opt-in Wizard on first run (2) HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Common\QMEnable
Table 1.110. Disable Opt-in Wizard on first run
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Help\Microsoft Office Online (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable Password Caching (2) Software\Policies\Microsoft\Office\12.0\Common\Security
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable all Trust Bar notifications for security issues (2) Software\Policies\Microsoft\Office\12.0\Common\TrustCenter
Table 1.88. Disable all Trust Bar notifications for security issues
Table 1.168. Load Controls in Forms3
Table 1.24. Automation Security
Table 1.103. Disable hyperlink warnings
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Protect document metadata for rights managed Office Open XML Files (2) Software\Policies\Microsoft\Office\12.0\Common\Security
Table 1.191. Protect document metadata for rights managed Office Open XML Files
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Protect document metadata for password protected files. (2) Software\Policies\Microsoft\Office\12.0\Common\Security
Table 1.190. Protect document metadata for password protected files
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Encryption type for password protected Office Open XML files (2) Software\Policies\Microsoft\Office\12.0\Common\Security
Table 1.153. Encryption type for password protected Office Open XML files
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Encryption type for password protected Office 97-2003 files (2) Software\Policies\Microsoft\Office\12.0\Common\Security
Table 1.152. Encryption type for password protected Office 97-2003 files
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Load Controls in Forms3 (1 | 2 | 3 | 4) (2) Software\Policies\Microsoft\VBA\Security
2007: (1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Automation Security (Disable macros by default | Use application macro security level | Macros enabled) (2) Software\Policies\Microsoft\Office\Common\Security 2003: (1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Automation Security (2) HKLM\Software\Policies\Microsoft\Office\11.0\Common\Security - AutomationSecurity
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Prevent Word and Excel from loading managed code extensions (2) Software\Policies\Microsoft\Office\Common\Smart Tag
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable hyperlink warnings (2) Software\Policies\Microsoft\Office\12.0\Common\Security
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable password to open UI (2) Software\Policies\Microsoft\Office\12.0\Common\Security
Table 1.111. Disable password to open UI
Table 1.86. Disable All ActiveX
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Download Office Controls (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable All ActiveX (2) Software\Policies\Microsoft\Office\Common\Security
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Trust Center\Allow mix of policy and user locations (2) Software\Policies\Microsoft\Office\12.0\Common\Security\Trusted Locations
Table 1.8. Allow mix of policy and user locations
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Smart Documents (Word, Excel)\Disable Smart Document's use of manifests (2) Software\Policies\Microsoft\Office\Common\Smart Tag
Table 1.116. Disable Smart Document's use of manifests
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Smart Documents (Word, Excel)\Completely disable the Smart Documents feature in Word and Excel (2) Software\Policies\Microsoft\Office\Common\Smart Tag
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Services\Fax\Disable Internet Fax feature (2) Software\Policies\Microsoft\Office\12.0\Common\Services\Fax
Table 1.107. Disable Internet Fax feature
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Prevent users from changing permissions on rights managed content (2) Software\Policies\Microsoft\Office\12.0\Common\DRM
Table 1.187. Prevent users from changing permissions on rights managed content
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Allow users with earlier versions of Office to read with browsers... (2) Software\Policies\Microsoft\Office\12.0\Common\DRM
Table 1.13. Allow users with earlier versions of Office to read with browsers…
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Always require users to connect to verify permission (2) Software\Policies\Microsoft\Office\12.0\Common\DRM
Table 1.15. Always require users to connect to verify permission
Table 1.166. Key Usage Filtering
Table 1.146. EKU filtering
Table 1.167. Legacy format signatures
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Always expand groups in Office when restricting permission for documents (2) Software\Policies\Microsoft\Office\12.0\Common\DRM\AutoExpandDls
Table 1.14. Always expand groups in Office when restricting permission for documents
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Never allow users to specify groups when restricting permission for documents (2) Software\Policies\Microsoft\Office\12.0\Common\DRM
Table 1.177. Never allow users to specify groups when restricting permission for documents
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Disable Microsoft Passport service for content with restricted permission (2) Software\Policies\Microsoft\Office\12.0\Common\DRM
Table 1.108. Disable Microsoft Passport service for content with restricted permission
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Do not allow users to upgrade Information Rights Management configuration (2) Software\Policies\Microsoft\Office\12.0\Common\DRM
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Key Usage Filtering (2) Software\Policies\Microsoft\Office\12.0\Common\General
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\EKU filtering (2) Software\Policies\Microsoft\Office\12.0\Common\Signatures
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Legacy format signatures (2) Software\Policies\Microsoft\Office\12.0\Common\Signatures
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Suppress Office Signing Providers (Enable Western and East Asian | Suppress default Western | Suppress default East Asian | Suppress both Western and East Asian) (2) Software\Policies\Microsoft\Office\12.0\Common\Signatures
Table 1.223. Suppress Office Signing Providers
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Suppress external signature services menu item (2) Software\Policies\Microsoft\Office\12.0\Common\Signatures
Table 1.222. Suppress external signature services menu item
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Office Diagnostics\Disable Check For Solutions (2) Software\Policies\Microsoft\Office\Common\OffDiag
Table 1.92. Disable Check For Solutions
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Microsoft Save As PDF and XPS add-ins\Disable inclusion of document properties in PDF and XPS output (2) Software\Policies\Microsoft\Office\12.0\Common\FixedFormat
Table 1.105. Disable inclusion of document properties in PDF and XPS output
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Document Information Panel\Disable Document Information Panel (2) Software\Policies\Microsoft\Office\12.0\Common\DocumentInformationPanel
Table 1.96. Disable Document Information Panel
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Document Information Panel\Document Information Panel Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone) (2) Software\Policies\Microsoft\Office\12.0\Common\DocumentInformationPanel
Table 1.144. Document Information Panel Beaconing UI
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Server Settings\Disable the Office client from polling the Office server for published links (2) Software\Policies\Microsoft\Office\12.0\Common\Portal
Table 1.118. Disable the Office client from polling the Office server for published links
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to Word 2007 through the Compatibility Pack for the 2007 Office system and Word 2007 Open XML/Word 97-2003 Format Converter (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
Table 1.44. Block opening of pre-release versions of file formats new to Word 2007 through the Compatibility Pack for the 2007 Office system and Word 2007 Open XML/Word 97-2003 Format Converter
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to Excel 2007 through the Compatibility Pack for the 2007 Office system and Excel 2007 Converter (2) Software\Policies\Microsoft\Office\12.0\Excel\Security\FileOpenBlock
Table 1.40. Block opening of pre-release versions of file formats new to Excel 2007 through the Compatibility Pack for the 2007 Office system and Excel 2007 Converter
Table 1.78. Control blogging
Table 1.192. Read e-mail as plain text
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to PowerPoint 2007 through the Compatibility Pack for the 2007 Office system and PowerPoint 2007 Converter (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
Table 1.42. Block opening of pre-release versions of file formats new to PowerPoint 2007 through the Compatibility Pack for the 2007 Office system and PowerPoint 2007 Converter
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Control Blogging (Enabled | Only SharePoint blogs allowed | All blogging disabled) (2) Software\Policies\Microsoft\Office\12.0\Common\Blog
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Enable Smart Resume (2) Software\Policies\Microsoft\Office\12.0\Common\Restore Workspace
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Do not upload media files (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Disable hyperlinks to web templates in File | New and task panes (2) Software\Policies\Microsoft\Office\12.0\Common\Internet
Table 1.104. Disable hyperlinks to web templates from the client and from Office Online website
(1) User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Prevent access to Web-based file storage (2) Software\Policies\Microsoft\Office\12.0\Common\WebServices
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Do not allow attachment previewing in Outlook (2) Software\Policies\Microsoft\Office\12.0\Outlook\Preferences
Table 1.128. Do not allow attachment previewing in Outlook
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Read e-mail as plain text (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Read signed e-mail as plain text (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
Table 1.193. Read signed e-mail as plain text
Table 1.203. Restrict upload method
Table 1.158. Hide Junk Mail UI
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Prevent publishing to Office Online (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal
Table 1.185. Prevent publishing to Office Online
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Prevent publishing to a DAV server (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal
Table 1.184. Prevent publishing to a DAV server
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Restrict level of calendar details users can publish (All options are available | Disables 'Full details' | Disables 'Full details' and 'Limited details') (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal
Table 1.202. Restrict level of calendar details users can publish
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Access to published calendars (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal
Table 1.1. Access to published calendars
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Restrict upload method (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\PubCal
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Hide Junk Mail UI (2) Software\Policies\Microsoft\Office\12.0\Outlook
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Junk E-mail protection level (No Protection, Low, High, Trusted Lists Only) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
Table 1.165. Junk E-mail protection level
Table 1.226. Trust E-mail from Contacts
Table 1.4. Add e-mail recipients to users
Table 1.84. Dial-up options
Table 1.84. Dial-up options
Table 1.84. Dial-up options
Table 1.84. Dial-up options
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Trust E-mail from Contacts (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Add e-mail recipients to users' Safe Senders Lists (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Warn before switching dial-up connection (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Hang up when finished sending, receiving, or updating (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Automatically dial during a background Send/Receive (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Do not allow creating, replying, or forwarding signatures for e-mail messages (2) Software\Policies\Microsoft\Office\12.0\Common\MailSettings
Table 1.129. Do not allow creating, replying, or forwarding signatures for e-mail messages
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Send copy of pictures with HTML messages instead of reference to Internet location (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
Table 1.181. Outlook Rich Text options
Table 1.183. Plain text options
Table 1.183. Plain text options
Table 1.217. Set message format
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Outlook Rich Text options (Convert to HTML | Convert to Plain Text format | Send Using Outlook Rich Text format) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Plain text options (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Plain text options - Encode attachments in UUENCODE format when sending a plain text message (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Message Format\Set message format (HTML | Rich Text | Plain Text) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Make Outlook the default program for E-mail, Contacts, and Calendar (2) software\policies\microsoft\office\12.0\outlook\options\general
Table 1.171. Make Outlook the default program for E-mail, Contacts, and Calendar
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow folders in non-default stores to be set as folder home pages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.130. Do not allow folders in non-default stores to be set as folder home pages
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Use Unicode format when dragging e-mail message to file system (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\General
Table 1.233. Use Unicode format when dragging e-mail message to file system
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow Outlook object model scripts to run for shared folders (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.132. Do not allow Outlook object model scripts to run for shared folders
Table 1.182. Outlook Security Mode
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow Outlook object model scripts to run for public folders (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.131. Do not allow Outlook object model scripts to run for public folders
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Set maximum level of online status on a person name (Do not allow | Allow everywhere except To and CC field | Allow everywhere) (2) Software\Policies\Microsoft\Office\12.0\Outlook\IM
Table 1.216. Set maximum level of online status on a person name
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Display online status on a person name (Never | Everywhere except To and CC field | Everywhere) (2) Software\Policies\Microsoft\Office\12.0\Outlook\IM
Table 1.126. Display online status on a person name
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Turn off Enable the Person Names Smart Tag option (2) Software\Policies\Microsoft\Office\12.0\Outlook\IM
Table 1.227. Turn off Enable the Person Names Smart Tag option
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Outlook Security Mode (Outlook Default Security | Use Security Form from 'Outlook Security Settings' Public Folder | Use Security Form from 'Outlook 10 Security Settings' Public Folder | Use Outlook Security Group Policy) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Display Level 1 attachments (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.125. Display Level 1 attachments
Table 1.5. Add file extensions to block as
Table 1.6. Add file extensions to block as
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Allow users to demote attachments to Level 2 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.12. Allow users to demote attachments to Level 2
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Do not prompt about Level 1 attachments when sending an item (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.140. Do not prompt about Level 1 attachments when sending an item
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Do not prompt about Level 1 attachments when closing an item (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.139. Do not prompt about Level 1 attachments when closing an item
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Allow in-place activation of embedded OLE objects (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Display OLE package objects (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Add file extensions to block as Level 1 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Remove file extensions blocked as Level 1 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.196. Remove file extensions blocked as Level 1
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Add file extensions to block as Level 2 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Remove file extensions blocked as Level 2 (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.197. Remove file extensions blocked as Level 2
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Allow scripts in one-off Outlook forms (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.10. Allow scripts in one-off Outlook forms
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Set Outlook object model Custom Actions execution prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.218. Set Outlook object model Custom Actions execution prompt
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Set control ItemProperty prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.215. Set control ItemProperty prompt
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when sending mail (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.71. Configure Outlook object model prompt when sending mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when accessing an address book (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.65. Configure Outlook object model prompt when accessing an address book
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when reading address information (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.69. Configure Outlook object model prompt when reading address information
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when responding to meeting and task requests (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.70. Configure Outlook object model prompt when responding to meeting and task requests
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when executing Save As (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.68. Configure Outlook object model prompt when executing Save As
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.67. Configure Outlook object model prompt When accessing the Formula property of a UserProperty object
Table 1.208. S/MIME password settings
Table 1.208. S/MIME password settings
Table 1.208. S/MIME password settings
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when accessing address information via UserProperties.Find (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.66. Configure Outlook object model prompt when accessing address information via UserProperties.Find
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Required Certificate Authority (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.201. Required Certificate Authority
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME interoperability with external clients: (Handle internally | Handle externally | Handle if possible) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.207. S/MIME interoperability with external clients:
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Always use Rich Text formatting in S/MIME messages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings (2) Software\Policies\Microsoft\Cryptography\Defaults\Provider\Microsoft Exchange Cryptographic Provider v1.0
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings - Default S/MIME password time (minutes): (0 - 2147483647) (2) Software\Policies\Microsoft\Cryptography\Defaults\Provider\Microsoft Exchange Cryptographic Provider v1.0
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings - Maximum S/MIME password time (minutes): (0 - 2147483647) (2) Software\Policies\Microsoft\Cryptography\Defaults\Provider\Microsoft Exchange Cryptographic Provider v1.0
Table 1.172. Message Formats
Table 1.172. Message Formats
Table 1.219. Sign all e-mail messages
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Message Formats (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Message Formats - Support the following message formats: (S/MIME | Exchange | Fortezza | S/MIME and Exchange | S/MIME and Fortezza | Exchange and Fortezza | S/MIME, Exchange, and Fortezza) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
2007: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not provide Continue option on Encryption warning dialog boxes (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Disable Continue button on all Encryption warning dialogs (2) HKCU\Software\Policies\Microsoft\office\11.0\outlook\Security - DisableContinue
Table 1.142. Do not provide Continue option on Encryption warning dialog boxes
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Run in FIPS compliant mode (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.205. Run in FIPS compliant mode
2007: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Encrypt all e-mail messages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security 2003: (1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\Encrypt all e-mail messages (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - AlwaysEncrypt
Table 1.151. Encrypt all e-mail messages
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Sign all e-mail messages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.209. S/MIME receipt requests
Table 1.174. Missing CRLs
Table 1.174. Missing CRLs
Table 1.175. Missing root certificates
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\URL for S/MIME certificates (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.232. URL for S/MIME certificates
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Ensure all S/MIME signed messages have a label (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.154. Ensure all S/MIME signed messages have a label
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME receipt requests (Open message if receipt can't be sent | Don't open message if receipt can't be sent | Always prompt before sending receipt | Never send S/MIME ) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Fortezza certificate policies (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.156. Fortezza certificate policies
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Require SuiteB algorithms for S/MIME operations (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.199. Require SuiteB algorithms for S/MIME operations
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing CRLs (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing CRLs - Indicate a missing CRL as a(n): (warning | error) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing root certificates (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.175. Missing root certificates
Table 1.63. Block Trusted Zones
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing root certificates - Indicate a missing root certificate as a(n): (neither error nor warning | warning | error) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Promote Level 2 errors as errors, not warnings (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.189. Promote Level 2 errors as errors, not warnings
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Attachment Secure Temporary Folder (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.18. Attachment Secure Temporary Folder
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Display pictures and external content in HTML e-mail (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
Table 1.127. Display pictures and external content in HTML e-mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
Table 1.22. Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Do not permit download of content from safe zones (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
Table 1.138. Do not permit download of content from safe zones
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Block Trusted Zones (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Include Internet in Safe Zones for Automatic Picture Download (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
Table 1.161. Include Internet in Safe Zones for Automatic Picture Download
Table 1.213. Security setting for macros
Table 1.150. Enable RPC encryption
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Include Intranet in Safe Zones for Automatic Picture Download (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
Table 1.162. Include Intranet in Safe Zones for Automatic Picture Download
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Security setting for macros (Always warn | Never warn, disable all | Warn for signed, disable unsigned | No security check) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Enable links in e-mail messages (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
Table 1.149. Enable links in e-mail messages
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Apply macro security settings to macros, add-ins, and SmartTags (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.16. Apply macro security settings to macros, add-ins, and SmartTags
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Automatically configure profile based on Active Directory Primary SMTP address (2) Software\Policies\Microsoft\Office\12.0\Outlook\AutoDiscover
Table 1.20. Automatically configure profile based on Active Directory Primary SMTP address
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Do not allow users to change permissions on folders (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Folders
Table 1.133. Do not allow users to change permissions on folders
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Enable RPC encryption (2) Software\Policies\Microsoft\Office\12.0\Outlook\RPC
Table 1.228. Turn off RSS feature
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Authentication with Exchange Server (Kerberos/NTLM Password Authentication | Kerberos Password Authentication | NTLM Password Authentication) (2) Software\Policies\Microsoft\Office\12.0\Outlook\Security
Table 1.19. Authentication with Exchange Server
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Synchronize Outlook RSS Feeds with Common Feed List (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS
Table 1.224. Synchronize Outlook RSS Feeds with Common Feed List
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Turn off RSS feature (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Automatically download enclosures (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Download full text of articles as HTML attachments (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\RSS
Table 1.145. Download full text of articles as HTML attachments
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Internet Calendars\Automatically download attachments (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\WebCal
Table 1.21. Automatically download attachments
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Internet Calendars\Do not include Internet Calendar integration in Outlook (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\WebCal
Table 1.137. Do not include Internet Calendar integration in Outlook
Table 1.212. Save files in this format
Table 1.206. Run Programs
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Meeting Workspace\Disable user entries to server list (Publish default, allow others | Publish default, disallow others) (2) Software\Policies\Microsoft\Office\12.0\Meetings\Profile
Table 1.123. Disable user entries to server list
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Miscellaneous\Do not expand distribution lists (2) Software\Policies\Microsoft\Office\12.0\Outlook\Options\Mail
Table 1.136. Do not expand distribution lists
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Save\Save files in this format (PowerPoint Presentation (*.pptx) | PowerPoint Macro-Enabled Presentation (*.pptm) | PowerPoint 97-2003 Presentation (*.ppt)) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Options
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Advanced\Number of documents in the Recent Documents list (0 - 50) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\File MRU
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
Table 1.82. Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Run Programs (disable (don't run any programs) | enable (prompt user before running) | enable all (run without prompting)) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Make hidden markup visible (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
Table 1.170. Make hidden markup visible
Table 1.89. Disable all trusted locations
Table 1.94. Disable commands
Table 1.94. Disable commands
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Unblock automatic download of linked images (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
Table 1.229. Unblock automatic download of linked images
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
Table 1.87. Disable all application add-ins
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
Table 1.200. Require that application add-ins are signed by Trusted Publisher
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security
Table 1.120. Disable Trust Bar Notification for unsigned application add-ins
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Trusted Locations
Table 1.11. Allow Trusted Locations not on the computer
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trusted Locations\Disable all trusted locations (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\Trusted Locations
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Web Page Preview (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Review | Proofing | Language (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Document Location (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledCmdBarItemsCheckBoxes
Table 1.39. Block opening of Outlines
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes
Table 1.94. Disable commands, Table 1.114. Disable shortcut keys
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Ctrl+K (Insert | Links | Hyperlink) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes
Table 1.94. Disable commands, Table 1.114. Disable shortcut keys
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Alt+F8 (Developer | Code | Macros) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes
Table 1.94. Disable commands, Table 1.114. Disable shortcut keys
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Alt+F11 (Developer | Code | Visual Basic) (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\DisabledShortcutKeysCheckBoxes
Table 1.94. Disable commands, Table 1.114. Disable shortcut keys
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to PowerPoint 2007 (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
Table 1.41. Block opening of pre-release versions of file formats new to PowerPoint 2007
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Open Xml files types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
Table 1.38. Block opening of Open XML file types
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Binary file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
Table 1.30. Block opening of Binary file types
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Html file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
Table 1.36. Block opening of HTML file types
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Outlines (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
Table 1.58. Block saving of Outlines
Table 1.115. Disable Slide Update
Table 1.157. Hidden text
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Converters (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileOpenBlock
Table 1.31. Block opening of Converters
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Open Xml file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock
Table 1.57. Block saving of Open Xml file types
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Binary file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock
Table 1.51. Block saving of Binary file types
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Html file types (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock
Table 1.56. Block saving of HTML file types
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Outlines (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of GraphicFilters (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\Security\FileSaveBlock
Table 1.54. Block saving of GraphicFilters
(1) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Miscellaneous\Disable Slide Update (2) Software\Policies\Microsoft\Office\12.0\PowerPoint\slide libraries
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Display\Hidden text (2) Software\Policies\Microsoft\Office\12.0\Word\Options\vpref
Table 1.212. Save files in this format
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Save\Save files in this format (Word document (*.docx) | Single Files Web Page (*.mht) | Web Page (*.htm; *.html) | Web Page, Filtered (*.htm, *.html) | Rich Text Format (*.rtf) | Plain Text (*.txt) | Word 6.0/95 (*.doc) | Word 6.0/95 - Chinese (Simplified) (*.doc) | Word 6.0/95 - Chinese (Traditional) (*.doc) | Word 6.0/95 - Japanese (*.doc) | Word 6.0/95 - Korean (*.doc) | Word 97-2002 & 6.0/95 - RTF | Word 5.1 for Macintosh (*.mcw) | Word 5.0 for Macintosh (*.mcw) | Word 2.x for Windows (*.doc) | Works 4.0 for Windows (*.wps) | WordPerfect 5.x for Windows (*.doc) | WordPerfect 5.1 for DOS (*.doc) | Word 2007 Macro Enabled Document (*.docm) | Word 2007 Macro Free Template (*.dotx) | Word 2007 Macro Enabled Template (*.dotm) | Word 97 - 2003 Document (*.doc) | Word 97 - 2003 Template (*.dot) | Flat XML Document (*.xml)) (2) Software\Policies\Microsoft\Office\12.0\Word\Options
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\Number of documents in the Recent Documents list (0-50) (2) Software\Policies\Microsoft\Office\12.0\Word\File MRU
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\Update automatic links at Open (2) Software\Policies\Microsoft\Office\12.0\Word\Options
Table 1.231. Update automatic links at Open
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\E-mail Options\Save smart tags in e-mail (2) Software\Policies\Microsoft\Office\12.0\Word\Options\vpref
Table 1.89. Disable all trusted locations
Table 1.94. Disable commands
Table 1.94. Disable commands
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents (2) Software\Policies\Microsoft\Office\12.0\Word\Security
Table 1.83. Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Disable all application add-ins (2) Software\Policies\Microsoft\Office\12.0\Word\Security
Table 1.87. Disable all application add-ins
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher (2) Software\Policies\Microsoft\Office\12.0\Word\Security
Table 1.200. Require that application add-ins are signed by Trusted Publisher
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins (2) Software\Policies\Microsoft\Office\12.0\Word\Security
Table 1.120. Disable Trust Bar Notification for unsigned application add-ins
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer (2) Software\Policies\Microsoft\Office\12.0\Word\Security\Trusted Locations
Table 1.11. Allow Trusted Locations not on the computer
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trusted Locations\Disable all trusted locations (2) Software\Policies\Microsoft\Office\12.0\Word\Security\Trusted Locations
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Word Options | Customize | All Commands | Save As Web Page (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.94. Disable commands
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Word Options | Customize | All Commands | Web Page Preview (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Review | Protect | Protect Document (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Record Macro (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
Table 1.94. Disable commands
Table 1.94. Disable commands
Table 1.114. Disable shortcut keys
Table 1.114. Disable shortcut keys
Table 1.114. Disable shortcut keys
Table 1.114. Disable shortcut keys
Table 1.114. Disable shortcut keys
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Templates | Document Template (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledCmdBarItemsCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+F (Home | Editing | Find) (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink) (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F8 (Developer | Code | Macros) (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic) (2) Software\Policies\Microsoft\Office\12.0\Word\DisabledShortcutKeysCheckBoxes
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Word 2007 (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
Table 1.43. Block opening of pre-release versions of file formats new to Word 2007
Table 1.28. Block open Converters
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Open XML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
Table 1.38. Block opening of Open XML file types
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Binary file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
Table 1.30. Block opening of Binary file types
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of HTML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
Table 1.36. Block opening of HTML file types
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Word 2003 XML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
Table 1.47. Block opening of Word 2003 XML file types
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of RTF file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
Table 1.45. Block opening of RTF file types
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block open Converters (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Text file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
Table 1.46. Block opening of Text file types
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Internal file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
Table 1.37. Block opening of Internal file types
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of files before version (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileOpenBlock
Table 1.33. Block opening of files before version
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Open XML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
Table 1.57. Block saving of Open Xml file types
Table 1.53. Block saving of Converters
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Binary file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
Table 1.51. Block saving of Binary file types
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of HTML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
Table 1.56. Block saving of HTML file types
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Word 2003 XML file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
Table 1.61. Block saving of Word 2003 XML file types
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of RTF file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
Table 1.59. Block saving of RTF file types
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Converters (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
(1) User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Text file types (2) Software\Policies\Microsoft\Office\12.0\Word\Security\FileSaveBlock
Table 1.60. Block saving of Text file types
(1) Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\InfoPath APTCA Assembly Whitelist (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security\APTCA
Table 2.6. InfoPath APTCA Assembly allowable list
(1) Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\Windows Internet Explorer Feature Control Opt-In (None | InfoPath.exe, Document Information Panel and Workflow forms | InfoPath.exe, Document Information Panel, Workflow forms and 3rd Party Hosting) (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 2.3. Disable Package Repair
(1) Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\InfoPath APTCA Assembly Whitelist Enforcement (2) Software\Policies\Microsoft\Office\12.0\InfoPath\Security
Table 2.7. InfoPath APTCA Assembly Allowable List Enforcement
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\Disable Package Repair (2) Software\Policies\Microsoft\Office\12.0\Common\OpenXMLFormat
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
Table 2.4. Disable user name and password
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
Table 2.4. Disable user name and password
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
Table 2.4. Disable user name and password
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
Table 2.4. Disable user name and password
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
Table 2.4. Disable user name and password
Table 2.1. Bind to object
Table 2.1. Bind to object
Table 2.1. Bind to object
Table 2.1. Bind to object
Table 2.1. Bind to object
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
Table 2.4. Disable user name and password
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
Table 2.4. Disable user name and password
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
Table 2.4. Disable user name and password
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
Table 2.1. Bind to object
Table 2.1. Bind to object
Table 2.1. Bind to object
Table 2.9. Saved from URL
Table 2.9. Saved from URL
Table 2.9. Saved from URL
Table 2.9. Saved from URL
Table 2.9. Saved from URL
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
Table 2.9. Saved from URL
Table 2.9. Saved from URL
Table 2.9. Saved from URL
Table 2.8. Navigate URL
Table 2.8. Navigate URL
Table 2.8. Navigate URL
Table 2.8. Navigate URL
Table 2.8. Navigate URL
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
Table 2.8. Navigate URL
Table 2.8. Navigate URL
Table 2.8. Navigate URL
Table 2.2. Block popups
Table 2.2. Block popups
Table 2.2. Block popups
Table 2.2. Block popups
Table 2.2. Block popups
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - excel.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - powerpnt.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - pptview.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - winword.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
Table 2.2. Block popups
Table 2.2. Block popups
Table 2.2. Block popups
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - outlook.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - spDesign.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
(1) Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - msaccess.exe (2) Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Prevent users from customizing attachment security settings (2) HKCU\Software\Policies\Microsoft\Office\12.0\Outlook - DisallowAttachmentCustomization
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Access: Macro Security Leve (2) HKLM\Software\Policies\Microsoft\Office\11.0\Access\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office Access 2003\Tools\Macros\Security\Security level (4) HKCU\Software\Policies\Microsoft\Office\11.0\Access\Security - Level
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Access: Trust all installed add – ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\Access\Security - DontTrustInstalledFiles (3) User Configuration\Administrative Templates\Microsoft Office Access 2003\Tools\Macros\Security\Trust all installed add-ins and templates (4) HKCU\Software\Policies\Microsoft\Office\11.0\Access\Security - DontTrustInstalledFiles
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Excel: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office Excel 2003\Tools\Macros\Security\Security level (4) HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security - Level
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Excel: Trust all installed add – ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\Excel\Security - DontTrustInstalledFiles (3) User Configuration\Administrative Templates\Microsoft Office Excel 2003\Tools\Macros\Security\Trust all installed add-ins and templates (4) HKCU\Software\Policies\Microsoft\Office\11.0\Excel\Security - DontTrustInstalledFiles
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Outlook: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\Outlook\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Macros\Security\Security Level (4) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook - Security\Level
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Macros\Security\Outlook: Trust all installed add-ins and templates (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - DontTrustInstalledFiles
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Outlook virus security settings (2) HKCU\Software\Policies\Microsoft\Security - CheckAdminSettings
(1) User Configuration\Administrative Templates\Microsoft Office Outlook 2003\Tools\Options\Security\Cryptography\S/MIME receipt requests (2) HKCU\Software\Policies\Microsoft\Office\11.0\Outlook\Security - RespondToReceiptRequests
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\PowerPoint: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\PowerPoint\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2003\Tools\Macro\Security\Security Level (4) HKCU\Software\Policies\Microsoft\Office\11.0\PowerPoint - Security\Level
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\PowerPoint: Trust all installed add – ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\PowerPoint\Security - DontTrustInstalledFiles (3) User Configuration\Administrative Templates\Microsoft Office PowerPoint 2003\Tools\Macro\Security\Trust all installed add – ins and templates (4) HKCU\Software\Policies\Microsoft\Office\11.0\PowerPoint\Security - DontTrustInstalledFiles
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Publisher: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\Publisher\Security - Level
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Publisher: Trust all installed add–ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\Publisher\Security - DontTrustInstalledFiles
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Word: Macro Security Level (2) HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security - Level (3) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Macro\Security\Security Level (4) HKCU\Software\Policies\Microsoft\Office\11.0\Word - Security\Level
(1) Computer Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Word: Trust all installed add–ins and templates (2) HKLM\Software\Policies\Microsoft\Office\11.0\Word\Security - DontTrustInstalledFiles (3) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Macro\Security\Trust all installed add – ins and templates (4) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Security - DontTrustInstalledFiles
(1) User Configuration\Administrative Templates\Microsoft Office Word 2003\Tools\Options\Security\Store random number to improve merge accuracy (2) HKCU\Software\Policies\Microsoft\Office\11.0\Word\Options\vpref - fDontSaveRSID_1804_1
(1) User Configuration\Administrative Templates\Microsoft Office 2003\Security Settings\Prevent Users from Changing Office Encryption Settings (2) HKCU\Software\Policies\Microsoft\Office\11.0\Common\Security - DisableCustomEncryption
oval:org.mitre.oval:def:771
oval:org.mitre.oval:def:814
oval:org.mitre.oval:def:829
oval:org.mitre.oval:def:1473
Microsoft Office 2007 Recommendations (Security Settings for Office 2007 Applications.xlsx)
NIST SCAP Microsoft Office 2007 OVAL (SCAP-Office2007-OVAL-Beta-v1.xml)
NIST SCAP Microsoft Office 2007 XCCDF (SCAP-Office2007-XCCDF-Beta-v1.xml)
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable VBA for Office applications, Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\Disable VBA for Office applications
DisableVBAForOfficeApplications
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\ActiveX Control Initialization (1 | 2 | 3 | 4 | 5 | 6)
ActiveXControlInitialization
User Configuration\Administrative Templates\Microsoft Office 2007 system\Privacy\Trust Center\Enable Customer Experience Improvement Program
EnableCustomerExperienceImprovementProgram
User Configuration\Administrative Templates\Microsoft Office 2007 system\Privacy\Trust Center\Automatically receive small updates to improve reliability
AutomaticallyReceiveSmallUpdatesToImproveReliability
oval:org.mitre.oval:def:1302 OnlineContentOptions
oval:org.mitre.oval:def:1403
oval:org.mitre.oval:def:649
oval:org.mitre.oval:def:1560
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Service Options...\Online Content\Online content options (Never show online content or entry points | Search only offline content whenever available | Search online content whenever available)
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No Security checks for macros (Not recommended, code in all documents can run))
VBAMacroWarningSettings-Access
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No Security checks for macros (Not recommended, code in all documents can run))
VBAMacroWarningSettings-Excel
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trust access to Visual Basic Project
TrustAccessToVisualBasicProject-Excel
oval:org.mitre.oval:def:654
oval:org.mitre.oval:def:665
oval:org.mitre.oval:def:1298
oval:org.mitre.oval:def:1390
oval:org.mitre.oval:def:1232
oval:org.mitre.oval:def:661
oval:org.mitre.oval:def:1399
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No Security checks for macros (Not recommended, code in all documents can run))
VBAMacroWarningSettings-PowerPoint
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trust access to Visual Basic Project
TrustAccessToVisualBasicProject-PowerPoint
DisableRememberPassword
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Trusted Add-ins\Configure trusted add-ins
ConfigureAddInTrustLevel
DisableRememberPasswordForInternetEmailAccounts
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Minimum encryption settings
MinimumEncryptionSettings
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not check e-mail address against address of certificates being used
DoNotCheckEmailAddressAgainstAddressOfCertificatesBeingUsed
oval:org.mitre.oval:def:1388
oval:org.mitre.oval:def:705
oval:org.mitre.oval:def:741
oval:org.mitre.oval:def:756 SignatureWarning
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Send all signed messages as clear signed messages
SendAllSignedMessagesAsClearSignedMessages
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Request an S/MIME receipt for all S/MIME signed messages
RequestAnSMIMEReceiptForAllSMIMESignedMessages
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not display 'Publish to GAL' button
DoNotDisplayPublishToGALButton
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Warning (Let user decide if they want to be warned | Always warn about invalid signatures | Never warn about invalid signatures)
oval:org.mitre.oval:def:1716 EnableCryptographyIcons
oval:org.mitre.oval:def:1700 RetrievingCRLs
oval:org.mitre.oval:def:1350
oval:org.mitre.oval:def:1713
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Enable Cryptography Icons
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Retrieving CRLs (Certificate Revocation Lists) (Use system Default | When online always retreive the CRL | Never retreive the CRL)
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\VBA Macro Warning Settings (Trust Bar warning for all macros | Trust Bar warning for digitally signed macros only (unsigned macros will be disabled) | No Warnings for all macros but disable all macros | No )
VBMacroWarningSettings-Word
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trust access to Visual Basic Project
TrustAccessToVisualBasicProject-Word
oval:org.mitre.oval:def:788
oval:org.mitre.oval:def:1755
WarnBeforePrintingSavingOrSendingAFileThatContainsTrackedChangesOrComments
User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Block updates from the Office Update Site from applying
BlockUpdatesFromTheOfficeUpdateSiteFromApplying
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Web Options\General\Underline hyperlinks
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\General\General\Number of documents in the Recent Documents list (0-9)
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Disable all application add-ins
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Disable all trusted locations
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer
User Configuration\Administrative Templates\Microsoft Office Access 2007\Application Settings\Security\Trust Center\Trusted Locations\Modal Trust Decision Only
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | E-Mail
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Access Options | Customize | All Commands | Insert Hyperlink
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encrypt with Password
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User and Group Permissions
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permissions | User and Group Accounts
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Administer | Users and Permission | User-Level Security Wizard...
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Database Tools | Encode/Decode Database
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Visual Basic
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Database Tools | Macro | Run Macro
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Convert Macros to Visual Basic
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Database Tools | Macro | Create Shortcut Menu from Macro
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable shortcut keys
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Ctrl+K (Office Button | Access Options | Customize | All Commands | Insert Hyperlinks)
User Configuration\Administrative Templates\Microsoft Office Access 2007\Disable items in user interface\Predefined\Disable commands - Alt+F11 (Database Tools | Macro | Visual Basic)
User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Default file format (Access 2007 | Access 2002-2003)
User Configuration\Administrative Templates\Microsoft Office Access 2007\Miscellaneous\Do not prompt to convert older databases
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Proofing\Autocorrect Options\Internet and network paths as hyperlinks
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Save Excel files as (Excel Workbook (*.xlsx) | Excel Macro-Enabled Workbook (*.xlsm) | Excel Binary Workbook (*.xlsb) | Web Page (*.htm; *.html) | Excel 97-2003 Workbook (*.xls) | Excel 5.0/95 Workbook (*.xls))
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\Disable AutoRepublish
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Save\AutoRepublish Warning Alert (Always show the alert before publishing | Never show the alert before publishing)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Determine whether to force encrypted macros to be scanned in Microsoft Excel Open XML workbooks
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Force file extension to match file type (Allow different | Allow different, but warn | Always match file type)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Store macro in Personal Macro Workbook by default
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable all application add-ins
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Security\Trust Center\Trusted Locations\Disable all trusted locations
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ignore other applications
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Ask to update automatic links
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Number of documents in the Recent Documents list (0-17)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\General\Save any additional data necessary to maintain formulas
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Excel Options\Advanced\Web Options…\General\Load pictures from Web pages not created in Excel
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Do not show data extraction options when opening corrupt workbooks
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Assume structured storage format of workbook is intact when recovering data
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Recovery\Corrupt formula conversion (Convert unrecoverable references to: values | #REF or #NAME)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Connection File Locations
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Data Access Security\Automatic Query Refresh (Prompt for all workbooks | Do not prompt; do not allow auto refresh | Do not prompt; allow auto refresh)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Save as Web Page
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Web Page Preview
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Sheet
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect Workbook
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Review | Changes | Protect and Share Workbook
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Record Macro
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Excel Options | Customize | All Commands | Document Location
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F8 (Developer | Code | Macros)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Excel 2007
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Open XML file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary 12 file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Binary file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Html and Xmlss files types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Xml file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of DIF and SYLK file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Text file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Open\Block opening of Xll file type
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Open Xml file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Binary12 file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Binary file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Html and Xmlss file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving Xml file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving DIF and SYLK file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Block file formats\Save\Block saving of Text file types
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Locally cache network file storages
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Locally cache PivotTable reports
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\OLAP PivotTable User Defined Function (UDF) security setting (Allow ALL UDFs | Allow safe UDFs only | Allow NO UDFs)
User Configuration\Administrative Templates\Microsoft Office Excel 2007\Miscellaneous\Recognize SmartTags
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Tools | Options\General\Number of documents in the Recent Documents list (0 - 9)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Tools | Options\Advanced\Offline\Offline Mode status (Disabled | Enabled, InfoPath in Offline Mode | Enabled, InfoPath not in Offline Mode)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Print
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Send to Mail Recipient
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Open from SharePoint Site
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Print Preview
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - File | Page Setup
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Insert | Hyperlinks...
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Set Language
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Customize...
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Tools | Options...
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Help | Microsoft Office Online
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Office Diagnostics
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Help | Activate Product...
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable commands - Print Default
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys - Print Shortcut (Ctrl+P)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Predefined\Disable shortcut keys - Insert Hyperlink Shortcut (Ctrl+K)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior for Windows SharePoint Services gradual upgrade (Allow redirections to any location | Allow redirections to Intranet only | Block all redirections)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Disable opening of solutions from the Internet security zone
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Disable fully trusted solutions full access to computer
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Allow the use of ActiveX Custom Controls in InfoPath forms
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Run forms in restricted mode if they do not specify a publish location and use only features introduced before InfoPath 2003 SP1
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Allow file types as attachments to forms
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Block specific file types as attachments to forms
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Prevent users from allowing unsafe file types to be attached to forms
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Display a warning that a form is digitally signed
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Internet security zone (Block | Prompt | Allow)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Intranet security zone (Block | Prompt | Allow)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Local Machine security zone (Block | Prompt | Allow)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Control behavior when opening forms in the Trusted Site security zone (Block | Prompt | Allow)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Beaconing UI for forms opened in InfoPath (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Beaconing UI for forms opened in InfoPath Editor ActiveX (Never show beaconing UI | Always show beaconing UI | Show UI if Form Template is from Internet Zone)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Disable all application add-ins
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Control behavior when opening InfoPath e-mail forms containing code or script (Run without prompting | Prompt before running | Never run)
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable sending form template with e-mail forms
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable dynamic caching of the form template in InfoPath e-mail forms
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable sending InfoPath 2003 Forms as e-mail forms
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms running in restricted security level
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Internet security zone
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Intranet security zone
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable e-mail forms from the Full Trust security zone
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Disable items in user interface\Disable InfoPath e-mail forms in Outlook
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Restricted Features\Information Rights Management
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Restricted Features\Custom code
User Configuration\Administrative Templates\Microsoft Office InfoPath 2007\Miscellaneous\Email Forms Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone)
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Word
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Excel
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in PowerPoint
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Access
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable user customization of Quick Access Toolbar via UI - Disallow in Outlook
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Word
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Excel
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in PowerPoint
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Access
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable all user customization of Quick Access Toolbar - Disallow in Outlook
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Word
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Excel
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in PowerPoint
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Access
User Configuration\Administrative Templates\Microsoft Office 2007 system\Global Options\Customize\Disable UI extending from documents and templates - Disallow in Outlook
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | AutoCorrect Options... (Excel, Word, PowerPoint and Access)\Recognize smart tags in Excel
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable Clip Art and Media downloads from the client and from Office Online website
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable template downloads from the client and from Office Online website
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable access to updates, add-ins, and patches on the Office Online website
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Prevents users from uploading document templates to the Office Online community.
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable training practice downloads from the Office Online website
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Disable customer-submitted templates downloads from Office Online
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Files\Open Office documents as read/write while browsing
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Browsers\Rely on VML for displaying graphics in browsers
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | General | Web Options...\Browsers\Allow PNG as an output format
User Configuration\Administrative Templates\Microsoft Office 2007 system\Tools | Options | Spelling\Proofing Data Collection\Improve Proofing Tools
User Configuration\Administrative Templates\Microsoft Office 2007 system\Privacy\Trust Center\Disable Opt-in Wizard on first run
User Configuration\Administrative Templates\Microsoft Office 2007 system\Help\Microsoft Office Online
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable Password Caching
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable all Trust Bar notifications for security issues
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Protect document metadata for rights managed Office Open XML Files
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Protect document metadata for password protected files.
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Encryption type for password protected Office Open XML files
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Encryption type for password protected Office 97-2003 files
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Load Controls in Forms3 (1 | 2 | 3 | 4)
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Automation Security (Disable macros by default | Use application macro security level | Macros enabled)
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Prevent Word and Excel from loading managed code extensions
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable hyperlink warnings
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable password to open UI
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Download Office Controls
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Disable All ActiveX
User Configuration\Administrative Templates\Microsoft Office 2007 system\Security Settings\Trust Center\Allow mix of policy and user locations
User Configuration\Administrative Templates\Microsoft Office 2007 system\Smart Documents (Word, Excel)\Disable Smart Document's use of manifests
User Configuration\Administrative Templates\Microsoft Office 2007 system\Smart Documents (Word, Excel)\Completely disable the Smart Documents feature in Word and Excel
User Configuration\Administrative Templates\Microsoft Office 2007 system\Services\Fax\Disable Internet Fax feature
User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Prevent users from changing permissions on rights managed content
User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Allow users with earlier versions of Office to read with browsers...
User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Always require users to connect to verify permission
User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Always expand groups in Office when restricting permission for documents
User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Never allow users to specify groups when restricting permission for documents
User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Disable Microsoft Passport service for content with restricted permission
User Configuration\Administrative Templates\Microsoft Office 2007 system\Manage Restricted Permissions\Do not allow users to upgrade Information Rights Management configuration
User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Key Usage Filtering
User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\EKU filtering
User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Legacy format signatures
User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Suppress Office Signing Providers (Enable Western and East Asian | Suppress default Western | Suppress default East Asian | Suppress both Western and East Asian)
User Configuration\Administrative Templates\Microsoft Office 2007 system\Signing\Suppress external signature services menu item
User Configuration\Administrative Templates\Microsoft Office 2007 system\Office Diagnostics\Disable Check For Solutions
User Configuration\Administrative Templates\Microsoft Office 2007 system\Microsoft Save As PDF and XPS add-ins\Disable inclusion of document properties in PDF and XPS output
User Configuration\Administrative Templates\Microsoft Office 2007 system\Document Information Panel\Disable Document Information Panel
User Configuration\Administrative Templates\Microsoft Office 2007 system\Document Information Panel\Document Information Panel Beaconing UI (Never show UI | Always show UI | Show UI if XSN is in Internet Zone)
User Configuration\Administrative Templates\Microsoft Office 2007 system\Server Settings\Disable the Office client from polling the Office server for published links
User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to Word 2007 through the Compatibility Pack for the 2007 Office system and Word 2007 Open XML/Word 97-2003 Format Converter
User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to Excel 2007 through the Compatibility Pack for the 2007 Office system and Excel 2007 Converter
User Configuration\Administrative Templates\Microsoft Office 2007 system\Office 2007 Converters\Block opening of pre-release versions of file formats new to PowerPoint 2007 through the Compatibility Pack for the 2007 Office system and PowerPoint 2007 Converter
User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Control Blogging (Enabled | Only SharePoint blogs allowed | All blogging disabled)
User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Enable Smart Resume
User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Do not upload media files
User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Disable hyperlinks to web templates in File | New and task panes
User Configuration\Administrative Templates\Microsoft Office 2007 system\Miscellaneous\Prevent access to Web-based file storage
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Do not allow attachment previewing in Outlook
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Read e-mail as plain text
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\E-mail Options\Read signed e-mail as plain text
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Prevent publishing to Office Online
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Prevent publishing to a DAV server
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Restrict level of calendar details users can publish (All options are available | Disables 'Full details' | Disables 'Full details' and 'Limited details')
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Access to published calendars
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Calendar Options\Microsoft Office Online Sharing Service\Restrict upload method
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Hide Junk Mail UI
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Junk E-mail protection level (No Protection, Low, High, Trusted Lists Only)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Trust E-mail from Contacts
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Preferences\Junk E-mail\Add e-mail recipients to users' Safe Senders Lists
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Warn before switching dial-up connection
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Hang up when finished sending, receiving, or updating
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Setup\Dial-up options - Automatically dial during a background Send/Receive
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Do not allow creating, replying, or forwarding signatures for e-mail messages
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Send copy of pictures with HTML messages instead of reference to Internet location
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Outlook Rich Text options (Convert to HTML | Convert to Plain Text format | Send Using Outlook Rich Text format)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Plain text options
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Plain text options - Encode attachments in UUENCODE format when sending a plain text message
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Mail Format\Internet Formatting\Message Format\Set message format (HTML | Rich Text | Plain Text)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Make Outlook the default program for E-mail, Contacts, and Calendar
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow folders in non-default stores to be set as folder home pages
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Use Unicode format when dragging e-mail message to file system
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow Outlook object model scripts to run for shared folders
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Advanced\Do not allow Outlook object model scripts to run for public folders
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Set maximum level of online status on a person name (Do not allow | Allow everywhere except To and CC field | Allow everywhere)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Display online status on a person name (Never | Everywhere except To and CC field | Everywhere)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Options...\Other\Person Names\Turn off Enable the Person Names Smart Tag option
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Outlook Security Mode (Outlook Default Security | Use Security Form from 'Outlook Security Settings' Public Folder | Use Security Form from 'Outlook 10 Security Settings' Public Folder | Use Outlook Security Group Policy)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Display Level 1 attachments
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Allow users to demote attachments to Level 2
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Do not prompt about Level 1 attachments when sending an item
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Do not prompt about Level 1 attachments when closing an item
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Allow in-place activation of embedded OLE objects
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Display OLE package objects
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Add file extensions to block as Level 1
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Remove file extensions blocked as Level 1
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Add file extensions to block as Level 2
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Attachment Security\Remove file extensions blocked as Level 2
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Allow scripts in one-off Outlook forms
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Set Outlook object model Custom Actions execution prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Custom Form Security\Set control ItemProperty prompt (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when sending mail (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when accessing an address book (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when reading address information (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when responding to meeting and task requests (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when executing Save As (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Security Form Settings\Programmatic Security\Configure Outlook object model prompt when accessing address information via UserProperties.Find (Prompt User | Automatically Approve | Automatically Deny | Prompt user based on computer security)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Required Certificate Authority
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME interoperability with external clients: (Handle internally | Handle externally | Handle if possible)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Always use Rich Text formatting in S/MIME messages
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings - Default S/MIME password time (minutes): (0 - 2147483647)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME password settings - Maximum S/MIME password time (minutes): (0 - 2147483647)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Message Formats
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Message Formats - Support the following message formats: (S/MIME | Exchange | Fortezza | S/MIME and Exchange | S/MIME and Fortezza | Exchange and Fortezza | S/MIME, Exchange, and Fortezza)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Do not provide Continue option on Encryption warning dialog boxes
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Run in FIPS compliant mode
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Encrypt all e-mail messages
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Sign all e-mail messages
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\URL for S/MIME certificates
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Ensure all S/MIME signed messages have a label
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\S/MIME receipt requests (Open message if receipt can't be sent | Don't open message if receipt can't be sent | Always prompt before sending receipt | Never send S/MIME )
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Fortezza certificate policies
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Require SuiteB algorithms for S/MIME operations
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing CRLs
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing CRLs - Indicate a missing CRL as a(n): (warning | error)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing root certificates
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Missing root certificates - Indicate a missing root certificate as a(n): (neither error nor warning | warning | error)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Promote Level 2 errors as errors, not warnings
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Cryptography\Signature Status dialog box\Attachment Secure Temporary Folder
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Display pictures and external content in HTML e-mail
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Automatically download content for e-mail from people in Safe Senders and Safe Recipients Lists
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Do not permit download of content from safe zones
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Block Trusted Zones
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Include Internet in Safe Zones for Automatic Picture Download
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Automatic Picture Download Settings\Include Intranet in Safe Zones for Automatic Picture Download
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Security setting for macros (Always warn | Never warn, disable all | Warn for signed, disable unsigned | No security check)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Enable links in e-mail messages
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Security\Trust Center\Apply macro security settings to macros, add-ins, and SmartTags
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Automatically configure profile based on Active Directory Primary SMTP address
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Do not allow users to change permissions on folders
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Enable RPC encryption
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Exchange\Authentication with Exchange Server (Kerberos/NTLM Password Authentication | Kerberos Password Authentication | NTLM Password Authentication)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Synchronize Outlook RSS Feeds with Common Feed List
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Turn off RSS feature
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Automatically download enclosures
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\RSS Feeds\Download full text of articles as HTML attachments
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Internet Calendars\Automatically download attachments
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools | Account Settings\Internet Calendars\Do not include Internet Calendar integration in Outlook
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Meeting Workspace\Disable user entries to server list (Publish default, allow others | Publish default, disallow others)
User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Miscellaneous\Do not expand distribution lists
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Save\Save files in this format (PowerPoint Presentation (*.pptx) | PowerPoint Macro-Enabled Presentation (*.pptm) | PowerPoint 97-2003 Presentation (*.ppt))
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Advanced\Number of documents in the Recent Documents list (0 - 50)
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Determine whether to force encrypted macros to be scanned in Microsoft PowerPoint Open XML presentations
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Run Programs (disable (don't run any programs) | enable (prompt user before running) | enable all (run without prompting))
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Make hidden markup visible
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Unblock automatic download of linked images
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Disable all application add-ins
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\PowerPoint Options\Security\Trust Center\Trusted Locations\Disable all trusted locations
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Web Page Preview
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Review | Proofing | Language
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Office Button | PowerPoint Options | Customize | All Commands | Document Location
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Disable shortcut keys
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Ctrl+K (Insert | Links | Hyperlink)
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Alt+F8 (Developer | Code | Macros)
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Disable items in user interface\Predefined\Disable commands - Alt+F11 (Developer | Code | Visual Basic)
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to PowerPoint 2007
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Open Xml files types
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Binary file types
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Html file types
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Outlines
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Open\Block opening of Converters
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Open Xml file types
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Binary file types
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Html file types
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of Outlines
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Save\Block saving of GraphicFilters
User Configuration\Administrative Templates\Microsoft Office PowerPoint 2007\Block file formats\Miscellaneous\Disable Slide Update
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Display\Hidden text
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Save\Save files in this format (Word document (*.docx) | Single Files Web Page (*.mht) | Web Page (*.htm; *.html) | Web Page, Filtered (*.htm, *.html) | Rich Text Format (*.rtf) | Plain Text (*.txt) | Word 6.0/95 (*.doc) | Word 6.0/95 - Chinese (Simplified) (*.doc) | Word 6.0/95 - Chinese (Traditional) (*.doc) | Word 6.0/95 - Japanese (*.doc) | Word 6.0/95 - Korean (*.doc) | Word 97-2002 & 6.0/95 - RTF | Word 5.1 for Macintosh (*.mcw) | Word 5.0 for Macintosh (*.mcw) | Word 2.x for Windows (*.doc) | Works 4.0 for Windows (*.wps) | WordPerfect 5.x for Windows (*.doc) | WordPerfect 5.1 for DOS (*.doc) | Word 2007 Macro Enabled Document (*.docm) | Word 2007 Macro Free Template (*.dotx) | Word 2007 Macro Enabled Template (*.dotm) | Word 97 - 2003 Document (*.doc) | Word 97 - 2003 Template (*.dot) | Flat XML Document (*.xml))
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\Number of documents in the Recent Documents list (0-50)
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\Update automatic links at Open
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Advanced\E-mail Options\Save smart tags in e-mail
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Determine whether to force encrypted macros to be scanned in Microsoft Word Open XML documents
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Disable all application add-ins
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Require that application add-ins are signed by Trusted Publisher
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Disable Trust Bar Notification for unsigned application add-ins
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trusted Locations\Allow Trusted Locations not on the computer
User Configuration\Administrative Templates\Microsoft Office Word 2007\Word Options\Security\Trust Center\Trusted Locations\Disable all trusted locations
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Word Options | Customize | All Commands | Save As Web Page
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Word Options | Customize | All Commands | Web Page Preview
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Office Button | Send | Email
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Insert | Links | Hyperlink
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Review | Protect | Protect Document
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - View | Macros | Macros
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macros
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Record Macro
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Macro Security
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Code | Visual Basic
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable commands - Developer | Templates | Document Template
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+F (Home | Editing | Find)
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Ctrl+K (Insert | Links | Hyperlink)
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F8 (Developer | Code | Macros)
User Configuration\Administrative Templates\Microsoft Office Word 2007\Disable items in user interface\Predefined\Disable shortcut keys - Alt+F11 (Developer | Code | Visual Basic)
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of pre-release versions of file formats new to Word 2007
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Open XML file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Binary file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of HTML file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Word 2003 XML file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of RTF file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block open Converters
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Text file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of Internal file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Open\Block opening of files before version
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Open XML file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Binary file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of HTML file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Word 2003 XML file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of RTF file types
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Converters
User Configuration\Administrative Templates\Microsoft Office Word 2007\Block file formats\Save\Block saving of Text file types
Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\InfoPath APTCA Assembly Whitelist
Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\Windows Internet Explorer Feature Control Opt-In (None | InfoPath.exe, Document Information Panel and Workflow forms | InfoPath.exe, Document Information Panel, Workflow forms and 3rd Party Hosting)
Computer Configuration\Administrative Templates\Microsoft Office InfoPath 2007 (Machine)\Security\InfoPath APTCA Assembly Whitelist Enforcement
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\Disable Package Repair
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - excel.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - powerpnt.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - pptview.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - winword.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - outlook.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - spDesign.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Disable user name and password - msaccess.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - excel.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - powerpnt.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - pptview.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - winword.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - outlook.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - spDesign.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Bind to object - msaccess.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - excel.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - powerpnt.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - pptview.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - winword.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - outlook.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - spDesign.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Saved from URL - msaccess.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - excel.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - powerpnt.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - pptview.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - winword.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - outlook.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - spDesign.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Navigate URL - msaccess.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - excel.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - powerpnt.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - pptview.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - winword.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - outlook.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - spDesign.exe
Computer Configuration\Administrative Templates\Microsoft Office 2007 system (Machine)\Security Settings\IE Security\Block popups - msaccess.exe
CCE ID CCE Description
CCE-3416-5
enabled / disabled
CCE-4218-4
enabled / disabled
CCE-4209-3
installed / uninstalled
CCE-4249-9
enabled / disabled
CCE-3522-0
enabled / disabled
CCE-4275-4
enabled / disabled
CCE-4042-8
enabled / disabled
CCE-3685-5
CCE-4187-1
loaded / not loaded
CCE-4006-3
installed / uninstalled
CCE-4173-1
enabled / disabled
CCE Parameters
The rhnsd service should be enabled or disabled as appropriate.
The yum-updatesd service should be enabled or disabled as appropriate.
The AIDE package should be installed or not as appropriate
The nodev option should be enabled or disabled as appropriate for all non-root partitions.
The nodev option should be enabled or disabled as appropriate for all removable media.
The noexec option should be enabled or disabled as appropriate for all removable media.
The nosuid option should be enabled or disabled as appropriate for all removable media.
Console device ownership should be restricted to root-only as appropriate.
root-only / not root-only
The USB device support module should be loaded or not as appropriate
The USB device support module should be installed or not as appropriate
USB kernel support should be enabled or disabled as appropriate.
CCE-3944-6
enabled / disabled
CCE-4072-5
enabled / disabled
CCE-4231-7
enabled / disabled
CCE-3988-3
group
CCE-3883-6
group
CCE-3276-3
user
CCE-3932-1
permissions
CCE-4064-2
group
CCE-4210-1
user
CCE-3918-0
user
CCE-3566-7
permissions
CCE-3958-6
user
CCE-3967-7
permissions
CCE-3495-9
group
CCE-4130-1
permissions
The ability to boot from USB devices should be enabled or disabled as appropriate
The autofs service should be enabled or disabled as appropriate.
The GNOME automounter (gnome-volume-manager) should be enabled or disabled as appropriate
The /etc/shadow file should be owned by the appropriate group.
The /etc/group file should be owned by the appropriate group.
The /etc/group file should be owned by the appropriate user.
File permissions for /etc/gshadow should be set correctly.
The /etc/gshadow file should be owned by the appropriate group.
The /etc/gshadow file should be owned by the appropriate user.
The /etc/shadow file should be owned by the appropriate user.
File permissions for /etc/passwd should be set correctly.
The /etc/passwd file should be owned by the appropriate user.
File permissions for /etc/group should be set correctly.
The /etc/passwd file should be owned by the appropriate group.
File permissions for /etc/shadow should be set correctly.
CCE-3399-3
set / not set
CCE-3795-2
enabled / disabled
CCE-4178-0
set / not set
CCE-3324-1
set / not set
CCE-4223-4 user / none
CCE-3573-3 group / none
CCE-4220-0
permissions mask
CCE-4225-9
enabled / disabled
CCE-4247-3
enabled / disabled
CCE-4146-7
enabled / disabled
CCE-4168-1
enabled / disabled
CCE-4172-3
enabled / disabled
CCE-4177-2
enabled / disabled
CCE-3820-8
enabled/disabled
The sticky bit should be set or not set as appropriate for all world-writable directories.
The world-write permission should be enabled or disabled as appropriate for all files.
The sgid bit should be set or not set as appropriate for all files.
The suid bit should be set or not set as appropriate for all files.
All files should be owned by a user as appropriate
All files should be owned by a group as appropriate
The daemon umask should be set as appropriate
Core dumps for all users should be enabled or disabled as appropriate
Core dumps for setuid programs should be enabled or disabled as appropriate
ExecShield randomized placement of virtual memory regions should be enabled or disabled as appropriate
ExecShield should be enabled or disabled as appropriate
Kernel support for the XD/NX processor feature should be enabled or disabled as appropriate
The XD/NX processor feature should be enabled or disabled as appropriate in the BIOS
Logins through the specified virtual console interface should be enabled or disabled as appropriate
CCE-3485-0
enabled/disabled
CCE-4111-1
enabled/disabled
CCE-4256-4
enabled/disabled
CCE-4274-7
enabled/disabled
CCE-4044-4
grant/reject
CCE-3987-5
enabled/disabled
CCE-4238-2
enabled/disabled
CCE-4009-7
enabled/disabled
CCE-4154-1
length of password
CCE-4180-6
number of days
CCE-4092-3
number of days
CCE-4097-2
number of days
CCE-4114-5
CCE-3762-2
password strength
Logins through the specified virtual console device should be enabled or disabled as appropriate
Logins through the primary console device should be enabled or disabled as appropriate
Login prompts on serial ports should be enabled or disabled as appropriate.
Command access to the root account should be enabled or disabled as appropriate.
Sudo privileges should be granted or rejected to the wheel group as appropriate
Login access to non-root system accounts should be enabled or disabled as appropriate
Login access to accounts without passwords should be enabled or disabled as appropriate
Anonymous root logins are enabled or disabled as appropriate
The password minimum length should be set appropriately
The "minimum password age" policy should meet minimum requirements.
The "maximum password age" policy should meet minimum requirements.
The password warn age should be set appropriately
NIS file inclusions should be set appropriately in the /etc/passwd file
The password strength should meet minimum requirements
CCE-3410-8 number of attempts
CCE-4185-5
group
CCE-3952-9
permissions
CCE-3301-9
path
CCE-4090-7
permissions
CCE-3844-8
umask
CCE-4227-5
CCE-3870-3
CCE-4144-2
user
CCE-3923-0
permissions
CCE-3818-2
password
CCE-4197-0
group
CCE-4241-6
enabled/disabled
CCE-4245-7
enabled/disabled
The "account lockout threshold" policy should meet minimum requirements.
The /usr/sbin/userhelper file should be owned by the appropriate group.
File permissions for /usr/sbin/userhelper should be set correctly.
The PATH variable should be set correctly for user root
File permissions should be set correctly for the home directories for all user accounts.
The default umask for all users should be set correctly for the bash shell
The default umask for all users should be set correctly for the csh shell
The default umask for all users should be set correctly
The /etc/grub.conf file should be owned by the appropriate user.
File permissions for /etc/grub.conf should be set correctly.
The grub boot loader should have password protection enabled or disabled as appropriate
The /etc/grub.conf file should be owned by the appropriate group.
The requirement for a password to boot into single-user mode should be configured correctly.
The ability for users to perform interactive startups should be enabled or disabled as appropriate.
CCE-3689-7
number of minutes
CCE-3707-7
number of minutes
CCE-3315-9
number of minutes
CCE-3910-7
number of minutes
CCE-4060-0
banner text
CCE-4188-9
banner text/xml
CCE-3977-6
CCE-3999-0
CCE-3624-4
targeted / strict / mls
CCE-4254-9
enabled / disabled
CCE-4148-3
installed / uninstalled
CCE-3668-1
enabled / disabled
CCE-4129-3
enabled / disabled
CCE-4151-7 enabled / disabled
The idle time-out value for the default /bin/tcsh shell should meet the minimum requirements.
The idle time-out value for the default /bin/bash shell should meet the minimum requirements.
The allowed period of inactivity gnome desktop lockout should be configured correctly.
The vlock package should be installed or not as appropriate
The system login banner text should be set correctly.
The direct gnome login warning banner should be set correctly.
SELinux should be enabled or disabled as appropriate
enforcing / permissive / disabled
The SELinux state should be set appropriately.
enforcing / permissive / disabled
The SELinux policy should be set appropriately.
The setroubleshoot service should be enabled or disabled as appropriate.
The setroubleshoot package should be installed or uninstalled as appropriate.
The mcstrans service should be enabled or disabled as appropriate.
The restorecond service should be enabled or disabled as appropriate.
The default setting for sending ICMP redirects should be enabled or disabled for network interfaces as appropriate.
CCE-4155-8 enabled / disabled
CCE-3561-8 enabled / disabled
CCE-3472-8 enabled / disabled
CCE-4217-6 enabled / disabled
CCE-4133-5 enabled / disabled
CCE-4265-5 enabled / disabled
CCE-3644-2 enabled / disabled
CCE-4186-3 enabled / disabled
CCE-4080-8 enabled / disabled
CCE-3339-9 enabled / disabled
Sending ICMP redirects should be enabled or disabled for all interfaces as appropriate.
IP forwarding should be enabled or disabled as appropriate.
Accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be enabled or disabled for all interfaces as appropriate.
Accepting ICMP redirects should be enabled or disabled for all interfaces as appropriate.
Ignoring bogus ICMP responses to broadcasts should be enabled or disabled as appropriate.
Sending TCP syncookies should be enabled or disabled as appropriate.
Ignoring ICMP echo requests (pings) sent to broadcast / multicast addresses should be enabled or disabled as appropriate.
The default setting for accepting ICMP redirects should be enabled or disabled for network interfaces as appropriate.
Performing source validation by reverse path should be enabled or disabled for all interfaces as appropriate.
The default setting for accepting "secure" ICMP redirects (those from gateways listed in the default gateways list) should be enabled or disabled for network interfaces as appropriate.
CCE-4320-8 enabled / disabled
CCE-3840-6 enabled / disabled
CCE-4091-5 enabled / disabled
CCE-4236-6 enabled / disabled
CCE-3628-5
enabled / disabled
CCE-4276-2
enabled / disabled
CCE-4170-7
included / excluded
CCE-3562-6
enabled / disabled
CCE-3377-9
enabled / disabled
CCE-4296-0
enabled / disabled
CCE-3381-1
enabled / disabled
Logging of "martian" packets (those with impossible addresses) should be enabled or disabled for all interfaces as appropriate.
The default setting for performing source validation by reverse path should be enabled or disabled for network interfaces as appropriate.
The default setting for accepting source routed packets should be enabled or disabled for network interfaces as appropriate.
Accepting source routed packets should be enabled or disabled for all interfaces as appropriate.
All wireless devices should be enabled or disabled in the BIOS as appropriate.
All wireless interfaces should be enabled or disabled as appropriate.
Device drivers for wireless devices should be included or excluded from the kernel as appropriate.
Automatic loading of the IPv6 kernel module should be enabled or disabled as appropriate.
Global IPv6 initialization should be enabled or disabled as appropriate.
IPv6 configuration should be enabled or disabled as appropriate for all interfaces.
The default setting for IPv6 configuration should be enabled or disabled for network interfaces as appropriate.
CCE-4269-7
enabled / disabled
CCE-4291-1
enabled / disabled
CCE-4313-3
enabled / disabled
CCE-4198-8
enabled / disabled
CCE-3842-2
CCE-4221-8
enabled / disabled
CCE-4137-6
number
CCE-4159-0
number
CCE-3895-0
number
Accepting IPv6 router advertisements should be enabled or disabled as appropriate for all network interfaces.
The default setting for accepting IPv6 router advertisements should be enabled or disabled for network interfaces as appropriate.
Accepting redirects from IPv6 routers should be enabled or disabled as appropriate for all network interfaces.
The default setting for accepting redirects from IPv6 routers should be enabled or disabled for network interfaces as appropriate.
IPv6 privacy extensions should be configured appropriately for all interfaces.
disabled / lightweight / rfc3041 (alias yes)
The default setting for accepting router preference via IPv6 router advertisement should be enabled or disabled for network interfaces as appropriate.
The default number of global unicast IPv6 addresses allowed per network interface should be set appropriately.
The default number of IPv6 router solicitations for network interfaces to send should be set appropriately.
The default number of IPv6 duplicate address detection solicitations for network interfaces to send per configured address should be set appropriately.
CCE-4287-9
enabled / disabled
CCE-4058-4
enabled / disabled
CCE-4128-5
enabled / disabled
CCE-4167-3
enabled / disabled
CCE-4189-7
enabled / disabled
CCE-3679-8
enabled / disabled
CCE-3701-0
group
CCE-4233-3
permissions
CCE-4366-1
user
CCE-4260-6
sent / not sent
CCE-3382-9
accept / reject
CCE-4182-2
enabled / disabled
The default setting for autoconfiguring network interfaces using prefix information in IPv6 router advertisements should be enabled or disabled as appropriate.
The default setting for accepting prefix information via IPv6 router advertisement should be enabled or disabled for network interfaces as appropriate.
The default setting for accepting a default router via IPv6 router advertisement should be enabled or disabled for network interfaces as appropriate.
The ip6tables service should be enabled or disabled as appropriate.
The iptables service should be enabled or disabled as appropriate.
The syslog service should be enabled or disabled as appropriate.
All syslog log files should be owned by the appropriate group.
File permissions for all syslog log files should be set correctly.
All syslog log files should be owned by the appropriate user.
Syslog logs should be sent to a remote loghost or not as appropriate
Syslogd should accept remote messages or not as appropriate
The logrotate (syslog rotater) service should be enabled or disabled as appropriate.
CCE-4323-2
enabled / disabled
CCE-4292-9
enabled / disabled
CCE-4234-1
enabled / disabled
CCE-4252-3
enabled / disabled
CCE-4023-8
installed / uninstalled
CCE-4164-0
installed / uninstalled
CCE-3390-2
enabled / disabled
CCE-4330-7
installed / uninstalled
CCE-3974-3
enabled / disabled
CCE-4141-8
enabled / disabled
CCE-3537-8
enabled / disabled
CCE-4308-3
installed / uninstalled
CCE-3705-1
enabled / disabled
CCE-4348-9
installed / uninstalled
CCE-4273-9
enabled / disabled
The logwatch service should be enabled or disabled as appropriate
The auditd service should be enabled or disabled as appropriate.
The inetd service should be enabled or disabled as appropriate.
The xinetd service should be enabled or disabled as appropriate.
The inetd package should be installed or uninstalled as appropriate.
The xinetd package should be installed or uninstalled as appropriate.
The telnet service should be enabled or disabled as appropriate.
The telnet-server package should be installed or uninstalled as appropriate.
The rcp service should be enabled or disabled as appropriate.
The rsh service should be enabled or disabled as appropriate.
The rlogin service should be enabled or disabled as appropriate.
The rsh package should be installed or uninstalled as appropriate.
The ypbind service should be enabled or disabled as appropriate.
The ypserv package should be installed or uninstalled as appropriate.
The tftp service should be enabled or disabled as appropriate.
CCE-3916-4
installed / uninstalled
CCE-3412-4 enabled / disabled
CCE-4229-1
enabled / disabled
CCE-4123-6
enabled / disabled
CCE-4286-1
enabled / disabled
CCE-3425-6
enabled / disabled
CCE-4211-9
enabled / disabled
CCE-3854-7
enabled / disabled
CCE-4356-2
enabled / disabled
CCE-4369-5
enabled / disabled
CCE-4100-4
enabled / disabled
CCE-3455-3
enabled / disabled
CCE-4421-4
enabled / disabled
CCE-4302-6
enabled / disabled
CCE-3822-4
enabled / disabled
The tftp-server package should be installed or uninstalled as appropriate.
The firstboot service should be enabled or disabled as appropriate.
The gpm service should be enabled or disabled as appropriate.
The irqbalance service should be enabled or disabled as appropriate.
The isdn service should be enabled or disabled as appropriate.
The kdump service should be enabled or disabled as appropriate.
The kudzu service should be enabled or disabled as appropriate.
The mdmonitor service should be enabled or disabled as appropriate.
The microcode_ctl service should be enabled or disabled as appropriate.
The network service should be enabled or disabled as appropriate.
The pcscd service should be enabled or disabled as appropriate.
The smartd service should be enabled or disabled as appropriate.
The readahead_early service should be enabled or disabled as appropriate.
The readahead_later service should be enabled or disabled as appropriate.
The messagebus service should be enabled or disabled as appropriate.
CCE-4364-6
enabled / disabled
CCE-4355-4
enabled / disabled
CCE-4377-8
enabled / disabled
CCE-4289-5
enabled / disabled
CCE-4298-6
enabled / disabled
CCE-4051-9
enabled / disabled
CCE-4324-0
enabled / disabled
CCE-4406-5
enabled / disabled
CCE-4428-9
installed / uninstalled
CCE-4322-4
group
CCE-4450-3
permissions
CCE-4331-5
group
CCE-3851-3
user
CCE-4379-4
user
CCE-4388-5
permissions
CCE-4054-3
group
The haldaemon service should be enabled or disabled as appropriate.
The bluetooth service should be enabled or disabled as appropriate.
The hidd service should be enabled or disabled as appropriate.
The apmd service should be enabled or disabled as appropriate.
The acpid service should be enabled or disabled as appropriate.
The cpuspeed service should be enabled or disabled as appropriate.
The crond service should be enabled or disabled as appropriate.
The anacron service should be enabled or disabled as appropriate.
The anacron package should be installed or uninstalled as appropriate.
The /etc/cron.monthly file should be owned by the appropriate group.
File permissions for /etc/cron.daily should be set correctly.
The /etc/cron.weekly file should be owned by the appropriate group.
The /etc/crontab file should be owned by the appropriate user.
The /etc/anacrontab file should be owned by the appropriate user.
File permissions for /etc/crontab should be set correctly.
The /etc/cron.hourly file should be owned by the appropriate group.
CCE-4441-2
user
CCE-4212-7
group
CCE-4380-2
user
CCE-3833-1
user
CCE-3604-6
group
CCE-4106-1
permissions
CCE-3983-4
user
CCE-3626-9
group
CCE-4022-0
user
CCE-4304-2
permissions
CCE-4203-6
permissions
CCE-4251-5
permissions
CCE-3481-9
group
CCE-4250-7
permissions
CCE-4268-9
enabled / disabled
CCE-4272-1
installed / uninstalled
The /etc/cron.monthly file should be owned by the appropriate user.
The /etc/cron.d file should be owned by the appropriate group.
The /etc/cron.d file should be owned by the appropriate user.
The /etc/cron.weekly file should be owned by the appropriate user.
The /etc/anacrontab file should be owned by the appropriate group.
File permissions for /etc/cron.hourly should be set correctly.
The /etc/cron.hourly file should be owned by the appropriate user.
The /etc/crontab file should be owned by the appropriate group.
The /etc/cron.daily file should be owned by the appropriate user.
File permissions for /etc/anacrontab should be set correctly.
File permissions for /etc/cron.weekly should be set correctly.
File permissions for /etc/cron.monthly should be set correctly.
The /etc/cron.daily file should be owned by the appropriate group.
File permissions for /etc/cron.d should be set correctly.
The sshd service should be enabled or disabled as appropriate.
SSH should be installed or uninstalled as appropriate
CCE-4295-2
allow / deny
CCE-4325-7
CCE-3845-5
integer (seconds)
CCE-4475-0
enabled / disabled
CCE-4370-3
enabled / disabled
CCE-4387-7
enabled / disabled
CCE-3660-8
enabled / disabled
CCE-4431-3
enabled / disabled
CCE-4462-8
enabled / disabled
CCE-4422-2
installed/removed
CCE-4303-4
enabled / disabled
CCE-4448-7
enabled / disabled
CCE-4074-1
enabled / disabled
Inbound connections to the ssh port should be allowed or denied as appropriate
SSH version 1 protocol support should be enabled or disabled as appropriate.
permitted / not permitted
The SSH idle timeout interval should be set to an appropriate value
Emulation of the rsh command through the ssh server should be enabled or disabled as appropriate
SSH host-based authentication should be enabled or disabled as appropriate
Root login via SSH should be enabled or disabled as appropriate
Remote connections from accounts with empty passwords should be enabled or disabled as appropriate
SSH warning banner should be enabled or disabled as appropriate
X Windows should be enabled or disabled at system boot as appropriate
X Windows should be installed or removed as appropriate
X Font Server should be enabled or disabled as appropriate
The xfs service should be enabled or disabled as appropriate.
X Windows System Listening for remote connections should be enabled or disabled as appropriate
CCE-3717-6
enabled / disabled
CCE-4365-3
enabled / disabled
CCE-4136-8
serve / not serve
CCE-4409-9
serve / not serve
CCE-4426-3
accept / reject
CCE-4193-9
allow / disallow
CCE-4444-6
enabled / disabled
CCE-4352-1
enabled / disabled
CCE-4433-9
enabled / disabled
CCE-4451-1
enabled / disabled
CCE-4341-4
enabled / disabled
CCE-4358-8
enabled / disabled
CCE-4112-9
enabled / disabled
Warning banners for gui login users should be enabled or disabled as appropriate
The avahi-daemon service should be enabled or disabled as appropriate.
The Avahi daemon should be configured to serve via IPv6 or not as appropriate
The Avahi daemon should be configured to serve via IPv4 or not as appropriate
Avahi should be configured to accept packets with a TTL field not equal to 255 or not as appropriate
Avahi should be configured to allow other stacks from binding to port 5353 or not as appropriate
Avahi publishing of local information should be enabled or disabled as appropriate
Avahi publishing of local information by user applications should be enabled or disabled as appropriate
Avahi publishing of hardware information should be enabled or disabled as appropriate
Avahi publishing of workstation name should be enabled or disabled as appropriate
Avahi publishing of IP addresses should be enabled or disabled as appropriate
Avahi publishing of domain name should be enabled or disabled as appropriate
The cups service should be enabled or disabled as appropriate.
