diff --git a/announcements.md b/announcements.md index a4cfc88a..729af1f5 100644 --- a/announcements.md +++ b/announcements.md @@ -2,6 +2,7 @@ |
Date
| Announcement | | --- | --- | +| 02 June 2025 | **SEED onboarding issue**

Please note that we are aware of the issue where users are encountering errors while onboarding devices to SEED.

The SEED support team is actively investigating and working towards resolving the issue. We will provide timely updates as progress is made.

**Impact:**
- Users may experience failures or errors during the onboarding process.

For assistance or to report issues, please contact **enquiries_seed@tech.gov.sg**. | | 21 May 2025 | SEED team will be conducting scheduled server maintenance on **21 May 2025, Wednesday, from 6:00 PM SGT onwards**.

This was previously announced via email broadcast on 8 May and published on the documentation portal.

**Impact:**
- Users onboarding to SEED may experience intermittent errors or delays.
- Users are advised not to onboard during this window or within 30 minutes prior.

For more assistance:
Please contact us at enquiries_seed@tech.gov.sg for any issues or concerns. | | 08 May 2025 | **Scheduled maintenance for Tanium servers**
We will be upgrading the Tanium servers to ensure continued performance and reliability.

**Maintenance schedule**:
The upgrading will be conducted from **6pm to 8pm, Wednesday, 21st May 2025**.

**Impact**:
- Onboarding may experience intermittent errors. Users are strongly advised to refrain from onboarding during this time and preferably avoid starting onboarding **30 minutes before the maintenance begins**.
- Access to SGTS for onboarded users should not be affected.

- If you encounter issues following the maintenance, please create an [incident support request](https://go.gov.sg/seed-techpass-support).| | 21 March 2025 | **Intermittent access issues with SGTS and GCC services**
We are aware that some users are experiencing access issues with SGTS and GCC services. Our team is actively investigating the cause and working on a resolution.

**Key details:**
- Some users may encounter difficulties accessing SGTS and GCC services.
- Other functionalities remain unaffected.

We apologise for any inconvenience caused. If you need further assistance, please contact us at **enquiries_seed@tech.gov.sg**. | diff --git a/support/hardening-list.md b/support/hardening-list.md new file mode 100644 index 00000000..eabc0b8f --- /dev/null +++ b/support/hardening-list.md @@ -0,0 +1,435 @@ +# Security hardening list + +This list outlines recommended **Level 1 (L1) security configurations** for Windows and macOS systems. These settings help secure devices by enforcing best practices around authentication, remote access, auditing, and system behaviour. + +# Security Hardening List + +This document outlines recommended **Level 1 (L1) security configurations** for Windows and macOS systems. + +## Windows + +| Title | Description | Impact | +| --- | --- | --- | +| (L1) Ensure **Enforce password history** is set to **24 or more password(s)** (Automated) | Set password history to 3 or more passwords(s) to prevent users from reusing old passwords which could lead to account compromise | No impact | +| (L1) Ensure **Maximum password age** is set to **365 or fewer days, but not 0** (Automated) | Password will expire after 365 days | No impact | +| (L1) Ensure **Minimum password age** is set to **1 or more day(s)** (Automated) | Setting to ensure that users cannot reuse any of their last 3 passwords | No impact | +| (L1) Ensure **Minimum password length** is set to **14 or more character(s)** (Automated) | Users login password require to have mininum of 12 characters in accordance with im8 | No impact | +| (L1) Ensure **Password must meet complexity requirements** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Relax minimum password length limits** is set to **Enabled** (Automated) | Enable the enforcement of longer and generally stronger passwords or
passphrases where mfa is not in use. | No impact | +| (L1) Ensure **Store passwords using reversible encryption** is set to **Disabled** (Automated) | | No impact | +| (L1) Ensure **Account lockout duration** is set to **15 or more minute(s)** (Automated) | Account remains locked for 15 minutes after reaching the defined threshold of failed login attempts | No impact | +| (L1) Ensure **Account lockout threshold** is set to **5 or fewer invalid logon attempt(s), but not 0** (Automated) | Account is temporarily locked out after 10 failed attempts as per im8 | No impact | +| (L1) Ensure **Reset account lockout counter after** is set to **15 or more minute(s)** (Automated) | 15 minutes must elapse before the counter that tracks failed logon attempts and triggers lockouts is reset to 0 | No impact | +| (L1) Ensure **Access Credential Manager as a trusted caller** is set to **No One** (Automated) | Ensure no one can access to credential manager | No impact | +| (L1) Ensure **Access this computer from the network** is set to **Administrators, Remote Desktop Users** (Automated) | Setting this to only "administrators" and "remote desktop users" ensures that only this group of users can remotely access the system | No impact | +| (L1) Ensure **Act as part of the operating system** is set to **No One** (Automated) | Setting this to "no one" ensures that no user or service can act with localsystem privileges | No impact | +| (L1) Ensure **Adjust memory quotas for a process** is set to **Administrators, LOCAL SERVICE, NETWORK SERVICE** (Automated) | | No impact | +| (L1) Ensure **Allow log on locally** is set to **Administrators, Users** (Automated) | Restricting local logon rights ensures that only approved users and administrator can access the system directly | No impact | +| (L1) Ensure **Allow log on through Remote Desktop Services** is set to **Administrators, Remote Desktop Users** (Automated) | Restricting this setting to administrators and remote desktop users ensures 
that these groups of users can access the system remotely | No impact | +| (L1) Ensure **Back up files and directories** is set to **Administrators** (Automated) | | No impact | +| (L1) Ensure **Change the system time** is set to **Administrators, LOCAL SERVICE** (Automated) | | No impact | +| (L1) Ensure **Change the time zone** is set to **Administrators, LOCAL SERVICE, Users** (Automated) | Setting this privilege to only these group of users to be able to change time zone of their device | No impact | +| (L1) Ensure **Create a pagefile** is set to **Administrators** (Automated) | | No impact | +| (L1) Ensure **Create a token object** is set to **No One** (Automated) | | No impact | +| (L1) Ensure **Create global objects** is set to **Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE** (Automated) | Only these groups of users can create global objects | No impact | +| (L1) Ensure **Create permanent shared objects** is set to **No One** (Automated) | No one is allow to create permanent shared objects in the system | No impact | +| (L1) Configure **Create symbolic links** (Automated) | Restrict to only administrator can create symbolic links | No impact | +| (L1) Ensure **Debug programs** is set to **Administrators** (Automated) | Restrict to only administrator can debug programs | No impact | +| (L1) Ensure **Deny access to this computer from the network** to include **Guests** (Automated) | Deny guests from accessing the computer via network | No impact | +| (L1) Ensure **Deny log on as a batch job** to include **Guests** (Automated) | Restricting members of the guests group from running batch jobs | No impact | +| (L1) Ensure **Deny log on as a service** to include **Guests** (Automated) | Preventing any members of the guests group from running services | No impact | +| (L1) Ensure **Deny log on locally** to include **Guests** (Automated) | Preventing any guest accounts from logging into the system locally | No impact | +| (L1) Ensure **Deny log on through 
Remote Desktop Services** to include **Guests** (Automated) | Preventing any guest accounts from using remote desktop service | No impact | +| (L1) Ensure **Enable computer and user accounts to be trusted for delegation** is set to **No One** (Automated) | No computer or user account can act as a trusted delegate for other accounts | No impact | +| (L1) Ensure **Force shutdown from a remote system** is set to **Administrators** (Automated) | Restrict to only administrator can perform force shutdown from a remote system | No impact | +| (L1) Ensure **Generate security audits** is set to **LOCAL SERVICE, NETWORK SERVICE** (Automated) | Restrict to only local service and network service can generate security audits | No impact | +| (L1) Ensure **Impersonate a client after authentication** is set to **Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE** (Automated) | | No impact | +| (L1) Ensure **Increase scheduling priority** is set to **Administrators, Window Manager\Window Manager Group** (Automated) | Restrict to only the listed groups or accounts have the ability to increase the scheduling priority of processes running on windows | No impact | +| (L1) Ensure **Load and unload device drivers** is set to **Administrators** (Automated) | Restrict to only administrator can load and unload device drivers | No impact | +| (L1) Ensure **Lock pages in memory** is set to **No One** (Automated) | Setting to no one ensure only operating system have full control on memory management | No impact | +| (L1) Ensure **Manage auditing and security log** is set to **Administrators** (Automated) | Restrict to only administrator have the rights to manage auditing and security log | No impact | +| (L1) Ensure **Modify an object label** is set to **No One** (Automated) | | No impact | +| (L1) Ensure **Modify firmware environment values** is set to **Administrators** (Automated) | Restrict to only administrator can modify firmware environment values stored in the uefi/bios or boot 
configuration data (bcd) | No impact | +| (L1) Ensure **Perform volume maintenance tasks** is set to **Administrators** (Automated) | | No impact | +| (L1) Ensure **Profile single process** is set to **Administrators** (Automated) | | No impact | +| (L1) Ensure **Profile system performance** is set to **Administrators, NT SERVICE\WdiServiceHost** (Automated) | | No impact | +| (L1) Ensure **Replace a process level token** is set to **LOCAL SERVICE, NETWORK SERVICE** (Automated) | Restrict to only the listed user/group to allows a process to assign a different security token to a running process. this is essential for services that need to change user contexts during execution such as: scheduled tasks and windows services that run under local service or network service | No impact | +| (L1) Ensure **Restore files and directories** is set to **Administrators** (Automated) | Restrict to only administrator can restore older version of system files or replace files | No impact | +| (L1) Ensure **Shut down the system** is set to **Administrators, Users** (Automated) | Restrict to only allows administrator to shut down or restart the computer system | No impact | +| (L1) Ensure **Take ownership of files or other objects** is set to **Administrators** (Automated) | | No impact | +| (L1) Ensure **Accounts: Administrator account status** is set to **Disabled** (Automated) | Built-in administrator account is set to disabled | No impact | +| (L1) Ensure **Accounts: Guest account status** is set to **Disabled** (Automated) | Built-in guest account is set to disabled | No impact | +| (L1) Ensure **Accounts: Limit local account use of blank passwords to console logon only** is set to **Enabled** (Automated) | | No impact | +| (L1) Configure **Accounts: Rename administrator account** (Automated) | Built-in administrator account is renamed for example from administrator to deepadmin | No impact | +| (L1) Configure **Accounts: Rename guest account** (Automated) | Built-in guest 
account is renamed for example from guest to deepguest | No impact | +| (L1) Ensure **Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Audit: Shut down system immediately if unable to log security audits** is set to **Disabled** (Automated) | | No impact | +| (L1) Ensure **Interactive logon: Do not require CTRL+ALT+DEL** is set to **Disabled** (Automated) | Users are required to press ctrl+alt+del before they can log in | No impact | +| (BL) Ensure **Interactive logon: Machine account lockout threshold** is set to **10 or fewer invalid logon attempts, but not 0 ** (Automated) | User account will lockout after 10 failed login attempts | No impact | +| (L1) Ensure **Interactive logon: Machine inactivity limit** is set to **900 or fewer second(s), but not ** (Automated) | User's device will lock after 900 seconds of idle time | No impact | +| (L1) Configure **Interactive logon: Message text for users attempting to log on** (Automated) | Login message appear when user login to their device | No impact | +| (L1) Configure **Interactive logon: Message title for users attempting to log on** (Automated) | Custom title appears before users enter their credentials on the windows login screen. 
| No impact | +| (L1) Ensure **Interactive logon: Prompt user to change password before expiration** is set to **between 5 and 14 days** (Automated) | Prompt user to change password 14 days upon password expire | No impact | +| (L1) Ensure **Interactive logon: Smart card removal behavior** is set to **Lock Workstation** or higher (Automated) | Computer will automatically lock itself when smart card is removed | No impact | +| (L1) Ensure **Microsoft network client: Digitally sign communications (always)** is set to **Enabled** (Automated) | Ensures that all smb (server message block) communication between windows clients and servers is digitally signed | No impact | +| (L1) Ensure **Microsoft network client: Digitally sign communications (if server agrees)** is set to **Enabled** (Automated) | To ensure that server agree to digital signing is enabled | No impact | +| (L1) Ensure **Microsoft network client: Send unencrypted password to third-party SMB servers** is set to **Disabled** (Automated) | Preventing window smb client from sending plain-text (unencrypted) passwords when authenticating to third-party smb servers | No impact | +| (L1) Ensure **Microsoft network server: Amount of idle time required before suspending session** is set to **15 or fewer minute(s)** (Automated) | Set 15 minutes idle session timeout for smb (server message block) connections on windows servers before automatically disconnected by the server | User will need to re-establish the connection when the session is disconnected after 15minutes if idle time | +| (L1) Ensure **Microsoft network server: Digitally sign communications (always)** is set to **Enabled** (Automated) | | Custom applications or scripts that use unsigned smb communication will fail unless they are updated to support signing | +| (L1) Ensure **Microsoft network server: Digitally sign communications (if client agrees)** is set to **Enabled** (Automated) | The server will digitally sign smb communication only if the client 
supports smb signing | No impact | +| (L1) Ensure **Microsoft network server: Disconnect clients when logon hours expire** is set to **Enabled** (Automated) | The server forces disconnection of users whose logon hours have expired | User need to finish their work within their permitted hours | +| (L1) Ensure **Microsoft network server: Server SPN target name validation level** is set to **Accept if provided by client** or higher (Automated) | To ensure that a client is connecting to the correct server and not a malicious impersonator. | Applications using anonymous smb authentication may experience failures. | +| (L1) Ensure **Network access: Allow anonymous SID/Name translation** is set to **Disabled** (Automated) | Prevent anonymous users requesting sid-to-name translations | Services that require anonymous access to resolve sids (e.g., certain file-sharing or remote admin tools) may stop working. | +| (L1) Ensure **Network access: Do not allow anonymous enumeration of SAM accounts** is set to **Enabled** (Automated) | Prevent unauthorised user query the system and obtain a list of local user accounts. | Some older applications or scripts that rely on anonymous sam enumeration may fail. | +| (L1) Ensure **Network access: Do not allow anonymous enumeration of SAM accounts and shares** is set to **Enabled** (Automated) | Users who are not logged in cannot retrieve a list of local user accounts from the security account manager (sam) database. | Older applications or scripts that rely on anonymous sam enumeration may fail when trying to list local users. 
| +| (L1) Ensure **Network access: Let Everyone permissions apply to anonymous users** is set to **Disabled** (Automated) | | No impact | +| (L1) Ensure **Network access: Named Pipes that can be accessed anonymously** is set to **None** (Automated) | Prevent unauthenticated users from connecting to system services or applications that expose named pipes | Older applications or services that require anonymous named pipe access might fail to work. | +| (L1) Ensure **Network access: Remotely accessible registry paths** is configured (Automated) | Determines which registry paths on a machine can be accessed remotely over the network by authenticated users | Some third-party applications or legacy systems may need access to specific registry paths for proper operation. restricting access might cause them to malfunction. | +| (L1) Ensure **Network access: Remotely accessible registry paths and sub-paths** is configured (Automated) | | No impact | +| (L1) Ensure **Network access: Restrict anonymous access to Named Pipes and Shares** is set to **Enabled** (Automated) | Restricts anonymous (unauthenticated) users from accessing named pipes and shares | Some older applications or legacy systems may depend on anonymous access to named pipes or shares. 
enabling this restriction might break functionality or cause compatibility issues with older software that does not use authenticated access | +| (L1) Ensure **Network access: Restrict clients allowed to make remote calls to SAM** is set to **Administrators: Remote Access: Allow** (Automated) | Restricts remote calls to the sam database to only those clients that have been granted administrator privileges | Some older remote administration tools or custom scripts that previously relied on non-administrative access to sam may fail or experience issues after this policy is enabled | +| (L1) Ensure **Network access: Shares that can be accessed anonymously** is set to **None** (Automated) | | After enforcing this setting, users will need to authenticate (i.e., provide credentials) whenever accessing shared resources | +| (L1) Ensure **Network access: Sharing and security model for local accounts** is set to **Classic - local users authenticate as themselves** (Automated) | Local user accounts will authenticate using their own credentials (username and password) when accessing shared resources over the network | No impact | +| (L1) Ensure **Network security: Allow Local System to use computer identity for NTLM** is set to **Enabled** (Automated) | The local system account can authenticate using the computer’s machine account credentials when communicating with other systems using ntlm authentication. | No impact | +| (L1) Ensure **Network security: Allow LocalSystem NULL session fallback** is set to **Disabled** (Automated) | | Older applications or services that rely on null sessions for authentication may fail to connect or function improperly. 
| +| (L1) Ensure **Network Security: Allow PKU2U authentication requests to this computer to use online identities** is set to **Disabled** (Automated) | | No impact | +| (L1) Ensure **Network security: Configure encryption types allowed for Kerberos** is set to **AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types** (Automated) | | Some applications may require rc4-hmac and fail authentication. | +| (L1) Ensure **Network security: Do not store LAN Manager hash value on next password change** is set to **Enabled** (Automated) | | Some legacy applications or services that require lm hashes may stop authenticating correctly. | +| (L1) Ensure **Network security: Force logoff when logon hours expire** is set to **Enabled** (Manual) | | | +| (L1) Ensure **Network security: LAN Manager authentication level** is set to **Send NTLMv2 response only. Refuse LM & NTLM** (Automated) | | Some legacy applications that rely on ntlm or lm may not function, requiring updates or replacements. | +| (L1) Ensure **Network security: LDAP client signing requirements** is set to **Negotiate signing** or higher (Automated) | This setting instructs the client to use the most secure method available for signing the communication. | No impact | +| (L1) Ensure **Network security: Minimum session security for NTLM SSP based (including secure RPC) clients** is set to **Require NTLMv2 session security, Require 128-bit encryption** (Automated) | | | +| (L1) Ensure **Network security: Minimum session security for NTLM SSP based (including secure RPC) servers** is set to **Require NTLMv2 session security, Require 128-bit encryption** (Automated) | | | +| (L1) Ensure **System objects: Require case insensitivity for non-Windows subsystems** is set to **Enabled** (Automated) | It enforces case insensitivity for system objects in non-windows subsystems. 
| No impact | +| (L1) Ensure **User Account Control: Virtualize file and registry write failures to per-user locations** is set to **Enabled** (Automated) | Windows virtualizes (or redirects) file and registry write operations from applications that try to modify system locations (which typically require administrator privileges) to user-specific locations. | No impact | +| (L1) Ensure **Internet Connection Sharing (ICS) (SharedAccess)** is set to **Disabled** (Automated) | The computer will not offer its internet connection to other devices. | No impact | +| (L1) Ensure **Remote Procedure Call (RPC) Locator (RpcLocator)** is set to **Disabled** (Automated) | | Applications or systems that rely on rpc locator for discovering services across a network may no longer function as expected | +| (L1) Ensure **Routing and Remote Access (RemoteAccess)** is set to **Disabled** (Automated) | Prevent remotely access to system through vpns or dial-up connections using rras | Disabling rras prevents remote users or systems from connecting to the network through vpn | +| (L1) Ensure **Simple TCP/IP Services (simptcp)** is set to **Disabled** or **Not Installed** (Automated) | Disabling legacy service in windows operating systems that provides basic network functionality and services based on the tcp/ip protocol | If the system needs to communicate with older devices or software that rely on these legacy services, disabling simptcp might break compatibility with such systems. | +| (L1) Ensure **Special Administration Console Helper (sacsvr)** is set to **Disabled** or **Not Installed** (Automated) | Disabling sacsvr services on services.msc | No impact | +| (L1) Ensure **SSDP Discovery (SSDPSRV)** is set to **Disabled** (Automated) | Prevent devices from discover each other and establish communication based on the ssdp protocol. 
| Could cause impact on upnp devices as upnp, often associated with ssdp | +| (L1) Ensure **UPnP Device Host (upnphost)** is set to **Disabled** (Automated) | | Users may face inconvenience in networks that rely on upnp for easy device setup and communication. | +| (L1) Ensure **Windows Media Player Network Sharing Service (WMPNetworkSvc)** is set to **Disabled** or **Not Installed** (Automated) | Prevent windows media player from sharing media files with other devices over the network. | No impact | +| (L1) Ensure **Windows Mobile Hotspot Service (icssvc)** is set to **Disabled** (Automated) | Preventing the device from sharing its internet connection with other devices | No impact | +| (L1) Ensure **World Wide Web Publishing Service (W3SVC)** is set to **Disabled** or **Not Installed** (Automated) | The machine will not be able to act as a web server and will not respond to http requests. | If the device is intended to serve websites or web applications, disabling w3svc will prevent it from performing this role. 
| +| (L1) Ensure **Xbox Accessory Management Service (XboxGipSvc)** is set to **Disabled** (Automated) | | No impact | +| (L1) Ensure **Xbox Live Auth Manager (XblAuthManager)** is set to **Disabled** (Automated) | Prevent windows service from managing authentication processes related to xbox live accounts | No impact | +| (L1) Ensure **Xbox Live Game Save (XblGameSave)** is set to **Disabled** (Automated) | Disallow users from storing their game data in the cloud through xbox live | No impact | +| (L1) Ensure **Xbox Live Networking Service (XboxNetApiSvc)** is set to **Disabled** (Automated) | | No impact | +| (L1) Ensure **Windows Firewall: Private: Firewall state** is set to **On (recommended)** (Automated) | Firewall is enabled for private networks | No impact | +| (L1) Ensure **Windows Firewall: Private: Logging: Size limit (KB)** is set to **16,384 KB or greater** (Automated) | | No impact | +| (L1) Ensure **Windows Firewall: Private: Logging: Log dropped packets** is set to **Yes** (Automated) | | No impact | +| (L1) Ensure **Windows Firewall: Private: Logging: Log successful connections** is set to **Yes** (Automated) | Windows records log successful connections in the firewall log file (pfirewall.log). 
| No impact | +| (L1) Ensure **Windows Firewall: Public: Firewall state** is set to **On (recommended)** (Automated) | This setting enables the windows firewall when the system is connected to a public network | Applications requiring inbound connections (e.g., remote desktop, file sharing) may be blocked unless allowed manually | +| (L1) Ensure **Audit Credential Validation** is set to **Success and Failure** (Automated) | Windows logs events when authentication requests are processed for both user fails and successful authentication | No impact | +| (L1) Ensure **Audit Application Group Management** is set to **Success and Failure** (Automated) | Windows logs events when changes are made to application groups in local systems | No impact | +| (L1) Ensure **Audit Security Group Management** is set to include **Success** (Automated) | The system logs all successful modifications to security groups such as creating and deleting | No impact | +| (L1) Ensure **Audit User Account Management** is set to **Success and Failure** (Automated) | | No impact | +| (L1) Ensure **Audit PNP Activity** is set to include **Success** (Automated) | Windows logs an event whenever a device is successfully installed or configured using plug and play (pnp) | No impact | +| (L1) Ensure **Audit Process Creation** is set to include **Success** (Automated) | Windows records details about every successfully launched process such as process name and process id | No impact | +| (L1) Ensure **Audit Account Lockout** is set to include **Failure** (Automated) | | No impact | +| (L1) Ensure **Audit Group Membership** is set to include **Success** (Automated) | Logs successful changes to the group memberships of user accounts | No impact | +| (L1) Ensure **Audit Logoff** is set to include **Success** (Automated) | Successful logoff events will be recorded and logged into the security event log | No impact | +| (L1) Ensure **Audit Logon** is set to **Success and Failure** (Automated) | | No impact | 
+| (L1) Ensure **Audit Other Logon/Logoff Events** is set to **Success and Failure** (Automated) | | No impact | +| (L1) Ensure **Audit Special Logon** is set to include **Success** (Automated) | Log events whenever a user successfully logs on with special privileges. these special logons typically involve actions such as: administrator account logins and logins that trigger elevated access levels | No impact | +| (L1) Ensure **Audit Detailed File Share** is set to include **Failure** (Automated) | Log an event whenever an access attempt to a file share fails | No impact | +| (L1) Ensure **Audit File Share** is set to **Success and Failure** (Automated) | Logs both successful and failed attempts to access files or directories shared on the network such as reading files from shared folders and writing to files | No impact | +| (L1) Ensure **Audit Other Object Access Events** is set to **Success and Failure** (Automated) | | No impact | +| (L1) Ensure **Audit Removable Storage** is set to **Success and Failure** (Automated) | Logging both successful and failed attempts to access removable storage devices such as plugging in a usb drive and copying files to or from removable storage | No impact | +| (L1) Ensure **Audit Audit Policy Change** is set to include **Success** (Automated) | Logging successful modifications to auditing settings such as modifying advanced audit policy settings and enabling or disabling audit policies | No impact | +| (L1) Ensure **Audit Authentication Policy Change** is set to include **Success** (Automated) | Logging successful changes to authentication policies on a system such as kerberos policy changes and changes to user password policies | No impact | +| (L1) Ensure **Audit Authorization Policy Change** is set to include **Success** (Automated) | System records events where policies that determine user access permissions are changed such as changes to object access control lists (acls) and adjustments to role-based access control (rbac) 
policies | No impact | +| (L1) Ensure **Audit MPSSVC Rule-Level Policy Change** is set to **Success and Failure** (Automated) | System records events when there are successful changes to firewall rules and failed attempts to modify firewall rules | No impact | +| (L1) Ensure **Audit Other Policy Change Events** is set to include **Failure** (Automated) | | No impact | +| (L1) Ensure **Audit Sensitive Privilege Use** is set to **Success and Failure** (Automated) | Logging both successful and failed privileged operations such as debugging programs and backing up/restoring files and directories | No impact | +| (L1) Ensure **Audit IPsec Driver** is set to **Success and Failure** (Automated) | | No impact | +| (L1) Ensure **Audit Security State Change** is set to include **Success** (Automated) | | No impact | +| (L1) Ensure **Audit Security System Extension** is set to include **Success** (Automated) | Logging successful events related to the installation and loading of system extensions that could impact security such as loading of authentication packages and changes to system security components | No impact | +| (L1) Ensure **Audit System Integrity** is set to **Success and Failure** (Automated) | Logging both successful and failed attempts to alter the system’s core structure or integrity such as modification of protected system files and changes to system security settings. | No impact | +| (L1) Ensure **Prevent enabling lock screen camera** is set to **Enabled** (Automated) | | Legitimate users may want to use the camera on the lock screen for activities such as quick video calls. this setting prevents that functionality. | +| (L1) Ensure **Prevent enabling lock screen slide show** is set to **Enabled** (Automated) | It disables the ability to use a slideshow on the lock screen. 
| No impact | +| (L1) Ensure **Allow users to enable online speech recognition services** is set to **Disabled** (Automated) | | Inconvenience for users who rely on online speech recognition for tasks like voice-to-text or using voice commands in applications | +| (L1) Ensure **Configure SMB v1 client driver** is set to **Enabled: Disable driver (recommended)** (Automated) | It disables the smb v1 client driver on the system. this means that the system will not use smb v1 for file sharing or network communication. | If a network relies heavily on smb v1 (perhaps due to legacy hardware or software), disabling smb v1 could disrupt operations | +| (L1) Ensure **Configure SMB v1 server** is set to **Disabled** (Automated) | Preventing smb v1 from being used on the system as a server | Devices and clients will not be able to connect to this system using the insecure smb v1 protocol. | +| (L1) Ensure **NetBT NodeType configuration** is set to **Enabled: P-node (recommended)** (Automated) | Resolves names through a wins (windows internet name service) server. | Some older applications or systems may still rely on broadcast name resolution (b-node) or may not be compatible with wins | +| (L1) Ensure **WDigest Authentication** is set to **Disabled** (Automated) | Disabled so that wdigest won't be able to storesuser credentials (passwords) in a way that is generally considered insecure compared to modern methods | Disabling wdigest might cause disruption if any third-party software or scripts depend on this authentication method for logging into systems or services. 
| +| (L1) Ensure **MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)** is set to **Disabled** (Automated) | Prevent user's password is stored in the system registry in plain text and to prevent auto logon into the system | No impact | +| (L1) Ensure **MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)** is set to **Enabled: Highest protection, source routing is completely disabled** (Automated) | | No impact | +| (L1) Ensure **MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes** is set to **Disabled** (Automated) | Prevents icmp redirects from overriding ospf-generated routes | No impact | +| (L1) Ensure **MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers** is set to **Enabled** (Automated) | | Older systems and applications that rely on netbios name resolution may experience issues if name releases are blocked. | +| (L1) Ensure **MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)** is set to **Enabled** (Automated) | This setting ensures that windows prioritizes safer locations when searching for dynamic link libraries (dlls) that applications request | Some legacy applications (especially custom or poorly coded ones) might expect dlls to load from the current working directory first | +| (L1) Ensure **MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)** is set to **Enabled: 5 or fewer seconds** (Automated) | Setting grace period to 5 seconds or less after the screen saver activated during which a user can move the mouse or press a key to return to the session without re-entering their credentials. 
| No impact | +| (L1) Ensure **Turn off multicast name resolution** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Enable insecure guest logons** is set to **Disabled** (Automated) | Windows will not allow users to access shared resources using a guest account. | No impact | +| (L1) Ensure **Prohibit installation and configuration of Network Bridge on your DNS domain network** is set to **Enabled** (Automated) | Prevents users from creating or configuring a network bridge on computers that are part of a dns domain network | No impact | +| (L1) Ensure **Prohibit use of Internet Connection Sharing on your DNS domain network** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Hardened UNC Paths** is set to **Enabled, with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares** (Automated) | Secure authentication (kerberos or ntlmv2) is required before accessing netlogon/sysvol and data integrity checks are enforced | No impact | +| (L1) Ensure **Minimize the number of simultaneous connections to the Internet or a Windows Domain** is set to **Enabled: 3 = Prevent Wi-Fi when on Ethernet** (Automated) | | No impact | +| (L1) Ensure **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services** is set to **Disabled** (Automated) | | No impact | +| (L1) Ensure **Point and Print Restrictions: When installing drivers for a new connection** is set to **Enabled: Show warning and elevation prompt** (Automated) | | No impact | +| (L1) Ensure **Point and Print Restrictions: When updating drivers for an existing connection** is set to **Enabled: Show warning and elevation prompt** (Automated) | | No impact | +| (L1) Ensure **Include command line in process creation events** is set to **Enabled** (Automated) | Windows ensures that command-line arguments used during the creation of a process are logged in event logs | No impact 
| +| (L1) Ensure **Encryption Oracle Remediation** is set to **Enabled: Force Updated Clients** (Automated) | | Older devices, browsers, or software that only support weak or outdated encryption may no longer be able to establish connections | +| (L1) Ensure **Remote host allows delegation of non-exportable credentials** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Boot-Start Driver Initialization Policy** is set to **Enabled: Good, unknown and bad but critical** (Automated) | It allows the system to initialize:
good drivers (trusted and verified).
unknown drivers (drivers that are unsigned or have unknown origins).
bad but critical drivers (drivers that may be problematic but are required for booting or for critical system functions). | No impact | +| (L1) Ensure **Continue experiences on this device** is set to **Disabled** (Automated) | It prevents the device from syncing or continuing experiences across multiple devices | No impact | +| (L1) Ensure **Turn off Internet download for Web publishing and online ordering wizards** is set to **Enabled** (Automated) | It disables the ability of windows internet explorer and microsoft office tools to automatically download content from the internet during the use of their wizards such as web publishing and online ordering feature. | No impact | +| (L1) Ensure **Do not display network selection UI** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Turn off app notifications on the lock screen** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Turn on convenience PIN sign-in** is set to **Disabled** (Automated) | Windows blocks users from setting up and using a convenience pin for authentication | No impact | +| (L1) Ensure **Allow network connectivity during connected-standby (on battery)** is set to **Disabled** (Automated) | Device automatically disconnects from all networks when entering modern standby mode while on battery power. 
| No impact | +| (L1) Ensure **Allow network connectivity during connected-standby (plugged in)** is set to **Disabled** (Automated) | | No impact | +| (L1) Ensure **Require a password when a computer wakes (on battery)** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Require a password when a computer wakes (plugged in)** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Configure Offer Remote Assistance** is set to **Disabled** (Automated) | | No impact | +| (L1) Ensure **Configure Solicited Remote Assistance** is set to **Disabled** (Automated) | It administrators or support personnel cannot connect to assist users remotely using this built-in tool. | No impact | +| (L1) Ensure **Enable RPC Endpoint Mapper Client Authentication** is set to **Enabled** (Automated) | The rpc endpoint mapper requires authentication before allowing clients to connect. | Legacy applications that require unauthenticated rpc connections | +| (L1) Ensure **Restrict Unauthenticated RPC clients** is set to **Enabled: Authenticated** (Automated) | Only authenticated rpc clients can establish connections. | Older applications or legacy systems that rely on anonymous rpc connections may fail. | +| (L1) Ensure **Prevent non-admin users from installing packaged Windows apps** is set to **Enabled** (Automated) | Only allow admin users installing packaged windows apps from sources like microsoft store and downloaded app packages | No impact | +| (L1) Ensure **Let Windows apps activate with voice while the system is locked** is set to **Enabled: Force Deny** (Automated) | Completely blocks voice activation when the system is locked. | Users who rely on voice control for accessibility may experience difficulty. | +| (L1) Ensure **Allow Microsoft accounts to be optional** is set to **Enabled** (Automated) | Users can use a local account instead of being forced to use a microsoft account. 
| No impact | +| (L1) Ensure **Disallow Autoplay for non-volume devices** is set to **Enabled** (Automated) | Prevents autoplay from activating for non-volume devices. | Users may need to manually access media devices instead of having them launch automatically. | +| (L1) Ensure **Set the default behavior for AutoRun** is set to **Enabled: Do not execute any autorun commands** (Automated) | | Software or installers that rely on autorun (e.g., cd/dvd-based installers, external software launchers) will not start automatically. | +| (L1) Ensure **Turn off Autoplay** is set to **Enabled: All drives** (Automated) | | No impact | +| (L1) Ensure **Configure enhanced anti-spoofing** is set to **Enabled** (Automated) | Windows enhances the anti-spoofing capabilities for biometric systems (like face recognition or fingerprints) by verifying that the biometric data is genuine and not spoofed or manipulated. | No impact | +| (L1) Ensure **Turn off Microsoft consumer experiences** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Require pin for pairing** is set to **Enabled: First Time** OR **Enabled: Always** (Automated) | | No impact | +| (L1) Ensure **Do not display the password reveal button** is set to **Enabled** (Automated) | This setting disables the visibility of the password reveal button (the eye icon) in password input fields across windows | No impact | +| (L1) Ensure **Enumerate administrator accounts on elevation** is set to **Disabled** (Automated) | | No impact | +| (L1) Ensure **Prevent the use of security questions for local accounts** is set to **Enabled** (Automated) | It prevents users from setting or using security questions to recover or reset the passwords for their local accounts in windows. | User will not have an additional fallback option for password recovery through security questions. 
| +| (L1) Ensure **Do not show feedback notifications** is set to **Enabled** (Automated) | It disables the feedback notifications that windows typically displays to users such as prompts users to send feedback or take part in the windows insider program or surveys about the operating system | No impact | +| (L1) Ensure **Download Mode** is NOT set to **Enabled: Internet** (Automated) | Updates are not downloaded directly from microsoft’s servers over the internet. | No impact | +| (L1) Ensure **Application: Control Event Log behavior when the log file reaches its maximum size** is set to **Disabled** (Automated) | System does not enforce any specific behavior or restrictions regarding the size limit of event log files | No impact | +| (L1) Ensure **Application: Specify the maximum log file size (KB)** is set to **Enabled: 32,768 or greater** (Automated) | | No impact | + +## macOS + +| Title | Description | Impact | +| --- | --- | --- | +| (L1) Ensure **Security: Specify the maximum log file size (KB)** is set to **Enabled: 196,608 or greater** (Automated) | | No impact | +| (L1) Ensure **Setup: Control Event Log behavior when the log file reaches its maximum size** is set to **Disabled** (Automated) | System does not enforce any specific behavior regarding the maximum size of the setup event log file | No impact | +| (L1) Ensure **Setup: Specify the maximum log file size (KB)** is set to **Enabled: 32,768 or greater** (Automated) | Max log size for setup event is set to 32,768 kb | No impact | +| (L1) Ensure **System: Control Event Log behavior when the log file reaches its maximum size** is set to **Disabled** (Automated) | System does not enforce any specific behavior regarding the maximum size of the control event log file | No impact | +| (L1) Ensure **System: Specify the maximum log file size (KB)** is set to **Enabled: 32,768 or greater** (Automated) | Max log size for system event is set to 32,768 kb | No impact | +| (L1) Ensure **Turn off Data Execution 
Prevention for Explorer** is set to **Disabled** (Automated) | | No impact | +| (L1) Ensure **Turn off heap termination on corruption** is set to **Disabled** (Automated) | | Some older or poorly written applications may have minor heap corruption issues | +| (L1) Ensure **Turn off shell protocol protected mode** is set to **Disabled** (Automated) | | Older or custom enterprise applications that rely on unrestricted shell protocol execution may stop working or experience issues. | +| (L1) Ensure **Prevent the computer from joining a homegroup** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Configure local setting override for reporting to Microsoft MAPS** is set to **Disabled** (Automated) | Users cannot enable or disable maps reporting manually from windows security settings. | No impact | +| (L1) Ensure **Prevent users and apps from accessing dangerous websites** is set to **Enabled: Block** (Automated) | | Some users may find that harmless websites get flagged due to false positives. | +| (L1) Ensure **Scan all downloaded files and attachments** is set to **Enabled** (Automated) | All downloaded files and email attachments are automatically scanned for malware and security threats before they can be accessed | No impact | +| (L1) Ensure **Turn off real-time protection** is set to **Disabled** (Automated) | Real-time protection is enabled and cannot be turned off by users | No impact | +| (L1) Ensure **Turn on behavior monitoring** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Scan removable drives** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Turn on e-mail scanning** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Configure detection for potentially unwanted applications** is set to **Enabled: Block** (Automated) | Microsoft defender antivirus actively detects and blocks puas before they can be installed or executed on the system. 
| No impact | +| (L1) Ensure **Turn off Microsoft Defender AntiVirus** is set to **Disabled** (Automated) | Microsoft defender not allow to be turn off | No impact | +| (L1) Ensure **Do not allow passwords to be saved** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Do not allow drive redirection** is set to **Enabled** (Automated) | Users are prevented from redirecting their local drives while using remote desktop protocol (rdp) to connect to another system. | Admins may need alternative ways to upload/download files when managing remote systems. | +| (L1) Ensure **Always prompt for password upon connection** is set to **Enabled** (Automated) | | Requires manual password entry for every rdp session, which can slow down workflows. | +| (L1) Ensure **Require secure RPC communication** is set to **Enabled** (Automated) | All remote procedure call (rpc) communications must use secure authentication and encryption to prevent unauthorized access and data tampering. | No impact | +| (L1) Ensure **Require user authentication for remote connections by using Network Level Authentication** is set to **Enabled** (Automated) | All remote desktop protocol (rdp) connections must authenticate the user before establishing a full session with the remote computer. | No impact | +| (L1) Ensure **Set client connection encryption level** is set to **Enabled: High Level** (Automated) | All remote desktop protocol (rdp) connections must use strong encryption (128-bit) to secure data transmitted between the client and server. | No impact | +| (L1) Ensure **Do not delete temp folders upon exit** is set to **Disabled** (Automated) | Temporary folders created during a remote desktop services (rds) session are automatically deleted when the session ends. 
| No impact | +| (L1) Ensure **Prevent downloading of enclosures** is set to **Enabled** (Automated) | Users are blocked from downloading enclosures (attachments) in rss feeds in supported applications like microsoft outlook or internet explorer (legacy). | Users cannot download podcast episodes, newsletters, or media files linked in feeds. | +| (L1) Ensure **Allow Cortana** is set to **Disabled** (Automated) | | Users lose the ability to use voice commands or cortana to set reminders, check the weather, or quickly access search results. | +| (L1) Ensure **Allow Cortana above lock screen** is set to **Disabled** (Automated) | Cortana is prevented from being accessed or used on the lock screen of the windows device | Users can no longer use cortana for quick access to information like weather updates or reminders while the device is locked, | +| (L1) Ensure **Allow indexing of encrypted files** is set to **Disabled** (Automated) | | Users will not be able to search the contents of encrypted files via windows search, reducing convenience for those who regularly access encrypted documents. | +| (L1) Ensure **Allow search and Cortana to use location** is set to **Disabled** (Automated) | Both windows search and cortana are prevented from accessing and using the device's location to provide location-based results or services. 
| No impact | +| (L1) Ensure **Turn off Automatic Download and Install of updates** is set to **Disabled** (Automated) | Windows update is allowed to automatically download and install updates without any user intervention | No impact | +| (L1) Ensure **Configure Windows Defender SmartScreen** is set to **Enabled: Warn and prevent bypass** (Automated) | | No impact | +| (L1) Ensure **Configure Windows Defender SmartScreen** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Prevent bypassing Windows Defender SmartScreen prompts for sites** is set to **Enabled** (Automated) | Windows defender smartscreen will block users from bypassing the security prompts that appear when they visit potentially unsafe websites. | Some legitimate websites may be flagged as unsafe by mistake, causing inconvenience for users who need to access those sites | +| (L1) Ensure **Enables or disables Windows Game Recording and Broadcasting** is set to **Disabled** (Automated) | | No impact | +| (L1) Ensure **Allow Windows Ink Workspace** is set to **Enabled: On, but disallow access above lock** OR **Disabled** but not **Enabled: On** (Automated) | | No impact | +| (L1) Ensure **Allow user control over installs** is set to **Disabled** (Automated) | Users are prevented from changing installation settings and cannot manually install or modify software on the system but users with admin privilege will not be affected | No impact | +| (L1) Ensure **Always install with elevated privileges** is set to **Disabled** (Automated) | Windows does not grant elevated (admin-level) privileges to windows installer-based installations for non-administrator users | No impact | +| (L1) Ensure **Sign-in and lock last interactive user automatically after a restart** is set to **Disabled** (Automated) | | No impact | +| (L1) Ensure **Turn on PowerShell Script Block Logging** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Turn on PowerShell Transcription** is set to **Enabled**' 
(Automated) | | No impact | +| (L1) Ensure **Allow Basic authentication** is set to **Disabled** - WinRM Client (Automated) | System prevents the use of basic authentication when connecting to remote systems using winrm. | Basic authentication is often used when connecting to non-domain-joined machines or third-party services. if disabled, these connections may fail. | +| (L1) Ensure **Allow unencrypted traffic** is set to **Disabled** - WinRM Client (Automated) | Prevents the use of unencrypted http connections for remote management or powershell remoting | Some legacy or third-party applications may need to be updated to use encrypted winrm connections. | +| (L1) Ensure **Disallow Digest authentication** is set to **Enabled** (Automated) | Digest authentication is explicitly disabled for all winrm communications. this setting ensures that winrm will not use the digest authentication method | If older systems or services rely on digest authentication, those systems may fail to connect or function correctly when this setting is enabled. | +| (L1) Ensure **Allow Basic authentication** is set to **Disabled** - WinRM Service (Automated) | Winrm service will block any attempts to use basic authentication for remote connections. | Some systems or applications that rely on basic authentication (such as certain third-party tools or legacy systems) may experience connection failures if they cannot use kerberos or ntlm. | +| (L1) Ensure **Allow unencrypted traffic** is set to **Disabled** WinRM Service (Automated) | The service rejects all incoming winrm connections that are not encrypted | If legacy systems or scripts rely on http (unencrypted) winrm connections, they will stop working. | +| (L1) Ensure **Disallow WinRM from storing RunAs credentials** is set to **Enabled** (Automated) | Prevents windows remote management (winrm) from caching or storing credentials when using "runas" authentication | Users must re-enter credentials for each new remote session. 
| +| (L1) Ensure **Prevent users from modifying settings** is set to **Enabled** (Automated | Local users can not make changes in the exploit protection settings area. | No impact | +| (L1) Ensure **No auto-restart with logged on users for scheduled automatic updates installations** is set to **Disabled** (Automated) | | If a user is logged in and working, they may lose unsaved work when the system restarts unexpectedly. | +| (L1) Ensure **Configure Automatic Updates** is set to **Enabled** (Automated) | Windows will automatically download and install updates based on the specific configuration set by the administrator | Users may experience unexpected restarts after updates. | +| (L1) Ensure **Configure Automatic Updates: Scheduled install day** is set to ** - Every day** (Automated) | Windows will attempt to install updates daily at 9:00am. | No impact | +| (L1) Ensure **Remove access to “Pause updates” feature** is set to **Enabled** (Automated) | Users will not be able to pause windows updates through the windows update settings. | Users cannot temporarily pause updates when they are working on important work | +| (L1) Ensure **Manage preview builds** is set to **Disabled** (Automated) | | Users and testers will not have early access to upcoming features and improvements available in preview builds. | +| (L1) Ensure **Select when Preview Builds and Feature Updates are received** is set to **Enabled: 180 or more days** (Automated) | | Users will not have immediate access to the latest features and improvements, as updates are postponed for six months. | +| (L1) Ensure **Select when Quality Updates are received** is set to **Enabled: 0 days** (Automated) | | Rapid deployment of updates may lead to compatibility issues with existing software or hardware. 
| +| (L1) Ensure **Do not preserve zone information in file attachments** is set to **Disabled** (Automated) | | No impact | +| (L1) Ensure **Notify antivirus programs when opening attachments** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Configure Windows spotlight on lock screen** is set to Disabled' (Automated) | | No impact | +| (L1) Ensure **Do not suggest third-party content in Windows spotlight** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Turn off Spotlight collection on Desktop** is set to **Enabled** (Automated) | Windows spotlight's dynamic desktop background feature is disabled. this means that the desktop will no longer display daily changing images provided by microsoft | No impact | +| (L1) Ensure **Prevent users from sharing files within their profile.** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Always install with elevated privileges** is set to **Disabled** (Automated) | Windows installer operates with the current user's privilege level during application installations. this means that users can only install applications that their account permissions allow and installations requiring elevated privileges will prompt for administrative credentials or fail if the user lacks the necessary rights. | No impact | +| (L1) Ensure **Remove access to “Pause updates” feature** is set to **Enabled** (Automated) | Users will not be able to pause windows updates through the windows update settings. | Users cannot temporarily pause updates when they are working on important work | +| (L1) Ensure **Manage preview builds** is set to **Disabled** (Automated) | | Users and testers will not have early access to upcoming features and improvements available in preview builds. 
| +| (L1) Ensure **Select when Preview Builds and Feature Updates are received** is set to **Enabled: 180 or more days** (Automated) | | Users will not have immediate access to the latest features and improvements, as updates are postponed for six months. | +| (L1) Ensure **Select when Quality Updates are received** is set to **Enabled: 0 days** (Automated) | | Rapid deployment of updates may lead to compatibility issues with existing software or hardware. | +| (L1) Ensure **Do not preserve zone information in file attachments** is set to **Disabled** (Automated) | | No impact | +| (L1) Ensure **Notify antivirus programs when opening attachments** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Configure Windows spotlight on lock screen** is set to Disabled' (Automated) | | No impact | +| (L1) Ensure **Do not suggest third-party content in Windows spotlight** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Turn off Spotlight collection on Desktop** is set to **Enabled** (Automated) | Windows spotlight's dynamic desktop background feature is disabled. this means that the desktop will no longer display daily changing images provided by microsoft | No impact | +| (L1) Ensure **Prevent users from sharing files within their profile.** is set to **Enabled** (Automated) | | No impact | +| (L1) Ensure **Always install with elevated privileges** is set to **Disabled** (Automated) | Windows installer operates with the current user's privilege level during application installations. this means that users can only install applications that their account permissions allow and installations requiring elevated privileges will prompt for administrative credentials or fail if the user lacks the necessary rights. 
| No impact | +| Description | Remediation (for control cannot be automatically harden) | Impact | +| Records detailed logs of system events for security monitoring and forensic analysis | | No impact | +| Involves specifying which system events are recorded for security auditing purposes +Audit Flag: +pc -Audit All Failed Program Execution on the System +fa- System to Audit All Deletions of Object Attributes +fm- System to Audit All Deletions of Object Attributes and System to Audit All Failed Change of Object Attributes +fr- System to Audit All Failed Read Actions on the System +fw- System to Audit All Failed Write Actions on the System +fa- System to Audit All Changes of Object Attributes +ex- System to Audit All Failed Program Execution on the System | | No impact | +| Helps in filtering out routine or non-critical entries, allowing analysts to focus on significant events that may indicate security incidents or policy violations. ​ | | No impact | +| Audit retention to maintain at least sixty days of records or up to five gigabytes | | No impact | +| Involves assigning each executing process its own distinct address space, preventing one process from accessing or modifying the memory and code of another | | No impact | +| Prevent system from broadcasting its presence and available services over network interfaces | | It may disrupt several features and applications that rely on it for service discovery, such as shared disks, screen sharing, printing, and airdrop | +| Only allow administrators can change various system settings, including those related to security and privacy. 
| | No impact | +| Audit logs are protected against tampering | | No impact | +| Ensuring that only authorized users and applications can access specific resources | | No impact | +| Ensuring that error messages on macOS applications do not expose exploitable information | | No impact | +| Disable facetime.app to prevent unwanted calls and maintain privacy | | No impact | +| Ensuring that your macOS system transitions to a known safe state during initialization, shutdown, or in the event of an abort is crucial for maintaining system integrity and protecting data | | No impact | +| FileVault ensures that unauthorized users cannot access your information without proper credentials | | No impact | +| Enabling firewall logging on macOS to monitor and analyze incoming connection attempts | Open terminal
sudo /usr/libexec/applicationfirewall/socketfilterfw --setloggingopt detail | No impact | +| Enabling gatekeeper security feature in macOS to ensure that only trusted software can runs on the device | Navigate to system setting > privacy & security > security > allow applications from
select "app store & known developers | It may limit the installation of certain legitimate applications from unidentified developers | +| Gatekeeper automatically re-enables after 30 days if it has been disabled | | No impact | +| Only Administrator accounts possess elevated privileges that allow users to manage system-wide settings, install applications, and oversee other user accounts | | No impact | +| Disable the transfer of data between devices | | No impact | +| Disable built-in web server (Apache HTTP Server) on macOS | | No impact | +| Enforce the use of validated cryptographic modules and algorithms | | Some applications or services that rely on non-fips-approved cryptographic methods may experience compatibility issues | +| Protecting system memory from unauthorized code execution | | No impact | +| Prevent unintended interactions with nearby IR devices, such as remote controls from other Macs or Apple TVs. | | No impact | +| Ensuring that user activities do not interfere with critical system operations, and vice versa to prevent compromise of system integrity | | No impact | +| Only authorized users can select auditable events on macOS to prevent unauthorized modifications | | No impact | +| Only authenticated and authorized users can access specific system resources and information | | No impact | +| Providing a clear logoff capability and displaying messages upon logoff help prevent unauthorized access and exploitation. 
| | No impact | +| Ensuring that macOS systems implement effective malicious code protection mechanisms to safeguard against malware and other security threats | | No impact | +| Disable systems from sharing files over a network | | No impact | +| Masking password input during authentication, preventing unauthorized individuals from viewing sensitive information | | No impact | +| Ensuring that macOS uniquely identifies peripherals before establishing a connection such as before allowing access to USB drives, external hard disks, or other storage media, the system should verify the device's identity | | No impact | +| Users will be seeing the following message before they login to the system: +"This computer system is managed by the Government of Singapore and/or Government Technology Agency of Singapore (GovTech), and computer and network usage may be monitored. Any unauthorised access or use of this computer system is prohibited and may be subject to disciplinary action and/or criminal prosecution. By proceeding to use this computer system, you acknowledge the above and agree to abide by the applicable security policies." | | No impact | +| When macOS encounters invalid inputs, it will respond in a consistent and documented way, such as displaying an appropriate error message or rejecting the input without causing system instability. | | No impact | +| Ensuring that software on macOS does not execute with higher privileges than those of the invoking user is crucial for maintaining system security and integrity | | No impact | +| Ensure that only authorized personnel have administrative privileges. Standard users should not have the ability to execute commands or perform actions that can alter system configurations or security settings. 
| | No impact | +| Only authorized individuals have access to shared resources | | No impact | +| To ensure that collaborative computing devices such as cameras and microphones cannot be activated remotely without user consent, thereby protecting against eavesdropping or unauthorized recordings. | | No impact | +| Ensuring that macOS provides the ability to disconnect or disable remote access | | No impact | +| Requiring users to reauthenticate for privilege escalation on macOS enhances security by ensuring that elevated permissions are granted only after explicit user verification | | No impact | +| Whenever a user attempts to modify their authentication method—such as setting up or altering Touch ID, changing passwords, or configuring other security settings—a reauthentication prompt should be enforced. | | No impact | +| Controlling remote access methods on macOS is essential for maintaining system security and ensuring that only authorized users can connect to your Mac such as disabling of screen sharing , bluetooth sharing, internal sharing and remote management | | No impact | +| All software components are fully removed after installing updated versions on macOS | | No impact | +| Ensuring compliance with federal laws, executive orders, directives, policies, regulations, standards, and guidance for authentication to cryptographic modules on macOS involves adhering to established security frameworks and leveraging Apple's validated cryptographic modules. | | No impact | +| Mac's Secure Boot level is set to "Full Security" | | No impact | +| Ensuring the protected storage of cryptographic keys is a fundamental aspect of securing macOS systems such as disable iCloud Keychain | | No impact | +| Separating user and system functionality on macOS enhances security by ensuring that user activities do not interfere with critical system operations. 
| | No impact | +| Enable of filename extension for example mac.exe and mac.txt | | No impact | +| Prevent the use of logging to the terminal using root credential | | No impact | +| On macOS, passwords and other sensitive data are securely stored and encrypted using the Keychain system | | No impact | +| By default the system volume is mounted as read-only, meaning that critical system files are protected from accidental or malicious modifications | | No impact | +| Terminating all sessions and network connections upon completing maintenance on macOS is a crucial security measure to prevent unauthorized access and ensure system integrity | | No impact | +| Disable Trivial File Transfer Protocol Service on macOS as it transmits data in clear text without authentication, making it susceptible to interception and unauthorized access | | No impact | +| Enabling the Time Synchronization Daemon (timed) on macOS ensures that the system maintains accurate time by synchronizing with authorized time servers. | | No impact | +| Default setting on macOS to employs specific identifiers and tools to distinguish between different users and the processes they initiate | | No impact | +| By default, macOS disables the UUCP service at startup by preventing unauthorized connections and data transfers | | No impact | +| By default, macOS disables verify that all remote connections have been effectively terminated | | No impact | +| By default, macOS automatically remove or disable emergency accounts within 72 hours | | No impact | +| Requires user to change their password the next time they log in | | No impact | +| Prevents users from recycling any of their last 5 used passwords. 
| | No impact | +| Enforces the inclusion of at least one lowercase letter (a–z) in every user password | | No impact | +| Password policy that mandates all user passwords on macOS must be at least 15 characters long | | No impact | +| Prevents users from creating weak and easily guessable passwords by disallowing patterns such as: +*Repeating characters: aaaaaa, 111111, zzzzzz +*Ascending sequences: 123456, abcdef, abcd1234 +*Descending sequences: 654321, zyxwvu, 4321dcba | | No impact | +| Password policy that enforces inclusion of at least one non-alphanumeric character (such as !, @, #, $, %, ^, etc.) in every user password. | | No impact | +| Password policy that ensures all user passwords include at least one capital letter (A–Z) | | No impact | +| Prevents the system from automatically sending analytics, crash reports, and usage patterns to Apple | | No impact | +| Activates the built-in firewall on macOS to control incoming network traffic based on specific application rules | Open terminal
sudo /usr/libexec/applicationfirewall/socketfilterfw --setglobalstate on | No impact | +| Prevents applications and system services from accessing the geographical location of the device | | No impact | +| Disabling the ability to share your screen or remotely control your Mac using macOS's built-in services. | | No impact | +| Turning off the built-in voice assistant, Siri | | Users will no longer be able to use siri for tasks like setting reminders, searching for files, dictating text, or controlling system functions using voice commands. | +| Ensure that macOS automatically downloads and installs updates as they become available. | | Some updates, especially major macos updates, may require the system to reboot. this could result in temporary downtime for users. | +| Disabling the SSH (Secure Shell) server on macOS to prevent remote access to the system via the command line. | | No impact | +| Only users with administrator privileges can make changes to system-wide settings and configurations | | No impact | +| Ensuring that data is regularly backed up and can be recovered in the event of system failure, data corruption, or accidental deletion | | No impact | +| Enable encryption when setting up the Time Machine backup destination on your Mac | | No impact | +| Ensuring that system has accurate and synchronized time settings | | No impact | +| Ensures your macOS system’s clock is accurate and synchronized with a trusted time source via the Network Time Protocol (NTP) | | No impact | +| SSH (Secure Shell) clients will not be able to authenticate to the server using just a username and password. Instead, SSH clients will need to use another authentication method, typically public key authentication, to establish a secure connection. | | There’s a risk of user lockout if ssh keys are not set up correctly before disabling password authentication. 
| +| Ensures that only the system, authorized administrators, or specific applications can access the audit logs, without granting granular permissions to individual users or groups through ACLs. | | Must ensure that the appropriate access control measures (e.g., file system permissions) are in place to secure the audit logs. | +| Prevent unauthorized modifications, access, or tampering with audit log files by removing the ability to set specific, user-based access controls for the folder that stores these logs. | | Users or processes that do not have explicit read/write permissions for the log folder may not be able to access the logs | +| Configure the audit capacity warning to 90% threshold +minsfree:10, warning is logged when disk fall below 10% free space | | No impact | +| System log event base on the following: +Authorization events refer to actions where the system grants or denies access based on user permissions and roles. For instance, a user trying to access a restricted file or a network resource may trigger an authorization event. +Authentication events refer to actions where the system verifies the identity of a user, typically by checking a password, fingerprint, or other credentials. Examples include login attempts, successful logins, failed login attempts, and account lockouts. | | No impact | +| Record activities related to privileged or administrative actions — such as sudo usage, system configuration changes, and user privilege escalation attempts | | No impact | +| System will log any attempts to run programs that fail to execute — for example, due to permissions issues, missing files, or invalid binaries | | No impact | +| Audit all deletions of object attributes, which refers to any instance where metadata or properties (such as permissions, labels, or extended attributes) associated with files or directories are removed. 
| | No impact | +| Audit all changes to object attributes, meaning any updates or modifications to metadata associated with files and directories (e.g., permissions, labels, ownership, timestamps). | | No impact | +| Any failed attempts to change file or directory attributes—such as ownership, permissions, or timestamps—are audited and recorded by the system. | | No impact | +| Every failed attempt to read a file or data object on the system is logged. | | No impact | +| Any attempt to write, modify, or delete a file or object that fails is recorded in macOS audit logs. | | No impact | +| All login and logout activity on whether successful or failed is captured in macOS's audit log system | | No impact | +| Notify administrators when a security event fails to be recorded +Policy:cnt +minsfree:10, warning is logged when disk fall below 10% free space | | No impact | +| macOS enforces restrictions on critical system files and directories, ensuring that only authenticated users (with root or appropriate privileges) can modify the system’s most sensitive components | | No impact | +| System will automatically remove guest folder if is present in the device | | No impact | +| No unauthorized user or application can access, modify, or delete the files contained within the Home Folder. | | No impact | +| System will retain log files for 365 days | | No impact | +| macOS will no longer prompt or accept password-sharing requests from nearby devices, regardless of trust or proximity. | | No impact | +| Prevents the system from allowing users to share saved passwords (such as Wi-Fi credentials, keychain items, or autofill data) with other Apple devices, either through AirDrop, iCloud Keychain and bluetooth | | No impact | +| when users attempt to log in remotely, typically through services like SSH (Secure Shell) or remote desktop tools. 
This banner provides a warning about unauthorized access, security policies, or other legal disclaimers, ensuring that users acknowledge the terms before gaining access to the system. | | No impact | +| System to show a legal notice or policy message whenever a user logs in via SSH. | | No impact | +| The server will not send keep-alive messages to the client. In other words, the server will not try to keep the connection alive by periodically sending requests to check if the client is still responsive. | | No impact | +| Set server idle time to 900 seconds | | No impact | +| Set client idle time to 900 seconds | | No impact | +| Only allow secure algorithms for encrypting and authenticating SSH traffic. +FIPS_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr" +FIPS_KEX_ALGORITHMS="diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256" +FIPS_MACS="hmac-sha1,hmac-sha2-256,hmac-sha2-512" | | Older ssh clients may not support the stricter cipher list and fail to connect. | +| Server waits for user to authenticate after the SSH connection is established. If the user does not successfully log in within the 30 seconds window, the server automatically drops the connection. | | Users must complete login within 30 seconds | +| Prevents one authenticated session from granting access to another. | | Users may need to re-authenticate more often across sessions or commands. | +| Time difference (offset) between the local system clock and NTP server does not exceed 5 minutes. 
| | No impact | +| Users cannot log into another active or locked user session on the macOS system | | No impact | +| Password policy that enforces inclusion of at least one numeric character (0-9) in every user password | | No impact | +| To block applications from unidentified developers (i.e., developers who have not registered with Apple and have not signed their apps), | | Third-party developers (especially smaller or independent developers) may not sign their applications or get them notarized by apple. this means their apps will be blocked by gatekeeper | +| Preventing users from bypassing Gatekeeper’s restrictions | | Cannot run apps from unidentified developers | +| Prevent guest from accessing to the shared files over the network. | | No impact | +| Prevent guest account from login into the device | | No impact | +| Preventing Apple from collecting and analyzing your voice interactions for quality improvement purposes. | | No impact | +| Disallow Mac from sharing its active internet connection with other devices via a different network interface. | | No impact | +| Disable automatically login, user will need to login into their device using their username and password | | No impact | +| Disallows files and folders to be shared with other devices on the same network. | | Users no longer can share or access files via smb | +| System regularly checks for and installs updates to built-in Apple apps and system components without user intervention | | No impact | +| macOS automatically downloads software updates — including macOS updates, security patches, and system files — in the background without requiring user action | | No impact | +| macOS to automatically check, download, and install system and security updates — without needing user action. | | No impact | +| Disallow Mac from wake up from sleep when another device on the same network sends a request | | No impact | 
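Review bot: the row "Only allow secure algorithms for encrypting and authenticating SSH traffic" lists `diffie-hellman-group14-sha1` in FIPS_KEX_ALGORITHMS and `hmac-sha1` in FIPS_MACS; SHA-1 based key exchange and MACs are deprecated and do not belong in a list the table calls secure, so either drop both and keep only the SHA-2 entries (`diffie-hellman-group-exchange-sha256`, `hmac-sha2-256`, `hmac-sha2-512`) or state that they are kept for legacy-client compatibility, since the impact column already warns that older clients may fail to connect. Related: one row disables the SSH server outright ("Disabling the SSH (Secure Shell) server on macOS to prevent remote access ...") while several others harden sshd (password authentication, login banner, keep-alives, the 900-second idle timeouts, the 30-second login window, the cipher list); say which applies, or note that the sshd rows take effect only where SSH is left enabled, otherwise a reader cannot tell what the baseline actually enforces. The middle column is empty for every row except the firewall one (`sudo /usr/libexec/applicationfirewall/socketfilterfw --setglobalstate on`); either fill it for rows that have a user-visible action or drop it for the rest. Several rows are unreadable as written and should be rephrased before merge: "By default, macOS disables verify that all remote connections have been effectively terminated", "By default, macOS disables the UUCP service at startup by preventing unauthorized connections and data transfers", "Enable of filename extension for example mac.exe and mac.txt", "Default setting on macOS to employs specific identifiers and tools", and "Users will be seeing the following message before they login". Finally, there are near-duplicate rows worth merging: three on time synchronisation (timed, "accurate and synchronized time settings", NTP), three on automatic updates, and two on screen sharing and remote control.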
diff --git a/support/seed-status.md b/support/seed-status.md index 5e2f7572..3b9d269e 100644 --- a/support/seed-status.md +++ b/support/seed-status.md @@ -7,9 +7,7 @@ This page provides the following Information: ## Scheduled maintenance -| Date | 21 May 2025 | -|-----------------|------------------------------| -| **Issue summary** | SEED will be performing scheduled maintenance updates on **21 May 2025, Wednesday, from 6:00 PM SGT onwards**. This maintenance was announced via email broadcast on 8 May and on the documentation portal.

**Impact**:
Users onboarding to SEED may encounter intermittent errors or delays. Users are advised **not to onboard during this period or 30 minutes prior to it**, as the maintenance will take place after office hours.

*Posted on: 21 May 2025, 9:00 AM SGT*

**What should I do if I am still having an issue?**
Create an [incident support request](https://go.gov.sg/seed-techpass-support). | +No scheduled maintenance! ## Ongoing incidents
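Review bot: replacing the maintenance table with the bare line "No scheduled maintenance!" also drops the "What should I do if I am still having an issue?" pointer to the [incident support request](https://go.gov.sg/seed-techpass-support), which readers of a status page need whether or not maintenance is scheduled; keep that line outside the table (or under its own heading) so it does not vanish each time the table is cleared. Consider also keeping a "Posted on:" timestamp next to the new line, as the removed block had, so a reader can tell the no-maintenance status is current rather than stale, and drop the exclamation mark, which is out of register for a status page.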