CCE-3755-6
enabled/disabled
CCE-3649-1
enabled / disabled
CCE-4420-6
enabled / disabled
CCE-4407-3
allow / deny
CCE-4425-5
enabled / disabled
CCE-4191-3
enabled / disabled
CCE-4336-4
enabled / disabled
CCE-4464-4
installed / uninstalled
CCE-4257-2
enabled / disabled
CCE-4403-2
accepted / denied
CCE-4345-5
accepted / denied
CCE-3724-2
sent / not sent
CCE-4243-2
sent / not sent
CUPS service should be enabled or disabled as appropriate
Firewall access to printing service should be enabled or disabled as appropriate
Remote print browsing should be enabled or disabled as appropriate
CUPS should be allowed or denied the ability to listen for Incoming printer information as appropriate
The hplip service should be enabled or disabled as appropriate.
The dhcp client service should be enabled or disabled as appropriate for each interface.
The dhcpd service should be enabled or disabled as appropriate.
The dhcp package should be installed or uninstalled as appropriate.
The dynamic DNS feature of the DHCP server should be enabled or disabled as appropriate
DHCPDECLINE messages should be accepted or denied by the DHCP server as appropriate
BOOTP queries should be accepted or denied by the DHCP server as appropriate
Domain name server information should be sent or not sent by the DHCP server as appropriate.
Default routers should be sent or not sent by the DHCP server as appropriate.
CCE-4389-3
sent / not sent
CCE-3913-1
sent / not sent
CCE-4169-9
sent / not sent
CCE-4318-2
sent / not sent
CCE-4319-0
sent / not sent
CCE-3733-3
enabled / disabled
CCE-4376-0
enabled / disabled
CCE-4134-3
allow / deny
CCE-4385-1
ip address
CCE-4032-9
installed / uninstalled
CCE-4424-8
enabled / disabled
CCE-3487-6
local ntp server
CCE-4416-4
enabled / disabled
CCE-4293-7
enabled / disabled
Domain name should be sent or not sent by the DHCP server as appropriate.
NIS domain should be sent or not sent by the DHCP server as appropriate.
NIS servers should be sent or not sent by the DHCP server as appropriate.
Time offset should be sent or not sent by the DHCP server as appropriate.
NTP servers should be sent or not sent by the DHCP server as appropriate.
dhcpd logging should be enabled or disabled as appropriate.
The ntpd service should be enabled or disabled as appropriate.
Network access to ntpd should be allowed or denied as appropriate
A remote NTP Server for time synchronization should be specified or not as appropriate
OpenNTPD should be installed or uninstalled as appropriate
The ntp daemon should be enabled or disabled as appropriate
The ntp daemon synchronization server should be set appropriately
The sendmail service should be enabled or disabled as appropriate.
The listening sendmail daemon should be enabled or disabled as appropriate.
CCE-3501-4
enabled / disabled
CCE-4360-4
permissions
CCE-4378-6
permissions
CCE-4492-5
user
CCE-4263-0
permissions
CCE-3502-2
user
CCE-4449-5
user
CCE-4361-2
permissions
CCE-4427-1
group
CCE-4321-6
group
CCE-4339-8
group
CCE-4105-3
user
The ldap service should be enabled or disabled as appropriate.
File permissions for /etc/pki/tls/CA/cacert.pem should be set correctly.
File permissions for /etc/pki/tls/ldap/serverkey.pem should be set correctly.
The /etc/pki/tls/ldap file should be owned by the appropriate user.
File permissions for /etc/pki/tls/ldap/servercert.pem should be set correctly.
The /etc/pki/tls/ldap/serverkey.pem file should be owned by the appropriate user.
The /etc/pki/tls/CA/cacert.pem file should be owned by the appropriate user.
File permissions for /etc/pki/tls/ldap should be set correctly.
The /etc/pki/tls/CA/cacert.pem file should be owned by the appropriate group.
The /etc/pki/tls/ldap/serverkey.pem file should be owned by the appropriate group.
The /etc/pki/tls/ldap file should be owned by the appropriate group.
The /etc/pki/tls/ldap/servercert.pem file should be owned by the appropriate user.
CCE-3718-4
group
CCE-4484-2
group
CCE-4502-1
user
CCE-4396-8
enabled / disabled
CCE-3535-2
enabled / disabled
CCE-3568-3
enabled / disabled
CCE-4533-6
enabled / disabled
CCE-4550-0
enabled / disabled
CCE-4559-1
static / dynamic
CCE-4015-4
static / dynamic
CCE-3667-3
static / dynamic
CCE-4310-9
static / dynamic
The /etc/pki/tls/ldap/servercert.pem file should be owned by the appropriate group.
The /var/lib/ldap/* files should be owned by the appropriate group.
The /var/lib/ldap/* files should be owned by the appropriate user.
The nfslock service should be enabled or disabled as appropriate.
The rpcgssd service should be enabled or disabled as appropriate.
The rpcidmapd service should be enabled or disabled as appropriate.
The netfs service should be enabled or disabled as appropriate.
The portmap service should be enabled or disabled as appropriate.
The lockd service should be configured to use a static port or a dynamic portmapper port for TCP as appropriate
The statd service should be configured to use an outgoing static port or an outgoing dynamic portmapper port as appropriate
The statd service should be configured to use a static port or a dynamic portmapper port as appropriate
The lockd service should be configured to use a static port or a dynamic portmapper port for UDP as appropriate
CCE-4438-8
static / dynamic
CCE-3579-0
static / dynamic
CCE-4473-5
enabled / disabled
CCE-4491-7
enabled / disabled
CCE-4368-7
enabled / disabled
CCE-4024-6
enabled / disabled
CCE-4526-0
enabled / disabled
CCE-4544-3
enabled / disabled
CCE-4465-1
enabled / disabled
CCE-4350-5
enabled / disabled
CCE-3578-2
enabled / disabled
CCE-4219-2
installed / uninstalled
CCE-3985-9
group
The mountd service should be configured to use a static port or a dynamic portmapper port as appropriate
The rquotad service should be configured to use a static port or a dynamic portmapper port as appropriate
The nfs service should be enabled or disabled as appropriate
The rpcsvcgssd service should be enabled or disabled as appropriate
The nodev option should be enabled or disabled for all NFS mounts as appropriate
The nosuid option should be enabled or disabled for all NFS mounts as appropriate
The noexec option should be enabled or disabled for all NFS mounts as appropriate
Root squashing should be enabled or disabled as appropriate for all NFS shares
Restriction of NFS clients to privileged ports should be enabled or disabled as appropriate
Write access to NFS shares should be enabled or disabled as appropriate
The named service should be enabled or disabled as appropriate.
The bind package should be installed or uninstalled as appropriate.
The /var/named/chroot/etc/named.conf file should be owned by the appropriate group.
CCE-4487-5
permissions
CCE-4258-0
user
CCE-4399-2
enabled / disabled
CCE-3919-8
enabled / disabled
CCE-4549-2
enabled / disabled
CCE-4554-2
enabled / disabled
CCE-4443-8
enabled / disabled
CCE-4461-0
enabled / disabled
CCE-4338-0
enabled / disabled
CCE-4514-6
installed / uninstalled
CCE-4346-3
installed / uninstalled
CCE-4474-3
text
CCE-3756-4
CCE-4509-6
permissions
File permissions for /var/named/chroot/etc/named.conf should be set correctly.
The /var/named/chroot/etc/named.conf file should be owned by the appropriate user.
LDAP's dynamic updates feature should be enabled or disabled as appropriate
The vsftpd service should be enabled or disabled as appropriate.
Logging of vsftpd transactions should be enabled or disabled as appropriate
A warning banner for all FTP users should be enabled or disabled as appropriate
Local user login to the vsftpd service should be enabled or disabled as appropriate
File uploads via vsftpd should be enabled or disabled as appropriate
The httpd service should be enabled or disabled as appropriate.
The httpd package should be installed or uninstalled as appropriate.
The apache 2 server software should be installed or removed as appropriate
The apache2 server's ServerTokens value should be set appropriately
The apache2 server's ServerSignature value should be set appropriately
File permissions for /etc/httpd/conf should be set correctly.
CCE-4386-9
permissions
CCE-4029-5
permissions
CCE-3581-6
CCE-4574-0
permissions
CCE-3847-1
enabled / disabled
CCE-4239-0
installed / uninstalled
CCE-4384-4
support / not support
CCE-3887-7
support / not support
CCE-4530-2
support / not support
CCE-4547-6
support / not support
CCE-4552-6
enabled / disabled
CCE-4371-1
enabled / disabled
CCE-4410-7
enabled / disabled
File permissions for /etc/httpd/conf/* should be set correctly.
File permissions for /usr/sbin/httpd should be set correctly.
The /etc/httpd/conf/* files should be owned by the appropriate group.
File permissions for /var/log/httpd should be set correctly.
The dovecot service should be enabled or disabled as appropriate.
The dovecot package should be installed or uninstalled as appropriate.
Dovecot should be configured to support the imaps protocol or not as necessary
Dovecot should be configured to support the pop3s protocol or not as necessary
Dovecot should be configured to support the pop3 protocol or not as necessary
Dovecot should be configured to support the imap protocol or not as necessary
Dovecot plaintext authentication of clients should be enabled or disabled as necessary
The Dovecot option to drop privileges to user before executing mail process should be enabled or not as appropriate
The Dovecot option to spawn a new login process per connection should be enabled or not as appropriate
CCE-4551-8
enabled / disabled
CCE-4556-7
enabled / disabled
CCE-4076-6
installed / uninstalled
CCE-4454-5
enabled / disabled
CCE-4353-9
data length
CCE-4503-9
enabled / disabled
CCE-3585-7
enabled / disabled
CCE-4419-8
data length
CCE-3692-1
user
CCE-4459-4
enabled / disabled
CCE-4476-8
group
CCE-4181-4
enabled / disabled
The smb service should be enabled or disabled as appropriate.
The squid service should be enabled or disabled as appropriate.
The squid package should be installed or uninstalled as appropriate.
The Squid option to force FTP passive connections should be enabled or not as appropriate
The Squid max request HTTP header length should be set to an appropriate value
The Squid option to check for RFC compliant hostnames should be enabled or not as appropriate
The Squid option to ignore unknown nameservers should be enabled or not as appropriate
The Squid max reply HTTP header length should be set to an appropriate value
The Squid EUID should be set to an appropriate user
The Squid option to perform FTP sanity checks should be enabled or not as appropriate
The Squid GUID should be set to an appropriate group
The Squid option to show proxy client IP addresses in HTTP headers should be enabled or disabled as appropriate
CCE-4577-3
enabled / disabled
CCE-4344-8
enabled / disabled
CCE-4494-1
enabled / disabled
CCE-4511-2
allow / deny
CCE-4529-4
allow / deny
CCE-3610-3
allow / deny
CCE-4466-9
allow / deny
CCE-4607-8
allow / deny
CCE-4255-6
allow / deny
CCE-4127-7
allow / deny
CCE-4519-5
allow / deny
CCE-4413-1
allow / deny
The Squid option to log HTTP MIME headers should be enabled or disabled as appropriate
The Squid option to allow underscores in hostnames should be enabled or disabled as appropriate
The Squid option to suppress the httpd version string should be enabled or disabled as appropriate
Squid should be configured to allow gss-http traffic or not as appropriate
Squid should be configured to allow https traffic or not as appropriate
Squid should be configured to allow wais traffic or not as appropriate
Squid should be configured to allow multiling http traffic or not as appropriate
Squid should be configured to allow http traffic or not as appropriate
Squid should be configured to allow ftp traffic or not as appropriate
Squid should be configured to allow gopher traffic or not as appropriate
Squid should be configured to allow filemaker traffic or not as appropriate
Squid proxy access to localhost should be allowed or denied as appropriate
CCE-4373-7
allow / deny
CCE-3765-5
enabled / disabled
CCE-4404-0
installed / uninstalled
Squid should be configured to allow http-mgmt traffic or not as appropriate
The snmpd service should be enabled or disabled as appropriate.
The net-snmp package should be installed or uninstalled as appropriate.
CCE Technical Mechanisms
via chkconfig 2.1.2.2
via chkconfig 2.1.2.3.2
via yum 2.1.3.1.1
via /etc/fstab 2.2.1.1
via /etc/fstab 2.2.1.2
via /etc/fstab 2.2.1.2
2.2.1.2
via /etc/security/console.perms.d/50-default.perms 2.2.2.1
via /etc/modprobe.conf 2.2.2.2.1
via kernel 2.2.2.2.2
via /etc/grub.conf 2.2.2.2.3
NSA "Guide to the Secure Configuration of Red Hat Enterprise Linux 5" (Section)
via BIOS 2.2.2.2.4
via chkconfig 2.2.2.3
via gconf 2.2.2.4
via chown 2.2.3.1
via chown 2.2.3.1
via chown 2.2.3.1
via chmod 2.2.3.1
via chown 2.2.3.1
via chown 2.2.3.1
via chown 2.2.3.1
via chmod 2.2.3.1
via chown 2.2.3.1
via chmod 2.2.3.1
via chown 2.2.3.1
via chmod 2.2.3.1
via chmod 2.2.3.2
via chmod 2.2.3.3
via chmod 2.2.3.4
via chmod 2.2.3.4
via chown 2.2.3.5
via chgrp 2.2.3.5
via /etc/sysconfig/init 2.2.4.1
via /etc/security/limits.conf 2.2.4.2
via sysctl - fs.suid_dumpable 2.2.4.2
via sysctl - kernel.randomize_va_space 2.2.4.3
via sysctl - kernel.exec-shield 2.2.4.3
via kernel-PAE 2.2.4.4.2
via BIOS 2.2.4.4.3
via /etc/securetty 2.3.1.1
via /etc/securetty 2.3.1.1
via /etc/securetty 2.3.1.1
via /etc/securetty 2.3.1.1
via pam 2.3.1.2
vi /etc/sudoers 2.3.1.3
via /etc/passwd 2.3.1.4
via /etc/shadow 2.3.1.5
via /etc/passwd 2.3.1.6
via /etc/login.defs 2.3.1.7
via /etc/login.defs 2.3.1.7
via /etc/login.defs 2.3.1.7
via /etc/login.defs 2.3.1.7
2.3.1.8
via PAM 2.3.3.1
via PAM 2.3.3.2
via chgrp 2.3.3.4
via chmod 2.3.3.4
2.3.4.1
2.3.4.2
umask 2.3.4.4
2.3.4.4
2.3.4.4
via chown 2.3.5.2
via chmod 2.3.5.2
via /etc/grub.conf 2.3.5.2
via chown 2.3.5.2
via /etc/inittab 2.3.5.3
via /etc/sysconfig/init 2.3.5.4
via autolockout 2.3.5.5
via /etc/profile.d 2.3.5.5
via gconftool-2 2.3.5.6.1
via gconftool-2 2.3.5.6.1
via /etc/issue 2.3.7.1
via RHEL.xml 2.3.7.2
via /etc/selinux/config 2.4.2
via /etc/selinux/config 2.4.2
via /etc/selinux/config 2.4.2
via chkconfig 2.4.3.1
via yum 2.4.3.1
via chkconfig 2.4.3.2
via chkconfig 2.4.3.3
via sysctl - net.ipv4.conf.default.send_redirects 2.5.1.1
via sysctl - net.ipv4.conf.all.send_redirects 2.5.1.1
via sysctl - net.ipv4.ip_forward 2.5.1.1
via sysctl - net.ipv4.conf.all.secure_redirects 2.5.1.2
via sysctl - net.ipv4.conf.all.accept_redirects 2.5.1.2
via sysctl - net.ipv4.icmp_ignore_bogus_error_messages 2.5.1.2
via sysctl - net.ipv4.tcp_syncookies 2.5.1.2
via sysctl - net.ipv4.icmp_echo_ignore_broadcasts 2.5.1.2
via sysctl - net.ipv4.conf.default.accept_redirects 2.5.1.2
via sysctl - net.ipv4.conf.all.rp_filter 2.5.1.2
via sysctl - net.ipv4.conf.default.secure_redirects 2.5.1.2
via sysctl - net.ipv4.conf.all.log_martians 2.5.1.2
via sysctl - net.ipv4.conf.default.rp_filter 2.5.1.2
via sysctl - net.ipv4.conf.default.accept_source_route 2.5.1.2
via sysctl - net.ipv4.conf.all.accept_source_route 2.5.1.2
via BIOS menus 2.5.2.2.1
via ifconfig 2.5.2.2.2
via modprobe 2.5.2.2.3
via /etc/modprobe.conf 2.5.3.1.1
via /etc/sysconfig/network 2.5.3.1.2
via IPV6INIT in /etc/sysconfig/network-scripts/ifcfg-<interface> 2.5.3.1.2
via /etc/sysconfig/network 2.5.3.1.2
2.5.3.2.1
2.5.3.2.1
2.5.3.2.1
2.5.3.2.1
2.5.3.2.3
via sysctl - net.ipv6.conf.default.accept_ra_rtr_pref 2.5.3.2.5
via sysctl - net.ipv6.conf.default.max_addresses 2.5.3.2.5
via sysctl - net.ipv6.conf.default.router_solicitations 2.5.3.2.5
via sysctl - net.ipv6.conf.default.dad_transmits 2.5.3.2.5
(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network
(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network
(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network
(1) via sysctl (2) via IPV6_AUTOCONF in /etc/sysconfig/network
via IPV6_PRIVACY in /etc/sysconfig/network-scripts/ifcfg-<interface>
via sysctl - net.ipv6.conf.default.autoconf 2.5.3.2.5
via sysctl - net.ipv6.conf.default.accept_ra_pinfo 2.5.3.2.5
via sysctl - net.ipv6.conf.default.accept_ra_defrtr 2.5.3.2.5
via chkconfig 2.5.5.1
via chkconfig 2.5.5.1
via chkconfig 2.6.1
via chown 2.6.1.2
via chmod 2.6.1.2
via chown 2.6.1.2
via /etc/syslog.conf 2.6.1.3
via /etc/sysconfig/syslog 2.6.1.4
via cron 2.6.1.5
via cron 2.6.1.6
via chkconfig 2.6.2.1
via chkconfig 3.2.1
via chkconfig 3.2.1
via yum 3.2.1
via yum 3.2.1
via chkconfig 3.2.2
via yum 3.2.2
via chkconfig 3.2.3.1
via chkconfig 3.2.3.1
via chkconfig 3.2.3.1
via yum 3.2.3.1
via chkconfig 3.2.4
via yum 3.2.4
via chkconfig 3.2.5
via yum 3.2.5
via chkconfig 3.3.1
via chkconfig 3.3.2
via chkconfig 3.3.3
via chkconfig 3.3.4
via chkconfig 3.3.5
via chkconfig 3.3.6
via chkconfig 3.3.7
via chkconfig 3.3.8
via chkconfig 3.3.9
via chkconfig 3.3.10
via chkconfig 3.3.11
via chkconfig 3.3.12
via chkconfig 3.3.12
via chkconfig 3.3.13.1
via chkconfig 3.3.13.2
via chkconfig 3.3.14.1
via chkconfig 3.3.14.2
via chkconfig 3.3.15.1
via chkconfig 3.3.15.2
via chkconfig 3.3.15.3
via chkconfig 3.4
via chkconfig 3.4.1
via yum 3.4.1
via chown 3.4.2
via chmod 3.4.2
via chown 3.4.2
via chown 3.4.2
via chown 3.4.2
via chmod 3.4.2
via chown 3.4.2
via chown 3.4.2
via chown 3.4.2
via chown 3.4.2
via chown 3.4.2
via chown 3.4.2
via chmod 3.4.2
via chown 3.4.2
via chown 3.4.2
via chown 3.4.2
via chmod 3.4.2
via chmod 3.4.2
via chmod 3.4.2
via chown 3.4.2
via chmod 3.4.2
via chkconfig 3.5.1.1
via yum 3.5.1.1
/etc/sysconfig/iptables 3.5.1.2
via /etc/ssh/sshd_config 3.5.2.1
via /etc/ssh/sshd_config 3.5.2.3
via /etc/ssh/sshd_config 3.5.2.4
via /etc/ssh/sshd_config 3.5.2.5
via /etc/ssh/sshd_config 3.5.2.6
via /etc/ssh/sshd_config 3.5.2.7
via /etc/ssh/sshd_config 3.5.2.8
via /etc/inittab 3.6.1.1
via yum 3.6.1.2
via chkconfig 3.6.1.3.1
via chkconfig 3.6.1.3.1
via /etc/X11/xinit/xserverrc 3.6.1.3.2
via /etc/gdm/custom.conf 3.6.2.1
via chkconfig 3.7.1.1
via /etc/avahi/avahi-daemon.conf 3.7.2.1
via /etc/avahi/avahi-daemon.conf 3.7.2.1
via /etc/avahi/avahi-daemon.conf 3.7.2.2
via /etc/avahi/avahi-daemon.conf 3.7.2.3
via /etc/avahi/avahi-daemon.conf 3.7.2.4
via /etc/avahi/avahi-daemon.conf 3.7.2.5
via /etc/avahi/avahi-daemon.conf 3.7.2.5
via /etc/avahi/avahi-daemon.conf 3.7.2.5
via /etc/avahi/avahi-daemon.conf 3.7.2.5
via /etc/avahi/avahi-daemon.conf 3.7.2.5
via chkconfig 3.8.1
via chkconfig 3.8.1
via /etc/sysconfig/iptables 3.8.2
via /etc/cups/cupsd.conf 3.8.3.1.1
via /etc/cups/cupsd.conf 3.8.3.1.1
via chkconfig 3.8.4.1
via /etc/sysconfig/network-scripts/ifcfg-IFACE 3.9.1
via chkconfig 3.9.3
via yum 3.9.3
via /etc/dhcpd.conf 3.9.4.1
via /etc/dhcpd.conf 3.9.4.2
via /etc/dhcpd.conf 3.9.4.3
via /etc/dhcpd.conf 3.9.4.4
via /etc/dhcpd.conf 3.9.4.4
via /etc/dhcpd.conf 3.9.4.4
via /etc/dhcpd.conf 3.9.4.4
via /etc/dhcpd.conf 3.9.4.4
via /etc/dhcpd.conf 3.9.4.4
via /etc/dhcpd.conf 3.9.4.4
via /etc/syslog.conf 3.9.4.5
via chkconfig 3.10.2.2.1
via /etc/ntp.conf 3.10.2.2.2
via /etc/ntp.conf 3.10.2.2.3
via openntpd package 3.10.3.1
via /etc/rc.local 3.10.3.2.1
via /usr/local/etc/ntpd.conf 3.10.3.2.2
via chkconfig 3.11
via /etc/sysconfig/sendmail 3.11.2.1
via chkconfig 3.12.3.1
via chmod 3.12.3.4.2
via chmod 3.12.3.4.2
via chown 3.12.3.4.2
via chmod 3.12.3.4.2
via chown 3.12.3.4.2
via chown 3.12.3.4.2
via chmod 3.12.3.4.2
via chown 3.12.3.4.2
via chown 3.12.3.4.2
via chown 3.12.3.4.2
via chown 3.12.3.4.2
via chown 3.12.3.4.2
via chown 3.12.3.7
via chown 3.12.3.7
via chkconfig 3.13.1.1
via chkconfig 3.13.1.1
via chkconfig 3.13.1.1
via chkconfig 3.13.1.2
via chkconfig 3.13.1.3
via /etc/sysconfig/nfs 3.13.2.3
via /etc/sysconfig/nfs 3.13.2.3
via /etc/sysconfig/nfs 3.13.2.3
via /etc/sysconfig/nfs 3.13.2.3
via /etc/sysconfig/nfs 3.13.2.3
via /etc/sysconfig/nfs 3.13.2.3
via chkconfig 3.13.3.1
via chkconfig 3.13.3.1
via /etc/fstab 3.13.3.2
via /etc/fstab 3.13.3.2
via /etc/fstab 3.13.3.2
via /etc/exports 3.13.4.1.2
via /etc/exports 3.13.4.1.3
via /etc/exports 3.13.4.1.4
via chkconfig 3.14.1
via yum 3.14.1
via chown 3.14.3.2
via chmod 3.14.3.2
via chown 3.14.3.2
via /etc/named.conf 3.14.4.5
via chkconfig 3.15.1
via /etc/vsftpd.conf 3.15.3.1
via /etc/vsftpd.conf 3.15.3.2
via /etc/vsftpd.conf 3.15.3.3.1
via /etc/vsftpd.conf 3.15.3.4
via chkconfig 3.16.1
via yum 3.16.1
via yum 3.16.2.1
via /etc/httpd/conf/httpd.conf 3.16.3.1
via /etc/httpd/conf/httpd.conf 3.16.3.1
via chmod 3.16.5.1
via chmod 3.16.5.1
via chmod 3.16.5.1
via chgrp 3.16.5.1
via chmod 3.16.5.1
via chkconfig 3.17.1
via yum 3.17.1
via /etc/dovecot.conf 3.17.2.1
via /etc/dovecot.conf 3.17.2.1
via /etc/dovecot.conf 3.17.2.1
via /etc/dovecot.conf 3.17.2.1
via /etc/dovecot.conf 3.17.2.2.4
via /etc/dovecot.conf 3.17.2.3
via /etc/dovecot.conf 3.17.2.3
via chkconfig 3.18.1
via chkconfig 3.19.1
via yum 3.19.1
via /etc/squid/squid.conf 3.19.2.2
via /etc/squid/squid.conf 3.19.2.2
via /etc/squid/squid.conf 3.19.2.2
via /etc/squid/squid.conf 3.19.2.2
via /etc/squid/squid.conf 3.19.2.2
via /etc/squid/squid.conf 3.19.2.2
via /etc/squid/squid.conf 3.19.2.2
via /etc/squid/squid.conf 3.19.2.2
via /etc/squid/squid.conf 3.19.2.3
via /etc/squid/squid.conf 3.19.2.3
via /etc/squid/squid.conf 3.19.2.3
via /etc/squid/squid.conf 3.19.2.3
via /etc/squid/squid.conf 3.19.2.5
via /etc/squid/squid.conf 3.19.2.5
via /etc/squid/squid.conf 3.19.2.5
via /etc/squid/squid.conf 3.19.2.5
via /etc/squid/squid.conf 3.19.2.5
via /etc/squid/squid.conf 3.19.2.5
via /etc/squid/squid.conf 3.19.2.5
via /etc/squid/squid.conf 3.19.2.5
via /etc/squid/squid.conf 3.19.2.5
disabled
CCE-U-203disabled
CCE-U-203installed
enabled
enabled
Similar to CCE-U-170enabled
Similar to CCE-U-170enabled CCE-U-170
root-only
not loaded
uninstalled
disabled
NSA "Guide to the Secure Configuration of
Red Hat Enterprise Linux 5"
(Recommended Value)
Old "Unix-CCE-DRAFT-2" ID
disabled
disabled
CCE-U-203disabled
CCE-U-203root
CCE-U-23root
CCE-U-202root
CCE-U-201400
CCE-U-200root
CCE-U-202root
CCE-U-201root
CCE-U-22644
CCE-U-19root
CCE-U-20644
CCE-U-200root
CCE-U-21400
CCE-U-24
set CCE-U-171
disabled
CCE-U-24not set
not set
user
group
027
disabled
disabled
enabled
enabled
enabled
enabled
enabled
CCE-U-200
enabled
CCE-U-200enabled
CCE-U-200enabled
CCE-U-155enabled
CCE-U-15granted
CCE-U-200disabled
CCE-U-200disabled
CCE-U-200disabled
CCE-U-2008
CCE-U-2007
CCE-U-7180
CCE-U-88
CCE-U-200
CCE-U-200???
CCE-U-200
???
CCE-U-4usergroup
CCE-U-2024710
???
CCE-U-26g-w,o-rwx
CCE-U-162077
CCE-U-31077
CCE-U-31077
CCE-U-31root
CCE-U-201600
CCE-U-200???
root
CCE-U-202enabled
CCE-U-1disabled
CCE-U-200
10
10
10
CCE-U-6
enabled
enforcing
targeted
disabled
CCE-U-203uninstalled
disabled
CCE-U-203enabled CCE-U-203
disabled
disabled
disabled
disabled
enabled CCE-U-203
enabled CCE-U-203
enabled CCE-U-203
root
CCE-U-202?600
CCE-U-200?root
CCE-U-201?sent
accept
CCE-U-131enabled
CCE-U-203
disabled
CCE-U-203enabled
CCE-U-203disabled CCE-U-72
disabled CCE-U-73
uninstalled
uninstalled
disabled CCE-U-104
uninstalled
disabled CCE-U-203
disabled CCE-U-83
disabled CCE-U-82
uninstalled
disabled CCE-U-203
uninstalled
disabled CCE-U-118
uninstalled
disabled
CCE-U-203disabled CCE-U-203
enabled CCE-U-203
disabled CCE-U-203
disabled CCE-U-203
disabled CCE-U-203
disabled CCE-U-203
disabled CCE-U-203
enabled CCE-U-203
disabled CCE-U-203
enabled CCE-U-203
disabled CCE-U-203
disabled CCE-U-203
disabled CCE-U-203
disabled CCE-U-203
disabled CCE-U-203
disabled CCE-U-203
disabled CCE-U-203
enabled CCE-U-203
enabled CCE-U-203
enabled CCE-U-203
disabled CCE-U-203
uninstalled
root
CCE-U-202700
CCE-U-200root
CCE-U-202root
CCE-U-201root
CCE-U-201600
CCE-U-200root
CCE-U-202
root
CCE-U-201root
CCE-U-202root
CCE-U-201root
CCE-U-201root
CCE-U-202700
CCE-U-200root
CCE-U-201root
CCE-U-202root
CCE-U-201600
CCE-U-200700
CCE-U-200700
CCE-U-200root
CCE-U-202700
CCE-U-200disabled CCE-U-203
uninstalled
disabled
not permitted
CCE-U-132no suggestion
disabled
disabled
disabled
disabled
enabled
disabled
uninstalled
disabled
disabled CCE-U-203
disabled
enabled
disabled CCE-U-203
no suggestion
no suggestion
reject
disallow
disabled
disabled
disabled
disabled
disabled
disabled
disabled CCE-U-203
disabled
disabled
disabled
deny
disabled CCE-U-203
disabled CCE-U-203
disabled CCE-U-203
uninstalled
disabled
denied
denied
not sent
not sent
not sent
not sent
not sent
not sent
not sent
enabled
disabled CCE-U-203
deny
no suggestion
no suggestion
enabled
ntp server
enabled CCE-U-203
disabled CCE-U-203
disabled CCE-U-203
644
CCE-U-200755
CCE-U-200root
CCE-U-201755
CCE-U-200root
CCE-U-201root
CCE-U-201755
CCE-U-200root
CCE-U-202ldap
CCE-U-202root
CCE-U-202root
CCE-U-201
ldap
CCE-U-202root
CCE-U-202ldap
CCE-U-201disabled CCE-U-203
disabled CCE-U-203
disabled CCE-U-203
disabled CCE-U-203
disabled CCE-U-203
static
static
static
static
static
static
disabled
disabled
enabled
enabled
enabled
enabled
disabled
disabled
disabled CCE-U-203
uninstalled
root
CCE-U-202
644
CCE-U-200root
CCE-U-201disabled
disabled CCE-U-203
enabled
enabled
disabled
disabled
disabled CCE-U-203
uninstalled
installed
Prod
Off
750
CCE-U-200
640
CCE-U-200511
CCE-U-200apache
CCE-U-202750
CCE-U-200disabled CCE-U-203
uninstalled
not support
not support
not support
not support
disabled
enabled
enabled
disabled CCE-U-203
disabled CCE-U-160
uninstalled
enabled
20kb
enabled
enabled
20kb
squid
enabled
squid
disabled
CCE ID CCE Description
CCE-4508-8
CCE-4327-3
CCE-4468-5
CCE-4512-0
CCE-4375-2
CCE-4393-5
CCE-3662-4
CCE-4442-0
CCE-4596-3
CCE-4486-7
CCE-4362-0
CCE-3622-8
CCE-4299-4
CCE Parameters
The tooltalk service should be enabled or disabled as appropriate
enabled / disabled / offline
The calendar manager should be enabled or disabled as appropriate.
enabled / disabled / offline
The GNOME logon service should be enabled or disabled as appropriate
enabled / disabled / offline
The CDE logon service should be enabled or disabled as appropriate.
enabled / disabled / offline
The sendmail services should be enabled or disabled as appropriate.
enabled / disabled / offline
The web console should be enabled or disabled as appropriate.
enabled / disabled / offline
The WBEM services should be enabled or disabled as appropriate.
enabled / disabled / offline
The BSD line printer protocol should be enabled or disabled as appropriate.
enabled / disabled / offline
The keyserv service should be enabled or disabled as appropriate.
enabled / disabled / offline
The NIS server daemon should be enabled or disabled as appropriate
enabled / disabled / offline
The NIS passwd daemon should be enabled or disabled as appropriate
enabled / disabled / offline
The NIS update daemon should be enabled or disabled as appropriate
enabled / disabled / offline
The NIS xfr daemon should be enabled or disabled as appropriate
enabled / disabled / offline
CCE-4592-2
CCE-4614-4
CCE-4279-6
CCE-4557-5
CCE-4588-0
CCE-4354-7
CCE-4240-8
CCE-4517-9
CCE-4284-6
CCE-4429-7
CCE-4306-7
CCE-4499-0
CCE-4266-3
CCE-4411-5
CCE-4305-9
The NIS client daemons should be enabled or disabled as appropriate
enabled / disabled / offline
The nisplus daemons should be enabled or disabled as appropriate
enabled / disabled / offline
The ldap cache manager should be enabled or disabled as appropriate
enabled / disabled / offline
The Kerberos TGT Expiration warning should be enabled or disabled as appropriate
enabled / disabled / offline
The Generic Security Service daemons should be enabled or disabled as appropriate
enabled / disabled / offline
The volfs service should be enabled or disabled as appropriate
enabled / disabled / offline
The smserver service should be enabled or disabled as appropriate
enabled / disabled / offline
The Samba smbd service should be enabled or disabled as appropriate
enabled / disabled / offline
The Samba nmbd service should be enabled or disabled as appropriate
enabled / disabled / offline
The automount daemon should be enabled or disabled as appropriate
enabled / disabled / offline
The apache web server should be enabled or disabled as appropriate
enabled / disabled / offline
The mpxio-upgrade service should be enabled or disabled as appropriate
enabled / disabled / offline
The metainit service (Solaris 10 <= 11/06) should be enabled or disabled as appropriate
enabled / disabled / offline
The mdmonitor service (Solaris 10 <= 11/06) should be enabled or disabled as appropriate
enabled / disabled / offline
The volume manager GUI mdcomm service should be enabled or disabled as appropriate
enabled / disabled / offline
CCE-4477-6
CCE-3650-9
CCE-4571-6
CCE-3950-3
CCE-4470-1
CCE-4598-9
CCE-4620-1
CCE-4333-1
CCE-3857-0
CCE-4359-6
CCE-4615-1
CCE-4007-1
CCE-3901-6
CCE-4553-4
The meta service should be enabled or disabled as appropriate
enabled / disabled / offline
The metaed service should be enabled or disabled as appropriate
enabled / disabled / offline
The metamh service should be enabled or disabled as appropriate
enabled / disabled / offline
The local rpc port mapping service should be enabled or disabled as appropriate
enabled / disabled / offline
The Kerberos kadmind service should be enabled or disabled as appropriate.
enabled / disabled / offline
The Kerberos krb5kdc service should be enabled or disabled as appropriate.
enabled / disabled / offline
The Kerberos kpropd service should be enabled or disabled as appropriate.
enabled / disabled / offline
The Kerberos ktkt_warnd service should be enabled or disabled as appropriate.
enabled / disabled / offline
NFS server functionality should be enabled or disabled as appropriate.
enabled / disabled / offline
NFS client functionality should be enabled or disabled as appropriate.
enabled / disabled / offline
The telnet service should be enabled or disabled as appropriate.
enabled / disabled / offline
The FTP service should be enabled or disabled as appropriate.
enabled / disabled / offline
The BOOTP service should be enabled or disabled as appropriate.
enabled / disabled / offline
The RARP service should be enabled or disabled as appropriate.
enabled / disabled / offline
CCE-4584-9
CCE-4611-0
CCE-3655-8
CCE-4541-9
CCE-4483-4
CCE-3663-2
CCE-4037-8
CCE-4540-1 string
CCE-4434-7 enabled / disabled
CCE-4570-8 user
CCE-4478-4 group
CCE-4623-5 permissions
CCE-4522-9 enabled/disabled
CCE-4297-8 enabled/disabled
The DHCP server functionality should be enabled or disabled as appropriate.
enabled / disabled / offline
The DNS server functionality should be enabled or disabled as appropriate.
enabled / disabled / offline
The TFTP server functionality should be configured and enabled or disabled as appropriate.
enabled / disabled / offline
The BSD print spooler should be enabled or disabled as appropriate.
enabled / disabled / offline
The Solaris print server functionality should be enabled or disabled as appropriate.
enabled / disabled / offline
The IPP listener should be enabled or disabled as appropriate.
enabled / disabled / offline
The SNMP service should be enabled or disabled as appropriate.
enabled / disabled / offline
The read-only SNMP community string should be set appropriately.
TCP Wrappers should be enabled or disabled as appropriate for all services.
The core dump directory owner should be restricted.
The core dump directory group owner should be restricted.
File permissions for the core dump directory should be set correctly.
Core dumps should be enabled/disabled as appropriate
Kernel stack protection should be enabled or disabled as appropriate.
CCE-4548-4 enabled/disabled
CCE-4566-6 enabled/disabled
CCE-4439-6 enabled/disabled
CCE-4456-0 enabled/disabled
CCE-4602-9 enabled/disabled
CCE-3752-3 numeral
CCE-4417-2 numeral
CCE-4311-7 enabled/disabled
CCE-4562-5 enabled/disabled
CCE-4082-4 enabled/disabled
CCE-3681-4 enabled/disabled
CCE-4642-5 numeral
CCE-4532-8 numeral
CCE-4624-3 enabled/disabled
Strong TCP Sequence numbers should be enabled or disabled as appropriate.
IPv4 source route forwarding should be enabled or disabled as appropriate.
IPv6 source route forwarding should be enabled or disabled as appropriate.
Reverse source routed packets should be enabled or disabled as appropriate.
Forwarding broadcasts should be enabled or disabled as appropriate.
Unestablished tcp connection queue should be set appropriately.
Established tcp connection queue should be set appropriately.
Respond to ICMP timestamp request should be enabled or disabled.
Respond to ICMP broadcast timestamp request should be enabled or disabled.
Respond to ICMP netmask request should be enabled or disabled as appropriate.
Respond to ICMP echo broadcast request should be enabled or disabled as appropriate.
The ARP cache cleanup interval should be set appropriately.
The ARP IRE scan rate should be set appropriately.
The IPv4 ICMP redirect should be enabled or disabled
CCE-4518-7 enabled/disabled
CCE-4676-3
CCE-3699-6 enabled/disabled
CCE-4575-7 enabled/disabled
CCE-4593-0 enabled/disabled
CCE-4095-6 enabled/disabled
CCE-3684-8 enabled/disabled
CCE-4288-7 enabled/disabled
CCE-4671-4 enabled / disabled
CCE-4455-2 enabled / disabled
CCE-4397-6 user
CCE-4415-6 permissions
CCE-4560-9 group
CCE-4582-3 enabled / disabled
CCE-3979-2 enabled / disabled
CCE-4124-4 user
The IPv6 ICMP redirect should be enabled or disabled as appropriate.
Extended TCP reserved ports should be set appropriately.
list of ports above 1023
IPv4 strict multihoming should be enabled or disabled as appropriate.
IPv6 strict multihoming should be enabled or disabled as appropriate.
ICMPv4 redirects should be enabled or disabled as appropriate.
ICMPv6 redirects should be enabled or disabled as appropriate.
IP forwarding should be enabled or disabled as appropriate.
IP routing should be enabled or disabled as appropriate.
inetd tracing should be enabled as appropriate.
The logging option for the ftp service should be enabled or disabled as appropriate.
The daemon debug log file owner should be restricted.
The daemon debug log file permissions should be set appropriately.
The daemon debug log file group owner should be restricted.
The debug logging option for daemons should be enabled or disabled as appropriate.
Capture of syslog AUTH Messages should be enabled or disabled as appropriate
The loginlog file owner should be restricted.
CCE-4626-8 permissions
CCE-4635-9 group
CCE-3930-5 enabled / disabled
CCE-4309-1 numeric value
CCE-4591-4 enabled / disabled
CCE-4490-9 user
CCE-4683-9 group
CCE-4472-7 permissions
CCE-3992-5 enabled / disabled
CCE-4481-8 user
CCE-4630-0 group
CCE-4542-7 permissions
CCE-4675-5 enabled / disabled
CCE-4679-7
CCE-4075-8
The loginlog file permissions should be set appropriately.
The loginlog file group owner should be restricted.
Capture of failed login attempts should be enabled or disabled as appropriate
The threshold of syslog logging of failed login attempts should be configured correctly.
Cron logging should be enabled or disabled as appropriate.
Cron log file owner should be restricted
Cron log file group owner should be restricted
Cron log file permissions should be set appropriately
System Accounting should be enabled or disabled as appropriate
The system accounting file owner should be restricted.
The systems accounting file group owner should be restricted.
The system accounting file permissions should be set appropriately.
Kernel level auditing should be enabled or disabled as appropriate
Kernel level auditing for login/logout should be enabled or disabled as appropriate
successful/unsuccessful
Kernel level auditing for administrative actions should be enabled or disabled as appropriate
successful/unsuccessful
CCE-4600-3
CCE-4498-2
CCE-4401-6
CCE-4337-2
CCE-4606-0
CCE-4610-2
CCE-4126-9 user
CCE-4633-4 group
CCE-4527-8 permissions
CCE-4672-2 string
CCE-4315-8 string
CCE-3760-6
CCE-4312-5
Kernel level auditing for file attribute modification should be enabled or disabled as appropriate
successful/unsuccessful
Kernel level auditing for process start/stop should be enabled or disabled as appropriate
successful/unsuccessful
Kernel level auditing for process modify should be enabled or disabled as appropriate
successful/unsuccessful
Kernel level auditing for processes should be enabled or disabled as appropriate
successful/unsuccessful
Kernel level auditing for exec should be enabled or disabled as appropriate
successful/unsuccessful
Kernel level auditing for root login/logout should be enabled or disabled as appropriate
successful/unsuccessful
Audit log file ownership should be restricted.
Audit log file group ownership should be restricted.
Audit log permissions should be restricted.
The daemon user's umask should be set appropriately.
The setuid option should be enabled or disabled on removable media as appropriate.
The pkgchk utility should be used to verify ownership, group ownership, and access permissions for installed packages as appropriate.
list of packages, or all packages
The pkgchk utility should be used to force default settings for ownership, group ownership, and access permissions for installed packages as appropriate.
list of packages, or all packages
CCE-4721-7 enabled / disabled
CCE-4351-3 permissions
CCE-4743-1 permissions
CCE-4281-2 permissions
CCE-4660-7
CCE-4682-1
CCE-4435-4 enabled/disabled
CCE-4576-5 string
CCE-4726-6 string
CCE-4638-3 string yes/no
CCE-4748-0 numeral
CCE-4395-0 numeral
CCE-4030-3 string yes/no
The sticky bit should be enabled or disabled as appropriate for all world-writable directories.
World-writable files should be found and examined for appropriateness.
setgid files should be found and examined for appropriateness
setuid files should be found and examined for appropriateness
Unowned files should be found and removed or given to a valid user as appropriate.
Files with extended attributes should be found and handled as appropriate.
Serial port login prompts should be enabled or disabled as appropriate.
Access to secure RPC for the 'nobody' user should be enabled or disabled as appropriate.
SSH version 2 protocol should be enabled or disabled as appropriate.
SSH X11 forwarding should be enabled or disabled as appropriate.
SSH maximum number of retries for authentication should be set as appropriate.
SSH maximum number of retries for authentication log should be set as appropriate.
SSH integration with .rhosts should be enabled or disabled as appropriate.
CCE-4655-7 string yes/no
CCE-3946-1 string yes/no
CCE-4713-4 string yes/no
CCE-4708-4 string yes/no
CCE-4603-7 uncomment string
CCE-4021-2 enabled/disabled
CCE-4678-9 enabled/disabled
CCE-4695-3 enabled/disabled
CCE-4510-4 enabled/disabled
CCE-4157-4 enabled/disabled
CCE-4677-1 enabled/disabled
CCE-4179-8 enabled/disabled
CCE-4589-8 enabled/disabled
CCE-4113-7 enabled/disabled
CCE-4739-9 enabled/disabled
SSH integration with .rhosts/hosts.equiv should be enabled or disabled as appropriate.
SSH Rhosts RSA Authentication should be enabled or disabled as appropriate.
Root login via SSH should be enabled or disabled as appropriate.
SSH should be configured to enable or disable empty passwords as appropriate.
The SSH banner should be enabled or disabled as appropriate.
PAM Rhosts support should be enabled or disabled.
The ftpusers file should restrict the root account as appropriate.
The ftpusers file should restrict the daemon account as appropriate.
The ftpusers file should restrict the bin account as appropriate.
The ftpusers file should restrict the sys account as appropriate.
The ftpusers file should restrict the adm account as appropriate.
The ftpusers file should restrict the lp account as appropriate.
The ftpusers file should restrict the uucp account as appropriate.
The ftpusers file should restrict the smmsp account as appropriate.
The ftpusers file should restrict the listen account as appropriate.
CCE-4135-0 enabled/disabled
CCE-3768-9 enabled/disabled
CCE-3782-0 enabled/disabled
CCE-4347-1 enabled/disabled
CCE-4497-4 enabled/disabled
CCE-4432-1 number of seconds
CCE-4705-0 number of minutes
CCE-4723-3 number of minutes
CCE-4622-7 boolean true/false
CCE-4644-1 enabled/disabled
CCE-4543-5 enabled/disabled
CCE-4437-0 user
CCE-4706-8 group
CCE-4693-8 permissions
CCE-4710-0 permissions
The ftpusers file should restrict the gdm account as appropriate.
The ftpusers file should restrict the webservd account as appropriate.
The ftpusers file should restrict the nobody account as appropriate.
The ftpusers file should restrict the noaccess account as appropriate.
The ftpusers file should restrict the nobody4 account as appropriate.
The failed login delay should be set appropriately.
The default CDE screenlock timeout should be set appropriately.
The default GNOME screenlock timeout should be set appropriately.
The GNOME screenlock should be enabled or disabled as appropriate.
Use of the cron.allow file should be enabled or disabled as appropriate
Use of the at.allow file should be enabled or disabled as appropriate
The /etc/cron.d/cron.allow file should be owned by the appropriate user.
The /etc/cron.d/cron.allow file should be owned by the appropriate group.
File permissions for the /etc/cron.d/cron.allow file should be configured correctly.
File permissions for the /etc/cron.d/at.allow file should be configured correctly.
CCE-4230-9 user
CCE-4445-3 group
CCE-4458-6 enabled/disabled
CCE-4102-0 number of retries
CCE-4754-8 yes/no
CCE-4648-2 none/full/command
CCE-3826-5 password
CCE-4525-2
CCE-4657-3
CCE-4661-5 path
CCE-4807-4
CCE-4701-9 path
CCE-4669-8
CCE-4436-2 path
CCE-4815-7
CCE-4696-1 path
The /etc/cron.d/at.allow file should be owned by the appropriate user.
The /etc/cron.d/at.allow file should be owned by the appropriate group.
The ability to login as root directly should be configured correctly.
The "account lockout threshold" policy should meet minimum requirements.
Account lockout should be enabled or disabled as appropriate.
The eeprom security mode should be configured appropriately.
The grub menu password protection should be enabled or disabled as appropriate.
The daemon account should be locked or unlocked as appropriate.
locked / unlocked / non-login
The bin account should be locked or unlocked as appropriate.
locked / unlocked / non-login
The shell for the bin account should be assigned appropriately.
The nuucp account should be locked or unlocked as appropriate.
locked / unlocked / non-login
The shell for the nuucp account should be assigned appropriately.
The smmsp account should be locked or unlocked as appropriate.
locked / unlocked / non-login
The shell for the smmsp account should be assigned appropriately.
The listen account should be locked or unlocked as appropriate.
locked / unlocked / non-login
The shell for the listen account should be assigned appropriately.
CCE-4216-8
CCE-4758-9 path
CCE-4621-9
CCE-4515-3 path
CCE-4282-0
CCE-4802-5 path
CCE-4806-6
CCE-4471-9 path
CCE-4617-7
CCE-4418-0 path
CCE-4810-8
CCE-3955-2
CCE-3834-9 path
CCE-4408-1
CCE-4536-9 path
CCE-4809-0
The gdm account should be locked or unlocked as appropriate.
locked / unlocked / non-login
The shell for the gdm account should be assigned appropriately.
The webservd account should be locked or unlocked as appropriate.
locked / unlocked / non-login
The shell for the webservd account should be assigned appropriately.
The nobody account should be locked or unlocked as appropriate.
locked / unlocked / non-login
The shell for the nobody account should be assigned appropriately.
The noaccess account should be locked or unlocked as appropriate.
locked / unlocked / non-login
The shell for the noaccess account should be assigned appropriately.
The nobody4 account should be locked or unlocked as appropriate.
locked / unlocked / non-login
The shell for the nobody4 account should be assigned appropriately.
The sys account should be locked or unlocked as appropriate.
locked / unlocked / non-login
The adm account should be locked or unlocked as appropriate.
locked / unlocked / non-login
The shell for the adm account should be assigned appropriately.
The lp account should be locked or unlocked as appropriate.
locked / unlocked / non-login
The shell for the lp account should be assigned appropriately.
The uucp account should be locked or unlocked as appropriate.
locked / unlocked / non-login
CCE-3841-4 path
CCE-4724-1
CCE-4367-9 numeral
CCE-4165-7 numeral
CCE-4836-3 numeral
CCE-4625-0 numeral
CCE-4770-4 yes/no
CCE-4563-3 numeral
CCE-4832-2 numeral
CCE-4572-4 numeral
CCE-4480-0 numeral
CCE-4731-6 numeral
CCE-4753-0 numeral
The shell for the uucp account should be assigned appropriately.
All user login accounts with empty passwords should be locked or unlocked as appropriate.
locked / unlocked / non-login
The "minimum password age" policy should meet minimum requirements.
The "maximum password age" policy should meet minimum requirements.
The password expiration warning time should be set appropriately
The strong password PASSLENGTH value should meet minimum requirements
The strong password NAMECHECK value should meet minimum requirements
The strong password HISTORY value should meet minimum requirements
The strong password MINDIFF value should meet minimum requirements
The strong password MINALPHA value should meet minimum requirements
The strong password MINUPPER value should meet minimum requirements
The strong password MINLOWER value should meet minimum requirements
The strong password MINNONALPHA value should meet minimum requirements
CCE-4775-3 numeral
CCE-3856-2 yes / no
CCE-4402-4 path
CCE-4670-6 path
CCE-4314-1 file list
CCE-4816-5 account list
CCE-4834-8 group
CCE-4728-2 path
CCE-4631-8
CCE-4538-5 permissions
CCE-4561-7 permissions
CCE-4578-1 permissions
CCE-4843-9 true/false
CCE-4737-3 permissions mask
The strong password MAXREPEATS value should meet minimum requirements
The strong password WHITESPACE value should meet minimum requirements
The strong password DICTIONDBDIR value should be configured correctly
The strong password DICTIONLIST value should be configured correctly
No Legacy "+" entries in passwd, shadow, and group files should be verified to be appropriate
No UID 0 Accounts exist other than root should be verified to be appropriate
Default group for root account should be configured correctly
The home directory of the root user should be set correctly.
The PATH for the root user should be configured correctly.
1) Set of directories to include 2) Set of directories to exclude
File permissions should be set correctly for the home directories for all user accounts.
File permissions should be set correctly for user configuration files.
File permissions should be set correctly for .netrc files.
Presence of .rhost files should be checked to be appropriate
The default umask should be configured correctly.
CCE-3897-6 permissions mask
CCE-4746-4 enabled / disabled
CCE-4760-5 banner text
CCE-4301-8 banner text
CCE-4698-7 banner text
CCE-4222-6 banner text
CCE-4103-8 banner text
CCE-4870-2 banner text
CCE-4896-7 banner text
CCE-4663-1 string
The default umask for ftp users should be set appropriately.
The default setting for all users to allow terminal messages via the mesg utility should be configured correctly.
General login services should display a banner as appropriate before authentication.
General login services should display a banner as appropriate after authentication.
CDE should display a banner as appropriate before authentication.
GNOME should display a banner as appropriate before authentication.
The FTP service should display a banner as appropriate before authentication.
The telnet service banner should be set appropriately.
The power-on banner should be set appropriately.
The sendmail greeting should be set appropriately.
CCE Technical Mechanisms
(1) via svcadm 2.2.1
(1) via svcadm 2.2.2
(1) via svcadm 2.2.3
(1) via svcadm 2.2.3
(1) via svcadm 2.2.4
(1) via svcadm 2.2.5
(1) via svcadm 2.2.6
(1) via svcadm 2.2.7
(1) via svcadm 2.3.1
via svcadm 2.3.2
via svcadm 2.3.2
via svcadm 2.3.2
via svcadm 2.3.2
CIS Solaris 10 Benchmark v4.0
(Section)
via svcadm 2.3.3
via svcadm 2.3.4
via svcadm 2.3.5
via svcadm 2.3.6
via svcadm 2.3.7
via svcadm 2.3.8
via svcadm 2.3.8
2.3.9
2.3.9
via svcadm 2.3.10
via svcadm 2.3.11
via svcadm 2.3.12
via svcadm 2.3.12
via svcadm 2.3.12
via svcadm 2.3.13
(1) Solaris 10 <= 11/06 /etc/init.d/samba stop, mv /etc/sfw/smb.conf /etc/sfw/smb.conf.CIS (2) Solaris 10 >= 8/07 via svcadm
(1) Solaris 10 <= 11/06 /etc/init.d/samba stop, mv /etc/sfw/smb.conf /etc/sfw/smb.conf.CIS (2) Solaris 10 >= 8/07 via svcadm
via svcadm 2.3.13
via svcadm 2.3.13
via svcadm 2.3.13
via svcadm 2.3.14
via svcadm 2.4.1
via svcadm 2.4.1
via svcadm 2.4.1
via svcadm 2.4.1
/etc/dfs/dfstab 2.4.2
/etc/vfstab 2.4.3
via svcadm 2.4.4
via svcadm 2.4.5
via svcadm 2.4.6
via svcadm 2.4.7
via svcadm 2.4.8
via svcadm 2.4.9
/etc/inetd.conf 2.4.10
via inetadm and svcadm 2.4.11
via svcadm 2.4.11
via svcadm 2.4.11
via svcadm 2.4.12
/etc/snmp/conf/snmpd.conf 2.4.12
via inetadm -M 2.5
/var/core 3.1
/var/core 3.1
/var/core 3.1
/etc/coreadm.conf 3.1
/etc/system 3.2
/etc/default/inetinit 3.3
/lib/svc/method/cis_netconfig.sh 3.4
/lib/svc/method/cis_netconfig.sh 3.4
/lib/svc/method/cis_netconfig.sh 3.4
/lib/svc/method/cis_netconfig.sh 3.4
/lib/svc/method/cis_netconfig.sh 3.4
/lib/svc/method/cis_netconfig.sh 3.4
/lib/svc/method/cis_netconfig.sh 3.4
/lib/svc/method/cis_netconfig.sh 3.4
/lib/svc/method/cis_netconfig.sh 3.4
/lib/svc/method/cis_netconfig.sh 3.4
/lib/svc/method/cis_netconfig.sh 3.4
/lib/svc/method/cis_netconfig.sh 3.4
/lib/svc/method/cis_netconfig.sh 3.4
/lib/svc/method/cis_netconfig.sh 3.4
/lib/svc/method/cis_netconfig.sh 3.4
/lib/svc/method/cis_netconfig.sh 3.4
/lib/svc/method/cis_netconfig.sh 3.4
/lib/svc/method/cis_netconfig.sh 3.4
/lib/svc/method/cis_netconfig.sh 3.4
via routeadm 3.5
via routeadm 3.5
via inetadm -M 4.1
via inetadm -m 4.2
/var/log/connlog 4.3
/var/log/connlog 4.3
/var/log/connlog 4.3
/etc/syslog.conf 4.3
/etc/syslog.conf 4.4
/var/adm/loginlog 4.5
/var/adm/loginlog 4.5
/var/adm/loginlog 4.5
/var/adm/loginlog 4.5
/etc/default/login 4.6
/etc/default/cron 4.7
/var/cron/log 4.7
/var/cron/log 4.7
/var/cron/log 4.7
via svcadm enable -r svc:/system/sar:default 4.8
/var/adm/sa/* 4.8
/var/adm/sa/* 4.8
/var/adm/sa/* 4.8
via /etc/security/bsmconv 4.9
/etc/security/audit_control 4.9
/etc/security/audit_control 4.9
/etc/security/audit_control 4.9
/etc/security/audit_control 4.9
/etc/security/audit_control 4.9
/etc/security/audit_control 4.9
/etc/security/audit_control 4.9
/etc/security/audit_user 4.9
/var/audit/* 4.9
/var/audit/* 4.9
/var/audit/* 4.9
/etc/default/init 5.1
/etc/rmmount.conf 5.2
via pkgchk 5.3
via pkgchk -f 5.3
via chmod 5.4
5.5
5.6.1
5.6.2
via chown or rm 5.7
5.8
via pmadm 6.1
/etc/default/keyserv 6.2
/etc/ssh/sshd_config 6.3
/etc/ssh/sshd_config 6.3
/etc/ssh/sshd_config 6.3
/etc/ssh/sshd_config 6.3
/etc/ssh/sshd_config 6.3
/etc/ssh/sshd_config 6.3
/etc/ssh/sshd_config 6.3
/etc/ssh/sshd_config 6.3
/etc/ssh/sshd_config 6.3
/etc/ssh/sshd_config 6.3
/etc/pam.conf 6.4
/etc/ftpd/ftpusers 6.5
/etc/ftpd/ftpusers 6.5
/etc/ftpd/ftpusers 6.5
/etc/ftpd/ftpusers 6.5
/etc/ftpd/ftpusers 6.5
/etc/ftpd/ftpusers 6.5
/etc/ftpd/ftpusers 6.5
/etc/ftpd/ftpusers 6.5
/etc/ftpd/ftpusers 6.5
/etc/ftpd/ftpusers 6.5
/etc/ftpd/ftpusers 6.5
/etc/ftpd/ftpusers 6.5
/etc/ftpd/ftpusers 6.5
/etc/ftpd/ftpusers 6.5
/etc/default/login 6.6
/usr/dt/config/*/sys.resources 6.7
/usr/openwin/lib/app-defaults/Xscreensaver 6.8
/usr/openwin/lib/app-defaults/Xscreensaver 6.8
/etc/cron.d/cron.allow 6.9
/etc/cron.d/at.allow 6.9
/etc/cron.d/cron.allow 6.9
/etc/cron.d/cron.allow 6.9
/etc/cron.d/cron.allow 6.9
/etc/cron.d/at.allow 6.9
/etc/cron.d/at.allow 6.9
/etc/cron.d/at.allow 6.9
/etc/default/login 6.1
/etc/default/login 6.11
/etc/security/policy.conf 6.11
via eeprom at OS command line or setenv at ok> prompt 6.12
via grub> prompt md5crypt command 6.13
via passwd 7.1
via passwd 7.1
via passmgmt 7.1
via passwd 7.1
via passmgmt 7.1
via passwd 7.1
via passmgmt 7.1
via passwd 7.1
via passmgmt 7.1
via passwd 7.1
via passmgmt 7.1
via passwd 7.1
via passmgmt 7.1
via passwd 7.1
via passmgmt 7.1
via passwd 7.1
via passmgmt 7.1
via passwd 7.1
via passmgmt 7.1
via passwd 7.1
via passwd 7.1
via passmgmt 7.1
via passwd 7.1
via passmgmt 7.1
via passwd 7.1
via passmgmt 7.1
via passwd 7.2
Use the set-user-password-reqs.fin Finish script 7.3
Use the set-user-password-reqs.fin Finish script 7.3
Use the set-user-password-reqs.fin Finish script 7.3
7.4
7.4
7.4
7.4
7.4
7.4
7.4
7.4
Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts
Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts
Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts
Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts
Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts
Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts
Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts
Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts
7.4
7.4
7.4
7.4
Use the check-include-nis-map.aud Audit script. 7.5
Use the check-uids-unique.aud Audit script 7.6
Use the set-root-group.fin Finish script 7.7
Use the set-root-home-dir.fin Finish script 7.8
Use the check-root-path.aud Audit script 7.9
Use the check-home-permissions.aud Audit script. 7.1
Use the check-hidden-files.aud Audit script 7.11
Use the check-netrc-files.aud Audit script 7.12
Use the print-rhosts.aud Audit script 7.13
Use the set-user-umask.fin Finish script 7.14
Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts
Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts
Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts
Use the set-user-password-reqs.fin, set-strict-password-checks.fin and the enable-password-history.fin Finish scripts
Use the set-ftpd-umask.fin Finish script. 7.15
Use the disable-mesg.fin Finish script 7.16
/etc/issue 8.1
/etc/motd 8.1.1
/usr/dt/config/*/Xresources 8.2
/etc/X11/gdm/gdm.conf 8.3
/etc/ftpd/banner.msg 8.4
/etc/default/telnetd 8.5
8.6
8.7
via the 'eeprom oem-banner=' command (provide a string after the =) then the "eeprom oem-banner\?=true" command
via the "O SmtpGreetingMessage" setting in /etc/mail/sendmail.cf
disabled
disabled
disabled CCE-U-120
disabled CCE-U-120
disabled
disabled
disabled
disabled
disabled CCE-U-203
disabled
disabled
disabled
disabled
CIS Solaris 10 Benchmark v4.0 (Recommended Value)
Old "Unix-CCE-DRAFT-2" ID
disabled
disabled
disabled
disabled
disabled
disabled
disabled
disabled CCE-U-142
disabled CCE-U-142
disabled
disabled
disabled
disabled
disabled
disabled
disabled
disabled
disabled
disabled
disabled
disabled
disabled
disabled
disabled
disabled
disabled CCE-U-104
disabled CCE-U-103
disabled
disabled
disabled
disabled
disabled CCE-U-118
disabled
disabled
disabled
disabled
disabled CCE-U-122
enabled
root CCE-U-65
root CCE-U-66
700 CCE-U-67
disabled
enabled CCE-U-68
2 CCE-U-70
disabled
disabled
disabled
disabled
4096
1024
disabled
disabled
disabled
disabled
60000
60000
enabled
enabled
6112
enabled
enabled
disabled
disabled
disabled
disabled
enabled CCE-U-80
enabled CCE-U-113
root
600
root
enabled
enabled CCE-U-2
root
600
sys
enabled CCE-U-2
0 CCE-U-2
enabled CCE-U-38
root
root
600
enabled
sys
sys
600
enabled
enabled
enabled
enabled
enabled
enabled
enabled
enabled
enabled
root
root
600
at least 022
disabled CCE-U-170
all packages
no
no
no
no
enabled
disabled CCE-U-28
disabled CCE-U-105
disabled CCE-U-108
disabled CCE-U-108
disabled CCE-U-108
disabled CCE-U-108
disabled CCE-U-108
disabled CCE-U-108
disabled CCE-U-108
disabled CCE-U-108
disabled CCE-U-108
disabled CCE-U-108
disabled CCE-U-108
disabled CCE-U-108
disabled CCE-U-108
4 CCE-U-5
10 CCE-U-158
10
1
root CCE-U-32
null CCE-U-47
root CCE-U-40
root CCE-U-41
400 CCE-U-36
400 CCE-U-51
root CCE-U-54
root CCE-U-55
disabled CCE-U-15
3 CCE-U-4
yes
command
enabled
Locked CCE-U-174
Locked CCE-U-175
/usr/bin/false
Locked CCE-U-180
/usr/bin/false
Locked CCE-U-181
/usr/bin/false
Locked CCE-U-182
/usr/bin/false
Locked
/usr/bin/false
Locked
/usr/bin/false
Locked CCE-U-183
/usr/bin/false
Locked CCE-U-184
/usr/bin/false
Locked CCE-U-185
/usr/bin/false
Non-login CCE-U-176
Non-login CCE-U-177
/usr/bin/false
Non-login CCE-U-178
/usr/bin/false
Non-login CCE-U-179
0
yes
/var/passwd
=/usr/share/lib/dict/words
None
None
GID 0
/root CCE-U-11
Exclude '.' and any writeable dir CCE-U-13
IAW site policy CCE-U-162
IAW site policy
IAW site policy
dependent upon 6.4
77 CCE-U-31
CCE ID CCE Description
CCE-2715-1 CCE-733
CCE-2363-0 CCE-980
CCE-3177-3 CCE-658
CCE-2820-9 CCE-2628 enabled/disabled
CCE-3089-0 CCE-2543 enabled/disabled
CCE-3234-2 CCE-2000 enabled/disabled
CCE-3287-0 CCE-1646 enabled/disabled
CCE-3041-1 CCE-2118 enabled/disabled
CCE-3309-2 CCE-2390 enabled/disabled
Old v4 CCE Id
CCE Parameters
The "reset account lockout counter after" policy should meet minimum requirements.
(1) number of minutes
The "account lockout duration" policy should meet minimum requirements.
(1) number of minutes
The "account lockout threshold" policy should meet minimum requirements.
(1) number of attempts
Auditing of "account logon" events on success should be enabled or disabled as appropriate.
Auditing of "account logon" events on failure should be enabled or disabled as appropriate.
Auditing of "account management" events on success should be enabled or disabled as appropriate.
Auditing of "account management" events on failure should be enabled or disabled as appropriate.
Auditing of "directory service access" events on success should be enabled or disabled as appropriate.
Auditing of "directory service access" events on failure should be enabled or disabled as appropriate.
CCE-3076-7 CCE-1686 enabled/disabled
CCE-2970-2 CCE-1744 enabled/disabled
CCE-2724-3 CCE-2640 enabled/disabled
CCE-3243-3 CCE-1991 enabled/disabled
CCE-2746-6 CCE-2412 enabled/disabled
CCE-2653-4 CCE-2347 enabled/disabled
CCE-2322-6 CCE-2431 enabled/disabled
CCE-3257-3 CCE-2584 enabled/disabled
CCE-3024-7 CCE-2529 enabled/disabled
CCE-2927-2 CCE-2617 enabled/disabled
CCE-2953-8 CCE-2420 enabled/disabled
CCE-3222-7 CCE-1680 enabled/disabled
Auditing of "logon" events on success should be enabled or disabled as appropriate.
Auditing of "logon" events on failure should be enabled or disabled as appropriate.
Auditing of "object access" events on success should be enabled or disabled as appropriate.
Auditing of "object access" events on failure should be enabled or disabled as appropriate.
Auditing of "policy change" events on success should be enabled or disabled as appropriate.
Auditing of "policy change" events on failure should be enabled or disabled as appropriate.
Auditing of "privilege use" events on success should be enabled or disabled as appropriate.
Auditing of "privilege use" events on failure should be enabled or disabled as appropriate.
Auditing of "process tracking" events on success should be enabled or disabled as appropriate.
Auditing of "process tracking" events on failure should be enabled or disabled as appropriate.
Auditing of "system" events on success should be enabled or disabled as appropriate.
Auditing of "system" events on failure should be enabled or disabled as appropriate.
CCE-3121-1 CCE-299 (1) enabled/disabled
CCE-3015-5 CCE-185 (1) size of file
CCE-2905-8 CCE-285 type of retention
CCE-2659-1 CCE-462 (1) enabled/disabled
CCE-3302-7 CCE-757 (1) size of file
CCE-3196-3 CCE-523 type of retention
CCE-2839-9 CCE-726 (1) enabled/disabled
CCE-3165-8 CCE-735 (1) size of file
CCE-2931-4 CCE-664 type of retention
CCE-2967-8 CCE-871 (1) number of days
CCE-3240-9 CCE-324 (1) number of days
CCE-2883-7 CCE-100 (1) number of days
CCE-3033-8 CCE-633 (1) enabled/disabled
The "restrict guest access to application log" policy should be set correctly.
The application log maximum size should be configured correctly.
The "when maximum log size is reached" property should be set correctly for the Application log.
The "restrict guest access to security log" policy should be set correctly.
The security log maximum size should be configured correctly.
The "when maximum log size is reached" property should be set correctly for the Security log.
The "restrict guest access to system log" policy should be set correctly.
The system log maximum size should be configured correctly.
The "when maximum log size is reached" property should be set correctly for the System log.
The "maximum password age" policy should meet minimum requirements.
The "minimum password age" policy should meet minimum requirements.
The "minimum password length" policy should meet minimum requirements.
The "password must meet complexity requirements" policy should be set correctly.
CCE-2323-4 CCE-60
CCE-3311-8 CCE-479 (1) enabled/disabled
CCE-3316-7 CCE-729
CCE-3082-5 CCE-232
CCE-3232-6 CCE-195
CCE-3272-2 CCE-318
CCE-2339-0 CCE-953 (1) enabled/disabled
CCE-3248-2 CCE-332 (1) enabled/disabled
CCE-3032-0 CCE-499 (1) enabled/disabled
CCE-3314-2 CCE-23 (1) text caption
CCE-3336-5 CCE-829 (1) text statement
CCE-3072-6 CCE-283 (1) enabled/disabled
The "enforce password history" policy should meet minimum requirements.
(1) number of passwords remembered
The "store password using reversible encryption for all users in the domain" policy should be set correctly.
The startup type of the Messenger service should be correct.
(1) disabled/manual/automatic
The startup type of the NetMeeting Remote Desktop Sharing service should be correct.
(1) disabled/manual/automatic
The behavior surrounding Anonymous users' ability to display lists of SAM accounts and shares should be correct.
(1) restricted/unrestricted
The behavior surrounding Anonymous users' ability to display lists of SAM accounts should be correct.
(1) restricted/unrestricted
The behavior surrounding Anonymous SID/Name translation should be correct.
Use of the built-in Guest account should be enabled or disabled as appropriate.
Use of the built-in Administrator account should be enabled or disabled as appropriate.
The "Message title for users attempting to log on" policy should be set correctly.
The "Message text for users attempting to log on" policy should be set correctly.
Automatic Logon should be properly configured.
CCE-2719-3 CCE-44 (1) enabled/disabled
CCE-3239-1 CCE-150 (1) enabled/ignored
CCE-3261-5 CCE-564 (1) enabled/disabled
CCE-3279-7 CCE-952 (1) enabled/disabled
CCE-3173-2 CCE-65 (1) enabled/disabled
CCE-3067-6 CCE-139 (1) available/hidden
CCE-3120-3 CCE-897 (1) enabled/disabled
CCE-3142-7 CCE-188
CCE-2785-4 CCE-817 (1) enabled/disabled
CCE-2679-9 CCE-284 (1) enabled/disabled
CCE-3181-5 CCE-125 (1) warning level
CCE-3199-7 CCE-271 (1) enabled/disabled
CCE-2714-4 CCE-438 (1) valid names
CCE-2359-8 CCE-834 (1) valid names
CCE-2519-7 CCE-222
CCE-3285-4 CCE-2 (1) enabled/disabled
Autoplay on all Drive Types should be properly configured.
ICMP Redirects should be properly configured.
IP Source Routing should be properly configured.
IRDP should be properly configured.
Display Last User Name in Logon Screen should be properly configured.
System availability to Master Browser should be properly configured.
TCP/IP Dead Gateway Detection should be properly configured.
The TCP/IP KeepAlive Time should be set correctly.
(1) number of milliseconds
TCP/IP NetBIOS Name Release on Request Prevented should be properly configured.
TCP/IP SYN Flood Attack Protection should be properly configured.
Security Audit log warning level should be properly configured.
Safe DLL Search Mode should be properly configured.
The built-in Administrator account should be correctly named.
The built-in Guest account should be correctly named.
The amount of idle time required before disconnecting a session should be set correctly.
(1) number of minutes
The "Audit the access of global system objects" policy should be set correctly.
CCE-3303-5 CCE-905 (1) enabled/disabled
CCE-3307-6 CCE-133 (1) enabled/disabled
CCE-3325-8 CCE-402 (1) enabled/disabled
CCE-2858-9 CCE-565 (1) enabled/disabled
CCE-3168-2 CCE-463 (1) enabled/disabled
CCE-3212-8 CCE-417 (1) enabled/disabled
CCE-2838-1 CCE-228 (1) enabled/disabled
CCE-3230-0 CCE-814
CCE-3001-5 CCE-92 (1) enabled/disabled
CCE-3252-4 CCE-576 (1) enabled/disabled
CCE-2380-4 CCE-519 (1) enabled/disabled
The "Audit the use of backup and restore privilege" policy should be set correctly.
The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly.
The "Prevent Users from Installing Printer Drivers" policy should be set correctly.
The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly.
The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly.
The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly.
The "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly.
The "Users Prompted to Change Password Before Expiration" policy should be set correctly.
(1) number of days prior to expiration
The "Shut Down system immediately if unable to log security audits" policy should be set correctly.
The "Digitally Sign Client Communication (Always)" policy should be set correctly.
The "Digitally Sign Client Communication (When Possible)" policy should be set correctly.
CCE-3023-9 CCE-171 (1) enabled/disabled
CCE-3164-1 CCE-104 (1) enabled/disabled
CCE-2376-2 CCE-773
CCE-3225-0 CCE-919 (1) Group(s)
CCE-3330-8 CCE-549 (1) enabled/disabled
CCE-2467-9 CCE-161 (1) enabled/disabled
CCE-3233-4 CCE-918 (1) enabled/disabled
CCE-3251-6 CCE-443 (1) behavior
CCE-3255-7 CCE-831 (1) enabled/disabled
CCE-2398-6 CCE-533 (1) enabled/disabled
CCE-3326-6 CCE-186 (1) enabled/disabled
The "Digitally Sign Server Communication (Always)" policy should be set correctly.
The "Digitally Sign Server Communication (When Possible)" policy should be set correctly.
The "Number of Previous Logons to Cache" policy should be set correctly.
(1) number of logons
The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly.
The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly.
The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.
The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.
The "Smart Card Removal Behavior" policy should be set correctly.
The "Prevent System Maintenance of Computer Account Password" policy should be set correctly.
The "Limit local account use of blank passwords to console logon only" policy should be set correctly.
The "Allow undock without having to logon" policy should be set correctly.
CCE-3075-9 CCE-194 (1) enabled/disabled
CCE-3220-1 CCE-374 (1) enabled/disabled
CCE-3361-3 CCE-278 (1) enabled/disabled
CCE-3379-5 CCE-542 (1) enabled/disabled
CCE-2457-0 CCE-18 (1) enabled/disabled
CCE-3380-3 CCE-136 (1) enabled/disabled
CCE-2825-8 CCE-189 (1) set of paths
CCE-3349-8 CCE-942 (1) set of shares
CCE-3367-0 CCE-343
CCE-3138-5 CCE-233 (1) enabled/disabled
CCE-3283-9 CCE-775 (1) enabled/disabled
CCE-3050-2 CCE-830 (1) time in seconds
The "Maximum machine account password age" policy should be set correctly.
The "Require Domain Controller authentication to unlock workstation" policy should be set correctly.
The "Disconnect clients when logon hours expire" policy should be set correctly.
The "Do not allow storage of credentials or .NET Passports" policy should be set correctly.
The "Let Everyone permissions apply to anonymous users" policy should be set correctly.
The "Named Pipes that can be accessed anonymously" policy should be set correctly.
The "Remotely accessible registry paths" policy should be set correctly.
The "Shares that can be accessed anonymously" policy should be set correctly.
The "Sharing and security model for local accounts" policy should be set correctly.
(1) Classic/Guest only
The "Do not store LAN Manager hash value on next password change" policy should be set correctly.
The "Force logoff when logon hours expire" policy should be set correctly.
The "Current user screensaver timeout" policy should be set correctly.
CCE-3429-8 CCE-855 (1) enabled/disabled
CCE-3323-3 CCE-859 (1) enabled/disabled
CCE-3217-7 CCE-434 (1) enabled/disabled
CCE-3358-9 CCE-306
CCE-3345-6 CCE-989
CCE-3363-9 CCE-1
CCE-2462-0 CCE-641
CCE-2852-2 CCE-804
CCE-3371-2 CCE-458
CCE-3266-4 CCE-740
The "Always Prompt Client for Password upon Connection" policy should be set correctly for Terminal Services.
The "Allow Solicited Remote Assistance" policy should be set correctly for Terminal Services.
The "Allow Unsolicited Remote Assistance" policy should be set correctly for Terminal Services.
The "Configure Automatic Updates" should be set correctly
The "Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box" should be set correctly
The "Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box" should be set correctly
The "No auto-restart for scheduled Automatic Updates installations
The "Reschedule Automatic Updates scheduled installations" should be set correctly
The "DCOM: Machine access Restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly.
The "DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax" security option should be set correctly.
CCE-3411-6 CCE-22
CCE-2772-2 CCE-828 enabled/disabled
CCE-3292-0 CCE-638
CCE-3459-5 CCE-577
CCE-3460-3 CCE-872
CCE-3244-1 CCE-511 (1) reg_dword
CCE-3394-4 CCE-145 (1) enabled/disabled
CCE-3160-9 CCE-423 (1) enabled/disabled
CCE-3054-4 CCE-806 (1) enabled/disabled
CCE-3187-2 CCE-969 (1) enabled/disabled
CCE-3405-8 CCE-502 (1) enabled/disabled
CCE-3158-3 CCE-771
The "Display user information when the session is locked" setting should be configured correctly.
The "Interactive logon: Require smart card" setting should be configured correctly.
The "Network access: Restrict anonymous access to named pipes and shares" setting should be configured correctly.
MSS: (TCPMaxConnectResponseRetransmission) SYN-ACK retransmissions when a connection request is not acknowledged
(1) number of seconds
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted
(1) number of seconds
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames.
RPC Endpoint Mapper Client Authentication (SP2 only)
Restrictions for Unauthenticated RPC clients (SP2 only)
Domain Profile: Protect all network connections (SP2 only)
Domain Profile: Do not allow exceptions (SP2 only)
Domain Profile: Allow local program exceptions
Domain Profile: Allow remote administration
(1) enabled/disabled (2) subnets for internal support only
CCE-3431-4 CCE-555 (1) enabled/disabled
CCE-3458-7 CCE-832
CCE-2964-5 CCE-590 (1) enabled/disabled
CCE-3365-4 CCE-762 (1) enabled/disabled
CCE-3260-7 CCE-251 (1) enabled/disabled
CCE-2533-8 CCE-793 (1) File path
CCE-3299-5 CCE-57 (1) Size limit (KB)
CCE-3414-0 CCE-617 (1) enabled/disabled
Domain Profile: Allow file and printer sharing exception (SP2 only)
Domain Profile: Allow Remote Desktop exception (SP2 only)
(1) enabled/disabled (2) subnets for internal support only
Domain Profile: Allow UPnP framework exception (SP2 only)
The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Domain Profile.
The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Domain Profile.
The log file path and name for the Windows Firewall should be configured correctly for the Domain Profile.
The log file size limit for the Windows Firewall should be configured correctly for the Domain Profile.
The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Domain Profile.
CCE-3436-3 CCE-696 (1) enabled/disabled
CCE-3202-9 CCE-114 (1) enabled/disabled
CCE-3180-7 CCE-370 (1) enabled/disabled
CCE-3329-0 CCE-273 (1) enabled/disabled
CCE-3347-2 CCE-440 (1) enabled/disabled
CCE-3334-0 CCE-352 (1) enabled/disabled
CCE-3352-2 CCE-467 (1) enabled/disabled
CCE-3369-6 CCE-626 (1) enabled/disabled
CCE-3387-8 CCE-354 (1) enabled/disabled
CCE-3268-0 CCE-266 (1) enabled/disabled
CCE-3409-0 CCE-901 (1) enabled/disabled
CCE-3440-5 CCE-632 (1) enabled/disabled
CCE-3462-9 CCE-196 (1) enabled/disabled
Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Domain Profile.
Domain Profile: Define port exceptions (SP2 only)
Domain Profile: Allow local port exceptions (SP2 only)
Standard Profile: Protect all network connections (SP2 only)
Standard Profile: Do not allow exceptions (SP2 only)
Standard Profile: Allow local program exceptions (SP2 only)
Standard Profile: Allow remote administration exception (SP2 only)
Standard Profile: Allow file and printer sharing exception (SP2 only)
Standard Profile: Allow Remote Desktop exception (SP2 only)
Standard Profile: Allow UPnP framework exception (SP2 only)
The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Standard Profile.
Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Standard Profile.
Standard Profile: Define port exceptions (SP2 only)
CCE-3356-3 CCE-77 (1) enabled/disabled
CCE-2999-1 CCE-249
CCE-3439-7 CCE-485
CCE-3457-9 CCE-400
CCE-2977-7 CCE-584
CCE-3373-8 CCE-7
CCE-3395-1 CCE-29
CCE-3166-6 CCE-32
CCE-3417-3 CCE-38
Standard Profile: Allow local port exceptions (SP2 only)
Domain Profile - Inbound Connections
Domain Profile - Outbound Connections
Domain Profile - Apply Local Firewall Rules
Domain Profile - Apply Local Connection Security Rules
Private Profile - Firewall State
Private Profile - Inbound Connections
Private Profile - Outbound Connections
User notifications when a program is blocked from receiving inbound connections by Windows Firewall should be enabled or disabled as appropriate for the Private Profile.
yes/no/not configured
CCE-2924-9 CCE-70 enabled/disabled
CCE-3360-5 CCE-117
CCE-2854-8 CCE-199
CCE-3246-6 CCE-295
CCE-3263-1 CCE-338
CCE-3351-4 CCE-342
CCE-2998-3 CCE-390
CCE-2641-9 CCE-414 enabled/disabled
Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Private Profile.
Private Profile - Apply Local Firewall Rules
Private Profile - Apply Local Connection Security Rules
Public Profile - Firewall State
Public Profile - Inbound Connections
Public Profile - Outbound Connections
User notifications when a program is blocked from receiving inbound connections by Windows Firewall should be enabled or disabled as appropriate for the Public Profile.
yes/no/not configured
Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Public Profile.
CCE-2650-0 CCE-421
CCE-3426-4 CCE-437
CCE-3320-9 CCE-503
CCE-3086-6 CCE-583
CCE-3452-0 CCE-584
CCE-3364-7 CCE-691
CCE-3259-9 CCE-722
CCE-2778-9 CCE-818
CCE-3421-5 CCE-852 Turn off printing over HTTP
CCE-2754-0 CCE-887
Public Profile - Apply Local Firewall Rules
Public Profile - Apply Local Connection Security Rules
Logon - Do not process the legacy run list
Logon - Do not process the run once list
Group Policy - Registry policy processing
Turn off Internet download for Web publishing and online ordering wizards
Turn off the Windows Messenger Customer Experience Improvement Program
Turn off Search Companion content file updates
Turn off downloading of print drivers over HTTP
CCE-3278-9 CCE-927
CCE-2471-1 CCE-935
CCE-3310-0 CCE-255
CCE-3327-4 CCE-466
CCE-2975-1 CCE-976
CCE-2874-6 CCE-648
CCE-3415-7 CCE-405
CCE-3169-0 CCE-509
CCE-3437-1 CCE-12
CCE-2979-3 CCE-58
CCE-3300-1 CCE-372
CCE-3305-0 CCE-886
Turn off Windows Update device driver searching
Enumerate administrator accounts on elevation
Require trusted path for credential entry
Deny all add-ons unless specifically allowed in the Add-on List
The "Do not allow passwords to be saved" setting should be configured correctly for Terminal Services.
The "Do not allow drive redirection" setting should be configured correctly for Terminal Services.
Access to registry editing tools is set correctly.
Prompt for password on resume from hibernate/suspend is set correctly.
Do not preserve zone information in file attachments is set correctly.
Hide mechanisms to remove zone information is set correctly.
Notify antivirus programs when opening attachments is set correctly.
Outlook Express attachment blocking is set correctly.
CCE-3450-4 CCE-111
CCE-3102-1 CCE-1044 enabled/disabled
CCE-3388-6 CCE-84 enabled/disabled
CCE-3270-6 CCE-86 enabled/disabled
CCE-3045-2 CCE-629 enabled/disabled
CCE-3331-6 CCE-593 enabled/disabled
CCE-3464-5 CCE-849 enabled/disabled
CCE-3468-6 CCE-571 enabled/disabled
CCE-3362-1 CCE-91 enabled/disabled
CCE-3454-6 CCE-858 enabled/disabled
CCE-3348-0 CCE-263 enabled/disabled
Audit: Force audit policy subcategory settings are set correctly.
The "Log Access For Setup Log" setting should be configured correctly.
The startup type of the Windows Search service should be configured correctly.
The startup type of Microsoft Peer-to-Peer Networking Services should be configured correctly.
The "Prohibit Access of the Windows Connect Now Wizards" setting should be configured correctly.
The "Allow remote access to the PnP interface" setting should be configured correctly.
The "Do not create system restore point when new device driver installed" setting should be configured correctly.
The "Do not send a Windows Error Report when a generic driver is installed on a device" setting should be configured correctly.
The "Turn Off Access to All Windows Update Feature" setting should be configured correctly.
The "Turn Off Automatic Root Certificates Update" setting should be configured correctly.
The "Turn Off Event Views 'Events.asp' Links" setting should be configured correctly.
CCE-2868-8 CCE-430 enabled/disabled
CCE-2877-9 CCE-756 enabled/disabled
CCE-3406-6 CCE-1029 enabled/disabled
CCE-3432-2 CCE-1055 enabled/disabled
CCE-2697-1 CCE-1064 enabled/disabled
CCE-3093-2 CCE-88 enabled/disabled
CCE-3115-3 CCE-375 enabled/disabled
CCE-2477-8 CCE-1009 enabled/disabled
CCE-3403-3 CCE-1040 enabled/disabled
CCE-3297-9 CCE-1062 enabled/disabled
The "Turn Off Handwriting Recognition Error Reporting" setting should be configured correctly.
The "Turn Off Help and Support Center "Did You Know?" Content" setting should be configured correctly.
The "Turn Off Help and Support Center Microsoft Knowledge Base Search" setting should be configured correctly.
The "Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com" setting should be configured correctly.
The "Turn Off Internet File Association Service" setting should be configured correctly.
The "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting should be configured correctly.
The "Turn Off the 'Order Prints' Picture Task" setting should be configured correctly.
The "Turn off the 'Publish to Web' task for files and folders" setting should be configured correctly.
The "Turn Off Windows Movie Maker Automatic Codec Downloads" setting should be configured correctly.
The "Turn Off Windows Movie Maker Online Web Links" setting should be configured correctly.
CCE-3385-2 CCE-93 enabled/disabled
CCE-2781-3 CCE-1020 enabled/disabled
CCE-2922-3 CCE-681 enabled/disabled
CCE-2821-7 CCE-346 enabled/disabled
CCE-3469-4 CCE-1011 enabled/disabled
CCE-2742-5 CCE-1007 enabled/disabled
CCE-2887-8 CCE-923 enabled/disabled
CCE-3407-4 CCE-1056 enabled/disabled
CCE-3271-4 CCE-835 enabled/disabled
CCE-3288-8 CCE-474 enabled/disabled
CCE-3434-8 CCE-557 enabled/disabled
CCE-3046-0 CCE-95 enabled/disabled
The "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting should be configured correctly.
The "Don't Display the Getting Started Welcome Screen at Logon" setting should be configured correctly.
The "Turn off Windows Startup Sound" setting should be configured correctly.
The "Require a Password when a Computer Wakes (On Battery)" setting should be configured correctly.
The "Require a Password when a Computer Wakes (Plugged)" setting should be configured correctly.
The "Allow only Vista or later connections" setting should be configured correctly.
The "Customization Warning Messages" setting should be configured correctly.
The "Turn on bandwidth optimization" setting should be configured correctly.
The "Turn on session logging" setting should be configured correctly.
The "Prevent IIS Installation" setting should be configured correctly.
The "Turn off Active Help" setting should be configured correctly.
The "Turn off Untrusted Content" setting should be configured correctly.
CCE-3477-7 CCE-767 enabled/disabled
CCE-3376-1 CCE-1049 enabled/disabled
CCE-3143-5 CCE-1058 enabled/disabled
CCE-2914-0 CCE-441 enabled/disabled
CCE-3178-1 CCE-97 enabled/disabled
CCE-3209-4 CCE-728 enabled/disabled
CCE-2962-9 CCE-384 enabled/disabled
CCE-3125-2 CCE-480 enabled/disabled
CCE-3398-5 CCE-612 enabled/disabled
CCE-3341-5 CCE-392 enabled/disabled
CCE-2521-3 CCE-96 enabled/disabled
CCE-2525-4 CCE-331 enabled/disabled
The "Turn off downloading of enclosures" setting should be configured correctly.
The "Allow indexing of encrypted files" setting should be configured correctly.
The "Prevent indexing uncached Exchange folders" setting should be configured correctly.
The "Turn off Windows Calendar" setting should be configured correctly.
The "Allow Corporate redirection of Customer Experience Improvement uploads" setting should be configured correctly.
The "Turn off Windows Defender" setting should be configured correctly.
The "Turn off Heap termination on corruption" setting should be configured correctly.
The "Turn off shell protocol protected mode" setting should be configured correctly.
The "Prohibit non-administrators from applying vendor signed updates" setting should be configured correctly.
The "Report Logon Server Not Available During User logon" setting should be configured correctly.
The "Turn off the communitication features" setting should be configured correctly.
The "Turn off Windows Mail application" setting should be configured correctly.
CCE-3486-8 CCE-1089 enabled/disabled
CCE-2557-7 CCE-992 enabled/disabled
CCE-3328-2 CCE-105 enabled/disabled
CCE-3456-1 CCE-297 enabled/disabled
CCE-3214-4 CCE-702 enabled/disabled
CCE-3500-6 CCE-644 enabled/disabled
CCE-3482-7 CCE-1747 enabled/disabled
CCE-2755-7 CCE-1778 enabled/disabled
CCE-2865-4 CCE-1795 enabled/disabled
CCE-3508-9 CCE-1293 enabled/disabled
CCE-4662-3 CCE-227 (1) enabled/disabled
CCE-4666-4 CCE-6
The "Prevent Windows Media DRM Internet Access" setting should be configured correctly.
The "Turn off Windows Meeting Space" setting should be configured correctly.
The "Turn on Windows Meeting Space auditing" setting should be configured correctly.
The "Disable unpacking and installation of gadgets that are not digitally signed" setting should be configured correctly.
The "Override the More Gadgets Link" setting should be configured correctly.
The "Turn Off User Installed Windows Sidebar Gadgets" setting should be configured correctly.
The "Do not allow Digital Locker to run" setting should be configured correctly.
The "Turn Off Downloading of Game Information" setting should be configured correctly.
The "IPv6 Block of Protocols 41" setting should be configured correctly.
The "IPv6 Block of UDP 3544" setting should be configured correctly.
The "Enforce user logon restrictions" policy should be set correctly.
The "Maximum Service Ticket Lifetime" policy should be set correctly.
(1) number of minutes
CCE-3936-2 CCE-37 (1) number of hours
CCE-4755-5 CCE-33 (1) number of days
CCE-4702-7 CCE-588
CCE-3949-5 CCE-998 (1) enabled/disabled
CCE-4904-9 CCE-501 (1) enabled/disabled
CCE-4781-1 CCE-1185 set of paths
CCE-4922-1 CCE-719
CCE-4940-3 CCE-732 (1) enabled/disabled
CCE-4583-1 CCE-674 (1) enabled/disabled
CCE-4213-5 CCE-766 (1) enabled/disabled
CCE-4107-9 CCE-410 (1) enabled/disabled
CCE-3953-7 CCE-76 (1) enabled/disabled
CCE-3954-5 CCE-224 (1) enabled/disabled
The "Maximum User Ticket Lifetime" policy should be set correctly.
The "Maximum User Renewal Lifetime" policy should be set correctly.
The "Maximum tolerance for computer clock synchronization" policy should be set correctly.
(1) number of minutes
TCP/IP PMTU Discovery should be properly configured.
Kerberos and RSVP Traffic Protected by IPSec should be properly configured.
The "Remotely accessible registry paths and subpaths" policy should be set correctly.
The "LAN Manager Authentication Level" policy should be set correctly.
(1) authentication level
The "LDAP client signing requirements" policy should be set correctly.
The "Minimum session security for NTLM SSP based clients" policy should be set correctly.
The "Minimum session security for NTLM SSP based servers" policy should be set correctly.
The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly.
The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly.
The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.
CCE-3969-3 CCE-422 (1) enabled/disabled
CCE-4774-6 CCE-55 (1) enabled/disabled
CCE-4841-3 CCE-300 (1) enabled/disabled
CCE-4011-3 CCE-508 (1) enabled/disabled
CCE-4955-1 CCE-1078 enabled/disabled
CCE-4016-2 CCE-1063
CCE-4969-2 CCE-1067
CCE-4612-8 CCE-1128 enabled/disabled
CCE-5004-7 CCE-1104 enabled/disabled
The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly.
The "Use FIPS compliant algorithms for encryption, hashing, and signing" policy should be set correctly.
The "Require Case Insensitivity for Non-Windows Subsystems" policy should be set correctly.
The "Strengthen Default Permissions of Global System Objects" policy should be set correctly.
The "User Account Control: Admin Approval Mode for the Built-in Administrator account" setting should be configured correctly.
The "Behavior of the elevation prompt for administrators in Admin Approval Mode" setting should be configured correctly.
Prompt for consent/Prompt for credentials/Automatically deny
The "Behavior of the elevation prompt for standard users" setting should be configured correctly.
Prompt for credentials/Automatically deny
The "User Account Control: Detect application installations and prompt for elevation" setting should be configured correctly.
The "User Account Control: Only elevate executables that are signed and validated" setting should be configured correctly.
CCE-4020-4 CCE-986 enabled/disabled
CCE-4907-2 CCE-1050 enabled/disabled
CCE-4925-4 CCE-230 enabled/disabled
CCE-4194-7 CCE-673 enabled/disabled
CCE-4334-9 CCE-532 (1) set of accounts
CCE-4088-1 CCE-162 (1) set of accounts
CCE-4854-6 CCE-807 (1) set of accounts
CCE-4872-8 CCE-965 (1) set of accounts
CCE-4264-8 CCE-883 (1) set of accounts
CCE-4827-2 CCE-931 (1) set of accounts
The "User Account Control: Only elevate UIAccess applications that are installed in secure locations" setting should be configured correctly.
The "User Account Control: Run all administrators in Admin Approval Mode" setting should be configured correctly.
The "User Account Control: Switch to the secure desktop when prompting for elevation" setting should be configured correctly.
The "User Account Control: Virtualize file and registry write failures to per-user locations" setting should be configured correctly.
The "access this computer from the network" user right should be assigned to the correct accounts.
The "act as part of the operating system" user right should be assigned to the correct accounts.
The "adjust memory quotas for a process" user right should be assigned to the correct accounts.
The "log on locally" user right should be assigned to the correct accounts.
The "allow logon through Terminal Services" user right should be assigned to the correct accounts.
The "back up files and directories" user right should be assigned to the correct accounts.
CCE-4973-4 CCE-376 (1) set of accounts
CCE-4863-7 CCE-799 (1) set of accounts
CCE-5008-8 CCE-470 list of accounts
CCE-4757-1 CCE-895 (1) set of accounts
CCE-4902-3 CCE-926 (1) set of accounts
CCE-4792-8 CCE-383 (1) set of accounts
CCE-4184-8 CCE-335 (1) set of accounts
CCE-4687-0 CCE-842 (1) set of accounts
CCE-4704-3 CCE-898 (1) set of accounts
CCE-4722-5 CCE-165 (1) set of accounts
CCE-4867-8 CCE-597 (1) set of accounts
CCE-4889-2 CCE-64 (1) set of accounts
The "bypass traverse checking" user right should be assigned to the correct accounts.
The "change the system time" user right should be assigned to the correct accounts.
The "Change the time zone" user right should be assigned to the appropriate accounts.
The "create a pagefile" user right should be assigned to the correct accounts.
The "Create a token object" user right should be assigned to the correct accounts.
The "Create global objects" user right should be assigned to the correct accounts.
The "create permanent shared objects" user right should be assigned to the correct accounts.
The "debug programs" user right should be assigned to the correct accounts.
The "deny access to this computer from the network" user right should be assigned to the correct accounts.
The "deny logon as a batch job" user right should be assigned to the correct accounts.
The "deny logon as a service" user right should be assigned to the correct accounts.
The "deny logon locally" user right should be assigned to the correct accounts.
CCE-4656-5 CCE-108 (1) set of accounts
CCE-4673-0 CCE-754 (1) set of accounts
CCE-4488-3 CCE-939 (1) set of accounts
CCE-4382-8 CCE-304 (1) set of accounts
CCE-4651-6 CCE-1027
CCE-4796-9 CCE-349 (1) set of accounts
CCE-4034-5 CCE-860 (1) set of accounts
CCE-4317-4 CCE-749 (1) set of accounts
CCE-4083-2 CCE-177 (1) set of accounts
CCE-4038-6 CCE-216 (1) set of accounts
CCE-4046-9 CCE-850 (1) set of accounts
CCE-4285-3 CCE-1023 list of accounts
The "deny logon through Terminal Services" user right should be assigned to the correct accounts.
The "force shutdown from a remote system" user right should be assigned to the correct accounts.
The "generate security audits" user right should be assigned to the correct accounts.
The "Impersonate a client after authentication" user right should be assigned to the correct accounts.
The "Increase a Process Working Set" setting should be configured correctly.
Set of users or groups
The "increase scheduling priority" user right should be assigned to the correct accounts.
The "load and unload device drivers" user right should be assigned to the correct accounts.
The "lock pages in memory" user right should be assigned to the correct accounts.
The "log on as a batch job" user right should be assigned to the correct accounts.
The "log on as a service" user right should be assigned to the correct accounts.
The "manage auditing and security log" user right should be assigned to the correct accounts.
The "Modify an object label" user right should be assigned to the appropriate accounts.
CCE-4048-5 CCE-17 (1) set of accounts
CCE-4071-7 CCE-314 (1) set of accounts
CCE-4962-7 CCE-260 (1) set of accounts
CCE-4618-5 CCE-599 (1) set of accounts
CCE-4861-1 CCE-656 (1) set of accounts
CCE-4372-9 CCE-667 (1) set of accounts
CCE-4948-6 CCE-553 (1) set of accounts
CCE-4569-0 CCE-839 (1) set of accounts
CCE-4970-0 CCE-381 (1) set of accounts
CCE-4988-2 CCE-492 (1) set of accounts
CCE-4627-6 CCE-957
The "modify firmware environment values" user right should be assigned to the correct accounts.
The "perform volume maintenance tasks" user right should be assigned to the correct accounts.
The "profile single process" user right should be assigned to the correct accounts.
The "profile system performance" user right should be assigned to the correct accounts.
The "remove computer from docking station" user right should be assigned to the correct accounts.
The "replace a process-level token" user right should be assigned to the correct accounts.
The "restore files and directories" user right should be assigned to the correct accounts.
The "shut down the system" user right should be assigned to the correct accounts.
The "synchronize directory service data" user right should be assigned to the correct accounts.
The "take ownership of files or other objects" user right should be assigned to the correct accounts.
The required permissions for the WLAN AutoConfig service should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-4992-4 CCE-347 enabled/disabled
CCE-4077-4 CCE-1134 enabled/disabled
CCE-4152-5 CCE-896 (1) enabled/disabled
CCE-5020-3 CCE-241 enabled/disabled
CCE-4078-2 CCE-672
CCE-5061-7 CCE-734 enabled/disabled
Internet Explorer Processes (Zone Elevation Protection)
The "Turn on Responder (RSPNDR) driver" setting should be configured correctly for the domain profile.
Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.
The "Prohibit use of Internet Connection Firewall on your DNS domain network" setting should be configured correctly.
The startup type of the Internet Connection Sharing service should be correct.
(1) disabled/manual/automatic
The "Configuration of wireless settings using Windows Connect Now" setting should be configured correctly for Wireless Connect Now over Ethernet (UPnP).
CCE-4081-6 CCE-365 enabled/disabled
CCE-4694-6 CCE-592 (1) enabled/disabled
CCE-4813-2 CCE-231 (1) logon type
CCE-4579-9 CCE-836 enabled/disabled
CCE-4086-5 CCE-262 (1) Size limit (KB)
CCE-4501-3 CCE-648
CCE-4866-0 CCE-397 (1) encryption level
CCE-5007-0 CCE-920
CCE-4267-1 CCE-123
CCE-4761-3 CCE-312
CCE-4915-5 CCE-959 enabled/disabled
The "Internet Explorer Maintenance Policy Processing - Allow processing across a slow network connection" setting should be configured correctly.
The "Enable Error Reporting" policy should be set correctly.
Use Classic Logon should be properly configured.
The 'Approved Installation Sites for ActiveX Controls' security mechanism should be enabled or disabled as appropriate.
The setup log maximum size should be configured correctly.
The "Do not allow drive redirection" setting should be configured correctly for Terminal Services.
The "Set Client connection Encryption Level" policy should be set correctly for Terminal Services.
The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.
(1) Time Limit (minutes)
The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.
(1) Time limit (minutes)
Computer-wide, rather than per-user, use of Microsoft Spynet Reporting for Windows Defender should be enabled or disabled as appropriate.
enabled, disabled, or not configured
The "Disable Logging" setting should be configured correctly.
CCE-5034-4 CCE-803 enabled/disabled
CCE-4919-7 CCE-259 enabled/disabled
CCE-4089-9 CCE-798 enabled/disabled
CCE-4991-6 CCE-261 (1) enabled/disabled
CCE-4629-2 CCE-415 (1) enabled/disabled
CCE-4405-7 CCE-1140 enabled/disabled
CCE-4898-3 CCE-455 (1) enabled/disabled
CCE-5052-6 CCE-313 enabled/disabled
CCE-4797-7 CCE-309 (1) enabled/disabled
CCE-4290-3 CCE-949 (1) enabled/disabled
CCE-5070-8 CCE-1144 enabled/disabled
The "Disable Windows Error Reporting" setting should be configured correctly.
The "Display Error Notification" setting should be configured correctly.
The "Do not send additional data" setting should be configured correctly.
The "Set Safe for Scripting" policy should be set correctly.
The "Enable User Control Over Installs" policy should be set correctly.
The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly.
The "Disable Media Player for automatic updates" policy should be set correctly.
The "Prevent Desktop Shortcut Creation" setting for Windows Media Player should be configured correctly.
The "Do Not Automatically Start Windows Messenger" policy should be set correctly.
The "Current user screensaver secure" policy should be set correctly.
The "Prevent users from sharing files within their profile" setting should be configured correctly.
CCE-4938-7 CCE-801 enabled/disabled
CCE-4700-1 CCE-1016 enabled/disabled
CCE-4093-1 CCE-1070 enabled/disabled
CCE-4228-3 CCE-840 enabled/disabled
CCE-4115-2 CCE-515 enabled/disabled
CCE-4140-0 CCE-1048 enabled/disabled
CCE-4916-3 CCE-206 enabled/disabled
CCE-4783-7 CCE-1202 enabled/disabled
Auditing of "Account Management: Application Group Management" events on success should be enabled or disabled as appropriate.
Auditing of "Account Management: Application Group Management" events on failure should be enabled or disabled as appropriate.
Auditing of "Account Management: Computer Account Management" events on success should be enabled or disabled as appropriate.
Auditing of "Account Management: Computer Account Management" events on failure should be enabled or disabled as appropriate.
Auditing of "Account Management: Distribution Group Management" events on success should be enabled or disabled as appropriate.
Auditing of "Account Management: Distribution Group Management" events on failure should be enabled or disabled as appropriate.
Auditing of "Account Management: Other Account Management Events" events on success should be enabled or disabled as appropriate.
Auditing of "Account Management: Other Account Management Events" events on failure should be enabled or disabled as appropriate.
CCE-5048-4 CCE-1118 enabled/disabled
CCE-4142-6 CCE-369 enabled/disabled
CCE-4833-0 CCE-1043 enabled/disabled
CCE-5097-1 CCE-924 enabled/disabled
CCE-5000-5 CCE-1413 enabled/disabled
CCE-4493-3 CCE-699 enabled/disabled
CCE-4166-5 CCE-913 enabled/disabled
CCE-5094-8 CCE-1079 enabled/disabled
Auditing of "Account Management: Security Group Management" events on success should be enabled or disabled as appropriate.
Auditing of "Account Management: Security Group Management" events on failure should be enabled or disabled as appropriate.
Auditing of "Account Management: User Account Management" events on success should be enabled or disabled as appropriate.
Auditing of "Account Management: User Account Management" events on failure should be enabled or disabled as appropriate.
Auditing of "Detailed Tracking: DPAPI Activity" events on success should be enabled or disabled as appropriate.
Auditing of "Detailed Tracking: DPAPI Activity" events on failure should be enabled or disabled as appropriate.
Auditing of "Detailed Tracking: Process Creation" events on success should be enabled or disabled as appropriate.
Auditing of "Detailed Tracking: Process Creation" events on failure should be enabled or disabled as appropriate.
CCE-4869-4 CCE-416 enabled/disabled
CCE-4363-8 CCE-1250 enabled/disabled
CCE-4891-8 CCE-1219 enabled/disabled
CCE-4759-7 CCE-1365 enabled/disabled
CCE-5023-7 CCE-207 enabled/disabled
CCE-4658-1 CCE-1186 enabled/disabled
CCE-5028-6 CCE-1199 enabled/disabled
CCE-4931-2 CCE-459 enabled/disabled
CCE-5067-4 CCE-317 enabled/disabled
Auditing of "Detailed Tracking: Process Termination" events on success should be enabled or disabled as appropriate.
Auditing of "Detailed Tracking: Process Termination" events on failure should be enabled or disabled as appropriate.
Auditing of "Detailed Tracking: RPC Events" events on success should be enabled or disabled as appropriate.
Auditing of "Detailed Tracking: RPC Events" events on failure should be enabled or disabled as appropriate.
Auditing of "DS Access: Detailed Directory Service Replication" events on success should be enabled or disabled as appropriate.
Auditing of "DS Access: Detailed Directory Service Replication" events on failure should be enabled or disabled as appropriate.
Auditing of "DS Access: Directory Service Access" events on success should be enabled or disabled as appropriate.
Auditing of "DS Access: Directory Service Access" events on failure should be enabled or disabled as appropriate.
Auditing of "DS Access: Directory Service Changes" events on success should be enabled or disabled as appropriate.
CCE-4808-2 CCE-982 enabled/disabled
CCE-5089-8 CCE-881 enabled/disabled
CCE-4176-4 CCE-247 enabled/disabled
CCE-4342-2 CCE-1264 enabled/disabled
CCE-4857-9 CCE-1282 enabled/disabled
CCE-5011-2 CCE-1028 enabled/disabled
CCE-4505-4 CCE-362 enabled/disabled
CCE-5016-1 CCE-1207 enabled/disabled
CCE-4650-8 CCE-351 enabled/disabled
Auditing of "DS Access: Directory Service Changes" events on failure should be enabled or disabled as appropriate.
Auditing of "DS Access: Directory Service Replication" events on success should be enabled or disabled as appropriate.
Auditing of "DS Access: Directory Service Replication" events on failure should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Account Lockout" events on success should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Account Lockout" events on failure should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: IPsec Extended Mode" events on success should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: IPsec Extended Mode" events on failure should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: IPsec Main Mode" events on success should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: IPsec Main Mode" events on failure should be enabled or disabled as appropriate.
CCE-5038-5 CCE-1257 enabled/disabled
CCE-4928-8 CCE-1274 enabled/disabled
CCE-4703-5 CCE-493 enabled/disabled
CCE-4183-0 CCE-996 enabled/disabled
CCE-5018-7 CCE-1284 enabled/disabled
CCE-4423-0 CCE-1097 enabled/disabled
CCE-5163-1 CCE-378 enabled/disabled
CCE-5066-6 CCE-1208 enabled/disabled
CCE-4956-9 CCE-371 enabled/disabled
CCE-4824-9 CCE-1038 enabled/disabled
Auditing of "Logon/Logoff: IPsec Quick Mode" events on success should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: IPsec Quick Mode" events on failure should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Logoff" events on success should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Logoff" events on failure should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Logon" events on success should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Logon" events on failure should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Other Logon/Logoff Events" events on success should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Other Logon/Logoff Events" events on failure should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Special Logon" events on success should be enabled or disabled as appropriate.
Auditing of "Logon/Logoff: Special Logon" events on failure should be enabled or disabled as appropriate.
CCE-5084-9 CCE-1322 enabled/disabled
CCE-4829-8 CCE-379 enabled/disabled
CCE-4714-2 CCE-1345 enabled/disabled
CCE-4868-6 CCE-1261 enabled/disabled
CCE-4200-2 CCE-1372 enabled/disabled
CCE-5145-8 CCE-1033 enabled/disabled
CCE-4921-3 CCE-1085 enabled/disabled
CCE-5039-3 CCE-1340 enabled/disabled
CCE-4568-2 CCE-717 enabled/disabled
Auditing of "Object Access: Application Generated" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: Application Generated" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: Certification Services" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: Certification Services" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: File Share" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: File Share" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: File System" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: File System" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: Filtering Platform Connection" events on success should be enabled or disabled as appropriate.
CCE-5079-9 CCE-744 enabled/disabled
CCE-4947-8 CCE-385 enabled/disabled
CCE-4335-6 CCE-589 enabled/disabled
CCE-4828-0 CCE-1363 enabled/disabled
CCE-4965-0 CCE-1244 enabled/disabled
CCE-4996-5 CCE-1288 enabled/disabled
CCE-4885-0 CCE-1305 enabled/disabled
CCE-5132-6 CCE-642 enabled/disabled
Auditing of "Object Access: Filtering Platform Connection" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: Filtering Platform Packet Drop" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: Filtering Platform Packet Drop" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: Handle Manipulation" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: Handle Manipulation" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: Kernel Object" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: Kernel Object" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: Other Object Access Events" events on success should be enabled or disabled as appropriate.
CCE-4691-2 CCE-1026 enabled/disabled
CCE-4594-8 CCE-1138 enabled/disabled
CCE-5087-2 CCE-1283 enabled/disabled
CCE-4616-9 CCE-446 enabled/disabled
CCE-4982-5 CCE-451 enabled/disabled
CCE-4201-0 CCE-1110 enabled/disabled
CCE-5137-5 CCE-991 enabled/disabled
CCE-4877-7 CCE-388 enabled/disabled
CCE-4516-1 CCE-180 enabled/disabled
Auditing of "Object Access: Other Object Access Events" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: Registry" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: Registry" events on failure should be enabled or disabled as appropriate.
Auditing of "Object Access: SAM" events on success should be enabled or disabled as appropriate.
Auditing of "Object Access: SAM" events on failure should be enabled or disabled as appropriate.
Auditing of "Policy Change: Audit Policy Change" events on success should be enabled or disabled as appropriate.
Auditing of "Policy Change: Audit Policy Change" events on failure should be enabled or disabled as appropriate.
Auditing of "Policy Change: Authentication Policy Change" events on success should be enabled or disabled as appropriate.
Auditing of "Policy Change: Authentication Policy Change" events on failure should be enabled or disabled as appropriate.
CCE-5172-2 CCE-187 enabled/disabled
CCE-5058-3 CCE-448 enabled/disabled
CCE-5177-1 CCE-1042 enabled/disabled
CCE-4939-5 CCE-1112 enabled/disabled
CCE-5181-3 CCE-203 enabled/disabled
CCE-4204-4 CCE-879 enabled/disabled
CCE-4479-2 CCE-205 enabled/disabled
CCE-4995-7 CCE-787 enabled/disabled
Auditing of "Policy Change: Authorization Policy Change" events on success should be enabled or disabled as appropriate.
Auditing of "Policy Change: Authorization Policy Change" events on failure should be enabled or disabled as appropriate.
Auditing of "Policy Change: Filtering Platform Policy Change" events on success should be enabled or disabled as appropriate.
Auditing of "Policy Change: Filtering Platform Policy Change" events on failure should be enabled or disabled as appropriate.
Auditing of "Policy Change: MPSSVC Rule-Level Policy Change" events on success should be enabled or disabled as appropriate.
Auditing of "Policy Change: MPSSVC Rule-Level Policy Change" events on failure should be enabled or disabled as appropriate.
Auditing of "Policy Change: Other Policy Change Events" events on success should be enabled or disabled as appropriate.
Auditing of "Policy Change: Other Policy Change Events" events on failure should be enabled or disabled as appropriate.
CCE-5114-4 CCE-391 enabled/disabled
CCE-4990-8 CCE-404 enabled/disabled
CCE-5131-8 CCE-1203 enabled/disabled
CCE-4205-1 CCE-406 enabled/disabled
CCE-4300-0 CCE-488 enabled/disabled
CCE-4734-0 CCE-1258 enabled/disabled
CCE-4976-7 CCE-1177 enabled/disabled
CCE-4879-3 CCE-1314 enabled/disabled
CCE-4998-1 CCE-1332 enabled/disabled
Auditing of "Privilege Use: Non Sensitive Privilege Use" events on success should be enabled or disabled as appropriate.
Auditing of "Privilege Use: Non Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.
Auditing of "Privilege Use: Other Privilege Use Events" events on success should be enabled or disabled as appropriate.
Auditing of "Privilege Use: Other Privilege Use Events" events on failure should be enabled or disabled as appropriate.
Auditing of "Privilege Use: Sensitive Privilege Use" events on success should be enabled or disabled as appropriate.
Auditing of "Privilege Use: Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.
Auditing of "System: Ipsec Driver" events on success should be enabled or disabled as appropriate.
Auditing of "System: Ipsec Driver" events on failure should be enabled or disabled as appropriate.
Auditing of "System: Other System Events" events on success should be enabled or disabled as appropriate.
CCE-4883-5 CCE-337 enabled/disabled
CCE-4535-1 CCE-1121 enabled/disabled
CCE-5157-3 CCE-1139 enabled/disabled
CCE-5170-6 CCE-1270 enabled/disabled
CCE-4910-6 CCE-1102 enabled/disabled
CCE-5047-6 CCE-856 enabled/disabled
CCE-4822-3 CCE-336 enabled/disabled
CCE-4941-1 CCE-1047
Auditing of "System: Other System Events" events on failure should be enabled or disabled as appropriate.
Auditing of "System: Security State Change" events on success should be enabled or disabled as appropriate.
Auditing of "System: Security State Change" events on failure should be enabled or disabled as appropriate.
Auditing of "System: Security System Extension" events on success should be enabled or disabled as appropriate.
Auditing of "System: Security System Extension" events on failure should be enabled or disabled as appropriate.
Auditing of "System: System Integrity" events on success should be enabled or disabled as appropriate.
Auditing of "System: System Integrity" events on failure should be enabled or disabled as appropriate.
User notifications when a program is blocked from receiving inbound connections by Windows Firewall should be enabled or disabled as appropriate for the Domain Profile.
yes/no/not configured
CCE-4597-1 CCE-325 (1) enabled/disabled
CCE-4963-5 CCE-327 enabled/disabled
CCE-4206-9 CCE-999 (1) File path
CCE-4207-7 CCE-1091 (1) Size limit (KB)
CCE-4507-0 CCE-1165 (1) enabled/disabled
The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Private Profile.
The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Private Profile.
The log file path and name for the Windows Firewall should be configured correctly for the Private Profile.
The log file size limit for the Windows Firewall should be configured correctly for the Private Profile.
The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Public Profile.
CCE-5128-4 CCE-534 enabled/disabled
CCE-4639-1 CCE-1263 (1) File path
CCE-4278-8 CCE-1313 (1) Size limit (KB)
CCE-5146-6 CCE-1227 enabled/disabled
CCE-5036-9 CCE-1036 enabled/disabled
CCE-4811-6 CCE-1148 enabled/disabled
CCE-5239-9 CCE-174 enabled/disabled
The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Public Profile.
The log file path and name for the Windows Firewall should be configured correctly for the Public Profile.
The log file size limit for the Windows Firewall should be configured correctly for the Public Profile.
The ISATAP tunneling protocol for IPv6 should be enabled or disabled as appropriate.
The 6to4 tunneling protocol for IPv6 should be enabled or disabled as appropriate.
The Teredo tunneling protocol for IPv6 should be enabled or disabled as appropriate.
The "Turn off Help Experience Improvement Program" setting should be configured correctly.
CCE-4851-2 CCE-1109 enabled/disabled
CCE-4294-5 CCE-1176 list of accounts
The "Turn off Help Ratings" setting should be configured correctly.
The "Create Symbolic Links" user right should be assigned to the appropriate accounts.
CCE Technical Mechanisms
(1) defined by Local or Group Policy reset-account-lockout-counter
(1) defined by Local or Group Policy account-lockout-duration
(1) defined by Local or Group Policy account-lockout-threshold
(1) defined by Local or Group Policy audit-account-logon-events
(1) defined by Local or Group Policy audit-account-logon-events
(1) defined by Local or Group Policy audit-account-management
(1) defined by Local or Group Policy audit-account-management
(1) defined by Local or Group Policy audit-directory-services-access
(1) defined by Local or Group Policy audit-directory-services-access
NIST SCAP Windows Vista XCCDF (SCAP-WinVista-XCCDF.xml rev 2007-02-06)
(1) defined by Local or Group Policy audit-logon-events
(1) defined by Local or Group Policy audit-logon-events
(1) defined by Local or Group Policy audit-object-access
(1) defined by Local or Group Policy audit-object-access
(1) defined by Local or Group Policy audit-policy-change
(1) defined by Local or Group Policy audit-policy-change
(1) defined by Local or Group Policy audit-privilege-use
(1) defined by Local or Group Policy audit-privilege-use
(1) defined by Local or Group Policy audit-process-tracking
(1) defined by Local or Group Policy audit-process-tracking
(1) defined by Local or Group Policy audit-system-events
(1) defined by Local or Group Policy audit-system-events
Prevent-Guest-Application-Log-Access
Maximum-Application-Log-Size
Retention-Method-For-Application-Log
Prevent-Guest-Security-Log-Access
Maximum-Security-Log-Size
Retention-Method-For-Security-Log
Prevent-Guest-System-Log-Access
Maximum-System-Log-Size
Retention-Method-For-System-Log
(1) defined by Local or Group Policy maximum-password-age
(1) defined by Local or Group Policy minimum-password-age
(1) defined by Local or Group Policy minimum-password-length
(1) defined by Local or Group Policy password-complexity
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\MaxSize
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\RestrictGuestAccess (2) defined by Group Policy
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MaxSize
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\RestrictGuestAccess (2) defined by Group Policy
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\MaxSize
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy
(1) defined by Local or Group Policy enforce-password-history
(1) defined by Local or Group Policy reversible-password-encryption
Do-not-allow-Windows-Messenger-to-be-run
Disable-remote-Desktop-Sharing
do-not-allow-anonymous-enumeration-sam
Anonymous-SID-Name-Translation
(1) Local Users and Groups MMC guest-account-status
(1) Local Users and Groups MMC administrator-account-status
message-title-users-attempting-logon
message-text-users-attempting-logon
enable-automatic-logon
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (2) defined by Local or Group Policy
do-not-allow-anonymous-enumeration-sam-accounts-shares
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AnonymousNameLookup (2) defined by Local or Group
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon
Turn-off-Autoplay, no-drive-type-auto-run
enable-icmp-redirect
disable-ip-source-routing
perform-router-discovery
do-not-display-last-user-name
hide-system-from-browse-list
enable-dead-gw-detect
keep-alive-time
no-name-release-on-demand
syn-attack-protect
warning-level
safe-dll-search-mode
(1) defined by Local or Group Policy rename-administrator
(1) defined by Local or Group Policy rename-guest
audit-access-global-system-objects
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ServicesTcpip\Parameters\EnableICMPRedirect
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\WarningLevel
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\SafeDllSearchMode
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect (2) defined by Local or Group Policy
amount-of-idle-time-required-before-suspending-session
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects (2) defined by Local or Group Policy
audit-use-backup-restore-privilege
do-not-require-ctrlaltdel
prevent-users-installing-printers
restrict-cdrom-access-local-users-only
restrict-floppy-access-local-users-only
require-strong-session-key
shutdown-system-unable-log-audits
digitally-sign-communications-client-always
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword (2) defined by Local or Group Policy
send-unencrypted-password-to-third-party-smb-servers
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning (2) defined by Local or Group Policy
prompt-user-to-change-password-before-expiration
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy
digitally-sign-communications-client-server-agrees
digitally-sign-communications-server-always
number-of-previous-logons-to-cache
allow-format-eject-removable-media
smart-card-removal-behaviour
disable-machine-account-password-changes
limit-blank-password-use
allow-undock-no-logon
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy
digitally-sign-communications-server-client-agrees
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal (2) defined by Local or Group Policy
digitally-encrypt-or-sign-secure-channel-data-always
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy
digitally-encrypt-secure-channel-data-when-possible
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy
digitally-sign-secure-channel-data-when-possible
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon (2) defined by Local or Group Policy
maximum-machine-account-password-age
disconnect-client-when-logon-hours-expire
named-pipes-accessed-anonymously
Sharing-and-security-model-for-local-accounts
(1) defined by Local or Group Policy Force-logoff-when-logon-hours-expire
screen-saver-grace-period
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon (2) defined by Local or Group Policy
require-domain-controller-authentication-to-unlock
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds (2) defined by Local or Group Policy
do-not-allow-storage-credentials-net-passports-network-authn
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous (2) defined by Local or Group Policy
let-everyone-permissions-apply-to-anonymous-users
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPathsHKLM (2) defined by Local or Group Policy
Remotely-accessible-registry-paths, Remotely-accessible-registry-paths-and-sub-paths
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares (2) defined by Local or Group Policy
Shares-that-can-be-accessed-anonymously -- NOTE: COMMENTED OUT
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash (2) defined by Local or Group Policy
Do-not-store-LAN-Manager-hash-value-on-next-password-change
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
Solicited-Remote-Assistance
Offer-Remote-Assistance
Configure-Automatic-Updates
MachineAccessRestrictions
MachineLaunchRestrictions
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword
Always-prompt-client-for-password-upon-connection
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited
Do-not-adjust-default-option-to-Install-Updates-and-Shut-Down
Do-not-display-Install-Updates-and-Shut-Down
No-auto-restart-for-scheduled-Automatic-Updates-installations
Reschedule-Automatic-Updates-scheduled-installations
Require-Smart-Card
tcp-max-data-retransmissions
ntfs-disable-8dot3-name-creation
RPC-Endpoint-Mapper-Client-Authentication
Restrictions-for-Unauthenticated-RPC-clients
(1) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SCForceOption
Restrict-anonymous-access-to-Named-Pipes-and-Shares
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions
tcp-max-connect-response-retransmissions
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC\EnableAuthEpResolution
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC\RestrictRemoteClients
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
Domain-Profile-Firewall-Protect-All-Network-Connections, Domain-Profile-Firewall-State
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions
Domain-Profile-Firewall-Do-Not-Allow-Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\AllowUserPrefMerge
Domain-Profile-Firewall-Allow-Local-Program-Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Enabled
Domain-Profile-Firewall-Allow-Inbound-Remote-Administration-Exception
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\FileAndPrint\Enabled
Domain-Profile-Firewall-Allow-Inbound-File-And-Printer-Sharing-Exception
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\RemoteDesktop\Enabled
Domain-Profile-Firewall-Allow-Inbound-Remote-Desktop-Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\UPnPFramework\Enabled
Domain-Profile-Firewall-Allow-Inbound-UPnP-Framework-Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications
Domain-Profile-Firewall-Prohibit-Notifications, Domain-Profile-Display-Notification
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log Dropped Packets
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogFilePath (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log file path and name (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging\Name
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogFileSize (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Size limit (KB)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogSuccessfulConnections (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log successful connections
Standard-Profile-Firewall-Prohibit-Notifications
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableUnicastResponsesToMulticastBroadcast
Domain-Profile-Firewall-Prohibit-Unicast-Response, Domain-Profile-Allow-Unicast-Response
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts
Domain-Profile-Firewall-Define-Inbound-Port-Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\AllowUserPrefMerge
Domain-Profile-Firewall-Allow-Local-Port-Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
Standard-Profile-Firewall-Protect-All-Network-Connections
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions
Standard-Profile-Firewall-Do-Not-Allow-Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\AllowUserPrefMerge
Standard-Profile-Firewall-Define-Inbound-Program-Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop
Standard-Profile-Firewall-Allow-Inbound-Remote-Administration-Exception
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop\Enabled
Standard-Profile-Firewall-Allow-Inbound-File-And-Printer-Sharing-Exception,Standard-Profile-Firewall-Allow-Inbound-File-And-Printer-Sharing-Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop\Enabled
Standard-Profile-Firewall-Allow-Inbound-Remote-Desktop-Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\UPnPFramework\Enabled
Standard-Profile-Firewall-Allow-Inbound-UPnP-Framework-Exceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableUnicastResponsesToMulticastBroadcast
Standard-Profile-Firewall-Prohibit-Unicast-Response
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
Standard-Profile-Firewall-Define-Inbound-Port-Exceptions
Domain-Profile-Inbound-Connections
Domain-Profile-Outbound-Connections
Private-Profile-Firewall-State
Private-Profile-Inbound-Connections
Private-Profile-Outbound-Connections
Private-Profile-Display-Notification
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\AllowUserPrefMerge
Standard-Profile-Firewall-Allow-Local-Port-Exceptions
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Inbound Connections Tab\ (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultOutboundAction
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalPolicyMerge
Domain-Profile-Apply-Local-Firewall-Rules
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalIPsecPolicyMerge
Domain-Profile-Apply-Local-Connection-Security-Rules
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultInboundAction
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultOutboundAction
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableNotifications
Private-Profile-Allow-Unicast-Response
Public-Profile-Firewall-State
Public-Profile-Inbound-Connections
Public-Profile-Outbound-Connections
Public-Profile-Display-Notification
Public-Profile-Allow-Unicast-Response
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableUnicastResponsesToMulticastBroadcast
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalPolicyMerge
Private-Profile-Apply-Local-Firewall-Rules
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalIPsecPolicyMerge
Private-Profile-Apply-Local-Connection-Security-Rules
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultInboundAction
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultOutboundAction
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableNotifications
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableUnicastResponsesToMulticastBroadcast
Public-Profile-Apply-Local-Firewall-Rules
Do-Not-Process-Legacy-Run-List
Do-Not-Process-Run-Once-List
Registry-Policy-Processing
Turn-off-printing-over-HTTP
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalPolicyMerge
(1)Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Customized Settings (2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalIPsecPolicyMerge
Public-Profile-Apply-Local-Connection-Security-Rules
(1) Computer Configuration\Administrative Templates\System\Logon (2)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableLocalMachineRun
(1) Computer Configuration\Administrative Templates\System\Logon (2)HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableLocalMachineRunOnce
(1) Computer Configuration\Administrative Templates\System\Group Policy (2)HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoGPOListChanges
(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices
Turn-off-Internet-download-for-Web-publishing-and-online-ordering-wizards
(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Messenger\Client!CEIP
Turn-off-the-Windows-Messenger-Customer-Experience-Improvement-Program
(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\SearchCompanion!DisableContentFileUpdates
Turn-off-Search-Companion-content-file-updates
(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting
(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload
Turn-off-downloading-of-print-drivers-over-HTTP
Require-trusted-path-for-credential-entry
Do-not-allow-passwords-to-be-saved
Do-not-allow-drive-redirection
(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2)HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchWindowsUpdate
Turn-off-Windows-Update-device-driver-searching
(1) Computer Configuration\Administrative Templates\System\Credential User Interface (2)HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators
Enumerate-administrator-accounts-on-elevation
(1) Computer Configuration\Administrative Templates\System\Credential User Interface (2)HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnableSecureCredentialPrompting
(1) Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management (2)HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!RestrictToList
Deny-all-add-ons-unless-specifically-allowed-in-the-Add-on-List
(1) Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection (2)HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DisablePasswordSaving
(1) Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection (2)HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCdm
(1) User Configuration\Administrative Templates\System (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
(1) User Configuration\Administrative Templates\System\Power Management (2)HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Power\PromptPasswordOnResume
Prompt-for-password-on-resume-from-hibernate-suspend
(1) User Configuration\Administrative Templates\System\Attachment Manager (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation
Do-not-preserve-zone-information-in-file-attachments
(1) User Configuration\Administrative Templates\System\Attachment Manager (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\HideZoneInfoOnProperties
Hide-mechanisms-to-remove-zone-information
(1) User Configuration\Administrative Templates\System\Attachment Manager (2)HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus
Notify-antivirus-programs-when-opening-attachments
(1) User Configuration\Administrative Templates\Windows Components\Internet Explorer (2)HKEY_CURRENT_USER\Software\Microsoft\Outlook Express\BlockExeAttachments
override-audit-policy-settings
Log-Access-For-Setup-Log
Windows-Search
(1) Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options (2)HKEY_LOCAL_MACHINE\System\Currentcontrolset\Control\Lsa\SCENoApplyLegacyAuditPolicy
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup\ChannelAccess
(2)HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Windows Search Service\Start
(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Disabled
Turn-Off-Microsoft-Peer-to-Peer-Networking-Services
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WCN\UI\DisableWcnUi
Prohibit-Access-of-the-Windows-Connect-Now-Wizards
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\AllowRemoteRPC
Allow-remote-access-to-the-PnP-interface
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\DisableSystemRestore
Do-not-create-system-restore-point-when-new-device-driver-installed
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Settings\DisableSendGenericDriverNotFoundToWER
Do-not-send-Windows-Error-Report-when-generic-driver-is-installed-on-device
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\DisableWindowsUpdateAccess
Turn-Off-Access-to-All-Windows-Update-Feature
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate
Turn-Off-Automatic-Root-Certificates-Update
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer\MicrosoftEventVwrDisableLinks
Turn-Off-Event-Views-Events.asp-Links
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\HandwritingErrorReports\PreventHandwritingErrorReports
Turn-Off-Handwriting-Reconition-Error-Reporting
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\HelpSvc\Headlines
Turn-Off-Help-and-Support-Center-Did-you-Know-Content
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\HelpSvc\MicrosoftKBSearchs
Turn-Off-Help-and-Support-Center-Microsoft-Knowledge-Base-Search
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard\ExitOnMSICW
Turn-Off-Internet-Connection-Wizard-if-URL-Connection-is-Referring-to-Microsoft.com
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith
Turn-Off-Internet-File-Association-Service
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control\NoRegistration
Turn-Off-Registration-if-URL-Connection-is-Referring-to-Microsoft.com
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard
Turn-Off-the-Order-Prints-Picture-Task
(2)[HKEY_LOCAL_MACHINE | HKEY_CURRENT_USER] \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard
Turn-off-the-Publish-to-Web-task-for-files-and-folders
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\CodecDownload
Turn-Off-Windows-Movies-Maker-Automatic-Codec-Downloads
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\WebHelp
Turn-Off-Windows-Movie-Maker-Online-Web-Links
Turn-off-Windows-Startup-Sound
Allow-only-Vista-or-later-connections
Customization-Warning-Messages
Turn-on-bandwidth-optimization
Turn-on-session-logging
Prevent-IIS-Installation
Turn-Off-Active-Help
Turn-Off-Untrusted-Content
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\WebPublish
Turn-Off-Windows-Movie-Maker-Saving-to-Online-Video-Hosting-Provider
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWelcomeScreen
Do-Not-Display-the-Getting-Started-Welcome-Screen-at-Logon
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableStartupSound
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\DCSettingIndex
Require-a-Password-when-a-Computer-Wakes-On-Battery
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ACSettingIndex
Require-a-Password-when-a-Computer-Wakes-Plugged
(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\CreateEncryptedOnlyTickets
(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\UseCustomMessages
(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\UseBandwidthOptimization
(2)HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\LoggingEnabled
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\IIS\PreventIISInstall
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Assistance\Client\1.0\NoActiveHelp
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Assistance\Client\1.0\NoUntrustedContent
Turn-off-downloading-enclosures
Allow-indexing-of-encrypted-files
Turn-off-Windows-Calendar
Turn-off-Windows-Defender
Turn-off-communication-features
Turn-off-windows-mail-app
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search\PreventIndexingUncachedExchangeFolders
Prevent-indexing-uncached-Exchange-folders
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\TurnOffWinCal
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient\CorporateSQMURL
Allow-Corporate-Redirection-Customer-Experience-Improvement-Program-Uploads
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption
Turn-off-heap-termination-corruption
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior
Turn-off-shell-protocol-protected-mode
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\DisableLUAPatching
Prohibit-Non-Administrators-applying-vendorpatches
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ReportControllerMissing
Report-logon-server-not-available-during-user-logon
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail\DisableCommunities
(2)HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Mail\ManualLaunchAllowed
Turn-off-windows-meeting-space
Override-more-gadgets-Lnk
ipv6_block_protocols_41
ipv6_block_udp_3544
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WMDRM\DisableOnline
Prevent-Windows-Media-DRM-Internet-Access
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Collaboration\TurnOffWindowsCollaboration
(2)HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Collaboration\TurnOnWindowsCollaborationAuditing
Turn-on-windows-meeting-space-auditing
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffUnsignedGadgets
Disable-unpacking-installation-gadgets-not-digitally-signed
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\OverrideMoreGadgetsLink
(2)HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar\TurnOffUserInstalledGadgets
Turn-off-user-installed-windows-sidebar-gidgets
Computer Configuration\Administrative Templates\Windows Components\Digital Locker
do_not_allow_digital_locker_to_run_var
Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Components\Game Explorer
turn_off_downloading_of_game_information
Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules
Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Remotely accessible registry paths and subpaths
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode (2) defined by Local or Group Policy
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Admin Approval Mode for the Built-in Administrator account
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Behavior of the elevation prompt for standard users
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Detect application installations and prompt for elevation
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate executables that are signed and validated
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Only elevate UIAccess applications that are installed in secure locations
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Run all administrators in Admin Approval Mode
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Switch to the secure desktop when prompting for elevation
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\User Account Control: Virtualize file and registry write failures to per-user locations
(1) defined by the SeNetworkLogonRight setting in Local or Group Policy
(1) defined by the SeTcbPrivilege setting in Local or Group Policy
(1) defined by the SeIncreaseQuotaPrivilege setting in Local or Group Policy
(1) defined by the SeInteractiveLogonRight setting in Local or Group Policy
(1) defined by the SeRemoteInteractiveLogonRight setting in Local or Group Policy
(1) defined by the SeBackupPrivilege setting in Local or Group Policy
(1) defined by the SeChangeNotifyPrivilege setting in Local or Group Policy
(1) defined by the SeSystemTimePrivilege setting in Local or Group Policy
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the time zone
(1) defined by the SeCreatePagefilePrivilege setting in Local or Group Policy
(1) defined by the SeCreateTokenPrivilege setting in Local or Group Policy
(1) defined by the SeCreatePermanentPrivilege setting in Local or Group Policy
(1) defined by the SeDebugPrivilege setting in Local or Group Policy
(1) defined by the SeDenyNetworkLogonRight setting in Local or Group Policy
(1) defined by the SeDenyBatchLogonRight setting in Local or Group Policy
(1) defined by the SeDenyServiceLogonRight setting in Local or Group Policy
(1) defined by the SeDenyInteractiveLogonRight setting in Local or Group Policy
(1) defined by the SeDenyRemoteInteractiveLogonRight setting in Local or Group Policy
(1) defined by the SeRemoteShutdownPrivilege setting in Local or Group Policy
(1) defined by the SeAuditPrivilege setting in Local or Group Policy
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Increase a process working set
(1) defined by the SeIncreaseBasePriorityPrivilege setting in Local or Group Policy
(1) defined by the SeLoadDriverPrivilege setting in Local or Group Policy
(1) defined by the SeLockMemoryPrivilege setting in Local or Group Policy
(1) defined by the SeBatchLogonRight setting in Local or Group Policy
(1) defined by the SeServiceLogonRight setting in Local or Group Policy
(1) defined by the SeSecurityPrivilege setting in Local or Group Policy
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Modify an object label
(1) defined by the SeSystemEnvironmentPrivilege setting in Local or Group Policy
(1) defined by the SeManageVolumePrivilege setting in Local or Group Policy
(1) defined by the SeProfileSingleProcessPrivilege setting in Local or Group Policy
(1) defined by the SeSystemProfilePrivilege setting in Local or Group Policy
(1) defined by the SeUndockPrivilege setting in Local or Group Policy
(1) defined by the SeAssignPrimaryTokenPrivilege setting in Local or Group Policy
(1) defined by the SeRestorePrivilege setting in Local or Group Policy
(1) defined by the SeShutdownPrivilege setting in Local or Group Policy
(1) defined by the SeSynchAgentPrivilege setting in Local or Group Policy
(1) defined by the SeTakeOwnershipPrivilege setting in Local or Group Policy
(1) defined by the object's DACL (2) defined through group policy
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!(Reserved), HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!explorer.exe, HKLM\Software\Policies\Microsoft\Internet,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Protection From Zone Elevation, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION\iexplore.exe
GPO Setting: Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) driver
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA
GPO Setting: Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
GPO Setting: Computer Configuration\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now
GPO Setting: Computer Configuration\Administrative Templates\System\Group Policy\Internet Explorer Maintenance Policy Processing
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting\DoReport
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system\LogonType
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service\Approved Installation Sites for ActiveX Controls
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup\Maximum Log Size (KB)
(1) Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Device and Resource Redirection (2)HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCdm
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Defender\Configure Microsoft Spynet Reporting
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Logging
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Disable Windows Error Reporting
GPO Settings: Computer Configuration\Administrative Templates\System\Error Reporting\Display Error Notification, Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Display Error Notification
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Do not send additional data
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\SafeForScripting\
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableUserControl
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer\DisableAutoupdate
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Prevent Desktop Shortcut Creation
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventAutoRun
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure
GPO Setting: User Configuration\Administrative Templates\Windows Components\Network Sharing\Prevent users from sharing files within their profiles
(1) via auditpol
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Settings\Firewall settings\Display a notification
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Private Profile\Windows Firewall: Allow Logging - Log Dropped Packets
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogSuccessfulConnections (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Private Profile\Windows Firewall: Allow Logging - Log successful connections (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Logged successful connections
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogFilePath (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Private Profile\Windows Firewall: Allow Logging - Log file path and name (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Name
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PrivateProfile\Logging\LogFileSize (2) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging\Size limit (KB)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Public Profile\Windows Firewall: Allow Logging - Log Dropped Packets
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogSuccessfulConnections (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Public Profile\Windows Firewall: Allow Logging - Log successful connections (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Logged successful connections
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogFilePath (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Public Profile\Windows Firewall: Allow Logging - Log file path and name (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Name
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging\LogFileSize (2) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging\Size limit (KB)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents
GPO Setting: User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Help Experience Improvement Program
GPO Setting: User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Help Ratings
GPO Setting: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Create Symbolic Links
oval:com.secure-elements.oval:def:6009 account_lockout_reset_counter
oval:com.secure-elements.oval:def:6007 account_lockout_duration
oval:com.secure-elements.oval:def:6008 account_lockout_threshold
oval:com.secure-elements.oval:def:6010 audit_account_logon_events
oval:com.secure-elements.oval:def:6010 audit_account_logon_events
oval:com.secure-elements.oval:def:6011 audit_account_management
oval:com.secure-elements.oval:def:6011 audit_account_management
oval:com.secure-elements.oval:def:6012 audit_directory_service_access
oval:com.secure-elements.oval:def:6012 audit_directory_service_access
NIST SCAP Windows Vista OVAL (SCAP-WinVista-OVAL.xml rev 2007-02-06)
FDCC Windows Vista XCCDF (fdcc-accepted-content-20080110\fdcc-winvista-xccdf.xml)
oval:com.secure-elements.oval:def:6013 audit_logon_events
oval:com.secure-elements.oval:def:6013 audit_logon_events
oval:com.secure-elements.oval:def:6014 audit_object_access
oval:com.secure-elements.oval:def:6014 audit_object_access
oval:com.secure-elements.oval:def:6015 audit_policy_change
oval:com.secure-elements.oval:def:6015 audit_policy_change
oval:com.secure-elements.oval:def:6016 audit_privilege_use
oval:com.secure-elements.oval:def:6016 audit_privilege_use
oval:com.secure-elements.oval:def:6017 audit_process_tracking
oval:com.secure-elements.oval:def:6017 audit_process_tracking
oval:com.secure-elements.oval:def:6018 audit_system_events
oval:com.secure-elements.oval:def:6018 audit_system_events
oval:com.secure-elements.oval:def:6509
oval:com.secure-elements.oval:def:6506 maximum_application_log_size
oval:com.secure-elements.oval:def:6512
oval:com.secure-elements.oval:def:6511
oval:com.secure-elements.oval:def:6507 maximum_security_log_size
oval:com.secure-elements.oval:def:6513
oval:com.secure-elements.oval:def:6510
oval:com.secure-elements.oval:def:6508 maximum_system_log_size
oval:com.secure-elements.oval:def:6514
oval:com.secure-elements.oval:def:6002 password-maximum_age
oval:com.secure-elements.oval:def:6003 password-minimum-age
oval:com.secure-elements.oval:def:6006 password-minimum-length
oval:com.secure-elements.oval:def:6004 password_complexity
oval:com.secure-elements.oval:def:6001 password_enforce_history
oval:com.secure-elements.oval:def:6005 password_reversible_encryption
oval:com.secure-elements.oval:def:6601 do_not_allow_windows_messenger_to_be_run
oval:com.secure-elements.oval:def:6595 Disable-remote-Desktop-Sharing
oval:com.secure-elements.oval:def:6071
oval:com.secure-elements.oval:def:6070 do-not-allow-anonymous-enumeration-sam
anonymous_sid_name_translation
oval:com.secure-elements.oval:def:6020 guest-account-status
oval:com.secure-elements.oval:def:6019
oval:com.secure-elements.oval:def:6042 message-title-users-attempting-logon
oval:com.secure-elements.oval:def:6041 message-text-users-attempting-logon
oval:com.secure-elements.oval:def:6054 enable-automatic-logon
do-not-allow-anonymous-enumeration-sam-accounts-shares
turn_off_autoplay
oval:com.secure-elements.oval:def:6057 enable-icmp-redirect
oval:com.secure-elements.oval:def:6055 disable-ip-source-routing
oval:com.secure-elements.oval:def:6063 perform-router-discovery
oval:com.secure-elements.oval:def:6039 do-not-display-last-user-name
oval:com.secure-elements.oval:def:6058 hide-system-from-browse-list
oval:com.secure-elements.oval:def:6056 enable-dead-gw-detect
oval:com.secure-elements.oval:def:6059 keep-alive-time
oval:com.secure-elements.oval:def:6061 no-name-release-on-demand
oval:com.secure-elements.oval:def:6066 syn-attack-protect
oval:com.secure-elements.oval:def:6069 warning-level
oval:com.secure-elements.oval:def:6064 safe-dll-search-mode
oval:com.secure-elements.oval:def:6022 rename-administrator
oval:com.secure-elements.oval:def:6023 rename-guest
oval:com.secure-elements.oval:def:6050
oval:com.secure-elements.oval:def:6024 audit-access-global-system-objects
oval:com.secure-elements.oval:def:6574, oval:com.secure-elements.oval:def:6060
amount-of-idle-time-required-before-suspending-session
oval:com.secure-elements.oval:def:6025 audit-use-backup-restore-privilege
oval:com.secure-elements.oval:def:6040 do-not-require-ctrlaltdel
oval:com.secure-elements.oval:def:6030 prevent-users-installing-printers
oval:com.secure-elements.oval:def:6031 restrict-cdrom-access-local-users-only
oval:com.secure-elements.oval:def:6032 restrict-floppy-access-local-users-only
oval:com.secure-elements.oval:def:6038 require-strong-session-key
oval:com.secure-elements.oval:def:6049
oval:com.secure-elements.oval:def:6044
oval:com.secure-elements.oval:def:6027 shutdown-system-unable-log-audits
oval:com.secure-elements.oval:def:6047 digitally-sign-communications-client-always
oval:com.secure-elements.oval:def:6048
send-unencrypted-password-to-third-party-smb-servers
prompt-user-to-change-password-before-expiration
digitally-sign-communications-client-server-agrees
oval:com.secure-elements.oval:def:6051 digitally-sign-communications-server-always
oval:com.secure-elements.oval:def:6052
oval:com.secure-elements.oval:def:6043 number-of-previous-logons-to-cache
oval:com.secure-elements.oval:def:6029 allow-format-eject-removable-media
oval:com.secure-elements.oval:def:6034
oval:com.secure-elements.oval:def:6033
oval:com.secure-elements.oval:def:6035 digitally-sign-secure-channel-data-when-possible
oval:com.secure-elements.oval:def:6046 smart-card-removal-behaviour
oval:com.secure-elements.oval:def:6036 disable-machine-account-password-changes
oval:com.secure-elements.oval:def:6021 limit-blank-password-use
oval:com.secure-elements.oval:def:6028 allow-undock-no-logon
digitally-sign-communications-server-client-agrees
digitally-encrypt-or-sign-secure-channel-data-always
digitally-encrypt-secure-channel-data-when-possible
oval:com.secure-elements.oval:def:6037 maximum_machine-account-password-age
oval:com.secure-elements.oval:def:6045 require-domain-controller-authentication-to-unlock
oval:com.secure-elements.oval:def:6053 disconnect-client-when-logon-hours-expire
oval:com.secure-elements.oval:def:6072
oval:com.secure-elements.oval:def:6073
oval:com.secure-elements.oval:def:6074 named-pipes-accessed-anonymously
Remotely-accessible-registry-paths
Shares-that-can-be-accessed-anonymously
oval:com.secure-elements.oval:def:6079 Sharing-and-security-model-for-local-accounts
oval:com.secure-elements.oval:def:6080
oval:com.secure-elements.oval:def:6081 Force-logoff-when-logon-hours-expire
oval:com.secure-elements.oval:def:6065 screen_save_timeout
do-not-allow-storage-credentials-net-passports-network-authn
let-everyone-permissions-apply-to-anonymous-users
oval:com.secure-elements.oval:def:6075, oval:com.secure-elements.oval:def:6076
Do-not-store-LAN-Manager-hash-value-on-next-password-change
oval:com.secure-elements.oval:def:6599
oval:com.secure-elements.oval:def:6564 solicited_remote_assistance
oval:com.secure-elements.oval:def:6563 offer_remote_assistance
oval:com.secure-elements.oval:def:6604
oval:com.secure-elements.oval:def:6603
oval:com.secure-elements.oval:def:6602
oval:com.secure-elements.oval:def:6605
oval:com.secure-elements.oval:def:6606
MachineAccessRestrictions
MachineLaunchRestrictions
Always-prompt-client-for-password-upon-connection
oval:com.secure-elements.oval:def:6082
oval:com.secure-elements.oval:def:6077
oval:com.secure-elements.oval:def:6067 tcp-max-connect-response-retransmissions
oval:com.secure-elements.oval:def:6068 tcp-max-data-retransmissions
oval:com.secure-elements.oval:def:6062 ntfs-disable-8dot3-name-creation
oval:com.secure-elements.oval:def:6566 rpc_endpoint_mapper_client_authentication
oval:com.secure-elements.oval:def:6565 restrictions_for_unauthenticated_rpc_clients
oval:com.secure-elements.oval:def:6544
oval:com.secure-elements.oval:def:6541
oval:com.secure-elements.oval:def:6537
Restrict-anonymous-access-to-Named-Pipes-and-Shares
oval:com.secure-elements.oval:def:6547, oval:com.secure-elements.oval:def:6515
oval:com.secure-elements.oval:def:6536
oval:com.secure-elements.oval:def:6538
oval:com.secure-elements.oval:def:6539
oval:com.secure-elements.oval:def:6545, oval:com.secure-elements.oval:def:6518
oval:com.secure-elements.oval:def:6542
oval:com.secure-elements.oval:def:6540
oval:com.secure-elements.oval:def:6559
oval:com.secure-elements.oval:def:6556
oval:com.secure-elements.oval:def:6555
oval:com.secure-elements.oval:def:6549
oval:com.secure-elements.oval:def:6550
oval:com.secure-elements.oval:def:6551
oval:com.secure-elements.oval:def:6557
oval:com.secure-elements.oval:def:6558
oval:com.secure-elements.oval:def:6554
oval:com.secure-elements.oval:def:6546, oval:com.secure-elements.oval:def:6519
oval:com.secure-elements.oval:def:6548, oval:com.secure-elements.oval:def:6553
oval:com.secure-elements.oval:def:6552
oval:com.secure-elements.oval:def:6516
oval:com.secure-elements.oval:def:6517
oval:com.secure-elements.oval:def:6520
oval:com.secure-elements.oval:def:6521
oval:com.secure-elements.oval:def:6522
oval:com.secure-elements.oval:def:6523
oval:com.secure-elements.oval:def:6524
oval:com.secure-elements.oval:def:6525
oval:com.secure-elements.oval:def:6526
oval:com.secure-elements.oval:def:6527
oval:com.secure-elements.oval:def:6528
oval:com.secure-elements.oval:def:6529
oval:com.secure-elements.oval:def:6530
oval:com.secure-elements.oval:def:6531
oval:com.secure-elements.oval:def:6532
oval:com.secure-elements.oval:def:6533
oval:com.secure-elements.oval:def:6534
oval:com.secure-elements.oval:def:6535
oval:com.secure-elements.oval:def:6560
oval:com.secure-elements.oval:def:6561 do_not_process_run_once_list
oval:com.secure-elements.oval:def:6562
oval:com.secure-elements.oval:def:6568
oval:com.secure-elements.oval:def:6569
oval:com.secure-elements.oval:def:6570 Turn-off-Search-Companion-content-file-updates
oval:com.secure-elements.oval:def:6571 Turn-off-printing-over-HTTP
oval:com.secure-elements.oval:def:6572 turn_off_downloading_of_print_drivers_over_http
Turn-off-Internet-download-for-Web-publishing-and-online-ordering-wizards
Turn-off-the-Windows-Messenger-Customer-Experience-Improvement-Program
oval:com.secure-elements.oval:def:6573
oval:com.secure-elements.oval:def:6575 enumerate_administrator_accounts_on_elevation
oval:com.secure-elements.oval:def:6576
oval:com.secure-elements.oval:def:6594
oval:com.secure-elements.oval:def:6596 Do-not-allow-passwords-to-be-saved
oval:com.secure-elements.oval:def:6598
oval:com.secure-elements.oval:def:6500
oval:com.secure-elements.oval:def:6714
oval:com.secure-elements.oval:def:6502
oval:com.secure-elements.oval:def:6503 hide_mechanisms_to_remove_zone_information
oval:com.secure-elements.oval:def:6504
oval:com.secure-elements.oval:def:6505
Turn-off-Windows-Update-device-driver-searching
prompt_for_password_on_resume_from_hibernate_suspend
do_not_preserve_zone_information_in_file_attachments
notify_antivirus_programs_when_opening_attachments
oval:com.secure-elements.oval:def:6026 override-audit-policy-settings
oval:com.secure-elements.oval:def:6701
oval:com.secure-elements.oval:def:6148
oval:com.secure-elements.oval:def:6662
oval:com.secure-elements.oval:def:6665
oval:com.secure-elements.oval:def:6667 allow_remote_access_to_the_pnp_interface
oval:com.secure-elements.oval:def:6668
oval:com.secure-elements.oval:def:6669
oval:com.secure-elements.oval:def:6673
oval:com.secure-elements.oval:def:6674 turn_off_automatic_root_certificates_update
oval:com.secure-elements.oval:def:6675 turn_off_event_views_events.asp_links
turn_off_microsoft_peer_to_peer_networking_services
prohibit_access_of_the_windows_connect_now_wizards
do_not_create_system_restore_point_when_new_device_driver_installed
do_not_send_windows_error_report_when_generic_driver_is_installed_on_device
oval:com.secure-elements.oval:def:6676 turn_off_handwriting_reconition_error_reporting
oval:com.secure-elements.oval:def:6677
oval:com.secure-elements.oval:def:6678
oval:com.secure-elements.oval:def:6679
oval:com.secure-elements.oval:def:6680 Turn-Off-Internet-File-Association-Service
oval:com.secure-elements.oval:def:6681
oval:com.secure-elements.oval:def:6682 Turn-Off-the-Order-Prints-Picture-Task
oval:com.secure-elements.oval:def:6567
oval:com.secure-elements.oval:def:6696
oval:com.secure-elements.oval:def:6684
turn_off_internet_connection_wizard_if_url_connection_is_referring_to_microsoft.com
Turn-Off-Registration-if-URL-Connection-is-Referring-to-Microsoft.com
Turn-off-the-Publish-to-Web-task-for-files-and-folders
Turn-Off-Windows-Movies-Maker-Automatic-Codec-Downloads
Turn-Off-Windows-Movie-Maker-Online-Web-Links
oval:com.secure-elements.oval:def:6697
oval:com.secure-elements.oval:def:6687
oval:com.secure-elements.oval:def:6688 Turn-off-Windows-Startup-Sound
oval:com.secure-elements.oval:def:6689
oval:com.secure-elements.oval:def:6690
oval:com.secure-elements.oval:def:6691
oval:com.secure-elements.oval:def:6692
oval:com.secure-elements.oval:def:6693
oval:com.secure-elements.oval:def:6694 turn_on_session_logging
oval:com.secure-elements.oval:def:6107 Prevent-IIS-Installation
oval:com.secure-elements.oval:def:6108
oval:com.secure-elements.oval:def:6109 turn_off_untrusted_content
Turn-Off-Windows-Movie-Maker-Saving-to-Online-Video-Hosting-Provider
Do-Not-Display-the-Getting-Started-Welcome-Screen-at-Logon
Require-a-Password-when-a-Computer-Wakes-On-Battery
Require-a-Password-when-a-Computer-Wakes-Plugged
oval:com.secure-elements.oval:def:6110 turn_off_downloading_enclosures
oval:com.secure-elements.oval:def:6704 Allow-indexing-of-encrypted-files
oval:com.secure-elements.oval:def:6705 Prevent-indexing-uncached-Exchange-folders
oval:com.secure-elements.oval:def:6111
oval:com.secure-elements.oval:def:6112
oval:com.secure-elements.oval:def:6113
oval:com.secure-elements.oval:def:6118 turn_off_heap_termination_corruption
oval:com.secure-elements.oval:def:6119 turn_off_shell_protocol_protected_mode
oval:com.secure-elements.oval:def:6122
oval:com.secure-elements.oval:def:6123
oval:com.secure-elements.oval:def:6124 turn_off_communities_features
oval:com.secure-elements.oval:def:6125 turn_off_windows_mail_app
prohibit_non_administrators_install_signed_updates
report_logon_server_not_available_during_user_logon
oval:com.secure-elements.oval:def:6126 prevent_windows_media_drm_internet_access
oval:com.secure-elements.oval:def:6127 turn_off_windows_meeting_space
oval:com.secure-elements.oval:def:6128
oval:com.secure-elements.oval:def:6129
oval:com.secure-elements.oval:def:6130 override_more_gadgets_lnk
oval:com.secure-elements.oval:def:6131
oval:gov.nist.fdcc.vista:def:6698 do_not_allow_digital_locker_to_run
oval:gov.nist.fdcc.vista:def:6703 turn_off_downloading_of_game_information
oval:gov.nist.fdcc.vistafirewall:def:6491
oval:gov.nist.fdcc.vistafirewall:def:6492
kerberos-enforce-user-logon-restrictions
kerberos_maximum_lifetime_service_ticket
disable_unpacking_installation_gadgets_not_digitally_signed
turn_off_user_installed_windows_sidebar_gidgets
kerberos_maximum_lifetime_user_ticket
kerberos_maximum_lifetime_user_ticket_renewal
allow-automatic-detection-mtu-size
enable-nodefaultexempt-IPSec-Filtering
Lan-manager-authentication-level
LDAP-client-signing-requirements
minimum-session-security-ntlm-ssp-based-clients
recovery-console-allow-administrative-logon
kerberos_maximum_tolerance_computer_clock_synchronization
Remotely-accessible-registry-paths-and-sub-paths
minimum-session-security-ntlm-ssp-based-servers
recovery-console-allow-floppy-copy-access-all-drives-folders
shutdown-allow-system-shutdown-without-having-logon
shutdown-clear-virtual-memory-page
system-cryptography-use-fips-compliant-alorithm
system-objects-require-case-insesitivity
admin_approval_mode
behavior_elevation_prompt_administrators
behavior_elevation_prompt_standard_users
detect_application_installations_prompt_elevation
only_elevate_executables_signed_validated
system-objects-strengthen-default-permissions-internal-system-objects
only_elevate_uiaccess_applications
run_administrators_admin_approval_mode
switch_secure_desktop_prompting_elevation
virtualize_write_failures_per_user_locations
Access-Computer-From-Network-Administrators
Act-As-Part-Of-Operating-System-None
Allow-Log-On-Locally-Administrators-Users
Back-Up-Files-And-Directories-Administrators
Adjust-Memory-Quotas-Administrators-LocalService-NetworkService
Allow-Log-On-Through-Terminal-Services-Administrators-RemoteDesktopUsers
Create-Pagefile-Administrators
Create-Token-Object-None
Create-Permanent-Shared-Objects-None
Debug-Programs-None
Deny-Access-From-Network-Guests
Deny-Logon-As-Batch-Job-Guests
deny_logon_as_service_none
Deny-Logon-Locally-Guests
Bypass-Traverse-Checking-Administrators_Users_LocalService_NetworkService
Change-System-Time-LocalService-Administrators
Change-Time-Zone-Administrators_Users_LocalService
Create-Global-Objects-Administrators-SERVICE-LocalService-NetworkService
Deny-Logon-Through-Terminal-Services-Guest
Increase-Scheduling-Priority-Administrators
Load-And-Unload-Device-Drivers-Administrators
Lock-Pages-In-Memory-None
Log-On-As-Batch-Job-None
Log-On-As-Service-None
Modify-Object-Label-None
Force-Shutdown-From-Remote-System-Administrators
Generate-Security-Audits-LocalService-NetworkService
Impersonate-Client-After-Authentication-Administrators-SERVICE-LocalService-NetworkService
Increase-Process-Working-Set-Administrators_LocalService
Manage-Auditing-And-Security-Log-Administrators
Profile-Single-Process-Administrators
Profile-System-Performance-Administrators
Restore-Files-And-Directories-Administrators
Shut-Down-System-Administrators-Users
Synchronize-Directory-Service-Data-None
Take-Ownership-Of-Files-Administrators
wlan_autoconfig
Modify-Firmware-Environment-Values-Administrators
Perform-Volume-Maintenance-Tasks-Administrators
Remove-Computer-From-Docking-Station-Administrators-Users
Replace-Process-Level-Token-NetworkService-LocalService
turn_on_mapper_io_lltdio_driver
turn_on_responder_rspndr_driver
prohibit_installation_network_bridge
prohibit_internet_connection_firewall
prohibit_internet_connection_sharing
configuration_of_wireless_settings_using_windows_connect_now
turn_off_windows_error_reporting
Always-Use-Classic-Logon
approved_installation_sites_for_activex_controls
maximum_setup_log_size
Do-not-allow-drive-redirection
Set-client-connection-encryption-level
set_timelimit_for_disconnected_sessions
configure_ms_spynet_reporting
disable_logging
internet_explorer_maintenance_policy_processing_enabled
set_timelimit_for_active_but_idle_terminal_services_sessions
disable_windows_error_reporting
display_error_notification
do_not_send_additional_data
enable_user_control_over_installs
do_not_show_first_use_dialog_boxes
prevent_automatic_updates
prevent_desktop_shortcut_creation
password_protect_the_screen_saver
disable_ie_security_prompt_windows_installer_scripts
do_not_automatically_start_windows_messenger_initially
prevent_users_from_sharing_files_within_their_profile
application-group-management
application-group-management
computer-account-management
computer-account-management
distribution-group-management
distribution-group-management
other-account-management-events
other-account-management-events
security-group-management
security-group-management
user-account-management
user-account-management
dpapi-activity
dpapi-activity
process-creation
process-creation
process-termination
process-termination
rpc-events
rpc-events
detailed-directory-service-replication
detailed-directory-service-replication
directory-service-access
directory-service-access
directory-service-changes
directory-service-changes
directory-service-replication
directory-service-replication
account-lockout
account-lockout
ipsec-extended-mode
ipsec-extended-mode
ipsec-main-mode
ipsec-main-mode
ipsec-quick-mode
ipsec-quick-mode
logoff
logoff
logon
logon
other-logon-logoff-events
other-logon-logoff-events
special-logon
special-logon
application-generated
application-generated
certification-services
certification-services
file-share
file-share
file-system
file-system
filtering-platform-connection
filtering-platform-connection
filtering-platform-packet-drop
filtering-platform-packet-drop
handle-manipulation
handle-manipulation
kernel-object
kernel-object
other-object-access-events
other-object-access-events
registry
registry
sam
sam
policy_change_audit
policy_change_audit
authentication-policy-change
authentication-policy-change
authorization-policy-change
authorization-policy-change
filtering-platform-policy-change
filtering-platform-policy-change
mpssvc-rule-level-policy-change
mpssvc-rule-level-policy-change
other-policy-change-events
other-policy-change-events
non-sensitive-privilege-use
non-sensitive-privilege-use
other-privilege-use-events
other-privilege-use-events
sensitive-privilege-use
sensitive-privilege-use
ipsec-driver
ipsec-driver
other-system-events
other-system-events
security-state-change
security-state-change
security-system-extension
security-system-extension
system-integrity
system-integrity
disable_isatap_teredo_6to4_tunneling_protocols
disable_isatap_teredo_6to4_tunneling_protocols
disable_isatap_teredo_6to4_tunneling_protocols
turn_off_help_experience_improvement_program
oval:gov.nist.fdcc.vista:def:6009
oval:gov.nist.fdcc.vista:def:6007
oval:gov.nist.fdcc.vista:def:6008
oval:gov.nist.fdcc.vista:def:27
oval:gov.nist.fdcc.vista:def:27
oval:gov.nist.fdcc.vista:def:29
oval:gov.nist.fdcc.vista:def:29
oval:gov.nist.fdcc.vista:def:30
oval:gov.nist.fdcc.vista:def:30
FDCC Windows Vista OVAL (fdcc-accepted-content-20080110\fdcc-winvista-oval.xml)
FDCC Windows Vista Firewall XCCDF (fdcc-accepted-content-20080110\fdcc-vistafirewall-xccdf.xml)
oval:gov.nist.fdcc.vista:def:32
oval:gov.nist.fdcc.vista:def:32
oval:gov.nist.fdcc.vista:def:34
oval:gov.nist.fdcc.vista:def:34
oval:gov.nist.fdcc.vista:def:35
oval:gov.nist.fdcc.vista:def:35
oval:gov.nist.fdcc.vista:def:36
oval:gov.nist.fdcc.vista:def:36
oval:gov.nist.fdcc.vista:def:40
oval:gov.nist.fdcc.vista:def:40
oval:gov.nist.fdcc.vista:def:37
oval:gov.nist.fdcc.vista:def:37
oval:gov.nist.fdcc.vista:def:197
oval:gov.nist.fdcc.vista:def:198
oval:gov.nist.fdcc.vista:def:199
oval:gov.nist.fdcc.vista:def:6002
oval:gov.nist.fdcc.vista:def:6003
oval:gov.nist.fdcc.vista:def:6006
oval:gov.nist.fdcc.vista:def:6004
oval:gov.nist.fdcc.vista:def:6001
oval:gov.nist.fdcc.vista:def:6005
oval:gov.nist.fdcc.vista:def:6601
oval:gov.nist.fdcc.vista:def:6595
oval:gov.nist.fdcc.vista:def:6071
oval:gov.nist.fdcc.vista:def:6070
oval:gov.nist.fdcc.vista:def:6106
oval:gov.nist.fdcc.vista:def:6020
oval:gov.nist.fdcc.vista:def:6042
oval:gov.nist.fdcc.vista:def:6041
oval:gov.nist.fdcc.vista:def:6054
oval:gov.nist.fdcc.vista:def:6574
oval:gov.nist.fdcc.vista:def:6057
oval:gov.nist.fdcc.vista:def:6055
oval:gov.nist.fdcc.vista:def:6063
oval:gov.nist.fdcc.vista:def:6039
oval:gov.nist.fdcc.vista:def:6058
oval:gov.nist.fdcc.vista:def:6056
oval:gov.nist.fdcc.vista:def:6059
oval:gov.nist.fdcc.vista:def:6061
oval:gov.nist.fdcc.vista:def:6066
oval:gov.nist.fdcc.vista:def:6069
oval:gov.nist.fdcc.vista:def:6064
oval:gov.nist.fdcc.vista:def:6022
oval:gov.nist.fdcc.vista:def:6023
oval:gov.nist.fdcc.vista:def:6050
oval:gov.nist.fdcc.vista:def:6024
oval:gov.nist.fdcc.vista:def:6025
oval:gov.nist.fdcc.vista:def:6040
oval:gov.nist.fdcc.vista:def:6030
oval:gov.nist.fdcc.vista:def:6031
oval:gov.nist.fdcc.vista:def:6032
oval:gov.nist.fdcc.vista:def:6038
oval:gov.nist.fdcc.vista:def:6049
oval:gov.nist.fdcc.vista:def:6044
oval:gov.nist.fdcc.vista:def:6027
oval:gov.nist.fdcc.vista:def:6047
oval:gov.nist.fdcc.vista:def:6048
oval:gov.nist.fdcc.vista:def:6051
oval:gov.nist.fdcc.vista:def:6052
oval:gov.nist.fdcc.vista:def:6043
oval:gov.nist.fdcc.vista:def:6029
oval:gov.nist.fdcc.vista:def:6034
oval:gov.nist.fdcc.vista:def:6033
oval:gov.nist.fdcc.vista:def:6035
oval:gov.nist.fdcc.vista:def:6046
oval:gov.nist.fdcc.vista:def:6036
oval:gov.nist.fdcc.vista:def:6021
oval:gov.nist.fdcc.vista:def:6028
oval:gov.nist.fdcc.vista:def:6037
oval:gov.nist.fdcc.vista:def:6045
oval:gov.nist.fdcc.vista:def:6053
oval:gov.nist.fdcc.vista:def:6072
oval:gov.nist.fdcc.vista:def:6073
oval:gov.nist.fdcc.vista:def:6074
oval:gov.nist.fdcc.vista:def:6075
oval:gov.nist.fdcc.vista:def:60771
oval:gov.nist.fdcc.vista:def:6079
oval:gov.nist.fdcc.vista:def:6080
oval:gov.nist.fdcc.vista:def:6081
oval:gov.nist.fdcc.vista:def:6708
oval:gov.nist.fdcc.vista:def:6599
oval:gov.nist.fdcc.vista:def:6564
oval:gov.nist.fdcc.vista:def:6563
oval:gov.nist.fdcc.vista:def:608243
oval:gov.nist.fdcc.vista:def:608244
oval:gov.nist.fdcc.vista:def:6077
oval:gov.nist.fdcc.vista:def:6067
oval:gov.nist.fdcc.vista:def:6068
oval:gov.nist.fdcc.vista:def:6062
oval:gov.nist.fdcc.vista:def:6566
oval:gov.nist.fdcc.vista:def:6565
domain_profile_firewall_state
domain_profile_log_dropped_packets
domain_profile_name
domain_profile_size_limit
domain_profile_logged_successful_connections
domain_profile_inbound_connections
domain_profile_outbound_connections
domain_profile_apply_local_firewall_rules
private_profile_firewall_state
private_profile_inbound_connections
private_profile_outbound_connections
private_profile_display_notification
private_profile_allow_unicast_response
private_profile_apply_local_firewall_rules
public_profile_firewall_state
public_profile_inbound_connections
public_profile_outbound_connections
public_profile_display_notification
public_profile_allow_unicast_response
private_profile_apply_local_connection_security_rules
public_profile_apply_local_firewall_rules
oval:gov.nist.fdcc.vista:def:6561
oval:gov.nist.fdcc.vista:def:6568
oval:gov.nist.fdcc.vista:def:6569
oval:gov.nist.fdcc.vista:def:6570
oval:gov.nist.fdcc.vista:def:6571
oval:gov.nist.fdcc.vista:def:6572
public_profile_apply_local_connection_security_rules
oval:gov.nist.fdcc.vista:def:6573
oval:gov.nist.fdcc.vista:def:6575
oval:gov.nist.fdcc.vista:def:6596
oval:gov.nist.fdcc.vista:def:6714
oval:gov.nist.fdcc.vista:def:6502
oval:gov.nist.fdcc.vista:def:6503
oval:gov.nist.fdcc.vista:def:6504
oval:gov.nist.fdcc.vista:def:6026
oval:gov.nist.fdcc.vista:def:6662
oval:gov.nist.fdcc.vista:def:6666
oval:gov.nist.fdcc.vista:def:6667
oval:gov.nist.fdcc.vista:def:6668
oval:gov.nist.fdcc.vista:def:6669
oval:gov.nist.fdcc.vista:def:6674
oval:gov.nist.fdcc.vista:def:6675
oval:gov.nist.fdcc.vista:def:6676
oval:gov.nist.fdcc.vista:def:6679
oval:gov.nist.fdcc.vista:def:6680
oval:gov.nist.fdcc.vista:def:6681
oval:gov.nist.fdcc.vista:def:6682
oval:gov.nist.fdcc.vista:def:6567
oval:gov.nist.fdcc.vista:def:6696
oval:gov.nist.fdcc.vista:def:6684
oval:gov.nist.fdcc.vista:def:6697
oval:gov.nist.fdcc.vista:def:6687
oval:gov.nist.fdcc.vista:def:6688
oval:gov.nist.fdcc.vista:def:6689
oval:gov.nist.fdcc.vista:def:6690
oval:gov.nist.fdcc.vista:def:6694
oval:gov.nist.fdcc.vista:def:6107
oval:gov.nist.fdcc.vista:def:6109
oval:gov.nist.fdcc.vista:def:6110
oval:gov.nist.fdcc.vista:def:6704
oval:gov.nist.fdcc.vista:def:6705
oval:gov.nist.fdcc.vista:def:6118
oval:gov.nist.fdcc.vista:def:6119
oval:gov.nist.fdcc.vista:def:6122
oval:gov.nist.fdcc.vista:def:6123
oval:gov.nist.fdcc.vista:def:6124
oval:gov.nist.fdcc.vista:def:6125
oval:gov.nist.fdcc.vista:def:6126
oval:gov.nist.fdcc.vista:def:6127
oval:gov.nist.fdcc.vista:def:6129
oval:gov.nist.fdcc.vista:def:6130
oval:gov.nist.fdcc.vista:def:6131
oval:gov.nist.fdcc.vista:def:6698
oval:gov.nist.fdcc.vista:def:6703
ipv6_block_protocols_41
ipv6_block_udp_3544
oval:gov.nist.fdcc.vista:def:987651
oval:gov.nist.fdcc.vista:def:987652
oval:gov.nist.fdcc.vista:def:987653
oval:gov.nist.fdcc.vista:def:987654
oval:gov.nist.fdcc.vista:def:987655
oval:gov.nist.fdcc.vista:def:407
oval:gov.nist.fdcc.vista:def:116
oval:gov.nist.fdcc.vista:def:6076
oval:gov.nist.fdcc.vista:def:6094
oval:gov.nist.fdcc.vista:def:6095
oval:gov.nist.fdcc.vista:def:6096
oval:gov.nist.fdcc.vista:def:6097
oval:gov.nist.fdcc.vista:def:6098
oval:gov.nist.fdcc.vista:def:6099
oval:gov.nist.fdcc.vista:def:6100
oval:gov.nist.fdcc.vista:def:6101
oval:gov.nist.fdcc.vista:def:6102
oval:gov.nist.fdcc.vista:def:6104
oval:gov.nist.fdcc.vista:def:6105
oval:gov.nist.fdcc.vista:def:8081
oval:gov.nist.fdcc.vista:def:8082
oval:gov.nist.fdcc.vista:def:8083
oval:gov.nist.fdcc.vista:def:8084
oval:gov.nist.fdcc.vista:def:8085
oval:gov.nist.fdcc.vista:def:8086
oval:gov.nist.fdcc.vista:def:8087
oval:gov.nist.fdcc.vista:def:8088
oval:gov.nist.fdcc.vista:def:8089
oval:gov.nist.fdcc.vista:def:6607
oval:gov.nist.fdcc.vista:def:6609
oval:gov.nist.fdcc.vista:def:6612
oval:gov.nist.fdcc.vista:def:6613
oval:gov.nist.fdcc.vista:def:6616
oval:gov.nist.fdcc.vista:def:6617
oval:gov.nist.fdcc.vista:def:6621
oval:gov.nist.fdcc.vista:def:6623
oval:gov.nist.fdcc.vista:def:662381
oval:gov.nist.fdcc.vista:def:6624
oval:gov.nist.fdcc.vista:def:6625
oval:gov.nist.fdcc.vista:def:6626
oval:gov.nist.fdcc.vista:def:6627
oval:gov.nist.fdcc.vista:def:6628
oval:gov.nist.fdcc.vista:def:6630
oval:gov.nist.fdcc.vista:def:6631
oval:gov.nist.fdcc.vista:def:6633
oval:gov.nist.fdcc.vista:def:6634
oval:gov.nist.fdcc.vista:def:6636
oval:gov.nist.fdcc.vista:def:6638
oval:gov.nist.fdcc.vista:def:6639
oval:gov.nist.fdcc.vista:def:6640
oval:gov.nist.fdcc.vista:def:662391
oval:gov.nist.fdcc.vista:def:6641
oval:gov.nist.fdcc.vista:def:6642
oval:gov.nist.fdcc.vista:def:6643
oval:gov.nist.fdcc.vista:def:6644
oval:gov.nist.fdcc.vista:def:6647
oval:gov.nist.fdcc.vista:def:6648
oval:gov.nist.fdcc.vista:def:662371
oval:gov.nist.fdcc.vista:def:6649
oval:gov.nist.fdcc.vista:def:6650
oval:gov.nist.fdcc.vista:def:6651
oval:gov.nist.fdcc.vista:def:6652
oval:gov.nist.fdcc.vista:def:6653
oval:gov.nist.fdcc.vista:def:6654
oval:gov.nist.fdcc.vista:def:6655
oval:gov.nist.fdcc.vista:def:6657
oval:gov.nist.fdcc.vista:def:6658
oval:gov.nist.fdcc.vista:def:6659
oval:gov.nist.fdcc.vista:def:61481
oval:gov.nist.fdcc.vista:def:6660
oval:gov.nist.fdcc.vista:def:6661
oval:gov.nist.fdcc.vista:def:3366991
oval:gov.nist.fdcc.vista:def:3366992
oval:gov.nist.fdcc.vista:def:3366993
oval:gov.nist.fdcc.vista:def:6665
oval:gov.nist.fdcc.vista:def:6671
oval:gov.nist.fdcc.vista:def:6683
oval:gov.nist.fdcc.vista:def:6686
oval:gov.nist.fdcc.vista:def:6695
oval:gov.nist.fdcc.vista:def:19898
oval:gov.nist.fdcc.vista:def:6598
oval:gov.nist.fdcc.vista:def:6600
oval:gov.nist.fdcc.vista:def:6726
oval:gov.nist.fdcc.vista:def:6725
oval:gov.nist.fdcc.vista:def:6727
oval:gov.nist.fdcc.vista:def:6114
oval:gov.nist.fdcc.vista:def:6115
oval:gov.nist.fdcc.vista:def:3366994
oval:gov.nist.fdcc.vista:def:6117
oval:gov.nist.fdcc.vista:def:6120
oval:gov.nist.fdcc.vista:def:6121
oval:gov.nist.fdcc.vista:def:612261221
oval:gov.nist.fdcc.vista:def:612261222
oval:gov.nist.fdcc.vista:def:612261223
oval:gov.nist.fdcc.vista:def:612261224
oval:gov.nist.fdcc.vista:def:6707
oval:gov.nist.fdcc.vista:def:6715
oval:gov.nist.fdcc.vista:def:8001
oval:gov.nist.fdcc.vista:def:8001
oval:gov.nist.fdcc.vista:def:8002
oval:gov.nist.fdcc.vista:def:8002
oval:gov.nist.fdcc.vista:def:8003
oval:gov.nist.fdcc.vista:def:8003
oval:gov.nist.fdcc.vista:def:8004
oval:gov.nist.fdcc.vista:def:8004
oval:gov.nist.fdcc.vista:def:8005
oval:gov.nist.fdcc.vista:def:8005
oval:gov.nist.fdcc.vista:def:8006
oval:gov.nist.fdcc.vista:def:8006
oval:gov.nist.fdcc.vista:def:8007
oval:gov.nist.fdcc.vista:def:8007
oval:gov.nist.fdcc.vista:def:8008
oval:gov.nist.fdcc.vista:def:8008
oval:gov.nist.fdcc.vista:def:8009
oval:gov.nist.fdcc.vista:def:8009
oval:gov.nist.fdcc.vista:def:8010
oval:gov.nist.fdcc.vista:def:8010
oval:gov.nist.fdcc.vista:def:8011
oval:gov.nist.fdcc.vista:def:8011
oval:gov.nist.fdcc.vista:def:8012
oval:gov.nist.fdcc.vista:def:8012
oval:gov.nist.fdcc.vista:def:8013
oval:gov.nist.fdcc.vista:def:8013
oval:gov.nist.fdcc.vista:def:8014
oval:gov.nist.fdcc.vista:def:8014
oval:gov.nist.fdcc.vista:def:8015
oval:gov.nist.fdcc.vista:def:8015
oval:gov.nist.fdcc.vista:def:8016
oval:gov.nist.fdcc.vista:def:8016
oval:gov.nist.fdcc.vista:def:8017
oval:gov.nist.fdcc.vista:def:8017
oval:gov.nist.fdcc.vista:def:8018
oval:gov.nist.fdcc.vista:def:8018
oval:gov.nist.fdcc.vista:def:8019
oval:gov.nist.fdcc.vista:def:8019
oval:gov.nist.fdcc.vista:def:8020
oval:gov.nist.fdcc.vista:def:8020
oval:gov.nist.fdcc.vista:def:8021
oval:gov.nist.fdcc.vista:def:8021
oval:gov.nist.fdcc.vista:def:8022
oval:gov.nist.fdcc.vista:def:8022
oval:gov.nist.fdcc.vista:def:8023
oval:gov.nist.fdcc.vista:def:8023
oval:gov.nist.fdcc.vista:def:8024
oval:gov.nist.fdcc.vista:def:8024
oval:gov.nist.fdcc.vista:def:8025
oval:gov.nist.fdcc.vista:def:8025
oval:gov.nist.fdcc.vista:def:8026
oval:gov.nist.fdcc.vista:def:8026
oval:gov.nist.fdcc.vista:def:8027
oval:gov.nist.fdcc.vista:def:8027
oval:gov.nist.fdcc.vista:def:8028
oval:gov.nist.fdcc.vista:def:8028
oval:gov.nist.fdcc.vista:def:8029
oval:gov.nist.fdcc.vista:def:8029
oval:gov.nist.fdcc.vista:def:8030
oval:gov.nist.fdcc.vista:def:8030
oval:gov.nist.fdcc.vista:def:8031
oval:gov.nist.fdcc.vista:def:8031
oval:gov.nist.fdcc.vista:def:8032
oval:gov.nist.fdcc.vista:def:8032
oval:gov.nist.fdcc.vista:def:8033
oval:gov.nist.fdcc.vista:def:8033
oval:gov.nist.fdcc.vista:def:8034
oval:gov.nist.fdcc.vista:def:8034
oval:gov.nist.fdcc.vista:def:8035
oval:gov.nist.fdcc.vista:def:8035
oval:gov.nist.fdcc.vista:def:8036
oval:gov.nist.fdcc.vista:def:8036
oval:gov.nist.fdcc.vista:def:8037
oval:gov.nist.fdcc.vista:def:8037
oval:gov.nist.fdcc.vista:def:8038
oval:gov.nist.fdcc.vista:def:8038
oval:gov.nist.fdcc.vista:def:8039
oval:gov.nist.fdcc.vista:def:8039
oval:gov.nist.fdcc.vista:def:8040
oval:gov.nist.fdcc.vista:def:8040
oval:gov.nist.fdcc.vista:def:8041
oval:gov.nist.fdcc.vista:def:8041
oval:gov.nist.fdcc.vista:def:8042
oval:gov.nist.fdcc.vista:def:8042
oval:gov.nist.fdcc.vista:def:8043
oval:gov.nist.fdcc.vista:def:8043
oval:gov.nist.fdcc.vista:def:8044
oval:gov.nist.fdcc.vista:def:8044
oval:gov.nist.fdcc.vista:def:8045
oval:gov.nist.fdcc.vista:def:8045
oval:gov.nist.fdcc.vista:def:8046
oval:gov.nist.fdcc.vista:def:8046
oval:gov.nist.fdcc.vista:def:8047
oval:gov.nist.fdcc.vista:def:8047
domain_profile_display_notification
private_profile_log_dropped_packets
private_profile_name
private_profile_size_limit
public_profile_log_dropped_packets
private_profile_logged_successful_connections
public_profile_name
public_profile_size_limit
oval:gov.nist.fdcc.vista:def:6566666
oval:gov.nist.fdcc.vista:def:6566666
oval:gov.nist.fdcc.vista:def:6566666
oval:gov.nist.fdcc.vista:def:8091
public_profile_logged_successful_connections
oval:gov.nist.fdcc.vistafirewall:def:6401
oval:gov.nist.fdcc.vistafirewall:def:6403
oval:gov.nist.fdcc.vistafirewall:def:6404
oval:gov.nist.fdcc.vistafirewall:def:6402
oval:gov.nist.fdcc.vistafirewall:def:6516
oval:gov.nist.fdcc.vistafirewall:def:6517
oval:gov.nist.fdcc.vistafirewall:def:6520
oval:gov.nist.fdcc.vistafirewall:def:6522
oval:gov.nist.fdcc.vistafirewall:def:6523
oval:gov.nist.fdcc.vistafirewall:def:6524
oval:gov.nist.fdcc.vistafirewall:def:6525
oval:gov.nist.fdcc.vistafirewall:def:6526
oval:gov.nist.fdcc.vistafirewall:def:6527
oval:gov.nist.fdcc.vistafirewall:def:6528
oval:gov.nist.fdcc.vistafirewall:def:6529
oval:gov.nist.fdcc.vistafirewall:def:6530
oval:gov.nist.fdcc.vistafirewall:def:6531
oval:gov.nist.fdcc.vistafirewall:def:6532
oval:gov.nist.fdcc.vistafirewall:def:6533
oval:gov.nist.fdcc.vistafirewall:def:6411
oval:gov.nist.fdcc.vistafirewall:def:6412
oval:gov.nist.fdcc.vistafirewall:def:6413
oval:gov.nist.fdcc.vistafirewall:def:6414
oval:gov.nist.fdcc.vistafirewall:def:6421
oval:gov.nist.fdcc.vistafirewall:def:6422
oval:gov.nist.fdcc.vistafirewall:def:6423
oval:gov.nist.fdcc.vistafirewall:def:6424
CCE ID CCE Description
CCE-3062-7 CCE-898 (1) set of accounts
CCE-3322-5 CCE-532 (1) set of accounts
CCE-3490-0 CCE-162 (1) set of accounts
CCE-2869-6 CCE-931 (1) set of accounts
CCE-3375-3 CCE-376 (1) set of accounts
CCE-3397-7 CCE-799 (1) set of accounts
CCE-3538-6 CCE-895 (1) set of accounts
Old v4 CCE Id
CCE Parameters
The "deny access to this computer from the network" user right should be assigned to the correct accounts.
The "access this computer from the network" user right should be assigned to the correct accounts.
The "act as part of the operating system" user right should be assigned to the correct accounts.
The "back up files and directories" user right should be assigned to the correct accounts.
The "bypass traverse checking" user right should be assigned to the correct accounts.
The "change the system time" user right should be assigned to the correct accounts.
The "create a pagefile" user right should be assigned to the correct accounts.
CCE-3498-3 CCE-926 (1) set of accounts
CCE-3269-8 CCE-335 (1) set of accounts
CCE-2576-7 CCE-842 (1) set of accounts
CCE-3359-7 CCE-754 (1) set of accounts
CCE-3491-8 CCE-939 (1) set of accounts
CCE-3147-6 CCE-807 (1) set of accounts
CCE-3539-4 CCE-349 (1) set of accounts
CCE-3293-8 CCE-860 (1) set of accounts
CCE-2936-3 CCE-749 (1) set of accounts
The "Create a token object" user right should be assigned to the correct accounts.
The "create permanent shared objects" user right should be assigned to the correct accounts.
The "debug programs" user right should be assigned to the correct accounts.
The "force shutdown from a remote system" user right should be assigned to the correct accounts.
The "generate security audits" user right should be assigned to the correct accounts.
The "adjust memory quotas for a process" user right should be assigned to the correct accounts.
The "increase scheduling priority" user right should be assigned to the correct accounts.
The "load and unload device drivers" user right should be assigned to the correct accounts.
The "lock pages in memory" user right should be assigned to the correct accounts.
CCE-3191-4 CCE-177 (1) set of accounts
CCE-3332-4 CCE-216 (1) set of accounts
CCE-3557-6 CCE-965 (1) set of accounts
CCE-3575-8 CCE-850 (1) set of accounts
CCE-3218-5 CCE-17 (1) set of accounts
CCE-2861-3 CCE-260 (1) set of accounts
CCE-3002-3 CCE-599 (1) set of accounts
CCE-2663-3 CCE-656 (1) set of accounts
CCE-3447-0 CCE-667 (1) set of accounts
The "log on as a batch job" user right should be assigned to the correct accounts.
The "log on as a service" user right should be assigned to the correct accounts.
The "log on locally" user right should be assigned to the correct accounts.
The "manage auditing and security log" user right should be assigned to the correct accounts.
The "modify firmware environment values" user right should be assigned to the correct accounts.
The "profile single process" user right should be assigned to the correct accounts.
The "profile system performance" user right should be assigned to the correct accounts.
The "remove computer from docking station" user right should be assigned to the correct accounts.
The "replace a process-level token" user right should be assigned to the correct accounts.
CCE-3465-2 CCE-553 (1) set of accounts
CCE-3346-4 CCE-839 (1) set of accounts
CCE-2848-0 CCE-492 (1) set of accounts
CCE-3368-8 CCE-381 (1) set of accounts
CCE-3531-1 CCE-64 (1) set of accounts
CCE-3473-6 CCE-15 (1) set of accounts
CCE-3354-8 CCE-183 (1) set of accounts
The "restore files and directories" user right should be assigned to the correct accounts.
The "shut down the system" user right should be assigned to the correct accounts.
The "take ownership of files or other objects" user right should be assigned to the correct accounts.
The "synchronize directory service data" user right should be assigned to the correct accounts.
The "deny logon locally" user right should be assigned to the correct accounts.
The "enable computer and user accounts to be trusted for delegation" user right should be assigned to the correct accounts.
The "add workstations to domain" user right should be assigned to the correct accounts.
CCE-3499-1 CCE-883 (1) set of accounts
CCE-2649-2 CCE-165 (1) set of accounts
CCE-3543-6 CCE-597 (1) set of accounts
CCE-3438-9 CCE-108 (1) set of accounts
CCE-3319-1 CCE-314 (1) set of accounts
CCE-3574-1 CCE-733
CCE-2627-8 CCE-980
CCE-3551-9 CCE-658
CCE-3321-7 CCE-2628 enabled/disabled
CCE-3467-8 CCE-2543 enabled/disabled
The "allow logon through Terminal Services" user right should be assigned to the correct accounts.
The "deny logon as a batch job" user right should be assigned to the correct accounts.
The "deny logon as a service" user right should be assigned to the correct accounts.
The "deny logon through Terminal Services" user right should be assigned to the correct accounts.
The "perform volume maintenance tasks" user right should be assigned to the correct accounts.
The "reset account lockout counter after" policy should meet minimum requirements.
(1) number of minutes
The "account lockout duration" policy should meet minimum requirements.
(1) number of minutes
The "account lockout threshold" policy should meet minimum requirements.
(1) number of attempts
Auditing of "account logon" events on success should be enabled or disabled as appropriate.
Auditing of "account logon" events on failure should be enabled or disabled as appropriate.
CCE-3427-2 CCE-2000 enabled/disabled
CCE-3449-6 CCE-1646 enabled/disabled
CCE-2827-4 CCE-2118 enabled/disabled
CCE-3101-3 CCE-2390 enabled/disabled
CCE-3603-8 CCE-1686 enabled/disabled
CCE-3391-0 CCE-1744 enabled/disabled
CCE-3286-2 CCE-2640 enabled/disabled
CCE-3290-4 CCE-1991 enabled/disabled
CCE-3546-9 CCE-2412 enabled/disabled
CCE-3312-6 CCE-2347 enabled/disabled
CCE-3211-0 CCE-2431 enabled/disabled
Auditing of "account management" events on success should be enabled or disabled as appropriate.
Auditing of "account management" events on failure should be enabled or disabled as appropriate.
Auditing of "directory service access" events on success should be enabled or disabled as appropriate.
Auditing of "directory service access" events on failure should be enabled or disabled as appropriate.
Auditing of "logon" events on success should be enabled or disabled as appropriate.
Auditing of "logon" events on failure should be enabled or disabled as appropriate.
Auditing of "object access" events on success should be enabled or disabled as appropriate.
Auditing of "object access" events on failure should be enabled or disabled as appropriate.
Auditing of "policy change" events on success should be enabled or disabled as appropriate.
Auditing of "policy change" events on failure should be enabled or disabled as appropriate.
Auditing of "privilege use" events on success should be enabled or disabled as appropriate.
CCE-3383-7 CCE-2584 enabled/disabled
CCE-3510-5 CCE-2529 enabled/disabled
CCE-3453-8 CCE-2617 enabled/disabled
CCE-3594-9 CCE-2420 enabled/disabled
CCE-3611-1 CCE-1680 enabled/disabled
CCE-2884-5 CCE-396 (1) enabled/disabled
CCE-3281-3 CCE-299 (1) enabled/disabled
CCE-3550-1 CCE-185 (1) size of file
CCE-3567-5 CCE-951 (1) number of days
CCE-2946-2 CCE-462 (1) enabled/disabled
Auditing of "privilege use" events on failure should be enabled or disabled as appropriate.
Auditing of "process tracking" events on success should be enabled or disabled as appropriate.
Auditing of "process tracking" events on failure should be enabled or disabled as appropriate.
Auditing of "system" events on success should be enabled or disabled as appropriate.
Auditing of "system" events on failure should be enabled or disabled as appropriate.
The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.
The "restrict guest access to application log" policy should be set correctly.
The application log maximum size should be configured correctly.
If the Application log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.
The "restrict guest access to security log" policy should be set correctly.
CCE-3343-1 CCE-757 (1) size of file
CCE-3484-3 CCE-523 type of retention
CCE-3127-8 CCE-682 (1) number of days
CCE-3488-4 CCE-726 (1) enabled/disabled
CCE-3506-3 CCE-735 (1) size of file
CCE-3422-3 CCE-664 type of retention
CCE-3512-1 CCE-210 (1) number of days
CCE-3530-3 CCE-871 (1) number of days
CCE-3548-5 CCE-324 (1) number of days
The security log maximum size should be configured correctly.
The "when maximum log size is reached" property should be set correctly for the Security log.
If the Security log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.
The "restrict guest access to system log" policy should be set correctly.
The system log maximum size should be configured correctly.
The "when maximum log size is reached" property should be set correctly for the System log.
If the System log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.
The "maximum password age" policy should meet minimum requirements.
The "minimum password age" policy should meet minimum requirements.
CCE-3424-9 CCE-100 (1) number of days
CCE-3442-1 CCE-633 (1) enabled/disabled
CCE-3446-2 CCE-60
CCE-2644-3 CCE-479 (1) enabled/disabled
CCE-3635-0 CCE-487
CCE-2671-6 CCE-496
CCE-3200-3 CCE-148
CCE-3350-6 CCE-954
CCE-3565-9 CCE-78
CCE-3582-4 CCE-712
The "minimum password length" policy should meet minimum requirements.
The "password must meet complexity requirements" policy should be set correctly.
The "enforce password history" policy should meet minimum requirements.
(1) number of passwords remembered
The "store password using reversible encryption for all users in the domain" policy should be set correctly.
The startup type of the Alerter service should be correct.
(1) disabled/manual/automatic
The startup type of the Automatic Update service should be correct.
(1) disabled/manual/automatic
The startup type of the Background Intelligent Transfer Service (BITS) service should be correct.
(1) disabled/manual/automatic
The startup type of the ClipBook service should be correct.
(1) disabled/manual/automatic
The startup type of the Fax service should be correct.
(1) disabled/manual/automatic
The startup type of the FTP Publishing service should be correct.
(1) disabled/manual/automatic
CCE-3353-0 CCE-311
CCE-3618-6 CCE-738
CCE-3494-2 CCE-729
CCE-3640-0 CCE-650
CCE-2909-0 CCE-232
CCE-3552-7 CCE-857
CCE-3428-0 CCE-267
CCE-3556-8 CCE-663
CCE-2678-1 CCE-672
CCE-3612-9 CCE-73
The startup type of the IIS Admin service should be correct.
(1) disabled/manual/automatic
The startup type of the Indexing service should be correct.
(1) disabled/manual/automatic
The startup type of the Messenger service should be correct.
(1) disabled/manual/automatic
The startup type of the .NET Framework service should be correct.
(1) disabled/manual/automatic
The startup type of the NetMeeting Remote Desktop Sharing service should be correct.
(1) disabled/manual/automatic
The startup type of the Print Services for Unix service should be correct.
(1) disabled/manual/automatic
The startup type of the Remote Access Auto connection Manager service should be correct.
(1) disabled/manual/automatic
The startup type of the Remote Desktop Help Session Manager service should be correct.
(1) disabled/manual/automatic
The startup type of the Internet Connection Sharing service should be correct.
(1) disabled/manual/automatic
The startup type of the Remote Registry service should be correct.
(1) disabled/manual/automatic
CCE-3621-0 CCE-223
CCE-3602-0 CCE-522
CCE-3497-5 CCE-531
CCE-3386-0 CCE-870
CCE-3532-9 CCE-975
CCE-3536-0 CCE-892
CCE-3541-0 CCE-940
CCE-3558-4 CCE-40
CCE-3078-3 CCE-75
The startup type of the Routing and Remote Access service should be correct.
(1) disabled/manual/automatic
The startup type of the Remote Shell service should be correct.
(1) disabled/manual/automatic
The startup type of the Simple TCP/IP service should be correct.
(1) disabled/manual/automatic
The startup type of the Simple Mail Transport Protocol (SMTP) service should be correct.
(1) disabled/manual/automatic
The startup type of the SNMP Service service should be correct.
(1) disabled/manual/automatic
The startup type of the SNMP Trap Service service should be correct.
(1) disabled/manual/automatic
The startup type of the SSDP Discovery service should be correct.
(1) disabled/manual/automatic
The startup type of the Task Scheduler service should be correct.
(1) disabled/manual/automatic
The startup type of the Telnet service should be correct.
(1) disabled/manual/automatic
CCE-2832-4 CCE-974
CCE-3475-1 CCE-608
CCE-3492-6 CCE-758
CCE-3633-5 CCE-559
CCE-3638-4 CCE-445
CCE-3175-7 CCE-115
CCE-2695-5 CCE-669
CCE-3637-6 CCE-889
CCE-3642-6 CCE-476
CCE-3664-0 CCE-87
CCE-3435-5 CCE-4
The startup type of the Terminal Services service should be correct.
(1) disabled/manual/automatic
The startup type of the Universal Plug and Play Device Host (UPnP) service should be correct.
(1) disabled/manual/automatic
The startup type of the World Wide Web Publishing service should be correct.
(1) disabled/manual/automatic
The startup type of the Automatic Update service should be correct.
(1) disabled/manual/automatic
The startup type of the Background Intelligent Transfer Service (BITS) service should be correct.
(1) disabled/manual/automatic
The startup type of the Print Services for Unix service should be correct.
(1) disabled/manual/automatic
The correct service permissions for the Alerter service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Automatic Updates service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the ClipBook service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Fax service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the FTP Publishing service should be assigned.
(1) set of accounts (2) list of permissions
CCE-3580-8 CCE-792
CCE-3474-4 CCE-444
CCE-3496-7 CCE-79
CCE-3483-5 CCE-21
CCE-3254-0 CCE-109
CCE-3523-8 CCE-157
CCE-3673-1 CCE-915
CCE-3193-0 CCE-219
CCE-3461-1 CCE-426
CCE-3355-5 CCE-56
CCE-2687-2 CCE-521
CCE-3583-2 CCE-944
The correct service permissions for the IIS Admin service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Indexing service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Messenger service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the NetMeeting service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Printer service should be assigned.
(1) set of accounts (2) list of permissions
The startup type of the Remote Access Auto connection Manager service should be correct.
(1) disabled/manual/automatic
The correct service permissions for the Remote Desktop Help Session Manager service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Remote Registry service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the SMTP service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the SNMP service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the SNMP Trap service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Telnet service should be assigned.
(1) set of accounts (2) list of permissions
CCE-3226-8 CCE-605
CCE-3569-1 CCE-143
CCE-3591-5 CCE-195
CCE-3631-9 CCE-318
CCE-3402-5 CCE-953 (1) enabled/disabled
CCE-3525-3 CCE-653
CCE-2908-2 CCE-332 (1) enabled/disabled
CCE-2790-4 CCE-23 (1) text caption
The correct service permissions for the Terminal Services service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the WWW Publishing service should be assigned.
(1) set of accounts (2) list of permissions
The behavior surrounding Anonymous users' ability to display lists of SAM accounts and shares should be correct.
(1) restricted/unrestricted
The behavior surrounding Anonymous users' ability to display lists of SAM accounts should be correct.
(1) restricted/unrestricted
The behavior surrounding Anonymous SID/Name translation should be correct.
The "Anonymous access to the security event log" policy should be set correctly.
(1) exist/not exist (2) enabled/disabled
Use of the built-in Guest account should be enabled or disabled as appropriate.
The "Message title for users attempting to log on" policy should be set correctly.
CCE-3672-3 CCE-829 (1) text statement
CCE-3690-5 CCE-283 (1) enabled/disabled
CCE-3597-2 CCE-44 (1) enabled/disabled
CCE-3725-9 CCE-150 (1) enabled/ignored
CCE-3227-6 CCE-564 (1) enabled/disabled
The "Message text for users attempting to log on" policy should be set correctly.
Automatic Logon should be properly configured.
Autoplay on all Drive Types should be properly configured.
ICMP Redirects should be properly configured.
IP Source Routing should be properly configured.
CCE-3509-7 CCE-952 (1) enabled/disabled
CCE-3527-9 CCE-65 (1) enabled/disabled
CCE-2919-9 CCE-897 (1) enabled/disabled
CCE-2812-6 CCE-188
CCE-2817-5 CCE-817 (1) enabled/disabled
CCE-3739-0 CCE-998 (1) enabled/disabled
CCE-3616-0 CCE-284 (1) enabled/disabled
IRDP should be properly configured.
Display Last User Name in Logon Screen should be properly configured.
TCP/IP Dead Gateway Detection should be properly configured.
The TCP/IP KeepAlive Time should be set correctly.
(1) number of milliseconds
TCP/IP NetBIOS Name Release on Request Prevented should be properly configured.
TCP/IP PMTU Discovery should be properly configured.
TCP/IP SYN Flood Attack Protection should be properly configured.
CCE-3757-2 CCE-156 (1) enabled/disabled
CCE-3796-0 CCE-601 (1) enabled/disabled
CCE-3514-7 CCE-614 (1) enabled/disabled
CCE-3778-8 CCE-271 (1) enabled/disabled
CCE-3549-3 CCE-707 (1) enabled/disabled
CCE-3298-7 CCE-50 (1) enabled/disabled
CCE-3443-9 CCE-896 (1) enabled/disabled
CCE-3708-5 CCE-574 (1) enabled/disabled
CCE-3479-3 CCE-257 (1) enabled/disabled
CCE-2853-0 CCE-438 (1) valid names
Disable saving of dial-up passwords should be properly configured.
The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.
The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.
Safe DLL Search Mode should be properly configured.
Always Wait for the Network at Computer Startup and Logon should be properly configured.
Background Refresh of Group Policy should be properly configured.
Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.
Disallow Installation of Printers Using Kernel-mode Drivers should be properly configured.
The "Allow Server Operators to Schedule Tasks" policy should be set correctly.
The built-in Administrator account should be correctly named.
CCE-3743-2 CCE-834 (1) valid names
CCE-3761-4 CCE-222
CCE-3774-7 CCE-2 (1) enabled/disabled
CCE-3814-1 CCE-905 (1) enabled/disabled
CCE-3060-1 CCE-133 (1) enabled/disabled
CCE-3703-6 CCE-719
CCE-3769-7 CCE-402 (1) enabled/disabled
The built-in Guest account should be correctly named.
The amount of idle time required before disconnecting a session should be set correctly.
(1) number of minutes
The "Audit the access of global system objects" policy should be set correctly.
The "Audit the use of backup and restore privilege" policy should be set correctly.
The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly.
The "LAN Manager Authentication Level" policy should be set correctly.
(1) authentication level
The "Prevent Users from Installing Printer Drivers" policy should be set correctly.
CCE-3659-0 CCE-410 (1) enabled/disabled
CCE-3676-4 CCE-76 (1) enabled/disabled
CCE-3694-7 CCE-565 (1) enabled/disabled
CCE-2822-5 CCE-463 (1) enabled/disabled
CCE-2963-7 CCE-508 (1) enabled/disabled
CCE-3478-5 CCE-417 (1) enabled/disabled
CCE-2870-4 CCE-228 (1) enabled/disabled
CCE-3787-9 CCE-413 (1) behavior
The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly.
The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly.
The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly.
The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly.
The "Strengthen Default Permissions of Global System Objects" policy should be set correctly.
The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly.
The "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly.
The "Unsigned Driver Installation Behavior" policy should be set correctly.
CCE-3804-2 CCE-814
CCE-3430-6 CCE-92 (1) enabled/disabled
CCE-3448-8 CCE-224 (1) enabled/disabled
CCE-3593-1 CCE-422 (1) enabled/disabled
CCE-3652-5 CCE-576 (1) enabled/disabled
CCE-3295-3 CCE-171 (1) enabled/disabled
CCE-3189-8 CCE-104 (1) enabled/disabled
CCE-3709-3 CCE-773
The "Users Prompted to Change Password Before Expiration" policy should be set correctly.
(1) number of days prior to expiration
The "Shut Down system immediately if unable to log security audits" policy should be set correctly.
The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.
The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly.
The "Digitally Sign Client Communication (Always)" policy should be set correctly.
The "Digitally Sign Server Communication (Always)" policy should be set correctly.
The "Digitally Sign Server Communication (When Possible)" policy should be set correctly.
The "Number of Previous Logons to Cache" policy should be set correctly.
(1) number of logons
CCE-3586-5 CCE-919 (1) Group(s)
CCE-3731-7 CCE-549 (1) enabled/disabled
CCE-3370-4 CCE-161 (1) enabled/disabled
CCE-3511-3 CCE-918 (1) enabled/disabled
CCE-3674-9 CCE-443 (1) behavior
CCE-3441-3 CCE-55 (1) enabled/disabled
CCE-2947-0 CCE-575 (1) enabled/disabled
The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly.
The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly.
The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.
The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.
The "Smart Card Removal Behavior" policy should be set correctly.
The "Use FIPS compliant algorithms for encryption, hashing, and signing" policy should be set correctly.
The "Default owner for objects created by members of the Administrators group" policy should be set correctly.
CCE-3714-3 CCE-300 (1) enabled/disabled
CCE-3357-1 CCE-533 (1) enabled/disabled
CCE-3613-7 CCE-186 (1) enabled/disabled
CCE-3801-8 CCE-710 (1) enabled/disabled
CCE-2819-1 CCE-732 (1) enabled/disabled
CCE-3605-3 CCE-490 (1) enabled/disabled
CCE-2984-3 CCE-194 (1) enabled/disabled
The "Require Case Insensitivity for Non-Windows Subsystems" policy should be set correctly.
The "Limit local account use of blank passwords to console logon only" policy should be set correctly.
The "Allow undock without having to logon" policy should be set correctly.
The "LDAP server signing requirements" policy should be set correctly.
The "LDAP client signing requirements" policy should be set correctly.
The "Refuse machine account password change" policy should be set correctly.
The "Maximum machine account password age" policy should be set correctly.
CCE-3504-8 CCE-374 (1) enabled/disabled
CCE-3773-9 CCE-278 (1) enabled/disabled
CCE-3420-7 CCE-542 (1) enabled/disabled
CCE-3817-4 CCE-18 (1) enabled/disabled
CCE-3711-9 CCE-136 (1) enabled/disabled
The "Require Domain Controller authentication to unlock workstation" policy should be set correctly.
The "Disconnect clients when logon hours expire" policy should be set correctly.
The "Do not allow storage of credentials or .NET Passports" policy should be set correctly.
The "Let Everyone permissions apply to anonymous users" policy should be set correctly.
The "Named Pipes that can be accessed anonymously" policy should be set correctly.
CCE-3729-1 CCE-189 (1) set of paths
CCE-3592-3 CCE-942 (1) set of shares
CCE-3112-0 CCE-343
CCE-3632-7 CCE-233 (1) enabled/disabled
CCE-3719-2 CCE-775 (1) enabled/disabled
The "Remotely accessible registry paths" policy should be set correctly.
The "Shares that can be accessed anonymously" policy should be set correctly.
The "Sharing and security model for local accounts" policy should be set correctly.
(1) Classic/Guest only
The "Do not store LAN Manager hash value on next password change" policy should be set correctly.
The "Force logoff when logon hours expire" policy should be set correctly.
CCE-3614-5 CCE-674 (1) enabled/disabled
CCE-3759-8 CCE-766 (1) enabled/disabled
CCE-3526-1 CCE-764 (1) enabled/disabled
CCE-3764-8 CCE-830 (1) time in seconds
CCE-3781-2 CCE-949 (1) enabled/disabled
CCE-3799-4 CCE-742 (1) enabled/disabled
CCE-3693-9 CCE-517 (1) time in seconds
CCE-3698-8 CCE-433 (1) enabled/disabled
CCE-3715-0 CCE-103 (1) enabled/disabled
The "Minimum session security for NTLM SSP based clients" policy should be set correctly.
The "Minimum session security for NTLM SSP based servers" policy should be set correctly.
The "Current user screensaver" policy should be set correctly.
The "Current user screensaver timeout" policy should be set correctly.
The "Current user screensaver secure" policy should be set correctly.
The "Current user screensaver active" policy should be set correctly.
The "Default user screensaver timeout" policy should be set correctly.
The "Default user screensaver secure" policy should be set correctly.
The "Default user screensaver active" policy should be set correctly.
CCE-3609-5 CCE-54 (1) enabled/disabled
CCE-3253-2 CCE-221 (1) time in seconds
CCE-2900-9 CCE-235 (1) enabled/disabled
CCE-3671-5 CCE-287 (1) enabled/disabled
CCE-3182-3 CCE-442 (1) enabled/disabled
CCE-3534-5 CCE-481
CCE-3794-5 CCE-736 (1) enabled/disabled
CCE-3547-7 CCE-415 (1) enabled/disabled
CCE-3190-6 CCE-794 (1) enabled/disabled
CCE-3587-3 CCE-107 (1) enabled/disabled
CCE-2837-3 CCE-256 (1) enabled/disabled
CCE-3803-4 CCE-662 (1) enabled/disabled
The "Current user screensaver" policy should be set correctly.
The "Current user screensaver timeout" policy should be set correctly.
The "Current user screensaver secure" policy should be set correctly.
The "Current user screensaver active" policy should be set correctly.
The "password protect the screen saver" setting should be configured correctly
The "Screen Saver timeout" should be set correctly.
(1) enabled/disabled (2) number of seconds
The "Always Install with Elevated Privileges" policy should be set correctly.
The "Enable User Control Over Installs" policy should be set correctly.
The "Enable User to Browse for Source While Elevated" policy should be set correctly.
The "Enable User to Use Media Source While Elevated" policy should be set correctly.
The "Allow Administrator to Install from Terminal Services Session" policy should be set correctly.
The "Enable User to Patch Elevated Products" policy should be set correctly.
CCE-3702-8 CCE-424 (1) enabled/disabled
CCE-3720-0 CCE-455 (1) enabled/disabled
CCE-2863-9 CCE-124 (1) enabled/disabled
CCE-3636-8 CCE-525 (1) enabled/disabled
CCE-3658-2 CCE-802 (1) enabled/disabled
CCE-3306-8 CCE-309 (1) enabled/disabled
CCE-3728-3 CCE-785 (1) enabled/disabled
CCE-3746-5 CCE-578 (1) enabled/disabled
CCE-3654-1 CCE-507 (1) enabled/disabled
CCE-3786-1 CCE-80
CCE-3790-3 CCE-401 (1) enabled/disabled
The "Cache Transforms in Secure Location" policy should be set correctly.
The "Disable Media Player for automatic updates" policy should be set correctly.
The "Prevent Codec Download" policy should be set correctly for Windows MediaPlayer.
Internet access for Windows Messenger should be configured correctly.
The "Do Not Allow Windows Messenger to be Run" policy should be set correctly.
The "Do Not Automatically Start Windows Messenger" policy should be set correctly.
The "Hide Property Pages" policy should be set correctly for the Task Scheduler.
The "Prohibit New Task Creation" policy should be set correctly for the Task Scheduler.
The "Limit Users to One Remote Session" policy should be set correctly for Terminal Services.
The "Limit Number of Connections" policy should be set correctly for Terminal Services.
(1) Maximum number of connections allowed
The "Do Not Allow New Client Connections" policy should be set correctly for Terminal Services.
CCE-3808-3 CCE-824 (1) enabled/disabled
CCE-3848-9 CCE-190 (1) enabled/disabled
CCE-3666-5 CCE-855 (1) enabled/disabled
CCE-3812-5 CCE-397 (1) encryption level
CCE-3710-1 CCE-670 (1) enabled/disabled
CCE-3627-7 CCE-961 (1) enabled/disabled
CCE-2875-3 CCE-920
CCE-3665-7 CCE-123
CCE-3683-0 CCE-524 (1) enabled/disabled
CCE-3577-4 CCE-568 (1) enabled/disabled
The "Do Not Allow Local Administrators to Customize Permissions" policy should be set correctly for Terminal Services.
The "Remote Control Settings" policy should be set correctly for Terminal Services.
The "Always Prompt Client for Password upon Connection" policy should be set correctly for Terminal Services.
The "Set Client connection Encryption Level" policy should be set correctly for Terminal Services.
The "Do not Use Temp folders per Session" policy should be set correctly for Terminal Services.
The "Do not Delete Temp folder on exit" policy should be set correctly for Terminal Services.
The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.
(1) Time Limit (minutes)
The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.
(1) Time limit (minutes)
The "Allow Reconnection from Original Client Only" policy should be set correctly for Terminal Services.
The "Terminate session when time limits are reached" policy should be set correctly for Terminal Services.
CCE-3828-1 CCE-705 (1) enabled/disabled
CCE-3599-8 CCE-859 (1) enabled/disabled
CCE-3617-8 CCE-434 (1) enabled/disabled
CCE-3758-0 CCE-592 (1) enabled/disabled
CCE-3700-2 CCE-227 (1) enabled/disabled
CCE-3237-5 CCE-6
CCE-3625-1 CCE-37 (1) number of hours
CCE-3396-9 CCE-588
CCE-3788-7 CCE-420
CCE-3806-7 CCE-861
CCE-3608-7 CCE-244
CCE-3740-8 CCE-306
CCE-3277-1 CCE-641
The "Enable Keep-Alive Messages" policy should be set correctly for Terminal Services.
The "Allow Solicited Remote Assistance" policy should be set correctly for Terminal Services.
The "Allow Unsolicited Remote Assistance" policy should be set correctly for Terminal Services.
The "Enable Error Reporting" policy should be set correctly.
The "Enforce user logon restrictions" policy should be set correctly.
The "Maximum Service Ticket Lifetime" policy should be set correctly.
(1) number of minutes
The "Maximum User Ticket Lifetime" policy should be set correctly.
The "Maximum tolerance for computer clock synchronization" policy should be set correctly.
(1) number of minutes
Removable storage should have correct permissions set
The "Allow automatic updates immediate installation" should be set correctly
The "Automatic Updates detection frequency" should be set correctly
The "Configure Automatic Updates" should be set correctly
The "No auto-restart for scheduled Automatic Updates installations
CCE-3661-6 CCE-804
CCE-3730-9 CCE-932
CCE-3250-8 CCE-418
CCE-3413-2 CCE-5 (1) enabled/disabled
CCE-3039-5 CCE-146 (1) enabled/disabled
CCE-3810-9 CCE-212 (1) enabled/disabled
The "Reschedule Automatic Updates scheduled installations" should be set correctly
The "Specify intranet Microsoft update service location" should be set correctly
MSS: TCPMaxPortsExhausted, How many dropped connect requests to initiate SYN attack protection.
The "Security Zones: Use Only Machine Settings" setting should be configured correctly.
The "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly.
The "Disable Periodic Check For Internet Explorer Software Updates" setting should be configured correctly.
CCE-3832-3 CCE-622 (1) enabled/disabled
CCE-3598-0 CCE-684 (1) enabled/disabled
CCE-3713-5 CCE-693
CCE-3480-1 CCE-833 (1) enabled/disabled
The "Disable Software Update Shell Notifications on Program Launch" setting should be configured correctly.
The "Disable Automatic Install of Internet Explorer Components" setting should be configured correctly.
The "Make Proxy Settings Per-Machine (Rather Than Per-User)" setting should be configured correctly.
(1) number of proxy settings
The "Security Zones: Do Not Allow Users to Change Policies" setting should be configured correctly.
CCE Technical Mechanisms
….
….
….
Microsoft Security Guide for Windows Server 2003
(1) defined by the SeDenyNetworkLogonRight setting in Local or Group Policy
Table 3.28 Deny access to this computer from the network: ANONYMOUS LOGON; Built-in Administrator, Guests; Support_388945a0; Guest; all NON-Operating System service accounts (Legacy Client, Enterprise Client, and High Security)
(1) defined by the SeNetworkLogonRight setting in Local or Group Policy
Table 4.2 Access this computer from the network: Administrators, Authenticated Users, Enterprise Domain Controllers (High Security); Legacy Client and Enterprise Client are not defined
(1) defined by the SeTcbPrivilege setting in Local or Group Policy
Table 3.21 Act as part of the operating system: Not defined (Legacy Client and Enterprise Client); revoke all security groups and accounts (High Security)
(1) defined by the SeBackupPrivilege setting in Local or Group Policy
(1) defined by the SeChangeNotifyPrivilege setting in Local or Group Policy
(1) defined by the SeSystemTimePrivilege setting in Local or Group Policy
Table 3.26 Change the system time: Administrators and Power Users (default); Administrators (High Security); Legacy client and Enterprise Client are not defined
(1) defined by the SeCreatePagefilePrivilege setting in Local or Group Policy
….
….
(1) defined by the SeCreateTokenPrivilege setting in Local or Group Policy
(1) defined by the SeCreatePermanentPrivilege setting in Local or Group Policy
(1) defined by the SeDebugPrivilege setting in Local or Group Policy
Table 3.27 Debug programs: Administrators (default); Revoke all security groups and accounts (Legacy Client, Enterprise client and High Security)
(1) defined by the SeRemoteShutdownPrivilege setting in Local or Group Policy
Table 3.32 Force shutdown from a remote system: Administrators (High Security): Legacy client and Enterprise Client are not defined
(1) defined by the SeAuditPrivilege setting in Local or Group Policy
Table 3.33 Generate security audits: Network Service, Local Service (High Security): Legacy Client and Enterprise Client are not defined
(1) defined by the SeIncreaseQuotaPrivilege setting in Local or Group Policy
Table 3.23 Adjust memory quotas for a process: Administrators, Network Service, Local Service (High Security); Legacy client and Enterprise Client are not defined
(1) defined by the SeIncreaseBasePriorityPrivilege setting in Local or Group Policy
Table 3.35 Increase scheduling priority: Administrators (High Security): Legacy Client and Enterprise Client are not defined
(1) defined by the SeLoadDriverPrivilege setting in Local or Group Policy
Table 3.36 Load and unload device drivers: Administrators (High Security): Legacy Client and Enterprise Client are not defined
(1) defined by the SeLockMemoryPrivilege setting in Local or Group Policy
Table 3.37 Lock pages in memory: Administrators (High Security): Legacy Client and Enterprise Client are not defined
….
(1) defined by the SeBatchLogonRight setting in Local or Group Policy
Table 3.38 Log on as a batch job: Support_388945a0, Local Service (Default); Revoke all security groups and accounts (High Security); Legacy Client and Enterprise Client are not defined
(1) defined by the SeServiceLogonRight setting in Local or Group Policy
(1) defined by the SeInteractiveLogonRight setting in Local or Group Policy
Table 4.4 Allow log on locally: Administrators (Legacy client, Enterprise Client, and High Security)
(1) defined by the SeSecurityPrivilege setting in Local or Group Policy
Table 3.39 Manage auditing and security log: Administrators (High Security); Legacy Client and Enterprise Client are not defined
(1) defined by the SeSystemEnvironmentPrivilege setting in Local or Group Policy
Table 3.40 Modify firmware environment values: Administrators (High Security); Legacy client and Enterprise Client are not defined
(1) defined by the SeProfileSingleProcessPrivilege setting in Local or Group Policy
Table 3.42 Profile single process: Administrators (High Security); Legacy Client and Enterprise Client are not defined
(1) defined by the SeSystemProfilePrivilege setting in Local or Group Policy
Table 3.43 Profile system performance: Administrators (High Security); Legacy client and Enterprise Client are not defined
(1) defined by the SeUndockPrivilege setting in Local or Group Policy
Table 3.44 Remove computer from docking station: Administrators, Power Users (Default)/Administrators (High Security); Legacy client and Enterprise Client are not defined
(1) defined by the SeAssignPrimaryTokenPrivilege setting in Local or Group Policy
Table 3.45 Replace a process level token: Local Service, Network Service (High Security); Legacy Client and Enterprise Client are not defined
….
(1) defined by the SeRestorePrivilege setting in Local or Group Policy
Table 3.46 Restore files and directories: Administrators and Backup Operators (Default)/Administrators (High Security); Legacy Client and Enterprise Client are not defined
(1) defined by the SeShutdownPrivilege setting in Local or Group Policy
Table 3.47 Shut down the system: Backup Operators, Power Users and Administrators (Default)/Administrators (High Security); Legacy Client and Enterprise Client are not defined
(1) defined by the SeTakeOwnershipPrivilege setting in Local or Group Policy
Table 3.49 Take ownership of files or other objects: Administrators (High Security); Legacy Client and Enterprise Client are not defined
(1) defined by the SeSynchAgentPrivilege setting in Local or Group Policy
Table 3.48 Synchronize directory service data: Revoke all security groups and accounts (High Security); legacy client and Enterprise Client are not defined
(1) defined by the SeDenyInteractiveLogonRight setting in Local or Group Policy
(1) defined by the SeEnableDelegationPrivilege setting in Local or Group Policy
Table 4.7 Enable computer and user accounts to be trusted for delegation: Administrators (High Security); Legacy client and Enterprise Client are not defined
(1) defined by the SeMachineAccountPrivilege setting in Local or Group Policy
Table 3.22 Add workstations to domain: Administrators (High Security); Legacy Client and Enterprise Client are not defined
….
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by the SeRemoteInteractiveLogonRight setting in Local or Group Policy
Table 3.25 Allow log on through Terminal Services: Administrators (High Security); Administrators and Remote Desktop Users (Legacy Client and Enterprise Client)
(1) defined by the SeDenyBatchLogonRight setting in Local or Group Policy
Table 4.18 Deny log on as a batch job: Support_388945a0 and Guest (Legacy Client, Enterprise Client, and High Security)
(1) defined by the SeDenyServiceLogonRight setting in Local or Group Policy
(1) defined by the SeDenyRemoteInteractiveLogonRight setting in Local or Group Policy
Table 4.18 Deny log on through Terminal Services: Built-in Administrator; all NON-operating system service accounts (Legacy Client, Enterprise Client, and High Security)
(1) defined the SeManageVolumePrivilege setting in by Local or Group Policy
Table 3.41 Perform volume maintenance tasks: Administrators (High Security); Legacy client and Enterprise Client are not defined
Table 2.11 Reset account lockout counter after: 30 minutes; 15 minutes (High Security); 30 minutes (Legacy Client and Enterprise Client)
Table 2.9 Account lockout duration: 15 minutes (High Security); 30 minutes (Legacy Client and Enterprise Client)
Table 2.10 Account lockout threshold: 50 invalid login attempts (Legacy Client and Enterprise Client); 10 invalid login attempts (High Security)
Table 3.2 Audit account logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security)
Table 3.2 Audit account logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security)
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
Table 3.4 Audit account management: Success/Failure (Legacy Client, Enterprise Client, and High Security)
Table 3.4 Audit account management: Success/Failure (Legacy Client, Enterprise Client, and High Security)
Table 3.6 Audit directory service access: Success/Failure (Legacy Client, Enterprise Client, and High Security)
Table 3.6 Audit directory service access: Success/Failure (Legacy Client, Enterprise Client, and High Security)
Table 3.8 Audit logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security)
Table 3.8 Audit logon events: Success/Failure (Legacy Client, Enterprise Client, and High Security)
Table 3.10 Audit object access: Success/Failure (Legacy Client, Enterprise Client, and High Security)
Table 3.10 Audit object access: Success/Failure (Legacy Client, Enterprise Client, and High Security)
Table 3.12 Audit policy change: Success (Legacy Client, Enterprise Client, and High Security)
Table 3.12 Audit policy change: Success (Legacy Client, Enterprise Client, and High Security)
Table 3.14 Audit privilege use: Success/Failure (High Security); No Auditing (Legacy Client); Failure (Enterprise Client)
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy ….
(1) defined by Local or Group Policy ….
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
Table 3.14 Audit privilege use: Success/Failure (High Security); No Auditing (Legacy Client); Failure (Enterprise Client)
Table 3.18 Audit system events: Success (Legacy Client, Enterprise Client, and High Security)
Table 3.18 Audit system events: Success (Legacy Client, Enterprise Client, and High Security)
Table 3.102 Shutdown: Allow system to be shut down without having to log on: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\MaxSize
Table 3.110 Maximum application log size: 16,384 KB (Legacy Client, Enterprise Client, and High Security)
Table 3.116 Retention method for application log: As needed (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\RestrictGuestAccess (2) defined by Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MaxSize
Table 3.111 Maximum security log size: 81,920 KB (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy
Table 3.117 Retention method for security log: As needed (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\RestrictGuestAccess (2) defined by Group Policy
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\MaxSize
Table 3.112 Maximum system log size: 16,384 KB (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy
Table 3.118 Retention method for system log: As needed (Legacy Client, Enterprise Client, and High Security)
Table 2.4 Maximum password age: 42 days (Legacy Client, Enterprise Client, and High Security)
Table 2.5 Minimum password age: 2 days (Legacy Client, Enterprise Client, and High Security)
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
Table 2.6 Minimum password length: 12 characters (High Security); 8 characters (Legacy Client and Enterprise Client)
Table 2.7 Password must meet complexity requirements: Enabled (Legacy Client, Enterprise Client, and High Security)
Table 2.3 Enforce password history: 24 passwords remembered (Legacy Client, Enterprise Client, and High Security)
Table 2.8 Store password using reversible encryption: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.119 Alerter Service: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.123 Automatic updates service: Automatic (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.124 Background Intelligent Transfer Service: Manual (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.127 Clipbook service: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.143 Fax Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.146 FTP Publishing Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.151 IIS Admin Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.153 Indexing Service: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.167 Messenger Service: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) defined by the Services Administrative Tool (2) defined by Group Policy
Table 3.172 .NET Framework Support Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.174 NetMeeting Remote Desktop Sharing: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
Table 3.187 Remote Access Auto Connection Manager: Manual (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.190 Remote Desktop Help Session Manager: Manual (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.194 Remote Registry Service: Automatic (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.201 Routing and Remote Access Service: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RshSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SIMPTCP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.208 Simple TCP/IP Services: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.207 Simple Mail Transport Protocol (SMTP): Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.211 SNMP Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.212 SNMP Trap Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.216 Task Scheduler: Automatic (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.220 Telnet Service: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.221 Terminal Services: Manual (default); Automatic (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.182 Plug and Play: Automatic (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 3.245 World Wide Web Publishing Service: Not installed (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 11.3 Automatic Update Service: Disabled
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Table 11.4 Background Intelligent Transfer Service: Disabled
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
Table 3.119 Alerter Service: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) set via Security Templates (2) defined by Group Policy
Table 3.123 Automatic Updates Service: Automatic (Legacy Client, Enterprise Client, and High Security)
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) Local Users and Groups MMC ….
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (2) defined by Local or Group Policy
Table 3.86 Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM (2) defined by Local or Group Policy
Table 3.85 Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AnonymousNameLookup (2) defined by Local or Group
Table 2.13 Network Access: Allow anonymous SID/NAME translation: Disabled
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption (2) defined by Local or Group Policy
Table 3.73 Interactive logon: Message title for users attempting to log on: "It is an offense to continue without proper authorization" (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText (2) defined by Local or Group Policy
Table 3.72 Interactive logon: Message text for users attempting to log on: "This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background." (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
…. (1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName
Table 3.70 Interactive logon: Do not display last user name: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect
Table 3.246 Security Consideration for Network Attacks: EnableDeadGWDetect = 0 (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime
Table 3.246 Security Consideration for Network Attacks: KeepAliveTime = 300,000 (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand
Table 3.248 Configure NetBIOS Name Release Security: Allow the computer to ignore NetBIOS name release requests except from WINS server: NoNameReleaseOnDemand = 1 (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery
Table 3.246 Security Consideration for Network Attacks: EnablePMTUDiscovery = 0 (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect
Table 3.246 Security Consideration for Network Attacks: SynAttackProtect = 1 (Legacy Client, Enterprise Client, and High Security)
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy ….
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\DisableSavePassword
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy
Table 3.64 Domain member: Digitally encrypt or sign secure channel data (always): Enabled (High Security); Disabled (Legacy Client and Enterprise Client)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy
Table 3.65 Domain member: Digitally encrypt or sign secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\SafeDllSearchMode
Table 3.253 Enable Safe DLL Search Order: Enable Safe DLL search mode (recommended): SafeDllSearchMode = 1 (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Policies\system\DisableBkGndGroupPolicy
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\KMPrintersAreBlocked
Table 3.61 Domain controller: Allow server operators to schedule tasks: Not Defined (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) defined by Local or Group Policy ….
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect (2) defined by Local or Group Policy
Table 3.81 Microsoft network server: Amount of idle time required before suspending session: 15 minutes (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects (2) defined by Local or Group Policy
Table 3.52 Audit: Audit the access of global system objects: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing (2) defined by Local or Group Policy
Table 3.53 Audit: Audit the use of backup and restore privilege: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD (2) defined by Local or Group Policy
Table 3.71 Interactive logon: Do not require CTRL+ALT+DEL: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel (2) defined by Local or Group Policy
Table 3.96 Network security: LAN Manager authentication level: Send NTLM response only (default); Send NTLMv2 response only\refuse LM & NTLM (High Security); Send NTLMv2 responses only (Legacy Client and Enterprise Client)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers (2) defined by Local or Group Policy
Table 3.57 Devices: Prevent users from installing printer drivers: Enabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel (2) defined by Local or Group Policy
Table 3.100 Recovery console: Allow automatic administrative logon: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand (2) defined by Local or Group Policy
Table 3.101 Recovery console: Allow floppy copy and access to all drives and all folders: Disabled (High Security); Enabled (Legacy Client and Enterprise Client)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies (2) defined by Local or Group Policy
Table 10.2 Devices: Restrict floppy access to locally logged-on user only: Enabled (Enterprise Client)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode (2) defined by Local or Group Policy
Table 3.108 System objects: Strengthen default permissions of internal system objects: Enabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (2) defined by Local or Group Policy
Table 3.69 Domain member: Require strong (W2K or later) session key: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword (2) defined by Local or Group Policy
Table 3.80 Microsoft network client: Send unencrypted password to third-party SMB servers: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing\Policy (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning (2) defined by Local or Group Policy
Table 3.75 Interactive logon: Prompt user to change password before expiration: 14 days (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail (2) defined by Local or Group Policy
Table 3.54 Audit: Shut down system immediately if unable to log security audits: Disabled (Legacy Client and Enterprise Client); Enabled (High Security)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon (2) defined by Local or Group Policy
Table 3.102 Shutdown: Allow system to be shut down without having to log on: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown (2) defined by Local or Group Policy
Table 3.103 Shutdown: Clear virtual memory page file: Disabled (Legacy Client and Enterprise Client); Enabled (High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (2) defined by Local or Group Policy
Table 3.74 Interactive logon: Number of previous logons to cache: 1 (Legacy Client); 0 (Enterprise Client and High Security)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD (2) defined by Local or Group Policy
Table 3.56 Devices: Allowed to format and eject removable media: Administrators (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal (2) defined by Local or Group Policy
Table 3.64 Domain member: Digitally encrypt or sign secure channel data: Enabled (High Security); Disabled (Legacy Client and Enterprise Client)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy
Table 3.65 Domain member: Digitally encrypt secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy
Table 3.66 Domain member: Digitally sign secure channel data (when possible): Enabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption (2) defined by Local or Group Policy
Table 3.77 Interactive logon: Smart card removal behavior: Lock Workstation (Enterprise Client and High Security); Legacy Client is not defined
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy (2) defined by Local or Group Policy
Table 3.105 System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner (2) defined by Local or Group Policy
Table 3.106 System objects: Default owner for objects created by members of the Administrators group: Administrators group (default); Object creator (Legacy Client, Enterprise Client, and High Security)
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive (2) defined by Local or Group Policy
Table 3.107 System objects: Require case insensitivity for non-Windows subsystems: Enabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse (2) defined by Local or Group Policy
Table 3.51 Accounts: Limit local account use of blank passwords to console logon only: Enabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon (2) defined by Local or Group Policy
Table 3.55 Devices: Allow undock without having to log on: Enabled (default); Disabled (Legacy Client, Enterprise Client, and High Security)
Table 3.62 Domain controller: LDAP server signing requirements: Not Defined (Legacy Client and Enterprise Client); Require signing (High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity (2) defined by Local or Group Policy
Table 3.97 Network security: LDAP client signing requirements: Negotiate signing (Legacy Client, Enterprise Client, and High Security)
Table 3.63 Domain controller: Refuse machine account password changes: Not Defined (default); Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge (2) defined by Local or Group Policy
Table 3.68 Domain member: Maximum machine account password age: 30 days (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon (2) defined by Local or Group Policy
Table 3.76 Interactive logon: Require domain controller authentication to unlock workstation: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff (2) defined by Local or Group Policy
Table 3.84 Microsoft network server: Disconnect clients when logon hours expire: Enabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds (2) defined by Local or Group Policy
Table 3.87 Network access: Do not allow storage of credentials or .NET Passports for network authentications: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous (2) defined by Local or Group Policy
Table 3.88 Network access: Let Everyone permissions apply to anonymous users: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes (2) defined by Local or Group Policy
Table 3.89 Network access: Named Pipes that can be accessed anonymously: None (Legacy Client, Enterprise Client, and High Security)
(1) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPathsHKLM (2) defined by Local or Group Policy
Table 3.90 Network access: Remotely accessible registry paths: System\currentControlSet\Control\Products Options; System\CurrentControlSet\Control\server Applications; Software\Microsoft\Windows NT\CurrentVersion (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares (2) defined by Local or Group Policy
Table 3.93 Network Access: Shares that can be accessed anonymously: None (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest (2) defined by Local or Group Policy
Table 3.94 Network Access: Sharing and security model for local accounts: Classic - local users authenticate as themselves (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash (2) defined by Local or Group Policy
Table 3.95 Network Security: Do not store LAN Manager hash value on next password change: Enabled (Legacy Client, Enterprise Client, and High Security)
Table 2.14 Network Security: Force Logoff when logon hours expire: Disabled (default); Enabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec (2) defined by Local or Group Policy
Table 3.98 Network Security: Minimum session security for NTLM SSP based clients: No minimum (Legacy Client); Enabled all settings (Enterprise Client and High Security)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec (2) defined by Local or Group Policy
Table 3.99 Network Security: Minimum session security for NTLM SSP based servers: No minimum (Legacy Client); Enabled all settings (Enterprise Client and High Security)
(1) HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive
(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaveTimeOut
(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaverIsSecure
(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaveActive
(1) HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive
GPO path: User Configuration\Administrative Templates\Control Panel\Display\Password protect the screen saver
Table 3.251 Make screensaver password protection immediate: the time in seconds before the screen saver grace period expires: 0 (Legacy Client, Enterprise Client, and High Security)
GPO path: User Configuration\Administrative Templates\Control Panel\Display\Screen Saver timeout
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableUserControl
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownBrowse
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownMedia
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableAdminTSRemote
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownPatch
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\TransformSecure
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer\DisableAutoupdate
(1) HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer\PreventCodecDownload
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\{9b017612-c9f1-11d2-8d9f-0000f875c541}\Disabled (2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MessengerService
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventRun
Table 3.167 Messenger: Disabled (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventAutoRun
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Property Pages
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Task Creation
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fSingleSessionPerUser
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxInstanceCount
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fWritableTSCCPermTab
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel
Table 3.255 Set client connection encryption level: High (Legacy Client, Enterprise Client, and High Security)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\DeleteTempDirsOnExit
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fReconnectSame
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fResetBroken
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveEnable
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting\DoReport
Table 3.257 Error Reporting: Disabled (Legacy Client, Enterprise Client, and High Security)
Table 3.199 Removable Storage: Disabled (Legacy Client, Enterprise Client, and High Security)
Table 11.3 Automatic Updates: Disabled
Table 11.3 Automatic Updates: Disabled
Table 11.3 Automatic Updates: Disabled
Table 11.3 Automatic Updates: Disabled
Table 11.3 Automatic Updates: Disabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TCPMaxPortsExhausted
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Use_HKLM_only Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_Zones_Map_Edit Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_zones_map_edit
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoUpdateCheck Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoUpdateCheck
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoJITSetup,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoJITSetup
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit
DISA Stig for Windows 2003
Center for Internet Security Windows Server 2003
4.2.15 Deny access to this computer from the network (minimum): Not Defined
4.2.1 Access this computer from the network: Not Defined; Administrators, Authenticated Users, Enterprise Domain Controllers (Specialized Security)
5.1 User Rights: (4.015: CAT I) Built-in Guest account, Everyone group, guests group, and Domain Guests group DO NOT have the right to "access this computer from the network"
4.2.2 Act as part of the operating system: none
5.1 User Rights: (4.009: CAT I) Individual and group accounts DO NOT have the right to "act as part of the operating system"
4.2.36 Backup files and directories: Administrators (Specialized Security)
4.2.8 Bypass traverse checking: Not Defined
4.2.9 Change the system time: Administrators
4.2.10 Create a pagefile: Administrators (Specialized Security)
4.2.11 Create a token object: None
4.2.14 Debug Programs: None
4.2.13 Create permanent shared objects: None
4.2.21 Force shutdown from a remote system: Administrators (Specialized Security)
4.2.22 Generate security audits: Local Service, Network Service (Specialized Security)
4.2.4 Adjust memory quotas for a process: Network Service, Local Service, Administrators (Specialized Security)
4.2.24 Increase scheduling priority: Administrators (Specialized Security)
4.2.25 Load and unload device drivers: Administrators
4.2.26 Lock pages in memory: Administrators (Specialized Security)
4.2.27 Log on as a batch job: None
4.2.28 Log on as a service: Not Defined
4.2.5 Allow log on locally: Administrators
5.1 User rights: (4.026: CAT II) Built-in Guest account, guests group, and Domain guests group, HelpAssistant, and Support_388945a0 are assigned the right to DENY log on locally
4.2.29 Manage auditing and security log: Administrators (Specialized Security)
4.2.30 Modify firmware environment values: Administrators (Specialized Security)
4.2.32 Profile single process: Administrators (Specialized Security)
4.2.33 Profile system performance: Administrators (Specialized Security)
4.2.34 Remove computer from docking station: Administrators (Specialized Security)
4.2.35 Replace a process level token: Network Service, Local Service
4.2.36 Restore files and directories: Administrators (Specialized Security)
4.2.37 Shut down the system: Administrators (Enterprise, Specialized Security)
4.2.39 Take ownership of file or other objects: Administrators
4.2.38 Synchronize directory service data: None
4.2.18 Deny logon locally: Not Defined
5.1 User rights: (4.026: CAT II) Built-in Guest account, guests group, and Domain guests group, HelpAssistant, and Support_388945a0 are assigned the right to DENY log on locally
4.2.20 enable computer and user accounts to be trusted for delegation: None
4.2.3 Add workstations to domain: Not Defined; None (Specialized Security)
4.2.6 Allow logon through terminal services: Administrators
5.1 User Rights: (4.040: CAT I) No one has the right to allow logon through Terminal Services unless the machine is performing the role of a Terminal Server
4.2.16 Deny logon as a batch job: Not Defined
4.2.17 Deny logon as a service: Not Defined
4.2.19 Deny logon through Terminal Services: Not Defined
5.1 User Rights: (4.041: CAT II) The Everyone group is assigned the right to deny logon through Terminal Services unless the machine is performing the role of a Terminal Server, then the Guests group is assigned
4.2.31 Perform volume maintenance tasks: Administrators (Specialized Security)
5.4.5.1 [AP] User Rights Assignments: Perform Volume Maintenance Tasks: Administrators
2.2.3.3 Reset Account Lockout After: 15 minutes
5.4.2.2 [A] Bad Logon Counter Reset: 15 minutes
2.2.3.1 Account Lockout Duration: 15 minutes
4.5.3 Password Policy (4.004: CAT II) The Account Lockout duration set to 15 minutes or more
2.2.3.2 Account Lockout Threshold: 15 attempts; 10 attempts (Specialized Security)
4.5.3 Password Policy (4.002: CAT II) The Account Lockout Threshold will be set to 3 or less
2.2.1.1 Audit Account Logon Events: Success/Failure
2.2.1.1 Audit Account Logon Events: Success/Failure
2.2.1.2 Audit Account Management: Success/Failure
2.2.1.2 Audit Account Management: Success/Failure
2.2.1.3 Audit Directory Service Access: Not Defined
6.4 System Audit Settings: Audit directory service access: Not Defined
2.2.1.3 Audit Directory Service Access: Not Defined
6.4 System Audit Settings: Audit directory service access: Not Defined
2.2.1.4 Audit Logon Events: Success and Failure
6.4 System Audit Settings: Audit logon events: Success, Failure
2.2.1.4 Audit Logon Events: Success and Failure
6.4 System Audit Settings: Audit logon events: Success, Failure
2.2.1.5 Audit Object Access: Success/Failure
2.2.1.5 Audit Object Access: Success/Failure
2.2.1.6 Audit Policy Change: Success
6.4 System Audit Settings: Audit policy change: Success, Failure
2.2.1.6 Audit Policy Change: Success
6.4 System Audit Settings: Audit policy change: Success, Failure
2.2.1.7 Audit Privilege Use: Not Defined
6.4 System Audit Settings: Audit privilege use: Failure
3.5 [M] Access to Security Event Log: Auditors
2.2.1.7 Audit Privilege Use: Not Defined
6.4 System Audit Settings: Audit privilege use: Failure
6.4 System Audit Settings: Audit process tracking: Not Defined
6.4 System Audit Settings: Audit process tracking: Not Defined
2.2.1.9 Audit System Events: Success
6.4 System Audit Settings: Audit system events: Success, Failure
2.2.1.9 Audit System Events: Success
6.4 System Audit Settings: Audit system events: Success, Failure
2.2.4.1.2 Restrict Guest Access: Enabled
2.2.4.1.1 Maximum Event Log Size: 16MB
5.4.7.1 [A] Event Log Sizes: Maximum application log size: 16384 kilobytes
2.2.4.1.3 Log Retention Method: Not Defined
5.4.7.3 [AP] Preserving Security Events: Retention method for application log: Do not overwrite events (clear log manually)
2.2.4.2.2 Restrict Guest Access: Enabled
5.4.7.1 [A] Event Log Sizes: Maximum security log size: 16384 kilobytes
6.2 Audit Log Requirements: (5.002: CAT II) minimum of 81920KB
2.2.4.2.3 Log Retention Method: Not Defined
2.2.4.3.2 Restrict Guest Access: Enabled
5.4.7.2 [A] Restrict Event Log Access Over Network: Prevent local guests group from accessing security log: Enabled
2.2.4.3.1 Maximum Event Log Size: 16MB
5.4.7.1 [A] Event Log Sizes: Maximum system log size: 16384 kilobytes
6.2 Audit Log Requirements: (5.002: CAT II) minimum of 81920KB
2.1.2 Maximum Password Age: 90 Days
4.5.3 Password Policy: (4.011: CAT II) Maximum password age is set to 90 days or less
2.2.2.1 Minimum Password Age: 1 day
4.5.3 Password Policy: (4.012: CAT II) Minimum password age is set to 1 day or more
4.1.1 Alerter: Disabled
4.1.3 Clipbook: Disabled
4.1.4 Fax Service: Disabled
7.6.3 FTP Service: Disabled
2.2.2.3 Minimum Password Length: 8 characters; 12 characters (Specialized Security)
5.4.1.3 [AP] Minimum Password Length: 8 characters
2.2.2.4 Password Complexity: Enabled
5.4.1.5 [M] Enable strong Password Filtering: Password must meet complexity requirements: Enabled
2.2.2.5 Password History: 24 passwords remembered
5.4.1.4 [A] Password Uniqueness: Enforce password history: 24 passwords
2.2.2.6 Store Passwords Using Reversible Encryption: Disabled
5.4.1.6 [M] Disable Reversible Password Encryption: Disabled
7.6.1 Automatic Updates Service: Disable if not needed
7.6.2 Background Intelligent Transfer Service (BITs): Disable if not needed
4.1.7 FTP Publishing Service: Disabled
4.1.10 IIS Admin Service: Disabled
4.1.11 Indexing Service: Disabled
4.1.13 Messenger: Disabled
8.3.4 Windows Messenger: Disabled
7.6.9 Remote Registry Service: Disabled
8.4.3 .NET Framework: (5.069: CAT II) the .NET Framework is not active on the system unless it only supports locally developed .NET applications
4.1.15 NetMeeting Remote Desktop Sharing: Disabled
7.6.4 NetMeeting Remote Desktop Sharing Service: (5.063: CAT II) Disabled
7.6.5 Print Services for Unix: (5.026: CAT II) Remove if not required
4.1.20 Remote Access Auto Connection Manager: Disabled
7.6.7 Remote Access Auto Connection Manager Service: (5.064: CAT II) Disabled
4.1.23 Remote Desktop Help Session Manager: Disabled
7.6.8 Remote Desktop Help Session Manager: (5.065: CAT II) Disabled
8.3.9.1 Internet Connection Sharing: (3.085: CAT II) Prohibit use of Internet Connection Sharing on your DNS domain networks is Enabled
4.1.26 Remote Registry Service: Disabled (Specialized Security)
4.1.35 Telnet: Disabled
7.6.11 Routing and Remote Access Service: (5.067: CAT II) Disabled if not required
7.6.10 Remote Shell Service: (5.008: CAT II) Service is removed by typing instsrv rshsvc remove at the command prompt
7.6.16 Telnet Servers: (5.010: CAT II) Simple TCP/IP services are disabled
4.1.31 Simple Mail Transfer Protocol: Disabled
4.1.32 Simple Network Management Protocol Service: Disabled
7.6.13 SNMP Service: (5.026: CAT II) SNMP is disabled if not required
4.1.33 Simple Network Management Protocol Trap: Disabled
7.6.14 Simple Service Discovery Protocol (SSDP) Service: (5.019: CAT I) Disabled
7.6.15 Task Scheduler Service: (5.009: CAT II) Disabled
4.1.1 Alerter: Disabled
4.1.3 Clipbook: Disabled
4.1.4 Fax Service: Disabled
4.1.36 Terminal Services: Disabled (Specialized Security)
7.6.17 Terminal Services: (5.020: CAT I) Disabled on machines that are not performing as Terminal Servers
4.1.39 World Wide Web Publishing Services: Disabled
7.6.1 Automatic Updates Service: Disable if not needed
7.6.2 Background Intelligent Transfer Service (BITs): Disable if not needed
7.6.5 Print Services for Unix: (5.026: CAT II) Remove if not required
4.1.7 FTP Publishing Service: Disabled
4.1.10 IIS Admin Service: Disabled
4.1.11 Indexing Service: Disabled
4.1.13 Messenger: Disabled
4.1.35 Telnet: Disabled
4.1.15 NetMeeting Remote Desktop Sharing: Disabled
4.1.19 Print Spooler: Disabled (Specialized Security)
4.1.20 Remote Access Auto Connection Manager: Disabled
7.6.7 Remote Access Auto Connection Manager Service: (5.064: CAT II) Disabled
4.1.23 Remote Desktop Help Session Manager: Disabled
4.1.26 Remote Registry Service: Disabled (Specialized Security)
4.1.31 Simple Mail Transfer Protocol: Disabled
4.1.32 Simple Network Management Protocol Service: Disabled
4.1.33 Simple Network Management Protocol Trap: Disabled
3.5 [M] Access to Security Event Log: Auditors
4.1.36 Terminal Services: Disabled (Specialized Security)
4.1.39 World Wide Web Publishing Services: Disabled
3.1.3 Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled (Enterprise and Specialized Security)
5.4.6.53 [AP] Restrict Anonymous Network Shares: Network Access: Do not allow anonymous enumeration of SAM accounts: Enabled
3.1.1 Network Access: Allow Anonymous SID/Name Translation: Disabled (Specialized Security)
5.4.6.52 Network Access: Allow anonymous SID/Name translation: Disabled
5.2 Windows Server 2003 Built-in Accounts: (4.048: CAT II) Disabled
3.2.1.27 Interactive Logon: Message Title for Users Attempting to Log On: <Custom or DoJ Approved>
5.4.6.22 [AP] Display Legal Notice: Interactive Logon: Message title for users attempting to log on: US Department of Defense Warning Statement
3.2.1.26 Interactive Logon: Message Text for Users Attempting to Log On: <Custom or DoJ Approved>
5.4.6.22 Interactive Logon: Message text for users attempting to log on
5.4.6.38 [A] Disable Administrator Automatic Logon: Disabled
5.4.6.47 [A] Disable Media Autoplay: MSS: Disable Autorun on all drives: 255, disable Autorun for all drives
5.4.6.41 [A] ICMP Redirects: MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes: Disabled
3.2.1.69 MSS: IP Source Routing protection level: Highest Protection, source routing is automatically disabled
5.4.6.39 MSS: DisableIPSourceRouting, IP source routing packet spoofing: Highest protection, source routing is completely disabled
3.2.1.74 MSS: Allow IRDP to detect and configure DefaultGateway addresses: Disabled
3.2.1.24 Interactive Logon: Do Not Display Last User Name: Enabled
3.2.1.70 MSS: Allow automatic detection of dead network gateways: Disabled
5.4.6.40 [A] Detection of Dead Gateways: MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways: Disabled
3.2.1.82 MSS: How often keepalive packets are sent in milliseconds: 300000
5.4.6.49 MSS: How often keepalive packets are sent in milliseconds: 300000
3.2.1.73 MSS: Allow the computer to ignore NetBIOS name release requests except from WINS servers: Enabled
5.4.6.42 [A] NetBIOS Name Release: MSS: (NoNameReleaseOnDemand) Allow computer to ignore NetBIOS name release requests except from WINS Servers: Enabled
3.2.1.72 MSS: EnablePMTUDiscovery, Allow automatic detection of MTU size: Enabled (Specialized Security)
5.4.6.44 MSS (SynAttackProtect) Syn attack protection level: Connections time out sooner if a SYN attack is detected
5.4.6.6 ConGp: Prevent the dial-up password from being saved: Enabled
3.2.1.19 Domain Member: Digitally Encrypt Secure Channel Data (When Possible): Enabled
5.4.6.16 [A] Encryption of Secure Channel Traffic: Domain Member: Digitally encrypt secure channel data (when possible): Enabled
3.2.1.20 Domain Member: Digitally Sign Secure Channel Data (When Possible): Enabled
5.4.6.17 [A] Signing of Secure Channel Traffic: Domain Member: Digitally sign secure channel data (when possible): Enabled
3.2.1.80 MSS: Enable Safe DLL search mode: Enabled
5.4.6.48 [A] Safe DLL Search Mode: MSS: Enable Safe DLL search mode: Enabled
8.3.5 Always wait for the network at computer startup: Enabled
8.3.6 Group Policy: (3.080: CAT II) Turn off background refresh of Group Policy is set to Disabled
8.3.9.2 Network Bridge: (3.086: CAT II) The setting Prohibit installation and configuration of network Bridge on your DNS domain network is set to Enabled
8.3.10 Installation of Printers Using Kernel-mode Drivers: (3.087: CAT II) the setting Disallow installation of printers using kernel-mode drivers is set to Enabled
3.2.1.15 Domain Controller: Allow Server Operators to Schedule Tasks: Disabled
5.4.6.12 [A] Server Operators Scheduling Tasks: Domain Controller: Allow server operators to schedule tasks: Disabled
5.4.6.3 Accounts: Rename administrator account: Should not be Administrator
5.4.6.4 Account: Rename guest account: Any value other than ‘Guest’
5.4.6.30 [A] Idle Time Before Suspending a Session: Microsoft Network Server: Amount of idle time required before suspending a session: 15 minutes
3.2.1.6 Audit: Audit the access of global system objects: Not Defined
5.4.7.76 [A] Global System Object Permission Strength: System objects: Strengthen default permissions of internal system objects: Enabled
3.2.1.7 Audit: Audit the use of backup and restore privilege: Not Defined
5.4.6.21 [A] CTRL+ALT+DEL Security Attention Sequence: Interactive Logon: Do not require CTRL+ALT+DEL: Disabled
3.2.1.50 Network Security: LAN Manager Authentication Level: Send NTLMv2 (Legacy), Send NTLMv2, refuse LM (Enterprise), Send NTLMv2, refuse LM and NTLM (Specialized Security)
5.4.6.64 [AP] LanMan Compatible Password Option Not Properly Set: Network Security: LAN Manager authentication level: Send NTLMv2 response only/refuse LM & NTLM
3.2.1.11 Devices: Prevent users from installing printer drivers: Enabled
5.4.6.9 [A] Secure Print Driver Installation: Devices: Prevent users from installing printer drivers: Enabled
3.2.1.54 Recovery Console: Allow Automatic Administrative Logon: Disabled
5.4.6.68 [A] Recovery Console - Automatic Logon: Allow automatic administrative logon: Disabled
3.2.1.55 Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders: Not Defined
5.4.6.69 [A] Recovery Console - Set Command: Recovery console: Allow floppy copy and access to all drives and folders: Disabled
3.2.1.12 Devices: Restrict CD-ROM Access to Locally Logged-On User Only: Not Defined
3.2.1.13 Devices: Restrict Floppy Access to Locally Logged-On User only: Not Defined
5.4.6.10 [A] Secure Removable Media: Devices: Restrict floppy access to locally logged-on user only: Enabled
3.2.1.62 System Objects: Strengthen default permissions of internal system objects: Enabled
5.4.6.76 [A] Global System Object Permission Strength: System Objects: Strengthen default permissions of internal system objects: Enabled
3.2.1.23 Domain Member: Require Strong (Windows 2000 or later) Session Key: Not Defined
5.4.6.20 [AP] Strong Session Key (WIN2K/W2K3 Native Domains): Domain Member: Require Strong (Windows 2000 or later) Session Key: Enabled
3.2.1.35 Microsoft Network Client: Send Unencrypted Password to Connect to Third-Party SMB Server: Disabled
5.4.6.29 [A] Unencrypted Passwords to 3rd party SMB Servers: Disabled
3.2.1.14 Devices: Unsigned driver installation behavior: "Warn, but allow . . . "
5.4.6.11 [AP] Unsigned Driver installation Behavior: Warn but allow installation
3.2.1.29 Interactive Logon: Prompt User to Change Password Before Expiration: 14 days
5.4.6.24 [A] Password Expiration Warning: Interactive Logon: Prompt user to change password before expiration: 14 days
3.2.1.8 Audit: Shut down system immediately if unable to log security alerts: Enabled (Specialized Security)
5.4.6.5 [AP] Halt on Audit Failure: Audit: Shut down system immediately if unable to log security audits: Enabled
3.2.1.56 Shutdown: Allow system to be shut down without having to log on: Disabled
3.2.1.57 Shutdown: Clear virtual memory pagefile: Not Defined
5.4.6.71 [AP] Clear System Page File During Shutdown: Shutdown: Clear virtual memory pagefile: Enabled
3.2.1.33 Microsoft Network Client: Digitally sign communications (always): Enabled (Specialized Security)
5.4.6.27 [A] SMB Client Packet Signing (Always): Microsoft Network Client: Digitally sign communications (always): Enabled
3.2.1.37 Microsoft Network Server: Digitally sign communications (always): Not Defined
5.4.6.31 [A] SMB Server Packet Signing (Always): Microsoft Network Server: Digitally sign communications (always): Enabled
Microsoft network server: Digitally sign communications (if client agrees): Disabled
5.4.6.32 Microsoft Network Server: digitally sign server communications (if client agrees): Enabled
3.2.1.28 Interactive Logon: Number of Previous Logons to Cache: Not Defined
5.4.6.23 Interactive Logon: Number of previous logons to cache (in case Domain Controller is unavailable): 0 logons or 1 logon
3.2.1.10 Devices: Allowed to format and eject removable media: Administrators
5.4.6.8 [A] Format and Eject Removable Media: Devices: Allowed to Format and Eject Removable Media: Administrators
3.2.1.18 Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always): Not Defined
5.4.6.15 [A] Encrypting and Signing of Secure Channel Traffic: Domain Member: Digitally encrypt or sign secure channel data (always): Enabled
3.2.1.19 Domain Member: Digitally Encrypt Secure Channel Data (When Possible): Enabled
5.4.6.16 [A] Encryption of Secure Channel Traffic: Domain Member: Digitally encrypt secure channel data (when possible): Enabled
3.2.1.20 Domain Member: Digitally Sign Secure Channel Data (When Possible): Enabled
5.4.6.17 [A] Signing of Secure Channel Traffic: Domain Member: Digitally sign secure channel data (when possible): Enabled
3.2.1.32 Interactive Logon: Smart Card Removal Behavior: Lock Workstation
5.4.6.26 [A] Smart Card Removal Option: interactive Logon: Smart card removal behavior: Lock Workstation or Force Logoff
3.2.1.59 System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Not Defined
5.4.6.73 [A] FIPS compliant algorithms: System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Enabled
3.2.1.60 System Objects: Default owner for objects created by members of the Administrators group: Object Creator
5.4.6.74 [A] Object Created by members of the Administrators Group: System objects: Default owner for object created by members of the Administrators groups: Object creator
3.2.1.61 System objects: Require case insensitivity for non-Windows subsystems: Not Defined
5.4.6.75 [A] Case Insensitivity for Non-Windows Subsystems: System object: Require Case Insensitivity for non-Windows Subsystems: Enabled
3.2.1.3 Accounts: Limit local account use of blank passwords to console logon only: Enabled
5.4.6.2 [A] Limit Blank Passwords: Accounts: Limit local account use of blank passwords to console logon only: Enabled
3.2.1.9 Devices: Allow undock without having to log on: Enabled (Specialized Security)
5.4.6.7 [A] Undock Without Logging On: Devices: Allow Undock Without Having to Log On: Disabled
3.2.1.16 Domain Controller: LDAP Server Signing Requirements: Require Signing (Specialized Security)
5.4.6.13 [A] LDAP Signing Requirements (Domain Controller): Domain controller: LDAP Server signing requirements: Require signing
3.2.1.51 Network Security: LDAP client signing requirements: Negotiate Signing or Require Signing
5.4.6.65 [A] LDAP Client Signing: Network security: LDAP client signing requirements: Negotiate signing
3.2.1.17 Domain Controller: Refuse machine account password changes: Disabled
5.4.6.14 [A] computer Account Password change Requests: Domain Controller: Refuse machine account password changes: Disabled
3.2.1.22 Domain Member: Maximum Machine Account Password Age: 30 days
5.4.6.19 [A] Maximum Machine Account Password Age: Domain Member: Maximum Machine Account Password Age: 30
3.2.1.30 Interactive Logon: Require Domain Controller authentication to unlock workstation: Not Applicable
5.4.6.25 [A] Domain Controller Authentication to Unlock Workstation: Interactive logon: Require domain controller authentication to unlock workstation: Enabled
3.2.1.30 Microsoft Network Server: Disconnect clients when logon hours expire: Enabled
5.4.6.33 [A] forcibly disconnect when logon hours expire: Microsoft network Server: Disconnect clients when logon hours expire: Enabled
3.2.1.40 Network Access: Do not allow storage of credentials or .NET passports for network authentication: Enabled (Specialized Security)
5.4.6.54 [A] Storage of credentials or .NET passports: Network Access: Do not allow storage of credentials or .NET passports for network authentication: Enabled
3.2.1.41 Network Access: Let Everyone permissions apply to anonymous users: Disabled
5.4.6.55 [AP] Everyone Permissions Apply to Anonymous Users: Network Access: Let everyone permissions apply to anonymous users: Disabled
3.2.1.42 Network Access: Named pipes that can be accessed anonymously: None
5.4.6.56 [MA] Anonymous Access to Named Pipes: Network Access: Named pipes that can be accessed anonymously: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, EPMAPPER, LOCATOR, TrkWks, and TrkSvr
3.2.1.43 Network Access: Remotely accessible registry paths: System\CurrentControlSet\Control\Product Options, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\WindowsNT\CurrentVersion
5.4.6.57 [MA] Remotely Accessible Registry Paths: Network Access: Remotely accessible registry paths: System\currentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion
3.2.1.46 Network Access: Shares that can be accessed anonymously: None
5.4.6.60 [MA] Anonymous Access to Network Shares: Network Access: Shares that can be accessed anonymously: <should be blank>
3.2.1.47 Network Access: Sharing and security model for local accounts: Classic
5.4.6.61 [A] Sharing and Security Model for Local Accounts: Network Access: Sharing and security model for local accounts: "Classic - local users authenticate as themselves"
3.2.1.48 Network Security: Do not store LAN Manager password hash value on next password change: Enabled (Specialized Security)
5.4.6.62 [AP] LAN Manager Hash Value: network security: Do not store LAN Manager hash value on next password change: Enabled
3.2.1.49 Network Security: Force logoff when logon hours expire: Not Defined
5.4.6.63 [A] force Logoff when Logon Hours Expire: Enabled
3.2.1.52 Network Security: Minimum session security for NTLM SSP based clients: Require Message Integrity, Message Confidentiality, NTLMv2 Session Security, 128-bit Encryption (Specialized Security)
5.4.6.66 [A] Minimum Session Security for NTLM SSP-based Clients: "Require NTLMv2 session security", "Require 128-bit encryption", "Require Message Integrity", and "Require Message Confidentiality"
3.2.1.52 Network Security: Minimum session security for NTLM SSP based clients: Require Message Integrity, Message Confidentiality, NTLMv2 Session Security, 128-bit Encryption (Specialized Security)
5.4.6.67 [A] Minimum Session Security for NTLM SSP-based servers: "Require NTLMv2 session security", "Require 128-bit encryption", "Require Message Integrity", and "Require Message Confidentiality"
5.5.1 [AP] Password Protected Screen Savers: Passwords are required
3.2.1.84 MSS: The time in seconds before the screen saver grace period expires: 0
7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes)
7.5.1 Configuring Default User Screensaver Options: ScreenSaverIsSecure: 1
7.5.1 Configuring Default User Screensaver Options: ScreenSaveActive: 1
7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes)
7.5.1 Configuring Default User Screensaver Options: ScreenSaverIsSecure: 1
7.5.1 Configuring Default User Screensaver Options: ScreenSaveActive: 1
5.5.1 [AP] Password Protected Screen Savers: Passwords are required
3.2.1.84 MSS: The time in seconds before the screen saver grace period expires: 0
7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes)
7.5.1 Configuring Default User Screensaver Options: ScreenSaverIsSecure: 1
7.5.1 Configuring Default User Screensaver Options: ScreenSaveActive: 1
5.5.1 [AP] Password Protected Screen Savers: Passwords are required
3.2.1.84 MSS: The time in seconds before the screen saver grace period expires: 0
7.5.1 Configuring Default User Screensaver Options: ScreenSaveTimeout: 900 Seconds (15 minutes)
8.3.3.1 Always Install with Elevated Privileges: (4.037: CAT II) Disabled
8.3.3.3 Enable User Control Over Installs: (5.051: CAT II) Disabled
8.3.3.4 Enable User to Browse for Source While Elevated: (5.052: CAT II) Disabled
8.3.3.5 Enable User to Use Media Source While Elevated: (5.053: CAT II) Disabled
8.3.3.7 Allow Admin to Install from Terminal Services Session: (5.055: CAT II) Disabled
8.3.3.6 Enable User to Patch Elevated Products: (5.054: CAT II) Disabled
4.1.13 Messenger: Disabled
8.3.3.8 Cache Transforms in Secure Location on Workstation: (5.056: CAT II) Enabled
5.6.4.1 [A] Media Player - Disabling Media Player for Automatic Updates: Enabled
8.3.11 Media Player - Automatic Downloads: (5.061: CAT II) Prevent Codec Download is set to Enabled
5.6.5.3 [A] Windows Messenger - Internet Access Blocked: 1
8.3.4.1 Do Not Allow Windows Messenger to be Run: (5.017: CAT I) Enabled
8.3.4.2 Do Not Automatically Start Windows Messenger Initially: (5.029: CAT I) Enabled
7.6.15 Task Scheduler Service: (5.035: CAT III) Hide Property Page is Enabled
7.6.15 Task Scheduler Service: (5.036: CAT III) Prohibit New Task Creation is Enabled
8.3.2.2 Limit User to One Remote Session: (5.038: CAT II) Enabled
8.3.2.3 Limit Number of Connections: (5.039: CAT II) Enabled
8.3.2.4 Do Not Allow New Client Connections: (5.040: CAT II) Enabled
5.6.3.3 [A] Terminal Services - Do Not Allow Local Administrators to Customize Permissions: Enabled
5.6.3.4 [A] Terminal Services - Remote Control Settings: "Set rules for remote control of Terminal Services user settings": Enabled
5.6.3.5 [A] Terminal Services - Always prompt client for password upon connections: Enabled
5.6.3.6 [A] Terminal Services - Set Client Connection Encryption Level: Enabled
8.3.2.5 Do Not Use Temp Folders per Session: (5.044: CAT II) Disabled
8.3.2.6 Do Not Delete Temp Folder upon Exit: (5.045: CAT II) Disabled
5.6.3.10 [A] Terminal Services - Set Time Limit for Disconnected Sessions: Enabled ("End a disconnected session" is set to "1")
8.3.2.7 Set Time Limit for Idle Sessions: (5.047: CAT II) Enabled and set to no more than 15 minutes
5.6.3.12 [A] Terminal Services - Allow Reconnection from Original Client Only: Enabled
8.3.2.8 Terminate Session When Time Limits are Reached: (5.049: CAT II) Enabled
5.6.9.1 Report Errors: Disabled
8.3.2.1 Keep-Alive Messages: (5.037: CAT III) Enabled
5.6.8.1 [A] Remote Assistance - Solicited Remote Assistance: Disabled
5.6.8.2 [A] Remote Assistance - Offer Remote Assistance: Disabled
5.4.3.1 [M] User Logon Restrictions: Enforce user logon restrictions: Enabled
5.4.3.2 [M] Service Ticket Lifetime: Maximum lifetime for service ticket: 600 minutes
5.4.3.3 [M] User Ticket Lifetime: Maximum lifetime for user ticket: 10 hours
5.4.3.5 [M] Computer Clock Synchronization: Maximum tolerance for computer clock synchronizations: 5 minutes
2.2.2 Microsoft Software Updates Services: Specify intranet Microsoft update service location: enabled
3.2.1.78 MSS: TCPMaxPortsExhausted, How many dropped connect requests to initiate SYN attack protection: 5
8.3.1.1 Security Zones: Use Only Machine Settings: (5.028: CAT II) Enabled
8.3.1.3 Security Zones: Do Not Allow Users to Add/Delete Sites: (5.030: CAT II) Enabled
8.3.1.6 Disable Periodic Check for Internet Explorer Software Updates: (5.033: CAT II) Enabled
8.3.1.7 Disable Software Update Shell Notifications on Program Launch: (5.034: CAT II) Disabled
8.3.1.5 Disable Automatic Install of Internet Explorer Components: (5.032: CAT II) Enabled
8.3.1.4 Make Proxy Settings Per Machine: (5.031: CAT II) Enabled
8.3.1.2 Security Zones: Do Not Allow Users to Change Policies: (5.029: CAT II) Enabled
CCE ID CCE Description
CCE-1841-6 enabled/disabled
CCE-2348-1 enabled/disabled
CCE-2608-8 enabled/disabled
CCE-2022-2 enabled/disabled
CCE-2414-1 enabled/disabled
CCE-2441-4 enabled/disabled
CCE-2569-2 enabled/disabled
CCE-2110-5 enabled/disabled
CCE-2260-8 enabled/disabled
CCE Parameters
Auditing of "Security System Extension" events on success should be enabled or disabled as appropriate.
Auditing of "System Integrity" events on success should be enabled or disabled as appropriate.
Auditing of "IPsec Driver" events on success should be enabled or disabled as appropriate.
Auditing of "Other System Events" events on success should be enabled or disabled as appropriate.
Auditing of "Security State Change" events on success should be enabled or disabled as appropriate.
Auditing of "Logon" events on success should be enabled or disabled as appropriate.
Auditing of "Logoff" events on success should be enabled or disabled as appropriate.
Auditing of "Account Lockout" events on success should be enabled or disabled as appropriate.
Auditing of "IPsec Main Mode" events on success should be enabled or disabled as appropriate.
CCE-2064-4 enabled/disabled
CCE-2350-7 enabled/disabled
CCE-2610-4 enabled/disabled
CCE-2615-3 enabled/disabled
CCE-2373-9 enabled/disabled
CCE-2531-2 enabled/disabled
CCE-2553-6 enabled/disabled
CCE-2417-4 enabled/disabled
CCE-2465-3 enabled/disabled
CCE-2095-8 enabled/disabled
Auditing of "IPsec Quick Mode" events on success should be enabled or disabled as appropriate.
Auditing of "IPsec Extended Mode" events on success should be enabled or disabled as appropriate.
Auditing of "Special Logon" events on success should be enabled or disabled as appropriate.
Auditing of "Other Logon/Logoff Events" events on success should be enabled or disabled as appropriate.
Auditing of "Network Policy Server" events on success should be enabled or disabled as appropriate.
Auditing of "File System" events on success should be enabled or disabled as appropriate.
Auditing of "Registry" events on success should be enabled or disabled as appropriate.
Auditing of "Kernel Object" events on success should be enabled or disabled as appropriate.
Auditing of "SAM" events on success should be enabled or disabled as appropriate.
Auditing of "Certification Services" events on success should be enabled or disabled as appropriate.
CCE-2368-9 enabled/disabled
CCE-2408-3 enabled/disabled
CCE-2601-3 enabled/disabled
CCE-2482-8 enabled/disabled
CCE-2504-9 enabled/disabled
CCE-2033-9 enabled/disabled
CCE-2205-3 enabled/disabled
CCE-2104-8 enabled/disabled
CCE-2386-1 enabled/disabled
CCE-2518-9 enabled/disabled
Auditing of "Application Generated" events on success should be enabled or disabled as appropriate.
Auditing of "Handle Manipulation" events on success should be enabled or disabled as appropriate.
Auditing of "File Share" events on success should be enabled or disabled as appropriate.
Auditing of "Filtering Platform Packet Drop" events on success should be enabled or disabled as appropriate.
Auditing of "Filtering Platform Connection" events on success should be enabled or disabled as appropriate.
Auditing of "Other Object Access Events" events on success should be enabled or disabled as appropriate.
Auditing of "Sensitive Privilege Use" events on success should be enabled or disabled as appropriate.
Auditing of "Non Sensitive Privilege Use" events on success should be enabled or disabled as appropriate.
Auditing of "Other Privilege Use Events" events on success should be enabled or disabled as appropriate.
Auditing of "Process Termination" events on success should be enabled or disabled as appropriate.
CCE-2522-1 enabled/disabled
CCE-2544-5 enabled/disabled
CCE-2002-4 enabled/disabled
CCE-2433-1 enabled/disabled
CCE-2566-8 enabled/disabled
CCE-2570-0 enabled/disabled
CCE-2464-6 enabled/disabled
CCE-2614-6 enabled/disabled
CCE-2385-3 enabled/disabled
Auditing of "DPAPI Activity" events on success should be enabled or disabled as appropriate.
Auditing of "RPC Events" events on success should be enabled or disabled as appropriate.
Auditing of "Process Creation" events on success should be enabled or disabled as appropriate.
Auditing of "Audit Policy Change" events on success should be enabled or disabled as appropriate.
Auditing of "Authentication Policy Change" events on success should be enabled or disabled as appropriate.
Auditing of "Authorization Policy Change" events on success should be enabled or disabled as appropriate.
Auditing of "MPSSVC Rule-Level Policy Change" events on success should be enabled or disabled as appropriate.
Auditing of "Filtering Platform Policy Change" events on success should be enabled or disabled as appropriate.
Auditing of "Other Policy Change Events" events on success should be enabled or disabled as appropriate.
CCE-2394-5 enabled/disabled
CCE-2288-9 enabled/disabled
CCE-2443-0 enabled/disabled
CCE-1642-8 enabled/disabled
CCE-2468-7 enabled/disabled
CCE-2485-1 enabled/disabled
CCE-2367-1 enabled/disabled
CCE-2635-1 enabled/disabled
CCE-2534-6 enabled/disabled
Auditing of "User Account Management" events on success should be enabled or disabled as appropriate.
Auditing of "Computer Account Management" events on success should be enabled or disabled as appropriate.
Auditing of "Security Group Management" events on success should be enabled or disabled as appropriate.
Auditing of "Distribution Group Management" events on success should be enabled or disabled as appropriate.
Auditing of "Application Group Management" events on success should be enabled or disabled as appropriate.
Auditing of "Other Account Management Events" events on success should be enabled or disabled as appropriate.
Auditing of "Directory Service Access" events on success should be enabled or disabled as appropriate.
Auditing of "Directory Service Changes" events on success should be enabled or disabled as appropriate.
Auditing of "Directory Service Replication" events on success should be enabled or disabled as appropriate.
CCE-2556-9 enabled/disabled
CCE-2586-6 enabled/disabled
CCE-2463-8 enabled/disabled
CCE-2405-9 enabled/disabled
CCE-1678-2 enabled/disabled
CCE-2545-2 enabled/disabled
CCE-2440-6 enabled/disabled
CCE-2351-5 enabled/disabled
CCE-2193-1 enabled/disabled
CCE-2448-9 enabled/disabled
Auditing of "Detailed Directory Service Replication" events on success should be enabled or disabled as appropriate.
Auditing of "Kerberos Authentication Service" events on success should be enabled or disabled as appropriate.
Auditing of "Credential Validation" events on success should be enabled or disabled as appropriate.
Auditing of "Kerberos Service Ticket Operations" events on success should be enabled or disabled as appropriate.
Auditing of "Other Account Logon Events" events on success should be enabled or disabled as appropriate.
Auditing of "Security System Extension" events on failure should be enabled or disabled as appropriate.
Auditing of "System Integrity" events on failure should be enabled or disabled as appropriate.
Auditing of "IPsec Driver" events on failure should be enabled or disabled as appropriate.
Auditing of "Other System Events" events on failure should be enabled or disabled as appropriate.
Auditing of "Security State Change" events on failure should be enabled or disabled as appropriate.
CCE-2470-3 enabled/disabled
CCE-2616-1 enabled/disabled
CCE-1889-5 enabled/disabled
CCE-2409-1 enabled/disabled
CCE-2536-1 enabled/disabled
CCE-2267-3 enabled/disabled
CCE-2558-5 enabled/disabled
CCE-1968-7 enabled/disabled
CCE-2575-9 enabled/disabled
CCE-2488-5 enabled/disabled
CCE-2505-6 enabled/disabled
Auditing of "Logon" events on failure should be enabled or disabled as appropriate.
Auditing of "Logoff" events on failure should be enabled or disabled as appropriate.
Auditing of "Account Lockout" events on failure should be enabled or disabled as appropriate.
Auditing of "IPsec Main Mode" events on failure should be enabled or disabled as appropriate.
Auditing of "IPsec Quick Mode" events on failure should be enabled or disabled as appropriate.
Auditing of "IPsec Extended Mode" events on failure should be enabled or disabled as appropriate.
Auditing of "Special Logon" events on failure should be enabled or disabled as appropriate.
Auditing of "Other Logon/Logoff Events" events on failure should be enabled or disabled as appropriate.
Auditing of "Network Policy Server" events on failure should be enabled or disabled as appropriate.
Auditing of "File System" events on failure should be enabled or disabled as appropriate.
Auditing of "Registry" events on failure should be enabled or disabled as appropriate.
CCE-2195-6 enabled/disabled
CCE-1961-2 enabled/disabled
CCE-2358-0 enabled/disabled
CCE-2622-9 enabled/disabled
CCE-2503-1 enabled/disabled
CCE-2402-6 enabled/disabled
CCE-2292-1 enabled/disabled
CCE-2437-2 enabled/disabled
CCE-2583-3 enabled/disabled
CCE-2349-9 enabled/disabled
Auditing of "Kernel Object" events on failure should be enabled or disabled as appropriate.
Auditing of "SAM" events on failure should be enabled or disabled as appropriate.
Auditing of "Certification Services" events on failure should be enabled or disabled as appropriate.
Auditing of "Application Generated" events on failure should be enabled or disabled as appropriate.
Auditing of "Handle Manipulation" events on failure should be enabled or disabled as appropriate.
Auditing of "File Share" events on failure should be enabled or disabled as appropriate.
Auditing of "Filtering Platform Packet Drop" events on failure should be enabled or disabled as appropriate.
Auditing of "Filtering Platform Connection" events on failure should be enabled or disabled as appropriate.
Auditing of "Other Object Access Events" events on failure should be enabled or disabled as appropriate.
Auditing of "Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.
CCE-2605-4 enabled/disabled
CCE-2371-3 enabled/disabled
CCE-2389-5 enabled/disabled
CCE-2604-7 enabled/disabled
CCE-2498-4 enabled/disabled
CCE-2375-4 enabled/disabled
CCE-2269-9 enabled/disabled
CCE-2151-9 enabled/disabled
CCE-2459-6 enabled/disabled
CCE-2353-1 enabled/disabled
Auditing of "Non Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.
Auditing of "Other Privilege Use Events" events on failure should be enabled or disabled as appropriate.
Auditing of "Process Termination" events on failure should be enabled or disabled as appropriate.
Auditing of "DPAPI Activity" events on failure should be enabled or disabled as appropriate.
Auditing of "RPC Events" events on failure should be enabled or disabled as appropriate.
Auditing of "Process Creation" events on failure should be enabled or disabled as appropriate.
Auditing of "Audit Policy Change" events on failure should be enabled or disabled as appropriate.
Auditing of "Authentication Policy Change" events on failure should be enabled or disabled as appropriate.
Auditing of "Authorization Policy Change" events on failure should be enabled or disabled as appropriate.
Auditing of "MPSSVC Rule-Level Policy Change" events on failure should be enabled or disabled as appropriate.
CCE-2490-1 enabled/disabled
CCE-1759-0 enabled/disabled
CCE-2411-7 enabled/disabled
CCE-2415-8 enabled/disabled
CCE-2560-1 enabled/disabled
CCE-2273-1 enabled/disabled
CCE-2542-9 enabled/disabled
CCE-2062-8 enabled/disabled
CCE-1926-5 enabled/disabled
CCE-2445-5 enabled/disabled
Auditing of "Filtering Platform Policy Change" events on failure should be enabled or disabled as appropriate.
Auditing of "Other Policy Change Events" events on failure should be enabled or disabled as appropriate.
Auditing of "User Account Management" events on failure should be enabled or disabled as appropriate.
Auditing of "Computer Account Management" events on failure should be enabled or disabled as appropriate.
Auditing of "Security Group Management" events on failure should be enabled or disabled as appropriate.
Auditing of "Distribution Group Management" events on failure should be enabled or disabled as appropriate.
Auditing of "Application Group Management" events on failure should be enabled or disabled as appropriate.
Auditing of "Other Account Management Events" events on failure should be enabled or disabled as appropriate.
Auditing of "Directory Service Access" events on failure should be enabled or disabled as appropriate.
Auditing of "Directory Service Changes" events on failure should be enabled or disabled as appropriate.
CCE-1718-6 enabled/disabled
CCE-2489-3 enabled/disabled
CCE-2511-4 enabled/disabled
CCE-2516-3 enabled/disabled
CCE-2291-3 enabled/disabled
CCE-2564-3 enabled/disabled
CCE-2251-7 enabled/disabled
CCE-2211-1 enabled/disabled
CCE-2215-2 enabled/disabled
Auditing of "Directory Service Replication" events on failure should be enabled or disabled as appropriate.
Auditing of "Detailed Directory Service Replication" events on failure should be enabled or disabled as appropriate.
Auditing of "Kerberos Authentication Service" events on failure should be enabled or disabled as appropriate.
Auditing of "Credential Validation" events on failure should be enabled or disabled as appropriate.
Auditing of "Kerberos Service Ticket Operations" events on failure should be enabled or disabled as appropriate.
Auditing of "Other Account Logon Events" events on failure should be enabled or disabled as appropriate.
Auditing of "Audit account logon events" events on success should be enabled or disabled as appropriate.
Auditing of "Audit account management" events on success should be enabled or disabled as appropriate.
Auditing of "Audit directory service access" events on success should be enabled or disabled as appropriate.
CCE-2242-6 enabled/disabled
CCE-2136-0 enabled/disabled
CCE-2268-1 enabled/disabled
CCE-2035-4 enabled/disabled
CCE-2295-4 enabled/disabled
CCE-1837-4 enabled/disabled
CCE-1779-8 enabled/disabled
CCE-2538-7 enabled/disabled
CCE-2582-5 enabled/disabled
CCE-2574-2 enabled/disabled
Auditing of "Audit logon events" events on success should be enabled or disabled as appropriate.
Auditing of "Audit object access" events on success should be enabled or disabled as appropriate.
Auditing of "Audit policy change" events on success should be enabled or disabled as appropriate.
Auditing of "Audit privilege use" events on success should be enabled or disabled as appropriate.
Auditing of "Audit process tracking" events on success should be enabled or disabled as appropriate.
Auditing of "Audit system events" events on success should be enabled or disabled as appropriate.
Auditing of "Audit account logon events" events on failure should be enabled or disabled as appropriate.
Auditing of "Audit account management" events on failure should be enabled or disabled as appropriate.
Auditing of "Audit directory service access" events on failure should be enabled or disabled as appropriate.
Auditing of "Audit logon events" events on failure should be enabled or disabled as appropriate.
CCE-2217-8 enabled/disabled
CCE-2512-2 enabled/disabled
CCE-2265-7 enabled/disabled
CCE-1895-2 enabled/disabled
CCE-1939-8 enabled/disabled
CCE-2026-3
CCE-2075-0
CCE-2079-2
CCE-2246-7
CCE-2004-0
CCE-2286-3
Auditing of "Audit object access" events on failure should be enabled or disabled as appropriate.
Auditing of "Audit policy change" events on failure should be enabled or disabled as appropriate.
Auditing of "Audit privilege use" events on failure should be enabled or disabled as appropriate.
Auditing of "Audit process tracking" events on failure should be enabled or disabled as appropriate.
Auditing of "Audit system events" events on failure should be enabled or disabled as appropriate.
The "Access credential Manager as a trusted caller" setting should be configured correctly.
The "Access this computer from the network (SeNetworkLogonRight)" setting should be configured correctly.
The "Act as part of the operating system (SeTcbPrivilege)" setting should be configured correctly.
The "Add workstations to domain" setting should be configured correctly.
The "Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)" setting should be configured correctly.
The "Allow log on locally" setting should be configured correctly.
CCE-2308-5
CCE-1321-9
CCE-2285-5
CCE-2290-5
CCE-2171-7
CCE-1328-4
CCE-1491-0
CCE-2226-9
CCE-1341-7
CCE-2305-1
CCE-2310-1
The "Allow log on through Terminal Services (SeRemoteInteractiveLogonRight)" setting should be configured correctly.
The "Back up files and directories (SeBackupPrivilege)" setting should be configured correctly.
The "Bypass traverse checking (SeChangeNotifyPrivilege)" setting should be configured correctly.
The "Change the system time (SeSystemTimePrivilege)" setting should be configured correctly.
The "Change the time zone" setting should be configured correctly.
The "Create a pagefile (SeCreatePagefilePrivilege)" setting should be configured correctly.
The "Create a token object (SeCreateTokenPrivilege)" setting should be configured correctly.
The "Create global objects (SeCreateGlobalPrivilege)" setting should be configured correctly.
The "Create permanent shared objects" setting should be configured correctly.
The "Create symbolic links" setting should be configured correctly.
The "Debug programs (SeDebugPrivilege)" setting should be configured correctly.
CCE-2314-3
CCE-1834-1
CCE-2296-2
CCE-1944-8
CCE-2102-2
CCE-1481-1
CCE-1750-9
CCE-2129-5
CCE-1346-6
CCE-2306-9
The "Deny access to this computer from the network (SeDenyNetworkLogonRight)" setting should be configured correctly.
The "Deny log on as a batch job (SeDenyBatchLogonRight)" setting should be configured correctly.
The "Deny log on locally (SeDenyInteractiveLogonRight)" setting should be configured correctly.
The "Deny log on as a service (SeDenyServiceLogonRight)" setting should be configured correctly.
The "Deny log on through Terminal Services (SeDenyRemoteInteractiveLogonRight)" setting should be configured correctly.
The "Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)" setting should be configured correctly.
The "Force shutdown from a remote system (SeRemoteShutdownPrivilege)" setting should be configured correctly.
The "Generate security audits (SeAuditPrivilege)" setting should be configured correctly.
The "Impersonate a client after authentication" setting should be configured correctly.
The "Increase a process working set" setting should be configured correctly.
CCE-2328-3
CCE-1455-5
CCE-2332-5
CCE-1975-2
CCE-2270-7
CCE-1843-2
CCE-2142-8
CCE-2257-4
CCE-1383-9
CCE-2360-6
The "Increase scheduling priority (SeIncreaseBasePriorityPrivilege)" setting should be configured correctly.
The "Load and unload device drivers (SeLoadDriverPrivilege)" setting should be configured correctly.
The "Lock pages in memory (SeLockMemoryPrivilege)" setting should be configured correctly.
The "Log on as a batch job (SeBatchLogonRight)" setting should be configured correctly.
The "Log on as a service (SeServiceLogonRight)" setting should be configured correctly.
The "Manage auditing and security log (SeSecurityPrivilege)" setting should be configured correctly.
The "Modify an object label" setting should be configured correctly.
The "Modify firmware environment values (SeSystemEnvironmentPrivilege)" setting should be configured correctly.
The "Perform volume maintenance tasks (SeManageVolumePrivilege)" setting should be configured correctly.
The "Profile single process (SeProfileSingleProcessPrivilege)" setting should be configured correctly.
CCE-2113-9
CCE-2382-0
CCE-1527-1
CCE-2294-7
CCE-2078-4
CCE-2137-8 enabled/disabled
CCE-2506-4
CCE-2337-4 enabled/disabled
CCE-2342-4 enabled/disabled
CCE-2364-8 enabled/disabled
The "Profile system performance (SeSystemProfilePrivilege)" setting should be configured correctly.
The "Remove computer from docking station (SeUndockPrivilege)" setting should be configured correctly.
The "Replace a process level token (SeAssignPrimaryTokenPrivilege)" setting should be configured correctly.
The "Restore files and directories (SeRestorePrivilege)" setting should be configured correctly.
The "Shut down the system (SeShutdownPrivilege)" setting should be configured correctly.
The "Synchronize directory service data" setting should be configured correctly.
The "Take ownership of files or other objects (SeTakeOwnershipPrivilege)" setting should be configured correctly.
The "Accounts: Administrator account status" setting should be configured correctly.
The "Accounts: Guest account status" setting should be configured correctly.
The "Accounts: Limit local account use of blank passwords to console logon only" setting should be configured correctly.
CCE-2227-7 enabled/disabled
CCE-2372-1 enabled/disabled
CCE-1751-7 enabled/disabled
CCE-1773-1 enabled/disabled
CCE-2276-4 enabled/disabled
CCE-2315-0 enabled/disabled
CCE-2196-4 enabled/disabled
CCE-2201-2 enabled/disabled
CCE-2249-1 enabled/disabled
The "Accounts: Rename administrator account" setting should be configured correctly.
The "Accounts: Rename guest account" setting should be configured correctly.
The "Audit: Audit the access of global system objects" setting should be configured correctly.
The "Audit: Audit the use of Backup and Restore privilege" setting should be configured correctly.
The "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" setting should be configured correctly.
The "Audit: Shut down system immediately if unable to log security audits" setting should be configured correctly.
The "DCOM: Machine access restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly.
The "DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly.
The "Devices: Allow undock without having to log on" setting should be configured correctly.
CCE-2377-0 enabled/disabled
CCE-2152-7 enabled/disabled
CCE-1390-4 enabled/disabled
CCE-2383-8 enabled/disabled
CCE-2049-5 enabled/disabled
CCE-2317-6
CCE-1934-9 enabled/disabled
CCE-2203-8 enabled/disabled
CCE-1868-9 enabled/disabled
CCE-2362-2 enabled/disabled
The "Devices: Allowed to format and eject removable media" setting should be configured correctly.
The "Devices: Prevent users from installing printer drivers" setting should be configured correctly.
The "Devices: Restrict CD-ROM access to locally logged-on user only" setting should be configured correctly.
The "Devices: Restrict floppy access to locally logged-on user only" setting should be configured correctly.
The "Domain Controller: Allow server operators to schedule tasks" setting should be configured correctly.
The "Domain Controller: LDAP server signing requirements" setting should be configured correctly.
The "Domain Controller: Refuse machine account password changes" setting should be configured correctly.
The "Domain member: Digitally encrypt or sign secure channel data (always)" setting should be configured correctly.
The "Domain member: Digitally encrypt secure channel data (when possible)" setting should be configured correctly.
The "Domain member: Digitally sign secure channel data (when possible)" setting should be configured correctly.
CCE-2256-6
CCE-2278-0
CCE-1802-8 enabled/disabled
CCE-2199-8 enabled/disabled
CCE-2331-7 enabled/disabled
CCE-2225-1
CCE-2037-0
CCE-2297-0
CCE-2324-2 enabled/disabled
The "Domain member: Disable machine account password changes" setting should be configured correctly.
The "Domain member: Maximum machine account password age" setting should be configured correctly.
The "Domain member: Require strong (Windows 2000 or later) session key" setting should be configured correctly.
The "Interactive logon: Do not display last user name" setting should be configured correctly.
The "Interactive logon: Do not require CTRL+ALT+DEL" setting should be configured correctly.
The "Interactive logon: Message text for users attempting to log on" setting should be configured correctly.
The "Interactive logon: Message title for users attempting to log on" setting should be configured correctly.
The "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" setting should be configured correctly.
The "Interactive logon: Prompt user to change password before expiration" setting should be configured correctly.
CCE-2346-5 enabled/disabled
CCE-2223-6 enabled/disabled
CCE-1448-0
CCE-2356-4 enabled/disabled
CCE-2378-8 enabled/disabled
CCE-2272-3 enabled/disabled
CCE-2236-8
CCE-2381-2 enabled/disabled
CCE-2263-2 enabled/disabled
The "Interactive logon: Require Domain Controller authentication to unlock workstation" setting should be configured correctly.
The "Interactive logon: Require smart card" setting should be configured correctly.
The "Interactive logon: Smart card removal behavior" setting should be configured correctly.
The "Microsoft network client: Digitally sign communications (always)" setting should be configured correctly.
The "Microsoft network client: Digitally sign communications (if server agrees)" setting should be configured correctly.
The "Microsoft network client: Send unencrypted password to third-party SMB servers" setting should be configured correctly.
The "Microsoft network server: Amount of idle time required before suspending session" setting should be configured correctly.
The "Microsoft network server: Digitally sign communications (always)" setting should be configured correctly.
The "Microsoft network server: Digitally sign communications (if client agrees)" setting should be configured correctly.
CCE-2029-7 enabled/disabled
CCE-2307-7 enabled/disabled
CCE-1826-7 enabled/disabled
CCE-1967-9 enabled/disabled
CCE-1470-4 enabled/disabled
CCE-2241-8 enabled/disabled
CCE-2399-4
The "Microsoft network server: Disconnect clients when logon hours expire" setting should be configured correctly.
The "MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)" setting should be configured correctly.
The "MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)" setting should be configured correctly.
The "MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)" setting should be configured correctly.
The "MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes" setting should be configured correctly.
The "MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)" setting should be configured correctly.
The "MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds" setting should be configured correctly.
CCE-2404-2 enabled/disabled
CCE-2298-8 enabled/disabled
CCE-2320-0 enabled/disabled
CCE-2156-8 enabled/disabled
CCE-1800-2 enabled/disabled
CCE-2447-1 enabled/disabled
The "MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic." setting should be configured correctly.
The "MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended)" setting should be configured correctly.
The "MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers" setting should be configured correctly.
The "MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)" setting should be configured correctly.
The "MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)" setting should be configured correctly.
The "MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)" setting should be configured correctly.
CCE-2183-2
CCE-1460-5
CCE-2384-6 enabled/disabled
CCE-2424-0
CCE-2442-2
CCE-2318-4 enabled/disabled
CCE-1962-0 enabled/disabled
The "MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)" setting should be configured correctly.
The "MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)" setting should be configured correctly.
The "MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged" setting should be configured correctly.
The "MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)" setting should be configured correctly.
The "MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning" setting should be configured correctly.
The "Network access: Allow anonymous SID/Name translation" setting should be configured correctly.
The "Network access: Do not allow anonymous enumeration of SAM accounts" setting should be configured correctly.
CCE-2340-8 enabled/disabled
CCE-2111-3 enabled/disabled
CCE-1824-2 enabled/disabled
CCE-2089-1
CCE-1521-4
CCE-2357-2
CCE-2361-4 enabled/disabled
CCE-2507-2
CCE-2406-7
The "Network access: Do not allow anonymous enumeration of SAM accounts and shares" setting should be configured correctly.
The "Network access: Do not allow storage of credentials or .NET Passports for network authentication" setting should be configured correctly.
The "Network access: Let Everyone permissions apply to anonymous users" setting should be configured correctly.
The "Network access: Named Pipes that can be accessed anonymously" setting should be configured correctly.
The "Network access: Remotely accessible registry paths" setting should be configured correctly.
The "Network access: Remotely accessible registry paths and sub paths" setting should be configured correctly.
The "Network access: Restrict anonymous access to Named Pipes and Shares" setting should be configured correctly.
The "Network access: Shares that can be accessed anonymously" setting should be configured correctly.
The "Network access: Sharing and security model for local accounts" setting should be configured correctly.
CCE-2304-4 enabled/disabled
CCE-2432-3 enabled/disabled
CCE-2454-7
CCE-2327-5
CCE-1767-3 enabled/disabled
CCE-2410-9 enabled/disabled
CCE-2309-3 enabled/disabled
CCE-1553-7 enabled/disabled
CCE-2403-4 enabled/disabled
The "Network security: Do not store LAN Manager hash value on next password change" setting should be configured correctly.
The "Network security: Force logoff when logon hours expire" setting should be configured correctly.
The "Network security: LAN Manager authentication level" setting should be configured correctly.
The "Network security: LDAP client signing requirements" setting should be configured correctly.
The "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" setting should be configured correctly.
The "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" setting should be configured correctly.
The "Recovery console: Allow automatic administrative logon" setting should be configured correctly.
The "Recovery console: Allow floppy copy and access to all drives and all folders" setting should be configured correctly.
The "Shutdown: Allow system to be shut down without having to log on" setting should be configured correctly.
CCE-2416-6 enabled/disabled
CCE-2319-2 enabled/disabled
CCE-2261-6 enabled/disabled
CCE-2429-9 enabled/disabled
CCE-2451-3 enabled/disabled
CCE-1598-2
CCE-2421-6 enabled/disabled
CCE-2302-8
The "Shutdown: Clear virtual memory pagefile" setting should be configured correctly.
The "System cryptography: Force strong key protection for user keys stored on the computer" setting should be configured correctly.
The "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" setting should be configured correctly.
The "System objects: Require case insensitivity for non-Windows subsystems" setting should be configured correctly.
The "System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)" setting should be configured correctly.
The "System settings: Optional subsystems" setting should be configured correctly.
The "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies" setting should be configured correctly.
The "User Account Control: Admin Approval Mode for the Built-in Administrator account" setting should be configured correctly.
CCE-2434-9 enabled/disabled
CCE-2474-5
CCE-2355-6
CCE-2487-7 enabled/disabled
CCE-2509-8 enabled/disabled
CCE-2473-7 enabled/disabled
CCE-2478-6 enabled/disabled
The "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" setting should be configured correctly.
The "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" setting should be configured correctly.
The "User Account Control: Behavior of the elevation prompt for standard users" setting should be configured correctly.
The "User Account Control: Detect application installations and prompt for elevation" setting should be configured correctly.
The "User Account Control: Only elevate executables that are signed and validated" setting should be configured correctly.
The "User Account Control: Only elevate UIAccess applications that are installed in secure locations" setting should be configured correctly.
The "User Account Control: Run all administrators in Admin Approval Mode" setting should be configured correctly.
CCE-2500-7 enabled/disabled
CCE-2266-5 enabled/disabled
CCE-2539-5
CCE-2244-2
CCE-2262-4
CCE-1622-0 enabled/disabled
CCE-2189-9 enabled/disabled
CCE-2149-3 enabled/disabled
CCE-2541-1 enabled/disabled
CCE-2435-6 enabled/disabled
CCE-2581-7 enabled/disabled
CCE-1819-2
The "User Account Control: Switch to the secure desktop when prompting for elevation" setting should be configured correctly.
The "User Account Control: Virtualize file and registry write failures to per-user locations" setting should be configured correctly.
The "Maximum application log size" setting should be configured correctly.
The "Maximum security log size" setting should be configured correctly.
The "Maximum system log size" setting should be configured correctly.
The "Prevent local guests group from accessing application log" setting should be configured correctly.
The "Prevent local guests group from accessing system log" setting should be configured correctly.
The "Prevent local guests group from accessing security log" setting should be configured correctly.
The "Retain application log" setting should be configured correctly.
The "Retain security log" setting should be configured correctly.
The "Retain system log" setting should be configured correctly.
The "Retention method for application log" setting should be configured correctly.
CCE-1836-6
CCE-2607-0
CCE-2237-6 enabled/disabled
CCE-2200-4
CCE-1861-4
CCE-2240-0
CCE-2126-1 enabled/disabled
CCE-2289-7 enabled/disabled
CCE-1317-7
CCE-1872-1
CCE-2311-9
The "Retention method for security log" setting should be configured correctly.
The "Retention method for system log" setting should be configured correctly.
The "Enforce password history" setting should be configured correctly.
The "Maximum password age" setting should be configured correctly.
The "Minimum password age" setting should be configured correctly.
The "Minimum password length" setting should be configured correctly.
The "Password must meet complexity requirements" setting should be configured correctly.
The "Store passwords using reversible encryption" setting should be configured correctly.
The "Account lockout duration" setting should be configured correctly.
The "Account lockout threshold" setting should be configured correctly.
The "Reset account lockout counter after" setting should be configured correctly.
CCE Technical Mechanisms
(1) via auditpol
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit account logon events (2) Audit Policy security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit account management (2) Audit Policy security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit directory service access (2) Audit Policy security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit logon events (2) Audit Policy security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access (2) Audit Policy security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit policy change (2) Audit Policy security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit privilege use (2) Audit Policy security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit process tracking (2) Audit Policy security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit system events (2) Audit Policy security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit account logon events (2) Audit Policy security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit account management (2) Audit Policy security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit directory service access (2) Audit Policy security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit logon events (2) Audit Policy security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access (2) Audit Policy security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit policy change (2) Audit Policy security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit privilege use (2) Audit Policy security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit process tracking (2) Audit Policy security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit system events (2) Audit Policy security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Access Credential Manager as a trusted caller (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Access this computer from the network (SeNetworkLogonRight) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Act as part of the operating system (SeTcbPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Add workstations to domain (2)
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Adjust memory quotas for a process (SeIncreaseQuotaPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Allow log on locally (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Allow log on through Terminal Services (SeRemoteInteractiveLogonRight) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Back up files and directories (SeBackupPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Bypass traverse checking (SeChangeNotifyPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Change the system time (SeSystemTimePrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Change the time zone (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create a pagefile (SeCreatePagefilePrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create a token object (SeCreateTokenPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create global objects (SeCreateGlobalPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create permanent shared objects (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create symbolic links (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Debug programs (SeDebugPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny access to this computer from the network (SeDenyNetworkLogonRight) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny log on as a batch job (SeDenyBatchLogonRight) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny log on locally (SeDenyInteractiveLogonRight) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny log on as a service (SeDenyServiceLogonRight) (2)
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny log on through Terminal Services (SeDenyRemoteInteractiveLogonRight) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Force shutdown from a remote system (SeRemoteShutdownPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Generate security audits (SeAuditPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Impersonate a client after authentication (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Increase a process working set (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Increase scheduling priority (SeIncreaseBasePriorityPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Load and unload device drivers (SeLoadDriverPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Lock pages in memory (SeLockMemoryPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Log on as a batch job (SeBatchLogonRight) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Log on as a service (SeServiceLogonRight) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Manage auditing and security log (SeSecurityPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Modify an object label (2)
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Modify firmware environment values (SeSystemEnvironmentPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Perform volume maintenance tasks (SeManageVolumePrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Profile single process (SeProfileSingleProcessPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Profile system performance (SeSystemProfilePrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Remove computer from docking station (SeUndockPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Replace a process level token (SeAssignPrimaryTokenPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Restore files and directories (SeRestorePrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Shut down the system (SeShutdownPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Synchronize directory service data (2)
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Take ownership of files or other objects (SeTakeOwnershipPrivilege) (2) User Rights security settings are not registry keys
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Administrator account status (2) Not a Registry Key
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Guest account status (2) Not a Registry Key
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Limit local account use of blank passwords to console logon only (2) MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Rename administrator account (2) Not a Registry Key
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Rename guest account (2) Not a Registry Key
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Audit: Audit the access of global system objects (2) MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Audit: Audit the use of Backup and Restore privilege (2) MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (2) MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Audit: Shut down system immediately if unable to log security audits (2) MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/DCOM: Machine access restrictions in Security Descriptor Definition Language (SDDL) syntax (2)
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax (2)
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Allow undock without having to log on (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Allowed to format and eject removable media (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Prevent users from installing printer drivers (2) MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Restrict CD-ROM access to locally logged-on user only (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Restrict floppy access to locally logged-on user only (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: Allow server operators to schedule tasks (2)
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: LDAP server signing requirements (2)
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: Refuse machine account password changes (2)
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Digitally encrypt or sign secure channel data (always) (2) MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Digitally encrypt secure channel data (when possible) (2) MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Digitally sign secure channel data (when possible) (2) MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Disable machine account password changes (2) MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Maximum machine account password age (2) MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Require strong (Windows 2000 or later) session key (2) MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Do not display last user name (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Do not require CTRL+ALT+DEL (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Message text for users attempting to log on (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Message title for users attempting to log on (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Number of previous logons to cache (in case domain controller is not available) (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Prompt user to change password before expiration (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Require Domain Controller authentication to unlock workstation (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Require smart card (2)
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Smart card removal behavior (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network client: Digitally sign communications (always) (2) MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network client: Digitally sign communications (if server agrees) (2) MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network client: Send unencrypted password to third-party SMB servers (2) MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network server: Amount of idle time required before suspending session (2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network server: Digitally sign communications (always) (2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network server: Digitally sign communications (if client agrees) (2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network server: Disconnect clients when logon hours expire (2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) (2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) (2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes (2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) (2) MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds (2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. (2) MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended) (2) MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers (2) MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended) (2) MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) (2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) (2) MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) (2) MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) (2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged (2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) (2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning (2) MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Allow anonymous SID/Name translation (2) Not a Registry Key
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Do not allow anonymous enumeration of SAM accounts (2) MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Do not allow anonymous enumeration of SAM accounts and shares (2) MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Do not allow storage of credentials or .NET Passports for network authentication (2) MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Let Everyone permissions apply to anonymous users (2) MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Named Pipes that can be accessed anonymously (2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Remotely accessible registry paths (2) MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Remotely accessible registry paths and sub paths (2) MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Restrict anonymous access to Named Pipes and Shares (2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Shares that can be accessed anonymously (2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Sharing and security model for local accounts (2) MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: Do not store LAN Manager hash value on next password change (2) MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: Force logoff when logon hours expire (2) Not a Registry Key
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: LAN Manager authentication level (2) MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: LDAP client signing requirements (2) MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: Minimum session security for NTLM SSP based (including secure RPC) clients (2) MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: Minimum session security for NTLM SSP based (including secure RPC) servers (2) MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Recovery console: Allow automatic administrative logon (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Recovery console: Allow floppy copy and access to all drives and all folders (2) MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Shutdown: Allow system to be shut down without having to log on (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Shutdown: Clear virtual memory pagefile (2) MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System cryptography: Force strong key protection for user keys stored on the computer (2)
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing (2) MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System objects: Require case insensitivity for non-Windows subsystems (2) MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) (2) MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System settings: Optional subsystems (2)
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies (2)
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Admin Approval Mode for the Built-in Administrator account (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop (2)
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Behavior of the elevation prompt for standard users (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Detect application installations and prompt for elevation (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Only elevate executables that are signed and validated (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Only elevate UIAccess applications that are installed in secure locations (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Run all administrators in Admin Approval Mode (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Switch to the secure desktop when prompting for elevation (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
(1) Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Virtualize file and registry write failures to per-user locations (2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization
(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Maximum application log size (2) Event Log security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Maximum security log size (2) Event Log security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Maximum system log size (2) Event Log security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Prevent local guests group from accessing application log (2) Event Log security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Prevent local guests group from accessing system log (2) Event Log security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Prevent local guests group from accessing security log (2) Event Log security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Retain application log (2) Event Log security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Retain security log (2) Event Log security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Retain system log (2) Event Log security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Retention method for application log (2) Event Log security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Retention method for security log (2) Event Log security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Event Log//Retention method for system log (2) Event Log security settings are not registry keys.
(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)
(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)
(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)
(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)
(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)
(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)
(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy (Settings included in Domain Policies)
(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy (Settings included in Domain Policies)
(1) Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy (Settings included in Domain Policies)
Windows Server® 2008 Security Guide Spreadsheet (Windows Server 2008 Security Guide Settings.xls)
System / Security System Extension
System / System Integrity
System / IPsec Driver
System / Other System Events
System / Security State Change
Logon/Logoff / Logon
Logon/Logoff / Logoff
Logon/Logoff / Account Lockout
Logon/Logoff / IPsec Main Mode
Logon/Logoff / Network Policy Server
Logon/Logoff / IPsec Quick Mode
Logon/Logoff / IPsec Extended Mode
Logon/Logoff / Special Logon
Logon/Logoff / Other Logon/Logoff Events
Object Access / File System
Object Access / Registry
Object Access / Kernel Object
Object Access / SAM
Object Access / Certification Services
Object Access / Application Generated
Object Access / Handle Manipulation
Object Access / File Share
Object Access / Filtering Platform Packet Drop
Object Access / Filtering Platform Connection
Object Access / Other Object Access Events
Privilege Use / Sensitive Privilege Use
Privilege Use / Non Sensitive Privilege Use
Privilege Use / Other Privilege Use Events
Detailed Tracking / Process Termination
Detailed Tracking / DPAPI Activity
Detailed Tracking / RPC Events
Detailed Tracking / Process Creation
Policy Change / Audit Policy Change
Policy Change / Authentication Policy Change
Policy Change / Authorization Policy Change
Policy Change / MPSSVC Rule-Level Policy Change
Policy Change / Filtering Platform Policy Change
Policy Change / Other Policy Change Events
Account Management / User Account Management
Account Management / Computer Account Management
Account Management / Security Group Management
Account Management / Distribution Group Management
Account Management / Application Group Management
Account Management / Other Account Management Events
DS Access / Directory Service Access
DS Access / Directory Service Changes
DS Access / Directory Service Replication
DS Access / Detailed Directory Service Replication
Account Logon / Kerberos Authentication Service
Account Logon / Credential Validation
Account Logon / Kerberos Service Ticket Operations
Account Logon / Other Account Logon Events
System / Security System Extension
System / System Integrity
System / IPsec Driver
System / Other System Events
System / Security State Change
Logon/Logoff / Network Policy Server
Logon/Logoff / Logon
Logon/Logoff / Logoff
Logon/Logoff / Account Lockout
Logon/Logoff / IPsec Main Mode
Logon/Logoff / IPsec Quick Mode
Logon/Logoff / IPsec Extended Mode
Logon/Logoff / Special Logon
Logon/Logoff / Other Logon/Logoff Events
Object Access / File System
Object Access / Registry
Object Access / Kernel Object
Object Access / SAM
Object Access / Certification Services
Object Access / Application Generated
Object Access / Handle Manipulation
Object Access / File Share
Object Access / Filtering Platform Packet Drop
Object Access / Filtering Platform Connection
Object Access / Other Object Access Events
Privilege Use / Sensitive Privilege Use
Privilege Use / Non Sensitive Privilege Use
Privilege Use / Other Privilege Use Events
Detailed Tracking / Process Termination
Detailed Tracking / DPAPI Activity
Detailed Tracking / RPC Events
Detailed Tracking / Process Creation
Policy Change / Audit Policy Change
Policy Change / Authentication Policy Change
Policy Change / Authorization Policy Change
Policy Change / MPSSVC Rule-Level Policy Change
Policy Change / Filtering Platform Policy Change
Policy Change / Other Policy Change Events
Account Management / User Account Management
Account Management / Computer Account Management
Account Management / Security Group Management
Account Management / Distribution Group Management
Account Management / Application Group Management
Account Management / Other Account Management Events
DS Access / Directory Service Access
DS Access / Directory Service Changes
DS Access / Directory Service Replication
DS Access / Detailed Directory Service Replication
Account Logon / Kerberos Authentication Service
Account Logon / Credential Validation
Account Logon / Kerberos Service Ticket Operations
Account Logon / Other Account Logon Events
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit account logon events
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit account management
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit directory service access
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit logon events
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit policy change
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit privilege use
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit process tracking
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit system events
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit account logon events
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit account management
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit directory service access
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit logon events
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit policy change
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit privilege use
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit process tracking
Computer Configuration/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit system events
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Access credential Manager as a trusted caller
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Access this computer from the network (SeNetworkLogonRight)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Act as part of the operating system (SeTcbPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Add workstations to domain
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Allow log on locally
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Allow log on through Terminal Services (SeRemoteInteractiveLogonRight)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Back up files and directories (SeBackupPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Bypass traverse checking (SeChangeNotifyPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Change the system time (SeSystemTimePrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Change the time zone
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create a pagefile (SeCreatePagefilePrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create a token object (SeCreateTokenPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create global objects (SeCreateGlobalPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create permanent shared objects
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Create symbolic links
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Debug programs (SeDebugPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny access to this computer from the network (SeDenyNetworkLogonRight)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny log on as a batch job (SeDenyBatchLogonRight)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny log on locally (SeDenyInteractiveLogonRight)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny log on as a service (SeDenyServiceLogonRight)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Deny log on through Terminal Services (SeDenyRemoteInteractiveLogonRight)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Force shutdown from a remote system (SeRemoteShutdownPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Generate security audits (SeAuditPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Impersonate a client after authentication
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Increase a process working set
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Increase scheduling priority (SeIncreaseBasePriorityPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Load and unload device drivers (SeLoadDriverPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Lock pages in memory (SeLockMemoryPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Log on as a batch job (SeBatchLogonRight)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Log on as a service (SeServiceLogonRight)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Manage auditing and security log (SeSecurityPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Modify an object label
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Modify firmware environment values (SeSystemEnvironmentPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Perform volume maintenance tasks (SeManageVolumePrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Profile single process (SeProfileSingleProcessPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Profile system performance (SeSystemProfilePrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Remove computer from docking station (SeUndockPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Replace a process level token (SeAssignPrimaryTokenPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Restore files and directories (SeRestorePrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Shut down the system (SeShutdownPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Synchronize directory service data
Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Take ownership of files or other objects (SeTakeOwnershipPrivilege)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Administrator account status
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Guest account status
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Limit local account use of blank passwords to console logon only
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Rename administrator account
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Accounts: Rename guest account
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Audit: Audit the access of global system objects
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Audit: Audit the use of Backup and Restore privilege
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Audit: Shut down system immediately if unable to log security audits
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/DCOM: Machine access restrictions in Security Descriptor Definition Language (SDDL) syntax
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Allow undock without having to log on
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Allowed to format and eject removable media
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Prevent users from installing printer drivers
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Restrict CD-ROM access to locally logged-on user only
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Devices: Restrict floppy access to locally logged-on user only
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: Allow server operators to schedule tasks
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: LDAP server signing requirements
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain Controller: Refuse machine account password changes
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Digitally encrypt or sign secure channel data (always)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Digitally encrypt secure channel data (when possible)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Digitally sign secure channel data (when possible)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Disable machine account password changes
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Maximum machine account password age
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Domain member: Require strong (Windows 2000 or later) session key
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Do not display last user name
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Do not require CTRL+ALT+DEL
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Message text for users attempting to log on
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Message title for users attempting to log on
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Prompt user to change password before expiration
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Require Domain Controller authentication to unlock workstation
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Require smart card
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Interactive logon: Smart card removal behavior
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network client: Digitally sign communications (always)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network client: Digitally sign communications (if server agrees)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network client: Send unencrypted password to third-party SMB servers
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network server: Amount of idle time required before suspending session
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network server: Digitally sign communications (always)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network server: Digitally sign communications (if client agrees)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Microsoft network server: Disconnect clients when logon hours expire
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames (recommended)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Allow anonymous SID/Name translation
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Do not allow anonymous enumeration of SAM accounts
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Do not allow anonymous enumeration of SAM accounts and shares
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Do not allow storage of credentials or .NET Passports for network authentication
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Let Everyone permissions apply to anonymous users
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Named Pipes that can be accessed anonymously
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Remotely accessible registry paths
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Remotely accessible registry paths and sub paths
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Restrict anonymous access to Named Pipes and Shares
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Shares that can be accessed anonymously
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network access: Sharing and security model for local accounts
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: Do not store LAN Manager hash value on next password change
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: Force logoff when logon hours expire
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: LAN Manager authentication level
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: LDAP client signing requirements
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Recovery console: Allow automatic administrative logon
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Recovery console: Allow floppy copy and access to all drives and all folders
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Shutdown: Allow system to be shut down without having to log on
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/Shutdown: Clear virtual memory pagefile
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System cryptography: Force strong key protection for user keys stored on the computer
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System objects: Require case insensitivity for non-Windows subsystems
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System settings: Optional subsystems
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Admin Approval Mode for the Built-in Administrator account
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Behavior of the elevation prompt for standard users
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Detect application installations and prompt for elevation
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Only elevate executables that are signed and validated
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Only elevate UIAccess applications that are installed in secure locations
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Run all administrators in Admin Approval Mode
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Switch to the secure desktop when prompting for elevation
Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options/User Account Control: Virtualize file and registry write failures to per-user locations
Computer Configuration/Windows Settings/Security Settings/Event Log//Maximum application log size
Computer Configuration/Windows Settings/Security Settings/Event Log//Maximum security log size
Computer Configuration/Windows Settings/Security Settings/Event Log//Maximum system log size
Computer Configuration/Windows Settings/Security Settings/Event Log//Prevent local guests group from accessing application log
Computer Configuration/Windows Settings/Security Settings/Event Log//Prevent local guests group from accessing system log
Computer Configuration/Windows Settings/Security Settings/Event Log//Prevent local guests group from accessing security log
Computer Configuration/Windows Settings/Security Settings/Event Log//Retain application log
Computer Configuration/Windows Settings/Security Settings/Event Log//Retain security log
Computer Configuration/Windows Settings/Security Settings/Event Log//Retain system log
Computer Configuration/Windows Settings/Security Settings/Event Log//Retention method for application log
Computer Configuration/Windows Settings/Security Settings/Event Log//Retention method for security log
Computer Configuration/Windows Settings/Security Settings/Event Log//Retention method for system log
GPO Settings: Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)
GPO Settings: Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)
GPO Settings: Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)
GPO Settings: Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)
GPO Settings: Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)
GPO Settings: Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy (Settings included in Domain Policies)
GPO Settings: Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy (Settings included in Domain Policies)
GPO Settings: Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy (Settings included in Domain Policies)
GPO Settings: Computer Configuration/Windows Settings/Security Settings/Account Policies/Account Lockout Policy (Settings included in Domain Policies)
CCE-3858-8 CCE-25
CCE-3748-1 CCE-899
CCE-3770-5 CCE-727
CCE-3809-1 CCE-24
CCE-3869-5 CCE-570
CCE-3785-3 CCE-204
CCE-3807-5 CCE-411
CCE-2879-5 CCE-816
CCE-3344-9 CCE-746
The required auditing for %SystemDrive% directory should be enabled.
(1) set of accounts (2) events to audit (3) applicability
The required auditing for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be enabled.
(1) set of accounts (2) events to audit (3) applicability
The required auditing for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be enabled.
(1) set of accounts (2) events to audit (3) applicability
The required permissions for the directory %ProgramFiles% should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %ProgramFiles%\Resource Kit should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %ProgramFiles%\Resource Pro Kit should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive% should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\AUTOEXEC.BAT should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\BOOT.INI should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-3864-6 CCE-987
CCE-3080-9 CCE-419
CCE-3873-7 CCE-120
CCE-3419-9 CCE-181
CCE-3763-0 CCE-868
CCE-3657-4 CCE-776
CCE-3697-0 CCE-714
CCE-3789-5 CCE-540
CCE-3560-0 CCE-602
The required permissions for the file %SystemDrive%\CONFIG.SYS should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\Documents and Settings should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive%\Documents and Settings\Administrator should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive%\Documents and Settings\All Users should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson\drwtsn32.log should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive%\Documents and Settings\Default User should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\IO.SYS should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\MSDOS.SYS should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-3335-7 CCE-399
CCE-3749-9 CCE-192
CCE-3771-3 CCE-561
CCE-2895-1 CCE-755
CCE-3686-3 CCE-341
CCE-3083-3 CCE-971
CCE-3105-4 CCE-645
CCE-3876-0 CCE-579
CCE-3519-6 CCE-505
CCE-3197-1 CCE-640
The required permissions for the file %SystemDrive%\NTBOOTDD.SYS should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\NTDETECT.COM should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\NTLDR should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive%\Temp should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive%\My Download Files should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\System Volume Information should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot% should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Driver Cache\I386\Driver.cab should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\$NtServicePackUninstall$ should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\$NtServicePackUninstall$ should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-3342-3 CCE-328
CCE-3505-5 CCE-134
CCE-3791-1 CCE-293
CCE-3192-2 CCE-94
CCE-3836-4 CCE-795
CCE-3091-6 CCE-248
CCE-3862-0 CCE-398
CCE-3867-9 CCE-155
CCE-3404-1 CCE-873
CCE-3052-8 CCE-67
CCE-3879-4 CCE-979
The required permissions for any of the %SystemRoot%\$NtUninstall* directories should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\CSC should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Debug should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Debug\UserMode should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\regedit.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive%\NTDS should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Offline Web Pages should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Registration should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\repair should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\SYSVOL should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-3544-4 CCE-701
CCE-3408-2 CCE-380
CCE-3800-0 CCE-45
CCE-3571-7 CCE-600
CCE-3712-7 CCE-393
CCE-3716-8 CCE-197
CCE-3734-1 CCE-765
CCE-3641-8 CCE-334
CCE-3540-2 CCE-350
CCE-3831-5 CCE-361
The required permissions for the directory %SystemRoot%\SYSVOL\domain\Policies should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Temp should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\arp.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\at.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\CONFIG should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\CONFIG\AppEvent.evt should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\CONFIG\*.evt should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\dllcache should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\DTCLog should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-3745-7 CCE-789
CCE-3890-1 CCE-894
CCE-3784-6 CCE-821
CCE-3793-7 CCE-486
CCE-3815-8 CCE-997
CCE-3824-0 CCE-865
CCE-3595-6 CCE-89
CCE-3516-2 CCE-274
CCE-3520-4 CCE-353
CCE-3776-2 CCE-922
The required permissions for the directory %SystemRoot%\System32\GroupPolicy should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\ias should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Ntbackup.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\NTMSData should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Rcp.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Regedt32.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\system32\ReinstallBackups should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Rexec.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Rsh.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Secedit.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-3670-7 CCE-587
CCE-3340-7 CCE-326
CCE-3780-4 CCE-357
CCE-3423-1 CCE-291
CCE-3802-6 CCE-692
CCE-3079-1 CCE-322
CCE-3727-5 CCE-864
CCE-3493-4 CCE-364
CCE-3872-9 CCE-46
The required permissions for the directory %SystemRoot%\System32\Setup should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\repl should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\repl\export should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\repl\import should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\spool\Printers should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Tasks should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %ALL%\Program Files\MQSeries should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %ALL%\Program Files\MQSeries\qmggr should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\HTML Help ACL should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-3656-6 CCE-447
CCE-2929-8 CCE-760
CCE-3308-4 CCE-279
CCE-3723-4 CCE-843
CCE-3868-7 CCE-253
CCE-3563-4 CCE-394
CCE-3691-3 CCE-240
CCE-3735-8 CCE-618
The required permissions for the directory %SystemDrive%\WINNT\SECURITY\Database\SECEDIT.SDB ACL should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_CLASSES_ROOT should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Regfile\Shell\Open\Command should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDE should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-3242-5 CCE-19
CCE-3374-6 CCE-790
CCE-3167-4 CCE-268
CCE-3533-7 CCE-321
CCE-2897-7 CCE-135
CCE-3839-8 CCE-558
CCE-3865-3 CCE-867
CCE-3513-9 CCE-545
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\clone should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset001 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset002 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-3896-8 CCE-289
CCE-3838-0 CCE-465
CCE-3750-7 CCE-254
CCE-3384-5 CCE-606
CCE-3680-6 CCE-694
CCE-3816-6 CCE-500
CCE-3318-3 CCE-809
CCE-3882-8 CCE-99
CCE-3521-2 CCE-934
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset003 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset004 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset005 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset006 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset007 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset008 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset009 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\controlset010 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-2932-2 CCE-53
CCE-3651-7 CCE-269
CCE-3210-2 CCE-960
CCE-3466-0 CCE-330
CCE-2978-5 CCE-594
CCE-3957-8 CCE-127
CCE-3961-0 CCE-483
CCE-3732-5 CCE-796
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wmi\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers should
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities should
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_USERS\.DEFAULT should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\NetDDE should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\Protected Storage System Provider should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-3737-4 CCE-845
CCE-3503-0 CCE-898 (1) set of accounts
CCE-3917-2 CCE-532 (1) set of accounts
CCE-3736-6 CCE-162 (1) set of accounts
CCE-3393-6 CCE-931 (1) set of accounts
CCE-3653-3 CCE-376 (1) set of accounts
CCE-3296-1 CCE-799 (1) set of accounts
CCE-3943-8 CCE-895 (1) set of accounts
CCE-3860-4 CCE-926 (1) set of accounts
CCE-3767-1 CCE-335 (1) set of accounts
CCE-3772-1 CCE-842 (1) set of accounts
The required permissions for the registry key HKEY_CLASSES_ROOT should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The "deny access to this computer from the network" user right should be assigned to the correct accounts.
The "access this computer from the network" user right should be assigned to the correct accounts.
The "act as part of the operating system" user right should be assigned to the correct accounts.
The "back up files and directories" user right should be assigned to the correct accounts.
The "bypass traverse checking" user right should be assigned to the correct accounts.
The "change the system time" user right should be assigned to the correct accounts.
The "create a pagefile" user right should be assigned to the correct accounts.
The "Create a token object" user right should be assigned to the correct accounts.
The "create permanent shared objects" user right should be assigned to the correct accounts.
The "debug programs" user right should be assigned to the correct accounts.
CCE-3904-0 CCE-754 (1) set of accounts
CCE-3811-7 CCE-939 (1) set of accounts
CCE-3688-9 CCE-807 (1) set of accounts
CCE-3630-1 CCE-349 (1) set of accounts
CCE-3798-6 CCE-860 (1) set of accounts
CCE-3317-5 CCE-749 (1) set of accounts
CCE-3965-1 CCE-177 (1) set of accounts
CCE-3877-8 CCE-216 (1) set of accounts
CCE-3238-3 CCE-965 (1) set of accounts
CCE-3507-1 CCE-850 (1) set of accounts
CCE-3903-2 CCE-17 (1) set of accounts
CCE-3926-3 CCE-260 (1) set of accounts
The "force shutdown from a remote system" user right should be assigned to the correct accounts.
The "generate security audits" user right should be assigned to the correct accounts.
The "adjust memory quotas for a process" user right should be assigned to the correct accounts.
The "increase scheduling priority" user right should be assigned to the correct accounts.
The "load and unload device drivers" user right should be assigned to the correct accounts.
The "lock pages in memory" user right should be assigned to the correct accounts.
The "log on as a batch job" user right should be assigned to the correct accounts.
The "log on as a service" user right should be assigned to the correct accounts.
The "log on locally" user right should be assigned to the correct accounts.
The "manage auditing and security log" user right should be assigned to the correct accounts.
The "modify firmware environment values" user right should be assigned to the correct accounts.
The "profile single process" user right should be assigned to the correct accounts.
CCE-3445-4 CCE-599 (1) set of accounts
CCE-3829-9 CCE-656 (1) set of accounts
CCE-3970-1 CCE-667 (1) set of accounts
CCE-3912-3 CCE-553 (1) set of accounts
CCE-3934-7 CCE-839 (1) set of accounts
CCE-3471-0 CCE-492 (1) set of accounts
CCE-3850-5 CCE-381 (1) set of accounts
CCE-3489-2 CCE-64 (1) set of accounts
CCE-3282-1 CCE-15 (1) set of accounts
CCE-3542-8 CCE-183 (1) set of accounts
CCE-3687-1 CCE-733
The "profile system performance" user right should be assigned to the correct accounts.
The "remove computer from docking station" user right should be assigned to the correct accounts.
The "replace a process-level token" user right should be assigned to the correct accounts.
The "restore files and directories" user right should be assigned to the correct accounts.
The "shut down the system" user right should be assigned to the correct accounts.
The "take ownership of files or other objects" user right should be assigned to the correct accounts.
The "synchronize directory service data" user right should be assigned to the correct accounts.
The "deny logon locally" user right should be assigned to the correct accounts.
The "enable computer and user accounts to be trusted for delegation" user right should be assigned to the correct accounts.
The "add workstations to domain" user right should be assigned to the correct accounts.
The "reset account lockout counter after" policy should meet minimum requirements.
(1) number of minutes
CCE-3960-2 CCE-980
CCE-3229-2 CCE-658
CCE-3859-6 CCE-2628 enabled/disabled
CCE-3881-0 CCE-2543 enabled/disabled
CCE-3753-1 CCE-2000 enabled/disabled
CCE-3885-1 CCE-1646 enabled/disabled
CCE-3907-3 CCE-1686 enabled/disabled
CCE-3678-0 CCE-1744 enabled/disabled
CCE-3313-4 CCE-2640 enabled/disabled
CCE-3846-3 CCE-1991 enabled/disabled
CCE-3366-2 CCE-2412 enabled/disabled
The "account lockout duration" policy should meet minimum requirements.
(1) number of minutes
The "account lockout threshold" policy should meet minimum requirements.
(1) number of attempts
Auditing of "account logon" events on success should be enabled or disabled as appropriate.
Auditing of "account logon" events on failure should be enabled or disabled as appropriate.
Auditing of "account management" events on success should be enabled or disabled as appropriate.
Auditing of "account management" events on failure should be enabled or disabled as appropriate.
Auditing of "logon" events on success should be enabled or disabled as appropriate.
Auditing of "logon" events on failure should be enabled or disabled as appropriate.
Auditing of "object access" events on success should be enabled or disabled as appropriate.
Auditing of "object access" events on failure should be enabled or disabled as appropriate.
Auditing of "policy change" events on success should be enabled or disabled as appropriate.
CCE-2995-9 CCE-2347 enabled/disabled
CCE-3779-6 CCE-2431 enabled/disabled
CCE-3925-5 CCE-2584 enabled/disabled
CCE-3215-1 CCE-2529 enabled/disabled
CCE-3911-5 CCE-2617 enabled/disabled
CCE-3792-9 CCE-2420 enabled/disabled
CCE-3937-0 CCE-1680 enabled/disabled
CCE-3959-4 CCE-396 (1) enabled/disabled
CCE-3470-2 CCE-916 (1) enabled/disabled
CCE-3880-2 CCE-299 (1) enabled/disabled
CCE-3775-4 CCE-185 (1) size of file
Auditing of "policy change" events on failure should be enabled or disabled as appropriate.
Auditing of "privilege use" events on success should be enabled or disabled as appropriate.
Auditing of "privilege use" events on failure should be enabled or disabled as appropriate.
Auditing of "process tracking" events on success should be enabled or disabled as appropriate.
Auditing of "process tracking" events on failure should be enabled or disabled as appropriate.
Auditing of "system" events on success should be enabled or disabled as appropriate.
Auditing of "system" events on failure should be enabled or disabled as appropriate.
The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.
The "Decoy Admin Account Not Disabled" policy should be set correctly.
The "restrict guest access to application log" policy should be set correctly.
The application log maximum size should be configured correctly.
CCE-3797-8 CCE-285 type of retention
CCE-3444-7 CCE-951 (1) number of days
CCE-3964-4 CCE-462 (1) enabled/disabled
CCE-3096-5 CCE-757 (1) size of file
CCE-3589-9 CCE-523 type of retention
CCE-3968-5 CCE-682 (1) number of days
CCE-3990-9 CCE-726 (1) enabled/disabled
CCE-3889-3 CCE-735 (1) size of file
CCE-3805-9 CCE-664 type of retention
The "when maximum log size is reached" property should be set correctly for the Application log.
If the Application log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.
The "restrict guest access to security log" policy should be set correctly.
The security log maximum size should be configured correctly.
The "when maximum log size is reached" property should be set correctly for the Security log.
If the Security log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.
The "restrict guest access to system log" policy should be set correctly.
The system log maximum size should be configured correctly.
The "when maximum log size is reached" property should be set correctly for the System log.
CCE-3823-2 CCE-210 (1) number of days
CCE-3827-3 CCE-871 (1) number of days
CCE-3224-3 CCE-324 (1) number of days
CCE-3228-4 CCE-100 (1) number of days
CCE-3986-7 CCE-514
CCE-3042-9 CCE-633 (1) enabled/disabled
CCE-3588-1 CCE-60
CCE-3852-1 CCE-479 (1) enabled/disabled
CCE-3372-0 CCE-487
CCE-3892-7 CCE-954
CCE-4041-0 CCE-294
If the System log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.
The "maximum password age" policy should meet minimum requirements.
The "minimum password age" policy should meet minimum requirements.
The "minimum password length" policy should meet minimum requirements.
The correct password filtering DLL should be installed.
(1) file name (2) version (3) file size (4) file hash
The "password must meet complexity requirements" policy should be set correctly.
The "enforce password history" policy should meet minimum requirements.
(1) number of passwords remembered
The "store password using reversible encryption for all users in the domain" policy should be set correctly.
The startup type of the Alerter service should be correct.
(1) disabled/manual/automatic
The startup type of the ClipBook service should be correct.
(1) disabled/manual/automatic
The startup type of the Computer Browser service should be correct.
(1) disabled/manual/automatic
CCE-3059-3 CCE-78
CCE-3830-7 CCE-712
CCE-3835-6 CCE-311
CCE-3738-2 CCE-729
CCE-4035-2 CCE-232
CCE-3554-3 CCE-672
CCE-3572-5 CCE-73
CCE-3973-5 CCE-223
CCE-3995-8 CCE-522
CCE-3515-4 CCE-531
The startup type of the Fax service should be correct.
(1) disabled/manual/automatic
The startup type of the FTP Publishing service should be correct.
(1) disabled/manual/automatic
The startup type of the IIS Admin service should be correct.
(1) disabled/manual/automatic
The startup type of the Messenger service should be correct.
(1) disabled/manual/automatic
The startup type of the NetMeeting Remote Desktop Sharing service should be correct.
(1) disabled/manual/automatic
The startup type of the Internet Connection Sharing service should be correct.
(1) disabled/manual/automatic
The startup type of the Remote Registry service should be correct.
(1) disabled/manual/automatic
The startup type of the Routing and Remote Access service should be correct.
(1) disabled/manual/automatic
The startup type of the Remote Shell service should be correct.
(1) disabled/manual/automatic
The startup type of the Simple TCP/IP service should be correct.
(1) disabled/manual/automatic
CCE-3643-4 CCE-870
CCE-3524-6 CCE-975
CCE-3819-0 CCE-892
CCE-3951-1 CCE-75
CCE-3722-6 CCE-758
CCE-3634-3 CCE-559
CCE-3721-8 CCE-445
CCE-3069-2 CCE-115
CCE-3898-4 CCE-109
CCE-3418-1 CCE-407
CCE-3938-8 CCE-310 (1) enabled/disabled
The startup type of the Simple Mail Transport Protocol (SMTP) service should be correct.
(1) disabled/manual/automatic
The startup type of the SNMP Service service should be correct.
(1) disabled/manual/automatic
The startup type of the SNMP Trap Service service should be correct.
(1) disabled/manual/automatic
The startup type of the Telnet service should be correct.
(1) disabled/manual/automatic
The startup type of the World Wide Web Publishing service should be correct.
(1) disabled/manual/automatic
The startup type of the Automatic Update service should be correct.
(1) disabled/manual/automatic
The startup type of the Background Intelligent Transfer Service (BITS) service should be correct.
(1) disabled/manual/automatic
The startup type of the Print Services for Unix service should be correct.
(1) disabled/manual/automatic
The correct service permissions for the Printer service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Task Scheduler service should be assigned.
(1) set of accounts (2) list of permissions
The "Additional restrictions for anonymous connections" policy should be set correctly.
CCE-3837-2 CCE-195
CCE-3982-6 CCE-653
CCE-4004-8 CCE-464 (1) enabled/disabled
CCE-3766-3 CCE-332 (1) enabled/disabled
CCE-3669-9 CCE-23 (1) text caption
CCE-4012-1 CCE-829 (1) text statement
CCE-3893-5 CCE-512 (1) allowed/removed
CCE-4039-4 CCE-243 (1) enabled/disabled
CCE-3559-2 CCE-283 (1) enabled/disabled
CCE-4061-8 CCE-137 (1) enabled/disabled
CCE-3726-7 CCE-44 (1) enabled/disabled
CCE-3871-1 CCE-36 (1) enabled/disabled
The behavior surrounding Anonymous users' ability to display lists of SAM accounts and shares should be correct.
(1) restricted/unrestricted
The "Anonymous access to the security event log" policy should be set correctly.
(1) exist/not exist (2) enabled/disabled
The "Anonymous access to the registry" policy should be set correctly.
Use of the built-in Guest account should be enabled or disabled as appropriate.
The "Message title for users attempting to log on" policy should be set correctly.
The "Message text for users attempting to log on" policy should be set correctly.
Administrative Shares should be properly configured.
Automatic Execution of the System Debugger should be properly configured.
Automatic Logon should be properly configured.
Automatic Reboot After System Crash should be properly configured.
Autoplay on all Drive Types should be properly configured.
Autoplay for Current User should be properly configured.
CCE-3528-7 CCE-820 (1) enabled/disabled
CCE-3555-0 CCE-344 (1) enabled/disabled
CCE-3682-2 CCE-282 (1) enabled/ignored
CCE-3704-4 CCE-150 (1) enabled/ignored
CCE-3915-6 CCE-564 (1) enabled/disabled
CCE-4065-9 CCE-952 (1) enabled/disabled
CCE-3942-0 CCE-501 (1) enabled/disabled
CCE-3981-8 CCE-536 (1) enabled/disabled
CCE-3646-7 CCE-65 (1) enabled/disabled
CCE-3920-6 CCE-544 (1) enabled/disabled
CCE-3095-7 CCE-580 (1) enabled/disabled
CCE-3972-7 CCE-236 (1) visible/invisible
Autoplay for Default User should be properly configured.
CD-ROM Autorun should be properly configured.
Computer Browser ResetBrowser Frames should be properly configured.
ICMP Redirects should be properly configured.
IP Source Routing should be properly configured.
IRDP should be properly configured.
Kerberos and RSVP Traffic Protected by IPSec should be properly configured.
Dr. Watson Crash Dumps should be properly configured.
Display Last User Name in Logon Screen should be properly configured.
File System Checker and Popups should be properly configured.
System File Checker should be properly configured.
System File Checker Progress Meter should be properly configured.
CCE-3620-2 CCE-139 (1) available/hidden
CCE-3884-4 CCE-897 (1) enabled/disabled
CCE-3600-4 CCE-188
CCE-3878-6 CCE-333
CCE-4027-9 CCE-751
CCE-3922-2 CCE-817 (1) enabled/disabled
CCE-3939-6 CCE-998 (1) enabled/disabled
CCE-4085-7 CCE-284 (1) enabled/disabled
CCE-3948-7 CCE-112 (1) security level
CCE-3966-9 CCE-125 (1) warning level
CCE-4010-5 CCE-156 (1) enabled/disabled
CCE-3900-8 CCE-601 (1) enabled/disabled
System availability to Master Browser should be properly configured.
TCP/IP Dead Gateway Detection should be properly configured.
The TCP/IP KeepAlive Time should be set correctly.
(1) number of milliseconds
The permitted number of TCP/IP Maximum Half-open Sockets should be set correctly.
(1) number of sockets
The permitted number of TCP/IP Maximum Retried Half-open Sockets should be set correctly.
(1) number of sockets
TCP/IP NetBIOS Name Release on Request Prevented should be properly configured.
TCP/IP PMTU Discovery should be properly configured.
TCP/IP SYN Flood Attack Protection should be properly configured.
Protect Kernel object attributes should be properly configured.
Security Audit log warning level should be properly configured.
Disable saving of dial-up passwords should be properly configured.
The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.
CCE-4063-4 CCE-614 (1) enabled/disabled
CCE-4005-5 CCE-257 (1) enabled/disabled
CCE-3899-2 CCE-438 (1) valid names
CCE-4045-1 CCE-834 (1) valid names
CCE-3921-4 CCE-222
CCE-4049-3 CCE-2 (1) enabled/disabled
CCE-3476-9 CCE-905 (1) enabled/disabled
CCE-3886-9 CCE-133 (1) enabled/disabled
CCE-4014-7 CCE-719
CCE-3908-1 CCE-275
CCE-3675-6 CCE-402 (1) enabled/disabled
The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.
The "Allow Server Operators to Schedule Tasks" policy should be set correctly.
The built-in Administrator account should be correctly named.
The built-in Guest account should be correctly named.
The amount of idle time required before disconnecting a session should be set correctly.
(1) number of minutes
The "Audit the access of global system objects" policy should be set correctly.
The "Audit the use of backup and restore privilege" policy should be set correctly.
The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly.
The "LAN Manager Authentication Level" policy should be set correctly.
(1) authentication level
The "Send LanMan compatible password" setting should be configured correctly.
The "Prevent Users from Installing Printer Drivers" policy should be set correctly.
CCE-4067-5 CCE-410 (1) enabled/disabled
CCE-3463-7 CCE-76 (1) enabled/disabled
CCE-3529-5 CCE-565 (1) enabled/disabled
CCE-3185-6 CCE-463 (1) enabled/disabled
CCE-3956-0 CCE-508 (1) enabled/disabled
CCE-3978-4 CCE-417 (1) enabled/disabled
CCE-3392-8 CCE-228 (1) enabled/disabled
CCE-3648-3 CCE-413 (1) behavior
CCE-3401-7 CCE-307 (1) behavior
CCE-3098-1 CCE-814
The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly.
The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly.
The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly.
The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly.
The "Strengthen Default Permissions of Global System Objects" policy should be set correctly.
The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly.
The "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly.
The "Unsigned Driver Installation Behavior" policy should be set correctly.
The "Unsigned Non-Driver Installation Behavior" policy should be set correctly.
The "Users Prompted to Change Password Before Expiration" policy should be set correctly.
(1) number of days prior to expiration
CCE-4070-9 CCE-92 (1) enabled/disabled
CCE-3629-3 CCE-224 (1) enabled/disabled
CCE-3813-3 CCE-360 (1) enabled/disabled
CCE-3333-2 CCE-422 (1) enabled/disabled
CCE-3747-3 CCE-576 (1) enabled/disabled
CCE-3994-1 CCE-519 (1) enabled/disabled
CCE-3783-8 CCE-171 (1) enabled/disabled
CCE-3928-9 CCE-104 (1) enabled/disabled
CCE-3545-1 CCE-773
CCE-4069-1 CCE-919 (1) Group(s)
The "Shut Down system immediately if unable to log security audits" policy should be set correctly.
The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.
The "Automatically Log Off Users When Logon Time Expires (local)" policy should be set correctly.
The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly.
The "Digitally Sign Client Communication (Always)" policy should be set correctly.
The "Digitally Sign Client Communication (When Possible)" policy should be set correctly.
The "Digitally Sign Server Communication (Always)" policy should be set correctly.
The "Digitally Sign Server Communication (When Possible)" policy should be set correctly.
The "Number of Previous Logons to Cache" policy should be set correctly.
(1) number of logons
The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly.
CCE-3607-9 CCE-549 (1) enabled/disabled
CCE-3849-7 CCE-161 (1) enabled/disabled
CCE-4025-3 CCE-918 (1) enabled/disabled
CCE-3596-4 CCE-443 (1) behavior
CCE-3145-0 CCE-831 (1) enabled/disabled
CCE-3947-9 CCE-621
CCE-3863-8 CCE-546 (1) enabled/disabled
CCE-4008-9 CCE-764 (1) enabled/disabled
CCE-4000-6 CCE-830 (1) time in seconds
CCE-4145-9 CCE-949 (1) enabled/disabled
CCE-3149-2 CCE-742 (1) enabled/disabled
CCE-3152-6 CCE-736 (1) enabled/disabled
The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly.
The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.
The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.
The "Smart Card Removal Behavior" policy should be set correctly.
The "Prevent System Maintenance of Computer Account Password" policy should be set correctly.
Local volumes should be formatted correctly.
(1) type of formatting
Unused USB Ports should be enabled or disabled as appropriate.
The "Current user screensaver" policy should be set correctly.
The "Current user screensaver timeout" policy should be set correctly.
The "Current user screensaver secure" policy should be set correctly.
The "Current user screensaver active" policy should be set correctly.
The "Always Install with Elevated Privileges" policy should be set correctly.
CCE-4108-7 CCE-261 (1) enabled/disabled
CCE-3861-2 CCE-415 (1) enabled/disabled
CCE-3931-3 CCE-794 (1) enabled/disabled
CCE-4094-9 CCE-107 (1) enabled/disabled
CCE-4116-0 CCE-256 (1) enabled/disabled
CCE-3980-0 CCE-662 (1) enabled/disabled
CCE-4002-2 CCE-424 (1) enabled/disabled
CCE-4033-7 CCE-525 (1) enabled/disabled
CCE-4055-0 CCE-785 (1) enabled/disabled
CCE-3451-2 CCE-578 (1) enabled/disabled
The "Set Safe for Scripting" policy should be set correctly.
The "Enable User Control Over Installs" policy should be set correctly.
The "Enable User to Browse for Source While Elevated" policy should be set correctly.
The "Enable User to Use Media Source While Elevated" policy should be set correctly.
The "Allow Administrator to Install from Terminal Services Session" policy should be set correctly.
The "Enable User to Patch Elevated Products" policy should be set correctly.
The "Cache Transforms in Secure Location" policy should be set correctly.
Internet access for Windows Messenger should be configured correctly.
The "Hide Property Pages" policy should be set correctly for the Task Scheduler.
The "Prohibit New Task Creation" policy should be set correctly for the Task Scheduler.
CCE-3971-9 CCE-5 (1) enabled/disabled
CCE-4117-8 CCE-146 (1) enabled/disabled
CCE-3874-5 CCE-212 (1) enabled/disabled
CCE-3517-0 CCE-622 (1) enabled/disabled
The "Security Zones: Use Only Machine Settings" setting should be configured correctly.
The "Security Zones: Do Not Allow Users to Add/Delete Sites" setting should be configured correctly.
The "Disable Periodic Check For Internet Explorer Software Updates" setting should be configured correctly.
The "Disable Software Update Shell Notifications on Program Launch" setting should be configured correctly.
CCE-3962-8 CCE-684 (1) enabled/disabled
CCE-4125-1 CCE-693
CCE-4019-6 CCE-833 (1) enabled/disabled
CCE-4812-4 CCE-10
CCE-5236-5 CCE-2118 enabled/disabled
CCE-4719-1 CCE-2390 enabled/disabled
CCE-4874-4 CCE-1001
CCE-4777-9 CCE-1298
CCE-4156-6 CCE-165 (1) set of accounts
The "Disable Automatic Install of Internet Explorer Components" setting should be configured correctly.
The "Make Proxy Settings Per-Machine (Rather Than Per-User)" setting should be configured correctly.
(1) number of proxy settings
The "Security Zones: Do Not Allow Users to Change Policies" setting should be configured correctly.
DEPRECATED in favor of CCE-5236-5, CCE-4719-1.
Auditing of "directory service access" events on success should be enabled or disabled as appropriate.
Auditing of "directory service access" events on failure should be enabled or disabled as appropriate.
The Smart Card Helper service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The License Logging service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The "deny logon as a batch job" user right should be assigned to the correct accounts.
CCE-4825-6 CCE-167
CCE-4720-9 CCE-1786
CCE-4848-8 CCE-1984 enabled/disabled
CCE-4729-0 CCE-2166
CCE-4495-8 CCE-217
CCE-4768-8 CCE-828 enabled/disabled
CCE-4253-1 CCE-2258
CCE-4539-3 CCE-267
CCE-4786-0 CCE-278 (1) enabled/disabled
CCE-4447-9 CCE-303
CCE-4332-3 CCE-304 (1) set of accounts
The Application Management service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Resultant Set of Policy (RSoP) Provider Service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
Use of the Recycle Bin on file deletion should be enabled or disabled as appropriate.
The Network News Transport Protocol (NNTP) service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Network Dynamic Data Exchange (DDE) service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The "Interactive logon: Require smart card" setting should be configured correctly.
The Distributed Link Tracking Server service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The startup type of the Remote Access Auto connection Manager service should be correct.
(1) disabled/manual/automatic
The "Disconnect clients when logon hours expire" policy should be set correctly.
The Distributed Transaction Coordinator service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The "Impersonate a client after authentication" user right should be assigned to the correct accounts.
CCE-4830-6 CCE-340
CCE-4751-4 CCE-366
CCE-4645-8 CCE-227 enabled/disabled
CCE-4750-6 CCE-37 (1) number of hours
CCE-4865-2 CCE-6
CCE-4684-7 CCE-33 (1) number of days
CCE-4715-9 CCE-588
CCE-4790-2 CCE-383 (1) set of accounts
CCE-4667-2 CCE-40
CCE-4882-7 CCE-428
CCE-4799-3 CCE-458
CCE-4195-4
CCE-4235-8 CCE-597 (1) set of accounts
The required permissions for the file %SystemRoot%\System32\runas.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The Uninterruptible Power Supply service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The "Enforce user logon restrictions" policy should be set correctly.
The "Maximum User Ticket Lifetime" policy should be set correctly.
The "Maximum Service Ticket Lifetime" policy should be set correctly.
(1) number of minutes
The "Maximum User Renewal Lifetime" policy should be set correctly.
The "Maximum tolerance for computer clock synchronization" policy should be set correctly.
(1) number of minutes
The "Create global objects" user right should be assigned to the correct accounts.
The startup type of the Task Scheduler service should be correct.
(1) disabled/manual/automatic
The Telephony service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The "DCOM: Machine access Restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly.
The DHCP Server service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The "deny logon as a service" user right should be assigned to the correct accounts.
CCE-4244-0 CCE-604
CCE-4764-7 CCE-650
CCE-4803-3 CCE-651
CCE-4794-4 CCE-738
CCE-4689-6 CCE-740
CCE-4779-5 CCE-750
CCE-4801-7 CCE-768
CCE-4453-7
CCE-4096-4 CCE-98
CCE-4003-0 CCE-990 (1) list of accounts
The Wireless Zero Configuration service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The startup type of the .NET Framework service should be correct.
(1) disabled/manual/automatic
The Distributed Link Tracking Client service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The startup type of the Indexing service should be correct.
(1) disabled/manual/automatic
The "DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax" security option should be set correctly.
The Remote Access Connection Manager service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Network DDE DDE Share Database Manager (DSDM) service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Certificate Services service should be enabled or disabled as appropriate.
The Smart Card service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
Membership in the Power Users group should be assigned to the appropriate accounts.
CCE Technical Mechanisms
(1) defined by the object's SACL
(1) defined by the object's SACL
(1) defined by the object's SACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the SeDenyNetworkLogonRight setting in Local or Group Policy
(1) defined by the SeNetworkLogonRight setting in Local or Group Policy
(1) defined by the SeTcbPrivilege setting in Local or Group Policy
(1) defined by the SeBackupPrivilege setting in Local or Group Policy
(1) defined by the SeChangeNotifyPrivilege setting in Local or Group Policy
(1) defined by the SeSystemTimePrivilege setting in Local or Group Policy
(1) defined by the SeCreatePagefilePrivilege setting in Local or Group Policy
(1) defined by the SeCreateTokenPrivilege setting in Local or Group Policy
(1) defined by the SeCreatePermanentPrivilege setting in Local or Group Policy
(1) defined by the SeDebugPrivilege setting in Local or Group Policy
(1) defined by the SeRemoteShutdownPrivilege setting in Local or Group Policy
(1) defined by the SeAuditPrivilege setting in Local or Group Policy
(1) defined by the SeIncreaseQuotaPrivilege setting in Local or Group Policy
(1) defined by the SeIncreaseBasePriorityPrivilege setting in Local or Group Policy
(1) defined by the SeLoadDriverPrivilege setting in Local or Group Policy
(1) defined by the SeLockMemoryPrivilege setting in Local or Group Policy
(1) defined by the SeBatchLogonRight setting in Local or Group Policy
(1) defined by the SeServiceLogonRight setting in Local or Group Policy
(1) defined by the SeInteractiveLogonRight setting in Local or Group Policy
(1) defined by the SeSecurityPrivilege setting in Local or Group Policy
(1) defined by the SeSystemEnvironmentPrivilege setting in Local or Group Policy
(1) defined by the SeProfileSingleProcessPrivilege setting in Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by the SeSystemProfilePrivilege setting in Local or Group Policy
(1) defined by the SeUndockPrivilege setting in Local or Group Policy
(1) defined by the SeAssignPrimaryTokenPrivilege setting in Local or Group Policy
(1) defined by the SeRestorePrivilege setting in Local or Group Policy
(1) defined by the SeShutdownPrivilege setting in Local or Group Policy
(1) defined by the SeTakeOwnershipPrivilege setting in Local or Group Policy
(1) defined by the SeSynchAgentPrivilege setting in Local or Group Policy
(1) defined by the SeDenyInteractiveLogonRight setting in Local or Group Policy
(1) defined by the SeEnableDelegationPrivilege setting in Local or Group Policy
(1) defined by the SeMachineAccountPrivilege setting in Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\MaxSize
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\RestrictGuestAccess (2) defined by Group Policy
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MaxSize
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\RestrictGuestAccess (2) defined by Group Policy
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\MaxSize
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) determined by the local filesystem
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RshSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SIMPTCP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) Local Users and Groups MMC
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
(1) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
(1) HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDrom\Autorun
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\CreateCrashDump
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCShowProgress
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\EnhancedSecurityLevel
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\WarningLevel
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\DisableSavePassword
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel Parameters: (1) level
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers (2) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing\Policy (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning (2) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD (2) defined by Local or Group Policy
(1) Disk Management MMC
(1) ?
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange (2) defined by Local or Group Policy
(1) HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\SafeForScripting\
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableUserControl
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownBrowse
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownMedia
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableAdminTSRemote
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownPatch
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\TransformSecure
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\{9b017612-c9f1-11d2-8d9f-0000f875c541}\Disabled (2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MessengerService
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Property Pages
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Task Creation
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Use_HKLM_only Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_Zones_Map_Edit Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_zones_map_edit
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoUpdateCheck Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoUpdateCheck
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoMSAppLogo5ChannelNotify,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer/Internet Control Panel/Security Features/Restrict File Download, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\(Reserved), [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\explorer.exe, [HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\iexplore.exe
(1) via auditpol
(1) via auditpol
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\InfoDelivery\Restrictions\NoJITSetup,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\NoJITSetup
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit,Local Internet Options: GPO Settings:[Computer Configuration | User Configuration]/Network/Internet Explorer, Registry Keys:[HKLM | HKCU]\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_options_edit
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) defined by the SeDenyBatchLogonRight setting in Local or Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\NukeOnDelete
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SCForceOption
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff (2) defined by Local or Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) defined by the object's DACL
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) defined by the SeDenyServiceLogonRight setting in Local or Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
(1) defined by the Services Administrative Tool (2) defined by Group Policy
CIS W2K Server Level 2 Benchmark v2.2.1
4.4.3.1 %System Drive% - Everyone: Failures (this folder, propagate inheritable permissions to all subfolders and files)
4.4.3.2 HKLM\Software – Everyone: Failures (this key, propagate inheritable permission to all subkeys)
4.4.3.3 HKLM\System – Everyone: Failures (this key, propagate inheritable permission to all subkeys)
4.4.1.15 %ProgramFiles% - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
4.4.1.16 %Program Files%\Resource Kit – Administrators: Full; System: Full
4.4.1.17 %Program Files%\Resource Pro Kit – Administrators: Full; System: Full
4.4.1.1 %SystemDrive%\ - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
4.4.1.2 %SystemDrive%\autoexec.bat - Administrator: Full; System: Full
4.4.1.3 %SystemDrive%\boot.ini – Administrators: Full; System: Full
4.4.1.4 %SystemDrive%\config.sys - Administrators: Full; System: Full
?
4.4.1.5 %SystemDrive%\io.sys - Administrators: Full; System: Full
4.4.1.10 %SystemDrive%\Documents and Settings - Administrators: Full; System: Full; Users: Read and Execute, List
4.4.1.11 %SystemDrive%\Documents and Settings\Administrator - Administrators: Full; System: Full
4.4.1.12 %SystemDrive%\Documents and Settings\All Users – Administrators: Full; System: Full; Users: Read and Execute, List
4.4.1.13 %SystemDrive%\Documents and Settings\All Users\Documents\DrWatson – Administrators: Full; System: Full; Creator Owner: Full; Users: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions (This folder, subfolders, and files); Users: Traverse Folder/Execute Files, Create Files/Write Data, Create Folder/Append Data (Subfolders and files only)
4.4.1.14 %SystemDrive%\Documents and Settings\Default User - Administrators: Full; System: Full; Users: Read and Execute, List
4.4.1.6 %SystemDrive%\msdos.sys - Administrators: Full; System: Full
?
?
4.4.1.7 %SystemDrive%\ntbootdd.sys - Administrators: Full; System: Full
4.4.1.8 %SystemDrive%\ntdetect.com – Administrators: Full; System: Full
4.4.1.9 %SystemDrive%\ntldr - Administrators: Full; System: Full
4.4.1.47 %SystemDrive%\System Volume Information – (Do not allow permissions on this folder to be replaced)
4.4.1.18 %SystemRoot% – Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
4.4.1.18 %SystemRoot% – Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
4.4.1.19 %SystemRoot%\$NtServicePackUninstall$ – Administrators: Full; System: Full
?
?
?
4.4.1.20 %SystemRoot%\CSC – Administrators: Full; System: Full
4.4.1.21 %SystemRoot%\Debug - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
4.4.1.22 %SystemRoot%\Debug\UserMode - Administrators: Full; System: Full; Users: Traverse Folder/Execute File, List folder/Read data, Create files/Write data (This folder, only); Create files/Write data, Create folders/Append data (Files only)
4.4.1.31 %SystemRoot%\regedit.exe – Administrators: Full; System: Full
4.4.1.23 %SystemRoot%\Offline Web Pages – Ignore Parent Permission Changes
4.4.1.24 %SystemRoot%\Registration - Administrators: Full; System: Full; Users: Read
4.4.1.25 %SystemRoot%\repair - Administrators: Full; System: Full
4.4.1.26 %SystemRoot%\security - Administrators: Full; System: Full; Creator Owner: Full
?
?
?
?
4.4.1.27 %SystemRoot%\system32 - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
4.4.1.36 %SystemRoot%\system32\appmgmt – Administrators: Full; System: Full; Users: Read and Execute, List
4.4.1.28 %SystemRoot%\system32\at.exe – Administrators: Full; System: Full
4.4.1.37 %SystemRoot%\system32\config – Administrators: Full; System: Full
4.4.1.38 %SystemRoot%\system32\dllcache – Administrators: Full; System: Full; Creator Owner: Full
4.4.1.39 %SystemRoot%\system32\DTCLog - Administrators: Full; System: Full; Creator Owner: Full; Users: Read and Execute, List
4.4.1.40 %SystemRoot%\system32\Group Policy - Administrators: Full; System: Full; Authenticated Users: Read and Execute, List
4.4.1.41 %SystemRoot%\system32\ias - Administrators: Full; System: Full; Creator Owner: Full
4.4.1.29 %SystemRoot%\system32\Ntbackup.exe – Administrators: Full; System: Full
4.4.1.42 %SystemRoot%\system32\NTMSData – Administrators: Full; System: Full
4.4.1.30 %SystemRoot%\system32\rcp.exe – Administrators: Full; System: Full
4.4.1.32 %SystemRoot%\system32\regedt32.exe – Administrators: Full; System: Full
4.4.1.43 %SystemRoot%\system32\reinstallbackups – Administrators: Full; System: Full; Creator Owner: Full; Power Users: Read and Execute, List
4.4.1.33 %SystemRoot%\system32\rexec.exe – Administrators: Full; System: Full
4.4.1.34 %SystemRoot%\system32\rsh.exe – Administrators: Full; System: Full
4.4.1.35 %SystemRoot%\system32\secedit.exe – Administrators: Full; System: Full
?
?
?
?
?
4.4.1.44 %SystemRoot%\system32\Setup – Administrators: Full; System: Full; Users: Read and Execute, List
4.4.1.45 %SystemRoot%\system32\spool\printers – Administrators: Full; System: Full; Creator Owner: Full; Users: Traverse Folder, Execute File, Read, Read Extended Attributes, Create folders, Append Data
4.4.1.46 %SystemRoot%\Tasks - (Do not allow permissions on this folder to be replaced)
?
?
4.4.2.2 HKLM\Software – Administrators Full; System: Full; Creator Owner: Full; Users: Read
4.4.2.1 HKLM\Software\Classes - Administrators: Full; System: Full; Creator Owner: Full; Users: Read
4.4.2.3 HKLM\Software\Microsoft\Net DDE – Administrators: Full; System: Full
4.4.2.4 HKLM\Software\Microsoft\OS/2 Subsystem for NT – Administrators: Full; System: Full; Creator Owner: Full
4.4.2.5 HKLM\Software\Microsoft\Windows NT\CurrentVersion\AsrCommands – Administrators: Full; System: Full; Creator Owner: Full; Users: Read; Backup Operators: Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Delete, Read (this key and subkeys)
4.4.2.6 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib – Administrators: Full; System: Full; Creator Owner: Full; Interactive: Read (this key and subkeys)
4.4.2.7 HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy - Administrators: Full; System: Full; Authenticated Users: Read
4.4.2.8 HKLM\Software\Microsoft\Windows\CurrentVersion\Installer - Administrators Full; System: Full; Users: Read
4.4.2.9 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies - Administrators: Full; System: Full; Authenticated Users: Read
4.4.2.10 HKLM\System - Administrators Full; System: Full; Creator Owner: Full; Users: Read
4.4.2.11 HKLM\System\Clone – Allow inheritable permissions to propagate to this object
4.4.2.12 HKLM\System\ControlSet001 - Administrators Full; System: Full; Creator Owner: Full; Users: Read
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
4.4.2.13 HKLM\System\ControlSet00x - Administrators Full; System: Full; Creator Owner: Full; Users: Read
4.4.2.14 HKLM\System\CurrentControlSet\Control\SecurePipeServers\WinReg – Administrators: Full
4.4.2.15 HKLM\System\CurrentControlSet\Control\WMI\Security – Administrators: Full; System: Full; Creator Owner: Full (this key and subkeys)
4.4.2.16 HKLM\System\CurrentControlSet\Enum - (Do not allow permissions on this key to be replaced)
4.4.2.17 HKLM\System\CurrentControlSet\Hardware Profiles – Administrators Full; System: Full; Creator Owner: Full; Users: Read
4.4.2.18 HKLM\System\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers - Administrators Full; System: Full; Creator Owner: Full
4.4.2.19 HKLM\System\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities - Administrators Full; System: Full; Creator Owner: Full
4.4.2.20 HKU\.Default - Administrators Full; System: Full; Creator Owner: Full; Users: Read
4.4.2.21 HKU\.Default\Software\Microsoft\NetDDE - Administrators Full; System: Full
4.4.2.22 HKU\.Default\Software\Microsoft\Protected Storage System Provider – No entries
4.2.11 Deny access to this computer from the network: Guests
4.2.2 Act as part of the operating system: None
4.2.4 Back up files and directories: Administrators
4.2.5 Bypass traverse checking: Users
4.2.6 Change the system time: Administrators
4.2.7 Create a pagefile: Administrators
4.2.8 Create a token object: None
4.2.9 Create permanent shared objects: None
4.2.10 Debug Programs: None
4.2.1 Access this computer from the network: Users, Administrators (or none)
4.2.16 Force shutdown from a remote system: Administrators
4.2.17 Generate security audits: None
4.2.18 Increase quotas: Administrators
4.2.19 Increase scheduling priority: Administrators
4.2.20 Load and unload device drivers: Administrators
4.2.21 Lock pages in memory: None
4.2.22 Log on as a batch job: None
4.2.23 Log on as a service: None
4.2.25 Manage auditing and security log: Administrators
4.2.26 Modify firmware environment values: Administrators
4.2.27 Profile single process: Administrators
4.2.24 Log on locally: Users, Administrators (further restriction allowable)
4.2.28 Profile system performance: Administrators
4.2.29 Remove computer from docking station: Users, Administrators
4.2.30 Replace a process level token: None
4.2.31 Restore files and directories: Administrators
4.2.32 Shut down the system: Users, Administrators
4.2.34 Take ownership of file or other objects: Administrators
4.2.33 Synchronize directory service data: Not Applicable
4.2.3 Add workstations to domain: Not applicable
Reset Account Lockout After: 15 Minutes (minimum)
4.2.14 Deny logon locally: None by default (others allowable as appropriate)
4.2.15 Enable computer and user accounts to be trusted for delegation: Not Applicable
Account Lockout Duration: 15 Minutes (minimum)
Account Lockout Threshold: 3 Bad Login Attempts (maximum)
Audit Account Logon Events: Success and Failure
Audit Account Logon Events: Success and Failure
Audit Account Management: Success and Failure
Audit Account Management: Success and Failure
Audit Logon Events: Success and Failure
Audit Logon Events: Success and Failure
Audit Object Access: Failure (minimum)
Audit Object Access: Failure (minimum)
Audit Policy Change: Failure (minimum)
Audit Policy Change: Failure (minimum)
Audit Privilege Use: Failure (minimum)
Audit Privilege Use: Failure (minimum)
Audit Process Tracking: Not Defined
Audit Process Tracking: Not Defined
Audit System Events: Success and Failure
Audit System Events: Success and Failure
Allow System to be Shut Down Without Having to Log On
Application Log: Restrict Guest Access to Logs: Enabled
Application Log: Maximum Event Log Size: 80 Mb (minimum)
Security Log: Restrict Guest Access to Logs: Enabled
Security Log: Maximum Event Log Size: 80 Mb (minimum)
Security Log: Log Retention Method: “Overwrite Events As Needed”
System Log: Restrict Guest Access to Logs: Enabled
System Log: Maximum Event Log Size: 80 Mb (minimum)
System Log: Log Retention Method: “Overwrite Events As Needed”
Application Log: Log Retention Method: “Overwrite Events As Needed”
All passwords are no more than 90 days old (maximum).
Minimum Password Age: 1 day
All passwords are at least 8 characters long (minimum).
Password Complexity: Enabled
Password History: 24 Passwords Remembered
Store Passwords using Reversible Encryption: Disabled
4.1.1 Alerter – Disabled
4.1.2 Clipbook – Disabled
4.1.3 Computer Browser – Disabled
4.1.4 Fax Service – Disabled
4.1.5 FTP Publishing Service – Disabled
4.1.6 IIS Admin Service – Disabled
4.1.8 Messenger – Disabled
4.1.9 NetMeeting Remote Desktop Sharing – Disabled
4.1.7 Internet Connection Sharing – Disabled
4.1.10 Remote Registry Service – Disabled
4.1.11 Routing and Remote Access – Disabled
4.1.12 Simple Mail Transfer Protocol (SMTP) – Disabled
4.1.15 Telnet – Disabled
4.1.16 World Wide Web Publishing Services – Disabled
4.1.17 Automatic Updates – Not Defined
4.1.18 Background Intelligent Transfer Service – Not Defined
4.1.13 Simple Network Management Protocol (SNMP) Service – Disabled
4.1.14 Simple Network Management Protocol (SNMP) Trap – Disabled
Additional Restrictions for Anonymous Connections: “No Access Without Explicit Anonymous Permissions”
Message Title for Users Attempting to Log On: “Warning:” or custom title.
Message Text for Users Attempting to Log On: Custom Message or “This
Remove administrative shares on workstation (Professional): HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks (REG_DWORD) 0
Disable Automatic Execution of the System Debugger: HKLM\Software\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto (REG_DWORD) 0
Disable Automatic Logon: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon (REG_DWORD) 0
Disable automatic reboots after a Blue Screen of Death: HKLM\System\CurrentControlSet\Control\CrashControl\AutoReboot (REG_DWORD) 0
Disable autoplay from any disk type, regardless of application: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255
Disable autoplay for current user: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) 255
Disable autoplay for new users by default: HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun (REG_DWORD) Not Defined
Disable CD Autorun: HKLM\System\CurrentControlSet\Services\CDrom\Autorun (REG_DWORD) 0
Protect against Computer Browser Spoofing Attacks: HKLM\System\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset (REG_DWORD) 1
Ensure ICMP Routing via shortest path first: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect (REG_DWORD) 0
Protect against source-routing spoofing: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting (REG_DWORD) 2
Ensure Router Discovery is Disabled: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery (REG_DWORD) 0
Enable IPSec to protect Kerberos RSVP Traffic: HKLM\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt (REG_DWORD) 1
Suppress Dr. Watson Crash Dumps: HKLM\Software\Microsoft\DrWatson\CreateCrashDump (REG_DWORD) 0
Don’t display username of last successful logon at the logon screen: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName (REG_SZ) Not Defined; 3.2.1.15 Do Not Display Last User Name in Logon Screen: Enabled
Enable the File System Checker and Disable Popups: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable (REG_DWORD) Not Defined
Enable the System File Checker to verify all operating system files at boot time: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCScan (REG_DWORD) Not Defined. Note: Due to the processor-intensive nature of the System File Checker, it is no longer required on startup.
Do not show the System File Checker progress meter: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCShowProgress (REG_DWORD) Not Defined
3.2.2.24 Do not announce this computer to domain master browsers: HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden (REG_DWORD) 1
Protect the Default Gateway network setting: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect (REG_DWORD) 0
Manage Keep-alive times: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime (REG_DWORD) 300000
SYN Attack protection – Manage TCP Maximum half-open sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen (REG_DWORD) 100
SYN Attack protection – Manage TCP Maximum half-open retired sockets: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetired (REG_DWORD) 80
Protect Against Malicious Name-Release Attacks: HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand (REG_DWORD) 1
Help protect against packet fragmentation: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery (REG_DWORD) 0
Protect against SYN Flood attacks: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect (REG_DWORD) 2
Allow Server Operators to Schedule Tasks: Not Applicable
Rename Administrator Account: Any value other than ‘Administrator’
Rename Guest Account: Any value other than ‘Guest’
Audit the access of global system objects: Not Defined
Audit the use of backup and restore privilege: Not Defined
Disable CTRL+ALT+Delete Requirement for Logon: Disabled
Prevent Users from Installing Printer Drivers: Enabled
Amount of Idle Time Required Before Disconnecting Session: 30 Minutes (minimum)
LAN Manager Authentication Level: “Send NTLMv2 response only” (minimum)
Recovery Console: Allow Automatic Administrative Logon: Disabled
Restrict CD-ROM Access to Locally Logged-On User Only: Enabled
Restrict Floppy Access to Locally Logged-On User Only: Enabled
Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders: Disabled
Strengthen Default Permissions of Global System Objects (e.g. Symbolic Links): Enabled
Secure Channel: Require Strong (Windows 2000 or later) Session Key: Not Defined
Send Unencrypted Password to Connect to Third-Party SMB Servers: Disabled
Unsigned Driver Installation Behavior: “Warn, but allow installation” (minimum) or “Do Not Allow Installation”.
Unsigned Non-Driver Installation Behavior: “Warn, but allow installation” (minimum) or “Do Not Allow Installation”
Prompt User to Change Password Before Expiration: 14 Days (minimum)
Allow System to be Shut Down Without Having to Log On: Disabled
Clear Virtual Memory Pagefile When System Shuts Down: Enabled
Digitally Sign Client Communication (Always): Not Defined
Digitally Sign Client Communication (When Possible): Enabled
Digitally Sign Server Communication (Always): Not Defined
Digitally Sign Server Communication (When Possible): Enabled
Number of Previous Logons to Cache: 1 (maximum)
Allowed to Eject Removable NTFS Media: Administrators
Shut Down system immediately if unable to log security audits: Not Defined
Automatically Log Off Users When Logon Time Expires (local): Enabled
Smart Card Removal Behavior: “Lock Workstation” (minimum)
4.3.1 Ensure all disk volumes are using the NTFS file system
Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always): Not Defined
Secure Channel: Digitally Encrypt Secure Channel Data (When Possible): Enabled
Secure Channel: Digitally Sign Secure Channel Data (When Possible): Enabled
Prevent System Maintenance of Computer Account Password: Disabled
Reg Auditing Local Machine
Reg Auditing Local Machine
Program Files ACL
Resource Kit ACL Servers and DCs
Resource Kit ACL Workstation
SystemDrive ACL
Autoexec.bat ACL
BOOT.INI ACL
DISA Gold Disk Check Name for W2K (golddisk.win2k.ecve.txt)
CONFIG.SYS ACL
Documents and Settings ACL
Documents and Settings\Administrator ACL
Documents and Settings\All Users ACL
DrWatson ACL
DrWatson Log ACL
Default User ACL
IO.SYS ACL
MSDOS.SYS ACL
NTBOOTDD.SYS ACL
NTDETECT.COM ACL
NTLDR ACL
Temp ACL
My Download ACL
System Root ACL
Driver.cab ACL
System Root ACL
%SystemRoot%\$NtServicePackUninstall$
NT SP Uninstall ACL
CSC ACL
Debug ACL
UserMode Directory ACL
regedit.exe ACL
NTDS ACL
Registration ACL
Repair ACL
Security ACL
SYSVOL ACL
%SystemRoot%\SYSVOL\domain\Policies
Temp ACL
System32 ACL
appmgmt ACL
at.exe ACL
CONFIG ACL
%SystemRoot%\System32\CONFIG\AppEvent.evt
%SystemRoot%\System32\CONFIG\SecEvent.evt
dllcache ACL
GroupPolicy ACL
ias ACL
NTbackup.exe ACL
NTMSData ACL
Rcp.exe ACL
Regedt32.exe ACL
Rexec.exe ACL
Rsh.exe ACL
SECEDIT.SDB ACL
Registry ACL Check CLASSES_ROOT
Registry ACL Check Software
Reg ACL NetDDE Check test
Reg ACL OS2 Check test
Reg ACL Check AsrCommands
\SOFTWARE\Classes\Regfile\Shell\Open\Command
Registry ACL Check Perflib
Reg ACL Check Group Policy
Reg ACL Check Installer
Reg ACL Check Policies
Registry ACL Check SYSTEM
Registry ACL Check controlset001
Registry ACL Check controlset002
Registry ACL Check controlset003
Registry ACL Check controlset004
Registry ACL Check controlset005
Registry ACL Check controlset006
Registry ACL Check controlset007
Registry ACL Check controlset008
Registry ACL Check controlset009
Registry ACL Check controlset010
Winreg ACL
Registry ACL Check Security
Registry ACL Check Hardware Profiles
Registry ACL Check Permitted Managers
Registry ACL Check ValidCommunities
Registry ACL Check Default
Registry ACL Check NetDDE
Registry ACL Check CLASSES_ROOT
User Right Check deny access from network
User Right Check Network Logon
User Right Check Act as OS
User Right Check Backup
User Right Check Bypass Traverse checking
User Right Check change system time
User Right Check create pagefile
User Right Check create token object
User Right Check create permanent shared objects
User Right Check debug programs
User Right Check remote shutdown
User Right Check generate security audits
User Right Check increase quotas
User Right Check increase scheduling priority
User Right Check load and unload device drivers
User Right Check lock pages in memory
User Right Check log on as a batch job
User Right Check log on as a service job
User Right Check log on locally
User Right Check modify firmware
User Right Check Profile single process
Manage Auditing and Security Logs on a Member Server
User Right Check Profile system performance
User Right Check undock
User Right replace process token
User Right restore
User Right shut down
User Right take ownership
User Right synch directory
User Right Check deny logon locally
User Right Check allow trust for delegation
User Right Check Add wkstn to domain
Lockout Reset (15)
Lockout Duration (15)
Lockout Count (3)
Account logon auditing
Account logon auditing
Account management auditing
Account management auditing
logon auditing
logon auditing
object access auditing
object access auditing
policy change auditing
policy change auditing
priv use auditing
priv use auditing
System Event auditing
System Event auditing
Decoy Admin, Account Exists
Application Event Log size key value
Anonymous Access to the Application Event Log value
Application Event Log retention key value
Application Event Log retention key value
Security Event Log size key value
Security Event Log retention key value
Security Event Log retention key value
System Event Log size key value
System Event Log retention key value
Anonymous Access to the Security Event Log value
Anonymous Access to the System Event Log value
System Event Log retention key value
Maximum Password Age (90)
Minimum Password Age
Password Length (8)
Check for Enpasflt.dll
EnPasFlt Check
Password History (24)
Reversible Pwd Encryption
Computer Browser Disabled
Remote Shell Service
Simple TCP/IP Service
NetMeeting Remote Desktop Sharing Disabled
Remote Access Auto Connection Manager Disabled
Telnet Disabled
Print Services for UNIX
Printer Permissions
"Schedule" service is run as the system account.
Restrict Anonymous value
Anonymous access to the event logs is not restricted.
Anonymous access to the Registry is not restricted.
Guest Account Disabled
Admin Autologon Value
CIS: Disable Reboot After Crash value
Autoplay value
Legal notice is not configured to display before console logon.
CIS: Automatic Execution of the System Debugger value
Computer Browser Spoofing Attacks
Disable ICMP Redirect
Disable IP Source Routing
Disable Router Discovery
CIS: Allow Dr. Watson Crash Dumps value
CIS: Disable Media Autoplay (HKU-.Default hive)
CIS: Enable IPSec security for Kerberos RSVP Traffic value
Disable Dead Gateway Detection
TCP Connection Keep-Alive Time
Half-open TCP Sockets
Half-open retired TCP Sockets
Name-Release Attacks
SYN Attack Protection
Protect Kernel object attributes
Audit Log Warning Level
Disable saving of dial up password
Encrypt Secure Channel Traffic Value
CIS: Hide computer Name from other domain controllers value
Sign Secure Channel Traffic Value
Administrator Account Renamed
Guest Account Renamed
Ctrl+Alt+Del security attention sequence is Disabled.
LMCompatibility Value
Print Driver Installation value
Amount of idle time before disconnecting value (<= 15)
The Send download LanMan compatible password option is not set to "Send LM and NTLM - Use NTLMv2 if Negotiated."
Recovery Console Autologon value
Recovery Console Full Access Value
Floppy Allocation
Strength permissions on GSO value
Unsigned Driver Behavior Value
Unsigned Non-Driver Behavior Value
Password Expiration value
Send unencrypted password to 3rd party SMB value
Crash on audit fail Value
The system allows shutdown from the logon dialog box
Logon Time Enforcement (0)
Clear Pagefile value
Enable Security Signature Value
SMB Server Packet Signing Value
Logon Caching value (<= 2)
NTFS Media Ejection value
Smart Card Removal Behavior Value
Disable password change Value
Non-NTFS Partition
Unused USB ports are not disabled.
current user scrnsave.exe
Current user screensaver timeout
Current user screensaver secure
Current user screensaver active
Always Install with Elevated Privileges
Enable User Control Over Installs
Enable User to Patch Elevated Products
Windows Messenger Internet Access
Hide Property Pages
Prohibit New Task Creation
Disable IE Security Prompt for Windows Installer Scripts
Enable User to Browse for Source While Elevated
Enable User to Use Media Source While Elevated
Allow Admin to Install from Terminal Services Session
Cache Transforms in Secure Location on Workstation
Security Zones: Use Only Machine Settings
Security Zones: Do Not Allow Users to Add/Delete Sites
Disable Periodic Check for Internet Explorer Software Updates
Disable Software Update Shell Notifications on Program Launch
Make Proxy Settings Per Machine
Audit Directory Service Access
Audit Directory Service Access
Smart Card Helper Service Disabled
License Logging Service Disabled
Denied Logon As A Batch Job
Disable Automatic Install of Internet Explorer Components
Security Zones: Do Not Allow Users to Change Policies
Application Management Service Disabled
Resultant Set of Policy Provider Service Disabled
CAC logon required (NIPRNet only) Requirement
Distributed Link Tracking Server Service Disabled
Impersonate a Client After Authentication
Recycle Bin Configured to Delete Files (Servers) Requirements
Network News Transport Protocol Service Disabled
Network Dynamic Data Exchange (DDE) Service Disabled
Remote Access Auto Connection Manager Service Disabled
Forcibly Disconnect when Logon Hours Expire Requirements
Distributed Transaction Coordinator Service Disabled
DCOM - RunAs Value Requirements
Uninterrupted Power Supply Service Disabled
Right To Create Global Objects
Task Scheduler Service Disabled
Telephony Service Disabled
DHCP Server Service Disabled
Denied Logon As A Service
Kerberos - User Logon Restrictions (DC) Requirements
Kerberos - User Ticket Lifetime (DC) Requirements
Kerberos - Service Ticket Lifetime (DC) Requirements
Kerberos - User Ticket Renewal Lifetime (DC) Requirements
Kerberos - Computer Clock Synchronization (DC) Requirements
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
Wireless Zero Configuration
ASP .NET State Service Disabled
Distributed Link Tracking Client Service Disabled
Indexing Service Disabled
Certificate Service Disabled
Smart Card Service Disabled
Power Users Restricted Group
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
Remote Access Connection Manager Service Disabled
Network DDE DDE Share Database Manager (DSDM) Service Disabled
CCE-2682-3 CCE-25
CCE-2796-1 CCE-899
CCE-1840-8 CCE-727
CCE-2483-6 CCE-211
CCE-1849-9 CCE-39
CCE-2620-3 CCE-83
CCE-2787-0 CCE-854
CCE-2673-2 CCE-783
The required auditing for %SystemDrive% directory should be enabled.
(1) set of accounts (2) events to audit (3) applicability
The required auditing for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be enabled.
(1) set of accounts (2) events to audit (3) applicability
The required auditing for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be enabled.
(1) set of accounts (2) events to audit (3) applicability
The required permissions for the directory %ALL% should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile% should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile%\Application Data should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Crypto\DSSHKLMKeys should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-2782-1 CCE-713
CCE-2676-5 CCE-387
CCE-1815-0 CCE-527
CCE-2728-4 CCE-686
CCE-2763-1 CCE-3
CCE-2768-0 CCE-356
CCE-2561-9 CCE-85
CCE-2706-0 CCE-24
CCE-2085-9 CCE-411
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Crypto\RSAHKLMKeys should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Dr Watson should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\Dr Watson\drwtsn32.log should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\HTML Help should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile%\Application Data\Microsoft\MediaIndex should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile%\Documents\desktop.ini should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %AllUsersProfile%\DRM should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %ProgramFiles% should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive% should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-2702-9 CCE-816
CCE-2623-7 CCE-987
CCE-2565-0 CCE-419
CCE-2115-4 CCE-120
CCE-2741-7 CCE-714
CCE-2745-8 CCE-540
CCE-2287-1 CCE-602
CCE-2798-7 CCE-399
CCE-2578-3 CCE-192
CCE-2234-3 CCE-561
The required permissions for the file %SystemDrive%\AUTOEXEC.BAT should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\CONFIG.SYS should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\Documents and Settings should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive%\Documents and Settings\Administrator should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemDrive%\Documents and Settings\Default User should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\IO.SYS should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\MSDOS.SYS should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\NTBOOTDD.SYS should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\NTDETECT.COM should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemDrive%\NTLDR should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-2750-8 CCE-971
CCE-2160-0 CCE-645
CCE-2475-2 CCE-579
CCE-2387-9 CCE-505
CCE-2647-6 CCE-134
CCE-2418-2 CCE-293
CCE-2329-1 CCE-94
CCE-2105-5 CCE-152
CCE-2752-4 CCE-482
CCE-2757-3 CCE-147
CCE-2264-0 CCE-737
The required permissions for the file %SystemDrive%\System Volume Information should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot% should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Driver Cache\I386\Driver.cab should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\$NtServicePackUninstall$ should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\CSC should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Debug should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Debug\UserMode should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Debug\UserMode\userenv.log should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\Installer should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\Offline Web Pages should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\Prefetch should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-2175-8 CCE-795
CCE-2325-9 CCE-155
CCE-1833-3 CCE-323
CCE-2805-0 CCE-873
CCE-2739-1 CCE-67
CCE-2638-5 CCE-380
CCE-2660-9 CCE-45
CCE-2052-9 CCE-600
CCE-2184-0 CCE-393
CCE-2312-7 CCE-166
CCE-2726-8 CCE-977
The required permissions for the file %SystemRoot%\regedit.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Registration should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Registration\CRMLog should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\repair should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Temp should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32 should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\arp.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\at.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\attrib.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\cacls.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-2250-9 CCE-272
CCE-1924-0 CCE-994
CCE-2598-1 CCE-170
CCE-1842-4 CCE-197
CCE-1846-5 CCE-765
CCE-2800-1 CCE-334
CCE-2699-7 CCE-201
CCE-2844-9 CCE-386
CCE-2109-7 CCE-941
CCE-2514-8 CCE-981
The required permissions for the file %SystemRoot%\System32\ciadv.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Com\comexp.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\compmgmt.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\CONFIG should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\CONFIG\AppEvent.evt should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\CONFIG\*.evt should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\debug.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\devmgmt.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\dfrg.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\diskmgmt.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-1863-0 CCE-350
CCE-2760-7 CCE-403
CCE-2425-7 CCE-972
CCE-1909-1 CCE-20
CCE-2145-1 CCE-489
CCE-2436-4 CCE-917
CCE-2704-5 CCE-846
CCE-2334-1 CCE-529
CCE-2229-3 CCE-264
CCE-2621-1 CCE-819
The required permissions for the directory %SystemRoot%\System32\dllcache should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\drwatson.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\drwtsn32.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\edlin.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\eventcreate.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\eventtriggers.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\eventvwr.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\fsmgmt.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\ftp.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\gpedit.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-2876-1 CCE-789
CCE-2813-4 CCE-894
CCE-2597-3 CCE-198
CCE-2747-4 CCE-634
CCE-2139-4 CCE-550
CCE-2178-2 CCE-731
CCE-2672-4 CCE-607
CCE-1916-6 CCE-158
CCE-2732-6 CCE-220
The required permissions for the directory %SystemRoot%\System32\GroupPolicy should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\ias should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\lusrmgr.msg should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\MSDTC should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\nbstat.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\net.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\net1.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\netsh.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\netstat.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-2613-8 CCE-242
CCE-2903-3 CCE-821
CCE-1925-7 CCE-486
CCE-2727-6 CCE-548
CCE-2749-0 CCE-715
CCE-2912-4 CCE-151
CCE-2784-7 CCE-997
CCE-2220-2 CCE-547
CCE-2833-2 CCE-865
The required permissions for the file %SystemRoot%\System32\nslookup.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Ntbackup.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\NTMSData should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\ntmsoprq.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\ntmsmgr.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\perfmon.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Rcp.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\reg.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Regedt32.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-2855-5 CCE-543
CCE-2894-4 CCE-657
CCE-2899-3 CCE-274
CCE-2546-0 CCE-168
CCE-2674-0 CCE-353
CCE-2070-1 CCE-27
CCE-2762-3 CCE-340
CCE-2176-6 CCE-516
CCE-2198-0 CCE-922
CCE-2185-7 CCE-847
The required permissions for the file %SystemRoot%\System32\regini.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\regsvr32.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Rexec.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\route.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Rsh.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\RSoP.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\runas.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\sc.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\Secedit.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\secpol.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-2458-8 CCE-904
CCE-2872-0 CCE-587
CCE-2753-2 CCE-692
CCE-2788-8 CCE-921
CCE-2797-9 CCE-225
CCE-2691-4 CCE-159
CCE-2731-8 CCE-348
CCE-1937-2 CCE-718
CCE-2857-1 CCE-154
CCE-2738-3 CCE-322
The required permissions for the file %SystemRoot%\System32\services.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\Setup should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\System32\spool\Printers should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\subst.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\systeminfo.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\telnet.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\tftp.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\tlntsvr.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the file %SystemRoot%\System32\wmimgmt.msc should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the directory %SystemRoot%\Tasks should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-2619-5 CCE-279
CCE-2284-8 CCE-59
CCE-2809-2 CCE-90
CCE-1943-0 CCE-477
CCE-2612-0 CCE-394
CCE-2758-1 CCE-826
CCE-2401-8 CCE-618
CCE-2921-5 CCE-19
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography/Calais should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security\XAKey should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDE should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-2392-9 CCE-363
CCE-2771-4 CCE-790
CCE-2793-8 CCE-268
CCE-2207-9 CCE-321
CCE-2625-2 CCE-131
CCE-2736-7 CCE-34
CCE-2630-2 CCE-135
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-2775-5 CCE-558
CCE-2300-2 CCE-837
CCE-2172-5 CCE-9
CCE-1960-4 CCE-934
CCE-2859-7 CCE-53
CCE-2938-9 CCE-269
CCE-2850-6 CCE-960
CCE-2590-8 CCE-613
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\clone should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wmi\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-2484-4 CCE-930
CCE-2524-7 CCE-163
CCE-2907-4 CCE-978
CCE-2911-6 CCE-877
CCE-2555-1 CCE-683
CCE-2202-0 CCE-238
CCE-2352-3 CCE-101
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ersvc\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRENUM\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-2634-4 CCE-788
CCE-1973-7 CCE-823
CCE-2603-9 CCE-246
CCE-2871-2 CCE-902
CCE-2396-0 CCE-193
CCE-1966-1 CCE-110
CCE-2696-3 CCE-661
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netdd\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netddedsdm\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpcss\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scarddrv\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scardsvr\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-2595-7 CCE-330
CCE-2238-4 CCE-594
CCE-2881-1 CCE-35
CCE-2780-5 CCE-290
CCE-2428-1 CCE-202
CCE-2885-2 CCE-603
CCE-2537-9 CCE-748
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers should
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities should
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stisvc\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tapisrv\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32time\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
CCE-2057-8 CCE-907
CCE-2951-2 CCE-127
CCE-2845-6 CCE-483
CCE-2740-9 CCE-730
CCE-1978-6 CCE-898 (1) set of accounts
CCE-2379-6 CCE-532 (1) set of accounts
CCE-2167-5 CCE-162 (1) set of accounts
CCE-2299-6 CCE-931 (1) set of accounts
CCE-2806-8 CCE-376 (1) set of accounts
CCE-2846-4 CCE-799 (1) set of accounts
The required permissions for the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi\Security should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_USERS\.DEFAULT should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\NetDDE should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The required permissions for the registry key HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The "deny access to this computer from the network" user right should be assigned to the correct accounts.
The "access this computer from the network" user right should be assigned to the correct accounts.
The "act as part of the operating system" user right should be assigned to the correct accounts.
The "back up files and directories" user right should be assigned to the correct accounts.
The "bypass traverse checking" user right should be assigned to the correct accounts.
The "change the system time" user right should be assigned to the correct accounts.
CCE-2786-2 CCE-895 (1) set of accounts
CCE-2791-2 CCE-926 (1) set of accounts
CCE-1969-5 CCE-335 (1) set of accounts
CCE-2864-7 CCE-842 (1) set of accounts
CCE-2886-0 CCE-754 (1) set of accounts
CCE-2767-2 CCE-939 (1) set of accounts
CCE-2547-8 CCE-807 (1) set of accounts
CCE-2944-7 CCE-349 (1) set of accounts
CCE-2446-3 CCE-860 (1) set of accounts
CCE-2609-6 CCE-749 (1) set of accounts
CCE-2882-9 CCE-177 (1) set of accounts
CCE-2948-8 CCE-216 (1) set of accounts
The "create a pagefile" user right should be assigned to the correct accounts.
The "Create a token object" user right should be assigned to the correct accounts.
The "create permanent shared objects" user right should be assigned to the correct accounts.
The "debug programs" user right should be assigned to the correct accounts.
The "force shutdown from a remote system" user right should be assigned to the correct accounts.
The "generate security audits" user right should be assigned to the correct accounts.
The "adjust memory quotas for a process" user right should be assigned to the correct accounts.
The "increase scheduling priority" user right should be assigned to the correct accounts.
The "load and unload device drivers" user right should be assigned to the correct accounts.
The "lock pages in memory" user right should be assigned to the correct accounts.
The "log on as a batch job" user right should be assigned to the correct accounts.
The "log on as a service" user right should be assigned to the correct accounts.
CCE-2829-0 CCE-965 (1) set of accounts
CCE-2247-5 CCE-850 (1) set of accounts
CCE-2657-5 CCE-17 (1) set of accounts
CCE-2807-6 CCE-260 (1) set of accounts
CCE-2675-7 CCE-599 (1) set of accounts
CCE-2335-8 CCE-656 (1) set of accounts
CCE-2860-5 CCE-667 (1) set of accounts
CCE-2847-2 CCE-553 (1) set of accounts
CCE-2366-3 CCE-839 (1) set of accounts
CCE-2021-4 CCE-492 (1) set of accounts
CCE-2810-0 CCE-381 (1) set of accounts
The "log on locally" user right should be assigned to the correct accounts.
The "manage auditing and security log" user right should be assigned to the correct accounts.
The "modify firmware environment values" user right should be assigned to the correct accounts.
The "profile single process" user right should be assigned to the correct accounts.
The "profile system performance" user right should be assigned to the correct accounts.
The "remove computer from docking station" user right should be assigned to the correct accounts.
The "replace a process-level token" user right should be assigned to the correct accounts.
The "restore files and directories" user right should be assigned to the correct accounts.
The "shut down the system" user right should be assigned to the correct accounts.
The "take ownership of files or other objects" user right should be assigned to the correct accounts.
The "synchronize directory service data" user right should be assigned to the correct accounts.
CCE-2700-3 CCE-64 (1) set of accounts
CCE-2982-7 CCE-15 (1) set of accounts
CCE-2374-7 CCE-183 (1) set of accounts
CCE-3004-9 CCE-883 (1) set of accounts
CCE-2898-5 CCE-165 (1) set of accounts
CCE-2792-0 CCE-597 (1) set of accounts
CCE-2814-2 CCE-108 (1) set of accounts
CCE-2960-3 CCE-314 (1) set of accounts
CCE-2466-1 CCE-733
CCE-2928-0 CCE-980
CCE-2986-8 CCE-658
CCE-2867-0 CCE-2628 enabled/disabled
The "deny logon locally" user right should be assigned to the correct accounts.
The "enable computer and user accounts to be trusted for delegation" user right should be assigned to the correct accounts.
The "add workstations to domain" user right should be assigned to the correct accounts.
The "allow logon through Terminal Services" user right should be assigned to the correct accounts.
The "deny logon as a batch job" user right should be assigned to the correct accounts.
The "deny logon as a service" user right should be assigned to the correct accounts.
The "deny logon through Terminal Services" user right should be assigned to the correct accounts.
The "perform volume maintenance tasks" user right should be assigned to the correct accounts.
The "reset account lockout counter after" policy should meet minimum requirements.
(1) number of minutes
The "account lockout duration" policy should meet minimum requirements.
(1) number of minutes
The "account lockout threshold" policy should meet minimum requirements.
(1) number of attempts
Auditing of "account logon" events on success should be enabled or disabled as appropriate.
CCE-3008-0 CCE-2543 enabled/disabled
CCE-2902-5 CCE-2000 enabled/disabled
CCE-2906-6 CCE-1646 enabled/disabled
CCE-2933-0 CCE-2118 enabled/disabled
CCE-2206-1 CCE-2390 enabled/disabled
CCE-2100-6 CCE-1686 enabled/disabled
CCE-2343-2 CCE-1744 enabled/disabled
CCE-2259-0 CCE-2640 enabled/disabled
CCE-2766-4 CCE-1991 enabled/disabled
CCE-2971-0 CCE-2412 enabled/disabled
CCE-2759-9 CCE-2347 enabled/disabled
Auditing of "account logon" events on failure should be enabled or disabled as appropriate.
Auditing of "account management" events on success should be enabled or disabled as appropriate.
Auditing of "account management" events on failure should be enabled or disabled as appropriate.
Auditing of "directory service access" events on success should be enabled or disabled as appropriate.
Auditing of "directory service access" events on failure should be enabled or disabled as appropriate.
Auditing of "logon" events on success should be enabled or disabled as appropriate.
Auditing of "logon" events on failure should be enabled or disabled as appropriate.
Auditing of "object access" events on success should be enabled or disabled as appropriate.
Auditing of "object access" events on failure should be enabled or disabled as appropriate.
Auditing of "policy change" events on success should be enabled or disabled as appropriate.
Auditing of "policy change" events on failure should be enabled or disabled as appropriate.
CCE-2913-2 CCE-2431 enabled/disabled
CCE-2918-1 CCE-2584 enabled/disabled
CCE-2816-7 CCE-2529 enabled/disabled
CCE-2939-7 CCE-2617 enabled/disabled
CCE-2878-7 CCE-2420 enabled/disabled
CCE-2843-1 CCE-1680 enabled/disabled
CCE-2116-2 CCE-299 (1) enabled/disabled
CCE-2904-1 CCE-185 (1) size of file
CCE-3014-8 CCE-285 type of retention
CCE-3019-7 CCE-951 (1) number of days
Auditing of "privilege use" events on success should be enabled or disabled as appropriate.
Auditing of "privilege use" events on failure should be enabled or disabled as appropriate.
Auditing of "process tracking" events on success should be enabled or disabled as appropriate.
Auditing of "process tracking" events on failure should be enabled or disabled as appropriate.
Auditing of "system" events on success should be enabled or disabled as appropriate.
Auditing of "system" events on failure should be enabled or disabled as appropriate.
The "restrict guest access to application log" policy should be set correctly.
The application log maximum size should be configured correctly.
The "when maximum log size is reached" property should be set correctly for the Application log.
If the Application log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.
CCE-2794-6 CCE-462 (1) enabled/disabled
CCE-2693-0 CCE-757 (1) size of file
CCE-2336-6 CCE-523 type of retention
CCE-2966-0 CCE-682 (1) number of days
CCE-2345-7 CCE-726 (1) enabled/disabled
CCE-3006-4 CCE-735 (1) size of file
CCE-2777-1 CCE-664 type of retention
CCE-2050-3 CCE-210 (1) number of days
CCE-2920-7 CCE-871 (1) number of days
CCE-2439-8 CCE-324 (1) number of days
The "restrict guest access to security log" policy should be set correctly.
The security log maximum size should be configured correctly.
The "when maximum log size is reached" property should be set correctly for the Security log.
If the Security log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.
The "restrict guest access to system log" policy should be set correctly.
The system log maximum size should be configured correctly.
The "when maximum log size is reached" property should be set correctly for the System log.
If the System log's retention method is set to "Overwrite events by days," an appropriate value should be set for the number of days' logs to keep.
The "maximum password age" policy should meet minimum requirements.
The "minimum password age" policy should meet minimum requirements.
CCE-2981-9 CCE-100 (1) number of days
CCE-2735-9 CCE-633 (1) enabled/disabled
CCE-2994-2 CCE-60
CCE-2889-4 CCE-479 (1) enabled/disabled
CCE-3034-6 CCE-487
CCE-2937-1 CCE-496
CCE-2818-3 CCE-148
CCE-2713-6 CCE-954
CCE-2880-3 CCE-294
CCE-2950-4 CCE-800
The "minimum password length" policy should meet minimum requirements.
The "password must meet complexity requirements" policy should be set correctly.
The "enforce password history" policy should meet minimum requirements.
(1) number of passwords remembered
The "store password using reversible encryption for all users in the domain" policy should be set correctly.
The startup type of the Alerter service should be correct.
(1) disabled/manual/automatic
The startup type of the Automatic Update service should be correct.
(1) disabled/manual/automatic
The startup type of the Background Intelligent Transfer Service (BITS) service should be correct.
(1) disabled/manual/automatic
The startup type of the ClipBook service should be correct.
(1) disabled/manual/automatic
The startup type of the Computer Browser service should be correct.
(1) disabled/manual/automatic
The startup type of the Fast User Switching service should be correct.
(1) disabled/manual/automatic
CCE-2849-8 CCE-78
CCE-2888-6 CCE-712
CCE-3016-3 CCE-311
CCE-2910-8 CCE-738
CCE-2915-7 CCE-729
CCE-2053-7 CCE-650
CCE-2071-9 CCE-408
CCE-2896-9 CCE-232
CCE-2280-6 CCE-857
CCE-2940-5 CCE-267
CCE-2255-8 CCE-663
The startup type of the Fax service should be correct.
(1) disabled/manual/automatic
The startup type of the FTP Publishing service should be correct.
(1) disabled/manual/automatic
The startup type of the IIS Admin service should be correct.
(1) disabled/manual/automatic
The startup type of the Indexing service should be correct.
(1) disabled/manual/automatic
The startup type of the Messenger service should be correct.
(1) disabled/manual/automatic
The startup type of the .NET Framework service should be correct.
(1) disabled/manual/automatic
The startup type of the Net Logon service should be correct.
(1) disabled/manual/automatic
The startup type of the NetMeeting Remote Desktop Sharing service should be correct.
(1) disabled/manual/automatic
The startup type of the Print Services for Unix service should be correct.
(1) disabled/manual/automatic
The startup type of the Remote Access Auto connection Manager service should be correct.
(1) disabled/manual/automatic
The startup type of the Remote Desktop Help Session Manager service should be correct.
(1) disabled/manual/automatic
CCE-3026-2 CCE-672
CCE-3030-4 CCE-73
CCE-3035-3 CCE-223
CCE-2427-3 CCE-522
CCE-2449-7 CCE-531
CCE-2233-5 CCE-870
CCE-2779-7 CCE-975
CCE-2520-5 CCE-892
CCE-2661-7 CCE-940
CCE-2934-8 CCE-40
The startup type of the Internet Connection Sharing service should be correct.
(1) disabled/manual/automatic
The startup type of the Remote Registry service should be correct.
(1) disabled/manual/automatic
The startup type of the Routing and Remote Access service should be correct.
(1) disabled/manual/automatic
The startup type of the Remote Shell service should be correct.
(1) disabled/manual/automatic
The startup type of the Simple TCP/IP service should be correct.
(1) disabled/manual/automatic
The startup type of the Simple Mail Transport Protocol (SMTP) service should be correct.
(1) disabled/manual/automatic
The startup type of the SNMP Service service should be correct.
(1) disabled/manual/automatic
The startup type of the SNMP Trap Service service should be correct.
(1) disabled/manual/automatic
The startup type of the SSDP Discovery service should be correct.
(1) disabled/manual/automatic
The startup type of the Task Scheduler service should be correct.
(1) disabled/manual/automatic
CCE-2326-7 CCE-75
CCE-3043-7 CCE-974
CCE-3048-6 CCE-608
CCE-2942-1 CCE-758
CCE-2076-8 CCE-669
CCE-2626-0 CCE-889
CCE-3022-1 CCE-61
CCE-2815-9 CCE-476
CCE-2568-4 CCE-643
CCE-3071-8 CCE-87
The startup type of the Telnet service should be correct.
(1) disabled/manual/automatic
The startup type of the Terminal Services service should be correct.
(1) disabled/manual/automatic
The startup type of the Universal Plug and Play Device Host (UPnP) service should be correct.
(1) disabled/manual/automatic
The startup type of the World Wide Web Publishing service should be correct.
(1) disabled/manual/automatic
The correct service permissions for the Alerter service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Automatic Updates service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Background Intelligent Transfer service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the ClipBook service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Computer Browser service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Fax service should be assigned.
(1) set of accounts (2) list of permissions
CCE-2969-4 CCE-968
CCE-3057-7 CCE-4
CCE-2563-5 CCE-792
CCE-2836-5 CCE-444
CCE-2480-2 CCE-79
CCE-2502-3 CCE-497
CCE-2119-6 CCE-21
CCE-2976-9 CCE-109
CCE-2990-0 CCE-915
CCE-3021-3 CCE-219
The correct service permissions for the File Shares service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the FTP Publishing service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the IIS Admin service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Indexing service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Messenger service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Net Logon service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the NetMeeting service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Printer service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Remote Desktop Help Session Manager service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Remote Registry service should be assigned.
(1) set of accounts (2) list of permissions
CCE-2141-0 CCE-779
CCE-2773-0 CCE-426
CCE-2941-3 CCE-56
CCE-2945-4 CCE-521
CCE-3077-5 CCE-407
CCE-3108-8 CCE-944
CCE-3130-2 CCE-605
CCE-3029-6 CCE-869
CCE-3051-0 CCE-143
The correct service permissions for the Routing and Remote Access service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the SMTP service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the SNMP service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the SNMP Trap service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Task Scheduler service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Telnet service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Terminal Services service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the Universal Plug and Play service should be assigned.
(1) set of accounts (2) list of permissions
The correct service permissions for the WWW Publishing service should be assigned.
(1) set of accounts (2) list of permissions
CCE-2804-3 CCE-195
CCE-2147-7 CCE-318
CCE-2973-6 CCE-953 (1) enabled/disabled
CCE-3119-5 CCE-983
CCE-2890-2 CCE-142
CCE-2643-5 CCE-653
CCE-3040-3 CCE-332 (1) enabled/disabled
CCE-2943-9 CCE-499 (1) enabled/disabled
CCE-2573-4 CCE-23 (1) text caption
CCE-2472-9 CCE-829 (1) text statement
CCE-3137-7 CCE-512 (1) allowed/removed
The behavior surrounding Anonymous users' ability to display lists of SAM accounts and shares should be correct.
(1) restricted/unrestricted
The behavior surrounding Anonymous users' ability to display lists of SAM accounts should be correct.
(1) restricted/unrestricted
The behavior surrounding Anonymous SID/Name translation should be correct.
The "Anonymous access to the application event log" policy should be set correctly.
(1) exist/not exist (2) enabled/disabled
The "Anonymous access to the system event log" policy should be set correctly.
(1) exist/not exist (2) enabled/disabled
The "Anonymous access to the security event log" policy should be set correctly.
(1) exist/not exist (2) enabled/disabled
Use of the built-in Guest account should be enabled or disabled as appropriate.
Use of the built-in Administrator account should be enabled or disabled as appropriate.
The "Message title for users attempting to log on" policy should be set correctly.
The "Message text for users attempting to log on" policy should be set correctly.
Administrative Shares should be properly configured.
CCE-3031-2 CCE-243 (1) enabled/disabled
CCE-2776-3 CCE-283 (1) enabled/disabled
CCE-2419-0 CCE-137 (1) enabled/disabled
CCE-2710-2 CCE-44 (1) enabled/disabled
CCE-2154-3 CCE-36 (1) enabled/disabled
CCE-2423-2 CCE-820 (1) enabled/disabled
CCE-2925-6 CCE-344 (1) enabled/disabled
CCE-3070-0 CCE-282 (1) enabled/ignored
CCE-2824-1 CCE-150 (1) enabled/ignored
Automatic Execution of the System Debugger should be properly configured.
Automatic Logon should be properly configured.
Automatic Reboot After System Crash should be properly configured.
Autoplay on all Drive Types should be properly configured.
Autoplay for Current User should be properly configured.
Autoplay for Default User should be properly configured.
CD-ROM Autorun should be properly configured.
Computer Browser ResetBrowser Frames should be properly configured.
ICMP Redirects should be properly configured.
CCE-3132-8 CCE-564 (1) enabled/disabled
CCE-2652-6 CCE-952 (1) enabled/disabled
CCE-3044-5 CCE-501 (1) enabled/disabled
CCE-3066-8 CCE-536 (1) enabled/disabled
CCE-2930-6 CCE-65 (1) enabled/disabled
CCE-2952-0 CCE-139 (1) available/hidden
CCE-2718-5 CCE-897 (1) enabled/disabled
CCE-2559-3 CCE-188
CCE-2453-9 CCE-333
IP Source Routing should be properly configured.
IRDP should be properly configured.
Kerberos and RSVP Traffic Protected by IPSec should be properly configured.
Dr. Watson Crash Dumps should be properly configured.
Display Last User Name in Logon Screen should be properly configured.
System availability to Master Browser should be properly configured.
TCP/IP Dead Gateway Detection should be properly configured.
The TCP/IP KeepAlive Time should be set correctly.
(1) number of milliseconds
The permitted number of TCP/IP Maximum Half-open Sockets should be set correctly.
(1) number of sockets
CCE-3114-6 CCE-751
CCE-3118-7 CCE-817 (1) enabled/disabled
CCE-3017-1 CCE-998 (1) enabled/disabled
CCE-2916-5 CCE-284 (1) enabled/disabled
CCE-3061-9 CCE-125 (1) warning level
CCE-2444-8 CCE-156 (1) enabled/disabled
CCE-2841-5 CCE-271 (1) enabled/disabled
CCE-3092-4 CCE-707 (1) enabled/disabled
The permitted number of TCP/IP Maximum Retried Half-open Sockets should be set correctly.
(1) number of sockets
TCP/IP NetBIOS Name Release on Request Prevented should be properly configured.
TCP/IP PMTU Discovery should be properly configured.
TCP/IP SYN Flood Attack Protection should be properly configured.
Security Audit log warning level should be properly configured.
Disable saving of dial-up passwords should be properly configured.
Safe DLL Search Mode should be properly configured.
Always Wait for the Network at Computer Startup and Logon should be properly configured.
CCE-3013-0 CCE-213 (1) enabled/disabled
CCE-3100-5 CCE-231 (1) logon type
CCE-2893-6 CCE-50 (1) enabled/disabled
CCE-2774-8 CCE-81 (1) enabled/disabled
CCE-2173-3 CCE-896 (1) enabled/disabled
CCE-3087-4 CCE-574 (1) enabled/disabled
CCE-2968-6 CCE-257 (1) enabled/disabled
CCE-3135-1 CCE-438 (1) valid names
CCE-3025-4 CCE-834 (1) valid names
CCE-3157-5 CCE-222
CCE-3162-5 CCE-2 (1) enabled/disabled
Delete Roaming Cached Profiles should be properly configured.
Use Classic Logon should be properly configured.
Background Refresh of Group Policy should be properly configured.
Show Shared Internet Connection Access UI should be properly configured.
Installation and Configuration of Network Bridge on the DNS Domain Network should be properly configured.
Disallow Installation of Printers Using Kernel-mode Drivers should be properly configured.
The "Allow Server Operators to Schedule Tasks" policy should be set correctly.
The built-in Administrator account should be correctly named.
The built-in Guest account should be correctly named.
The amount of idle time required before disconnecting a session should be set correctly.
(1) number of minutes
The "Audit the access of global system objects" policy should be set correctly.
CCE-2955-3 CCE-905 (1) enabled/disabled
CCE-2891-0 CCE-133 (1) enabled/disabled
CCE-2926-4 CCE-719
CCE-2789-6 CCE-402 (1) enabled/disabled
CCE-2935-5 CCE-410 (1) enabled/disabled
CCE-2957-9 CCE-76 (1) enabled/disabled
CCE-2974-4 CCE-565 (1) enabled/disabled
CCE-2873-8 CCE-463 (1) enabled/disabled
CCE-3005-6 CCE-508 (1) enabled/disabled
The "Audit the use of backup and restore privilege" policy should be set correctly.
The "Disable CTRL+ALT+Delete Requirement for Logon" policy should be set correctly.
The "LAN Manager Authentication Level" policy should be set correctly.
(1) authentication level
The "Prevent Users from Installing Printer Drivers" policy should be set correctly.
The "Recovery Console: Allow Automatic Administrative Logon" policy should be set correctly.
The "Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders" policy should be set correctly.
The "Restrict CD-ROM Access to Locally Logged-On User Only" policy should be set correctly.
The "Restrict Floppy Access to Locally Logged-On User Only" policy should be set correctly.
The "Strengthen Default Permissions of Global System Objects" policy should be set correctly.
CCE-3151-8 CCE-417 (1) enabled/disabled
CCE-3049-4 CCE-228 (1) enabled/disabled
CCE-3085-8 CCE-413 (1) behavior
CCE-2701-1 CCE-814
CCE-2851-4 CCE-92 (1) enabled/disabled
CCE-2983-5 CCE-224 (1) enabled/disabled
CCE-3128-6 CCE-422 (1) enabled/disabled
CCE-3027-0 CCE-576 (1) enabled/disabled
CCE-2802-7 CCE-519 (1) enabled/disabled
CCE-3053-6 CCE-171 (1) enabled/disabled
The "Secure Channel: Require Strong (Windows 2000 or later) Session Key" policy should be set correctly.
The "Send Unencrypted Password to Connect to Third-Party SMB Servers" policy should be set correctly.
The "Unsigned Driver Installation Behavior" policy should be set correctly.
The "Users Prompted to Change Password Before Expiration" policy should be set correctly.
(1) number of days prior to expiration
The "Shut Down system immediately if unable to log security audits" policy should be set correctly.
The "Allow System to be Shut Down Without Having to Log On" policy should be set correctly.
The "Clear Virtual Memory Pagefile at shutdown" policy should be set correctly.
The "Digitally Sign Client Communication (Always)" policy should be set correctly.
The "Digitally Sign Client Communication (When Possible)" policy should be set correctly.
The "Digitally Sign Server Communication (Always)" policy should be set correctly.
CCE-2688-0 CCE-104 (1) enabled/disabled
CCE-3106-2 CCE-773
CCE-3111-2 CCE-919 (1) Group(s)
CCE-3097-3 CCE-549 (1) enabled/disabled
CCE-2996-7 CCE-161 (1) enabled/disabled
CCE-3000-7 CCE-918 (1) enabled/disabled
CCE-3133-6 CCE-443 (1) behavior
CCE-2313-5 CCE-831 (1) enabled/disabled
CCE-3084-1 CCE-55 (1) enabled/disabled
The "Digitally Sign Server Communication (When Possible)" policy should be set correctly.
The "Number of Previous Logons to Cache" policy should be set correctly.
(1) number of logons
The "Allowed to Format and Eject Removable NTFS Media" policy should be set correctly.
The "Secure Channel: Digitally Encrypt or Sign Secure Channel Data (Always)" policy should be set correctly.
The "Secure Channel: Digitally Encrypt Secure Channel Data (When Possible)" policy should be set correctly.
The "Secure Channel: Digitally Sign Secure Channel Data (When Possible)" policy should be set correctly.
The "Smart Card Removal Behavior" policy should be set correctly.
The "Prevent System Maintenance of Computer Account Password" policy should be set correctly.
The "Use FIPS compliant algorithms for encryption, hashing, and signing" policy should be set correctly.
CCE-2842-3 CCE-575 (1) enabled/disabled
CCE-2987-6 CCE-300 (1) enabled/disabled
CCE-2344-0 CCE-533 (1) enabled/disabled
CCE-3009-8 CCE-186 (1) enabled/disabled
CCE-2551-0 CCE-710 (1) enabled/disabled
CCE-2991-8 CCE-732 (1) enabled/disabled
CCE-3123-7 CCE-490 (1) enabled/disabled
CCE-3018-9 CCE-194 (1) enabled/disabled
CCE-3172-4 CCE-374 (1) enabled/disabled
CCE-2692-2 CCE-278 (1) enabled/disabled
The "Default owner for objects created by members of the Administrators group" policy should be set correctly.
The "Require Case Insensitivity for Non-Windows Subsystems" policy should be set correctly.
The "Limit local account use of blank passwords to console logon only" policy should be set correctly.
The "Allow undock without having to logon" policy should be set correctly.
The "LDAP server signing requirements" policy should be set correctly.
The "LDAP client signing requirements" policy should be set correctly.
The "Refuse machine account password change" policy should be set correctly.
The "Maximum machine account password age" policy should be set correctly.
The "Require Domain Controller authentication to unlock workstation" policy should be set correctly.
The "Disconnect clients when logon hours expire" policy should be set correctly.
CCE-3088-2 CCE-542 (1) enabled/disabled
CCE-3110-4 CCE-18 (1) enabled/disabled
CCE-3150-0 CCE-136 (1) enabled/disabled
CCE-3155-9 CCE-189 (1) set of paths
CCE-3036-1 CCE-942 (1) set of shares
CCE-3058-5 CCE-343
CCE-2993-4 CCE-233 (1) enabled/disabled
CCE-3139-3 CCE-775 (1) enabled/disabled
The "Do not allow storage of credentials or .NET Passports" policy should be set correctly.
The "Let Everyone permissions apply to anonymous users" policy should be set correctly.
The "Named Pipes that can be accessed anonymously" policy should be set correctly.
The "Remotely accessible registry paths" policy should be set correctly.
The "Shares that can be accessed anonymously" policy should be set correctly.
The "Sharing and security model for local accounts" policy should be set correctly.
(1) Classic/Guest only
The "Do not store LAN Manager hash value on next password change" policy should be set correctly.
The "Force logoff when logon hours expire" policy should be set correctly.
CCE-3156-7 CCE-674 (1) enabled/disabled
CCE-2799-5 CCE-766 (1) enabled/disabled
CCE-2795-3 CCE-621
CCE-2980-1 CCE-830 (1) time in seconds
CCE-3099-9 CCE-623 (1) enabled/disabled
CCE-2764-9 CCE-517 (1) time in seconds
CCE-3161-7 CCE-433 (1) enabled/disabled
CCE-2901-7 CCE-103 (1) enabled/disabled
CCE-3170-8 CCE-54 (1) enabled/disabled
The "Minimum session security for NTLM SSP based clients" policy should be set correctly.
The "Minimum session security for NTLM SSP based servers" policy should be set correctly.
Local volumes should be formatted correctly.
(1) type of formatting
The "Current user screensaver timeout" policy should be set correctly.
The "Default user screensaver" policy should be set correctly.
The "Default user screensaver timeout" policy should be set correctly.
The "Default user screensaver secure" policy should be set correctly.
The "Default user screensaver active" policy should be set correctly.
The "Current user screensaver" policy should be set correctly.
CCE-3064-3 CCE-221 (1) time in seconds
CCE-2526-2 CCE-235 (1) enabled/disabled
CCE-2174-1 CCE-287 (1) enabled/disabled
CCE-2552-8 CCE-736 (1) enabled/disabled
CCE-2830-8 CCE-261 (1) enabled/disabled
CCE-3094-0 CCE-415 (1) enabled/disabled
CCE-3011-4 CCE-107 (1) enabled/disabled
CCE-3020-5 CCE-256 (1) enabled/disabled
CCE-2293-9 CCE-662 (1) enabled/disabled
CCE-3068-4 CCE-424 (1) enabled/disabled
CCE-2826-6 CCE-455 (1) enabled/disabled
The "Current user screensaver timeout" policy should be set correctly.
The "Current user screensaver secure" policy should be set correctly.
The "Current user screensaver active" policy should be set correctly.
The "Always Install with Elevated Privileges" policy should be set correctly.
The "Set Safe for Scripting" policy should be set correctly.
The "Enable User Control Over Installs" policy should be set correctly.
The "Enable User to Use Media Source While Elevated" policy should be set correctly.
The "Allow Administrator to Install from Terminal Services Session" policy should be set correctly.
The "Enable User to Patch Elevated Products" policy should be set correctly.
The "Cache Transforms in Secure Location" policy should be set correctly.
The "Disable Media Player for automatic updates" policy should be set correctly.
CCE-3117-9 CCE-124 (1) enabled/disabled
CCE-2684-9 CCE-802 (1) enabled/disabled
CCE-2455-4 CCE-309 (1) enabled/disabled
CCE-2711-0 CCE-578 (1) enabled/disabled
CCE-2354-9 CCE-507 (1) enabled/disabled
CCE-3129-4 CCE-80
CCE-3028-8 CCE-401 (1) enabled/disabled
CCE-2407-5 CCE-824 (1) enabled/disabled
CCE-2808-4 CCE-190 (1) enabled/disabled
CCE-2949-6 CCE-855 (1) enabled/disabled
The "Prevent Codec Download" policy should be set correctly for Windows Media Player.
The "Do Not Allow Windows Messenger to be Run" policy should be set correctly.
The "Do Not Automatically Start Windows Messenger" policy should be set correctly.
The "Prohibit New Task Creation" policy should be set correctly for the Task Scheduler.
The "Limit Users to One Remote Session" policy should be set correctly for Terminal Services.
The "Limit Number of Connections" policy should be set correctly for Terminal Services.
(1) Maximum number of connections allowed
The "Do Not Allow New Client Connections" policy should be set correctly for Terminal Services.
The "Do Not Allow Local Administrators to Customize Permissions" policy should be set correctly for Terminal Services.
The "Remote Control Settings" policy should be set correctly for Terminal Services.
The "Always Prompt Client for Password upon Connection" policy should be set correctly for Terminal Services.
CCE-3116-1 CCE-397 (1) encryption level
CCE-2997-5 CCE-670 (1) enabled/disabled
CCE-2892-8 CCE-961 (1) enabled/disabled
CCE-2961-1 CCE-920
CCE-3124-5 CCE-123
CCE-2210-3 CCE-524 (1) enabled/disabled
CCE-2959-5 CCE-568 (1) enabled/disabled
CCE-3109-6 CCE-705 (1) enabled/disabled
CCE-3007-2 CCE-859 (1) enabled/disabled
CCE-3012-2 CCE-434 (1) enabled/disabled
The "Set Client connection Encryption Level" policy should be set correctly for Terminal Services.
The "Do not Use Temp folders per Session" policy should be set correctly for Terminal Services.
The "Do not Delete Temp folder on exit" policy should be set correctly for Terminal Services.
The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services.
(1) Time Limit (minutes)
The "Set time limit for idle sessions" policy should be set correctly for Terminal Services.
(1) Time limit (minutes)
The "Allow Reconnection from Original Client Only" policy should be set correctly for Terminal Services.
The "Terminate session when time limits are reached" policy should be set correctly for Terminal Services.
The "Enable Keep-Alive Messages" policy should be set correctly for Terminal Services.
The "Allow Solicited Remote Assistance" policy should be set correctly for Terminal Services.
The "Allow Unsolicited Remote Assistance" policy should be set correctly for Terminal Services.
CCE-3038-7 CCE-592 (1) enabled/disabled
CCE-3188-0 CCE-227 (1) enabled/disabled
CCE-2708-6 CCE-6
CCE-2803-5 CCE-37 (1) number of hours
CCE-3063-5 CCE-33 (1) number of days
CCE-3208-6 CCE-588
CCE-3107-0 CCE-383 (1) set of accounts
CCE-2737-5 CCE-304 (1) set of accounts
CCE-3010-6 CCE-458
CCE-2662-5 CCE-740
CCE-2917-3 CCE-22
CCE-3186-4 CCE-828 enabled/disabled
The "Enable Error Reporting" policy should be set correctly.
The "Enforce user logon restrictions" policy should be set correctly.
The "Maximum Service Ticket Lifetime" policy should be set correctly.
(1) number of minutes
The "Maximum User Ticket Lifetime" policy should be set correctly.
The "Maximum User Renewal Lifetime" policy should be set correctly.
The "Maximum tolerance for computer clock synchronization" policy should be set correctly.
(1) number of minutes
The "Create global objects" user right should be assigned to the correct accounts.
The "Impersonate a client after authentication" user right should be assigned to the correct accounts.
The "DCOM: Machine access Restrictions in Security Descriptor Definition Language (SDDL) syntax" setting should be configured correctly.
The "DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax" security option should be set correctly.
The "Display user information when the session is locked" setting should be configured correctly.
The "Interactive logon: Require smart card" setting should be configured correctly.
CCE-2834-0 CCE-638
CCE-2992-6 CCE-647
CCE-2705-2 CCE-48
CCE-2723-5 CCE-572
CCE-2213-7 CCE-577
CCE-2239-2 CCE-872
CCE-2690-6 CCE-506 (1) list of accounts
CCE-2862-1 CCE-990 (1) list of accounts
CCE-3136-9 CCE-250 (1) list of accounts
The "Network access: Restrict anonymous access to named pipes and shares" setting should be configured correctly.
The "System cryptography: Force strong key protection for user keys stored on the computer" setting should be configured correctly.
The "System settings: optional subsystems" setting should be configured correctly.
The "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies" setting should be configured correctly.
MSS: (TCPMaxConnectResponseRetransmission) SYN-ACK retransmissions when a connection request is not acknowledged
(1) number of seconds
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted
(1) number of seconds
Membership in the Backup Operators group should be assigned to the appropriate accounts.
Membership in the Power Users group should be assigned to the appropriate accounts.
Membership in the Remote Desktop Users group should be assigned to the appropriate accounts.
CCE-3171-6 CCE-43
CCE-3047-8 CCE-167
CCE-3113-8 CCE-585
CCE-2756-5 CCE-484
CCE-3153-4 CCE-651
CCE-3184-9 CCE-303
CCE-2985-0 CCE-436
CCE-3236-7 CCE-774
CCE-3140-1 CCE-435
CCE-2301-0 CCE-950
CCE-3003-1 CCE-118
CCE-2716-9 CCE-624
CCE-3223-5 CCE-453
The Application Layer Gateway Service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Application Management service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Cryptographic Services service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The DHCP Client service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Distributed Link Tracking Client service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Distributed Transaction Coordinator service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The DNS Client service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Error Reporting Service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Event Log service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Help and Support service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Human Interface Device Access service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The IMAPI CD-Burning COM Service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Infrared Monitor service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
CCE-3245-8 CCE-72
CCE-3294-6 CCE-988
CCE-3073-4 CCE-891
CCE-3065-0 CCE-900
CCE-2840-7 CCE-671
CCE-3131-0 CCE-217
CCE-3122-9 CCE-768
CCE-3267-2 CCE-825
CCE-3056-9 CCE-472
CCE-3144-3 CCE-265
CCE-3289-6 CCE-759
CCE-3205-2 CCE-697
The IPSEC Services service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Logical Disk Manager service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Logical Disk Manager Administrative Service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The MS Software Shadow Copy Provider service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Network Connections service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Network Dynamic Data Exchange (DDE) service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Network DDE DDE Share Database Manager (DSDM) service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Network Location Awareness (NLA) service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The NT LM Security Support Provider service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Performance Logs and Alerts service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Portable Media Serial Number Service service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Protected Storage service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
CCE-3206-0 CCE-706
CCE-3104-7 CCE-750
CCE-3126-0 CCE-993
CCE-3148-4 CCE-164
CCE-2567-6 CCE-741
CCE-2823-3 CCE-172
CCE-3074-2 CCE-679
CCE-3219-3 CCE-102
CCE-3241-7 CCE-98
CCE-2831-6 CCE-1001
CCE-2835-7 CCE-772
CCE-2321-8 CCE-450
CCE-3274-8 CCE-665
The QoS RSVP service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Remote Access Connection Manager service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Remote Procedure Call (RPC) service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Remote Procedure Call (RPC) Locator service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Removable Storage service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Secondary Logon service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Security Accounts Manager service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Server service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Smart Card service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Smart Card Helper service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The System Event Notification service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The System Restore Service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The TCP/IP NetBIOS Helper service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
CCE-2811-8 CCE-428
CCE-3195-5 CCE-956
CCE-3221-9 CCE-366
CCE-2988-4 CCE-652
CCE-3146-8 CCE-538
CCE-3291-2 CCE-305
CCE-3256-5 CCE-851
CCE-2639-3 CCE-234
CCE-3159-1 CCE-890
CCE-3163-3 CCE-912
CCE-3203-7 CCE-815
CCE-2599-9 CCE-560
The Telephony service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Themes service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Uninterruptible Power Supply service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Upload Manager service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Volume Shadow Copy service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The WebClient service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Windows Audio service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Windows Image Acquisition (WIA) service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Windows Installer service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Windows Management Instrumentation service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Windows Management Instrumentation Driver Extensions service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Windows Time service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
CCE-2494-3 CCE-604
CCE-3265-6 CCE-745
CCE-2397-8 CCE-296
CCE-2683-1 CCE-511 (1) reg_dword
CCE-2956-1 CCE-145 (1) enabled/disabled
CCE-3273-0 CCE-423 (1) enabled/disabled
CCE-3154-2 CCE-806 (1) enabled/disabled
CCE-3194-8 CCE-969 (1) enabled/disabled
CCE-2828-2 CCE-502 (1) enabled/disabled
CCE-2476-0 CCE-771
CCE-3247-4 CCE-555 (1) enabled/disabled
CCE-3141-9 CCE-277 (1) enabled/disabled
CCE-3304-3 CCE-832
The Wireless Zero Configuration service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The WMI Performance Adapter service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
The Workstation service should be enabled or disabled as appropriate.
(1) disabled/manual/automatic
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames.
RPC Endpoint Mapper Client Authentication (SP2 only)
Restrictions for Unauthenticated RPC clients (SP2 only)
Domain Profile: Protect all network connections (SP2 only)
Domain Profile: Do not allow exceptions (SP2 only)
Domain Profile: Allow local program exceptions
Domain Profile: Allow remote administration
(1) enabled/disabled (2) subnets for internal support only
Domain Profile: Allow file and printer sharing exception (SP2 only)
Domain Profile: Allow ICMP exceptions (SP2 only)
Domain Profile: Allow Remote Desktop exception (SP2 only)
(1) enabled/disabled (2) subnets for internal support only
CCE-3176-5 CCE-590 (1) enabled/disabled
CCE-3198-9 CCE-762 (1) enabled/disabled
CCE-2965-2 CCE-251 (1) enabled/disabled
CCE-2923-1 CCE-793 (1) File path
CCE-2958-7 CCE-57 (1) Size limit (KB)
CCE-3090-8 CCE-617 (1) enabled/disabled
CCE-2972-8 CCE-696 (1) enabled/disabled
CCE-2866-2 CCE-114 (1) enabled/disabled
Domain Profile: Allow UPnP framework exception (SP2 only)
The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Domain Profile.
The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Domain Profile.
The log file path and name for the Windows Firewall should be configured correctly for the Domain Profile.
The log file size limit for the Windows Firewall should be configured correctly for the Domain Profile.
The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Domain Profile.
Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Domain Profile.
Domain Profile: Define port exceptions (SP2 only)
CCE-3258-1 CCE-370 (1) enabled/disabled
CCE-3284-7 CCE-273 (1) enabled/disabled
CCE-3179-9 CCE-440 (1) enabled/disabled
CCE-3183-1 CCE-352 (1) enabled/disabled
CCE-2954-6 CCE-467 (1) enabled/disabled
CCE-3262-3 CCE-626 (1) enabled/disabled
CCE-3081-7 CCE-797
CCE-3213-6 CCE-354 (1) enabled/disabled
CCE-3235-9 CCE-266 (1) enabled/disabled
CCE-3134-4 CCE-901 (1) enabled/disabled
CCE-3280-5 CCE-945 (1) enabled/disabled
CCE-3174-0 CCE-609 (1) file path
Domain Profile: Allow local port exceptions (SP2 only)
Standard Profile: Protect all network connections (SP2 only)
Standard Profile: Do not allow exceptions (SP2 only)
Standard Profile: Allow local program exceptions (SP2 only)
Standard Profile: Allow remote administration exception (SP2 only)
Standard Profile: Allow file and printer sharing exception (SP2 only)
Standard Profile: Allow ICMP exceptions (SP2 only)
(1) enabled/ Allow outbound source quench, Allow inbound echo request, Allow outbound packet too big
Standard Profile: Allow Remote Desktop exception (SP2 only)
Standard Profile: Allow UPnP framework exception (SP2 only)
The "Windows Firewall: Prohibit notifications" setting should be configured correctly for the Standard Profile.
The "Log Dropped Packets" option for the Windows Firewall should be configured correctly for the Standard Profile.
The log file path and name for the Windows Firewall should be configured correctly for the Standard Profile.
CCE-3055-1 CCE-160 (1) Size limit (KB)
CCE-2707-8 CCE-962 (1) enabled/disabled
CCE-3103-9 CCE-632 (1) enabled/disabled
CCE-3231-8 CCE-196 (1) enabled/disabled
CCE-2989-2 CCE-77 (1) enabled/disabled
CCE-3037-9 CCE-530 (1) enabled/disabled
CCE-2856-3 CCE-301
CCE-4952-8 CCE-1225
CCE-5194-6 CCE-86 enabled/disabled
CCE-5022-9 CCE-241 enabled/disabled
CCE-5136-7 CCE-259 enabled/disabled
The log file size limit for the Windows Firewall should be configured correctly for the Standard Profile.
The "Log Successful Connections" option for the Windows Firewall should be configured correctly for the Standard Profile.
Unicast response to multicast or broadcast requests should be enabled or disabled as appropriate for the Standard Profile.
Standard Profile: Define port exceptions (SP2 only)
Standard Profile: Allow local port exceptions (SP2 only)
The startup type of the Internet Connection Firewall service should be correct.
Restricted Groups have been set on the system
(1) Group enumeration
The required permissions for the file %SystemRoot%\System32\mshta.exe should be assigned.
(1) set of accounts (2) list of permissions (3) applicability
The startup type of Microsoft Peer-to-Peer Networking Services should be configured correctly.
The "Prohibit use of Internet Connection Firewall on your DNS domain network" setting should be configured correctly.
The "Display Error Notification" setting should be configured correctly.
CCE-4665-6 CCE-365 enabled/disabled
CCE-5053-4 CCE-584
CCE-5054-2 CCE-858 enabled/disabled
CCE-5200-1 CCE-887
CCE-4953-6 CCE-263 enabled/disabled
CCE-4707-6 CCE-1055 enabled/disabled
CCE-5099-7 CCE-691
CCE-5121-9 CCE-1064 enabled/disabled
CCE-4513-8 CCE-852 Turn off printing over HTTP
CCE-4641-7 CCE-88 enabled/disabled
The "Internet Explorer Maintenance Policy Processing - Allow processing across a slow network connection" setting should be configured correctly.
Group Policy - Registry policy processing
The "Turn Off Automatic Root Certificates Update" setting should be configured correctly.
Turn off downloading of print drivers over HTTP
The "Turn Off Event Viewer 'Events.asp' Links" setting should be configured correctly.
The "Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com" setting should be configured correctly.
Turn off Internet download for Web publishing and online ordering wizards
The "Turn Off Internet File Association Service" setting should be configured correctly.
The "Turn Off Registration if URL Connection is Referring to Microsoft.com" setting should be configured correctly.
CCE-5055-9 CCE-818
CCE-5072-4 CCE-375 enabled/disabled
CCE-4887-6 CCE-1009 enabled/disabled
CCE-4224-2 CCE-722
CCE-4242-4 CCE-1040 enabled/disabled
CCE-4732-4 CCE-1062 enabled/disabled
CCE-4997-3 CCE-93 enabled/disabled
CCE-5014-6 CCE-927
CCE-5032-8 CCE-583
CCE-5160-7 CCE-1020 enabled/disabled
CCE-4262-2 CCE-474 enabled/disabled
Turn off Search Companion content file updates
The "Turn Off the 'Order Prints' Picture Task" setting should be configured correctly.
The "Turn off the 'Publish to Web' task for files and folders" setting should be configured correctly.
Turn off the Windows Messenger Customer Experience Improvement Program
The "Turn Off Windows Movie Maker Automatic Codec Downloads" setting should be configured correctly.
The "Turn Off Windows Movie Maker Online Web Links" setting should be configured correctly.
The "Turn Off Windows Movie Maker Saving to Online Video Hosting Provider" setting should be configured correctly.
Turn off Windows Update device driver searching
Logon - Do not process the run once list
The "Don't Display the Getting Started Welcome Screen at Logon" setting should be configured correctly.
The "Prevent IIS Installation" setting should be configured correctly.
CCE-4581-5 CCE-767 enabled/disabled
CCE-4849-6 CCE-976
CCE-4270-5 CCE-480 enabled/disabled
CCE-5025-2 CCE-612 enabled/disabled
CCE-4791-0 CCE-1140 enabled/disabled
CCE-4482-6 CCE-313 enabled/disabled
CCE-4500-5 CCE-949 (1) enabled/disabled
CCE-4390-1 CCE-509
CCE-4412-3 CCE-12
CCE-5042-7 CCE-58
CCE-5059-1 CCE-372
The "Turn off downloading of enclosures" setting should be configured correctly.
The "Do not allow passwords to be saved" setting should be configured correctly for Terminal Services.
The "Turn off shell protocol protected mode" setting should be configured correctly.
The "Prohibit non-administrators from applying vendor signed updates" setting should be configured correctly.
The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly.
The "Prevent Desktop Shortcut Creation" setting for Windows Media Player should be configured correctly.
The "Current user screensaver secure" policy should be set correctly.
Prompt for password on resume from hibernate/suspend should be set correctly.
Do not preserve zone information in file attachments should be set correctly.
Hide mechanisms to remove zone information should be set correctly.
Notify antivirus programs when opening attachments should be set correctly.
CCE Technical Mechanisms
(1) defined by the object's SACL
?
(1) defined by the object's SACL
?
(1) defined by the object's SACL
?
(1) defined by the object's DACL
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
DISA Gold Disk for WXP
File Auditing - Must Have ACE (CID:269)
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
System Drive ACL (CID:2000)
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
Driver.cab ACL (CID:4083)
(1) defined by the object's DACL
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
(1) defined by the object's DACL
?
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
regedit.exe ACL (CID:2001)
arp.exe ACL (CID:2002)
at.exe ACL (CID:2003)
attrib.exe ACL (CID:2004)
cacls.exe ACL (CID:2005)
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
Eventlog ACL (CID:225)
debug.exe ACL (CID:2006)
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL ftp.exe ACL (CID:2
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
edlin.exe ACL (CID:2007)
eventcreate.exe ACL (CID:2008)
eventtriggers.exe ACL (CID:2009)
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
nbtstat.exe ACL (CID:2011)
net.exe ACL (CID:2012)
net1.exe ACL (CID:2013)
netsh.exe ACL (CID:2014)
netstat.exe ACL (CID:2015)
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
nslookup.exe ACL (CID:2016)
ntbackup.exe ACL (CID:2017)
rcp.exe ACL (CID:2018)
reg.exe ACL (CID:2019)
regedt32.exe ACL (CID:2020)
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
?
regini.exe ACL (CID:2021)
regsvr32.exe ACL (CID:2022)
rexec.exe ACL (CID:2023)
route.exe ACL (CID:2024)
rsh.exe ACL (CID:2025)
sc.exe ACL (CID:2026)
secedit.exe ACL (CID:2027)
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
subst.exe ACL (CID:2028)
systeminfo.exe ACL (CID:2029)
telnet.exe ACL (CID:2030)
tftp.exe ACL (CID:2031)
tlntsvr.exe ACL (CID:2032)
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
Winreg ACL (CID:237)
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
(1) defined by the object's DACL
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
SNMP - Permitted Managers (CID:1033)
SNMP Communities (CID:4046)
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the object's DACL
?
(1) defined by the SeDenyNetworkLogonRight setting in Local or Group Policy
User Right Check deny access from network (CID:162)
(1) defined by the SeNetworkLogonRight setting in Local or Group Policy
User Right Check Logon on network (CID:152)
(1) defined by the SeTcbPrivilege setting in Local or Group Policy
User Right Check act as OS (CID:153)
(1) defined by the SeBackupPrivilege setting in Local or Group Policy
User Right Check Backup (CID:155)
(1) defined by the SeChangeNotifyPrivilege setting in Local or Group Policy
User Right Check Bypass Traverse Checking (CID:156)
(1) defined by the SeSystemTimePrivilege setting in Local or Group Policy
User Right Check change system time (CID:157)
(1) defined by the SeCreatePagefilePrivilege setting in Local or Group Policy
User Right Check create pagefile (CID:158)
(1) defined by the SeCreateTokenPrivilege setting in Local or Group Policy
User Right Check create token object (CID:159)
(1) defined by the SeCreatePermanentPrivilege setting in Local or Group Policy
User Right Check create permanent shared objects (CID:160)
(1) defined by the SeDebugPrivilege setting in Local or Group Policy
User Right Check debug programs (CID:161)
(1) defined by the SeRemoteShutdownPrivilege setting in Local or Group Policy
User Right Check remote shutdown (CID:165)
(1) defined by the SeAuditPrivilege setting in Local or Group Policy
User Right Check generate security audits (CID:173)
(1) defined by the SeIncreaseQuotaPrivilege setting in Local or Group Policy
User Right Check increase quotas (CID:166)
(1) defined by the SeIncreaseBasePriorityPrivilege setting in Local or Group Policy
User Right Check increase scheduling priority (CID:167)
(1) defined by the SeLoadDriverPrivilege setting in Local or Group Policy
User Right Check load and unload device drivers (CID:168)
(1) defined by the SeLockMemoryPrivilege setting in Local or Group Policy
User Right Check lock pages in memory (CID:169)
(1) defined by the SeBatchLogonRight setting in Local or Group Policy
User Right Check log on as a batch job (CID:170)
(1) defined by the SeServiceLogonRight setting in Local or Group Policy
User Right Check log on as a service job (CID:171)
?
(1) defined by the SeInteractiveLogonRight setting in Local or Group Policy
User Right Check log on locally (CID:172)
(1) defined by the SeSecurityPrivilege setting in Local or Group Policy
(1) defined by the SeSystemEnvironmentPrivilege setting in Local or Group Policy
User Right Check modify firmware (CID:174)
(1) defined by the SeProfileSingleProcessPrivilege setting in Local or Group Policy
User Right Check Profile single process (CID:175)
(1) defined by the SeSystemProfilePrivilege setting in Local or Group Policy
User Right Check Profile system performance (CID:176)
(1) defined by the SeUndockPrivilege setting in Local or Group Policy
User Right Check undock (CID:177)
(1) defined by the SeAssignPrimaryTokenPrivilege setting in Local or Group Policy
User Right replace process token (CID:178)
(1) defined by the SeRestorePrivilege setting in Local or Group Policy
User Right restore (CID:179)
(1) defined by the SeShutdownPrivilege setting in Local or Group Policy
User Right shut down (CID:180)
(1) defined by the SeTakeOwnershipPrivilege setting in Local or Group Policy
User Right take ownership (CID:182)
(1) defined by the SeSynchAgentPrivilege setting in Local or Group Policy
User Right synch directory (CID:181)
?
?
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by the SeDenyInteractiveLogonRight setting in Local or Group Policy
User Right Check deny logon locally (CID:163)
(1) defined by the SeEnableDelegationPrivilege setting in Local or Group Policy
User Right Check allow trust for delegation (CID:164)
(1) defined by the SeMachineAccountPrivilege setting in Local or Group Policy
User Right Check Add wkstn to domain (CID:154)
(1) defined by the SeRemoteInteractiveLogonRight setting in Local or Group Policy
User Right allow logon terminal service (CID:737)
(1) defined by the SeDenyBatchLogonRight setting in Local or Group Policy
(1) defined by the SeDenyServiceLogonRight setting in Local or Group Policy
(1) defined by the SeDenyRemoteInteractiveLogonRight setting in Local or Group Policy
User Right deny logon terminal service (CID:738)
(1) defined by the SeManageVolumePrivilege setting in Local or Group Policy
User Right perform volume maintenance (CID:739)
Lockout Reset (CID:45)
Lockout Duration (CID:44)
Lockout Count (CID:43)
Account logon auditing (CID:49)
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
?
(1) defined by Local or Group Policy
?
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
Account logon auditing (CID:49)
Account management auditing (CID:51)
Account management auditing (CID:51)
logon auditing (CID:53)
logon auditing (CID:53)
object access auditing (CID:55)
object access auditing (CID:55)
policy change auditing (CID:56)
policy change auditing (CID:56)
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
?
(1) defined by Local or Group Policy
?
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
priv use auditing (CID:58)
priv use auditing (CID:58)
system event auditing (CID:59)
system event auditing (CID:59)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\RestrictGuestAccess (2) defined by Group Policy
Anonymous Access to the Security Event Log value (CID:479)
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\MaxSize
Application log size (CID:82)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy
Application log retention (CID:85)
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\RestrictGuestAccess (2) defined by Group Policy
Anonymous Access to the Security Event Log value (CID:477)
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\MaxSize
Security log size (CID:80)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy
Security log retention (CID:83)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\RestrictGuestAccess (2) defined by Group Policy
Anonymous Access to the Security Event Log value (CID:482)
(1) defined by the Windows Event Log (2) defined by Group Policy (3) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\MaxSize
System log size (CID:81)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\Retention (2) defined by Group Policy
System log retention (CID:84)
Maximum Password Age (CID:40)
Minimum Password Age (CID:41)
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
?
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
?
?
?
?
Password Length (CID:39)
Password History (CID:42)
Reversible Pwd Encryption (CID:232)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Computer Browser Disabled (CID:22)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Fast User Switching Compatibility Disabled (CID:729)
?
?
?
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Fax\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IISADMIN\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Internet Information System Installed - IIS Admin (CIS:4066)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CiSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Windows Messenger Internet Access (CIS:4036)
(1) defined by the Services Administrative Tool (2) defined by Group Policy
.NET Framework service (CIS:4035)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
NetMeeting Remote Desktop Sharing Disabled (CIS:730)
(1) defined by the Services Administrative Tool (2) defined by Group Policy
Print Services for Unix Service (CIS:4031)
(1) defined by the Services Administrative Tool (2) defined by Group Policy
Remote Access Auto Connection Manager Disabled (CIS:731)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDSessMgr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Remote Desktop Help Session Manager Disabled (CIS:732)
?
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Routing and Remote Access Disabled (CIS:733)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RshSvc\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Remote Shell Service (CIS:24)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SIMPTCP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Simple TCP/IP Service (CIS:25)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SMTPSVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Management and Monitoring Tools Installed - SNMP Service (CIS:4071)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMPTRAP\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Management and Monitoring Tools Installed - SNMP Trap (CIS:4072)
(1) defined by the Services Administrative Tool (2) defined by Group Policy
SSDP Discovery Service Disabled (CIS:734)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Task Scheduler Check (CIS:28)
?
?
?
?
?
?
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
23 - Telnet Disabled (CIS:23)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Terminal Services Disabled (CIS:735)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Start (2) defined by the Services Administrative Tool (3) defined by Group Policy
Internet Information System Installed - World Wide Web Publishing (CIS:4067)
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
?
?
?
?
?
?
?
?
(1) set via Security Templates (2) defined by Group Policy
File Shares (CIS:230)
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
Printer ACL (CIS:229)
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
?
?
?
?
?
?
?
?
?
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
(1) set via Security Templates (2) defined by Group Policy
?
?
(1) Local Users and Groups MMC
(1) Local Users and Groups MMC
?
?
?
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous (2) defined by Local or Group Policy
Restrict Anonymous value (CIS:97)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AnonymousNameLookup (2) defined by Local or Group
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
Anon Access to Application log (CIS:78)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
Anon Access to Security log (CIS:79)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
Anon Access to System log (CIS:77)
Guest Account Disabled (CIS:29)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks
?
?
?
?
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AEDebug\Auto
CIS: Automatic Execution of the System Debugger value (CIS:749)
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon
Admin Autologon password values not exist: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultPassword; Admin Autologon Value: HKEY_LOCAL_MACHINE\*\AutoAdminLogon (CIS:188, 189)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot
CIS: Disable Reboot After Crash value (CID:755)
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Autoplay value (CID:103)
(1) HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
(1) HKEY_USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
Disable Media Autoplay (HKEY_USER-.Default hive) Value (CID:752)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDrom\Autorun
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MrxSmb\Parameters\RefuseReset
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect
?
?
?
?
?
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC\NoDefaultExempt
CIS: Enable IPSec security for Kerberos RSVP Traffic value (CID:758)
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson\CreateCrashDump
CIS: Allow Dr. Watson Crash Dumps value (CID:746)
(1) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden
CIS: Hide computer Name from other domain controllers value (CID:761)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen
?
?
?
?
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\Security\WarningLevel
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters\DisableSavePassword
Disable saving of dial up password (CID:105)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\SafeDllSearchMode
Safe DLL Search Mode value (CID:774)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon\SyncForegroundPolicy
Always Wait for the Network at Computer Startup and Logon (CID:927)
(1) defined by Local or Group Policy
?
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
?
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\DeleteRoamingCache
Cached Profiles value (CID:93)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\system\LogonType
Always Use Classic Logon (CID:924)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Policies\system\DisableBkGndGroupPolicy
Turn Off Background Refresh of Group Policy (CID:930)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI
Internet Connection Sharing (CID:942)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA
Prohibit Installation and Configuration of Network Bridge on the DNS Domain Network (CID:945)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\KMPrintersAreBlocked
Disallow Installation of Printers Using Kernel-mode Drivers (CID:948)
Administrator Account Renamed (CID:30)
Guest Account Renamed (CID:31)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect (2) defined by Local or Group Policy
Amount of idle time before disconnecting value (CID:213)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects (2) defined by Local or Group Policy
?
?
?
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel (2) defined by Local or Group Policy
LMCompatibility Value (CID:123)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers (2) defined by Local or Group Policy
Print Driver Installation value (CID:99)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel (2) defined by Local or Group Policy
Recovery Console Autologon value (CID:117)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand (2) defined by Local or Group Policy
Recovery Console Full Access Value (CID:119)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies (2) defined by Local or Group Policy
Floppy Allocation (CID:89)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode (2) defined by Local or Group Policy
Strength permissions on GSO value (CID:204)
?
?
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey (2) defined by Local or Group Policy
Domain member: Require strong (Windows 2000 or later) session key value (CID:770)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword (2) defined by Local or Group Policy
Send unencrypted password to 3rd party SMB value (CID:207)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing\Policy (2) defined by Local or Group Policy
Unsigned Driver Behavior Value (CID:127)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning (2) defined by Local or Group Policy
Password Expiration value (CID:199)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail (2) defined by Local or Group Policy
Crash on audit fail Value (CID:121)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon (2) defined by Local or Group Policy
Shutdown before logon Check (CID:217)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown (2) defined by Local or Group Policy
Clear Pagefile value (CID:101)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy
Enable Security Signature Value (CID:113)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount (2) defined by Local or Group Policy
Logon Caching value (CID:91)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD (2) defined by Local or Group Policy
NTFS Media Ejection value (CID:2010)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal (2) defined by Local or Group Policy
Digitally encrypt or sign secure channel data (always) value (CID:743)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel (2) defined by Local or Group Policy
Sign Secure Channel Traffic Value (CID:109)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel (2) defined by Local or Group Policy
Sign Secure Channel Traffic Value (CID:107)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption (2) defined by Local or Group Policy
Smart Card Removal Behavior Value (CID:125)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange (2) defined by Local or Group Policy
Disable password change Value (CID:111)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy (2) defined by Local or Group Policy
Use FIPS compliant algorithms for encryption, hashing, and signing (CID:804)
(1) defined by Local or Group Policy
(1) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoDefaultAdminOwner (2) defined by Local or Group Policy
Default owner for objects created by members of the Administrators group (CID:807)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive (2) defined by Local or Group Policy
System Object: Require Case Insensitivity for Non-Windows Subsystems (CID:810)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse (2) defined by Local or Group Policy
Limit Blank Passwords value (CID:764)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity (2) defined by Local or Group Policy
LDAP client signing requirements (CID:795)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge (2) defined by Local or Group Policy
Accounts: Maximum machine account password age value (CID:767)
(1) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon (2) defined by Local or Group Policy
Domain Controller Authentication to Unlock Workstation Value (CID:777)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff (2) defined by Local or Group Policy
Automatically log off user when logon time expires value (CID:210)
(1) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds (2) defined by Local or Group Policy
Do not allow storage of credentials or .NET Passports for network authentication value (CID:780)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous (2) defined by Local or Group Policy
Let Everyone permissions apply to anonymous users Value (CID:783)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPathsHKLM (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares (2) defined by Local or Group Policy
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest (2) defined by Local or Group Policy
Sharing and security model for local accounts Value (CID:786)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash (2) defined by Local or Group Policy
Do not store LAN Manager hash value on next password change (CID:789)
Logon Time Enforcement (CID:46)
(1) Disk Management MMC
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec (2) defined by Local or Group Policy
Minimum session security for NTLM SSP based clients (CID:798)
(1) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec (2) defined by Local or Group Policy
Minimum session security for NTLM SSP based servers (CID:801)
Non-NTFS Partition (CID:10)
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\SCRNSAVE.EXE
Default user scrnsave.exe (CID:67)
(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaveTimeOut
Default user screensaver timeout (CID:68, 71)
(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaverIsSecure
Default user screensaver secure (CID:69)
(1) HKEY_USER\.DEFAULT\Control Panel\Desktop\ScreenSaveActive
Default user screensaver active (CID:70)
(1) HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
Current user scrnsave.exe (CID:76)
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
Current user screensaver timeout (CID:74)
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure
Current user screensaver secure (CID:72)
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive
Current user screensaver active (CID:73)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
Always Install with Elevated Privileges (CID:888)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\SafeForScripting\
Disable IE Security Prompt for Windows Installer Scripts (CID:891)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableUserControl
Enable User Control Over Installs (CID:894)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownMedia
Enable User to Use Media Source While Elevated (CID:900)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableAdminTSRemote
Allow Admin to Install from Terminal Services Session (CID:906)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AllowLockDownPatch
Enable User to Patch Elevated Products (CID:903)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\TransformSecure
Cache Transforms in Secure Location on Workstation (CID:908)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMediaPlayer\DisableAutoupdate
Disable Media Player for XP automatic Updates (CID:912)
(1) HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer\PreventCodecDownload
951 - Prevent Codec Download
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventRun
Do Not Allow Windows Messenger to be Run (CID:915)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Messenger\Client\PreventAutoRun
918 - Do Not Automatically Start Windows Messenger Initially
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Task Scheduler5.0\Task Creation
Prohibit New Task Creation (CID:843)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fSingleSessionPerUser
Limit Users to One Remote Session (CID:849)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxInstanceCount
Limit Number of Connections (CID:852)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fDenyTSConnections
Do Not Allow New Client Connections (CID:855)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fWritableTSCCPermTab
Do Not Allow Local Administrators to Customize (CID:858)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\Shadow
Remote Control Settings (CID:861)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword
Always Prompt Client for Password upon Connection (CID:864)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel
Set Client Connection Encryption (CID:867)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir
Do Not Use Temp Folders per Session (CID:870)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\DeleteTempDirsOnExit
Do Not Delete Temp Folder upon Exit (CID:873)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxDisconnectionTime
Set Time Limit for Disconnected Sessions (CID:876)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\MaxIdleTime
Set Time Limit for Idle Sessions (CID:879)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fReconnectSame
Allow Reconnection from Original Client Only (CID:882)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fResetBroken
Terminate Session When Time Limits are Reached (CID:885)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\KeepAliveEnable
Keep-Alive Messages (CID:846)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp
Solicited Remote Assistance (CID:933)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited
Unsolicited Remote Assistance (CID:936)
(1) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PCHealth\ErrorReporting\DoReport
Report Errors (CID:939)
(1) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SCForceOption
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions
(1) defined by the Services Administrative Tool (2) defined by Group Policy
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC\EnableAuthEpResolution
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\RPC\RestrictRemoteClients
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\AllowUserPrefMerge
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\FileAndPrint\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\RemoteDesktop\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Services\UPnPFramework\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log Dropped Packets
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogFilePath (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log file path and name (3) Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging\Name
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogFileSize (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Size limit (KB)
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging\LogSuccessfulConnections (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow Logging - Log successful connections
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableUnicastResponsesToMulticastBroadcast
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\AllowUserPrefMerge
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\AllowUserPrefMerge
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ICMPSettings\*
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\RemoteDesktop\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Services\UPnPFramework\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogDroppedPackets (2) Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall: Allow Logging - Log Dropped Packets
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogFilePath
(1) defined by the object's DACL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogFileSize
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging\LogSuccessfulConnections
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableUnicastResponsesToMulticastBroadcast
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\AllowUserPrefMerge
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
(2) HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Peernet\Disabled
GPO Setting: Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network
GPO Settings: Computer Configuration\Administrative Templates\System\Error Reporting\Display Error Notification, Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting\Display Error Notification
GPO Setting: Computer Configuration\Administrative Templates\System\Group Policy\Internet Explorer Maintenance Policy Processing
(1) Computer Configuration\Administrative Templates\System\Group Policy (2) HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoBackgroundPolicy, HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoGPOListChanges
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate
(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2) HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EventViewer\MicrosoftEventVwrDisableLinks
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Internet Connection Wizard\ExitOnMSICW
(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices
(2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith
(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2) HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Registration Wizard Control\NoRegistration
(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2) HKLM\Software\Policies\Microsoft\SearchCompanion!DisableContentFileUpdates
(2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoOnlinePrintsWizard
(2) [HKEY_LOCAL_MACHINE | HKEY_CURRENT_USER]\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPublishingWizard
(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2) HKLM\Software\Policies\Microsoft\Messenger\Client!CEIP
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\CodecDownload
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\WebHelp
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsMovieMaker\WebPublish
(1) Computer Configuration\Administrative Templates\System\Internet Communication Settings (2) HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchWindowsUpdate
(1) Computer Configuration\Administrative Templates\System\Logon (2) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableLocalMachineRunOnce
(2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWelcomeScreen
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\IIS\PreventIISInstall
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload
(1) Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection (2) HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DisablePasswordSaving
(2) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior
(2) HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\DisableLUAPatching
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes
GPO Setting: Computer Configuration\Administrative Templates\Windows Components\Windows Media Player\Prevent Desktop Shortcut Creation
(1) HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure
(1) User Configuration\Administrative Templates\System\Power Management (2) HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Power\PromptPasswordOnResume
(1) User Configuration\Administrative Templates\System\Attachment Manager (2) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation
(1) User Configuration\Administrative Templates\System\Attachment Manager (2) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\HideZoneInfoOnProperties
(1) User Configuration\Administrative Templates\System\Attachment Manager (2) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus
4.4.3.1 %SystemDrive%
%AllUsersProfile%
NSA Security Guide for WXP (NSA-XP-C44-026-02.pdf)
CIS WXP Pro Benchmark v1.3
CIS WXP Pro Benchmark v2.01 (CIS_WindowsXP_Benchmark_v2.01.pdf)
4.4.3.2 HKEY_LOCAL_MACHINE\Software
4.4.3.3 HKEY_LOCAL_MACHINE\System
%AllUsersProfile%\Application Data
%AllUsersProfile%\Application Data\Microsoft
%AllUsersProfile%\Application Data\Microsoft\Crypto\DSSHKLMKeys
%AllUsersProfile%\DRM
%ProgramFiles%
%SystemDrive%
4.4.1.1 %SystemDrive%
%AllUsersProfile%\Application Data\Microsoft\Crypto\RSAHKLMKeys
%AllUsersProfile%\Application Data\Microsoft\Dr Watson
%AllUsersProfile%\Application Data\Microsoft\Dr Watson\drwtsn32.log
%AllUsersProfile%\Application Data\Microsoft\HTML Help
%AllUsersProfile%\Application Data\Microsoft\Media Index
%AllUsersProfile%\Documents\desktop.ini
%SystemDrive%\io.sys
%SystemDrive%\ntldr
%SystemDrive%\autoexec.bat
%SystemDrive%\config.sys
%SystemDrive%\Documents and Settings
%SystemDrive%\Documents and Settings\Administrator
%SystemDrive%\Documents and Settings\Default User
%SystemDrive%\msdos.sys
%SystemDrive%\ntbootdd.sys
%SystemDrive%\ntdetect.com
%SystemRoot%
%SystemRoot%\CSC
%SystemRoot%\Debug
%SystemRoot%\Installer
%SystemRoot%\Prefetch
%SystemDrive%\System Volume Information
%SystemRoot%\$NtServicePackUninstall$
%SystemRoot%\Debug\UserMode
%SystemRoot%\Debug\UserMode\userenv.log
%SystemRoot%\Offline Web Pages
%SystemRoot%\repair
%SystemRoot%\security
%SystemRoot%\Temp
%SystemRoot%\system32
%SystemRoot%\regedit.exe
4.4.1.17 %SystemRoot%\regedit.exe
%SystemRoot%\Registration
%SystemRoot%\Registration\CRMLog
%SystemRoot%\system32\arp.exe
%SystemRoot%\system32\at.exe
4.4.1.2 %SystemRoot%\system32\at.exe
4.4.1.3 %SystemRoot%\system32\attrib.exe
4.4.1.4 %SystemRoot%\system32\cacls.exe
%SystemRoot%\system32\ciadv.msc
%SystemRoot%\system32\Com\comexp.msc
%SystemRoot%\system32\compmgmt.msc
%SystemRoot%\system32\config
4.4.1.5 %SystemRoot%\system32\debug.exe
%SystemRoot%\system32\devmgmt.msc
%SystemRoot%\system32\dfrg.msc
%SystemRoot%\system32\diskmgmt.msc
%SystemRoot%\system32\dllcache
4.4.1.6 %SystemRoot%\system32\drwatson.exe
4.4.1.7 %SystemRoot%\system32\drwtsn32.exe
4.4.1.8 %SystemRoot%\system32\edlin.exe
4.4.1.9 %SystemRoot%\system32\eventcreate.exe
4.4.1.10 %SystemRoot%\system32\eventtriggers.exe
%SystemRoot%\system32\eventvwr.msc
%SystemRoot%\system32\fsmgmt.msc
4.4.1.11 %SystemRoot%\system32\ftp.exe
%SystemRoot%\system32\gpedit.msc
%SystemRoot%\system32\Group Policy
%SystemRoot%\system32\ias
%SystemRoot%\system32\lusrmgr.msg
%SystemRoot%\system32\MSDTC
%SystemRoot%\system32\nbstat.exe
4.4.1.12 %SystemRoot%\system32\net.exe
4.4.1.13 %SystemRoot%\system32\net1.exe
%SystemRoot%\system32\netsh.exe
4.4.1.14 %SystemRoot%\system32\netsh.exe
%SystemRoot%\system32\netstat.exe
%SystemRoot%\system32\nslookup.exe
%SystemRoot%\system32\Ntbackup.exe
%SystemRoot%\system32\NTMSData
%SystemRoot%\system32\ntmsoprq.msc
%SystemRoot%\system32\ntmsmgr.msc
%SystemRoot%\system32\perfmon.msc
%SystemRoot%\system32\rcp.exe
4.4.1.15 %SystemRoot%\system32\rcp.exe
%SystemRoot%\system32\reg.exe
4.4.1.16 %SystemRoot%\system32\reg.exe
%SystemRoot%\system32\regedt32.exe
4.4.1.18 %SystemRoot%\system32\regedt32.exe
%SystemRoot%\system32\regini.exe
4.4.1.19 %SystemRoot%\system32\regsvr32.exe
%SystemRoot%\system32\rexec.exe
4.4.1.20 %SystemRoot%\system32\rexec.exe
%SystemRoot%\system32\route.exe
%SystemRoot%\system32\rsh.exe
4.4.1.21 %SystemRoot%\system32\rsh.exe
%SystemRoot%\system32\RSoP.msc
4.4.1.22 %SystemRoot%\system32\runas.exe
4.4.1.23 %SystemRoot%\system32\sc.exe
%SystemRoot%\system32\secedit.exe
%SystemRoot%\system32\secpol.msc
%SystemRoot%\Tasks
%SystemRoot%\system32\services.msc
%SystemRoot%\system32\Setup
%SystemRoot%\system32\spool\Printers
4.4.1.24 %SystemRoot%\system32\subst.exe
%SystemRoot%\system32\systeminfo.exe
4.4.1.25 %SystemRoot%\system32\telnet.exe
%SystemRoot%\system32\tftp.exe
4.4.1.26 %SystemRoot%\system32\tftp.exe
4.4.1.27 %SystemRoot%\system32\tlntsvr.exe
%SystemRoot%\system32\wmimgmt.msc
4.4.2.1 HKLM\Software
HKEY_LOCAL_MACHINE\SOFTWARE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC
4.4.2.9 HKLM\Software\Microsoft\MSDTC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\Security\XAKey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetDDE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UPnP Device Host
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Asr\Commands
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
4.4.2.4 HKLM\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit
4.4.2.11 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SeCEdit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer
4.4.2.2 HKLM\Software\Microsoft\Windows\CurrentVersion\Installer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
4.4.2.3 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings
4.4.2.8 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony
HKEY_LOCAL_MACHINE\SYSTEM
HKEY_LOCAL_MACHINE\SYSTEM\clone
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Wmi\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum
4.4.2.5 HKLM\System\CurrentControlSet\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClipSrv\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptSvc\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ersvc\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IRENUM\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netdde\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netddedsdm\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rpcss\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Samss\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scarddrv\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Scardsvr\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
4.4.2.6 HKLM\System\CurrentControlSet\Services\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
4.4.2.7 HKLM\System\CurrentControlSet\Services\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stisvc\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tapisrv\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32time\Security
HKEY_USER\.DEFAULT
4.2.8 Change the system time
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wmi\Security
HKEY_USER\.DEFAULT\Software\Microsoft\NetDDE
HKEY_USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
4.4.2.10 HKEY_USER\.Default\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
Deny access to this computer from the network: Not Defined
4.2.13 Deny access to this computer from the network
Access this computer from a network: Administrators, Users
4.2.1 Access this computer from the network
Act as part of the operating system
4.2.2 Act as part of the operating system
Back up files and directories: Administrators
4.2.6 Back up files and directories
Bypass traverse checking: Users
4.2.7 Bypass traverse checking
Change the system time: Administrators
4.2.9 Create a pagefile
4.2.10 Create a token object
Debug programs: No One
4.2.12 Debug Programs
4.2.23 Lock pages in memory
4.2.24 Log on as a batch job
4.2.25 Log on as a service
Create a pagefile: Administrators
Create a token object: No One
Create permanent shared objects: No One
4.2.11 Create permanent shared objects
Force shutdown from a remote system: Administrators
4.2.19 Force shutdown from a remote system
Generate security audits: LOCAL SERVICE, NETWORK SERVICE
4.2.20 Generate security audits
Adjust memory quotas for a process: Administrators, NETWORK SERVICE, LOCAL SERVICE
4.2.4 Adjust memory quotas for a process
Increase scheduling priority: Administrators
4.2.21 Increase scheduling priority
Load and unload device drivers: Administrators
4.2.22 Load and unload device drivers
Lock pages in memory: No One
Log on as a batch job: No One
Log on as a service: Network Service
4.2.26 Log on locally
4.2.30 Profile single process
4.2.35 Shut down the system
Log on locally: Administrators, Users
Manage auditing and security log: Administrators
4.2.27 Manage auditing and security log
Modify firmware environment variables: Administrators
4.2.28 Modify firmware environment values
Profile single process: Administrators
Profile system performance: Administrators
4.2.31 Profile system performance
Remove computer from docking station: Administrators, Users
4.2.32 Remove computer from docking station
Replace a process level token: LOCAL SERVICE, NETWORK SERVICE
4.2.33 Replace a process level token
Restore files and directories: Administrators
4.2.34 Restore files and directories
Shut down the system: Administrators, Users
Take ownership of files or other objects: Administrators
4.2.37 Take ownership of file or other objects
Synchronize directory service data: No One
4.2.36 Synchronize directory service data
4.2.16 Deny logon locally
4.2.15 Deny logon as a service
Deny logon locally: Not Defined
Enable computer and user accounts to be trusted for delegation: No One
4.2.18 Enable computer and user accounts to be trusted for delegation
Add workstations to domain
4.2.3 Add workstations to domain
Allow logon through Terminal Services: No One
4.2.5 Allow logon through terminal services
Deny logon as a batch job: No One
4.2.14 Deny logon as a batch job
Deny logon as a service: No One
Deny logon through Terminal Services: Everyone
4.2.17 Deny logon through Terminal Service
Perform volume maintenance tasks: Administrators
4.2.29 Perform volume maintenance tasks
Reset account lockout counter after (15 min.)
2.2.3.3 Reset Account Lockout After
Account lockout duration (15 minutes)
2.2.3.1 Account Lockout Duration
Account lockout threshold (3 invalid attempts)
2.2.3.2 Account Lockout Threshold
Audit account logon events (Success, Failure)
2.2.1.1 Audit Account Logon Events
2.2.1.4 Audit Logon Events
2.2.1.4 Audit Logon Events
2.2.1.5 Audit Object Access
2.2.1.5 Audit Object Access
2.2.1.6 Audit Policy Change
2.2.1.6 Audit Policy Change
Audit account logon events (Success, Failure)
2.2.1.1 Audit Account Logon Events
Audit account management (Success, Failure)
2.2.1.2 Audit Account Management
Audit account management (Success, Failure)
2.2.1.2 Audit Account Management
Audit directory service access (No auditing)
2.2.1.3 Audit Directory Service Access
Audit directory service access (No auditing)
2.2.1.3 Audit Directory Service Access
Audit logon events (Success, Failure)
Audit logon events (Success, Failure)
Audit object access (Failure)
Audit object access (Failure)
Audit policy change (Success, Failure)
Audit policy change (Success, Failure)
2.2.1.7 Audit Privilege Use
2.2.1.7 Audit Privilege Use
2.2.1.8 Audit Process Tracking
2.2.1.8 Audit Process Tracking
2.2.1.9 Audit System Events
2.2.1.9 Audit System Events
Retain application log
2.2.4.1.4 Log Retention
Audit privilege use (Failure)
Audit privilege use (Failure)
Audit process tracking (No Auditing)
Audit process tracking (No Auditing)
Audit system events (Success, Failure)
Audit system events (Success, Failure)
Restrict guest access to application Log
2.2.4.1.2 Restrict Guest Access
Maximum application log size
2.2.4.1.1 Maximum Event Log Size
Retention method for application Log
2.2.4.1.3 Log Retention Method
Maximum security log size
Retain security log
2.2.4.2.4 Log Retention
Maximum system log size
Retain system log
2.2.4.3.4 Log Retention
Restrict guest access to security Log
2.2.4.2.2 Restrict Guest Access
2.2.4.2.1 Maximum Event Log Size
Retention method for security log
2.2.4.2.3 Log Retention Method
Restrict guest access to system Log
2.2.4.3.2 Restrict Guest Access
2.2.4.3.1 Maximum Event Log Size
Retention method for system log
2.2.4.3.3 Log Retention Method
Maximum Password Age (90)
2.1.2 Maximum Password Age, 2.2.2.2 Maximum Password Age
Minimum Password Age (1)
2.2.2.1 Minimum Password Age
2.2.2.4 Password Complexity
2.2.2.5 Password History
4.1.1 Alerter?
4.1.2 Automatic Updates?
4.1.4 Clipbook?
4.1.5 Computer Browser?
4.1.6 Fax Service
Minimum Password Length (12)
2.1.1 Minimum Password Length, 2.2.2.3 Minimum Password Length
Passwords must meet complexity requirements (Enabled)
Enforce password history (24 passwords)
Store password using reversible encryption for all users in the domain (Disabled)
2.2.2.6 Store Passwords using Reversible Encryption
4.1.3 Background Intelligent Transfer Service
4.1.7 FTP Publishing Service?
4.1.8 IIS Admin Service?
4.1.9 Indexing Service?
4.1.10 Messenger?
4.1.11 Net Logon?
4.1.12 NetMeeting Remote Desktop Sharing
4.1.13 Remote Desktop Help Session Manager
4.1.19 Task Scheduler
4.1.14 Remote Registry Service
4.1.15 Routing and Remote Access
4.1.16 Simple Mail Transfer Protocol (SMTP)
4.1.17 Simple Network Management Protocol (SNMP) Service
4.1.18 Simple Network Management Protocol (SNMP) Trap
4.1.20 Telnet?
4.1.21 Terminal Services?
4.1.22 Universal Plug and Play Device Host
4.1.23 World Wide Web Publishing Services
4.1 Available Services (Permissions on services listed here: Administrators: Full Control; System: Read, Start, Stop, and Pause)
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
3.1.3 Network Access: Do not allow Anonymous Enumeration of SAM Accounts and Shares
Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
3.1.2 Network Access: Do not allow Anonymous Enumeration of SAM Accounts
Network access: Allow anonymous SID/Name translation: Disabled
3.1.1 Network Access: Allow Anonymous SID/Name Translation
Accounts: Guest account status: Disabled
3.2.1.2 Accounts: Guest Account Status
Accounts: Administrator account status: Enabled
3.2.1.1 Accounts: Administrator Account Status
Interactive logon: Message title for users attempting to log on
3.2.1.27 Interactive Logon: Message Title for Users Attempting to Log On
Interactive logon: Message text for users attempting to log on: <Configure Locally>
3.2.1.26 Interactive Logon: Message Text for Users Attempting to Log On
3.2.2.9 Remove administrative shares on workstation (Professional)
3.2.2.2 Disable Automatic Execution of the System Debugger
Interactive logon: Allow Automatic Administrator Logon - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = 0
3.2.2.6 Disable Automatic Logon
3.2.2.7 Disable automatic reboots after a Blue Screen of Death
3.2.2.3 Disable autoplay from any disk type, regardless of application
3.2.2.4 Disable autoplay for current user
3.2.2.5 Disable autoplay for the default profile
3.2.2.8 Disable CD Autorun: HKLM\System\CurrentControlSet\Services\Cdrom\Autorun (REG_DWORD)
3.2.2.10 Protect against Computer Browser Spoofing Attacks
3.2.2.13 Ensure ICMP Routing via shortest path first
3.2.2.11 Protect against source-routing spoofing
3.2.2.17 Ensure Router Discovery is Disabled
3.2.2.21 Enable IPSec to protect Kerberos RSVP Traffic
3.2.2.1 Suppress Dr. Watson Crash Dumps
Interactive logon: Do not display last user name - Enabled
3.2.1.24 Interactive Logon: Do Not Display Last User Name
3.2.2.22 Hide workstation from Network Browser listing: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden
3.2.2.12 Protect the Default Gateway network setting: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect
3.2.2.15 Manage Keep-alive times: HKEY_LOCAL_MACHINE\System\CurrentControlSEt\Services\Tcpip\Parameters\KeepAliveTime
3.2.2.19 SYN Attack protection – Manage TCP Maximum half-open sockets: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen
3.2.2.20 SYN Attack protection – Manage TCP Maximum half-open retried sockets: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried
3.2.2.16 Protect Against Malicious Name-Release Attacks: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand
3.2.2.14 Help protect against packet fragmentation: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery
3.2.2.18 Protect against SYN Flood attacks: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect
System objects: Set safe search path for DLLs
3.2.2.23 Enable Safe DLL Search Mode: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
Domain controller: Allow server operators to schedule tasks: Not Defined
3.2.1.15 Domain Controller: Allow Server Operators to Schedule Tasks
Accounts: Rename administrator account: Administrator
3.2.1.4 Accounts: Rename Administrator Account
Accounts: Rename guest account: <Configure locally>
3.2.1.5 Accounts: Rename Guest Account
Microsoft network server: Amount of idle time required before suspending session
3.2.1.35 Microsoft Network Server: Amount of Idle Time Required Before Disconnecting Session
Audit: Audit the access of global system objects: Not Defined
3.2.1.6 Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege: Not Defined
3.2.1.7 Audit: Audit the use of backup and restore privilege
Interactive logon: Do not require CTRL+ALT+DEL: Disabled
3.2.1.25 Interactive Logon: Do not require CTRL+ALT+DEL
Network security: LAN Manager authentication level: Send LM & NTLM - use NTLMv2 session security if negotiated
3.2.1.47 Network Security: LAN Manager Authentication Level
Devices: Prevent users from installing printer drivers: Enabled
3.2.1.11 Devices: Prevent users from installing printer drivers
Recovery console: Allow automatic administrative logon: Disabled
3.2.1.51 Recovery Console: Allow Automatic Administrative Logon
Recovery console: Allow floppy copy and access to all drives and all folders: Disabled
3.2.1.52 Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders
Devices: Restrict CD-ROM access to locally logged-on user only: Enabled
3.2.1.12 Devices: Restrict CD-ROM Access to Locally Logged-On User Only
Devices: Restrict floppy access to locally logged-on user only: Enabled
3.2.1.13 Devices: Restrict Floppy Access to Locally Logged-On User Only
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links): Enabled
3.2.1.58 System objects: Strengthen default permissions of internal system objects
Domain member: Require strong (Windows 2000 or later) session key: Enabled
3.2.1.23 Domain Member: Require Strong (Windows 2000 or later) Session Key
Microsoft network client: Send unencrypted password to third-party SMB servers
3.2.1.34 Microsoft Network Client: Send Unencrypted Password to Connect to Third-Party SMB Server
Devices: Unsigned driver installation behavior: Warn but allow installation
3.2.1.14 Devices: Unsigned Driver Installation Behavior
Interactive logon: Prompt user to change password before expiration: 14 days
3.2.1.29 Interactive Logon: Prompt User to Change Password Before Expiration
Audit: Shut down system immediately if unable to log security audits: Disabled
3.2.1.8 Audit: Shut Down system immediately if unable to log security alerts
Shutdown: Allow system to be shut down without having to log on: Enabled
3.2.1.53 Shutdown: Allow System to be Shut Down Without Having to Log On
Shutdown: Clear virtual memory pagefile: Disabled
3.2.1.54 Shutdown: Clear Virtual Memory Pagefile
Microsoft network client: Digitally sign communications (always)
3.2.1.32 Microsoft Network Client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
3.2.1.33 Microsoft Network Client: Digitally sign communications (if server agrees)
Microsoft network server: Digitally sign communications (always)
3.2.1.36 Microsoft Network Server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees): Enabled
3.2.1.37 Microsoft Network Server: Digitally sign communications (if client agrees)
Interactive logon: Number of previous logons to cache (in case domain controller is not available): 0 logons
3.2.1.28 Interactive Logon: Number of Previous Logons to Cache
Devices: Allowed to format and eject removable media: Administrators
3.2.1.10 Devices: Allowed to format and eject removable media
Domain member: Digitally encrypt or sign secure channel data (always): Not Defined
3.2.1.18 Domain Member: Digitally Encrypt or Sign Secure Channel Data (Always)
Domain member: Digitally encrypt secure channel data (when possible): Enabled
3.2.1.19 Domain Member: Digitally Encrypt Secure Channel Data (When Possible)
Domain member: Digitally sign secure channel data (when possible): Enabled
3.2.1.20 Domain Member: Digitally Sign Secure Channel Data (When Possible)
Interactive logon: Smart card removal behavior: Lock Workstation
3.2.1.31 Interactive Logon: Smart Card Removal Behavior
Domain member: Disable machine account password changes: Disabled
3.2.1.21 Domain Member: Disable Machine Account Password Changes
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Enabled
3.2.1.55 System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Default owner for objects created by members of the Administrators group: Object Creator
3.2.1.56 System objects: Default owner for objects created by members of the Administrators group
System objects: Require case insensitivity for non-Windows subsystems: Enabled
3.2.1.57 System objects: Require case insensitivity for non-Windows subsystems
Accounts: Limit local account use of blank passwords to console logon only: Enabled
3.2.1.3 Accounts: Limit local account use of blank passwords to console logon only
Devices: Allow undock without having to log on: Disabled
3.2.1.9 Devices: Allow undock without having to log on
Domain controller: LDAP server signing requirements: Not Defined
3.2.1.16 Domain Controller: LDAP Server Signing Requirements
Network security: LDAP client signing requirements
3.2.1.48 Network Security: LDAP client signing requirements
Domain controller: Refuse machine account password changes: Not Defined
3.2.1.19 (note: different enumeration) Domain Controller: Refuse machine account password changes
Domain member: Maximum machine account password age: 7 Days
3.2.1.22 Domain Member: Maximum Machine Account Password Age
Interactive logon: Require Domain Controller authentication to unlock workstation: Enabled
3.2.1.30 Interactive Logon: Require Domain Controller authentication to unlock workstation
Microsoft network server: Disconnect clients when logon hours expire: Enabled
3.2.1.38 Microsoft Network Server: Disconnect clients when logon hours expire
Network access: Do not allow storage of credentials or .NET Passports: Enabled
3.2.1.39 Network Access: Do not allow storage of credentials or .NET passports for network authentication
Network access: Let Everyone permissions apply to anonymous users: Disabled
3.2.1.40 Network Access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously: Not Defined
3.2.1.41 Network Access: Named pipes that can be accessed anonymously
Network access: Remotely accessible registry paths: Classic - local users authenticate as themselves
3.2.1.42 Network Access: Remotely accessible registry paths
Network access: Shares that can be accessed anonymously: Not Defined
3.2.1.43 Network Access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts: Classic - local users authenticate as themselves
3.2.1.44 Network Access: Sharing and security model for local accounts
Network security: Do not store LAN Manager hash value on next password change: Enabled
3.2.1.45 Network Security: Do not store LAN Manager password hash value on next password change
Network security: Force logoff when logon hours expire: Enabled
3.2.1.46 Network Security: Force logoff when logon hours expire
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: Require NTLMv2 session security, Require 128-bit encryption
3.2.1.49 Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers: Require NTLMv2 session security, Require 128-bit encryption
3.2.1.50 Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers
Chapter 10: Modifying File System Security Settings with Security Templates
4.3.1 Ensure volumes are using the NTFS file system
Remote control settings
Limit users to one remote session
Limit number of connections
Do not allow new client connections
Do not allow local administrator to customize permissions
Always prompt client for password upon connection
Set client connection encryption level
Do not use temp folders per session
Do not delete temp folder upon exit
Set time limit for disconnected sessions
Set time limit for idle sessions
Allow reconnection from original client only
Terminate session when time limits are reached
Enforce user logon restrictions (Enabled)
Maximum lifetime for service ticket (600 minutes)
Maximum lifetime for user ticket (10 hours)
Maximum lifetime for user ticket renewal (7 days)
Maximum tolerance for computer clock synchronization (5 minutes)
5.1.1.1 RPC Endpoint Mapper Client Authentication (SP2 only)
5.1.1.2 Restrictions for Unauthenticated RPC clients (SP2 only)
5.2.1.1.1.1 Protect all network connections (SP2 only)
5.2.1.1.1.2 Do not allow exceptions (SP2 only)
5.2.1.1.1.3 Allow local program exceptions
5.2.1.1.1.4 Allow remote administration
5.2.1.1.1.5 Allow file and printer sharing exception (SP2 only)
5.2.1.1.1.6 Allow ICMP exceptions (SP2 only)
5.2.1.1.1.7 Allow Remote Desktop exception (SP2 only)
5.2.1.1.1.8 Allow UPnP framework exception (SP2 only)
5.2.1.1.1.9 Prohibit notifications
5.2.1.1.1.10 Log dropped packets (SP2 only)
5.2.1.1.1.11 Log file path and name (SP2 only)
5.2.1.1.1.12 Log file size limit (SP2 only)
5.2.1.1.1.13 Log successful connections (SP2 only)
5.2.1.1.1.14 Prohibit unicast response to multicast or broadcast (SP2 only)
5.2.1.1.1.15 Define port exceptions (SP2 only)
5.2.1.1.16 Allow local port exceptions (SP2 only)
5.2.1.1.2.1 Protect all network connections (SP2 only)
5.2.1.1.2.2 Do not allow exceptions (SP2 only)
5.2.1.1.2.3 Allow local program exceptions (SP2 only)
5.2.1.1.2.4 Allow remote administration exception (SP2 only)
5.2.1.1.2.4 Allow file and printer sharing exception (SP2 only)
5.2.1.1.2.6 Allow ICMP exceptions (SP2 only)
5.2.1.1.2.7 Allow Remote Desktop exception (SP2 only)
5.2.1.1.2.8 Allow UPnP framework exception (SP2 only)
5.2.1.1.2.9 Prohibit notifications (SP2 only)
5.2.1.1.2.10 Log Dropped Packets (SP2 only)
5.2.1.1.2.11 Log file path and name (SP2 only)
5.2.1.1.2.12 Log file size limit (SP2 only)
5.2.1.1.2.13 Log Successful Connections (SP2 only)
5.2.1.1.2.14 Prohibit unicast response to multicast or broadcast (SP2 only)
5.2.1.1.2.15 Define port exceptions (SP2 only)
5.2.1.1.2.16 Allow local port exceptions (SP2 only)
5.2.1.1. Windows Firewall
CIS WXP Pro Benchmark v2.01 OVAL (cis-winxp-oval.xml)
NIST 800-68 Windows XP PDF (SP800-68-20051102.pdf)
NIST 800-68 Windows XP XCCDF (NIST-800-68-53-WinXPPro_XCCDF_10102006.xml)
regedit.exePermissions
arp.exePermissions
at.exePermissions
attrib.exePermissions
cacls.exePermissions
%SystemRoot%\system32\regedit.exe Table: 9.19 Value: Administrators: Full System: Full
%SystemRoot%\system32\arp.exe Table: 9.1 Value: Administrators: Full System: Full
%SystemRoot%\system32\at.exe Table: 9.2 Value: Administrators: Full System: Full
%SystemRoot%\system32\attrib.exe Table: 9.3 Value: Administrators: Full System: Full
%SystemRoot%\System32\cacls.exe Table: 9.4 Value: Administrators: Full System: Full
oval:gov.nist.1:def:132
%SystemRoot%\System32\debug.exe Table: 9.5 Value: Administrators: Full System: Full
edlin.exePermissions
eventcreate.exePermissions
eventtriggers.exePermissions
%SystemRoot%\system32\edlin.exe Table: 9.6 Value: Administrators: Full System: Full
%SystemRoot%\system32\eventcreate.exe Table: 9.7 Value: Administrators: Full System: Full
%SystemRoot%\System32\eventtriggers.exe Table: 9.8 Value: 9.8
%SystemRoot%\system32\ftp.exe Table: 9.9 Value: Administrators: Full System: Full
ftp.exePermissions
nbtstat.exePermissions
net.exePermissions
net1.exePermissions
netsh.exePermissions
netstat.exePermissions
%SystemRoot%\system32\nbtstat.exe Table: 9.10 Value: Administrators: Full System: Full
%SystemRoot%\system32\net.exe Table: 9.11 Value: Administrators: Full System: Full
%SystemRoot%\system32\net1.exe Table: 9.12 Value: Administrators: Full System: Full
%SystemRoot%\system32\netsh.exe Table: 9.13 Value: Administrators: Full System: Full
%SystemRoot%\system32\netstat.exe Table: 9.14 Value: Administrators: Full System: Full
nslookup.exePermissions
ntbackup.exePermissions
rcp.exePermissions
reg.exePermissions
regedt32.exePermissions
%SystemRoot%\system32\nslookup.exe Table: 9.15 Value: Administrators: Full System: Full
%SystemRoot%\system32\Ntbackup.exe Table: 9.16 Value: Administrators: Full System: Full
%SystemRoot%\system32\rcp.exe Table: 9.17 Value: Administrators: Full System: Full
%SystemRoot%\system32\reg.exe Table: 9.18 Value: Administrators: Full System: Full
%SystemRoot%\system32\Regedt32.exe Table: 9.20 Value: Administrators: Full System: Full
regini.exePermissions
regsvr32.exePermissions
rexec.exePermissions
route.exePermissions
rsh.exePermissions
sc.exePermissions
secedit.exePermissions
%SystemRoot%\system32\regini.exe Table: 9.21 Value: Administrators: Full System: Full
%SystemRoot%\system32\regsvr32.exe Table: 9.22 Value: Administrators: Full System: Full
%SystemRoot%\system32\rexec.exe Table: 9.23 Value: Administrators: Full System: Full
%SystemRoot%\system32\route.exe Table: 9.24 Value: Administrators: Full System: Full
%SystemRoot%\system32\rsh.exe Table: 9.25 Value: Administrators: Full System: Full
%SystemRoot%\system32\sc.exe Table: 9.26 Value: Administrators: Full System: Full
%SystemRoot%\system32\secedit.exe Table: 9.27 Value: Administrators: Full System: Full
subst.exePermissions
systeminfo.exePermissions
telnet.exePermissions
tftp.exePermissions
tlntsvr.exePermissions
%SystemRoot%\system32\subst.exe Table: 9.28 Value: Administrators: Full System: Full
%SystemRoot%\system32\systeminfo.exe Table: 9.29 Value: Administrators: Full System: Full
%SystemRoot%\system32\telnet.exe Table: 9.30 Value: Administrators: Full System: Full
%SystemRoot%\system32\tftp.exe Table: 9.31 Value: Administrators: Full System: Full
%SystemRoot%\system32\tlntsvr.exe Table: 9.32 Value: Administrators: Full System: Full
DenyAccessFromNetwork
ActAsPartOfOperatingSystem
BypassTraverseChecking
ChangeSystemTime
Deny access to this computer from the network Table: 4.15 Value: Guests, SUPPORT
Access this computer from the network Table: 4.1 Value: Administrators, not defined
AccessComputerFromNetwork, AccessComputerFromNetworkUsers
Act as part of the operating system Table: 4.2 Value:
none
Back up files and directories Table: 4.7 Value: Administrators, not defined
BackUpFilesAndDirectories, BackUpFilesAndDirectoriesOperators
Bypass traverse checking Table: 4.8 Value: Administrators, Users, not defined
Change the system time Table: 4.9 Value: Administrators
CreatePagefile
CreateTokenObject
CreatePermanentSharedObjects
DebugPrograms
ShutdownFromRemoteSystem
GenerateSecurityAudits
AdjustMemoryQuotas
IncreaseSchedulingPriority
LoadAndUnloadDeviceDrivers
LockPagesInMemory
LogOnAsBatchJob
LogOnAsService
Create pagefile Table: 4.10 Value: Administrators
Create a token object Table: 4.11 Value: None, not defined
Create permanent share objects Table: 4.13 Value: None, not defined
Debug programs Table: 4.14 value: None, Administrators
Force shutdown from a remote system Table: 4.21 Value: Administrators
Generate security audits Table: 4.22 Value: LOCAL SERVICE, NETWORK SERVICE
Adjust memory quotas for a process Table: 4.4 Value: Administrators, LOCAL SERVICE, NETWORK SERVICE
Increase scheduling priority Table: 4.24 Value: Administrators
Load and unload device drivers Table: 4.25 Value: Administrators
Lock pages in memory Table: 4.26 Value: none
Log on as a batch job Table: 4.27 Value: none, not defined
Log on as a service Table: 4.28 Value: LOCAL SERVICE, NETWORK SERVICE
ModifyFirmwareEnvironmentValues
ProfileSingleProcess
ProfileSystemPerformance
ReplaceProcessLevelToken
RestoreFilesAndDirectories
ShutDownSystem
TakeOwnershipOfFiles
SynchronizeDirectoryServiceData
Allow log on locally Table: 4.5 Value: Users, Administrators
AllowLogOnLocally, AllowLogOnLocallyAuthenticatedUsers
Manage auditing and security log Table: 4.29 Value: Administrators
ManageAuditingAndSecurityLog, ManageAuditingAndSecurityLogNone
Modify firmware environment values Table: 4.30 Value: Administrators
Profile single process Table: 4.32 Value: Administrators
Profile system performance Table: 4.33 Value: Administrators
Remove computer from docking station Table: 4.34 Value: Users, Administrators
RemoveComputerFromDockingStation, RemoveComputerFromDockingStationNone
Replace a process-level token Table: 4.35 Value: LOCAL SERVICE, NETWORK SERVICE
Restore files and directories Table: 4.36 Value: Administrators
Shut down the system Table: 4.37 Value: Users, Administrators
Take ownership of files and other objects Table: 4.39 Value: Administrators
Synchronize directory service data Table: 4.38 Value: not defined
DenyLogonLocally
AccountsTrustedForDelegation
DenyLogonAsBatchJob
***
PerformVolumeMaintenanceTasks
AccountLockoutReset
AccountLockoutDuration
AccountLockoutThreshold
AuditAccountLogin
Deny logon locally Table: 4.18 Value: Guests, SUPPORT_388945a0, any service accounts
Enable computer and user accounts to be trusted for delegation Table: 4.20 Value: none, not defined
Add workstations to domain Table: 4.3 Value: Administrators
AddWorkstationsToDomain, AddWorkstationsToDomainNone
Allow logon through Terminal Services Table: 4.6 Value: none, not defined
AllowLogOnThroughTerminalServices
Deny logon as a batch job Table: 4.16 Value: Guests, SUPPORT_388945a0
Deny logon as a service Table: 4.17 Value: not defined
Deny logon through Terminal Services Table: 4.19 Value: Everyone, not defined
DenyLogonThroughTerminalServices
Profile volume maintenance tasks Table: 4.31 Value: Administrators
Reset account lockout counter after Table: 2.3 value: 15
Account lockout duration Table: 2.1 Value: 15
Account lockout threshold Table: 2.2 Value: 10, 50
Audit account logon events Table: 3.1 Value: success, success and failure
AuditAccountLogin
AuditAccountManagement
AuditAccountManagement
Not applicable
Not applicable
AuditLogonEvents
AuditLogonEvents
AuditObjectAccess
AuditObjectAccess
AuditPolicyChangesSuccessOnly
AuditPolicyChangesSuccessOnly
Audit account logon events Table: 3.1 Value: success, success and failure
Audit account management Table: 3.2 Value: success, failure
Audit account management Table: 3.2 Value: success, failure
Audit directory service access Table: 3.3 Value: not defined
Audit directory service access Table: 3.3 Value: not defined
Audit logon events Table: 3.4 Value: success, success and failure
Audit logon events Table: 3.4 Value: success, success and failure
Audit object access Table: 3.5 Value: failure, no auditing
Audit object access Table: 3.5 Value: failure, no auditing
Audit policy change Table: 3.6 Value: success
Audit policy change Table: 3.6 Value: success
AuditPrivilegeUse
AuditPrivilegeUse
AuditProcessTracking
AuditProcessTracking
AuditSystemEventsSuccessOnly
AuditSystemEventsSuccessOnly
PreventGuestApplicationLogAccess
MaximumApplicationLogSize
ApplicationLogRetentionMethod
Audit privilege use Table: 3.7 Value: failure, no auditing
Audit privilege use Table: 3.7 Value: failure, no auditing
Audit process tracking Table: 3.8 Value: no auditing
Audit process tracking Table: 3.8 Value: no auditing
Audit system events Table: 3.9 Value: success
Audit system events Table: 3.9 Value: success
Prevent local guests group from accessing application log Table: 6.4 Value: enabled
Maximum Application log size Table: 6.1 Value: 16384 kilobytes
Retain application log Table: 6.7 Value: not defined
Retention method for application log Table: 6.10 Value: as needed
PreventGuestSecurityLogAccess
MaximumSecurityLogSize
SecurityLogRetentionMethod
PreventGuestSystemLogAccess
MaximumSystemLogSize
SystemLogRetentionMethod
MaximumPasswordAge
MinimumPasswordAge
Prevent local guests group from accessing security log Table: 6.5 Value: enabled
Maximum security log size Table: 6.2 Value: 81920 kilobytes
Retain security log Table: 6.8 Value: not defined
Retention method for system log Table: 6.11 Value: as needed
Prevent local guests group from accessing system log Table: 6.6 Value: enabled
Maximum system log size Table: 6.3 Value: 16384 kilobytes
Retain system log Table: 6.9 Value: not defined
Retention method for system log Table: 6.12 Value: not defined
Maximum password age Table: 1.2 Value: 90
Minimum password age Table: 1.3 Value: 1
MinimumPasswordLength
PasswordComplexity
PasswordHistoryEnforcement
AlerterService
***
***
ClipBookService
BrowserService
Minimum password length Table: 1.4 Value: 12, 8
Password must meet complexity requirements Table: 1.5 Value: enabled
Enforce password history Table: 1.1 Value: 24
Store password using reversible encryption for all users in the domain Table: 1.6 Value: disabled
PasswordStorageReversibleEncryption
Alerter Service Table: 8.1 Value: disabled
Automatic update service Table: 8.4 Value: not defined
Background Intelligent Transfer Service Table: 8.5 Value: not defined
ClipBook service Table: 8.6 Value: disabled
Computer Browser Service Table: 8.9 Value: disabled
Fast User Switching Compatibility Table: 8.17 Value: not defined
FaxService
FTPPublishingService
IISAdminService
IndexingService
MessengerService
Fax Service Table: 8.18 Value: disabled
FTP Publishing Service Table: 8.19 Value: disabled
IIS Admin service Table: 8.22 Value: disabled
Indexing Service Table: 8.24 Value: disabled
Messenger service Table: 8.30 Value: disabled
Net Logon service Table: 8.32 Value: not defined
NetMeeting Remote Desktop Sharing Table: 8.33 Value: disabled
NetMeetingRemoteDesktopSharingService
Remote Access Auto Connection Manager Table: 8.45 Value: not defined
Remote Desktop Help Session Manager Table: 8.47 Value: disabled
RemoteDesktopHelpSessionManagerService
RoutingAndRemoteAccessService
SMTPService
SNMPService
SNMPTrap
SSDPService
TaskSchedulerService
Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) Table: 8.26 Value: not defined
Remote Registry service Table: 8.50 Value: not defined
Routing and Remote Access service Table: 8.52 Value: disabled
Simple Mail Transfer Protocol (SMTP) Table: 8.59 Value: disabled
Simple Network Management Protocol (SNMP) Service Table: 8.60 Value: disabled
Simple Network Management Protocol (SNMP) Trap Table: 8.61 Value: disabled
Simple Service Discovery Protocol (SSDP) Discovery Service Table: 8.62 Value: disabled
Task Scheduler service Table: 8.65 Value: disabled
TelnetService
TerminalServicesService
WWWPublishingServicesService
Telnet service Table: 8.68 Value: disabled
Terminal Services service Table: 8.69 Value: disabled
Universal Plug and Play Device Host Disabled Table: 8.73 Value: Not defined
UniversalPlugAndPlayDeviceHostService
World Wide Web Publishing Services Table: 8.85 Value: Disabled
AnonymousEnumerationOfAccounts
GuestAccountStatus
AdministratorAccountStatus
LogonMessageTitle
LogonMessageText
Network access: Do not allow anonymous enumeration of SAM accounts and shares Table: 5.45 Value: enabled
AnonymousEnumerationOfAccountsAndShares
Network access: Do not allow anonymous enumeration of SAM accounts Table: 5.44 Value: enabled
Network access: Allow anonymous SID/Name translation Table: 5.43 Value: disabled
Accounts: Guest account status Table: 5.2 Value: disabled
Accounts: Administrator account status Table: 5.1 Value: enabled
Interactive logon: Message title for users attempting to log on Table: 5.30 Value: <DoJ Approved>
Interactive logon: Message text for users attempting to log on Table: 5.29 Value: <DoJ approved>
MSS: (AutoShareWks) Enable Administrative Shares Table: 5.72 Value: not defined
AutomaticLogonDisabled
DisableAutorunForAllDrives
AllowICMPRedirectsDisabled
MSS: (AutoAdminLogon) Enable Automatic Logon Table: 5.70 Value: disabled
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash Table: 5.71 Value: not defined
MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives Table: 5.80 Value: 255
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Table: 5.76 Value: disabled
IPSourceRoutingProtectionLevel
RouterDiscovery
NoDefaultExemptForIPSecFiltering
HideFromBrowseList
AutomaticDetectionOfDeadGWs
KeepAliveTime
MSS: (DisableIPSourceRouting) IP source routing protection level Table: 5.73 Value: Highest protection, source routing is completely disabled
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses Table: 5.83 Value: enabled
MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering Table: 5.79 Value: Multicast, broadcast, and ISAKMP are exempt
Interactive logon: Do not display last user name Table: 5.27 Value: enabled
LastUserNameNotDisplayedForLogon
MSS: (Hidden) Hide Computer From the Browse List Table: 5.77 Value: enabled
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways Table: 5.75 Value: disabled
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds Table: 5.78 Value: 300,000ms (5 minutes)
NameReleaseRequests
SynAttackProtectionLevel
EventLogThresholdWarning
SafeDLLSearchMode
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Table: 5.81 Value: enabled
MSS: (SynAttackProtect) Syn attack protection level Table: 5.86 Value: Connections time out sooner if attack is detected (1)
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Table: 5.89 Value: 90
MSS: (DisableSavePassword) Prevent the dial-up password from being saved Table: 5.74 Value: not defined
MSS: (SafeDllSearchMode) Enable Safe DLL search mode Table: 5.84 Value: enabled
SessionTimeout
AuditAccessToGlobalObjects
Domain controller: Allow server operators to schedule tasks Table: 5.17 Value: not defined
Accounts: Rename administrator account Table: 5.4 Value: not defined
Accounts: Rename guest account Table: 5.5 Value: not defined
Microsoft network server: Amount of idle time required before suspending session Table: 5.39 Value: 15 minutes
Audit: Audit the access of global system objects Table: 5.6 Value: disabled
RequireCTRL_ALT_DEL
RecoveryConsoleAutoLogon
RecoveryConsoleFullSystemAccess
RecoveryConsoleFullSystemAccess
RestrictFloppyAccessDisabled
InternalSystemObjectsPermissions
Audit: Audit the use of backup and restore privilege Table: 5.7 Value: disabled
AuditBackupAndRestorePrivilegeDisabled
Interactive logon: Do not require CTRL+ALT+DEL Table: 5.28 Value: disabled
Network security: LAN Manager authentication level Table: 5.55 Value: Send NTLMv2 response only\refuse LM & NTLM or Send NTLMv2 response only\refuse LM
LANManagerAuthenticationRefuseLM, LANManagerAuthenticationRefuseLM_NTLM
Devices: Prevent users from installing printer drivers Table: 5.13 Value: enabled or disabled
PreventUsersFromInstallingPrinterDrivers
Recovery console: Allow automatic administrative logon Table: 5.59 Value: disabled
Recovery console: Allow floppy copy and access to all drives and all folders Table: 5.60 Value: disabled
Devices: Restrict CD-ROM access to locally logged-on user only Table: 5.14 Value: disabled
Devices: Restrict floppy access to locally logged-on user only Table: 5.15 Value: disabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) Table: 5.67 Value: enabled
RequireStrongSessionKey
UnencryptedSMBPasswords
UnsignedDriverInstallationWarning
PasswordExpirationPrompt
ShutdownWithoutLogon
ClearPagefileOnShutdown
ClientAlwaysSignCommunications
SignCommunicationsIfServerAgrees
ServerAlwaysSignCommunications
Domain member: Require strong (Windows 2000 or later) session key Table: 5.25 Value: enabled
Microsoft network client: Send unencrypted password to third-party SMB servers Table: 5.38 Value: disabled
Devices: Unsigned driver installation behavior Table: 5.16 Value: warn but allow installation
Interactive logon: Prompt user to change password before expiration Table: 5.32 Value: 14 days
Audit: Shut down system immediately if unable to log security audits Table: 5.8 Value: not defined
Shutdown: Allow system to be shut down without having to log on Table: 5.61 Value: disabled
Shutdown: Clear virtual memory pagefile Table: 5.62 Value: enabled
Microsoft network client: Digitally sign communications (always) Table: 5.36 Value: enabled
Microsoft network client: Digitally sign communications (if server agrees) Table: 5.37 Value: enabled
Microsoft network server: Digitally sign communications (always) Table: 5.40 Value: enabled
SignCommunicationsIfClientAgrees
PreviousLogonsCached
SmartCardRemoval
MachineAccountPasswordChanges
FIPSCompliantEncryption
Microsoft network server: Digitally sign communications (if client agrees) Table: 5.41 Value: enabled
Interactive logon: Number of previous logons to cache (in case domain controller is not available) Table: 5.31 Value: 0 logons or 2 logons
Devices: Allowed to format and eject removable media Table: 5.12 Value: Administrators or Administrators and interactive users
RestrictAccessToFormatAndEjectRemovableMediaAdministrators, RestrictAccessToFormatAndEjectRemovableMedia
Domain member: Digitally encrypt or sign secure channel data (always) Table: 5.20 Value: enabled
AlwaysDigitallyEncryptSecureChannelData
Domain member: Digitally encrypt secure channel data (when possible) Table: 5.21 Value: enabled
WhenPossibleDigitallyEncryptSecureChannelData
Domain member: Digitally sign secure channel data (when possible) Table: 5.22 Value: enabled
WhenPossibleDigitallySignSecureChannelData
Interactive logon: Smart card removal behavior Table: 5.35 Value: lock workstation
Domain member: Disable machine account password changes Table: 5.23 Value: disabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Table: 5.64 Value: enabled
RequireCaseInsensitivity
LimitBlankPasswordUse
AllowUndockWithoutLoginDisabled
LDAPClientSigningRequirements
LogonTimeExpiration
System objects: Default owner for objects created by members of the Administrators group Table: 5.65 Value: Object creator
AdministratorsGroupObjectCreatorOwner
System objects: Require case insensitivity for non-Windows subsystems Table: 5.66 Value: enabled
Accounts: Limit local account use of blank passwords to console logon only Table: 5.3 Value: enabled
Devices: Allow undock without having to logon Table: 5.11 Value: disabled
Domain controller: LDAP server signing requirements Table: 5.18 Value: not defined
Network security: LDAP client signing requirements Table: 5.56 Value: Negotiate signing
Domain controller: Refuse machine account password changes Table: 5.19 Value: not defined
Domain member: Maximum machine account password age Table: 5.24 Value: 30 days
MaximumMachineAccountPasswordAge
Interactive logon: Require Domain Controller authentication to unlock workstation Table: 5.33 Value: enabled or disabled
DomainControllerAuthenticationRequired
Microsoft network server: Disconnect clients when logon hours expire Table: 5.42 Value: enabled
CredentialsStorage
AnonymousUsersPermissions
AnonymouslyAccessedNamedPipes
RemotelyAccessibleRegistryPaths
AnonymouslyAccessedShares
LocalAccountsSecurityModel
LANManagerHashStorage
ForceLogoff
Network access: Do not allow storage of credentials or .NET Passports for network authentication Table: 5.46 Value: enabled
Network access: Let Everyone permissions apply to anonymous users Table: 5.47 Value: disabled
Network access: Named Pipes that can be accessed anonymously Table: 5.48 Value: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, browser
Network access: Remotely accessible registry paths Table: 5.49 Value: System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Control\Server Applications, System\CurrentControlSet\Services\
Network access: Shares that can be accessed anonymously Table: 5.51 Value: COMCFG, DFS$
Network access: Sharing and security model for local accounts Table: 5.52 Value: Classic - local users authenticate as themselves
Network security: Do not store LAN Manager hash value on next password change Table: 5.53 Value: enabled
Network security: Force logoff when logon hours expire Table: 5.54 Value: enabled
ScreenSaverGracePeriod
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients Table: 5.57 Value: Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption
NTLM_SSP_BasedClientsSessionSecurity
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Table: 5.58 Value: Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption
NTLM_SSP_BasedServersSessionSecurity
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires Table: 5.85 Value: 0
Create global objects Table: 4.12 Value: not defined
Impersonate a client after authentication Table: 4.23 Value: not defined
DCOM: Machine access of the global system objects Table: 5.9 Value: disabled
DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax Table: 5.10 Value: not defined
Interactive logon: Display user information when the session is locked Table: 5.26 Value: not defined
Interactive logon: Require smart card Table: 5.34 Value: not defined
TCPConnectionResponses
TCPMaxDataRetransmissions
BackupOperators
PowerUsers
RemoteDesktopUsers
Network access: Restrict anonymous access to named pipes and shares Table: 5.50 Value: not defined
System cryptography: Force strong key protection for user keys stored on the computer Table: 5.63 Value: not defined
System settings: optional subsystems Table: 5.68 Value: not defined
System settings: Use Certificate Rules on Windows Executables for Software Restriction Polices Table: 5.69 Value: not defined
MSS: (TCPMaxConnectResponseRetransmission) SYN-ACK retransmissions when a connection request is not acknowledged Table: 5.87 Value: 3 and 6 sec, half open connections dropped after 21 sec
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted Table: 5.88 Value: 3
Backup Operators Table: 7.1 Value: none
Power Users Table: 7.2 Value: none
Remote Desktop Users Table: 7.3 Value: none
Application Layer Gateway Service Table: 8.2 Value: not defined
Application Management Table: 8.3 Value: not defined
Cryptographic Services Table: 8.10 Value: not defined
DHCP Client Table: 8.11 Value: not defined
Distributed Link Tracking Client Table: 8.12 Value: not defined
Distributed Transaction Coordinator Table: 8.13 Value: not defined
DNS Client Table: 8.14 Value: not defined
Error Reporting Service Table: 8.15 Value: not defined
Event Log Table: 8.16 Value: not defined
Help and Support Table: 8.20 Value: not defined
Human Interface Device Access Table: 8.21 Value: not defined
IMAPI CD-Burning COM Service Table: 8.23 Value: not defined
Infrared Monitor Table: 8.25 Value: not defined
DDEService
DDEdsdmService
IPSEC Services Table: 8.27 Value: not defined
Logical Disk Manager Table: 8.28 Value: not defined
Logical Disk Manager Administrative Service Table: 8.29 Value: not defined
MS Software Shadow Copy Provider Table: 8.31 Value: not defined
Network Connections Table: 8.34 Value: not defined
Network Dynamic Data Exchange (DDE) Table: 8.35 Value: not defined
Network DDE DDE Share Database Manager (DSDM) Table: 8.36 Value: not defined
Network Location Awareness (NLA) Table: 8.37 Value: not defined
NT LM Security Support Provider Table: 8.38 Value: not defined
Performance Logs and Alerts Table: 8.39 Value: not defined
Portable Media Serial Number Service Table: 8.41 Value: not defined
Protected Storage Table: 8.43 Value: not defined
RasManService
QoS RSVP Table: 8.44 Value: not defined
Remote Access Connection Manager Table: 8.46 Value: not defined
Remote Procedure Call (RPC) Table: 8.48 Value: not defined
Remote Procedure Call (RPC) Locator Table: 8.49 Value: not defined
Removable Storage Table: 8.51 Value: not defined
Secondary Logon Table: 8.53 Value: not defined
Security Accounts Manager Table: 8.54 Value: not defined
Server Table: 8.55 Value: not defined
Smart Card Table: 8.57 Value: not defined
Smart Card Helper Table: 8.58 Value: not defined
System Event Notification Table: 8.63 Value: not defined
System Restore Service Table: 8.64 Value: not defined
TCP/IP NetBIOS Helper Table: 8.66 Value: not defined
Telephony Table: 8.67 Value: not defined
Themes Table: 8.70 Value: not defined
Uninterruptable Power Supply Table: 8.71 Value: not defined
Upload Manager Table: 8.72 Value: not defined
Volume Shadow Copy Table: 8.74 Value: not defined
Webclient Table: 8.75 Value: not defined
Windows Audio Table: 8.76 Value: not defined
Windows Image Acquisition (WIA) Table: 8.77 Value: not defined
Windows Installer Table: 8.78 Value: not defined
Windows Management Instrumentation Table: 8.79 Value: not defined
Windows Management Instrumentation Driver Extensions Table: 8.80 Value: not defined
Windows Time Table: 8.81 Value: not defined
Disable8Dot3NameCreation
Wireless Zero Configuration Table: 8.82 Value: not defined
WMI Performance Adapter Table: 8.83 Value: not defined
Workstation Table: 8.84 Value: not defined
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames. Table: 5.82 Value: enabled
5.2.1.1.2.4 Allow remote administration exception (SP2 only)
5.2.1.1.2.7 Allow Remote Desktop exception (SP2 only)
NIST 800-68 Windows XP OVAL (NIST-800-68-53-WinXPPro_OVAL_10102006.xml)
FDCC Windows XP XCCDF (fdcc-accepted-content-20080110\fdcc-winxp-xccdf.xml)
FDCC Windows XP OVAL (fdcc-accepted-content-20080110\fdcc-winxp-oval.xml)
oval:gov.nist.1:def:146 regedit.exePermissions oval:gov.nist.fdcc.xp:def:146
oval:gov.nist.1:def:128 arp.exePermissions oval:gov.nist.fdcc.xp:def:128
oval:gov.nist.1:def:129 at.exePermissions oval:gov.nist.fdcc.xp:def:129
oval:gov.nist.1:def:130 attrib.exePermissions oval:gov.nist.fdcc.xp:def:130
oval:gov.nist.1:def:131 cacls.exePermissions oval:gov.nist.fdcc.xp:def:131
oval:gov.nist.1:def:133 edlin.exePermissions oval:gov.nist.fdcc.xp:def:133
oval:gov.nist.1:def:134 eventcreate.exePermissions oval:gov.nist.fdcc.xp:def:134
oval:gov.nist.1:def:135 eventtriggers.exePermissions oval:gov.nist.fdcc.xp:def:135
oval:gov.nist.1:def:136
oval:gov.nist.1:def:137
oval:gov.nist.1:def:138 net.exePermissions oval:gov.nist.fdcc.xp:def:138
oval:gov.nist.1:def:139 net1.exePermissions oval:gov.nist.fdcc.xp:def:139
oval:gov.nist.1:def:140 netsh.exePermissions oval:gov.nist.fdcc.xp:def:140
oval:gov.nist.1:def:141
oval:gov.nist.1:def:142
oval:gov.nist.1:def:143
oval:gov.nist.1:def:144 rcp.exePermissions oval:gov.nist.fdcc.xp:def:144
oval:gov.nist.1:def:145 reg.exePermissions oval:gov.nist.fdcc.xp:def:145
oval:gov.nist.1:def:147 regedt32.exePermissions oval:gov.nist.fdcc.xp:def:147
oval:gov.nist.1:def:148 regini.exePermissions oval:gov.nist.fdcc.xp:def:148
oval:gov.nist.1:def:149 regsvr32.exePermissions oval:gov.nist.fdcc.xp:def:149
oval:gov.nist.1:def:150 rexec.exePermissions oval:gov.nist.fdcc.xp:def:150
oval:gov.nist.1:def:151 route.exePermissions oval:gov.nist.fdcc.xp:def:151
oval:gov.nist.1:def:152 rsh.exePermissions oval:gov.nist.fdcc.xp:def:152
oval:gov.nist.1:def:153 sc.exePermissions oval:gov.nist.fdcc.xp:def:153
oval:gov.nist.1:def:154 secedit.exePermissions oval:gov.nist.fdcc.xp:def:154
oval:gov.nist.1:def:155 subst.exePermissions oval:gov.nist.fdcc.xp:def:155
oval:gov.nist.1:def:156 systeminfo.exePermissions oval:gov.nist.fdcc.xp:def:156
oval:gov.nist.1:def:157
oval:gov.nist.1:def:158 tftp.exePermissions oval:gov.nist.fdcc.xp:def:158
oval:gov.nist.1:def:159 tlntsvr.exePermissions oval:gov.nist.fdcc.xp:def:159
oval:gov.nist.1:def:175 oval:gov.nist.fdcc.xp:def:175
oval:gov.nist.fdcc.xp:def:161
oval:gov.nist.1:def:162 oval:gov.nist.fdcc.xp:def:162
oval:gov.nist.fdcc.xp:def:167
oval:gov.nist.1:def:168 oval:gov.nist.fdcc.xp:def:168
oval:gov.nist.1:def:169 oval:gov.nist.fdcc.xp:def:169
DenyAccessFromNetwork-Guests-SUPPORT_388945a0
oval:gov.nist.1:def:161, oval:gov.nist.1:def:231
AccessComputerFromNetwork_Administrators
ActAsPartOfOperatingSystem_None
oval:gov.nist.1:def:167, oval:gov.nist.1:def:234
BackUpFilesAndDirectories_Administrators
BypassTraverseChecking_Administrators_Users
ChangeSystemTime_Administrators
oval:gov.nist.1:def:170 CreatePagefile_Administrators oval:gov.nist.fdcc.xp:def:170
oval:gov.nist.1:def:171 CreateTokenObject_None oval:gov.nist.fdcc.xp:def:171
oval:gov.nist.1:def:172 oval:gov.nist.fdcc.xp:def:172
oval:gov.nist.1:def:173 oval:gov.nist.fdcc.xp:def:174
oval:gov.nist.1:def:180 oval:gov.nist.fdcc.xp:def:180
oval:gov.nist.1:def:181 oval:gov.nist.fdcc.xp:def:181
oval:gov.nist.1:def:164 oval:gov.nist.fdcc.xp:def:164
oval:gov.nist.1:def:182 oval:gov.nist.fdcc.xp:def:182
oval:gov.nist.1:def:183 oval:gov.nist.fdcc.xp:def:183
oval:gov.nist.1:def:184 LockPagesInMemory_None oval:gov.nist.fdcc.xp:def:184
oval:gov.nist.1:def:185 LogOnAsBatchJob_None oval:gov.nist.fdcc.xp:def:185
oval:gov.nist.1:def:186 oval:gov.nist.fdcc.xp:def:186
CreatePermanentSharedObjects_None
DebugPrograms_Administrators
ShutdownFromRemoteSystem_Administrators
GenerateSecurityAudits-LOCAL_SERVICE-NETWORK_SERVICE
AdjustMemoryQuotas_Administrators-LOCAL_SERVICE-NETWORK_SERVICE
IncreaseSchedulingPriority_Administrators
LoadAndUnloadDeviceDrivers_Administrators
LogOnAsService-LOGON_SERVICE-NETWORK_SERVICE
oval:gov.nist.fdcc.xp:def:165
oval:gov.nist.fdcc.xp:def:187
oval:gov.nist.1:def:188 oval:gov.nist.fdcc.xp:def:188
oval:gov.nist.1:def:190 oval:gov.nist.fdcc.xp:def:190
oval:gov.nist.1:def:191 oval:gov.nist.fdcc.xp:def:191
oval:gov.nist.fdcc.xp:def:192
oval:gov.nist.1:def:193 oval:gov.nist.fdcc.xp:def:193
oval:gov.nist.1:def:194 oval:gov.nist.fdcc.xp:def:194
oval:gov.nist.1:def:195 oval:gov.nist.fdcc.xp:def:195
oval:gov.nist.1:def:196 oval:gov.nist.fdcc.xp:def:196
oval:gov.nist.1:def:238 oval:gov.nist.fdcc.xp:def:238
oval:gov.nist.1:def:165, oval:gov.nist.1:def:233
LogOnLocally_Administrators_Users
oval:gov.nist.1:def:187, oval:gov.nist.1:def:235
ManageAuditingAndSecurityLog_Administrators
ModifyFirmwareEnvironmentValues_Administrators
ProfileSingleProcess_Administrators
ProfileSystemPerformance_Administrators
oval:gov.nist.1:def:192, oval:gov.nist.1:def:236
RemoveComputerFromDockingStation_Administrators_Users
ReplaceProcessLevelToken-LOGON_SERVICE-NETWORK_SERVICE
RestoreFilesAndDirectories_Administrators
ShutDownSystem_Administrators_Users
TakeOwnershipOfFiles_Administrators
SynchronizeDirectoryServiceData_None
oval:gov.nist.1:def:177 oval:gov.nist.fdcc.xp:def:177
oval:gov.nist.1:def:179
oval:gov.nist.1:def:166 oval:gov.nist.fdcc.xp:def:1662
oval:gov.nist.1:def:176 oval:gov.nist.fdcc.xp:def:176
*** deny_logon_as_service_none oval:gov.nist.fdcc.xp:def:677
oval:gov.nist.1:def:178 oval:gov.nist.fdcc.xp:def:1781
oval:gov.nist.1:def:189 oval:gov.nist.fdcc.xp:def:189
oval:gov.nist.1:def:26 account_lockout_reset oval:gov.nist.fdcc.xp:def:26
oval:gov.nist.1:def:23 account_lockout_duration oval:gov.nist.fdcc.xp:def:23
oval:gov.nist.1:def:24 account_lockout_threshold oval:gov.nist.fdcc.xp:def:24
oval:gov.nist.1:def:27 AuditAccountLogonEvents oval:gov.nist.fdcc.xp:def:27
DenyLogonLocally-Guests-SUPPORT_388945a0
oval:gov.nist.1:def:163, oval:gov.nist.1:def:232
AllowLogOnThroughTerminalServices_Administrators-RemoteDesktopUsers
DenyLogonAsBatchJob-Guests-SUPPORT_388945a0
DenyLogonThroughTerminalServices-Guests
PerformVolumeMaintenanceTasks_Administrators
oval:gov.nist.1:def:27 AuditAccountLogonEvents oval:gov.nist.fdcc.xp:def:27
oval:gov.nist.1:def:29 AuditAccountManagement oval:gov.nist.fdcc.xp:def:29
oval:gov.nist.1:def:29 AuditAccountManagement oval:gov.nist.fdcc.xp:def:29
Not applicable AuditDirectoryServiceAccess oval:gov.nist.fdcc.xp:def:30
Not applicable AuditDirectoryServiceAccess oval:gov.nist.fdcc.xp:def:30
oval:gov.nist.1:def:32 AuditLogonEvents oval:gov.nist.fdcc.xp:def:32
oval:gov.nist.1:def:32 AuditLogonEvents oval:gov.nist.fdcc.xp:def:32
oval:gov.nist.1:def:34 AuditObjectAccess oval:gov.nist.fdcc.xp:def:34
oval:gov.nist.1:def:34 AuditObjectAccess oval:gov.nist.fdcc.xp:def:34
oval:gov.nist.1:def:35 AuditPolicyChange oval:gov.nist.fdcc.xp:def:35
oval:gov.nist.1:def:35 AuditPolicyChange oval:gov.nist.fdcc.xp:def:35
oval:gov.nist.1:def:36 AuditPrivilegeUse oval:gov.nist.fdcc.xp:def:36
oval:gov.nist.1:def:36 AuditPrivilegeUse oval:gov.nist.fdcc.xp:def:36
oval:gov.nist.1:def:40 AuditProcessTracking oval:gov.nist.fdcc.xp:def:40
oval:gov.nist.1:def:40 AuditProcessTracking oval:gov.nist.fdcc.xp:def:40
oval:gov.nist.1:def:37 AuditSystemEvents oval:gov.nist.fdcc.xp:def:37
oval:gov.nist.1:def:37 AuditSystemEvents oval:gov.nist.fdcc.xp:def:37
oval:gov.nist.1:def:200 oval:gov.nist.fdcc.xp:def:200
oval:gov.nist.1:def:197 oval:gov.nist.fdcc.xp:def:197
retention_application_log oval:gov.nist.fdcc.xp:def:203
oval:gov.nist.1:def:203
prevent_guest_application_log_access
maximum_application_log_size
oval:gov.nist.1:def:201 oval:gov.nist.fdcc.xp:def:201
oval:gov.nist.1:def:198 maximum_security_log_size oval:gov.nist.fdcc.xp:def:198
retention_security_log oval:gov.nist.fdcc.xp:def:204
oval:gov.nist.1:def:204
oval:gov.nist.1:def:202 oval:gov.nist.fdcc.xp:def:202
oval:gov.nist.1:def:199 maximum_system_log_size oval:gov.nist.fdcc.xp:def:199
retention_system_log oval:gov.nist.fdcc.xp:def:205
oval:gov.nist.1:def:205
oval:gov.nist.1:def:17 maximum_password_age oval:gov.nist.fdcc.xp:def:17
oval:gov.nist.1:def:18 minimum_password_age oval:gov.nist.fdcc.xp:def:18
prevent_guest_security_log_access
prevent_guest_system_log_access
oval:gov.nist.1:def:19 minimum_password_length oval:gov.nist.fdcc.xp:def:19
oval:gov.nist.1:def:21 password_complexity oval:gov.nist.fdcc.xp:def:21
oval:gov.nist.1:def:16 oval:gov.nist.fdcc.xp:def:16
oval:gov.nist.1:def:22 oval:gov.nist.fdcc.xp:def:22
oval:gov.nist.1:def:209 AlerterService oval:gov.nist.fdcc.xp:def:209
***
*** BITSService oval:gov.nist.fdcc.xp:def:6132
oval:gov.nist.1:def:210 ClipBookService oval:gov.nist.fdcc.xp:def:210
oval:gov.nist.1:def:211 ComputerBrowserService oval:gov.nist.fdcc.xp:def:211
oval:gov.nist.fdcc.xp:def:2121
password_history_enforcement
PasswordStorageReversibleEncryption
FastUserSwitchingCompatibilityService
oval:gov.nist.1:def:212 FaxService oval:gov.nist.fdcc.xp:def:212
oval:gov.nist.1:def:213 FTPPublishingService oval:gov.nist.fdcc.xp:def:213
oval:gov.nist.1:def:214
oval:gov.nist.1:def:215 IndexingService oval:gov.nist.fdcc.xp:def:215
oval:gov.nist.1:def:216 oval:gov.nist.fdcc.xp:def:6601
oval:gov.nist.1:def:217 oval:gov.nist.fdcc.xp:def:6595
oval:gov.nist.1:def:218
Do-not-allow-Windows-Messenger-to-be-run
disable_remote_desktop_sharing
oval:gov.nist.1:def:219 oval:gov.nist.fdcc.xp:def:219
oval:gov.nist.1:def:220
oval:gov.nist.1:def:221
oval:gov.nist.1:def:222
oval:gov.nist.1:def:223 SSDPService oval:gov.nist.fdcc.xp:def:223
oval:gov.nist.1:def:224 TaskSchedulerService oval:gov.nist.fdcc.xp:def:224
prohibit_internet_connection_sharing
oval:gov.nist.fdcc.xp:def:3366993
RoutingAndRemoteAccessService
oval:gov.nist.1:def:225 TelnetService oval:gov.nist.fdcc.xp:def:225
oval:gov.nist.1:def:226 TerminalServicesService oval:gov.nist.fdcc.xp:def:226
oval:gov.nist.1:def:227 oval:gov.nist.fdcc.xp:def:227
oval:gov.nist.1:def:228 oval:gov.nist.fdcc.xp:def:228
UniversalPlugAndPlayDeviceHostService
WWWPublishingServicesService
oval:gov.nist.1:def:88 oval:gov.nist.fdcc.xp:def:88
oval:gov.nist.1:def:87 oval:gov.nist.fdcc.xp:def:87
oval:gov.nist.fdcc.xp:def:77
oval:gov.nist.1:def:243 GuestAccountStatus oval:gov.nist.fdcc.xp:def:243
oval:gov.nist.1:def:242
oval:gov.nist.1:def:71 LogonMessageTitle oval:gov.nist.fdcc.xp:def:71
oval:gov.nist.1:def:70 LogonMessageText oval:gov.nist.fdcc.xp:def:70
AnonymousEnumerationOfAccountsAndShares
AnonymousEnumerationOfAccounts
anonymous_sid_name_translation
oval:gov.nist.1:def:110 AutomaticLogonDisabled oval:gov.nist.fdcc.xp:def:110
DisableAutorunForAllDrives oval:gov.nist.fdcc.xp:def:117
oval:gov.nist.1:def:113 AllowICMPRedirectsDisabled oval:gov.nist.fdcc.xp:def:113
oval:gov.nist.1:def:111 oval:gov.nist.fdcc.xp:def:111
oval:gov.nist.1:def:121 RouterDiscovery oval:gov.nist.fdcc.xp:def:121
oval:gov.nist.1:def:116 oval:gov.nist.fdcc.xp:def:116
oval:gov.nist.1:def:117
oval:gov.nist.1:def:68 oval:gov.nist.fdcc.xp:def:68
oval:gov.nist.1:def:114 HideFromBrowseList oval:gov.nist.fdcc.xp:def:114
oval:gov.nist.1:def:112 oval:gov.nist.fdcc.xp:def:112
oval:gov.nist.1:def:115 KeepAliveTime oval:gov.nist.fdcc.xp:def:115
IPSourceRoutingProtectionLevel
NoDefaultExemptForIPSecFiltering
LastUserNameNotDisplayedForLogon
AutomaticDetectionOfDeadGWs
oval:gov.nist.1:def:118 NameReleaseRequests oval:gov.nist.fdcc.xp:def:118
EnablePMTUDiscovery oval:gov.nist.fdcc.xp:def:407
oval:gov.nist.1:def:124 SynAttackProtectionLevel oval:gov.nist.fdcc.xp:def:124
oval:gov.nist.1:def:127 EventLogThresholdWarning oval:gov.nist.fdcc.xp:def:127
oval:gov.nist.1:def:122 SafeDLLSearchMode oval:gov.nist.fdcc.xp:def:122
Always-Use-Classic-Logon oval:gov.nist.fdcc.xp:def:6686
RenameAdministrator oval:gov.nist.fdcc.xp:def:6022
RenameGuest oval:gov.nist.fdcc.xp:def:6023
oval:gov.nist.1:def:83 session_timeout oval:gov.nist.fdcc.xp:def:83
oval:gov.nist.1:def:45 AuditAccessToGlobalObjects oval:gov.nist.fdcc.xp:def:45
prohibit_installation_network_bridge
oval:gov.nist.fdcc.xp:def:3366991
AllowServerOperatorsToScheduleTasks
oval:gov.nist.fdcc.xp:def:608240
oval:gov.nist.1:def:52 oval:gov.nist.fdcc.xp:def:52
oval:gov.nist.1:def:69 RequireCTRL_ALT_DEL oval:gov.nist.fdcc.xp:def:69
oval:gov.nist.fdcc.xp:def:96
oval:gov.nist.1:def:56 oval:gov.nist.fdcc.xp:def:56
oval:gov.nist.1:def:101 RecoveryConsoleAutoLogon oval:gov.nist.fdcc.xp:def:101
oval:gov.nist.1:def:102 oval:gov.nist.fdcc.xp:def:102
oval:gov.nist.1:def:102 RestrictCDROMAccess oval:gov.nist.fdcc.xp:def:58
oval:gov.nist.1:def:59 RestrictFloppyAccess oval:gov.nist.fdcc.xp:def:59
oval:gov.nist.1:def:109 oval:gov.nist.fdcc.xp:def:109
AuditBackupAndRestorePrivilege
oval:gov.nist.1:def:97, oval:gov.nist.1:def:96
LANManagerAuthenticationLevel-RefuseLM_NTLM
PreventUsersFromInstallingPrinterDrivers
RecoveryConsoleFullSystemAccess
InternalSystemObjectsPermissions
oval:gov.nist.1:def:66 require_strong_session_key oval:gov.nist.fdcc.xp:def:66
oval:gov.nist.1:def:82 unencrypted_smb_passwords oval:gov.nist.fdcc.xp:def:82
oval:gov.nist.1:def:60 oval:gov.nist.fdcc.xp:def:60
oval:gov.nist.1:def:74 password_expiration_prompt oval:gov.nist.fdcc.xp:def:74
oval:gov.nist.fdcc.xp:def:6027
oval:gov.nist.1:def:103 shutdown_without_logon oval:gov.nist.fdcc.xp:def:103
oval:gov.nist.1:def:104 ClearPagefileOnShutdown oval:gov.nist.fdcc.xp:def:104
oval:gov.nist.1:def:79 oval:gov.nist.fdcc.xp:def:79
oval:gov.nist.1:def:81 oval:gov.nist.fdcc.xp:def:81
oval:gov.nist.1:def:84 oval:gov.nist.fdcc.xp:def:84
UnsignedDriverInstallationBehavior
ShutDownIfUnableToLogSecurityAudits
client_always_sign_communications
SignCommunicationsIfServerAgrees
server_always_sign_communications
oval:gov.nist.1:def:85 oval:gov.nist.fdcc.xp:def:85
oval:gov.nist.1:def:72 previous_logons_cached oval:gov.nist.fdcc.xp:def:72
oval:gov.nist.1:def:61 oval:gov.nist.fdcc.xp:def:61
oval:gov.nist.1:def:62 oval:gov.nist.fdcc.xp:def:62
oval:gov.nist.1:def:63 oval:gov.nist.fdcc.xp:def:63
oval:gov.nist.1:def:78 smart_card_removal oval:gov.nist.fdcc.xp:def:78
oval:gov.nist.1:def:64 oval:gov.nist.fdcc.xp:def:64
oval:gov.nist.1:def:105 FIPSCompliantEncryption oval:gov.nist.fdcc.xp:def:105
SignCommunicationsIfClientAgrees
oval:gov.nist.1:def:43, oval:gov.nist.1:def:44
always_digitally_encrypt_secure_channel_data
WhenPossibleDigitallyEncryptSecureChannelData
WhenPossibleDigitallySignSecureChannelData
MachineAccountPasswordChanges
oval:gov.nist.1:def:106 oval:gov.nist.fdcc.xp:def:106
oval:gov.nist.1:def:107 RequireCaseInsensitivity oval:gov.nist.fdcc.xp:def:107
oval:gov.nist.1:def:42 LimitBlankPassword oval:gov.nist.fdcc.xp:def:42
oval:gov.nist.1:def:53 AllowUndockWithoutLogin oval:gov.nist.fdcc.xp:def:53
oval:gov.nist.1:def:98 oval:gov.nist.fdcc.xp:def:98
oval:gov.nist.1:def:65 oval:gov.nist.fdcc.xp:def:65
oval:gov.nist.1:def:75 oval:gov.nist.fdcc.xp:def:75
oval:gov.nist.1:def:86 LogonTimeExpiration oval:gov.nist.fdcc.xp:def:86
AdministratorsGroupObjectCreatorOwner
LDAPServerSigningRequirements
oval:gov.nist.fdcc.xp:def:608241
LDAPClientSigningRequirements
RefuseMachineAccountPasswordChanges
oval:gov.nist.fdcc.xp:def:608242
maximum_machine_account_password_age
domain_controller_authentication_required
oval:gov.nist.1:def:89 CredentialsStorage oval:gov.nist.fdcc.xp:def:89
oval:gov.nist.1:def:90 AnonymousUsersPermissions oval:gov.nist.fdcc.xp:def:90
oval:gov.nist.1:def:91 oval:gov.nist.fdcc.xp:def:91
oval:gov.nist.1:def:92 oval:gov.nist.fdcc.xp:def:92
oval:gov.nist.1:def:93 AnonymouslyAccessedShares oval:gov.nist.fdcc.xp:def:93
oval:gov.nist.1:def:94 LocalAccountsSecurityModel oval:gov.nist.fdcc.xp:def:94
oval:gov.nist.1:def:95 LANManagerHashStorage oval:gov.nist.fdcc.xp:def:95
oval:gov.nist.1:def:244 ForceLogoff oval:gov.nist.fdcc.xp:def:244
AnonymouslyAccessedNamedPipes
RemotelyAccessibleRegistryPaths
oval:gov.nist.1:def:99 oval:gov.nist.fdcc.xp:def:99
oval:gov.nist.1:def:100 oval:gov.nist.fdcc.xp:def:100
oval:gov.nist.1:def:123 Screen-Saver-timeout oval:gov.nist.fdcc.xp:def:6708
ntlm_ssp_based_client_session_security
ntlm_ssp_based_servers_session_security
oval:gov.nist.fdcc.xp:def:6120
oval:gov.nist.fdcc.xp:def:6121
prevent_automatic_updates
Disable-IE-security-prompt-Windows-Installer-scripts
Enable-User-Control-over-installs
oval:gov.nist.fdcc.xp:def:612261222
oval:gov.nist.fdcc.xp:def:6600
oval:gov.nist.fdcc.xp:def:6726
oval:gov.nist.fdcc.xp:def:6725
solicited_remote_assistance oval:gov.nist.fdcc.xp:def:6564
offer_remote_assistance oval:gov.nist.fdcc.xp:def:6563
set-client-connection-encryption-level
set-timelimit-for-disconnected-sessions
set-timelimit-for-active-but-idle-TerminalServices-sessions
oval:gov.nist.fdcc.xp:def:6683
oval:gov.nist.fdcc.xp:def:6626
oval:gov.nist.fdcc.xp:def:6640
MachineAccessRestrictions
MachineLaunchRestrictions
RequireSmartCard oval:gov.nist.fdcc.xp:def:6082
turn_off_windows_error_reporting
kerberos_enforce_user_logon_restrictions
oval:gov.nist.fdcc.xp:def:987651
kerberos_maximum_lifetime_service_ticket
oval:gov.nist.fdcc.xp:def:987652
kerberos_maximum_lifetime_user_ticket
oval:gov.nist.fdcc.xp:def:987653
kerberos_maximum_lifetime_user_ticket_renewal
oval:gov.nist.fdcc.xp:def:987654
kerberos_maximum_tolerance_computer_clock_synchronization
oval:gov.nist.fdcc.xp:def:987655
Create-Global-Objects_Administrators-SERVICE-LocalService-NetworkService
ImpersonateClientAfterAuthentication-SERVICE_Administrators
oval:gov.nist.fdcc.xp:def:608243
oval:gov.nist.fdcc.xp:def:608244
oval:gov.nist.1:def:125 TCPConnectionResponses oval:gov.nist.fdcc.xp:def:125
oval:gov.nist.1:def:126 TCPMaxDataRetransmissions oval:gov.nist.fdcc.xp:def:126
oval:gov.nist.1:def:206
oval:gov.nist.1:def:207
oval:gov.nist.1:def:208
oval:gov.nist.1:def:245 NetworkDDEService oval:gov.nist.fdcc.xp:def:245
oval:gov.nist.1:def:246 NetworkDDEdsdmService oval:gov.nist.fdcc.xp:def:246
Wireless-Zero-Configuration oval:gov.nist.fdcc.xp:def:2881
WMIPerformanceAdapter oval:gov.nist.fdcc.xp:def:6719
oval:gov.nist.1:def:119 Disable8Dot3NameCreation oval:gov.nist.fdcc.xp:def:119
oval:gov.nist.fdcc.xp:def:6566
oval:gov.nist.fdcc.xp:def:6565
rpc_endpoint_mapper_client_authentication
Restrictions-for-Unauthenticated-RPC-clients
mshta.exe-permissions oval:gov.nist.fdcc.xp:def:1351
oval:gov.nist.fdcc.xp:def:6662
display_error_notification
turn_off_microsoft_peer_to_peer_networking_services
prohibit_internet_connection_firewall
oval:gov.nist.fdcc.xp:def:3366992
oval:gov.nist.fdcc.xp:def:3366994
oval:gov.nist.fdcc.xp:def:6671
registry_policy_processing oval:gov.nist.fdcc.xp:def:6672
oval:gov.nist.fdcc.xp:def:6674
oval:gov.nist.fdcc.xp:def:6572
oval:gov.nist.fdcc.xp:def:6675
oval:gov.nist.fdcc.xp:def:6679
oval:gov.nist.fdcc.xp:def:6568
oval:gov.nist.fdcc.xp:def:6680
Turn-off-printing-over-HTTP oval:gov.nist.fdcc.xp:def:6571
oval:gov.nist.fdcc.xp:def:6681
internet_explorer_maintenance_policy_processing_enabled
Turn-Off-Automatic-Root-Certificates-Update
Turn-off-downloading-of-print-drivers-over-HTTP
Turn-Off-Event-Views-Events.asp-Links
Turn-Off-Internet-Connection-Wizard-if-URL-Connection-is-Referring-to-Microsoft.com
Turn-off-Internet-download-for-Web-publishing-and-online-ordering-wizards
Turn-Off-Internet-File-Association-Service
Turn-Off-Registration-if-URL-Connection-is-Referring-to-Microsoft.com
oval:gov.nist.fdcc.xp:def:6570
oval:gov.nist.fdcc.xp:def:6682
oval:gov.nist.fdcc.xp:def:6567
oval:gov.nist.fdcc.xp:def:6569
oval:gov.nist.fdcc.xp:def:6696
oval:gov.nist.fdcc.xp:def:6684
oval:gov.nist.fdcc.xp:def:6697
oval:gov.nist.fdcc.xp:def:6573
oval:gov.nist.fdcc.xp:def:6561
oval:gov.nist.fdcc.xp:def:6687
Prevent-IIS-Installation oval:gov.nist.fdcc.xp:def:6107
Turn-off-Search-Companion-content-file-updates
Turn-Off-the-Order-Prints-Picture-Task
Turn-off-the-Publish-to-Web-task-for-files-and-folders
Turn-off-the-Windows-Messenger-Customer-Experience-Improvement-Program
Turn-Off-Windows-Movies-Maker-Automatic-Codec-Downloads
Turn-Off-Windows-Movie-Maker-Online-Web-Links
turn_off_windows_movie_maker_saving_to_online_video_hosting_provider
Turn-off-Windows-Update-device-driver-searching
Do-Not-Process-Run-Once-List
Do-Not-Display-the-Getting-Started-Welcome-Screen-at-Logon
oval:gov.nist.fdcc.xp:def:6110
oval:gov.nist.fdcc.xp:def:6596
oval:gov.nist.fdcc.xp:def:6119
oval:gov.nist.fdcc.xp:def:6122
oval:gov.nist.fdcc.xp:def:6707
oval:gov.nist.fdcc.xp:def:6714
oval:gov.nist.fdcc.xp:def:6502
oval:gov.nist.fdcc.xp:def:6503
oval:gov.nist.fdcc.xp:def:6504
Turn-off-downloading-enclosures
do_not_allow_passwords_to_be_saved
turn_off_shell_protocol_protected_mode
prohibit_non_administrators_install_signed_updates
do_not_show_first_use_dialog_boxes
oval:gov.nist.fdcc.xp:def:612261221
prevent_desktop_shortcut_creation
oval:gov.nist.fdcc.xp:def:612261223
password_protect_the_screen_saver
prompt_for_password_on_resume_from_hibernate_suspend
do_not_preserve_zone_information_in_file_attachments
hide_mechanisms_to_remove_zone_information
notify_antivirus_programs_when_opening_attachments
FDCC Windows XP Firewall XCCDF (fdcc-accepted-content-20080110\fdcc-xpfirewall-xccdf.xml)
FDCC Windows XP Firewall OVAL (fdcc-accepted-content-20080110\fdcc-xpfirewall-oval.xml)
protect_all_network_connections_domain_profile
oval:gov.nist.fdcc.xpfirewall:def:5000
allow_local_program_exceptions_domain_profile
oval:gov.nist.fdcc.xpfirewall:def:5003
allow_remote_administration_exceptions_domain_profile
oval:gov.nist.fdcc.xpfirewall:def:5004
allow_file_print_sharing_exceptions_domain_profile
oval:gov.nist.fdcc.xpfirewall:def:5005
allow_icm_exceptions_domain_profile
oval:gov.nist.fdcc.xpfirewall:def:5006
allow_remote_desktop_exceptions_domain_profile
oval:gov.nist.fdcc.xpfirewall:def:5007
allow_upnp_framework_exceptions_domain_profile
oval:gov.nist.fdcc.xpfirewall:def:5008
prohibit_notifications_domain_profile
oval:gov.nist.fdcc.xpfirewall:def:5009
allow_logging_log_dropped_packets_domain_profile
oval:gov.nist.fdcc.xpfirewall:def:5014
allow_logging_log_path_domain_profile
oval:gov.nist.fdcc.xpfirewall:def:5017
allow_logging_log_size_domain_profile
oval:gov.nist.fdcc.xpfirewall:def:5016
allow_logging_log_successful_connections_domain_profile
oval:gov.nist.fdcc.xpfirewall:def:5015
prohibit_unicast_response_to_multicast_or_broadcast_requests_domain_profile
oval:gov.nist.fdcc.xpfirewall:def:5011
define_port_exceptions_domain_profile
oval:gov.nist.fdcc.xpfirewall:def:6008
allow_local_port_exceptions_domain_profile
oval:gov.nist.fdcc.xpfirewall:def:5013
ProtectAllNetworkConnectionsStandardProfile
oval:gov.nist.fdcc.xpfirewall:def:5100
DoNotAllowExceptionsStandardProfile
oval:gov.nist.fdcc.xpfirewall:def:5101
AllowLocalProgramExceptionsStandardProfile
oval:gov.nist.fdcc.xpfirewall:def:5103
AllowRemoteAdministrationExceptionsStandardProfile
oval:gov.nist.fdcc.xpfirewall:def:51041
AllowFilePrintSharingExceptionsStandardProfile
oval:gov.nist.fdcc.xpfirewall:def:5105
AllowICMPExceptionsStandardProfile
oval:gov.nist.fdcc.xpfirewall:def:5106
AllowRemoteDesktopExceptionsStandardProfile
oval:gov.nist.fdcc.xpfirewall:def:5107
AllowUPnPframeworkExceptionsStandardProfile
oval:gov.nist.fdcc.xpfirewall:def:5108
ProhibitNotificationsStandardProfile
oval:gov.nist.fdcc.xpfirewall:def:5109
ProhibitUnicastResponseToMulticastOrBroadcastRequestsStandardProfile
oval:gov.nist.fdcc.xpfirewall:def:5111
AllowLocalPortExceptionsStandardProfile
oval:gov.nist.fdcc.xpfirewall:def:5113