diff --git a/HardeningKitty.psd1 b/HardeningKitty.psd1 new file mode 100644 index 0000000..f61f427 --- /dev/null +++ b/HardeningKitty.psd1 
@@ -0,0 +1,294 @@ +# +# Module manifest for module 'HardeningKitty' +# Generated by: Michael Schneider +# Generated on: 2022-09-04 +# + +@{ + + # Script module or binary module file associated with this manifest. + RootModule = 'HardeningKitty.psm1' + + # Version number of this module. + ModuleVersion = '0.9.0' + + # Supported PSEditions + # CompatiblePSEditions = @() + + # ID used to uniquely identify this module + GUID = 'f58b04df-72f5-48e0-889e-a1348eec94b2' + + # Author of this module + Author = 'Michael Schneider' + + # Company or vendor of this module + CompanyName = 'scip ag' + + # Copyright statement for this module + Copyright = 'MIT License, Copyright (c) 2022 Michael Schneider' + + # Description of the functionality provided by this module + Description = 'Module to audit and harden Windows machines based on various guidelines' + + # Minimum version of the Windows PowerShell engine required by this module + # PowerShellVersion = '' + + # Name of the Windows PowerShell host required by this module + # PowerShellHostName = '' + + # Minimum version of the Windows PowerShell host required by this module + # PowerShellHostVersion = '' + + # Minimum version of Microsoft .NET Framework required by this module. This prerequisite is valid for the PowerShell Desktop edition only. + # DotNetFrameworkVersion = '' + + # Minimum version of the common language runtime (CLR) required by this module. This prerequisite is valid for the PowerShell Desktop edition only. + # CLRVersion = '' + + # Processor architecture (None, X86, Amd64) required by this module + # ProcessorArchitecture = '' + + # Modules that must be imported into the global environment prior to importing this module + # RequiredModules = @() + + # Assemblies that must be loaded prior to importing this module + # RequiredAssemblies = @() + + # Script files (.ps1) that are run in the caller's environment prior to importing this module. 
+ # ScriptsToProcess = @() + + # Type files (.ps1xml) to be loaded when importing this module + # TypesToProcess = @() + + # Format files (.ps1xml) to be loaded when importing this module + # FormatsToProcess = @() + + # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess + # NestedModules = @() + + # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. + FunctionsToExport = 'Invoke-HardeningKitty' + + # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. + CmdletsToExport = @() + + # Variables to export from this module + VariablesToExport = '*' + + # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. + AliasesToExport = @() + + # DSC resources to export from this module + # DscResourcesToExport = @() + + # List of all modules packaged with this module + # ModuleList = @() + + # List of all files packaged with this module + # FileList = @() + + # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. + PrivateData = @{ + + PSData = @{ + + # Tags applied to this module. These help with module discovery in online galleries. + Tags = @("Windows Hardening", "Audit", "Security Baseline", "Security", "Windows", "Defense") + + # A URL to the license for this module. + LicenseUri = 'https://github.com/0x6d69636b/windows_hardening/blob/master/LICENSE' + + # A URL to the main website for this project. + ProjectUri = 'https://github.com/0x6d69636b/windows_hardening' + + # A URL to an icon representing this module. 
+ # IconUri = '' + + # ReleaseNotes of this module + # ReleaseNotes = '' + + } # End of PSData hashtable + + } # End of PrivateData hashtable + + # HelpInfo URI of this module + # HelpInfoURI = '' + + # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. + # DefaultCommandPrefix = '' +} + +# SIG # Begin signature block +# MIIgIgYJKoZIhvcNAQcCoIIgEzCCIA8CAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB +# gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR +# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUuGsnVBGRrEdEj3A6h7TyFUgW +# 3NSgghn0MIIF4DCCBMigAwIBAgIQeO1YDfU4t32dWmgwBkYSEDANBgkqhkiG9w0B +# AQsFADCBkTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3Rl +# cjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQx +# NzA1BgNVBAMTLkNPTU9ETyBSU0EgRXh0ZW5kZWQgVmFsaWRhdGlvbiBDb2RlIFNp +# Z25pbmcgQ0EwHhcNMjAwODA3MDAwMDAwWhcNMjMwODA3MjM1OTU5WjCBzzEYMBYG +# A1UEBRMPQ0hFLTEwOS44MDQuMzgyMRMwEQYLKwYBBAGCNzwCAQMTAkNIMR0wGwYD +# VQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjELMAkGA1UEBhMCQ0gxDTALBgNVBBEM +# BDgwNDgxEDAOBgNVBAgMB1rDvHJpY2gxEDAOBgNVBAcMB1rDvHJpY2gxGzAZBgNV +# BAkMEkJhZGVuZXJzdHJhc3NlIDYyMzEQMA4GA1UECgwHU2NpcCBBRzEQMA4GA1UE +# AwwHU2NpcCBBRzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIvjKOZT +# ryv6pmIKN6ep8UVCcm+a5wTAt27yUUh4JyZhQjhMRk1SJZy5lLXimBQhmNlWAOWL +# yz5Gyecx3wBbaRYKQHIVH0LDBLDL2WU803JfTUi7TbsZCatq57oI/TAVoDClragI +# 0aPK/kbhREN1UN/mBKY3MLQmtJONeQawsEhLI1kwU+xmcllWu/VvO9Ld/K7rEvBi +# Pl+MR2vjc/Ns0h/gAizGxo6BlzD22XwyQWxPL8NTpTWSX+ZKrgh3AT+5iN/Q3mRV +# ewNR06W7TaKknwI8+wNrz2h/wNDAAO5BZmJ9aMvbJiJMF6IRx8907SoC2W+an0sX +# apQ12yFH6lCOm0MCAwEAAaOCAfIwggHuMB8GA1UdIwQYMBaAFN+P8yAM6cqmBNhb +# WDcqPatG3INJMB0GA1UdDgQWBBTRzSa1SEaHkraxCoNENvT8MuEWHTAOBgNVHQ8B +# Af8EBAMCB4AwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAzARBglg +# hkgBhvhCAQEEBAMCBBAwSQYDVR0gBEIwQDA1BgwrBgEEAbIxAQIBBgEwJTAjBggr +# BgEFBQcCARYXaHR0cHM6Ly9zZWN0aWdvLmNvbS9DUFMwBwYFZ4EMAQMwVQYDVR0f +# 
BE4wTDBKoEigRoZEaHR0cDovL2NybC5jb21vZG9jYS5jb20vQ09NT0RPUlNBRXh0 +# ZW5kZWRWYWxpZGF0aW9uQ29kZVNpZ25pbmdDQS5jcmwwgYYGCCsGAQUFBwEBBHow +# eDBQBggrBgEFBQcwAoZEaHR0cDovL2NydC5jb21vZG9jYS5jb20vQ09NT0RPUlNB +# RXh0ZW5kZWRWYWxpZGF0aW9uQ29kZVNpZ25pbmdDQS5jcnQwJAYIKwYBBQUHMAGG +# GGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTA7BgNVHREENDAyoCIGCCsGAQUFBwgD +# oBYwFAwSQ0gtQ0hFLTEwOS44MDQuMzgygQxpbmZvQHNjaXAuY2gwDQYJKoZIhvcN +# AQELBQADggEBACT7DLCxFVqNzRaCA/6PeNy1jJrCiCLLJsRM9Da7pkp7IJsVeKTC +# 4pF3YaiWf9/ZFwuBKorzoXZwH+P2EHi4fqjOlwBOxonnM6JxuMts5llladNiacoB +# dTiYe7xrkM/31vRauAuIj8zBNiNqfllmA3UJMHDObix9OAIbtDjZPli0IpAPDKKb +# pPTgoTjgyc33dVtF7rMZMPok/2iHsXJVzKBuYfwktZXTIQVKvHuwkG4+Vdw40/c9 +# eBpPRpDvjrtXjoVcDy5eEYo4j2rxSkmfvOgLcoLBtjuqWw44+AAdfoCgNa2kfJ1j +# Xb7NDzGQS1hgiUuTOiTYtvKbUOuJoFXxDW8wggYiMIIECqADAgECAhBt1HLrAq4E +# BuPdhD9f4UXhMA0GCSqGSIb3DQEBDAUAMIGFMQswCQYDVQQGEwJHQjEbMBkGA1UE +# CBMSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYDVQQHEwdTYWxmb3JkMRowGAYDVQQK +# ExFDT01PRE8gQ0EgTGltaXRlZDErMCkGA1UEAxMiQ09NT0RPIFJTQSBDZXJ0aWZp +# Y2F0aW9uIEF1dGhvcml0eTAeFw0xNDEyMDMwMDAwMDBaFw0yOTEyMDIyMzU5NTla +# MIGRMQswCQYDVQQGEwJHQjEbMBkGA1UECBMSR3JlYXRlciBNYW5jaGVzdGVyMRAw +# DgYDVQQHEwdTYWxmb3JkMRowGAYDVQQKExFDT01PRE8gQ0EgTGltaXRlZDE3MDUG +# A1UEAxMuQ09NT0RPIFJTQSBFeHRlbmRlZCBWYWxpZGF0aW9uIENvZGUgU2lnbmlu +# ZyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIr9vUPwPchVH/NZ +# ivBatNyT0WQVSoqEpS3LJvjgRTijuQHFTxMIWdAxVMrNkGGjPizyTRVc1O7DaiKX +# SNEGQzQJmcnPMMSfRP1WnO7M54O5gc3I2gscEkj/b6LsxHXLCXDPUeW7i5+qvXgG +# fZXWYYH22lPHrJ2zALoe1L5AYgmZgz1F3U1llQTM/PrHW3riLgw9VTVXNUiJifK5 +# VqVLUBsc3piQvfMu3Iip8XWbqD6iBdlBte93rRfAWvWj202f0cSxe4O17hCUKy5y +# rr7vlSmcUmLFLG0i931EehBfY5NpTdl9spqxTrVZv/+F+72s7OErpuMsLOjZbttf +# TRd4y1MCAwEAAaOCAX4wggF6MB8GA1UdIwQYMBaAFLuvfgI9+qbxPISOre44mOzZ +# MjLUMB0GA1UdDgQWBBTfj/MgDOnKpgTYW1g3Kj2rRtyDSTAOBgNVHQ8BAf8EBAMC +# AYYwEgYDVR0TAQH/BAgwBgEB/wIBADATBgNVHSUEDDAKBggrBgEFBQcDAzA+BgNV +# HSAENzA1MDMGBFUdIAAwKzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29t +# 
b2RvLmNvbS9DUFMwTAYDVR0fBEUwQzBBoD+gPYY7aHR0cDovL2NybC5jb21vZG9j +# YS5jb20vQ09NT0RPUlNBQ2VydGlmaWNhdGlvbkF1dGhvcml0eS5jcmwwcQYIKwYB +# BQUHAQEEZTBjMDsGCCsGAQUFBzAChi9odHRwOi8vY3J0LmNvbW9kb2NhLmNvbS9D +# T01PRE9SU0FBZGRUcnVzdENBLmNydDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3Au +# Y29tb2RvY2EuY29tMA0GCSqGSIb3DQEBDAUAA4ICAQBmTuy3FndvEegbXWpO2fKL +# bLFWKECLwDHEmUgjPfgO6ICX720gCx8TxIb7FzQV4Y5U98K4AHMV4CjZ2rr6glTC +# 9+u/wzbQMJ/loRyU3+986PYseKKszyZqFaEVMdYxNJi9U0/EhIOjxJZcPdj+1vlU +# /2eTbfg+K2ssogh8VkiBMhiybqyQwdvk3jmLhuXHGEBZpN+WR7qyf7H4Vw+FgHQ4 +# DjpYYh7+UuPmrlMJhv6Pm9tWVswHsInBBPFTC2xvd+yyH+z2W0BDYA8bqxhUtBAE +# jvgO6cuDsXryNE5qVEzpgyrpsDAlHM5ijg7rheYp/rFK4/KuPJH1TKG+yBcOXLtC +# TeMaipLNPiB+3el1seofdFyeVMKUN7Jh3QcWWX+WgBbgmbXSbrDJIwYVrNEj9DOL +# znXwwYbT/+Eu+pBP/kb5u9tPu7f+0Q0rBPHS0ZWFLIouuIVW8sOEUqHpM7HrUMih +# sJ/jw4s6h57nVdPTbTQXMA1oIgvVue1zNXLD7ac3zeNDrkXNNL8oyodi7UOkr/rL +# McshWGFGXrbGeqYeUyqo+FxRHzpaEA8owOR0i3TGBKr4SyYoCjKJ250qYHFqw5ZO +# Frljv2GVZ4xLLruwToPpTTHljici9Twme0SR09Ra8NN89Di+FJqZDouxW+rkiw8R +# nXdCghxcOtTaq4gvjVcwVDCCBuwwggTUoAMCAQICEDAPb6zdZph0fKlGNqd4Lbkw +# DQYJKoZIhvcNAQEMBQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVy +# c2V5MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVT +# VCBOZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24g +# QXV0aG9yaXR5MB4XDTE5MDUwMjAwMDAwMFoXDTM4MDExODIzNTk1OVowfTELMAkG +# A1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMH +# U2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMSUwIwYDVQQDExxTZWN0 +# aWdvIFJTQSBUaW1lIFN0YW1waW5nIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A +# MIICCgKCAgEAyBsBr9ksfoiZfQGYPyCQvZyAIVSTuc+gPlPvs1rAdtYaBKXOR4O1 +# 68TMSTTL80VlufmnZBYmCfvVMlJ5LsljwhObtoY/AQWSZm8hq9VxEHmH9EYqzcRa +# ydvXXUlNclYP3MnjU5g6Kh78zlhJ07/zObu5pCNCrNAVw3+eolzXOPEWsnDTo8Tf +# s8VyrC4Kd/wNlFK3/B+VcyQ9ASi8Dw1Ps5EBjm6dJ3VV0Rc7NCF7lwGUr3+Az9ER +# CleEyX9W4L1GnIK+lJ2/tCCwYH64TfUNP9vQ6oWMilZx0S2UTMiMPNMUopy9Jv/T +# UyDHYGmbWApU9AXn/TGs+ciFF8e4KRmkKS9G493bkV+fPzY+DjBnK0a3Na+WvtpM +# 
YMyou58NFNQYxDCYdIIhz2JWtSFzEh79qsoIWId3pBXrGVX/0DlULSbuRRo6b83X +# hPDX8CjFT2SDAtT74t7xvAIo9G3aJ4oG0paH3uhrDvBbfel2aZMgHEqXLHcZK5OV +# mJyXnuuOwXhWxkQl3wYSmgYtnwNe/YOiU2fKsfqNoWTJiJJZy6hGwMnypv99V9sS +# dvqKQSTUG/xypRSi1K1DHKRJi0E5FAMeKfobpSKupcNNgtCN2mu32/cYQFdz8HGj +# +0p9RTbB942C+rnJDVOAffq2OVgy728YUInXT50zvRq1naHelUF6p4MCAwEAAaOC +# AVowggFWMB8GA1UdIwQYMBaAFFN5v1qqK0rPVIDh2JvAnfKyA2bLMB0GA1UdDgQW +# BBQaofhhGSAPw0F3RSiO0TVfBhIEVTAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/ +# BAgwBgEB/wIBADATBgNVHSUEDDAKBggrBgEFBQcDCDARBgNVHSAECjAIMAYGBFUd +# IAAwUAYDVR0fBEkwRzBFoEOgQYY/aHR0cDovL2NybC51c2VydHJ1c3QuY29tL1VT +# RVJUcnVzdFJTQUNlcnRpZmljYXRpb25BdXRob3JpdHkuY3JsMHYGCCsGAQUFBwEB +# BGowaDA/BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2VydHJ1c3QuY29tL1VTRVJU +# cnVzdFJTQUFkZFRydXN0Q0EuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51 +# c2VydHJ1c3QuY29tMA0GCSqGSIb3DQEBDAUAA4ICAQBtVIGlM10W4bVTgZF13wN6 +# MgstJYQRsrDbKn0qBfW8Oyf0WqC5SVmQKWxhy7VQ2+J9+Z8A70DDrdPi5Fb5WEHP +# 8ULlEH3/sHQfj8ZcCfkzXuqgHCZYXPO0EQ/V1cPivNVYeL9IduFEZ22PsEMQD43k +# +ThivxMBxYWjTMXMslMwlaTW9JZWCLjNXH8Blr5yUmo7Qjd8Fng5k5OUm7Hcsm1B +# bWfNyW+QPX9FcsEbI9bCVYRm5LPFZgb289ZLXq2jK0KKIZL+qG9aJXBigXNjXqC7 +# 2NzXStM9r4MGOBIdJIct5PwC1j53BLwENrXnd8ucLo0jGLmjwkcd8F3WoXNXBWia +# p8k3ZR2+6rzYQoNDBaWLpgn/0aGUpk6qPQn1BWy30mRa2Coiwkud8TleTN5IPZs0 +# lpoJX47997FSkc4/ifYcobWpdR9xv1tDXWU9UIFuq/DQ0/yysx+2mZYm9Dx5i1xk +# zM3uJ5rloMAMcofBbk1a0x7q8ETmMm8c6xdOlMN4ZSA7D0GqH+mhQZ3+sbigZSo0 +# 4N6o+TzmwTC7wKBjLPxcFgCo0MR/6hGdHgbGpm0yXbQ4CStJB6r97DDa8acvz7f9 +# +tCjhNknnvsBZne5VhDhIG7GrrH5trrINV0zdo7xfCAMKneutaIChrop7rRaALGM +# q+P5CslUXdS5anSevUiumDCCBvYwggTeoAMCAQICEQCQOX+a0ko6E/K9kV8IOKlD +# MA0GCSqGSIb3DQEBDAUAMH0xCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVy +# IE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoTD1NlY3RpZ28g +# TGltaXRlZDElMCMGA1UEAxMcU2VjdGlnbyBSU0EgVGltZSBTdGFtcGluZyBDQTAe +# Fw0yMjA1MTEwMDAwMDBaFw0zMzA4MTAyMzU5NTlaMGoxCzAJBgNVBAYTAkdCMRMw +# EQYDVQQIEwpNYW5jaGVzdGVyMRgwFgYDVQQKEw9TZWN0aWdvIExpbWl0ZWQxLDAq +# 
BgNVBAMMI1NlY3RpZ28gUlNBIFRpbWUgU3RhbXBpbmcgU2lnbmVyICMzMIICIjAN +# BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAkLJxP3nh1LmKF8zDl8KQlHLtWjpv +# AUN/c1oonyR8oDVABvqUrwqhg7YT5EsVBl5qiiA0cXu7Ja0/WwqkHy9sfS5hUdCM +# WTc+pl3xHl2AttgfYOPNEmqIH8b+GMuTQ1Z6x84D1gBkKFYisUsZ0vCWyUQfOV2c +# sJbtWkmNfnLkQ2t/yaA/bEqt1QBPvQq4g8W9mCwHdgFwRd7D8EJp6v8mzANEHxYo +# 4Wp0tpxF+rY6zpTRH72MZar9/MM86A2cOGbV/H0em1mMkVpCV1VQFg1LdHLuoCox +# /CYCNPlkG1n94zrU6LhBKXQBPw3gE3crETz7Pc3Q5+GXW1X3KgNt1c1i2s6cHvzq +# cH3mfUtozlopYdOgXCWzpSdoo1j99S1ryl9kx2soDNqseEHeku8Pxeyr3y1vGlRR +# bDOzjVlg59/oFyKjeUFiz/x785LaruA8Tw9azG7fH7wir7c4EJo0pwv//h1epPPu +# FjgrP6x2lEGdZB36gP0A4f74OtTDXrtpTXKZ5fEyLVH6Ya1N6iaObfypSJg+8kYN +# abG3bvQF20EFxhjAUOT4rf6sY2FHkbxGtUZTbMX04YYnk4Q5bHXgHQx6WYsuy/Rk +# LEJH9FRYhTflx2mn0iWLlr/GreC9sTf3H99Ce6rrHOnrPVrd+NKQ1UmaOh2DGld/ +# HAHCzhx9zPuWFcUCAwEAAaOCAYIwggF+MB8GA1UdIwQYMBaAFBqh+GEZIA/DQXdF +# KI7RNV8GEgRVMB0GA1UdDgQWBBQlLmg8a5orJBSpH6LfJjrPFKbx4DAOBgNVHQ8B +# Af8EBAMCBsAwDAYDVR0TAQH/BAIwADAWBgNVHSUBAf8EDDAKBggrBgEFBQcDCDBK +# BgNVHSAEQzBBMDUGDCsGAQQBsjEBAgEDCDAlMCMGCCsGAQUFBwIBFhdodHRwczov +# L3NlY3RpZ28uY29tL0NQUzAIBgZngQwBBAIwRAYDVR0fBD0wOzA5oDegNYYzaHR0 +# cDovL2NybC5zZWN0aWdvLmNvbS9TZWN0aWdvUlNBVGltZVN0YW1waW5nQ0EuY3Js +# MHQGCCsGAQUFBwEBBGgwZjA/BggrBgEFBQcwAoYzaHR0cDovL2NydC5zZWN0aWdv +# LmNvbS9TZWN0aWdvUlNBVGltZVN0YW1waW5nQ0EuY3J0MCMGCCsGAQUFBzABhhdo +# dHRwOi8vb2NzcC5zZWN0aWdvLmNvbTANBgkqhkiG9w0BAQwFAAOCAgEAc9rtaHLL +# wrlAoTG7tAOjLRR7JOe0WxV9qOn9rdGSDXw9NqBp2fOaMNqsadZ0VyQ/fg882fXD +# eSVsJuiNaJPO8XeJOX+oBAXaNMMU6p8IVKv/xH6WbCvTlOu0bOBFTSyy9zs7WrXB +# +9eJdW2YcnL29wco89Oy0OsZvhUseO/NRaAA5PgEdrtXxZC+d1SQdJ4LT03EqhOP +# l68BNSvLmxF46fL5iQQ8TuOCEmLrtEQMdUHCDzS4iJ3IIvETatsYL254rcQFtOiE +# CJMH+X2D/miYNOR35bHOjJRs2wNtKAVHfpsu8GT726QDMRB8Gvs8GYDRC3C5VV9H +# vjlkzrfaI1Qy40ayMtjSKYbJFV2Ala8C+7TRLp04fDXgDxztG0dInCJqVYLZ8roI +# ZQPl8SnzSIoJAUymefKithqZlOuXKOG+fRuhfO1WgKb0IjOQ5IRT/Cr6wKeXqOq1 +# jXrO5OBLoTOrC3ag1WkWt45mv1/6H8Sof6ehSBSRDYL8vU2Z7cnmbDb+d0OZuGkt +# 
fGEv7aOwSf5bvmkkkf+T/FdpkkvZBT9thnLTotDAZNI6QsEaA/vQ7ZohuD+vprJR +# VNVMxcofEo1XxjntXP/snyZ2rWRmZ+iqMODSrbd9sWpBJ24DiqN04IoJgm6/4/a3 +# vJ4LKRhogaGcP24WWUsUCQma5q6/YBXdhvUxggWYMIIFlAIBATCBpjCBkTELMAkG +# A1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMH +# U2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNzA1BgNVBAMTLkNP +# TU9ETyBSU0EgRXh0ZW5kZWQgVmFsaWRhdGlvbiBDb2RlIFNpZ25pbmcgQ0ECEHjt +# WA31OLd9nVpoMAZGEhAwCQYFKw4DAhoFAKB4MBgGCisGAQQBgjcCAQwxCjAIoAKA +# AKECgAAwGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO +# MAwGCisGAQQBgjcCARUwIwYJKoZIhvcNAQkEMRYEFL6iS+7PmageAJzWM3bR1jYh +# 7JAaMA0GCSqGSIb3DQEBAQUABIIBAHT4Y9oo9YuPWDmpKa22vsrGdM20pYPBVG8s +# at0sNn4RpoG5XQQX80gcVk8sa0imvapZQH1Wrzb4LYO2Nzswt2Ljh4IqemQx0yEe +# 9S47KrmgOqBkCLs+1P6Vmc4nUinZGlqVej3MvCDWEA2x1Hk5+wYkIB3gJXc4x4om +# yPduaR8+CbZjx3K6KlJek51eKXAL7lNpE+hL20wPZI+3yAXrgzAu9+5sShpzyRKS +# KhWUR/u68Xvs3WU4BH5/Q0kfS5QDVahO4wOf5XwplAQlrZJR+4IfgPkI1QPbZvKR +# 99OZz6afAm7kGm4XcaByDnPNga9lcG0i0H3gkjaL3bL+BxDg1CChggNMMIIDSAYJ +# KoZIhvcNAQkGMYIDOTCCAzUCAQEwgZIwfTELMAkGA1UEBhMCR0IxGzAZBgNVBAgT +# EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UEChMP +# U2VjdGlnbyBMaW1pdGVkMSUwIwYDVQQDExxTZWN0aWdvIFJTQSBUaW1lIFN0YW1w +# aW5nIENBAhEAkDl/mtJKOhPyvZFfCDipQzANBglghkgBZQMEAgIFAKB5MBgGCSqG +# SIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIyMTIyOTA2MzIz +# OVowPwYJKoZIhvcNAQkEMTIEMOtKtgw5zZ1ho99VbBtLFqz6REnus6tL2nD+e0Xa +# WST7p6gbTT8Vz3UpUGr6kHYBXjANBgkqhkiG9w0BAQEFAASCAgBs5fLX+sx0A+Fy +# TTymLdkNtNCtUt3XPwbOd7kG4Cqc7he88hnthMScUaONhTxsGI134qml+DHP1/Q1 +# qAa5J1cwZ46a9SElMBl8fAInHAkyTV2HfJaacj0s1QoMbR2lpoClV6Hws13iSCRi +# vH7NvSjwZowDiZyu8MizsBwwJrptl58f4d7az87ArAm13o0v9w9XLSkDyrhn0Vdb +# BHOjjRy8bEa6ef+s0D0qk0470QYK63tffFtsP3UgQoINWZVZ8aJJorxyDblEGD8d +# aT44Rr7xkhOrlsK4ni3ZVC03XiJcV1C4ivqhHo3LbXP+vsnu1bE9UipnxACJrqkv +# A/MusTk9tUeZ6G4lmd17d2+y1q4zQpAZ3oaX9Yvg9QrfOYRP5tMpcbZ1fqdeRyTD +# ihlwz6Q5dkjiV3Gw7/xxu5fKr+XxHX6AkwZ1t+dFuEZ/ykIVI4QlpLfvcZdTq7NP +# 
5H4h2JG+3+evWTEHREK5Nnvxg8ms7En70aGSJ0GMuebn6wQOAvMscRYVvJbCIOM3 +# t50TE7neqmttPGUENpWwTCFDj0AthRYr9ors+UzPNI1ctKyeJSdZSWCfLrcFq0BF +# y70O7UUyX4DCe6rAN2ql/KGIwKpZN6PphmEMmw6Sc8BlLERUIeII8Ma+6sHfgMUQ +# hWvbMRhiZ7PPV/vSKl2/7Laf13yqlQ== +# SIG # End signature block diff --git a/Invoke-HardeningKitty.ps1 b/HardeningKitty.psm1 similarity index 80% rename from Invoke-HardeningKitty.ps1 rename to HardeningKitty.psm1 index 0ade372..69c75c5 100644 --- a/Invoke-HardeningKitty.ps1 +++ b/HardeningKitty.psm1 
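Review bot: In HardeningKitty.psd1, `VariablesToExport = '*'` leaves the variable export list open while `FunctionsToExport` is pinned to `Invoke-HardeningKitty`. If the module is meant to expose only that command, `VariablesToExport = @()` states it and matches the no-wildcards advice in the manifest's own comments. `CompatiblePSEditions` and `PowerShellVersion` are both left commented out, so the manifest does not restrict which edition or engine version may import the module; cmdlets the module relies on (this commit adds a `Checkpoint-Computer` call) may not exist everywhere, so declaring the supported editions is presumably worthwhile. The manifest ends in an Authenticode signature block, so any edit to it requires re-signing.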
@@ -71,24 +71,51 @@ Information about the system is not queried and displayed. This may be useful while debugging or using multiple lists on the same system. - .EXAMPLE + .PARAMETER SkipUserInformation + + Information about the user is not queried and displayed. This may be useful while debugging or + using multiple lists on the same system. + + .PARAMETER SkipLanguageWarning + + Do not show the language warning on an no-english Windows system. - Description: HardeningKitty performs an audit, saves the results and creates a log file: + .PARAMETER SkipRestorePoint + + Do not create a System Restore Point in HailMary mode. HardeningKitty strongly recommends to backup your system before running Hail Mary. However, + creating can be skipped, for example, if HailMary is executed several times in a row. By default, Windows allows a restore point every 24 hours. + Another reason is when HardeningKitty is run as a user and thus lacks privileges. + + .PARAMETER Filter + + The Filter parameter can be used to filter the hardening list. For this purpose the PowerShell ScriptBlock syntax must be used, for example { $_.ID -eq 4505 }. + The following elements are useful for filtering: ID, Category, Name, Method, and Severity. 
+ + .EXAMPLE Invoke-HardeningKitty -Mode Audit -Log -Report - Description: HardeningKitty performs an audit with a specific list and does not show machine information: - Invoke-HardeningKitty -FileFindingList .\lists\finding_list_0x6d69636b_user.csv -SkipMachineInformation + HardeningKitty performs an audit, saves the results and creates a log file - Description: HardeningKitty ready only the setting with the default list, and saves the results in a specific file: - Invoke-HardeningKitty -Mode Config -Report -Report C:\tmp\my_hardeningkitty_report.csv + .EXAMPLE + Invoke-HardeningKitty -FileFindingList finding_list_0x6d69636b_user.csv -SkipMachineInformation + + HardeningKitty performs an audit with a specific list and does not show machine information + + .EXAMPLE + Invoke-HardeningKitty -Mode Config -Report -ReportFile C:\tmp\my_hardeningkitty_report.csv + + HardeningKitty uses the default list, and saves the results in a specific file + .EXAMPLE + Invoke-HardeningKitty -Filter { $_.Severity -eq "Medium" } + + HardeningKitty uses the default list, and checks only tests with the severity Medium #> [CmdletBinding()] Param ( # Definition of the finding list, default is machine setting list - [ValidateScript({ Test-Path $_ })] [String] $FileFindingList, @@ -109,10 +136,18 @@ [Switch] $SkipMachineInformation, + # Skip user information, useful when debugging + [Switch] + $SkipUserInformation, + # Skip language warning, if you understand the risk [Switch] $SkipLanguageWarning, + # Skip creating a System Restore Point during Hail Mary mode + [Switch] + $SkipRestorePoint, + # Define name and path of the log file [String] $LogFile, @@ -131,7 +166,11 @@ # Define name and path of the backup file [String] - $BackupFile + $BackupFile, + + # Use PowerShell ScriptBlock syntax to filter the finding list + [scriptblock] + $Filter ) Function Write-ProtocolEntry { 
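Review bot: With `[ValidateScript({ Test-Path $_ })]` removed from `-FileFindingList` in the Param block, nothing visible in this hunk checks the path before it is used, and a later hunk shows it passed straight to `Import-Csv -Path $FileFindingList`. Unless a check exists outside the diff, a mistyped path now surfaces as an import error mid-run instead of a parameter-binding error. A guard just before the import keeps the early failure: `If (-not (Test-Path -Path $FileFindingList -PathType Leaf)) { Write-ProtocolEntry -Text "Finding list $FileFindingList not found" -LogLevel "Error"; Return }`. Separately, the added help text for `SkipLanguageWarning` reads "an no-english Windows system"; "a non-English Windows system" is meant. The function body continues outside the hunk.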
@@ -538,7 +577,7 @@
 #
 # Start Main
 #
- $HardeningKittyVersion = "0.8.0-1660481591"
+ $HardeningKittyVersion = "0.9.0-1670934249"
 
 #
 # Log, report and backup file
@@ -560,17 +599,11 @@
 If ($Report -and $ReportFile.Length -eq 0) {
 $ReportFile = "hardeningkitty_report_" + $Hostname + "_" + $ListName + "-$FileDate.csv"
 }
- If ($Report) {
- $Message = '"ID","Name","Severity","Result","Recommended","TestResult","SeverityFinding"'
- Add-MessageToFile -Text $Message -File $ReportFile
- }
 If ($Backup -and $BackupFile.Length -eq 0) {
 $BackupFile = "hardeningkitty_backup_" + $Hostname + "_" + $ListName + "-$FileDate.csv"
 }
- If ($Backup) {
- $Message = '"ID","Category","Name","Method","MethodArgument","RegistryPath","RegistryItem","ClassName","Namespace","Property","DefaultValue","RecommendedValue","Operator","Severity"'
- Add-MessageToFile -Text $Message -File $BackupFile
- }
+ $ReportAllResults = @()
+ $BackupAllResults = @()
 
 #
 # Statistics
@@ -659,7 +692,7 @@
 Write-ProtocolEntry -Text $Message -LogLevel "Notime"
 $Message = "Uptime: " + $MachineInformation.OsUptime
 Write-ProtocolEntry -Text $Message -LogLevel "Notime"
- $Message = "Windows: " + $MachineInformation.WindowsProductName
+ $Message = "Windows: " + $MachineInformation.OsName
 Write-ProtocolEntry -Text $Message -LogLevel "Notime"
 $Message = "Windows edition: " + $MachineInformation.WindowsEditionId
 Write-ProtocolEntry -Text $Message -LogLevel "Notime"
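Review bot: Dropping the header writes in the `@@ -560` hunk means `$ReportFile` and `$BackupFile` are no longer touched before the run starts. Rows are now collected in `$ReportAllResults` / `$BackupAllResults`, and the code that finally writes them is outside this diff. Presumably an unwritable `-ReportFile` or `-BackupFile` path is therefore discovered only after every check (or, in HailMary mode, every change) has run, and an aborted run leaves no partial report. A cheap up-front test that the target directory exists and is writable would restore the fail-fast behaviour. As a style point, `+=` on an array copies it on each append; a `[System.Collections.Generic.List[object]]` with `.Add()` avoids that.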
@@ -687,14 +720,18 @@ # # User information # - Write-Output "`n" - Write-ProtocolEntry -Text "Getting user information" -LogLevel "Info" + If (-not($SkipUserInformation)) { + Write-Output "`n" + Write-ProtocolEntry -Text "Getting user information" -LogLevel "Info" - $Message = "Username: " + [Security.Principal.WindowsIdentity]::GetCurrent().Name - Write-ProtocolEntry -Text $Message -LogLevel "Notime" - $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") - $Message = "Is Admin: " + $IsAdmin - Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $Message = "Username: " + [Security.Principal.WindowsIdentity]::GetCurrent().Name + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") + $Message = "Is Admin: " + $IsAdmin + Write-ProtocolEntry -Text $Message -LogLevel "Notime" + } Else { + $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator") + } # # Start Config/Audit mode @@ -706,7 +743,7 @@ # A CSV finding list is imported. HardeningKitty has one machine and one user list. If ($FileFindingList.Length -eq 0) { - $CurrentLocation = Get-Location + $CurrentLocation = $PSScriptRoot $DefaultList = "$CurrentLocation\lists\finding_list_0x6d69636b_machine.csv" If (Test-Path -Path $DefaultList) { 
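Review bot: The `$IsAdmin` assignment in the `@@ -687` hunk is duplicated verbatim in both branches of `If (-not($SkipUserInformation))`, so any later change to the admin test has to be made twice. `$IsAdmin` gates privileged work elsewhere in this commit (the restore-point block checks it), which makes a silent divergence between the two copies costly. Compute `$IsAdmin` once, directly above the `If`, and keep only the output lines (`Write-Output`, the two `$Message` assignments and their `Write-ProtocolEntry` calls) inside it; the `Else` branch then disappears.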
@@ -719,6 +756,14 @@ } $FindingList = Import-Csv -Path $FileFindingList -Delimiter "," + If ($Filter) { + $FindingList = $FindingList | Where-Object -FilterScript $Filter + If ($FindingList.Length -eq 0) { + $Message = "Your filter did not return any results, please adjust the filter so that HardeningKitty has something to work with." + Write-ProtocolEntry -Text $Message -LogLevel "Error" + Break + } + } $LastCategory = "" ForEach ($Finding in $FindingList) { @@ -1056,7 +1101,7 @@ try { - $ResultOutput = Get-BitLockerVolume -MountPoint C: + $ResultOutput = Get-BitLockerVolume -MountPoint $Env:SystemDrive If ($ResultOutput.VolumeType -eq 'OperatingSystem') { $ResultArgument = $Finding.MethodArgument $Result = $ResultOutput.$ResultArgument @@ -1273,6 +1318,22 @@ } } + # + # Scheduled Task + # Check the status of a scheduled task + # + ElseIf ($Finding.Method -eq 'ScheduledTask') { + + try { + + $ResultOutput = Get-ScheduledTask -TaskName $Finding.MethodArgument 2> $null + $Result = $ResultOutput.State + + } catch { + $Result = $Finding.DefaultValue + } + } + # # Compare result value and recommendation # The finding list specifies the test, as well as the recommended values. @@ -1327,6 +1388,23 @@ $Finding.RecommendedValue = $Finding.RecommendedValue.Replace(" ", "") } + # + # Handling for registry keys with an "advanced" format + # + If ($Finding.Method -eq 'Registry' -and $Finding.RegistryItem -eq "ASRRules") { + + $ResultAsr = $Result.Split("|") + ForEach ($AsrRow in $ResultAsr) { + $AsrRule = $AsrRow.Split("=") + If ($AsrRule[0] -eq $Finding.MethodArgument) { + $Result = $AsrRule[1] + Break + } Else { + $Result = $Finding.DefaultValue + } + } + } + $ResultPassed = $false Switch ($Finding.Operator) { 
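Review bot: `Break` in the empty-filter branch (`@@ -719`) is not inside any loop visible here, since the `ForEach` only starts two lines later. A `Break` outside a loop makes PowerShell search up the call stack for an enclosing loop and otherwise ends the running script quietly. Now that the function ships in a module and will be called from other scripts, `Return` is the safer exit. The restore-point block added in the `@@ -1460` hunk has the same pattern: `Continue` in the not-admin branch and `Break` in the `catch`, both ahead of the `ForEach`. The emptiness test `$FindingList.Length -eq 0` also depends on how the engine treats `$null` and single objects; `@($FindingList).Count -eq 0` states the intent directly. The enclosing function starts and ends outside the hunk.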
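Review bot: In the `ScheduledTask` branch (`@@ -1273`) the `catch` probably never runs for a missing task. `Get-ScheduledTask` is called without `-ErrorAction Stop` and its error stream is only redirected with `2> $null`, so a non-terminating "not found" error would leave `$ResultOutput` empty and `$Result` would become `$null` rather than `$Finding.DefaultValue`. `$ResultOutput = Get-ScheduledTask -TaskName $Finding.MethodArgument -ErrorAction Stop` makes the fallback reachable. Because only `-TaskName` is given, tasks sharing a name under different task paths would all be returned and `.State` would then be an array; whether the finding list can carry a task path is not visible here.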
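Review bot: The ASR handling (`@@ -1327`) calls `$Result.Split("|")` without checking that `$Result` is a non-empty string. If the registry read, which is outside this hunk, can yield `$null` when `ASRRules` is absent, this throws instead of falling back to the default. The loop also overwrites `$Result` with `$Finding.DefaultValue` on every non-matching row, which works only because the split copy was taken first. Holding the outcome in a local that starts at the default and is assigned on a match is easier to follow, and trimming the rule ID tolerates stray spaces in the policy value.

```powershell
If ($Finding.Method -eq 'Registry' -and $Finding.RegistryItem -eq "ASRRules") {

    # Start from the default; only a matching rule row replaces it
    $AsrValue = $Finding.DefaultValue
    If ($Result -is [string] -and $Result.Length -gt 0) {
        ForEach ($AsrRow in $Result.Split("|")) {
            $AsrRule = $AsrRow.Split("=")
            If ($AsrRule.Count -eq 2 -and $AsrRule[0].Trim() -eq $Finding.MethodArgument) {
                $AsrValue = $AsrRule[1]
                Break
            }
        }
    }
    $Result = $AsrValue
}
```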
@@ -1372,8 +1450,17 @@ } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","Passed","' + $Result + '","' + $Finding.RecommendedValue + '","' + $TestResult + '","' + $Finding.Severity + '"' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = "Passed" + Result = $Result + Recommended = $Finding.RecommendedValue + TestResult = $TestResult + SeverityFinding = $Finding.Severity + } + $ReportAllResults += $ReportResult } # Increment Counter @@ -1396,8 +1483,17 @@ } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $Finding.Severity + '","' + $Result + '","' + $Finding.RecommendedValue + '","' + $TestResult + '","' + $Finding.Severity + '"' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $Finding.Severity + Result = $Result + Recommended = $Finding.RecommendedValue + TestResult = $TestResult + SeverityFinding = $Finding.Severity + } + $ReportAllResults += $ReportResult } # Increment Counter 
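Review bot: The eight-key `[ordered] @{ ... }` report record is written out in full in both hunks here and again in every later `If ($Report)` hunk of this diff, differing only in `Severity`, `Result`, `Recommended`, `TestResult` and `SeverityFinding`. A small private helper that takes `$Finding` plus those five values and appends to `$ReportAllResults` would remove the repetition and keep the column set in one place. The records are ordered dictionaries rather than objects and the export code is outside this diff, so confirm they are converted (for instance with `[PSCustomObject]`) before being handed to a CSV cmdlet; otherwise the columns would not be these keys.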
@@ -1421,12 +1517,36 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '",,"' + $Result + '",' + $Finding.RecommendedValue + ',,' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = "" + Result = $Result + Recommended = $Finding.RecommendedValue + TestResult = "" + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } If ($Backup) { - $Message = '"' + $Finding.ID + '","' + $Finding.Category + '","' + $Finding.Name + '","' + $Finding.Method + '","' + $Finding.MethodArgument + '","' + $Finding.RegistryPath + '","' + $Finding.RegistryItem + '","' + $Finding.ClassName + '","' + $Finding.Namespace + '","' + $Finding.Property + '","' + $Finding.DefaultValue + '","' + $Result + '","' + $Finding.Operator + '","' + $Finding.Severity + '",' - Add-MessageToFile -Text $Message -File $BackupFile + $BackupResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Method = $Finding.Method + MethodArgument = $Finding.MethodArgument + RegistryPath = $Finding.RegistryPath + RegistryItem = $Finding.RegistryItem + ClassName =$Finding.ClassName + Namespace = $Finding.Namespace + Property = $Finding.Property + DefaultValue = $Finding.DefaultValue + RecommendedValue = $Result + Operator = $Finding.Operator + Severity = $Finding.Severity + } + $BackupAllResults += $BackupResult } } } @@ -1443,7 +1563,7 @@ # A CSV finding list is imported If ($FileFindingList.Length -eq 0) { - $CurrentLocation = Get-Location + $CurrentLocation = $PSScriptRoot $DefaultList = "$CurrentLocation\lists\finding_list_0x6d69636b_machine.csv" If (Test-Path -Path $DefaultList) { 
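Review bot: In the backup record of the `@@ -1421` hunk, `RecommendedValue = $Result` stores the value just read from the system under the column that normally holds the recommendation, and nothing in the code says why. Presumably this is so the backup file can later be fed back as a finding list to restore the previous state; a comment above that line such as `# Current system value is saved as RecommendedValue so the backup can be replayed as a finding list` would make that explicit (confirm the intent first). `ClassName =$Finding.ClassName` is also missing the space after `=` that every other key in the block has.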
@@ -1460,6 +1580,41 @@ $ProcessmitigationEnableArray = @() $ProcessmitigationDisableArray = @() + # + # Create a System Restore Point + # + + If (-not($SkipRestorePoint)) { + + $Message = "Creating a system restore point" + Write-Output "`n" + Write-ProtocolEntry -Text $Message -LogLevel "Info" + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin)) { + Write-NotAdminError -FindingID "42" -FindingName "System Restore Point" -FindingMethod "Checkpoint-Computer" + Continue + } + + Try { + Checkpoint-Computer -Description 'HardeningKitty' -RestorePointType 'MODIFY_SETTINGS' -ErrorAction Stop -WarningAction Stop + } catch { + + $Message = "Creating a system restore point failed. Use -SkipRestorePoint to run HailMary anyway. Be careful!" + Write-ResultEntry -Text $Message -SeverityLevel "High" + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + Break + } + + $Message = "Creating a system restore point was successful" + Write-ResultEntry -Text $Message -SeverityLevel "Passed" + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + } + ForEach ($Finding in $FindingList) { # @@ -1523,8 +1678,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } } Else { 
@@ -1537,8 +1701,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } Continue } @@ -1591,8 +1764,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } } @@ -1644,8 +1826,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } Remove-Item $TempFileName Remove-Item $TempDbFileName 
@@ -1662,8 +1853,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } &$BinarySecedit /configure /db $TempDbFileName /overwrite /areas SECURITYPOLICY /quiet | Out-Null @@ -1678,8 +1878,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } Remove-Item $TempFileName Remove-Item $TempDbFileName @@ -1696,8 +1905,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } Remove-Item $TempFileName 
@@ -1746,8 +1964,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } } @@ -1801,8 +2028,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } } @@ -1879,8 +2115,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } &$BinarySecedit /configure /db $TempDbFileName /overwrite /areas USER_RIGHTS /quiet | Out-Null 
@@ -1895,8 +2140,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } Remove-Item $TempFileName Remove-Item $TempDbFileName @@ -1913,8 +2167,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } Remove-Item $TempFileName @@ -1950,8 +2213,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } Continue } 
@@ -1971,8 +2243,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } Continue } @@ -2002,8 +2283,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } Continue } @@ -2026,8 +2316,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } } 
@@ -2075,8 +2374,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } } @@ -2126,8 +2434,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } } @@ -2175,8 +2492,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } } 
@@ -2244,8 +2570,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } } @@ -2286,7 +2621,6 @@ If (-Not $Result) { If ($FwProgram -eq "") { - $ResultRule = New-NetFirewallRule -DisplayName $FwDisplayName -Profile $FwProfile -Direction $FwDirection -Action $FwAction -Protocol $FwProtocol -LocalPort $FwLocalPort } Else { $ResultRule = New-NetFirewallRule -DisplayName $FwDisplayName -Profile $FwProfile -Direction $FwDirection -Action $FwAction -Program "$FwProgram" 
@@ -2321,8 +2655,90 @@ } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult + } + } + + # + # Scheduled Task + # Edit a scheduled task. First it will be checked if a modification is required + # + If ($Finding.Method -eq 'ScheduledTask') { + + # Check if the user has admin rights, skip test if not + If (-not($IsAdmin)) { + Write-NotAdminError -FindingID $Finding.ID -FindingName $Finding.Name -FindingMethod $Finding.Method + Continue + } + + # Check the state of the scheduled task + try { + $ResultOutput = Get-ScheduledTask -TaskName $Finding.MethodArgument 2> $null + $Result = $ResultOutput.State + + } catch { + $Result = $Finding.DefaultValue + } + + # Check if a modification is requried + If ($Result -eq $Finding.RecommendedValue) { + + # Excellent + $ResultText = "Scheduled Task has alredy the recommended state" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $ResultText + $MessageSeverity = "Passed" + $TestResult = "Passed" + + } Else { + + If ($Finding.RecommendedValue -eq "Disabled") { + + $Result = Get-ScheduledTask -TaskName $Finding.MethodArgument | Disable-ScheduledTask + + $ResultText = "Scheduled Task was disabled" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $ResultText + $MessageSeverity = "Passed" + $TestResult = "Passed" + + } ElseIf ($Finding.RecommendedValue -eq "Ready") { + + $Result = Get-ScheduledTask -TaskName $Finding.MethodArgument | Enable-ScheduledTask + + $ResultText = "Scheduled Task was enabled" + $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $ResultText + $MessageSeverity 
= "Passed" + $TestResult = "Passed" + } + } + + Write-ResultEntry -Text $Message -SeverityLevel $MessageSeverity + + If ($Log) { + Add-MessageToFile -Text $Message -File $LogFile + } + + If ($Report) { + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } } } @@ -2354,8 +2770,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } } ElseIf ($ProcessmitigationEnableArray.Count -gt 0 -and $ProcessmitigationDisableArray.Count -eq 0) { $ResultText = "Process mitigation settings set" @@ -2380,8 +2805,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } } ElseIf ($ProcessmitigationEnableArray.Count -eq 0 -and $ProcessmitigationDisableArray.Count -gt 0) { $ResultText = "Process mitigation settings set" 
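Review bot: The new ScheduledTask method in the -2321 hunk can record "Passed" for a task that was never changed. `Get-ScheduledTask ... 2> $null` raises a non-terminating error by default when the task is missing, so the `catch` that assigns `$Finding.DefaultValue` is not reached unless the call uses `-ErrorAction Stop`, i.e. `$ResultOutput = Get-ScheduledTask -TaskName $Finding.MethodArgument -ErrorAction Stop`. In the `Else` branch the outcome of `Disable-ScheduledTask` / `Enable-ScheduledTask` is never checked before `$TestResult = "Passed"` is set. When `RecommendedValue` is neither "Disabled" nor "Ready", `$Message`, `$ResultText` and `$TestResult` keep whatever the previous finding left in them and are still written to the log and report. A hardening report that overstates what was applied is worse than one that reports the failure, so the change branch should set its result only after the cmdlet has succeeded. The enclosing loop and function begin outside the hunk.

```powershell
# … unchanged: admin check, state lookup, "already recommended" branch …
} Else {
    try {
        $Task = Get-ScheduledTask -TaskName $Finding.MethodArgument -ErrorAction Stop
        If ($Finding.RecommendedValue -eq "Disabled") {
            $Task | Disable-ScheduledTask -ErrorAction Stop | Out-Null
            $ResultText = "Scheduled Task was disabled"
        } ElseIf ($Finding.RecommendedValue -eq "Ready") {
            $Task | Enable-ScheduledTask -ErrorAction Stop | Out-Null
            $ResultText = "Scheduled Task was enabled"
        } Else {
            Throw "Unsupported RecommendedValue for ScheduledTask"
        }
        $MessageSeverity = "Passed"
        $TestResult = "Passed"
    } catch {
        $ResultText = "Scheduled Task could not be changed"
        # Use the severity / result values the other methods report on failure.
        $MessageSeverity = "High"
        $TestResult = "Failed"
    }
    $Message = "ID " + $Finding.ID + ", " + $Finding.Name + ", " + $ResultText
}
# … unchanged: Write-ResultEntry, log and report handling …
```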
@@ -2406,8 +2840,17 @@ Add-MessageToFile -Text $Message -File $LogFile } If ($Report) { - $Message = '"' + $Finding.ID + '","' + $Finding.Name + '","' + $MessageSeverity + '","' + $ResultText + '",,"' + $TestResult + '",' - Add-MessageToFile -Text $Message -File $ReportFile + $ReportResult = [ordered] @{ + ID = $Finding.ID + Category = $Finding.Category + Name = $Finding.Name + Severity = $MessageSeverity + Result = $ResultText + Recommended = "" + TestResult = $TestResult + SeverityFinding = "" + } + $ReportAllResults += $ReportResult } } } @@ -2415,6 +2858,22 @@ Write-Output "`n" Write-ProtocolEntry -Text "HardeningKitty is done" -LogLevel "Info" + # Write report file + If ($Report) { + ForEach ($ReportResult in $ReportAllResults) { + $ResultObject = [pscustomobject] $ReportResult + $ResultObject | Export-Csv -Path $ReportFile -Delimiter "," -NoTypeInformation -Append + } + } + + # Write backup file + If ($Backup) { + ForEach ($BackupResult in $BackupAllResults) { + $BackupObject = [pscustomobject] $BackupResult + $BackupObject | Export-Csv -Path $BackupFile -Delimiter "," -NoTypeInformation -Append + } + } + If ($Mode -eq "Audit") { # HardeningKitty Score @@ -2439,12 +2898,14 @@ } Write-Output "`n" } + +Export-ModuleMember -Function Invoke-HardeningKitty # SIG # Begin signature block # MIIgIgYJKoZIhvcNAQcCoIIgEzCCIA8CAQExCzAJBgUrDgMCGgUAMGkGCisGAQQB # gjcCAQSgWzBZMDQGCisGAQQBgjcCAR4wJgIDAQAABBAfzDtgWUsITrck0sYpfvNR -# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQUj8G/FpvpEYGAVC8JUvlKOoIa -# ZQygghn0MIIF4DCCBMigAwIBAgIQeO1YDfU4t32dWmgwBkYSEDANBgkqhkiG9w0B +# AgEAAgEAAgEAAgEAAgEAMCEwCQYFKw4DAhoFAAQU2HMRijCLsnIkXXggS/333pxI +# uV6gghn0MIIF4DCCBMigAwIBAgIQeO1YDfU4t32dWmgwBkYSEDANBgkqhkiG9w0B # AQsFADCBkTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3Rl # cjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQx # NzA1BgNVBAMTLkNPTU9ETyBSU0EgRXh0ZW5kZWQgVmFsaWRhdGlvbiBDb2RlIFNp 
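Review bot: The "Write report file" and "Write backup file" blocks added in the -2415 hunk run only after the whole finding loop has finished, so a terminating error or an interrupted run leaves neither file on disk. The lines this commit replaces wrote each report row as soon as it was produced. If `$BackupAllResults` holds the pre-change values, as its name suggests (it is populated outside this hunk), an aborted run would leave settings changed with no record to restore from. Putting the two blocks in a `finally` around the loop, or flushing rows as they are produced, would keep that record. Each block also calls `Export-Csv -Append` once per row; a single pipeline does the same with one file open, e.g. `$ReportAllResults | ForEach-Object { [pscustomobject] $_ } | Export-Csv -Path $ReportFile -Delimiter "," -NoTypeInformation -Append`. The enclosing function begins and ends outside the hunk.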
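Review bot: The signature block regenerated in the -2439 hunk still appears to use SHA-1 as the Authenticode file digest. The context line beginning `# MIIgIgYJKoZI` contains `BgUrDgMCGgUA`, the base64 encoding of OID 1.3.14.3.2.26, which is what `Set-AuthenticodeSignature` emits by default in Windows PowerShell 5.1. Since this module is meant to be run with administrative rights, re-signing with `-HashAlgorithm SHA256` would avoid tying its integrity check to a deprecated hash. The rest of the signature block continues in the next hunk.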
@@ -2588,29 +3049,29 @@ # TU9ETyBSU0EgRXh0ZW5kZWQgVmFsaWRhdGlvbiBDb2RlIFNpZ25pbmcgQ0ECEHjt # WA31OLd9nVpoMAZGEhAwCQYFKw4DAhoFAKB4MBgGCisGAQQBgjcCAQwxCjAIoAKA # AKECgAAwGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEO -# MAwGCisGAQQBgjcCARUwIwYJKoZIhvcNAQkEMRYEFH0PnhwfakDEsZAD7N4w8zpW -# zpalMA0GCSqGSIb3DQEBAQUABIIBAFf/MXcHYElXShM/Y78RQK9VLHM4FVFMN0sE -# 9vbrU1qEEBCPlYL5wvq5A7dYFSquzZ0B7Vl4BA8q4D6E77NsaD30v21CZlAZT9xw -# 0xpgEeavEBr3/Og1j+1/kP50LsEjfMo9eKSrwN8TWR3ml/m7BRS2M+XrwJVWNOYh -# qRCclFmRpgCxP3pVz7e5GIFXpk1YgTSdqLiPWO7g/n4lI8lC6+JxL0Jg3RTnIk/q -# 6cHGq0ZctDNWfoT5lBi2G5HAjsexv9lBKb4CNjjWI37rm5MqNW7rNGl0QUu39vDt -# ZQ/rl5ECA7MX1xXniLUDj2v54Za9JDD6WXa/67ga5O3/EzPkq/qhggNMMIIDSAYJ +# MAwGCisGAQQBgjcCARUwIwYJKoZIhvcNAQkEMRYEFFPsuEjlxP+s0mw3oYLGwXZI +# UwmpMA0GCSqGSIb3DQEBAQUABIIBAHCTpEmA+oTUt5FWzkKz9yR8byhEfAJ5dPGU +# AeXsXfhefic33SZTxrDgPMtZtE4sekfMJxBFPEIfSJ4vevMyfBDOrfsqWUM80smO +# IqewVJaAg4p8txM4so2hzSPUZDubMJ5A40SlRoEfaZP76HWs3jOImH0vDWpxdGDo +# AV1tEzKVZN2HU4rAcNBasEeuZoEgdDyyRIdnBvcx3a0dIu4J1fLeO/U/XSzZvEpE +# sJ3ELEbhswBsqrMbbAMU3kQCrHgVsNKAys5I7h1hPvJHwfo/mp8MYXPFHtJCZ8I+ +# rHzp6I0I4aE1hrQQKxReWnMvR8qaVbDj4LzVSLDphtCgcJHe+O2hggNMMIIDSAYJ # KoZIhvcNAQkGMYIDOTCCAzUCAQEwgZIwfTELMAkGA1UEBhMCR0IxGzAZBgNVBAgT # EkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEYMBYGA1UEChMP # U2VjdGlnbyBMaW1pdGVkMSUwIwYDVQQDExxTZWN0aWdvIFJTQSBUaW1lIFN0YW1w # aW5nIENBAhEAkDl/mtJKOhPyvZFfCDipQzANBglghkgBZQMEAgIFAKB5MBgGCSqG -# SIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIyMDgzMTA1MTE0 -# N1owPwYJKoZIhvcNAQkEMTIEMB5zlCu07ibMxSz5RLRuMt5abDCmf8BafavXyJVy -# QklxZx5xXTuJa7mlwN0+ZpR0cTANBgkqhkiG9w0BAQEFAASCAgAChDNq5KDqR0SA -# ZtY2FzbdvMVa1lz9V3afkIJ1Cr4qHuUn1UI91zbns1McJL9cf4DRv2WOlaaUzWrS -# SPFlC5qT9sK20BOgRDcyDpPKAJaFrbSERiByh8Nm1niGgJHhibBbMQUIRt1bltTf -# MC90KvZwvtFQ557Oydcz8sbCV0xUSd5VxFfysyYIOQRZ4yeI4nJX1Txbv8KUr+oz -# 4L59YLg+ZSmfP5pu1IT48QGeOscOAJaVlxQX5B9aCYEnXgRjuhxCEWG1rygSRsqz -# P2sviMRtc+irWxYSA4KK5E0ba8DNi7ANhJtEJ4EFdOoVw2cf+pAqMbNhv1Hqug9q -# 
k6xum1b7yi23hfIz67xCF/1EueNCc4x6zBKAMsEb0SbcSvMHGGA1lTw37JRsGbmS -# pz2DQFZ7X/cwUvdQMn947/8QqDbhQLzRmx7USHyYk4UxKl10tGyHZeanQ2rzBtxj -# 4jp9oC6/m7nd9NLHvtZVLDmShSS5DcFqtwBg1euNCPE2bqlgSiBTfj49qseCdvuh -# TzSY8WfIYPIqis6e3/deIoPKd8dlpXPWxPAnQa33TxHv2VWa/1951ITTHxi/08n4 -# +W6uvj8wWt7bd2Gb/saFi9qqF6odQ8p6hsgi/dIxW8pdeQkTOUNI6pYKrWt972WK -# wBC8hjyZ7IQJdHf2JBqkG8dWWKtCWQ== +# SIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTIyMTIyOTA2MzA0 +# NVowPwYJKoZIhvcNAQkEMTIEMCwwQoSjHjvq0Y44/ytS0hYDbu2hYSvSLAZcUQrw +# JQhUbgerotT9WpnUqpboCXcaITANBgkqhkiG9w0BAQEFAASCAgANmGAdjWb4CvaV +# vmIv9njNrdzHYyr62Ib5JGo6G8xadWw5qVOXQMxkaloMszr2mV5Wpp18iSyeqMyf +# j/qGw19tqWHDVMEQO1NSNPkKA6EU54xNWIhiEEtqvGB4s5oXNZC7rDb4Rn5ZDzS1 +# urJmb0x+fTvZgfxsudoEh+h1o+C2DesseJA+9IvLzcecGzm8ancev7EI7q3NdBsJ +# /PvdnGCoaQ6ItclFdQu8JyCPqvtvXUGK44X5Eic2kCM1XzVsBGoUW0Kv5uHRhI8Z +# Sr4aaWfcSB4Ak791TSEgM0bewPv3EhXv8d1WT0Bj4/Dg2j1kmIYkzeVc1Edwsd8o +# sdzWR1mz3GQIslh0AVGL2N+oC8wLbATtvYmSRWRn1WPgUPJG4W9gXxIN7U0MuvXq +# wcxu/U444O0CAaMVmHC2Glo4MzeT531SlyaJOf+KPxu8DMT08VNSv0St4zlR7DQZ +# 96TEGQcRXeVXVFN9rBJpwxE5iQJjh/fe/T0Vk9xyek3sV9I1R+YzgFcCsB9o/E1P +# Zn0VBbQ2xtl5VsDZnrXLrxMdUuqlcvJDmC+cIYUkMb8KpCJRs32UZKTal3cxURaD +# ycsTt5WnU/Ed55ZupBiZ/oTQq5f01zr7eZdN7gLeqhFNqMRPsfomWspn0YTmXrks +# TRgBqkK23Pb9c6DmE1g4HrQO+WBt8w== # SIG # End signature block diff --git a/README.md b/README.md index 080f97e..21c0940 100644 --- a/README.md +++ b/README.md 
@@ -6,63 +6,79 @@ _HardeningKitty_ supports hardening of a Windows system. The configuration of th The script was developed for English systems. It is possible that in other languages the analysis is incorrect. Please create an issue if this occurs. -## How to run +## How to Run Run the script with administrative privileges to access machine settings. For the user settings it is better to execute them with a normal user account. Ideally, the user account is used for daily work. -Download _HardeningKitty_ and copy it to the target system (script and lists). After that HardeningKitty can be imported and executed: +Download _HardeningKitty_ and copy it to the target system (script and lists). Then HardeningKitty can be imported and executed: ```powershell -PS C:\tmp> Import-Module .\Invoke-HardeningKitty.ps1 +PS C:\tmp> Import-Module .\HardeningKitty.psm1 PS C:\tmp> Invoke-HardeningKitty -EmojiSupport =^._.^= - _( )/ HardeningKitty 0.6.1-1628003775 + _( )/ HardeningKitty 0.9.0-1662273740 -[*] 8/7/2021 7:27:04 AM - Starting HardeningKitty +[*] 9/4/2022 8:54:12 AM - Starting HardeningKitty -[*] 8/7/2021 7:27:04 AM - Getting machine information +[*] 9/4/2022 8:54:12 AM - Getting user information [*] Hostname: DESKTOP-DG83TOD [*] Domain: WORKGROUP ... -[*] 8/7/2021 7:27:09 AM - Starting Category Account Policies +[*] [*] 9/4/2022 8:54:12 AM - Starting Category Account Policies [😺] ID 1103, Store passwords using reversible encryption, Result=0, Severity=Passed [😺] ID 1100, Account lockout threshold, Result=10, Severity=Passed [😺] ID 1101, Account lockout duration, Result=30, Severity=Passed ... -[*] 8/7/2021 7:27:09 AM - Starting Category User Rights Assignment +[*] 9/4/2022 8:54:12 AM - Starting Category User Rights Assignment [😿] ID 1200, Access this computer from the network, Result=BUILTIN\Administrators;BUILTIN\Users, Recommended=BUILTIN\Administrators, Severity=Medium ... 
-[*] 8/7/2021 7:27:12 AM - Starting Category Administrative Templates: Printer +[*] 9/4/2022 8:54:14 AM - Starting Category Administrative Templates: Printer [🙀] ID 1764, Point and Print Restrictions: When installing drivers for a new connection (CVE-2021-34527), Result=1, Recommended=0, Severity=High [🙀] ID 1765, Point and Print Restrictions: When updating drivers for an existing connection (CVE-2021-34527), Result=2, Recommended=0, Severity=High ... -[*] 8/7/2021 7:27:19 AM - Starting Category MS Security Guide +[*] 9/4/2022 8:54:19 AM - Starting Category MS Security Guide [😿] ID 2200, LSA Protection, Result=, Recommended=1, Severity=Medium [😼] ID 2201, Lsass.exe audit mode, Result=, Recommended=8, Severity=Low ... -[*] 8/7/2021 7:27:48 AM - HardeningKitty is done -[*] 8/7/2021 7:27:48 AM - Your HardeningKitty score is: 4.82. HardeningKitty Statistics: Total checks: 325 - Passed: 213, Low: 33, Medium: 76, High: 3. +[*] 9/4/2022 8:54:25 AM - HardeningKitty is done +[*] 9/4/2022 8:54:25 AM - Your HardeningKitty score is: 4.82. HardeningKitty Statistics: Total checks: 325 - Passed: 213, Low: 33, Medium: 76, High: 3. ``` +## How To Install + +First create the directory *HardeningKitty* and for every version a sub directory like *0.9.0* in a path listed in the *PSModulePath* environment variable. + +Copy the module *HardeningKitty.psm1*, *HardeningKitty.psd1*, and the *lists* directory to this new directory. + +```powershell +PS C:\tmp> $Version = "0.9.0" +PS C:\tmp> New-Item -Path $Env:ProgramFiles\WindowsPowerShell\Modules\HardeningKitty\$Version -ItemType Directory +PS C:\tmp> Copy-Item -Path .\HardeningKitty.psd1,.\HardeningKitty.psm1,.\lists\ -Destination $Env:ProgramFiles\WindowsPowerShell\Modules\HardeningKitty\$Version\ -Recurse +``` + +For more information see Microsoft's article [Installing a PowerShell Module](https://docs.microsoft.com/en-us/powershell/scripting/developer/module/installing-a-powershell-module). 
+ ## Examples ### Audit -HardeningKitty performs an audit, saves the results in a CSV file and creates a log file. The files are automatically named and receive a timestamp. Using the parameters _ReportFile_ or _LogFile_, it is also possible to assign your own name and path. +HardeningKitty performs an audit, saves the results in a CSV file and creates a log file. The files are automatically named and receive a timestamp. Using the parameters _ReportFile_ or _LogFile_, it is also possible to assign your own name and path. + +The _Filter_ parameter can be used to filter the hardening list. For this purpose the PowerShell ScriptBlock syntax must be used, for example `{ $_.ID -eq 4505 }`. The following elements are useful for filtering: ID, Category, Name, Method, and Severity. ```powershell Invoke-HardeningKitty -Mode Audit -Log -Report @@ -74,10 +90,16 @@ HardeningKitty can be executed with a specific list defined by the parameter _Fi Invoke-HardeningKitty -FileFindingList .\lists\finding_list_0x6d69636b_user.csv -SkipMachineInformation ``` -HardeningKitty ready only the setting with the default list, and saves the results in a specific file +HardeningKitty uses the default list, and saves the results in a specific file. + +```powershell +Invoke-HardeningKitty -Mode Config -Report -ReportFile C:\tmp\my_hardeningkitty_report.csv +``` + +HardeningKitty uses the default list, and checks only tests with the severity Medium. ```powershell -Invoke-HardeningKitty -Mode Config -Report -ReportFile C:\tmp\my_hardeningkitty_report.log +Invoke-HardeningKitty -Filter { $_.Severity -eq "Medium" } ``` ### Backup 
@@ -176,11 +198,16 @@ HardeningKitty can be used to audit systems against the following baselines / be | Microsoft Security baseline for Microsoft Edge | 95 | Final | | Microsoft Security baseline for Microsoft Edge | 96 | Final | | Microsoft Security baseline for Microsoft Edge | 97 | Final | -| Microsoft Security baseline for Microsoft Edge | 98, 99, 100, 101, 102, 103, 104 | Final | +| Microsoft Security baseline for Microsoft Edge | 98, 99, 100, 101, 102, 103, 104, 105, 106 | Final | +| Microsoft Security baseline for Microsoft Edge | 107, 108 | Final | | Microsoft Security baseline for Windows 10 | 2004 | Final | | Microsoft Security baseline for Windows 10 | 20H2, 21H1 | Final | | Microsoft Security baseline for Windows 10 | 21H2 | Final | +| Microsoft Security baseline for Windows 10 (Machine) | 22H2 | Final | +| Microsoft Security baseline for Windows 10 (User) | 22H2 | Final | | Microsoft Security baseline for Windows 11 | 21H2 | Final | +| Microsoft Security baseline for Windows 11 (Machine) | 22H2 | Final | +| Microsoft Security baseline for Windows 11 (User) | 22H2 | Final | | Microsoft Security baseline for Windows Server (DC) | 2004 | Final | | Microsoft Security baseline for Windows Server (Member) | 2004 | Final | | Microsoft Security baseline for Windows Server (DC) | 20H2 | Final | diff --git a/lists/finding_list_0x6d69636b_machine.csv b/lists/finding_list_0x6d69636b_machine.csv index a77171f..1dd61da 100644 --- a/lists/finding_list_0x6d69636b_machine.csv +++ b/lists/finding_list_0x6d69636b_machine.csv 
@@ -12,7 +12,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 1205,"User Rights Assignment","Deny log on as a service",accesschk,SeDenyServiceLogonRight,,,,,,,BUILTIN\Guests,=,Medium 1206,"User Rights Assignment","Deny log on through Remote Desktop Services",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,"BUILTIN\Guests;NT AUTHORITY\Local account",=,Medium 1300,"Security Options","Accounts: Block Microsoft accounts",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,NoConnectedUser,,,,0,3,=,Low -1301,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +1301,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low 1302,"Security Options","Interactive logon: Do not require CTRL+ALT+DEL",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCAD,,,,1,0,=,Low 1303,"Security Options","Interactive logon: Don't display last signed-in",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DontDisplayLastUserName,,,,0,1,=,Low 1304,"Security Options","Interactive logon: Don't display username at sign-in",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DontDisplayUserName,,,,0,1,=,Low 
@@ -119,7 +119,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 1610,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs,PCI\CC_0C0A,,,,0,PCI\CC_0C0A,=,Medium 1611,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClasses,,,,0,1,=,Medium 1612,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClassesRetroactive,,,,0,1,=,Medium -1613,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium +1613,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium 1614,"Administrative Templates: System","Device Guard: Virtualization Based Security 
Status",CimInstance,,,,Win32_DeviceGuard,root\Microsoft\Windows\DeviceGuard,VirtualizationBasedSecurityStatus,"Not available",2,=,Medium 1615,"Administrative Templates: System","Device Guard: Available Security Properties: Secure Boot",CimInstance,,,,Win32_DeviceGuard,root\Microsoft\Windows\DeviceGuard,AvailableSecurityProperties,2,2,=,Medium 1616,"Administrative Templates: System","Device Guard: Available Security Properties: DMA protection",CimInstance,,,,Win32_DeviceGuard,root\Microsoft\Windows\DeviceGuard,AvailableSecurityProperties,3,3,=,Medium 
@@ -195,47 +195,67 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 1800,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium
 1801,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,>=,Medium
 1806,"Microsoft Defender Antivirus","Exclusions: Extension Exclusions (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions",Exclusions_Extensions,,,,,,=,Medium
-1807,"Microsoft Defender Antivirus","Exclusions: List Extension Exclusions",MpPreferenceExclusion,ExclusionExtension,,,,,,,,=,Medium
+1813,"Microsoft Defender Antivirus","Exclusions: Extension Exclusions (Intune)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager",ExcludedExtensions,,,,,,=,Medium
+1807,"Microsoft Defender Antivirus","Exclusions: Extension Exclusions",MpPreferenceExclusion,ExclusionExtension,,,,,,,,=,Medium
 1808,"Microsoft Defender Antivirus","Exclusions: Path Exclusions (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions",Exclusions_Paths,,,,,,=,Medium
-1809,"Microsoft Defender Antivirus","Exclusions: List Path Exclusions",MpPreferenceExclusion,ExclusionPath,,,,,,,,=,Medium
+1814,"Microsoft Defender Antivirus","Exclusions: Path Exclusions (Intune)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager",ExcludedPaths,,,,,,=,Medium
+1809,"Microsoft Defender Antivirus","Exclusions: Path Exclusions",MpPreferenceExclusion,ExclusionPath,,,,,,,,=,Medium
 1810,"Microsoft Defender Antivirus","Exclusions: Process Exclusions (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions",Exclusions_Processes,,,,,,=,Medium
-1811,"Microsoft Defender Antivirus","Exclusions: List Process Exclusions",MpPreferenceExclusion,ExclusionProcess,,,,,,,,=,Medium
+1815,"Microsoft Defender Antivirus","Exclusions: Process Exclusions (Intune)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager",ExcludedProcesses,,,,,,=,Medium
+1811,"Microsoft Defender Antivirus","Exclusions: Process Exclusions",MpPreferenceExclusion,ExclusionProcess,,,,,,,,=,Medium
 1812,"Microsoft Defender Antivirus","Enable sandboxing for Microsoft Defender Antivirus",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment",MP_FORCE_USE_SANDBOX,,,,0,1,=,Medium
 1900,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium
 1901,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium
 1916,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium
+1933,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Intune)",Registry,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium
 1902,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium
 1917,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium
+1934,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Intune)",Registry,d4f940ab-401b-4efc-aadc-ad5f3c50688a,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium
 1903,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium
 1918,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium
+1935,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Intune)",Registry,3b576869-a4ec-4529-8536-b80a7769e899,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium
 1904,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium
 1919,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium
+1936,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Intune)",Registry,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium
 1905,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium
 1920,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium
+1937,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Intune)",Registry,d3e037e1-3eb8-44c8-a917-57927947596d,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium
 1906,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium
 1921,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium
+1938,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Intune)",Registry,5beb7efe-fd9a-4556-801d-275e5ffc04cc,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium
 1907,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium
 1922,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium
+1939,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Intune)",Registry,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium
 1908,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",01443614-cd74-433a-b99e-2ecdc07bfc25,,,,0,1,=,Medium
 1923,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion",MpPreferenceAsr,01443614-cd74-433a-b99e-2ecdc07bfc25,,,,,,0,1,=,Medium
+1940,"Microsoft Defender Exploit Guard","ASR: Block executable files from running unless they meet a prevalence, age, or trusted list criterion (Intune)",Registry,01443614-cd74-433a-b99e-2ecdc07bfc25,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium
 1909,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",c1db55ab-c21a-4637-bb3f-a12568109d35,,,,0,1,=,Medium
 1924,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware",MpPreferenceAsr,c1db55ab-c21a-4637-bb3f-a12568109d35,,,,,,0,1,=,Medium
+1941,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware (Intune)",Registry,c1db55ab-c21a-4637-bb3f-a12568109d35,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium
 1910,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium
 1925,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium
+1942,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Intune)",Registry,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium
 1911,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d1e49aac-8f56-4280-b9ba-993a6d77406c,,,,0,1,=,Medium
 1926,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands",MpPreferenceAsr,d1e49aac-8f56-4280-b9ba-993a6d77406c,,,,,,0,1,=,Medium
+1943,"Microsoft Defender Exploit Guard","ASR: Block process creations originating from PSExec and WMI commands (Intune)",Registry,d1e49aac-8f56-4280-b9ba-993a6d77406c,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium
 1912,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium
 1927,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium
+1944,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Intune)",Registry,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium
 1913,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium
 1928,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium
+1945,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Intune)",Registry,26190899-1602-49e8-8b27-eb1d0a1ce869,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium
 1914,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium
 1929,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium
+1946,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Intune)",Registry,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium
 1915,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium
 1930,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription",MpPreferenceAsr,e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,,,0,1,=,Medium
+1947,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Intune)",Registry,e6db77e5-3df2-4cf1-b95a-636979351e5b,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium
 1931,"Microsoft Defender Exploit Guard","ASR: Block abuse of exploited vulnerable signed drivers (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",56a863a9-875e-4185-98a7-b882c64b5ce5,,,,0,1,=,Medium
 1932,"Microsoft Defender Exploit Guard","ASR: Block abuse of exploited vulnerable signed drivers",MpPreferenceAsr,56a863a9-875e-4185-98a7-b882c64b5ce5,,,,,,0,1,=,Medium
+1948,"Microsoft Defender Exploit Guard","ASR: Block abuse of exploited vulnerable signed drivers (Intune)",Registry,56a863a9-875e-4185-98a7-b882c64b5ce5,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASRRules,,,,0,1,=,Medium
 1966,"Microsoft Defender Exploit Guard","ASR: Exclude files and paths from Attack Surface Reduction Rules (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_ASROnlyExclusions,,,,,,=,Medium
-1967,"Microsoft Defender Exploit Guard","ASR: List of excluded files and paths from Attack Surface Reduction Rules",MpPreferenceExclusion,AttackSurfaceReductionOnlyExclusions,,,,,,,,=,Medium
+1967,"Microsoft Defender Exploit Guard","ASR: Exclude files and paths from Attack Surface Reduction Rules",MpPreferenceExclusion,AttackSurfaceReductionOnlyExclusions,,,,,,,,=,Medium
+1968,"Microsoft Defender Exploit Guard","ASR: Exclude files and paths from Attack Surface Reduction Rules (Intune)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Policy Manager",ASROnlyExclusions,,,,,,=,Medium
 1965,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium
 1980,"Microsoft Defender Application Guard","Support for Microsoft Defender Application Guard",WindowsOptionalFeature,Windows-Defender-ApplicationGuard,,,,,,Disabled,Enabled,=,Medium
 1981,"Microsoft Defender Application Guard","Turn on Microsoft Defender Application Guard in Managed Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowAppHVSI_ProviderSet,,,,,3,=,Medium
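Review bot: The new `(Intune)` ASR rows 1933–1948 all read the same value, `ASRRules` under `...\Windows Defender\Policy Manager`, and tell the rules apart only through the GUID placed in MethodArgument, a column that every other `Registry` row in this hunk leaves empty. Nothing in this hunk shows that the `Registry` method interprets that column; if it does not, each row would compare the whole `ASRRules` value with `1` and report the same result whatever the state of the individual rule, so this list should only ship together with the module change that parses it. Each ASR rule is now checked three times (Policy, MpPreference, Intune), and a host managed through one channel will presumably report the other channel's row as failed; a sentence in the list's documentation saying which rows apply to which management channel would keep audit results comparable.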
@@ -265,7 +285,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 1753,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,Medium
 1754,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium
 1755,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium
-1756,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
+1756,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
 1757,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium
 1758,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium
 1759,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium
@@ -282,9 +302,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2202,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium
 2203,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High
 2204,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium
-2205,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-2206,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-2207,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium
+2205,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium
+2206,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium
+2207,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium
 2208,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
 1802,"Microsoft Defender Antivirus","Cloud-delivered protection",MpPreference,MAPSReporting,,,,,,2,2,=,Medium
 1803,"Microsoft Defender Antivirus","Automatic sample submission",MpPreference,SubmitSamplesConsent,,,,,,1,2,=,Medium
diff --git a/lists/finding_list_bsi_sisyphus_windows_10_hd_machine.csv b/lists/finding_list_bsi_sisyphus_windows_10_hd_machine.csv
index 1fabd4f..36a9688 100644
--- a/lists/finding_list_bsi_sisyphus_windows_10_hd_machine.csv
+++ b/lists/finding_list_bsi_sisyphus_windows_10_hd_machine.csv
@@ -107,23 +107,23 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 130,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow COM port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCcm,,,,0,1,=,Medium
 132,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow LPT port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLPT,,,,0,1,=,Medium
 133,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow supported Plug and Play device redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisablePNPRedir,,,,0,1,=,Medium
-140,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,,900000,<=,Medium
-141,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium
+140,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,0,900000,<=,Medium
+141,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,0,60000,=,Medium
 144,"Administrative Templates: Windows Components","Remote Desktop Session Host: Allow users to connect remotely by using Remote Desktop Services",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDenyTSConnections,,,,0,1,=,Medium
-150,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium
+150,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,0,1,=,Medium
 151,"Administrative Templates: Windows Components","Store: Disable all apps from Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableStoreApps,,,,,1,=,Medium
 156,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium
 154,"Administrative Templates: Windows Components","Store: Only display the private store within the Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RequirePrivateStoreOnly,,,,,1,=,Medium
 155,"Administrative Templates: Windows Components","Store: Turn off the Store application",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RemoveWindowsStore,,,,,1,=,Medium
-166,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium
+166,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,0,=|0,Medium
 176,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow suggested apps in Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowSuggestedAppsInWindowsInkWorkspace,,,,1,0,=,Medium
 179,"Administrative Templates: Windows Components","Windows Installer: Prevent Internet Explorer security prompt for Windows Installer scripts",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,SafeForScripting,,,,1,0,=,Medium
 184,PowerShell,"Turn on Script Execution (Execution Policy)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell,ExecutionPolicy,,,,,AllSigned,=,Medium
 184,PowerShell,"Turn on Script Execution",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell,EnableScripts,,,,,1,=,Medium
 190,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium
-195,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
+195,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
 11,"MSS (Legacy)","MSS: (DisableSavePassword) Prevent the dial-up password from being saved",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters,DisableSavePassword,,,,,1,=,Medium
-13,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium
-15,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium
+13,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,7200000,300000,<=,Medium
+15,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,0,0,=,Medium
 18,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium
 19,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium
diff --git a/lists/finding_list_bsi_sisyphus_windows_10_nd_machine.csv b/lists/finding_list_bsi_sisyphus_windows_10_nd_machine.csv
index 8ca2aa0..c313b10 100644
--- a/lists/finding_list_bsi_sisyphus_windows_10_nd_machine.csv
+++ b/lists/finding_list_bsi_sisyphus_windows_10_nd_machine.csv
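Review bot: Row 140 (`MaxIdleTime`) now carries DefaultValue `0` while keeping the operator `<=` against 900000, and 0 satisfies that comparison even though for this session-limit setting 0 normally means that no idle limit is enforced. An explicitly configured 0 already passed before this change; if the tool substitutes DefaultValue when the registry value is absent (not visible in this hunk), an unconfigured host would now pass as well. Other rows on this page use `<=!0` for exactly this situation (223 and 229 in the nd list), so the row should end `MaxIdleTime,,,,0,900000,<=!0,Medium`.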
@@ -60,7 +60,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 222,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium
 223,"Security Options","Domain member: Maximum machine account password age",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,,,,30,30,<=!0,Medium
 224,"Security Options","Domain member: Require strong (Windows 2000 or later) session key",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,,,,1,1,=,Medium
-226,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium
+226,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,2,2,=,Medium
 227,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low
 227,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low
 229,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,<=!0,Medium
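Review bot: Row 226 (`AllocateDASD`) sets DefaultValue to `2`, the same as RecommendedValue, so if the tool falls back to DefaultValue when the value is absent (not visible in this hunk) an unconfigured host is reported as compliant. As far as I recall, the Windows description of this setting says that only Administrators may format and eject media when it is not defined, which would correspond to `0` rather than `2`; that should be confirmed against a clean install before the default is recorded. If the unset behaviour is indeed Administrators-only, the row should read `AllocateDASD,,,,0,2,=,Medium`.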
@@ -85,11 +85,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 247,"Security Options","Microsoft network server: Amount of idle time required before suspending session",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,AutoDisconnect,,,,15,15,<=,Medium
 248,"Security Options","Microsoft network server: Server SPN target name validation level",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,,1,>=,Medium
 249,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low
-252,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium
+252,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,<=,Medium
 253,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High
 254,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,3,=,Medium
 255,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium
-256,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium
+256,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,0,1,=,Medium
 257,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium
 258,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium
 259,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium
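Review bot: Row 252 compares `SupportedEncryptionTypes` with `<=` 2147483640, but the value is a bit mask, so an ordered comparison accepts weaker configurations: 4 (RC4 only) or 3 (both DES types) are numerically smaller and therefore pass. The newly added default 2147483644 differs from the recommendation only by the RC4 bit, which shows the field is meant to be read bitwise. An exact match, `SupportedEncryptionTypes,,,,2147483644,2147483640,=,Medium`, rejects those weaker values; it also rejects stricter AES-only masks, so if those should pass, the check needs a bitwise test on the DES and RC4 bits rather than `=`.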
@@ -106,7 +106,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 270,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog",=,Medium
 271,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion",=,Medium
 272,"Security Options","Network access: Do not allow storage of passwords and credentials for network authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium
-275,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium
+275,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,1,1,=,Medium
 276,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium
 320,"System Services","Computer Browser (Browser)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Browser,Start,,,,,4,=|0,Medium
 320,"System Services","Computer Browser (Browser) (Service Startup type) (!Check for false positive for service ""bowser""!)",service,Browser,,,,,,Manual,Disabled,=|0,Medium
@@ -172,7 +172,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 26,"Administrative Templates: Network","Network Connections: Prohibit installation and configuration of Network Bridge on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_AllowNetBridge_NLA,,,,0,0,=,Medium
 27,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium
 33,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,1,=,Medium
-34,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
+34,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium
 35,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
 39,"Administrative Templates: System","Logon: Turn off picture password sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockDomainPicturePassword,,,,0,1,=,Medium
 40,"Administrative Templates: System","Logon: Turn off app notifications on the lock screen",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DisableLockScreenAppNotifications,,,,0,1,=,Medium
@@ -183,7 +183,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 45,"Administrative Templates: System","Logon: Do not enumerate connected users on domain-joined computers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,DontEnumerateConnectedUsers,,,,0,1,=,Medium
 46,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium
 50,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium
-51,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+51,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium
 52,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,DCSettingIndex,,,,0,1,=,Medium
 53,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex,,,,0,1,=,Medium
 54,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (on battery)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,DCSettingIndex,,,,1,0,=,Medium
@@ -194,7 +194,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 59,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs,PCI\CC_0C0A,,,,0,PCI\CC_0C0A,=,Medium
 59,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDsRetroactive,,,,0,1,=,Medium
 60,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClasses,,,,0,1,=,Medium
-60,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
+60,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
 60,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 7ebefbc0-3200-11d2-b4c2-00a0C9697d07 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,,,,0,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,=,Medium
 60,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match c06ff265-ae09-48f0-812c-16753d7cba83 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,c06ff265-ae09-48f0-812c-16753d7cba83,,,,0,c06ff265-ae09-48f0-812c-16753d7cba83,=,Medium
 60,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 6bdd1fc1-810f-11d0-bec7-08002be2092f (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,6bdd1fc1-810f-11d0-bec7-08002be2092f,,,,0,6bdd1fc1-810f-11d0-bec7-08002be2092f,=,Medium
@@ -219,14 +219,14 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 100,"Administrative Templates: Control Panel","Regional and Language Options: Handwriting personalization: Turn off automatic learning (RestrictImplicitInkCollection)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,RestrictImplicitInkCollection,,,,,1,=,Medium
 100,"Administrative Templates: Control Panel","Regional and Language Options: Handwriting personalization: Turn off automatic learning (RestrictImplicitTextCollection)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,RestrictImplicitTextCollection,,,,,1,=,Medium
 101,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium
-105,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium
+105,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium
 106,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium
 107,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium
 109,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium
 113,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium
-115,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium
-116,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium
-117,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium
+115,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,0,0,=,Medium
+116,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,0,0,=,Medium
+117,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,0,0,=,Medium
 118,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium
 119,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium
 120,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium
@@ -235,18 +235,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 127,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium
 131,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium
 134,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium
-135,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium
+135,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,0,1,=,Medium
 136,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium
 137,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium
 138,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium
 139,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: End session when time limits are reached",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fResetBroken,,,,,1,=,Medium
-142,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,1,=,Medium
-143,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium
+142,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,1,1,=,Medium
+143,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,1,1,=,Medium
 145,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium
 146,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium
 147,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium
 148,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium
-149,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
+149,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium
 152,"Administrative Templates: Windows Components","Store: Turn off Automatic Download and Install of updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,AutoDownload,,,,,4,=,Medium
 153,"Administrative Templates: Windows Components","Store: Turn off the offer to update to the latest version of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableOSUpgrade,,,,,1,=,Medium
 157,"Administrative Templates: Windows Components","Search: Allow search and Cortana to use location",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowSearchToUseLocation,,,,1,0,=,Medium
@@ -256,11 +256,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 161,"Administrative Templates: Windows Components","Connect: Require pin for pairing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect,RequirePinForPairing,,,,0,1,>=,Medium
 162,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium
 163,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium
-164,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium
+164,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,0,1,=,Medium
 165,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium
 167,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium
-168,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium
-169,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium
+168,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,1,0,=,Medium
+169,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium
 170,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium
 171,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium
 172,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium
@@ -294,10 +294,10 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 180,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium
 183,PowerShell,"Turn on Script Execution (Execution Policy)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell,ExecutionPolicy,,,,,RemoteSigned,=,Medium
 183,PowerShell,"Turn on Script Execution",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell,EnableScripts,,,,,1,=,Medium
-185,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium
+185,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,0,0,>=,Medium
 185,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Configure automatic updating",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,AUOptions,,,,,4,=,Medium
 186,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium
-187,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium
+187,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,0,0,>=,Medium
 188,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium
 189,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium
 191,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,Medium
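Review bot: The new ID 185 row keeps `>=` against a recommended value of 0, which no non-negative registry value can fail if the operator is a numeric comparison. A machine with `NoAutoUpdate` set to 1, where automatic updates are switched off, would then still be reported as compliant, and the added default of 0 does not change that. The row reads more safely as an exact match, `...,NoAutoUpdate,,,,0,0,=,Medium`. ID 187 (`NoAutoRebootWithLoggedOnUsers`) has the same `0,0,>=` shape in this hunk and is worth the same look.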
@@ -309,17 +309,17 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 198,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium
 199,"Administrative Templates: Windows Components","Windows Game Recording and Broadcasting: Enables or disables Windows Game Recording and Broadcasting",Registry,,HKLM:\Software\Policies\Microsoft\Windows\GameDVR,AllowGameDVR,,,,1,0,=,Medium
 1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium
-2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
-3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
-4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium
+2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium
+3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium
+4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium
 5,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High
 21,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium
 6,"MS Security Guide","LSA Protection",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,RunAsPPL,,,,,1,=,Medium
 7,"MSS (Legacy)","MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableDeadGWDetect,,,,,0,=,Medium
 8,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium
-9,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-10,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-12,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium
+9,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium
+10,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium
+12,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium
 14,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
 16,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium
 17,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium
diff --git a/lists/finding_list_bsi_sisyphus_windows_10_ne_machine.csv b/lists/finding_list_bsi_sisyphus_windows_10_ne_machine.csv
index bfa394d..1a651a3 100644
--- a/lists/finding_list_bsi_sisyphus_windows_10_ne_machine.csv
+++ b/lists/finding_list_bsi_sisyphus_windows_10_ne_machine.csv
@@ -50,7 +50,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 216,"Security Options","User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableUIADesktopToggle,,,,,0,=,Medium
 217,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium
 218,"Security Options","User Account Control: Behavior of the elevation prompt for standard users",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorUser,,,,0,1,=,Medium
-226,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium
+226,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,2,2,=,Medium
 227,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low
 227,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low
 229,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,<=!0,Medium
@@ -71,11 +71,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 245,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium 246,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium 247,"Security Options","Microsoft network server: Amount of idle time required before suspending session",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,AutoDisconnect,,,,15,15,<=,Medium -252,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +252,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,<=,Medium 253,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High 254,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,3,=,Medium 255,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium -256,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +256,"Security Options","Network security: Allow 
Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,0,1,=,Medium 257,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium 258,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium 259,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium 
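Review bot: Row 252 compares `SupportedEncryptionTypes` with `<=` against `2147483640`, but the value is a bit mask, so a numeric comparison also accepts masks that contain only weak types. For example, `4` (RC4_HMAC_MD5 alone) and `3` (both DES types) are smaller than the recommended value and would pass. The new default `2147483644` correctly makes an unconfigured host fail, since it includes the RC4 bit, but a configured weak value is not caught. Assuming the module evaluates `<=` numerically, I would pin the mask with `...,SupportedEncryptionTypes,,,,2147483644,2147483640,=,Medium`, and state in the `Name` column if AES-only masks such as `24` are also meant to be accepted. Row 2.3.11.4 in the CIS 1809 list carries the same operator.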
@@ -92,7 +92,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 270,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers;System\CurrentControlSet\Services\Eventlog;Software\Microsoft\OLAP Server;Software\Microsoft\Windows NT\CurrentVersion\Print;Software\Microsoft\Windows NT\CurrentVersion\Windows;System\CurrentControlSet\Control\ContentIndex;System\CurrentControlSet\Control\Terminal Server;System\CurrentControlSet\Control\Terminal Server\UserConfig;System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration;Software\Microsoft\Windows NT\CurrentVersion\Perflib;System\CurrentControlSet\Services\SysmonLog",=,Medium 271,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions;System\CurrentControlSet\Control\Server Applications;Software\Microsoft\Windows NT\CurrentVersion",=,Medium 272,"Security Options","Network access: Do not allow storage of passwords and credentials for network 
authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium -275,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium +275,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,1,1,=,Medium 276,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium 320,"System Services","Computer Browser (Browser)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Browser,Start,,,,,4,=|0,Medium 320,"System Services","Computer Browser (Browser) (Service Startup type) (!Check for false positive for service ""bowser""!)",service,Browser,,,,,,Manual,Disabled,=|0,Medium 
@@ -149,7 +149,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 20,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium 22,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium 33,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,1,=,Medium -34,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium +34,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium 35,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium 39,"Administrative Templates: System","Logon: Turn off picture password sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockDomainPicturePassword,,,,0,1,=,Medium 40,"Administrative Templates: System","Logon: Turn off app notifications on the lock screen",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DisableLockScreenAppNotifications,,,,0,1,=,Medium 
@@ -167,7 +167,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 59,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs,PCI\CC_0C0A,,,,0,PCI\CC_0C0A,=,Medium 59,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDsRetroactive,,,,0,1,=,Medium 60,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClasses,,,,0,1,=,Medium -60,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium +60,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium 60,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 7ebefbc0-3200-11d2-b4c2-00a0C9697d07 (SBP-2 
drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,,,,0,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,=,Medium 60,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match c06ff265-ae09-48f0-812c-16753d7cba83 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,c06ff265-ae09-48f0-812c-16753d7cba83,,,,0,c06ff265-ae09-48f0-812c-16753d7cba83,=,Medium 60,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 6bdd1fc1-810f-11d0-bec7-08002be2092f (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,6bdd1fc1-810f-11d0-bec7-08002be2092f,,,,0,6bdd1fc1-810f-11d0-bec7-08002be2092f,=,Medium 
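Review bot: The three rows after the corrected one still carry the label "(SBP-2 drive)", although their GUIDs are different device setup classes. `7ebefbc0-3200-11d2-b4c2-00a0C9697d07` is 61883, `c06ff265-ae09-48f0-812c-16753d7cba83` is AVC and `6bdd1fc1-810f-11d0-bec7-08002be2092f` is IEEE 1394; only `d48179be-ec20-11d1-b6b8-00c04fa372a7` is SBP2. An audit report built from these names reads as if the same class were checked four times, and it hides which bus class is actually missing from the deny list. I would rename them, for example `... that match 6bdd1fc1-810f-11d0-bec7-08002be2092f (IEEE 1394)`.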
@@ -192,9 +192,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 107,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium 109,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium 113,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium -115,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium -116,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium -117,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium +115,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,0,0,=,Medium +116,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,0,0,=,Medium +117,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on 
corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,0,0,=,Medium 118,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium 119,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium 120,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Diagnostic Data",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium 
@@ -203,18 +203,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 127,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium 131,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium 134,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium -135,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +135,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,0,1,=,Medium 136,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium 137,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium 138,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for 
remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium 139,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: End session when time limits are reached",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fResetBroken,,,,,1,=,Medium -142,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,1,=,Medium -143,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium +142,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,1,1,=,Medium +143,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,1,1,=,Medium 145,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium 146,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium 147,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off 
Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium 148,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium -149,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +149,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium 152,"Administrative Templates: Windows Components","Store: Turn off Automatic Download and Install of updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,AutoDownload,,,,,4,=,Medium 153,"Administrative Templates: Windows Components","Store: Turn off the offer to update to the latest version of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableOSUpgrade,,,,,1,=,Medium 157,"Administrative Templates: Windows Components","Search: Allow search and Cortana to use location",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowSearchToUseLocation,,,,1,0,=,Medium 
@@ -224,11 +224,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 161,"Administrative Templates: Windows Components","Connect: Require pin for pairing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect,RequirePinForPairing,,,,0,1,>=,Medium 162,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium 163,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium -164,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium +164,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,0,1,=,Medium 165,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium 167,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium -168,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium -169,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium +168,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,1,0,=,Medium 
+169,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium 170,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium 171,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 172,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium 
@@ -262,10 +262,10 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 180,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium 183,PowerShell,"Turn on Script Execution (Execution Policy)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell,ExecutionPolicy,,,,,RemoteSigned,=,Medium 183,PowerShell,"Turn on Script Execution",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell,EnableScripts,,,,,1,=,Medium -185,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +185,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,0,0,>=,Medium 185,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Configure automatic updating",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,AUOptions,,,,,4,=,Medium 186,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -187,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +187,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates 
installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,0,0,>=,Medium 188,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium 189,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium 191,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,Medium 
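Review bot: Rows 185 (`NoAutoUpdate`) and 187 (`NoAutoRebootWithLoggedOnUsers`) keep the operator `>=` with a recommended value of `0`, so every non-negative value satisfies the check, and filling in `DefaultValue` `0` does not change the outcome. For `NoAutoUpdate` this means a host with automatic updates switched off (`1`) is still reported as passing. If `>=` means "result is at least the recommended value", as the other rows suggest, these should be equality checks: `...,NoAutoUpdate,,,,0,0,=,Medium` and `...,NoAutoRebootWithLoggedOnUsers,,,,0,0,=,Medium`. Context row 186 (`ScheduledInstallDay`, `0`, `>=`) has the same shape.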
@@ -277,17 +277,17 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 198,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium 199,"Administrative Templates: Windows Components","Windows Game Recording and Broadcasting: Enables or disables Windows Game Recording and Broadcasting",Registry,,HKLM:\Software\Policies\Microsoft\Windows\GameDVR,AllowGameDVR,,,,1,0,=,Medium 1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium -2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium -3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium -4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium +4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium 5,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High 21,"MS Security Guide","NetBT 
NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium 6,"MS Security Guide","LSA Protection",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,RunAsPPL,,,,,1,=,Medium 7,"MSS (Legacy)","MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableDeadGWDetect,,,,,0,=,Medium 8,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium -9,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -10,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -12,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium +9,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium +10,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium +12,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium 14,"MSS (Legacy)","MSS: 
(NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium 16,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium 17,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_1809_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_1809_machine.csv index d340115..b6f0378 100644 --- a/lists/finding_list_cis_microsoft_windows_10_enterprise_1809_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_1809_machine.csv 
@@ -55,9 +55,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium 2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low 2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low -2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low 2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low -2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,2,2,=,Medium 2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium 2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium 2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data 
(when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium 
@@ -95,10 +95,10 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium
 2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium
 2.3.10.12,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium
-2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium
+2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,0,1,=,Medium
 2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium
 2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium
-2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium
+2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,<=,Medium
 2.3.11.5,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High
 2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low
 2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium
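Review bot: Row 2.3.11.4 compares `SupportedEncryptionTypes` against 2147483640 with the `<=` operator, but the value is a bit mask of allowed Kerberos encryption types, not a magnitude. If `<=` is evaluated numerically, a host explicitly configured with only the low bits (the DES and RC4 types, values 1 to 7) satisfies the check although it allows exactly the types the recommended mask leaves out. The new default 2147483644 does fail as intended, so the gap concerns configured weak values only. An exact match, ending `SupportedEncryptionTypes,,,,2147483644,2147483640,=,Medium`, would close it, at the cost of rejecting stricter AES-only masks such as 24; that trade-off deserves a sentence in the list's documentation either way.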
@@ -106,7 +106,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium
 2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium
 2.3.14.1,"Security Options","System cryptography: Force strong key protection for user keys stored on the computer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography,ForceKeyProtection,,,,,1,>=,Medium
-2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium
+2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,1,1,=,Medium
 2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium
 2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium
 2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium
@@ -232,7 +232,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 9.3.10,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
 17.1.1,"Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low
 17.2.1,"Advanced Audit Policy Configuration","Application Group Management",auditpol,{0CCE9239-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low
-17.2.2,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low
+17.2.2,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low
 17.2.3,"Advanced Audit Policy Configuration","Security Group Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low
 17.2.4,"Advanced Audit Policy Configuration","User Account Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low
 17.3.1,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,{0cce9248-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low
@@ -263,24 +263,24 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium
 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium
 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium
-18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium
-18.2.3,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium
-18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium
-18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium
-18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium
+18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,0,1,=,Medium
+18.2.3,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium
+18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,4,4,=,Medium
+18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,14,15,>=,Medium
+18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordAgeDays,,,,30,30,<=,Medium
 18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium
-18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
-18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
-18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium
+18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium
+18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium
+18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium
 18.3.5,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High
 18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium
-18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
+18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium
+18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium
 18.4.4,"MSS (Legacy)","MSS: (DisableSavePassword) Prevent the dial-up password from being saved",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters,DisableSavePassword,,,,,1,=,Medium
-18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium
-18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium
+18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium
+18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,7200000,300000,<=,Medium
 18.4.7,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
-18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium
+18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,0,0,=,Medium
 18.4.9,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium
 18.4.10,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium
 18.4.11,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium
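Review bot: Rows 18.3.1 (`LocalAccountTokenFilterPolicy`) and 18.4.4 (`DisableSavePassword`) sit between the lines this hunk fills in and still have an empty default value. If the module substitutes the default when a registry value is missing, these two rows compare an empty string with `0` and `1` and so behave differently from their neighbours; for 18.3.1 that probably reports a failure on a host where the value is simply absent. Either give them a default in this change as well, or record why they stay blank. Separately, 18.2.6 changes the registry item from `PasswordLength` to `PasswordAgeDays`, which is a functional fix to the password-age check rather than a default-value fill and is worth calling out in the commit message.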
@@ -312,12 +312,12 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium
 18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium
 18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium
-18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
+18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium
 18.5.23.2.1,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
 18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium
 18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium
 18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium
-18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium
 18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
 18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium
 18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
@@ -328,7 +328,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.8.7.1.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs,PCI\CC_0C0A,,,,0,PCI\CC_0C0A,=,Medium
 18.8.7.1.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDsRetroactive,,,,0,1,=,Medium
 18.8.7.1.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClasses,,,,0,1,=,Medium
-18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
+18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
 18.8.7.1.5.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 7ebefbc0-3200-11d2-b4c2-00a0C9697d07 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,,,,0,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,=,Medium
 18.8.7.1.5.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match c06ff265-ae09-48f0-812c-16753d7cba83 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,c06ff265-ae09-48f0-812c-16753d7cba83,,,,0,c06ff265-ae09-48f0-812c-16753d7cba83,=,Medium
 18.8.7.1.5.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 6bdd1fc1-810f-11d0-bec7-08002be2092f (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,6bdd1fc1-810f-11d0-bec7-08002be2092f,,,,0,6bdd1fc1-810f-11d0-bec7-08002be2092f,=,Medium
@@ -382,7 +382,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.8.50.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium
 18.8.50.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium
 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium
-18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium
+18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium
 18.9.6.2,"Administrative Templates: Windows Components","App runtime: Block launching Universal Windows apps with Windows Runtime API access from hosted content",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,BlockHostedAppAccessWinRT,,,,0,1,=,Medium
 18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium
 18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium
@@ -453,17 +453,17 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium
 18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium
 18.9.17.1,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium
-18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium
+18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,0,0,=,Medium
 18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium
-18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium
+18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,0,0,=,Medium
 18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium
-18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium
+18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,0,0,=,Medium
 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium
-18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium
+18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,0,0,=,Medium
 18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium
-18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium
-18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium
-18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium
+18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,0,0,=,Medium
+18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,0,0,=,Medium
+18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,0,0,=,Medium
 18.9.35.1,"Administrative Templates: Windows Components","HomeGroup: Prevent the computer from joining a homegroup",Registry,,HKLM:\Software\Policies\Microsoft\Windows\HomeGroup,DisableHomeGroup,,,,0,1,=,Medium
 18.9.39.2,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium
 18.9.43.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium
@@ -491,30 +491,30 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.59.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium 18.9.59.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium 18.9.59.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium -18.9.59.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +18.9.59.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,0,1,=,Medium 18.9.59.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium -18.9.59.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal 
Services",MaxIdleTime,,,,,900000,<=,Medium -18.9.59.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium -18.9.59.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium -18.9.59.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,1,=,Medium -18.9.60.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +18.9.59.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,0,900000,<=,Medium +18.9.59.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,0,60000,=,Medium +18.9.59.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,1,1,=,Medium +18.9.59.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not 
use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,1,1,=,Medium +18.9.60.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium 18.9.61.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium 18.9.61.3,"Administrative Templates: Windows Components","Search: Allow Cortana",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortana,,,,1,0,=,Medium 18.9.61.4,"Administrative Templates: Windows Components","Search: Allow Cortana above lock screen",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortanaAboveLock,,,,1,0,=,Medium 18.9.61.5,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium 18.9.61.6,"Administrative Templates: Windows Components","Search: Allow search and Cortana to use location",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowSearchToUseLocation,,,,1,0,=,Medium -18.9.66.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium +18.9.66.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,0,1,=,Medium 18.9.69.1,"Administrative Templates: Windows Components","Store: Disable all apps from Microsoft 
Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableStoreApps,,,,,1,=,Medium 18.9.69.2,"Administrative Templates: Windows Components","Store: Only display the private store within the Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RequirePrivateStoreOnly,,,,,1,=,Medium 18.9.69.3,"Administrative Templates: Windows Components","Store: Turn off Automatic Download and Install of updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,AutoDownload,,,,,4,=,Medium 18.9.69.4,"Administrative Templates: Windows Components","Store: Turn off the offer to update to the latest version of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableOSUpgrade,,,,,1,=,Medium 18.9.69.5,"Administrative Templates: Windows Components","Store: Turn off the Store application",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RemoveWindowsStore,,,,,1,=,Medium 18.9.77.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium -18.9.77.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium +18.9.77.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,0,=|0,Medium 18.9.77.7.1,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium -18.9.77.9.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium -18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable 
drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium -18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium +18.9.77.9.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,0,1,=,Medium +18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium +18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,1,0,=,Medium 18.9.77.13.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 18.9.77.13.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium 18.9.77.13.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 
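Review bot: Row 18.9.59.3.10.1 (`MaxIdleTime`) now records a default of `0` but keeps the `<=` operator, so the "never time out" value satisfies the check because 0 is less than 900000. If the engine falls back to DefaultValue when the registry value is absent (that code is not part of this hunk), a host with no idle limit configured would be reported as compliant. An operator that excludes zero fits this row better, for example `MaxIdleTime,,,,0,900000,<=!0,Medium`, provided this release of the module supports `<=!0`. Rows 18.9.69.1 to 18.9.69.5 and 18.9.77.3.1 in the same hunk still carry an empty DefaultValue, so the list remains inconsistent after this change.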
@@ -566,7 +566,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.97.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium 18.9.97.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium 18.9.97.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium -18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium +18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium 18.9.97.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium 18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium 18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium 
@@ -578,7 +578,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium 18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium 18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium -18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,0,0,>=,Medium 18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates 
installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,0,0,>=,Medium 18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_1903_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_1903_machine.csv index c414e08..299da7c 100644 --- a/lists/finding_list_cis_microsoft_windows_10_enterprise_1903_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_1903_machine.csv 
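Review bot: Rows 18.9.102.2 (`NoAutoUpdate`) and 18.9.102.4 (`NoAutoRebootWithLoggedOnUsers`) keep the `>=` operator against a recommended value of `0`, so every non-negative value passes, including `NoAutoUpdate = 1`, which switches automatic updates off. With the default now recorded as 0, an exact match states the intent and removes the false pass: `NoAutoUpdate,,,,0,0,=,Medium` and `NoAutoRebootWithLoggedOnUsers,,,,0,0,=,Medium`. The context row 18.9.102.3 (`ScheduledInstallDay`) uses the same `>=` against 0 and is worth checking at the same time.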
@@ -55,9 +55,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium 2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low 2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low -2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low 2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low -2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,2,2,=,Medium 2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium 2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium 2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data 
(when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium 
@@ -95,10 +95,10 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium 2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium 2.3.10.12,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium -2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,0,1,=,Medium 2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium 2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium -2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,<=,Medium 2.3.11.5,"Security Options","Network security: Do not store LAN 
Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High 2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low 2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium 
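Review bot: Row 2.3.11.4 compares `SupportedEncryptionTypes` with `<=`, but the value is a bit mask, so a numeric comparison accepts weak selections: `4` (RC4 only) and `3` (DES only) are both below 2147483640 and would be reported as passed. The new default 2147483644 differs from the recommended value only by the RC4 bit, which confirms the field is a set of flags, not a magnitude. An exact match avoids the false pass: `SupportedEncryptionTypes,,,,2147483644,2147483640,=,Medium`. If AES-only masks without the future-types bits should also pass, that needs a list of accepted values instead of a range.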
@@ -106,7 +106,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium 2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium 2.3.14.1,"Security Options","System cryptography: Force strong key protection for user keys stored on the computer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography,ForceKeyProtection,,,,,1,>=,Medium -2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium +2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,1,1,=,Medium 2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium 2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium 2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium 
@@ -262,25 +262,25 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium -18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium -18.2.3,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium -18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium -18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium -18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium +18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,0,1,=,Medium +18.2.3,"Administrative Templates: LAPS","Enable local admin password 
management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium +18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,4,4,=,Medium +18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,14,15,>=,Medium +18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordAgeDays,,,,30,30,<=,Medium 18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium -18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium -18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium -18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium +18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium 18.3.5,"MS Security Guide","NetBT NodeType 
configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium 18.3.6,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High 18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium -18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium +18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium +18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium 18.4.4,"MSS (Legacy)","MSS: (DisableSavePassword) Prevent the dial-up password from being saved",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters,DisableSavePassword,,,,,1,=,Medium -18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium -18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium 
+18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium +18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,7200000,300000,<=,Medium 18.4.7,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium -18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium +18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,0,0,=,Medium 18.4.9,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium 18.4.10,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium 18.4.11,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium 
@@ -311,12 +311,12 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium 18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium 18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium -18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium +18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium 18.5.23.2.1,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium 18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium 18.8.3.1,"Administrative Templates: System","Audit Process Creation: 
Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium 18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium -18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium 18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium 18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium 18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium 
@@ -327,7 +327,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.8.7.1.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs,PCI\CC_0C0A,,,,0,PCI\CC_0C0A,=,Medium 18.8.7.1.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDsRetroactive,,,,0,1,=,Medium 18.8.7.1.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClasses,,,,0,1,=,Medium -18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium +18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium 18.8.7.1.5.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 
7ebefbc0-3200-11d2-b4c2-00a0C9697d07 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,,,,0,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,=,Medium 18.8.7.1.5.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match c06ff265-ae09-48f0-812c-16753d7cba83 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,c06ff265-ae09-48f0-812c-16753d7cba83,,,,0,c06ff265-ae09-48f0-812c-16753d7cba83,=,Medium 18.8.7.1.5.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 6bdd1fc1-810f-11d0-bec7-08002be2092f (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,6bdd1fc1-810f-11d0-bec7-08002be2092f,,,,0,6bdd1fc1-810f-11d0-bec7-08002be2092f,=,Medium 
@@ -382,7 +382,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium 18.9.5.1,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium -18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium +18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium 18.9.6.2,"Administrative Templates: Windows Components","App runtime: Block launching Universal Windows apps with Windows Runtime API access from hosted content",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,BlockHostedAppAccessWinRT,,,,0,1,=,Medium 18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium 18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium 
@@ -455,17 +455,17 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium 18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium 18.9.17.1,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium -18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium +18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,0,0,=,Medium 18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium +18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum 
size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,0,0,=,Medium 18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium +18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,0,0,=,Medium 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium -18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium +18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,0,0,=,Medium 18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium -18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for 
Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium -18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium -18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium +18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,0,0,=,Medium +18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,0,0,=,Medium +18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,0,0,=,Medium 18.9.35.1,"Administrative Templates: Windows Components","HomeGroup: Prevent the computer from joining a homegroup",Registry,,HKLM:\Software\Policies\Microsoft\Windows\HomeGroup,DisableHomeGroup,,,,0,1,=,Medium 18.9.39.2,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium 18.9.43.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium 
@@ -493,30 +493,30 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.59.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium 18.9.59.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium 18.9.59.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium -18.9.59.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +18.9.59.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,0,1,=,Medium 18.9.59.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium -18.9.59.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal 
Services",MaxIdleTime,,,,,900000,<=,Medium -18.9.59.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium -18.9.59.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium -18.9.59.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,1,=,Medium -18.9.60.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +18.9.59.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,0,900000,<=,Medium +18.9.59.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,0,60000,=,Medium +18.9.59.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,1,1,=,Medium +18.9.59.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not 
use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,1,1,=,Medium +18.9.60.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium 18.9.61.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium 18.9.61.3,"Administrative Templates: Windows Components","Search: Allow Cortana",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortana,,,,1,0,=,Medium 18.9.61.4,"Administrative Templates: Windows Components","Search: Allow Cortana above lock screen",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortanaAboveLock,,,,1,0,=,Medium 18.9.61.5,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium 18.9.61.6,"Administrative Templates: Windows Components","Search: Allow search and Cortana to use location",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowSearchToUseLocation,,,,1,0,=,Medium -18.9.66.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium +18.9.66.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,0,1,=,Medium 18.9.69.1,"Administrative Templates: Windows Components","Store: Disable all apps from Microsoft 
Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableStoreApps,,,,,1,=,Medium 18.9.69.2,"Administrative Templates: Windows Components","Store: Only display the private store within the Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RequirePrivateStoreOnly,,,,,1,=,Medium 18.9.69.3,"Administrative Templates: Windows Components","Store: Turn off Automatic Download and Install of updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,AutoDownload,,,,,4,=,Medium 18.9.69.4,"Administrative Templates: Windows Components","Store: Turn off the offer to update to the latest version of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableOSUpgrade,,,,,1,=,Medium 18.9.69.5,"Administrative Templates: Windows Components","Store: Turn off the Store application",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RemoveWindowsStore,,,,,1,=,Medium 18.9.77.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium -18.9.77.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium +18.9.77.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,0,=|0,Medium 18.9.77.7.1,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium -18.9.77.9.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium -18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable 
drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium -18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium +18.9.77.9.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,0,1,=,Medium +18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium +18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,1,0,=,Medium 18.9.77.13.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 18.9.77.13.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium 18.9.77.13.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 
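Review bot: The new default of `0` on row 18.9.59.3.10.1 (`MaxIdleTime`) interacts badly with that row's `<=` operator: 0 means no idle limit at all, yet `0 <= 900000` holds. If the default is what gets compared when the registry value is absent, a host where this policy was never configured would be reported as compliant; an explicitly configured 0 passes as well. The evaluation code is not part of this diff, so both points are assumptions to confirm. If this version of the module supports a "less or equal, but not zero" operator, the row should use it, e.g. `MaxIdleTime,,,,0,900000,<=!0,Medium`.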
@@ -568,7 +568,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.97.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium
 18.9.97.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium
 18.9.97.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium
-18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
+18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
 18.9.97.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium
 18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium
 18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium
@@ -580,7 +580,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium 18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium 18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium -18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,0,0,>=,Medium 18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates 
installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,0,0,>=,Medium 18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_1909_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_1909_machine.csv index c414e08..299da7c 100644 --- a/lists/finding_list_cis_microsoft_windows_10_enterprise_1909_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_1909_machine.csv 
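Review bot: Rows 18.9.102.2 (`NoAutoUpdate`) and 18.9.102.4 (`NoAutoRebootWithLoggedOnUsers`) keep the `>=` operator against a recommended value of 0, a test no non-negative DWORD can fail. A host with `NoAutoUpdate` set to 1, i.e. automatic updates turned off, would therefore still pass the check. With the default now filled in as 0, the operator is the remaining gap; an exact match fits both rows: `NoAutoUpdate,,,,0,0,=,Medium` and `NoAutoRebootWithLoggedOnUsers,,,,0,0,=,Medium`. This assumes the operator is applied as a numeric comparison, which the diff does not show.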
@@ -55,9 +55,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium 2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low 2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low -2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low 2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low -2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,2,2,=,Medium 2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium 2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium 2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data 
(when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium 
@@ -95,10 +95,10 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium 2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium 2.3.10.12,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium -2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,0,1,=,Medium 2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium 2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium -2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,<=,Medium 2.3.11.5,"Security Options","Network security: Do not store LAN 
Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High 2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low 2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium 
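Review bot: Row 2.3.11.4 (`SupportedEncryptionTypes`) holds a bit mask but is still checked with `<=` against 2147483640. Numerically smaller masks that enable only DES or RC4 (a value of 4, for example) would pass, while the new default 2147483644 fails only because it happens to be larger. Assuming the operator is a plain numeric comparison (the evaluation code is not part of this diff), an exact match is the safer check: `SupportedEncryptionTypes,,,,2147483644,2147483640,=,Medium`.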
@@ -106,7 +106,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium
 2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium
 2.3.14.1,"Security Options","System cryptography: Force strong key protection for user keys stored on the computer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography,ForceKeyProtection,,,,,1,>=,Medium
-2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium
+2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,1,1,=,Medium
 2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium
 2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium
 2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium
@@ -262,25 +262,25 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium -18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium -18.2.3,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium -18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium -18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium -18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium +18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,0,1,=,Medium +18.2.3,"Administrative Templates: LAPS","Enable local admin password 
management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium +18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,4,4,=,Medium +18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,14,15,>=,Medium +18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordAgeDays,,,,30,30,<=,Medium 18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium -18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium -18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium -18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium +18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium 18.3.5,"MS Security Guide","NetBT NodeType 
configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium 18.3.6,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High 18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium -18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium +18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium +18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium 18.4.4,"MSS (Legacy)","MSS: (DisableSavePassword) Prevent the dial-up password from being saved",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters,DisableSavePassword,,,,,1,=,Medium -18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium -18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium 
+18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium +18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,7200000,300000,<=,Medium 18.4.7,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium -18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium +18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,0,0,=,Medium 18.4.9,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium 18.4.10,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium 18.4.11,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium 
@@ -311,12 +311,12 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium 18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium 18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium -18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium +18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium 18.5.23.2.1,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium 18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium 18.8.3.1,"Administrative Templates: System","Audit Process Creation: 
Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium 18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium -18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium 18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium 18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium 18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium 
@@ -327,7 +327,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.8.7.1.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs,PCI\CC_0C0A,,,,0,PCI\CC_0C0A,=,Medium 18.8.7.1.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDsRetroactive,,,,0,1,=,Medium 18.8.7.1.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClasses,,,,0,1,=,Medium -18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium +18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium 18.8.7.1.5.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 
7ebefbc0-3200-11d2-b4c2-00a0C9697d07 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,,,,0,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,=,Medium 18.8.7.1.5.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match c06ff265-ae09-48f0-812c-16753d7cba83 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,c06ff265-ae09-48f0-812c-16753d7cba83,,,,0,c06ff265-ae09-48f0-812c-16753d7cba83,=,Medium 18.8.7.1.5.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 6bdd1fc1-810f-11d0-bec7-08002be2092f (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,6bdd1fc1-810f-11d0-bec7-08002be2092f,,,,0,6bdd1fc1-810f-11d0-bec7-08002be2092f,=,Medium 
@@ -382,7 +382,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium
 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium
 18.9.5.1,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium
-18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium
+18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium
 18.9.6.2,"Administrative Templates: Windows Components","App runtime: Block launching Universal Windows apps with Windows Runtime API access from hosted content",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,BlockHostedAppAccessWinRT,,,,0,1,=,Medium
 18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium
 18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium
@@ -455,17 +455,17 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium 18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium 18.9.17.1,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium -18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium +18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,0,0,=,Medium 18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium +18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum 
size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,0,0,=,Medium 18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium +18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,0,0,=,Medium 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium -18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium +18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,0,0,=,Medium 18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium -18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for 
Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium -18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium -18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium +18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,0,0,=,Medium +18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,0,0,=,Medium +18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,0,0,=,Medium 18.9.35.1,"Administrative Templates: Windows Components","HomeGroup: Prevent the computer from joining a homegroup",Registry,,HKLM:\Software\Policies\Microsoft\Windows\HomeGroup,DisableHomeGroup,,,,0,1,=,Medium 18.9.39.2,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium 18.9.43.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium 
@@ -493,30 +493,30 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.59.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium 18.9.59.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium 18.9.59.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium -18.9.59.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +18.9.59.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,0,1,=,Medium 18.9.59.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium -18.9.59.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal 
Services",MaxIdleTime,,,,,900000,<=,Medium -18.9.59.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium -18.9.59.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium -18.9.59.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,1,=,Medium -18.9.60.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +18.9.59.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,0,900000,<=,Medium +18.9.59.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,0,60000,=,Medium +18.9.59.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,1,1,=,Medium +18.9.59.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not 
use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,1,1,=,Medium +18.9.60.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium 18.9.61.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium 18.9.61.3,"Administrative Templates: Windows Components","Search: Allow Cortana",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortana,,,,1,0,=,Medium 18.9.61.4,"Administrative Templates: Windows Components","Search: Allow Cortana above lock screen",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortanaAboveLock,,,,1,0,=,Medium 18.9.61.5,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium 18.9.61.6,"Administrative Templates: Windows Components","Search: Allow search and Cortana to use location",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowSearchToUseLocation,,,,1,0,=,Medium -18.9.66.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium +18.9.66.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,0,1,=,Medium 18.9.69.1,"Administrative Templates: Windows Components","Store: Disable all apps from Microsoft 
Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableStoreApps,,,,,1,=,Medium 18.9.69.2,"Administrative Templates: Windows Components","Store: Only display the private store within the Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RequirePrivateStoreOnly,,,,,1,=,Medium 18.9.69.3,"Administrative Templates: Windows Components","Store: Turn off Automatic Download and Install of updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,AutoDownload,,,,,4,=,Medium 18.9.69.4,"Administrative Templates: Windows Components","Store: Turn off the offer to update to the latest version of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableOSUpgrade,,,,,1,=,Medium 18.9.69.5,"Administrative Templates: Windows Components","Store: Turn off the Store application",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RemoveWindowsStore,,,,,1,=,Medium 18.9.77.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium -18.9.77.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium +18.9.77.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,0,=|0,Medium 18.9.77.7.1,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium -18.9.77.9.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium -18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable 
drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium -18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium +18.9.77.9.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,0,1,=,Medium +18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium +18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,1,0,=,Medium 18.9.77.13.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 18.9.77.13.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium 18.9.77.13.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 
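Review bot: The new `MaxIdleTime` row (18.9.59.3.10.1) pairs a default of 0 with the `<=` operator, so a host where the value is 0 or missing satisfies `0 <= 900000` and is reported as compliant, although 0 for this policy presumably means that idle sessions are never limited. This assumes the default column is what the audit falls back to when the registry value is absent; that code is not visible here. If this version of the module supports the `<=!0` operator, the row should end `MaxIdleTime,,,,0,900000,<=!0,Medium`; otherwise the zero case needs its own check.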
@@ -568,7 +568,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.97.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium
 18.9.97.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium
 18.9.97.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium
-18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
+18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
 18.9.97.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium
 18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium
 18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium
@@ -580,7 +580,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium 18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium 18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium -18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,0,0,>=,Medium 18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates 
installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,0,0,>=,Medium 18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_2004_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_2004_machine.csv index 25e609b..99767b6 100644 --- a/lists/finding_list_cis_microsoft_windows_10_enterprise_2004_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_2004_machine.csv 
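Review bot: The `>=` operator on the `NoAutoUpdate` (18.9.102.2) and `NoAutoRebootWithLoggedOnUsers` (18.9.102.4) rows accepts every value at or above the recommended 0, so a host with `NoAutoUpdate` set to 1, which switches automatic updates off, would still pass the audit. The commit fills in only the default column on these rows and leaves the operator as it was. With a recommended value of 0 the comparison should be exact: `NoAutoUpdate,,,,0,0,=,Medium` and `NoAutoRebootWithLoggedOnUsers,,,,0,0,=,Medium`. The unchanged rows 18.9.102.3 and 18.9.102.1.3.2 in this hunk use the same `>=` against 0 and may deserve the same look.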
@@ -56,9 +56,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium 2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low 2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low -2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low 2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low -2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,2,2,=,Medium 2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium 2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium 2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data 
(when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium 
@@ -96,10 +96,10 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium
 2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium
 2.3.10.12,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium
-2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium
+2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,0,1,=,Medium
 2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium
 2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium
-2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium
+2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,<=,Medium
 2.3.11.5,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High
 2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low
 2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium
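Review bot: The `<=` operator on row 2.3.11.4 treats `SupportedEncryptionTypes` as a plain number although the value is a bit mask, so if the comparison is numeric (as the operator suggests), small masks that enable only DES or RC4 (values 1 to 7) would satisfy `<= 2147483640` and be reported as compliant. The new default 2147483644 differs from the recommended value only by the RC4 bit (4), which shows the check is really about individual bits rather than magnitude. Ending the row with `SupportedEncryptionTypes,,,,2147483644,2147483640,=,Medium` would close that gap, at the cost of also flagging stricter AES-only masks. A related concern applies to row 18.9.62.3.10.1 in the last hunk, where the new default 0 passes `<= 900000` although 0 conventionally means no idle limit; that hunk continues past the visible lines.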
@@ -107,7 +107,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium
 2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium
 2.3.14.1,"Security Options","System cryptography: Force strong key protection for user keys stored on the computer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography,ForceKeyProtection,,,,,1,>=,Medium
-2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium
+2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,1,1,=,Medium
 2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium
 2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium
 2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium
@@ -263,25 +263,25 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium
 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium
 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium
-18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium
-18.2.3,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium
-18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium
-18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium
-18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium
+18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,0,1,=,Medium
+18.2.3,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium
+18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,4,4,=,Medium
+18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,14,15,>=,Medium
+18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordAgeDays,,,,30,30,<=,Medium
 18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium
-18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
-18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
-18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium
+18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium
+18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium
+18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium
 18.3.5,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium
 18.3.6,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High
 18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium
-18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
+18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium
+18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium
 18.4.4,"MSS (Legacy)","MSS: (DisableSavePassword) Prevent the dial-up password from being saved",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters,DisableSavePassword,,,,,1,=,Medium
-18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium
-18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium
+18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium
+18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,7200000,300000,<=,Medium
 18.4.7,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
-18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium
+18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,0,0,=,Medium
 18.4.9,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium
 18.4.10,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium
 18.4.11,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium
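Review bot: Rows 18.2.4 and 18.2.6 now carry a default equal to the recommended value (`PasswordComplexity,,,,4,4,=` and `PasswordAgeDays,,,,30,30,<=`), so a host where LAPS is not deployed would pass both if the tool substitutes the default for a missing registry value; that fallback is not visible here and should be confirmed. Those defaults describe how LAPS behaves once it is enabled, not the state of a machine without it, so the audit result can overstate coverage. Consider leaving the default empty on these two rows, e.g. `PasswordAgeDays,,,,,30,<=,Medium`, or documenting next to the list that they are only meaningful when 18.2.1 and 18.2.3 pass.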
@@ -312,12 +312,12 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium
 18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium
 18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium
-18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
+18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium
 18.5.23.2.1,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
 18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium
 18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium
 18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium
-18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium
 18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
 18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium
 18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
@@ -328,7 +328,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.8.7.1.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs,PCI\CC_0C0A,,,,0,PCI\CC_0C0A,=,Medium
 18.8.7.1.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDsRetroactive,,,,0,1,=,Medium
 18.8.7.1.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClasses,,,,0,1,=,Medium
-18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
+18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
 18.8.7.1.5.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 7ebefbc0-3200-11d2-b4c2-00a0C9697d07 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,,,,0,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,=,Medium
 18.8.7.1.5.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match c06ff265-ae09-48f0-812c-16753d7cba83 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,c06ff265-ae09-48f0-812c-16753d7cba83,,,,0,c06ff265-ae09-48f0-812c-16753d7cba83,=,Medium
 18.8.7.1.5.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 6bdd1fc1-810f-11d0-bec7-08002be2092f (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,6bdd1fc1-810f-11d0-bec7-08002be2092f,,,,0,6bdd1fc1-810f-11d0-bec7-08002be2092f,=,Medium
@@ -384,7 +384,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium
 18.9.4.2,"Administrative Templates: Windows Components","App Package Deployment: Prevent non-admin users from installing packaged Windows apps",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx,BlockNonAdminUserInstall,,,,0,1,=,Medium
 18.9.5.1,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium
-18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium
+18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium
 18.9.6.2,"Administrative Templates: Windows Components","App runtime: Block launching Universal Windows apps with Windows Runtime API access from hosted content",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,BlockHostedAppAccessWinRT,,,,0,1,=,Medium
 18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium
 18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium
@@ -453,23 +453,23 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium
 18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium
 18.9.17.1,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium
-18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium
+18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,0,0,=,Medium
 18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium
-18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium
+18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,0,0,=,Medium
 18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium
-18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium
+18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,0,0,=,Medium
 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium
-18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium
+18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,0,0,=,Medium
 18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium
-18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium
-18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium
-18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium
+18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,0,0,=,Medium
+18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,0,0,=,Medium
+18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,0,0,=,Medium
 18.9.35.1,"Administrative Templates: Windows Components","HomeGroup: Prevent the computer from joining a homegroup",Registry,,HKLM:\Software\Policies\Microsoft\Windows\HomeGroup,DisableHomeGroup,,,,0,1,=,Medium
 18.9.39.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium
 18.9.43.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium
 18.9.44.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium
 18.9.45.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium
-18.9.45.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium
+18.9.45.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,0,=|0,Medium
 18.9.45.4.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium
 18.9.45.4.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium
 18.9.45.4.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium
@@ -496,9 +496,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.45.4.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium
 18.9.45.5.1,"Microsoft Defender Antivirus","MpEngine: Enable file hash computation feature",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine",EnableFileHashComputation,,,,,1,=,Medium
 18.9.45.8.1,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium
-18.9.45.10.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium
-18.9.45.11.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium
-18.9.45.11.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium
+18.9.45.10.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,0,1,=,Medium
+18.9.45.11.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium
+18.9.45.11.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,1,0,=,Medium
 18.9.45.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium
 18.9.45.15,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium
 18.9.46.1,"Microsoft Defender Application Guard","Allow auditing events in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AuditApplicationGuard,,,,,1,=,Medium
@@ -531,18 +531,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.62.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium
 18.9.62.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium
 18.9.62.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium
-18.9.62.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium
+18.9.62.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,0,1,=,Medium
 18.9.62.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium
-18.9.62.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,,900000,<=,Medium
-18.9.62.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium
-18.9.62.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium
-18.9.63.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
+18.9.62.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,0,900000,<=,Medium
+18.9.62.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,0,60000,=,Medium
+18.9.62.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,1,1,=,Medium
+18.9.63.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium
 18.9.64.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium
 18.9.64.3,"Administrative Templates: Windows Components","Search: Allow Cortana",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortana,,,,1,0,=,Medium
 18.9.64.4,"Administrative Templates: Windows Components","Search: Allow Cortana above lock screen",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortanaAboveLock,,,,1,0,=,Medium
 18.9.64.5,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
 18.9.64.6,"Administrative Templates: Windows Components","Search: Allow search and Cortana to use location",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowSearchToUseLocation,,,,1,0,=,Medium
-18.9.69.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium
+18.9.69.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,0,1,=,Medium
 18.9.72.1,"Administrative Templates: Windows Components","Store: Disable all apps from Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableStoreApps,,,,,1,=,Medium
 18.9.72.2,"Administrative Templates: Windows Components","Store: Only display the private store within the Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RequirePrivateStoreOnly,,,,,1,=,Medium
 18.9.72.3,"Administrative Templates: Windows Components","Store: Turn off Automatic Download and Install of updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,AutoDownload,,,,,4,=,Medium
@@ -565,7 +565,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.97.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium
 18.9.97.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium
 18.9.97.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium
-18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
+18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
 18.9.97.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium
 18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium
 18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium
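Review bot: Row 18.9.62.3.10.1 (`MaxIdleTime`) in the `-531,18` hunk now pairs a default of `0` with the `<=` operator against `900000`, so a value of 0 satisfies the comparison even though 0 is the policy's "Never" setting, i.e. no idle limit at all. Assuming the evaluator substitutes DefaultValue when the registry item is absent (not visible in these hunks), an unconfigured host would be reported as compliant. An operator that excludes zero closes the gap, e.g. `...,MaxIdleTime,,,,0,900000,<=!0,Medium`; confirm that `<=!0` is supported by the evaluator in this version before using it.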
@@ -577,7 +577,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium
 18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium
 18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium
-18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium
+18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,0,0,>=,Medium
 18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium
-18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium
+18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,0,0,>=,Medium
 18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium
diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_20h2_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_20h2_machine.csv
index 99e7161..d935ca2 100644
--- a/lists/finding_list_cis_microsoft_windows_10_enterprise_20h2_machine.csv
+++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_20h2_machine.csv
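Review bot: Rows 18.9.102.2 (`NoAutoUpdate`) and 18.9.102.4 (`NoAutoRebootWithLoggedOnUsers`) in the `-577,7` hunk keep the `>=` operator with a recommended value of `0`, so any non-negative value passes, including `1`, which for `NoAutoUpdate` switches automatic updates off. With the default now recorded as `0` as well, a numeric comparison cannot fail for either row. An exact match expresses the intended state: `...,NoAutoUpdate,,,,0,0,=,Medium` and `...,NoAutoRebootWithLoggedOnUsers,,,,0,0,=,Medium`. The unchanged rows 18.9.102.1.3.2 and 18.9.102.3 in the same hunk carry the same `0,>=` pair and deserve the same check.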
@@ -56,9 +56,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium
 2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low
 2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low
-2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low
+2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low
 2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low
-2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium
+2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,2,2,=,Medium
 2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium
 2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium
 2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium
@@ -96,10 +96,10 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium
 2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium
 2.3.10.12,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium
-2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium
+2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,0,1,=,Medium
 2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium
 2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium
-2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium
+2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,<=,Medium
 2.3.11.5,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High
 2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low
 2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium
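Review bot: Row 2.3.11.4 (`SupportedEncryptionTypes`) compares a bit mask with the ordering operator `<=`, so every value numerically below `2147483640` passes, including small masks such as `3` or `4` that select only the DES or RC4 types the control is meant to exclude. The new default `2147483644` differs from the recommended value only in the `0x4` bit, which confirms the field is a set of flags rather than a magnitude. An exact comparison avoids the false pass: `...,SupportedEncryptionTypes,,,,2147483644,2147483640,=,Medium`. If AES-only masks such as `24` are also meant to pass, that needs a bitwise test in the evaluator rather than a looser operator in the list.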
@@ -107,7 +107,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium
 2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium
 2.3.14.1,"Security Options","System cryptography: Force strong key protection for user keys stored on the computer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography,ForceKeyProtection,,,,,1,>=,Medium
-2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium
+2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,1,1,=,Medium
 2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium
 2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium
 2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium
@@ -263,25 +263,25 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium
 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium
 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium
-18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium
-18.2.3,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium
-18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium
-18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium
-18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium
+18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,0,1,=,Medium
+18.2.3,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium
+18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,4,4,=,Medium
+18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,14,15,>=,Medium
+18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordAgeDays,,,,30,30,<=,Medium
 18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium
-18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
-18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
-18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium
+18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium
+18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium
+18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium
 18.3.5,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium
 18.3.6,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High
 18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium
-18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
+18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium
+18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium
 18.4.4,"MSS (Legacy)","MSS: (DisableSavePassword) Prevent the dial-up password from being saved",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters,DisableSavePassword,,,,,1,=,Medium
-18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium
-18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium
+18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium
+18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,7200000,300000,<=,Medium
 18.4.7,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
-18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium
+18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,0,0,=,Medium
 18.4.9,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium
 18.4.10,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium
 18.4.11,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium
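Review bot: Rows 18.2.4 (`PasswordComplexity`, now `4,4,=`) and 18.2.6 (`PasswordAgeDays`, now `30,30,<=`) carry a default that already satisfies the recommendation, so if the evaluator falls back to DefaultValue for a missing registry item (not visible in this hunk) both rows pass on a machine where LAPS is not installed at all. The other 18.2.x rows would still fail in that case, but the report would count two LAPS controls as met that are not in effect. Leaving DefaultValue empty for these two rows, as in `...,PasswordComplexity,,,,,4,=,Medium` and `...,PasswordAgeDays,,,,,30,<=,Medium`, keeps an absent policy visible as a finding; otherwise the list's documentation should say that these defaults describe LAPS behaviour only once it is enabled.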
@@ -312,12 +312,12 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium
 18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium
 18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium
-18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
+18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium
 18.5.23.2.1,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
 18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium
 18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium
 18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium
-18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium
 18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
 18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium
 18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
@@ -328,7 +328,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.8.7.1.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs,PCI\CC_0C0A,,,,0,PCI\CC_0C0A,=,Medium
 18.8.7.1.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDsRetroactive,,,,0,1,=,Medium
 18.8.7.1.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClasses,,,,0,1,=,Medium
-18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
+18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
 18.8.7.1.5.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 7ebefbc0-3200-11d2-b4c2-00a0C9697d07 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,,,,0,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,=,Medium
 18.8.7.1.5.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match c06ff265-ae09-48f0-812c-16753d7cba83 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,c06ff265-ae09-48f0-812c-16753d7cba83,,,,0,c06ff265-ae09-48f0-812c-16753d7cba83,=,Medium
 18.8.7.1.5.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 6bdd1fc1-810f-11d0-bec7-08002be2092f (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,6bdd1fc1-810f-11d0-bec7-08002be2092f,,,,0,6bdd1fc1-810f-11d0-bec7-08002be2092f,=,Medium
@@ -384,7 +384,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium
 18.9.4.2,"Administrative Templates: Windows Components","App Package Deployment: Prevent non-admin users from installing packaged Windows apps",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx,BlockNonAdminUserInstall,,,,0,1,=,Medium
 18.9.5.1,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium
-18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium
+18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium
 18.9.6.2,"Administrative Templates: Windows Components","App runtime: Block launching Universal Windows apps with Windows Runtime API access from hosted content",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,BlockHostedAppAccessWinRT,,,,0,1,=,Medium
 18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium
 18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium
@@ -454,23 +454,23 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium
 18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium
 18.9.17.1,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium
-18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium
+18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,0,0,=,Medium
 18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium
-18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium
+18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,0,0,=,Medium
 18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium
-18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium
+18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,0,0,=,Medium
 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium
-18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium
+18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,0,0,=,Medium
 18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium
-18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium
-18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium
-18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium
+18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,0,0,=,Medium
+18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,0,0,=,Medium
+18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,0,0,=,Medium
 18.9.35.1,"Administrative Templates: Windows Components","HomeGroup: Prevent the computer from joining a homegroup",Registry,,HKLM:\Software\Policies\Microsoft\Windows\HomeGroup,DisableHomeGroup,,,,0,1,=,Medium
 18.9.39.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium
 18.9.43.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium
 18.9.44.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium
 18.9.45.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium
-18.9.45.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium
+18.9.45.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,0,=|0,Medium
 18.9.45.4.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium
 18.9.45.4.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium
 18.9.45.4.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium
@@ -501,9 +501,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.45.8.1,"Microsoft Defender Antivirus","Real-time Protection: Scan all downloaded files and attachments",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableIOAVProtection,,,,0,0,=,Medium
 18.9.45.8.2,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium
 18.9.45.8.3,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium
-18.9.45.10.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium
-18.9.45.11.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium
-18.9.45.11.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium
+18.9.45.10.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,0,1,=,Medium
+18.9.45.11.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium
+18.9.45.11.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,1,0,=,Medium
 18.9.45.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium
 18.9.45.15,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium
 18.9.46.1,"Microsoft Defender Application Guard","Allow auditing events in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AuditApplicationGuard,,,,,1,=,Medium
@@ -536,18 +536,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.62.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium
 18.9.62.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium
 18.9.62.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium
-18.9.62.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium
+18.9.62.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,0,1,=,Medium
 18.9.62.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium
-18.9.62.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,,900000,<=!0,Medium
-18.9.62.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium
-18.9.62.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium
-18.9.63.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
+18.9.62.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,0,900000,<=!0,Medium
+18.9.62.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,0,60000,=,Medium
+18.9.62.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,1,1,=,Medium
+18.9.63.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium
 18.9.64.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium
 18.9.64.3,"Administrative Templates: Windows Components","Search: Allow Cortana",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortana,,,,1,0,=,Medium
 18.9.64.4,"Administrative Templates: Windows Components","Search: Allow Cortana above lock screen",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortanaAboveLock,,,,1,0,=,Medium
 18.9.64.5,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
 18.9.64.6,"Administrative Templates: Windows Components","Search: Allow search and Cortana to use location",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowSearchToUseLocation,,,,1,0,=,Medium
-18.9.69.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium
+18.9.69.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,0,1,=,Medium
 18.9.72.1,"Administrative Templates: Windows Components","Store: Disable all apps from Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableStoreApps,,,,,1,=,Medium
 18.9.72.2,"Administrative Templates: Windows Components","Store: Only display the private store within the Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RequirePrivateStoreOnly,,,,,1,=,Medium
 18.9.72.3,"Administrative Templates: Windows Components","Store: Turn off Automatic Download and Install of updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,AutoDownload,,,,,4,=,Medium
@@ -570,7 +570,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.97.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium
 18.9.97.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium
 18.9.97.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium
-18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
+18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
 18.9.97.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium
 18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium
 18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium
@@ -582,7 +582,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium
 18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium
 18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium
-18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium
+18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,0,0,>=,Medium
 18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium
-18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium
+18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,0,0,>=,Medium
 18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium
diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_21h1_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_21h1_machine.csv
index 9dfb37f..56e8a67 100644
--- a/lists/finding_list_cis_microsoft_windows_10_enterprise_21h1_machine.csv
+++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_21h1_machine.csv
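Review bot: The two rows changed in the `@@ -582` hunk, 18.9.102.2 (`NoAutoUpdate`) and 18.9.102.4 (`NoAutoRebootWithLoggedOnUsers`), keep the operator `>=` with RecommendedValue 0, so filling in the DefaultValue leaves the check itself too permissive. If `>=` means the observed value must be at least the recommended one, as the `MaxSize` rows (`4096,32768,>=`) in the `@@ -454` hunk suggest, then `NoAutoUpdate = 1` (automatic updates turned off) is still reported as compliant. For these on/off values the rows should end `NoAutoUpdate,,,,0,0,=,Medium` and `NoAutoRebootWithLoggedOnUsers,,,,0,0,=,Medium`. The context row 18.9.102.3 (`ScheduledInstallDay`, `0,>=`) has the same shape and is worth checking as well.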
@@ -56,9 +56,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium
 2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low
 2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low
-2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low
+2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low
 2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low
-2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium
+2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,2,2,=,Medium
 2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium
 2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium
 2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium
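Review bot: The new DefaultValue 2 for `AllocateDASD` in 2.3.4.1 equals the RecommendedValue, so if DefaultValue is what the tool assumes when the registry value is absent, an unconfigured machine is reported as compliant. As far as I know Windows treats an unset value as Administrators only, which corresponds to 0 rather than 2; if that is right the row should end `AllocateDASD,,,,0,2,=,Medium`. Please confirm against the policy reference, and document in the list format what DefaultValue is meant to represent so that defaults are not filled in by copying the recommendation.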
@@ -96,10 +96,10 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium
 2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium
 2.3.10.12,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium
-2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium
+2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,0,1,=,Medium
 2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium
 2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium
-2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium
+2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,<=,Medium
 2.3.11.5,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High
 2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low
 2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium
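Review bot: Row 2.3.11.4 still compares `SupportedEncryptionTypes` numerically with `<=` against 2147483640, but the value is a bit mask, so numeric ordering says nothing about which encryption types are enabled. 2147483640 is 0x7FFFFFF8, every bit except the low three, which select the DES and RC4 types; a machine set to 4 (RC4 only) or 7 (DES and RC4) is numerically smaller and would be reported as compliant. If the list format has no mask operator, ending the row `SupportedEncryptionTypes,,,,2147483644,2147483640,=,Medium` at least fails those values, at the cost of needing separate handling for a stricter AES-only setting (24). The added DefaultValue 2147483644 (0x7FFFFFFC) is consistent with that reading, since it differs from the recommendation only in the RC4 bit.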
@@ -107,7 +107,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium
 2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium
 2.3.14.1,"Security Options","System cryptography: Force strong key protection for user keys stored on the computer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography,ForceKeyProtection,,,,,1,>=,Medium
-2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium
+2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,1,1,=,Medium
 2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium
 2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium
 2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium
@@ -263,25 +263,25 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium -18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium -18.2.3,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium -18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium -18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium -18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium +18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,0,1,=,Medium +18.2.3,"Administrative Templates: LAPS","Enable local admin password 
management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium +18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,4,4,=,Medium +18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,14,15,>=,Medium +18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordAgeDays,,,,30,30,<=,Medium 18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium -18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium -18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium -18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium +18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium 18.3.5,"MS Security Guide","NetBT NodeType 
configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium 18.3.6,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High 18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium -18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium +18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium +18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium 18.4.4,"MSS (Legacy)","MSS: (DisableSavePassword) Prevent the dial-up password from being saved",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters,DisableSavePassword,,,,,1,=,Medium -18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium -18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium 
+18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium +18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,7200000,300000,<=,Medium 18.4.7,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium -18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium +18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,0,0,=,Medium 18.4.9,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium 18.4.10,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium 18.4.11,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium 
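Review bot: Rows 18.3.1 (`LocalAccountTokenFilterPolicy`) and 18.4.4 (`DisableSavePassword`) in this hunk still have an empty DefaultValue field, while the rows around them now carry one. If the audit falls back to DefaultValue when the registry value is absent, which is presumably why this change was made, these rows will still be evaluated differently from their neighbours on an unconfigured machine. The same gap remains in context rows of later hunks: 18.8.5.1 to 18.8.5.3 (Device Guard), 18.9.44.1, 18.9.45.3.1, 18.9.46.1 and 18.9.73.1 to 18.9.73.3. Either fill them in this commit or state in the commit message why they are deliberately left empty.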
@@ -312,12 +312,12 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium 18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium 18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium -18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium +18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium 18.5.23.2.1,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium 18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium 18.8.3.1,"Administrative Templates: System","Audit Process Creation: 
Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium 18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium -18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium 18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium 18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium 18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium 
@@ -328,7 +328,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.8.7.1.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs,PCI\CC_0C0A,,,,0,PCI\CC_0C0A,=,Medium 18.8.7.1.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDsRetroactive,,,,0,1,=,Medium 18.8.7.1.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClasses,,,,0,1,=,Medium -18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium +18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium 18.8.7.1.5.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 
7ebefbc0-3200-11d2-b4c2-00a0C9697d07 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,,,,0,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,=,Medium 18.8.7.1.5.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match c06ff265-ae09-48f0-812c-16753d7cba83 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,c06ff265-ae09-48f0-812c-16753d7cba83,,,,0,c06ff265-ae09-48f0-812c-16753d7cba83,=,Medium 18.8.7.1.5.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 6bdd1fc1-810f-11d0-bec7-08002be2092f (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,6bdd1fc1-810f-11d0-bec7-08002be2092f,,,,0,6bdd1fc1-810f-11d0-bec7-08002be2092f,=,Medium 
@@ -384,7 +384,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium 18.9.4.2,"Administrative Templates: Windows Components","App Package Deployment: Prevent non-admin users from installing packaged Windows apps",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx,BlockNonAdminUserInstall,,,,0,1,=,Medium 18.9.5.1,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium -18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium +18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium 18.9.6.2,"Administrative Templates: Windows Components","App runtime: Block launching Universal Windows apps with Windows Runtime API access from hosted content",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,BlockHostedAppAccessWinRT,,,,0,1,=,Medium 18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium 18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for 
AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium 
@@ -445,23 +445,23 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium 18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium 18.9.17.1,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium -18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium +18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,0,0,=,Medium 18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium +18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum 
size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,0,0,=,Medium 18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium +18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,0,0,=,Medium 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium -18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium +18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,0,0,=,Medium 18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium -18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for 
Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium -18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium -18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium +18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,0,0,=,Medium +18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,0,0,=,Medium +18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,0,0,=,Medium 18.9.35.1,"Administrative Templates: Windows Components","HomeGroup: Prevent the computer from joining a homegroup",Registry,,HKLM:\Software\Policies\Microsoft\Windows\HomeGroup,DisableHomeGroup,,,,0,1,=,Medium 18.9.39.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium 18.9.43.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium 18.9.44.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user 
authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium 18.9.45.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium -18.9.45.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium +18.9.45.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,0,=|0,Medium 18.9.45.4.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 18.9.45.4.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium 18.9.45.4.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 
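Review bot: On row 18.9.45.3.2 the operator `=|0` is kept while DefaultValue and RecommendedValue are now both 0, so the alternative adds nothing over a plain `=` (assuming `|0` means "or 0"). If a second accepted value was intended, it is the RecommendedValue that needs correcting. Otherwise simplify the row tail to `SpynetReporting,,,,0,0,=,Medium` so the check reads the same as the other rows.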
@@ -492,9 +492,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.45.8.1,"Microsoft Defender Antivirus","Real-time Protection: Scan all downloaded files and attachments",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableIOAVProtection,,,,0,0,=,Medium 18.9.45.8.2,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium 18.9.45.8.3,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium -18.9.45.10.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium -18.9.45.11.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium -18.9.45.11.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium +18.9.45.10.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,0,1,=,Medium +18.9.45.11.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium +18.9.45.11.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,1,0,=,Medium 18.9.45.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted 
applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium 18.9.45.15,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium 18.9.46.1,"Microsoft Defender Application Guard","Allow auditing events in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AuditApplicationGuard,,,,,1,=,Medium 
@@ -515,18 +515,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.63.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium 18.9.63.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium 18.9.63.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium -18.9.63.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +18.9.63.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,0,1,=,Medium 18.9.63.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium -18.9.63.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal 
Services",MaxIdleTime,,,,,900000,<=!0,Medium -18.9.63.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium -18.9.63.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium -18.9.64.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +18.9.63.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,0,900000,<=!0,Medium +18.9.63.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,0,60000,=,Medium +18.9.63.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,1,1,=,Medium +18.9.64.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium 18.9.65.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows 
Search",AllowCloudSearch,,,,1,0,=,Medium 18.9.65.3,"Administrative Templates: Windows Components","Search: Allow Cortana",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortana,,,,1,0,=,Medium 18.9.65.4,"Administrative Templates: Windows Components","Search: Allow Cortana above lock screen",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortanaAboveLock,,,,1,0,=,Medium 18.9.65.5,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium 18.9.65.6,"Administrative Templates: Windows Components","Search: Allow search and Cortana to use location",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowSearchToUseLocation,,,,1,0,=,Medium -18.9.70.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium +18.9.70.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,0,1,=,Medium 18.9.73.1,"Administrative Templates: Windows Components","Store: Disable all apps from Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableStoreApps,,,,,1,=,Medium 18.9.73.2,"Administrative Templates: Windows Components","Store: Only display the private store within the Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RequirePrivateStoreOnly,,,,,1,=,Medium 18.9.73.3,"Administrative Templates: Windows Components","Store: Turn off Automatic Download and Install of 
updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,AutoDownload,,,,,4,=,Medium @@ -549,7 +549,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.98.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium 18.9.98.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium 18.9.98.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium -18.9.98.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium +18.9.98.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium 18.9.98.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium 18.9.98.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium 18.9.99.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium 
@@ -561,7 +561,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.103.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium 18.9.103.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium 18.9.103.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium -18.9.103.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.103.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,0,0,>=,Medium 18.9.103.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -18.9.103.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates 
installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.103.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,0,0,>=,Medium 18.9.103.5,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_21h2_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_21h2_machine.csv index d62f932..34c7e22 100644 --- a/lists/finding_list_cis_microsoft_windows_10_enterprise_21h2_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_21h2_machine.csv 
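Review bot: The `>=` operator paired with a recommended value of 0 makes the 18.9.103.2 and 18.9.103.4 checks pass for any non-negative registry value, so `NoAutoUpdate = 1` (automatic updates switched off) would still be reported as compliant. The commit fills in the default for both rows but keeps the operator; ending them with `,0,0,=,Medium` would let only 0 pass. This reading assumes the last four columns are default, recommended value, operator and severity, which the truncated hunk header does not show. The context rows 18.9.103.1.3.2 and 18.9.103.3 in this hunk carry the same `0,>=` pairing and are worth checking too.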
@@ -56,9 +56,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium 2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low 2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low -2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low 2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low -2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,2,2,=,Medium 2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium 2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium 2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data 
(when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium 
@@ -96,10 +96,10 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium 2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium 2.3.10.12,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium -2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,0,1,=,Medium 2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium 2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium -2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,<=,Medium 2.3.11.5,"Security Options","Network security: Do not store LAN 
Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High 2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low 2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium 
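Review bot: `SupportedEncryptionTypes` in row 2.3.11.4 is a bit mask, but the row still tests it with `<=` against 2147483640, so if the operator is applied as a numeric comparison, small masks that enable only DES or RC4 (values 1 through 7) pass the check. The new default of 2147483644 differs from the recommended value only in the RC4 bit (4), which shows that the comparison is about which bits are set rather than magnitude. Consider ending the row with `2147483644,2147483640,=,Medium`, and documenting in the list that this value is a mask. The hunk header truncates the column names, so reading the last four columns as default, recommended value, operator and severity is inferred from the rows.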
@@ -107,7 +107,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium
 2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium
 2.3.14.1,"Security Options","System cryptography: Force strong key protection for user keys stored on the computer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography,ForceKeyProtection,,,,,1,>=,Medium
-2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium
+2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,1,1,=,Medium
 2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium
 2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium
 2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium
@@ -265,26 +265,26 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium -18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium -18.2.3,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium -18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium -18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium -18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium +18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,0,1,=,Medium +18.2.3,"Administrative Templates: LAPS","Enable local admin password 
management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium +18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,4,4,=,Medium +18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,14,15,>=,Medium +18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordAgeDays,,,,30,30,<=,Medium 18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium -18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium -18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium -18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium +18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium 18.3.5,"MS Security Guide","Limits print driver installation to Administrators",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows 
NT\Printers\PointAndPrint",RestrictDriverInstallationToAdministrators,,,,0,1,=,Medium 18.3.6,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium 18.3.7,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High 18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium -18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium +18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium +18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium 18.4.4,"MSS (Legacy)","MSS: (DisableSavePassword) Prevent the dial-up password from being saved",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters,DisableSavePassword,,,,,1,=,Medium -18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium -18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive 
packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium +18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium +18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,7200000,300000,<=,Medium 18.4.7,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium -18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium +18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,0,0,=,Medium 18.4.9,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium 18.4.10,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium 18.4.11,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium 
@@ -316,7 +316,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium 18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium 18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium -18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium +18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium 18.5.23.2.1,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium 18.6.1,"Administrative Templates","Printers: Allow Print Spooler to accept client connections",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",RegisterSpoolerRemoteRpcEndPoint,,,,1,2,=,Medium 18.6.2,"Administrative Templates","Printers: Point and Print Restrictions: When installing drivers for a 
new connection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint",NoWarningNoElevationOnInstall,,,,0,0,=,Medium 
@@ -324,7 +324,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium
 18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,1,=,Medium
 18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium
-18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium
 18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
 18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium
 18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
@@ -335,7 +335,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.8.7.1.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs,PCI\CC_0C0A,,,,0,PCI\CC_0C0A,=,Medium 18.8.7.1.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDsRetroactive,,,,0,1,=,Medium 18.8.7.1.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClasses,,,,0,1,=,Medium -18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium +18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium 18.8.7.1.5.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 
7ebefbc0-3200-11d2-b4c2-00a0C9697d07 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,,,,0,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,=,Medium 18.8.7.1.5.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match c06ff265-ae09-48f0-812c-16753d7cba83 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,c06ff265-ae09-48f0-812c-16753d7cba83,,,,0,c06ff265-ae09-48f0-812c-16753d7cba83,=,Medium 18.8.7.1.5.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 6bdd1fc1-810f-11d0-bec7-08002be2092f (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,6bdd1fc1-810f-11d0-bec7-08002be2092f,,,,0,6bdd1fc1-810f-11d0-bec7-08002be2092f,=,Medium 
@@ -392,7 +392,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium 18.9.4.2,"Administrative Templates: Windows Components","App Package Deployment: Prevent non-admin users from installing packaged Windows apps",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx,BlockNonAdminUserInstall,,,,0,1,=,Medium 18.9.5.1,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium -18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium +18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium 18.9.6.2,"Administrative Templates: Windows Components","App runtime: Block launching Universal Windows apps with Windows Runtime API access from hosted content",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,BlockHostedAppAccessWinRT,,,,0,1,=,Medium 18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium 18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for 
AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium 
@@ -458,23 +458,23 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.17.7,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Limit Dump Collection",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,LimitDumpCollection,,,,,1,=,Medium 18.9.17.8,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium 18.9.18.1,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium -18.9.27.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium +18.9.27.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,0,0,=,Medium 18.9.27.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -18.9.27.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium +18.9.27.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum 
size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,0,0,=,Medium 18.9.27.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -18.9.27.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium +18.9.27.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,0,0,=,Medium 18.9.27.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium -18.9.27.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium +18.9.27.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,0,0,=,Medium 18.9.27.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium -18.9.31.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for 
Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium -18.9.31.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium -18.9.31.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium +18.9.31.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,0,0,=,Medium +18.9.31.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,0,0,=,Medium +18.9.31.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,0,0,=,Medium 18.9.36.1,"Administrative Templates: Windows Components","HomeGroup: Prevent the computer from joining a homegroup",Registry,,HKLM:\Software\Policies\Microsoft\Windows\HomeGroup,DisableHomeGroup,,,,0,1,=,Medium 18.9.41.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium 18.9.45.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium 18.9.46.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user 
authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium 18.9.47.4.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium -18.9.47.4.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium +18.9.47.4.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,0,=|0,Medium 18.9.47.5.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 18.9.47.5.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium 18.9.47.5.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 
@@ -506,9 +506,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.47.9.2,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium 18.9.47.9.3,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium 18.9.47.9.4,"Microsoft Defender Antivirus","Real-time Protection: Turn on script scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableScriptScanning,,,,0,0,=,Medium -18.9.47.11.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium -18.9.47.12.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium -18.9.47.12.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium +18.9.47.11.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,0,1,=,Medium +18.9.47.12.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium +18.9.47.12.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,1,0,=,Medium 18.9.47.15,"Microsoft Defender Antivirus","Configure detection for potentially unwanted 
applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium 18.9.47.16,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium 18.9.48.1,"Microsoft Defender Application Guard","Allow auditing events in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AuditApplicationGuard,,,,,1,=,Medium 
@@ -531,18 +531,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.65.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium 18.9.65.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium 18.9.65.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium -18.9.65.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +18.9.65.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,0,1,=,Medium 18.9.65.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium -18.9.65.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal 
Services",MaxIdleTime,,,,,900000,<=!0,Medium -18.9.65.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium -18.9.65.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium -18.9.66.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +18.9.65.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,0,900000,<=!0,Medium +18.9.65.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,0,60000,=,Medium +18.9.65.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,1,1,=,Medium +18.9.66.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium 18.9.67.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows 
Search",AllowCloudSearch,,,,1,0,=,Medium 18.9.67.3,"Administrative Templates: Windows Components","Search: Allow Cortana",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortana,,,,1,0,=,Medium 18.9.67.4,"Administrative Templates: Windows Components","Search: Allow Cortana above lock screen",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortanaAboveLock,,,,1,0,=,Medium 18.9.67.5,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium 18.9.67.6,"Administrative Templates: Windows Components","Search: Allow search and Cortana to use location",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowSearchToUseLocation,,,,1,0,=,Medium -18.9.72.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium +18.9.72.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,0,1,=,Medium 18.9.75.1,"Administrative Templates: Windows Components","Store: Disable all apps from Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableStoreApps,,,,,1,=,Medium 18.9.75.2,"Administrative Templates: Windows Components","Store: Only display the private store within the Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RequirePrivateStoreOnly,,,,,1,=,Medium 18.9.75.3,"Administrative Templates: Windows Components","Store: Turn off Automatic Download and Install of 
updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,AutoDownload,,,,,4,=,Medium 
@@ -566,15 +566,15 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.102.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium 18.9.102.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium 18.9.102.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium -18.9.102.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium +18.9.102.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium 18.9.102.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium 18.9.102.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium 18.9.103.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium 18.9.104.1,"Administrative Templates: Windows Components","Windows Sandbox: Allow clipboard sharing with Windows 
Sandbox",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sandbox,AllowClipboardRedirection,,,,,0,=,Medium 18.9.104.2,"Administrative Templates: Windows Components","Windows Sandbox: Allow networking in Windows Sandbox",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sandbox,AllowNetworking,,,,,0,=,Medium 18.9.105.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium -18.9.108.1.1,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium -18.9.108.2.1,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.108.1.1,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,0,0,>=,Medium +18.9.108.2.1,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,0,0,>=,Medium 18.9.108.2.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium 18.9.108.2.3,"Administrative Templates: Windows Components","Windows Update: Manage 
end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium 18.9.108.4.1.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_11_enterprise_21h2_machine.csv b/lists/finding_list_cis_microsoft_windows_11_enterprise_21h2_machine.csv index c1e58d8..c6087ca 100644 --- a/lists/finding_list_cis_microsoft_windows_11_enterprise_21h2_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_11_enterprise_21h2_machine.csv 
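Review bot: The two rewritten Windows Update rows, 18.9.108.1.1 (`NoAutoRebootWithLoggedOnUsers`) and 18.9.108.2.1 (`NoAutoUpdate`), keep the operator `>=` against a recommended value of 0, so the check can hardly fail. Assuming `>=` is a plain numeric comparison of the read value against the recommended one, every non-negative value passes, including `NoAutoUpdate = 1`, which turns automatic updates off. With the default now filled in as 0, an absent value would pass as well if the default stands in for a missing registry item. Both settings are on/off flags, so I would compare them exactly, e.g. `...\WindowsUpdate\Au,NoAutoUpdate,,,,0,0,=,Medium`, with the same operator change on 18.9.108.1.1.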
@@ -56,9 +56,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium 2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low 2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low -2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low 2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low -2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,2,2,=,Medium 2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium 2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium 2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data 
(when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium 
@@ -96,10 +96,10 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium 2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium 2.3.10.12,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium -2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,0,1,=,Medium 2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium 2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium -2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,<=,Medium 2.3.11.5,"Security Options","Network security: Do not store LAN 
Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High 2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low 2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium 
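Review bot: Row 2.3.11.4 (`SupportedEncryptionTypes`) still compares with `<=` against 2147483640, although the value is a bit mask rather than a magnitude. If `<=` is a plain integer comparison, a smaller mask that enables only legacy types (for example 4, RC4_HMAC_MD5 alone) is reported as passing, while the newly added default 2147483644 fails only because it happens to be numerically larger. An exact match would avoid that: `...,SupportedEncryptionTypes,,,,2147483644,2147483640,=,Medium`. If stricter masks such as AES256-only are meant to pass too, they would need to be accepted explicitly rather than through an ordering test.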
@@ -107,7 +107,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium 2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium 2.3.14.1,"Security Options","System cryptography: Force strong key protection for user keys stored on the computer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography,ForceKeyProtection,,,,,1,>=,Medium -2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium +2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,1,1,=,Medium 2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium 2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium 2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium 
@@ -265,26 +265,26 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium -18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium -18.2.3,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium -18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium -18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium -18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium +18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,0,1,=,Medium +18.2.3,"Administrative Templates: LAPS","Enable local admin password 
management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium +18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,4,4,=,Medium +18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,14,15,>=,Medium +18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordAgeDays,,,,30,30,<=,Medium 18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium -18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium -18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium -18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium +18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium 18.3.5,"MS Security Guide","Limits print driver installation to Administrators",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows 
NT\Printers\PointAndPrint",RestrictDriverInstallationToAdministrators,,,,0,1,=,Medium 18.3.6,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium 18.3.7,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High 18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium -18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium +18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium +18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium 18.4.4,"MSS (Legacy)","MSS: (DisableSavePassword) Prevent the dial-up password from being saved",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters,DisableSavePassword,,,,,1,=,Medium -18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium -18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive 
packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium +18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium +18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,7200000,300000,<=,Medium 18.4.7,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium -18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium +18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,0,0,=,Medium 18.4.9,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium 18.4.10,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium 18.4.11,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium 
@@ -316,7 +316,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium 18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium 18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium -18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium +18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium 18.5.23.2.1,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium 18.6.1,"Administrative Templates","Printers: Allow Print Spooler to accept client connections",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",RegisterSpoolerRemoteRpcEndPoint,,,,1,2,=,Medium 18.6.2,"Administrative Templates","Printers: Point and Print Restrictions: When installing drivers for a 
new connection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint",NoWarningNoElevationOnInstall,,,,0,0,=,Medium 
@@ -324,7 +324,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium 18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,1,=,Medium 18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium -18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium 18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium 18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium 18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium 
@@ -335,7 +335,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.8.7.1.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs,PCI\CC_0C0A,,,,0,PCI\CC_0C0A,=,Medium
 18.8.7.1.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDsRetroactive,,,,0,1,=,Medium
 18.8.7.1.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClasses,,,,0,1,=,Medium
-18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
+18.8.7.1.5.1,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
 18.8.7.1.5.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 7ebefbc0-3200-11d2-b4c2-00a0C9697d07 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,,,,0,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,=,Medium
 18.8.7.1.5.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match c06ff265-ae09-48f0-812c-16753d7cba83 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,c06ff265-ae09-48f0-812c-16753d7cba83,,,,0,c06ff265-ae09-48f0-812c-16753d7cba83,=,Medium
 18.8.7.1.5.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 6bdd1fc1-810f-11d0-bec7-08002be2092f (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,6bdd1fc1-810f-11d0-bec7-08002be2092f,,,,0,6bdd1fc1-810f-11d0-bec7-08002be2092f,=,Medium
@@ -392,7 +392,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium
 18.9.4.2,"Administrative Templates: Windows Components","App Package Deployment: Prevent non-admin users from installing packaged Windows apps",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx,BlockNonAdminUserInstall,,,,0,1,=,Medium
 18.9.5.1,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium
-18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium
+18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium
 18.9.6.2,"Administrative Templates: Windows Components","App runtime: Block launching Universal Windows apps with Windows Runtime API access from hosted content",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,BlockHostedAppAccessWinRT,,,,0,1,=,Medium
 18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium
 18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium
@@ -458,23 +458,23 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.17.7,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Limit Dump Collection",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,LimitDumpCollection,,,,,1,=,Medium
 18.9.17.8,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium
 18.9.18.1,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,1,2,=,Medium
-18.9.27.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium
+18.9.27.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,0,0,=,Medium
 18.9.27.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium
-18.9.27.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium
+18.9.27.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,0,0,=,Medium
 18.9.27.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium
-18.9.27.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium
+18.9.27.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,0,0,=,Medium
 18.9.27.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium
-18.9.27.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium
+18.9.27.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,0,0,=,Medium
 18.9.27.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium
-18.9.31.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium
-18.9.31.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium
-18.9.31.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium
+18.9.31.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,0,0,=,Medium
+18.9.31.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,0,0,=,Medium
+18.9.31.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,0,0,=,Medium
 18.9.36.1,"Administrative Templates: Windows Components","HomeGroup: Prevent the computer from joining a homegroup",Registry,,HKLM:\Software\Policies\Microsoft\Windows\HomeGroup,DisableHomeGroup,,,,0,1,=,Medium
 18.9.41.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium
 18.9.45.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium
 18.9.46.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium
 18.9.47.4.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium
-18.9.47.4.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium
+18.9.47.4.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,0,=|0,Medium
 18.9.47.5.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium
 18.9.47.5.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium
 18.9.47.5.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium
@@ -506,9 +506,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.47.9.2,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium
 18.9.47.9.3,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium
 18.9.47.9.4,"Microsoft Defender Antivirus","Real-time Protection: Turn on script scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableScriptScanning,,,,0,0,=,Medium
-18.9.47.11.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium
-18.9.47.12.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium
-18.9.47.12.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium
+18.9.47.11.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,0,1,=,Medium
+18.9.47.12.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium
+18.9.47.12.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,1,0,=,Medium
 18.9.47.15,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium
 18.9.47.16,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium
 18.9.48.1,"Microsoft Defender Application Guard","Allow auditing events in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AuditApplicationGuard,,,,,1,=,Medium
@@ -531,18 +531,18 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.65.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium
 18.9.65.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium
 18.9.65.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium
-18.9.65.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium
+18.9.65.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,0,1,=,Medium
 18.9.65.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium
-18.9.65.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,,900000,<=!0,Medium
-18.9.65.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium
-18.9.65.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium
-18.9.66.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
+18.9.65.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,0,900000,<=!0,Medium
+18.9.65.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,0,60000,=,Medium
+18.9.65.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,1,1,=,Medium
+18.9.66.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium
 18.9.67.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium
 18.9.67.3,"Administrative Templates: Windows Components","Search: Allow Cortana",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortana,,,,1,0,=,Medium
 18.9.67.4,"Administrative Templates: Windows Components","Search: Allow Cortana above lock screen",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortanaAboveLock,,,,1,0,=,Medium
 18.9.67.5,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
 18.9.67.6,"Administrative Templates: Windows Components","Search: Allow search and Cortana to use location",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowSearchToUseLocation,,,,1,0,=,Medium
-18.9.72.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium
+18.9.72.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,0,1,=,Medium
 18.9.75.1,"Administrative Templates: Windows Components","Store: Disable all apps from Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableStoreApps,,,,,1,=,Medium
 18.9.75.2,"Administrative Templates: Windows Components","Store: Only display the private store within the Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RequirePrivateStoreOnly,,,,,1,=,Medium
 18.9.75.3,"Administrative Templates: Windows Components","Store: Turn off Automatic Download and Install of updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,AutoDownload,,,,,4,=,Medium
@@ -566,15 +566,15 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.102.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium
 18.9.102.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium
 18.9.102.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium
-18.9.102.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
+18.9.102.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
 18.9.102.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium
 18.9.102.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium
 18.9.103.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium
 18.9.104.1,"Administrative Templates: Windows Components","Windows Sandbox: Allow clipboard sharing with Windows Sandbox",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sandbox,AllowClipboardRedirection,,,,,0,=,Medium
 18.9.104.2,"Administrative Templates: Windows Components","Windows Sandbox: Allow networking in Windows Sandbox",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sandbox,AllowNetworking,,,,,0,=,Medium
 18.9.105.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium
-18.9.108.1.1,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium
-18.9.108.2.1,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium
+18.9.108.1.1,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,0,0,>=,Medium
+18.9.108.2.1,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,0,0,>=,Medium
 18.9.108.2.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium
 18.9.108.2.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium
 18.9.108.4.1.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium
diff --git a/lists/finding_list_cis_microsoft_windows_server_2012_r2_2.4.0_machine.csv b/lists/finding_list_cis_microsoft_windows_server_2012_r2_2.4.0_machine.csv
index 4f46c54..68f4631 100644
--- a/lists/finding_list_cis_microsoft_windows_server_2012_r2_2.4.0_machine.csv
+++ b/lists/finding_list_cis_microsoft_windows_server_2012_r2_2.4.0_machine.csv
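Review bot: In the `@@ -566,15 +566,15 @@` hunk, the changed rows 18.9.108.1.1 (NoAutoRebootWithLoggedOnUsers) and 18.9.108.2.1 (NoAutoUpdate) keep the operator `>=` against a RecommendedValue of 0. If the Operator column is a numeric comparison, every non-negative value satisfies it, so a host with NoAutoUpdate set to 1 would still be reported as passing. Assuming DefaultValue stands in for a missing registry item (the evaluating code is not part of this diff), the new default of 0 makes an absent value pass too, so the check can never fail. Both rows should compare for equality, i.e. end in `NoAutoRebootWithLoggedOnUsers,,,,0,0,=,Medium` and `NoAutoUpdate,,,,0,0,=,Medium`.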
@@ -64,11 +64,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium
 2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low
 2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low
-2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low
+2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low
 2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low
-2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium
+2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,2,2,=,Medium
 2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium
-2.3.5.1,"Security Options","Domain controller: Allow server operators to schedule tasks (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,SubmitControl,,,,,0,=,Medium
+2.3.5.1,"Security Options","Domain controller: Allow server operators to schedule tasks (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,SubmitControl,,,,0,0,=,Medium
 2.3.5.2,"Security Options","Domain controller: LDAP server signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LDAPServerIntegrity,,,,1,2,=,Medium
 2.3.5.3,"Security Options","Domain controller: Refuse machine account password changes (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,RefusePasswordChange,,,,1,0,=,Medium
 2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium
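Review bot: The new DefaultValue of 2 on row 2.3.4.1 (AllocateDASD) in the `@@ -64,11 +64,11 @@` hunk equals the RecommendedValue, and I am not sure it matches what Windows does when the value is absent. As far as I know an unset AllocateDASD behaves as Administrators only, which is 0 rather than 2, so the default should be checked against Microsoft's security policy reference before merging. This matters if the audit substitutes DefaultValue for a missing registry item (that code is not in this diff), because the row would then record a state the host is not in and report it as a match. If the documented default is 0, the row should end in `AllocateDASD,,,,0,2,=,Medium`. The same check applies to 2.3.2.1, where the default moves from `""` to 1 and now also equals the recommendation.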
@@ -85,7 +85,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.7.6,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",CachedLogonsCount,,,,10,4,<=,Medium
 2.3.7.7.1,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low
 2.3.7.7.2,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low
-2.3.7.8,"Security Options","Interactive logon: Require Domain Controller Authentication to unlock workstation (Member)",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ForceUnlockLogon,,,,,1,=,Medium
+2.3.7.8,"Security Options","Interactive logon: Require Domain Controller Authentication to unlock workstation (Member)",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ForceUnlockLogon,,,,0,1,=,Medium
 2.3.7.9,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Medium
 2.3.8.1,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium
 2.3.8.2,"Security Options","Microsoft network client: Digitally sign communications (if server agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnableSecuritySignature,,,,1,1,=,Medium
@@ -94,7 +94,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.9.2,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium
 2.3.9.3,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium
 2.3.9.4,"Security Options","Microsoft network server: Disconnect clients when logon hours expire",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,enableforcedlogoff,,,,1,1,=,Medium
-2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level (Member)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,,1,>=,Medium
+2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level (Member)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,0,1,>=,Medium
 2.3.10.1,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,Medium
 2.3.10.2,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,Medium
 2.3.10.3,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,Medium
@@ -107,10 +107,10 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.10.10,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium
 2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium
 2.3.10.12,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium
-2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium
+2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,0,1,=,Medium
 2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium
 2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium
-2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium
+2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,<=,Medium
 2.3.11.5,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High
 2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low
 2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium
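Review bot: Row 2.3.11.4 keeps the `<=` operator on `SupportedEncryptionTypes`, which is a bit mask rather than a magnitude, so a numeric comparison does not express the policy. With a recommended value of 2147483640 (0x7FFFFFF8: AES128, AES256 and future types), every smaller number passes, including 4 (RC4 only) and 7 (DES plus RC4), which are the weak types this setting is meant to exclude. Assuming `=` means an exact match as it appears to on the neighbouring rows, `...,SupportedEncryptionTypes,,,,2147483644,2147483640,=,Medium` would be the safer check. AES-only values such as 24 would then fail and need a separate decision.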
@@ -118,7 +118,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium
 2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium
 2.3.13.1,"Security Options","Shutdown: Allow system to be shut down without having to log on",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,ShutdownWithoutLogon,,,,1,0,=,Medium
-2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium
+2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,1,1,=,Medium
 2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium
 2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium
 2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium
@@ -155,16 +155,16 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 9.3.9,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium
 9.3.10,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
 17.1.1,"Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low
-17.1.2,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low
-17.1.3,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low
+17.1.2,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low
+17.1.3,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low
 17.2.1,"Advanced Audit Policy Configuration","Application Group Management",auditpol,{0CCE9239-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low
-17.2.2,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low
+17.2.2,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low
 17.2.3,"Advanced Audit Policy Configuration","Distribution Group Management",auditpol,{0CCE9238-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low
 17.2.4,"Advanced Audit Policy Configuration","Other Account Management Events",auditpol,{0CCE923A-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low
 17.2.5,"Advanced Audit Policy Configuration","Security Group Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low
 17.2.6,"Advanced Audit Policy Configuration","User Account Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low
 17.3.1,"Advanced Audit Policy Configuration","Process Creation",auditpol,{0CCE922B-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low
-17.4.1,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,,Failure,contains,Low
+17.4.1,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low
 17.4.2,"Advanced Audit Policy Configuration","Directory Service Changes",auditpol,{0CCE923C-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low
 17.5.1,"Advanced Audit Policy Configuration","Account Lockout",auditpol,{0CCE9217-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low
 17.5.2,"Advanced Audit Policy Configuration",Logoff,auditpol,{0CCE9216-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low
@@ -189,25 +189,25 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low
 18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low
 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE (Member)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium
-18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium
-18.2.3,"Administrative Templates: LAPS","Enable local admin password management (Member)",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium
-18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium
-18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium
-18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days) (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium
-18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium
-18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
-18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
-18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium
-18.3.5,"MS Security Guide","Extended Protection for LDAP Authentication (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters,LdapEnforceChannelBinding,,,,,2,=,Medium
+18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,0,1,=,Medium
+18.2.3,"Administrative Templates: LAPS","Enable local admin password management (Member)",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium
+18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,4,4,=,Medium
+18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,14,15,>=,Medium
+18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days) (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordAgeDays,,,,30,30,<=,Medium
+18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,0,0,=,Medium
+18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium
+18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium
+18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium
+18.3.5,"MS Security Guide","Extended Protection for LDAP Authentication (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters,LdapEnforceChannelBinding,,,,1,2,=,Medium
 18.3.6,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium
 18.3.7,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High
 18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium
-18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-18.4.4,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium
-18.4.5,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium
+18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium
+18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium
+18.4.4,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium
+18.4.5,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,7200000,300000,<=,Medium
 18.4.6,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
-18.4.7,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium
+18.4.7,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,0,0,=,Medium
 18.4.8,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium
 18.4.9,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium
 18.4.10,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium
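Review bot: Rows 18.2.4 and 18.2.6 now carry a DefaultValue that already satisfies the check (`4,4,=` and `30,30,<=`), so their outcome depends on how the tool treats a registry value that is absent. If it substitutes DefaultValue in that case (that logic is not in this diff), both rows would report as passing on a host where the `AdmPwd` policy key does not exist because LAPS was never deployed. The same reasoning applies to the other rows in this hunk whose default equals the recommendation (18.3.1, 18.3.4, 18.4.7). Since CSV has no comment syntax, the list's documentation should state that 18.2.4 to 18.2.6 are only meaningful when 18.2.1 and 18.2.3 pass, and that a pass on a default-equals-recommended row may mean "not configured" rather than "enforced".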
@@ -235,11 +235,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium
 18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium
 18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium
-18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
+18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium
 18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium
 18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium
 18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium
-18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium
 18.8.14.1,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium
 18.8.21.1,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Medium
 18.8.21.2,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Medium
@@ -277,7 +277,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium
 18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server (Member)",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium
 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium
-18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium
+18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium
 18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium
 18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium
 18.9.8.3,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium
@@ -293,23 +293,23 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.24.6,"Administrative Templates: Windows Components","EMET: System ASLR",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\EMET\SysSettings,ASLR,,,,,3,=,Medium
 18.9.24.7,"Administrative Templates: Windows Components","EMET: System DEP",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\EMET\SysSettings,DEP,,,,,2,=,Medium
 18.9.24.8,"Administrative Templates: Windows Components","EMET: System SEHOP",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\EMET\SysSettings,SEHOP,,,,,2,=,Medium
-18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium
+18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,0,0,=,Medium
 18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium
-18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium
+18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,0,0,=,Medium
 18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium
-18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium
+18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,0,0,=,Medium
 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium
-18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium
+18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,0,0,=,Medium
 18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium
-18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium
-18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium
-18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium
-18.9.39.1.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off Windows Location Provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableWindowsLocationProvider,,,,,1,=,Medium
+18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,0,0,=,Medium
+18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,0,0,=,Medium
+18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,0,0,=,Medium
+18.9.39.1.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off Windows Location Provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableWindowsLocationProvider,,,,0,1,=,Medium
 18.9.39.2,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium
 18.9.52.1,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium
-18.9.52.2,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage on Windows 8.1",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSync,,,,,1,=,Medium
+18.9.52.2,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage on Windows 8.1",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSync,,,,0,1,=,Medium
 18.9.59.2.2,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium
-18.9.59.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Connections: Restrict Remote Desktop Services users to a single Remote Desktop Services session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fSingleSessionPerUser,,,,,1,=,Medium
+18.9.59.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Connections: Restrict Remote Desktop Services users to a single Remote Desktop Services session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fSingleSessionPerUser,,,,1,1,=,Medium
 18.9.59.3.3.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow COM port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCcm,,,,0,1,=,Medium
 18.9.59.3.3.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium
 18.9.59.3.3.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow LPT port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLPT,,,,0,1,=,Medium
@@ -317,28 +317,28 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.59.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium 18.9.59.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium 18.9.59.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium -18.9.59.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +18.9.59.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,0,1,=,Medium 18.9.59.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium -18.9.59.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal 
Services",MaxIdleTime,,,,,900000,<=,Medium -18.9.59.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium -18.9.59.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium -18.9.59.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,1,=,Medium -18.9.60.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +18.9.59.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,0,900000,<=,Medium +18.9.59.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,0,60000,=,Medium +18.9.59.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,1,1,=,Medium +18.9.59.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not 
use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,1,1,=,Medium +18.9.60.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium 18.9.61.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium 18.9.61.3,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium -18.9.66.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium +18.9.66.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,0,1,=,Medium 18.9.77.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium -18.9.77.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium +18.9.77.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,0,=|0,Medium 18.9.77.7.1,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring 
(Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium -18.9.77.9.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium -18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium -18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium +18.9.77.9.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,0,1,=,Medium +18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium +18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,1,0,=,Medium 18.9.77.13.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium 18.9.77.14,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium 18.9.80.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium 18.9.80.1.1.2,"Administrative Templates: Windows Components","File 
Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium -18.9.81.2.1,"Administrative Templates: Windows Components","Windows Error Reporting: Consent: Configure Default consent",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent",DefaultConsent,,,,,3,=,Medium -18.9.81.3,"Administrative Templates: Windows Components","Windows Error Reporting: Automatically send memory dumps for OS-generated error reports",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting",AutoApproveOSDumps,,,,,0,=,Medium +18.9.81.2.1,"Administrative Templates: Windows Components","Windows Error Reporting: Consent: Configure Default consent",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent",DefaultConsent,,,,0,3,=,Medium +18.9.81.3,"Administrative Templates: Windows Components","Windows Error Reporting: Automatically send memory dumps for OS-generated error reports",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting",AutoApproveOSDumps,,,,1,0,=,Medium 18.9.85.1,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium 18.9.85.2,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium 18.9.85.3,"Administrative Templates: Windows Components","Windows Installer: Prevent Internet Explorer security prompt for Windows Installer scripts",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,SafeForScripting,,,,1,0,=,Medium 
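Review bot: On the 18.9.59.3.10.1 row the new default of `0` satisfies the row's own `<=` test against 900000, although 0 for MaxIdleTime means the idle session is never ended. If the default column is what the audit falls back to when the registry value is absent (the engine is outside this hunk), an unconfigured host would be reported as compliant, and an explicitly configured 0 passes either way. Assuming this version of the module supports the `<=!0` operator, the row tail should read `MaxIdleTime,,,,0,900000,<=!0,Medium`.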
@@ -349,10 +349,10 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.97.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium 18.9.97.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium 18.9.97.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium -18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium +18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium 18.9.97.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium 18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium 18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium -18.9.102.1,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic 
Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.102.1,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,0,0,>=,Medium 18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,0,0,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_server_2016_1607_1.2.0_machine.csv b/lists/finding_list_cis_microsoft_windows_server_2016_1607_1.2.0_machine.csv index 3e501eb..301c83e 100644 --- a/lists/finding_list_cis_microsoft_windows_server_2016_1607_1.2.0_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_server_2016_1607_1.2.0_machine.csv 
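Review bot: The 18.9.102.1 and 18.9.102.3 rows keep the `>=` operator with a recommended value of `0`, so, if `>=` is evaluated as a numeric comparison, every non-negative value passes, including `NoAutoUpdate = 1`, which turns automatic updates off. With the default now also 0, these two checks cannot fail on any host. An exact match looks like the intent: `NoAutoUpdate,,,,0,0,=,Medium` and `NoAutoRebootWithLoggedOnUsers,,,,0,0,=,Medium`.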
@@ -64,11 +64,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium 2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low 2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low -2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low 2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low -2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,2,2,=,Medium 2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium -2.3.5.1,"Security Options","Domain controller: Allow server operators to schedule tasks (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,SubmitControl,,,,,0,=,Medium +2.3.5.1,"Security Options","Domain controller: Allow server operators to schedule tasks 
(DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,SubmitControl,,,,0,0,=,Medium 2.3.5.2,"Security Options","Domain controller: LDAP server signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LDAPServerIntegrity,,,,1,2,=,Medium 2.3.5.3,"Security Options","Domain controller: Refuse machine account password changes (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,RefusePasswordChange,,,,1,0,=,Medium 2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium 
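Review bot: The 2.3.4.1 row now gives AllocateDASD a default of `2`, identical to the recommended value, so a server where the value is absent would pass if the default column is used as the fallback result. Microsoft's policy documentation describes the unconfigured behaviour on servers as Administrators only, which corresponds to `0`, while `2` also grants the right to interactive users; that would make the tail `AllocateDASD,,,,0,2,=,Medium`. Both the default and the recommended value on this row are worth confirming against the benchmark text for this list.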
@@ -85,7 +85,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.7.6,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",CachedLogonsCount,,,,10,4,<=,Medium 2.3.7.7.1,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low 2.3.7.7.2,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low -2.3.7.8,"Security Options","Interactive logon: Require Domain Controller Authentication to unlock workstation (Member)",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ForceUnlockLogon,,,,,1,=,Medium +2.3.7.8,"Security Options","Interactive logon: Require Domain Controller Authentication to unlock workstation (Member)",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ForceUnlockLogon,,,,0,1,=,Medium 2.3.7.9,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Medium 2.3.8.1,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium 2.3.8.2,"Security Options","Microsoft network client: Digitally sign communications (if server agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnableSecuritySignature,,,,1,1,=,Medium 
@@ -94,7 +94,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.9.2,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium 2.3.9.3,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium 2.3.9.4,"Security Options","Microsoft network server: Disconnect clients when logon hours expire",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,enableforcedlogoff,,,,1,1,=,Medium -2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level (Member)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,,1,>=,Medium +2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level (Member)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,0,1,>=,Medium 2.3.10.1,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,Medium 2.3.10.2,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,Medium 2.3.10.3,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,Medium 
@@ -108,10 +108,10 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.10.11,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium 2.3.10.12,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium 2.3.10.13,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium -2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,0,1,=,Medium 2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium 2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium -2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,<=,Medium 2.3.11.5,"Security Options","Network security: Do 
not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High 2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low 2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium 
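Review bot: The 2.3.11.4 row tests SupportedEncryptionTypes, a bit mask, with `<=` against 2147483640, so small values that set only the legacy DES or RC4 bits (1 through 7) would pass if `<=` is evaluated numerically. The new default of 2147483644 differs from the recommended value only by the RC4 bit and does fail the test, but the operator still does not express "no weak types enabled". Unless the engine has a bit-mask operator, an exact match is the safer check: `SupportedEncryptionTypes,,,,2147483644,2147483640,=,Medium`.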
@@ -119,7 +119,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium 2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium 2.3.13.1,"Security Options","Shutdown: Allow system to be shut down without having to log on",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,ShutdownWithoutLogon,,,,1,0,=,Medium -2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium +2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,1,1,=,Medium 2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium 2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium 2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium 
@@ -156,17 +156,17 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 9.3.9,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium 9.3.10,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low 17.1.1,"Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low -17.1.2,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low -17.1.3,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low +17.1.2,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low +17.1.3,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low 17.2.1,"Advanced Audit Policy Configuration","Application Group Management",auditpol,{0CCE9239-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low -17.2.2,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low +17.2.2,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low 17.2.3,"Advanced Audit Policy Configuration","Distribution Group Management",auditpol,{0CCE9238-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low 17.2.4,"Advanced Audit Policy 
Configuration","Other Account Management Events",auditpol,{0CCE923A-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low 17.2.5,"Advanced Audit Policy Configuration","Security Group Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low 17.2.6,"Advanced Audit Policy Configuration","User Account Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low 17.3.1,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,{0cce9248-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low 17.3.2,"Advanced Audit Policy Configuration","Process Creation",auditpol,{0CCE922B-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low -17.4.1,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,,Failure,contains,Low +17.4.1,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low 17.4.2,"Advanced Audit Policy Configuration","Directory Service Changes",auditpol,{0CCE923C-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low 17.5.1,"Advanced Audit Policy Configuration","Account Lockout",auditpol,{0CCE9217-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low 17.5.2,"Advanced Audit Policy Configuration","Group Membership",auditpol,{0cce9249-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low 
@@ -194,24 +194,24 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE (Member)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium -18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium -18.2.3,"Administrative Templates: LAPS","Enable local admin password management (Member)",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium -18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium -18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium -18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days) (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium -18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium -18.3.2,"MS Security 
Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium -18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium -18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,0,1,=,Medium +18.2.3,"Administrative Templates: LAPS","Enable local admin password management (Member)",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium +18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,4,4,=,Medium +18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,14,15,>=,Medium +18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days) (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordAgeDays,,,,30,30,<=,Medium +18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,0,0,=,Medium +18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium +18.3.4,"MS Security 
Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium 18.3.6,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium 18.3.7,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High 18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium -18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -18.4.4,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium -18.4.5,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium +18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium +18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet 
spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium +18.4.4,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium +18.4.5,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,7200000,300000,<=,Medium 18.4.6,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium -18.4.7,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium +18.4.7,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,0,0,=,Medium 18.4.8,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium 18.4.9,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium 18.4.10,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium 
@@ -242,11 +242,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium
 18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium
 18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium
-18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
+18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium
 18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium
 18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium
 18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium
-18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium
 18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
 18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium
 18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
@@ -299,7 +299,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium
 18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server (Member)",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium
 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium
-18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium
+18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium
 18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium
 18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium
 18.9.8.3,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium
@@ -314,23 +314,23 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium
 18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium
 18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium
-18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium
+18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,0,0,=,Medium
 18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium
-18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium
+18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,0,0,=,Medium
 18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium
-18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium
+18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,0,0,=,Medium
 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium
-18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium
+18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,0,0,=,Medium
 18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium
-18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium
-18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium
-18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium
+18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,0,0,=,Medium
+18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,0,0,=,Medium
+18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,0,0,=,Medium
 18.9.39.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium
 18.9.43.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium
 18.9.44.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium
 18.9.52.1,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium
 18.9.59.2.2,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium
-18.9.59.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Connections: Restrict Remote Desktop Services users to a single Remote Desktop Services session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fSingleSessionPerUser,,,,,1,=,Medium
+18.9.59.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Connections: Restrict Remote Desktop Services users to a single Remote Desktop Services session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fSingleSessionPerUser,,,,1,1,=,Medium
 18.9.59.3.3.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow COM port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCcm,,,,0,1,=,Medium
 18.9.59.3.3.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium
 18.9.59.3.3.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow LPT port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLPT,,,,0,1,=,Medium
@@ -338,22 +338,22 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.59.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium
 18.9.59.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium
 18.9.59.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium
-18.9.59.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium
+18.9.59.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,0,1,=,Medium
 18.9.59.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium
-18.9.59.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,,900000,<=,Medium
-18.9.59.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium
-18.9.59.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium
-18.9.59.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,1,=,Medium
-18.9.60.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
+18.9.59.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,0,900000,<=,Medium
+18.9.59.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,0,60000,=,Medium
+18.9.59.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,1,1,=,Medium
+18.9.59.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,1,1,=,Medium
+18.9.60.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium
 18.9.61.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium
 18.9.61.3,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
-18.9.66.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium
+18.9.66.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,0,1,=,Medium
 18.9.77.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium
-18.9.77.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium
+18.9.77.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,0,=|0,Medium
 18.9.77.7.1,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium
-18.9.77.9.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium
-18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium
-18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium
+18.9.77.9.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,0,1,=,Medium
+18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium
+18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,1,0,=,Medium
 18.9.77.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium
 18.9.77.15,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium
 18.9.80.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium
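Review bot: On row 18.9.59.3.10.1 the new DefaultValue 0 is compared with `<=` against 900000, so a host with no MaxIdleTime policy now evaluates as 0 <= 900000 and passes, although 0 for this setting means idle sessions are never ended. This assumes DefaultValue is what the check falls back to when the registry value is absent, which is how the column reads. The operator should exclude zero; if this version of the list format has the not-zero variant of the comparison, the row tail becomes `MaxIdleTime,,,,0,900000,<=!0,Medium`. Row 18.9.59.3.10.2 is not affected because it uses `=`.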
@@ -370,7 +370,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.97.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium
 18.9.97.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium
 18.9.97.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium
-18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
+18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
 18.9.97.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium
 18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium
 18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium
@@ -382,6 +382,6 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium
 18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium
 18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium
-18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium
+18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,0,0,>=,Medium
 18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium
-18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium
+18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,0,0,>=,Medium
diff --git a/lists/finding_list_cis_microsoft_windows_server_2016_1607_1.3.0_machine.csv b/lists/finding_list_cis_microsoft_windows_server_2016_1607_1.3.0_machine.csv
index c1e6352..0d49cd4 100644
--- a/lists/finding_list_cis_microsoft_windows_server_2016_1607_1.3.0_machine.csv
+++ b/lists/finding_list_cis_microsoft_windows_server_2016_1607_1.3.0_machine.csv
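Review bot: Rows 18.9.102.2 and 18.9.102.4 in the Windows Update hunk just above keep the `>=` operator with a recommended value of 0, so every non-negative value passes, including NoAutoUpdate = 1, which switches automatic updates off. Filling in DefaultValue 0 does not change that; the operator looks copied from the deferral-period rows next to them, where a minimum makes sense. For these two on/off values an exact match is the check that carries meaning: `NoAutoUpdate,,,,0,0,=,Medium` and `NoAutoRebootWithLoggedOnUsers,,,,0,0,=,Medium`.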
@@ -64,11 +64,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium
 2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low
 2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low
-2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low
+2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low
 2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low
-2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium
+2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,2,2,=,Medium
 2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium
-2.3.5.1,"Security Options","Domain controller: Allow server operators to schedule tasks (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,SubmitControl,,,,,0,=,Medium
+2.3.5.1,"Security Options","Domain controller: Allow server operators to schedule tasks (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,SubmitControl,,,,0,0,=,Medium
 2.3.5.2,"Security Options","Domain controller: Allow vulnerable Netlogon secure channel connections",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,VulnerableChannelAllowList,,,,,,=,Medium
 2.3.5.3,"Security Options","Domain controller: LDAP server channel binding token requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LdapEnforceChannelBinding,,,,1,2,=,Medium
 2.3.5.4,"Security Options","Domain controller: LDAP server signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LDAPServerIntegrity,,,,1,2,=,Medium
@@ -87,7 +87,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.7.6,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",CachedLogonsCount,,,,10,4,<=,Medium
 2.3.7.7.1,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low
 2.3.7.7.2,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low
-2.3.7.8,"Security Options","Interactive logon: Require Domain Controller Authentication to unlock workstation (Member)",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ForceUnlockLogon,,,,,1,=,Medium
+2.3.7.8,"Security Options","Interactive logon: Require Domain Controller Authentication to unlock workstation (Member)",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ForceUnlockLogon,,,,0,1,=,Medium
 2.3.7.9,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Medium
 2.3.8.1,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium
 2.3.8.2,"Security Options","Microsoft network client: Digitally sign communications (if server agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnableSecuritySignature,,,,1,1,=,Medium
@@ -96,7 +96,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.9.2,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium
 2.3.9.3,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium
 2.3.9.4,"Security Options","Microsoft network server: Disconnect clients when logon hours expire",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,enableforcedlogoff,,,,1,1,=,Medium
-2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level (Member)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,,1,>=,Medium
+2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level (Member)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,0,1,>=,Medium
 2.3.10.1,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,Medium
 2.3.10.2,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,Medium
 2.3.10.3,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,Medium
@@ -110,10 +110,10 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.10.11,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium 2.3.10.12,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium 2.3.10.13,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium -2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,0,1,=,Medium 2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium 2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium -2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,<=,Medium 2.3.11.5,"Security Options","Network security: Do 
not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High 2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low 2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium 
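Review bot: The 2.3.11.4 row keeps the `<=` operator on `SupportedEncryptionTypes`, but that value is a bit mask, so an ordered comparison does not express the recommendation. If the audit compares the two numbers as integers (the evaluation code is not part of this diff), a setting such as 4 or 7, which permits only RC4 and DES, is below 2147483640 and would be reported as passed. The default added here, 2147483644, differs from the recommended value only by the RC4 bit, which is exactly the kind of difference `<=` cannot see in the other direction. Consider an exact match, `SupportedEncryptionTypes,,,,2147483644,2147483640,=,Medium`, or document which lower values are meant to pass.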
@@ -121,7 +121,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium
 2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium
 2.3.13.1,"Security Options","Shutdown: Allow system to be shut down without having to log on",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,ShutdownWithoutLogon,,,,1,0,=,Medium
-2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium
+2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,1,1,=,Medium
 2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium
 2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium
 2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium
@@ -158,17 +158,17 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 9.3.9,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium 9.3.10,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low 17.1.1,"Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low -17.1.2,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low -17.1.3,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low +17.1.2,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low +17.1.3,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low 17.2.1,"Advanced Audit Policy Configuration","Application Group Management",auditpol,{0CCE9239-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low -17.2.2,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low +17.2.2,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low 17.2.3,"Advanced Audit Policy Configuration","Distribution Group Management",auditpol,{0CCE9238-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low 17.2.4,"Advanced Audit Policy 
Configuration","Other Account Management Events",auditpol,{0CCE923A-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low 17.2.5,"Advanced Audit Policy Configuration","Security Group Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low 17.2.6,"Advanced Audit Policy Configuration","User Account Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low 17.3.1,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,{0cce9248-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low 17.3.2,"Advanced Audit Policy Configuration","Process Creation",auditpol,{0CCE922B-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low -17.4.1,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,,Failure,contains,Low +17.4.1,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low 17.4.2,"Advanced Audit Policy Configuration","Directory Service Changes",auditpol,{0CCE923C-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low 17.5.1,"Advanced Audit Policy Configuration","Account Lockout",auditpol,{0CCE9217-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low 17.5.2,"Advanced Audit Policy Configuration","Group Membership",auditpol,{0cce9249-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low 
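Review bot: Rows 17.2.3, 17.2.4 and 17.4.2 in this hunk still have an empty DefaultValue, while their neighbours 17.2.2 and 17.4.1 now get `Success`, so the audit-policy block stays inconsistent after the change. How an empty default is handled is not visible in this diff, but a report that shows a default for one subcategory and nothing for the next is hard to read and easy to misjudge. Either fill these rows in the same commit or say in the commit message that they were left blank on purpose. The same applies to untouched rows in later hunks, such as 18.8.5.1 to 18.8.5.3 and 18.9.44.1.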
@@ -196,24 +196,24 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE (Member)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium -18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium -18.2.3,"Administrative Templates: LAPS","Enable local admin password management (Member)",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium -18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium -18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium -18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days) (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium -18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium -18.3.2,"MS Security 
Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium -18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium -18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,0,1,=,Medium +18.2.3,"Administrative Templates: LAPS","Enable local admin password management (Member)",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium +18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,4,4,=,Medium +18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,14,15,>=,Medium +18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days) (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordAgeDays,,,,30,30,<=,Medium +18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,0,0,=,Medium +18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium +18.3.4,"MS Security 
Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium 18.3.6,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium 18.3.7,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High 18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium -18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -18.4.4,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium -18.4.5,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium +18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium +18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet 
spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium +18.4.4,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium +18.4.5,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,7200000,300000,<=,Medium 18.4.6,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium -18.4.7,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium +18.4.7,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,0,0,=,Medium 18.4.8,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium 18.4.9,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium 18.4.10,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium 
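Review bot: For 18.2.4 and 18.2.6 the new DefaultValue equals the RecommendedValue (`4,4,=` and `30,30,<=`), which presumably describes a host where the LAPS client-side extension is installed. If the audit falls back to DefaultValue when the `AdmPwd` policy key is absent (the evaluation code is not in this diff), a machine without LAPS would pass both password-settings checks although no local administrator password is being managed. Rows 18.2.1 and 18.2.3 would still fail in that case, so either leave the defaults on 18.2.4 and 18.2.6 empty or document that these two rows are meaningful only when 18.2.1 and 18.2.3 pass.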
@@ -244,11 +244,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium 18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium 18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium -18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium +18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium 18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium 18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium 18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle 
Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium -18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium 18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium 18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium 18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium 
@@ -299,7 +299,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium
 18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server (Member)",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium
 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium
-18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium
+18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium
 18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium
 18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium
 18.9.8.3,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium
@@ -313,36 +313,36 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium 18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium 18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium -18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium +18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,0,0,=,Medium 18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium +18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control 
Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,0,0,=,Medium 18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium +18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,0,0,=,Medium 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium -18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium +18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,0,0,=,Medium 18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium -18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for 
Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium -18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium -18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium +18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,0,0,=,Medium +18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,0,0,=,Medium +18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,0,0,=,Medium 18.9.39.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium 18.9.43.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium 18.9.44.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium 18.9.45.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft 
MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium -18.9.45.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium +18.9.45.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,0,=|0,Medium 18.9.45.4.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium 18.9.45.5.1,"Microsoft Defender Antivirus","MpEngine: Enable file hash computation feature",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine",EnableFileHashComputation,,,,,1,=,Medium 18.9.45.8.1,"Microsoft Defender Antivirus","Real-time Protection: Scan all downloaded files and attachments",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableIOAVProtection,,,,0,0,=,Medium 18.9.45.8.2,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium 18.9.45.8.3,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium -18.9.45.10.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium -18.9.45.11.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows 
Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium -18.9.45.11.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium +18.9.45.10.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,0,1,=,Medium +18.9.45.11.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium +18.9.45.11.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,1,0,=,Medium 18.9.45.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium 18.9.45.15,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium 18.9.56.1,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium 18.9.62.1,"Administrative Templates: Windows Components","Push To Install: Turn off Push To Install service",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall,DisablePushToInstall,,,,,1,=,Medium 18.9.63.2.2,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium -18.9.63.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Connections: Restrict Remote Desktop Services users to a single 
Remote Desktop Services session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fSingleSessionPerUser,,,,,1,=,Medium +18.9.63.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Connections: Restrict Remote Desktop Services users to a single Remote Desktop Services session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fSingleSessionPerUser,,,,1,1,=,Medium 18.9.63.3.3.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow COM port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCcm,,,,0,1,=,Medium 18.9.63.3.3.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium 18.9.63.3.3.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow LPT port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLPT,,,,0,1,=,Medium 
@@ -350,16 +350,16 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.63.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium 18.9.63.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium 18.9.63.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium -18.9.63.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +18.9.63.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,0,1,=,Medium 18.9.63.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium -18.9.63.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal 
Services",MaxIdleTime,,,,,900000,<=!0,Medium -18.9.63.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium -18.9.63.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium -18.9.63.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,1,=,Medium -18.9.64.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +18.9.63.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,0,900000,<=!0,Medium +18.9.63.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,0,60000,=,Medium +18.9.63.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,1,1,=,Medium +18.9.63.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do 
not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,1,1,=,Medium +18.9.64.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium 18.9.65.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium 18.9.65.3,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium -18.9.70.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium +18.9.70.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,0,1,=,Medium 18.9.81.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium 18.9.81.1.1.2,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium 18.9.85.1,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow suggested apps in Windows Ink 
Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowSuggestedAppsInWindowsInkWorkspace,,,,1,0,=,Medium @@ -374,7 +374,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.98.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium 18.9.98.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium 18.9.98.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium -18.9.98.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium +18.9.98.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium 18.9.98.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium 18.9.98.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium 18.9.99.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium 
@@ -386,6 +386,6 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.103.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium 18.9.103.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium 18.9.103.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium -18.9.103.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.103.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,0,0,>=,Medium 18.9.103.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -18.9.103.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates 
installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.103.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,0,0,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.1.0_machine.csv b/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.1.0_machine.csv index ef8ca79..32dc78c 100644 --- a/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.1.0_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.1.0_machine.csv 
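Review bot: The `>=` operator on the `NoAutoUpdate` row (18.9.103.2) and on `NoAutoRebootWithLoggedOnUsers` (18.9.103.4) accepts any value at or above 0. Assuming `>=` is evaluated numerically against RecommendedValue, a host with `NoAutoUpdate` set to 1 (automatic updates turned off) would still pass. Both are on/off values rather than thresholds, so the two rows touched here could end `NoAutoUpdate,,,,0,0,=,Medium` and `NoAutoRebootWithLoggedOnUsers,,,,0,0,=,Medium`. The unchanged `ScheduledInstallDay` row in the same hunk uses the same operator and is worth checking too.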
@@ -64,11 +64,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium 2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low 2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low -2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low 2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low -2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,2,2,=,Medium 2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium -2.3.5.1,"Security Options","Domain controller: Allow server operators to schedule tasks (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,SubmitControl,,,,,0,=,Medium +2.3.5.1,"Security Options","Domain controller: Allow server operators to schedule tasks 
(DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,SubmitControl,,,,0,0,=,Medium 2.3.5.2,"Security Options","Domain controller: LDAP server signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LDAPServerIntegrity,,,,1,2,=,Medium 2.3.5.3,"Security Options","Domain controller: Refuse machine account password changes (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,RefusePasswordChange,,,,1,0,=,Medium 2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium 
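Review bot: On the `AllocateDASD` row (2.3.4.1) DefaultValue and RecommendedValue are now both 2, which for this setting means Administrators and Interactive Users. That is the workstation recommendation; as far as I recall the server benchmarks ask for Administrators only (value 0), and Windows behaves as Administrators-only when the value is not defined. Please check this row against the Server 2019 benchmark text. If that reading is right the row would end `AllocateDASD,,,,0,0,=,Medium`; with 2/2, an unset value and an explicitly loosened one both pass.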
@@ -85,7 +85,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.7.6,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",CachedLogonsCount,,,,10,4,<=,Medium
 2.3.7.7.1,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low
 2.3.7.7.2,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low
-2.3.7.8,"Security Options","Interactive logon: Require Domain Controller Authentication to unlock workstation (Member)",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ForceUnlockLogon,,,,,1,=,Medium
+2.3.7.8,"Security Options","Interactive logon: Require Domain Controller Authentication to unlock workstation (Member)",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ForceUnlockLogon,,,,0,1,=,Medium
 2.3.7.9,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Medium
 2.3.8.1,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium
 2.3.8.2,"Security Options","Microsoft network client: Digitally sign communications (if server agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnableSecuritySignature,,,,1,1,=,Medium
@@ -94,7 +94,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.9.2,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium
 2.3.9.3,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium
 2.3.9.4,"Security Options","Microsoft network server: Disconnect clients when logon hours expire",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,enableforcedlogoff,,,,1,1,=,Medium
-2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level (Member)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,,1,>=,Medium
+2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level (Member)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,0,1,>=,Medium
 2.3.10.1,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,Medium
 2.3.10.2,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,Medium
 2.3.10.3,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,Medium
@@ -108,10 +108,10 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.10.11,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium 2.3.10.12,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium 2.3.10.13,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium -2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,0,1,=,Medium 2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium 2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium -2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,<=,Medium 2.3.11.5,"Security Options","Network security: Do 
not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High 2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low 2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium 
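Review bot: `SupportedEncryptionTypes` (2.3.11.4) is a bit mask, but the changed row keeps the `<=` operator. Assuming that operator is a numeric comparison, any smaller number passes, including masks that enable only DES or RC4 (for example 4 or 7). The recommended 2147483640 is AES128, AES256 and future types, and the new default 2147483644 differs from it only by the RC4 bit, which shows how little numeric ordering means for this value. An exact match, `SupportedEncryptionTypes,,,,2147483644,2147483640,=,Medium`, would reject the weak-cipher masks.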
@@ -119,7 +119,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium
 2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium
 2.3.13.1,"Security Options","Shutdown: Allow system to be shut down without having to log on",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,ShutdownWithoutLogon,,,,1,0,=,Medium
-2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium
+2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,1,1,=,Medium
 2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium
 2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium
 2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium
@@ -156,17 +156,17 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 9.3.9,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium 9.3.10,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low 17.1.1,"Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low -17.1.2,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low -17.1.3,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low +17.1.2,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low +17.1.3,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low 17.2.1,"Advanced Audit Policy Configuration","Application Group Management",auditpol,{0CCE9239-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low -17.2.2,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low +17.2.2,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low 17.2.3,"Advanced Audit Policy Configuration","Distribution Group Management",auditpol,{0CCE9238-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low 17.2.4,"Advanced Audit Policy 
Configuration","Other Account Management Events",auditpol,{0CCE923A-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low 17.2.5,"Advanced Audit Policy Configuration","Security Group Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low 17.2.6,"Advanced Audit Policy Configuration","User Account Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low 17.3.1,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,{0cce9248-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low 17.3.2,"Advanced Audit Policy Configuration","Process Creation",auditpol,{0CCE922B-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low -17.4.1,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,,Failure,contains,Low +17.4.1,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low 17.4.2,"Advanced Audit Policy Configuration","Directory Service Changes",auditpol,{0CCE923C-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low 17.5.1,"Advanced Audit Policy Configuration","Account Lockout",auditpol,{0CCE9217-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low 17.5.2,"Advanced Audit Policy Configuration","Group Membership",auditpol,{0cce9249-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low 
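Review bot: The DefaultValue column is filled for 17.1.2, 17.1.3, 17.2.2 and 17.4.1, but the neighbouring auditpol rows 17.2.3, 17.2.4 and 17.4.2 still have an empty default, so the list is only partly consistent after this change. The same gap remains on rows such as 2.3.11.3 and 18.8.5.1 to 18.8.5.3 in other hunks of this file. If the empty cells are intentional, a sentence in the commit description saying why would help; otherwise they should be filled in the same pass.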
@@ -194,25 +194,25 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE (Member)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium -18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium -18.2.3,"Administrative Templates: LAPS","Enable local admin password management (Member)",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium -18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium -18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium -18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days) (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium -18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium -18.3.2,"MS Security 
Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium -18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium -18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium -18.3.5,"MS Security Guide","Extended Protection for LDAP Authentication (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters,LdapEnforceChannelBinding,,,,,2,=,Medium +18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,0,1,=,Medium +18.2.3,"Administrative Templates: LAPS","Enable local admin password management (Member)",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium +18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,4,4,=,Medium +18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,14,15,>=,Medium +18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days) (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordAgeDays,,,,30,30,<=,Medium +18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,0,0,=,Medium +18.3.2,"MS Security Guide","Configure SMB v1 client 
driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium +18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium +18.3.5,"MS Security Guide","Extended Protection for LDAP Authentication (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters,LdapEnforceChannelBinding,,,,1,2,=,Medium 18.3.6,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium 18.3.7,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High 18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium -18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -18.4.4,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium -18.4.5,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in 
milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium +18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium +18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium +18.4.4,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium +18.4.5,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,7200000,300000,<=,Medium 18.4.6,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium -18.4.7,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium +18.4.7,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,0,0,=,Medium 18.4.8,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium 18.4.9,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before 
the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium 18.4.10,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium 
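Review bot: The LAPS rows 18.2.4 and 18.2.6 now carry a DefaultValue equal to the RecommendedValue (`PasswordComplexity` 4/4, `PasswordAgeDays` 30/30). If the audit falls back to DefaultValue when a registry value is missing, a member server with no LAPS policy at all would pass both checks, and only 18.2.1 and 18.2.3 would show that LAPS is absent. Those defaults describe LAPS once it is enabled, so either leave these two defaults empty or document that 18.2.4 to 18.2.6 are only meaningful when 18.2.3 passes.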
@@ -243,11 +243,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium 18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium 18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium -18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium +18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium 18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium 18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium 18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle 
Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium -18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium 18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium 18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium 18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium 
@@ -301,7 +301,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium 18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server (Member)",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium -18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium +18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium 18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium 18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium 18.9.8.3,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium 
@@ -315,23 +315,23 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium 18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium 18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium -18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium +18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,0,0,=,Medium 18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium -18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium +18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control 
Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,0,0,=,Medium 18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium -18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium +18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,0,0,=,Medium 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium -18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium +18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,0,0,=,Medium 18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium -18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for 
Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium -18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium -18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium +18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,0,0,=,Medium +18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,0,0,=,Medium +18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,0,0,=,Medium 18.9.39.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium 18.9.43.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium 18.9.44.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium 18.9.52.1,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file 
storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium 18.9.59.2.2,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium -18.9.59.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Connections: Restrict Remote Desktop Services users to a single Remote Desktop Services session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fSingleSessionPerUser,,,,,1,=,Medium +18.9.59.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Connections: Restrict Remote Desktop Services users to a single Remote Desktop Services session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fSingleSessionPerUser,,,,1,1,=,Medium 18.9.59.3.3.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow COM port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCcm,,,,0,1,=,Medium 18.9.59.3.3.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium 18.9.59.3.3.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow LPT port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLPT,,,,0,1,=,Medium 
@@ -339,22 +339,22 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.59.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium 18.9.59.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium 18.9.59.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium -18.9.59.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +18.9.59.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,0,1,=,Medium 18.9.59.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium -18.9.59.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal 
Services",MaxIdleTime,,,,,900000,<=,Medium -18.9.59.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium -18.9.59.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium -18.9.59.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,1,=,Medium -18.9.60.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +18.9.59.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,0,900000,<=,Medium +18.9.59.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,0,60000,=,Medium +18.9.59.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,1,1,=,Medium +18.9.59.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not 
use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,1,1,=,Medium +18.9.60.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium 18.9.61.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium 18.9.61.3,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium -18.9.66.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium +18.9.66.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,0,1,=,Medium 18.9.77.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium -18.9.77.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium +18.9.77.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,0,=|0,Medium 18.9.77.7.1,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring 
(Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium -18.9.77.9.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium -18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium -18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium +18.9.77.9.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,0,1,=,Medium +18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium +18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,1,0,=,Medium 18.9.77.13.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 18.9.77.13.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium 18.9.77.13.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 
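Review bot: Row 18.9.59.3.10.1 (MaxIdleTime) now carries DefaultValue 0 while keeping operator `<=` against 900000, so a host where the policy is not configured would be reported as compliant. This assumes the DefaultValue stands in for a missing registry value and that `<=` is a plain numeric comparison; the evaluation code is not part of this diff. For this setting 0 means no idle limit at all, which is the opposite of what the check is meant to confirm. Either leave the default empty for this row or use an operator that rejects 0. I believe HardeningKitty offers `<=!0` for this case; if it is available in this version, the row should end in `0,900000,<=!0,Medium`.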
@@ -395,7 +395,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.97.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium 18.9.97.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium 18.9.97.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium -18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium +18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium 18.9.97.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium 18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium 18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium 
@@ -407,6 +407,6 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium 18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium 18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium -18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,0,0,>=,Medium 18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates 
installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,0,0,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.1_machine.csv b/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.1_machine.csv index afadebf..2307e33 100644 --- a/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.1_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.1_machine.csv 
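Review bot: Rows 18.9.102.2 (NoAutoUpdate) and 18.9.102.4 (NoAutoRebootWithLoggedOnUsers) keep operator `>=` with RecommendedValue 0, so any non-negative value passes, including 1, which for NoAutoUpdate means automatic updates are switched off. The added DefaultValue 0 is reasonable, but the comparison should be an equality, so both rows should end in `0,0,=,Medium`. This assumes `>=` is evaluated as measured value >= recommended value; the evaluation code is not part of this diff. The context row 18.9.102.3 (ScheduledInstallDay) uses the same `>=` against 0 and deserves the same look.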
@@ -64,11 +64,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium 2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low 2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low -2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low 2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low -2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,2,2,=,Medium 2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium -2.3.5.1,"Security Options","Domain controller: Allow server operators to schedule tasks (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,SubmitControl,,,,,0,=,Medium +2.3.5.1,"Security Options","Domain controller: Allow server operators to schedule tasks 
(DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,SubmitControl,,,,0,0,=,Medium 2.3.5.2,"Security Options","Domain controller: Allow vulnerable Netlogon secure channel connections",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,VulnerableChannelAllowList,,,,,,=,Medium 2.3.5.3,"Security Options","Domain controller: LDAP server channel binding token requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LdapEnforceChannelBinding,,,,1,2,=,Medium 2.3.5.4,"Security Options","Domain controller: LDAP server signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LDAPServerIntegrity,,,,1,2,=,Medium 
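Review bot: Row 2.3.4.1 (AllocateDASD) now has DefaultValue 2 equal to RecommendedValue 2, so a host without the value is reported as compliant with "2". Microsoft documents the unconfigured behaviour as Administrators only, which corresponds to 0. The result is a pass either way, but the reported value would not match the effective setting. Separately, and to be confirmed against the CIS text for this server benchmark, I believe the recommendation there is Administrators (0) rather than Administrators and Interactive Users (2); if so the row should end in `0,0,=,Medium`.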
@@ -87,7 +87,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.7.6,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",CachedLogonsCount,,,,10,4,<=,Medium 2.3.7.7.1,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low 2.3.7.7.2,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low -2.3.7.8,"Security Options","Interactive logon: Require Domain Controller Authentication to unlock workstation (Member)",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ForceUnlockLogon,,,,,1,=,Medium +2.3.7.8,"Security Options","Interactive logon: Require Domain Controller Authentication to unlock workstation (Member)",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ForceUnlockLogon,,,,0,1,=,Medium 2.3.7.9,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Medium 2.3.8.1,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium 2.3.8.2,"Security Options","Microsoft network client: Digitally sign communications (if server agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnableSecuritySignature,,,,1,1,=,Medium 
@@ -96,7 +96,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.9.2,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium 2.3.9.3,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium 2.3.9.4,"Security Options","Microsoft network server: Disconnect clients when logon hours expire",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,enableforcedlogoff,,,,1,1,=,Medium -2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level (Member)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,,1,>=,Medium +2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level (Member)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,0,1,>=,Medium 2.3.10.1,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,Medium 2.3.10.2,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,Medium 2.3.10.3,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,Medium 
@@ -110,10 +110,10 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.10.11,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium
 2.3.10.12,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium
 2.3.10.13,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium
-2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium
+2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,0,1,=,Medium
 2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium
 2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium
-2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium
+2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,<=,Medium
 2.3.11.5,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High
 2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low
 2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium
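Review bot: The 2.3.11.4 row checks `SupportedEncryptionTypes` with the `<=` operator, but the value is a bit mask, so a magnitude comparison does not express "AES or stronger only". With a RecommendedValue of 2147483640 (0x7FFFFFF8: AES128, AES256 and future types) every smaller number also satisfies `<=`, including values below 8, which enable only DES or RC4. The new DefaultValue 2147483644 (0x7FFFFFFC, the same mask plus the RC4 bit) does fail as intended, but a host explicitly set to a weak-only mask would be reported as passing, assuming the operator is evaluated numerically (the evaluation code is not part of this diff). Consider ending the row with `2147483644,2147483640,=,Medium`, and documenting any other mask that should be accepted, such as AES256-only, as a separate row.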
@@ -121,7 +121,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium
 2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium
 2.3.13.1,"Security Options","Shutdown: Allow system to be shut down without having to log on",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,ShutdownWithoutLogon,,,,1,0,=,Medium
-2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium
+2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,1,1,=,Medium
 2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium
 2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium
 2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium
@@ -158,17 +158,17 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 9.3.9,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium
 9.3.10,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
 17.1.1,"Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low
-17.1.2,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low
-17.1.3,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low
+17.1.2,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low
+17.1.3,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low
 17.2.1,"Advanced Audit Policy Configuration","Application Group Management",auditpol,{0CCE9239-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low
-17.2.2,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low
+17.2.2,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low
 17.2.3,"Advanced Audit Policy Configuration","Distribution Group Management",auditpol,{0CCE9238-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low
 17.2.4,"Advanced Audit Policy Configuration","Other Account Management Events",auditpol,{0CCE923A-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low
 17.2.5,"Advanced Audit Policy Configuration","Security Group Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low
 17.2.6,"Advanced Audit Policy Configuration","User Account Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low
 17.3.1,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,{0cce9248-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low
 17.3.2,"Advanced Audit Policy Configuration","Process Creation",auditpol,{0CCE922B-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low
-17.4.1,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,,Failure,contains,Low
+17.4.1,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low
 17.4.2,"Advanced Audit Policy Configuration","Directory Service Changes",auditpol,{0CCE923C-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low
 17.5.1,"Advanced Audit Policy Configuration","Account Lockout",auditpol,{0CCE9217-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low
 17.5.2,"Advanced Audit Policy Configuration","Group Membership",auditpol,{0cce9249-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low
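Review bot: Rows 17.2.3, 17.2.4 and 17.4.2 in this hunk still have an empty DefaultValue column, while the neighbouring auditpol rows 17.1.2, 17.1.3, 17.2.2 and 17.4.1 are filled in by this change. The same gap remains in context rows of other hunks (2.3.11.3, 18.8.5.1 to 18.8.5.3, 18.9.44.1 and 18.9.45.3.1). If the omission is deliberate, for example because the setting has no value on an unconfigured system, a short remark in the list's documentation would make that clear. Otherwise these rows should receive their default in the same pass, taken from the baseline of the targeted Windows version, so that every check in the list reports a consistent result on an unconfigured host.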
@@ -196,24 +196,24 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium
 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium
 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE (Member)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium
-18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium
-18.2.3,"Administrative Templates: LAPS","Enable local admin password management (Member)",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium
-18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium
-18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium
-18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days) (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium
-18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium
-18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
-18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
-18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium
+18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,0,1,=,Medium
+18.2.3,"Administrative Templates: LAPS","Enable local admin password management (Member)",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium
+18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,4,4,=,Medium
+18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,14,15,>=,Medium
+18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days) (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordAgeDays,,,,30,30,<=,Medium
+18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,0,0,=,Medium
+18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium
+18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium
+18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium
 18.3.5,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium
 18.3.6,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High
 18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium
-18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-18.4.4,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium
-18.4.5,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium
+18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium
+18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium
+18.4.4,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium
+18.4.5,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,7200000,300000,<=,Medium
 18.4.6,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
-18.4.7,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium
+18.4.7,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,0,0,=,Medium
 18.4.8,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium
 18.4.9,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium
 18.4.10,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium
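Review bot: The LAPS rows 18.2.4 and 18.2.6 now carry a DefaultValue that already satisfies the check (`4,4,=` and `30,30,<=`), which can mask a missing LAPS deployment. If the audit substitutes DefaultValue when the registry item is absent (that logic is not part of this diff), a host with no LAPS policy at all would pass the complexity and age checks, and only 18.2.1 to 18.2.3 would flag the missing deployment. It would help to document next to the list that 18.2.4 to 18.2.6 are meaningful only when 18.2.3 passes, or to leave these defaults empty so an unconfigured host is reported as a finding. The same consideration applies to the other rows in this hunk whose new default equals the recommended value (18.3.1, 18.3.4, 18.4.7).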
@@ -244,11 +244,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium
 18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium
 18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium
-18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
+18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium
 18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium
 18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium
 18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium
-18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium
 18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
 18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium
 18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
@@ -302,7 +302,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium
 18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server (Member)",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium
 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium
-18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium
+18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium
 18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium
 18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium
 18.9.8.3,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium
@@ -317,22 +317,22 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium
 18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium
 18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium
-18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium
+18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,0,0,=,Medium
 18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium
-18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium
+18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,0,0,=,Medium
 18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium
-18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium
+18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,0,0,=,Medium
 18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium
-18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium
+18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,0,0,=,Medium
 18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium
-18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium
-18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium
-18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium
+18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,0,0,=,Medium
+18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,0,0,=,Medium
+18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,0,0,=,Medium
 18.9.39.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium
 18.9.43.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium
 18.9.44.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium
 18.9.45.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium
-18.9.45.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium
+18.9.45.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,0,=|0,Medium
 18.9.45.4.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium
 18.9.45.4.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium
 18.9.45.4.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium
@@ -363,14 +363,14 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.45.8.1,"Microsoft Defender Antivirus","Real-time Protection: Scan all downloaded files and attachments",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableIOAVProtection,,,,0,0,=,Medium
 18.9.45.8.2,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium
 18.9.45.8.3,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium
-18.9.45.10.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium
-18.9.45.11.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium
-18.9.45.11.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium
+18.9.45.10.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,0,1,=,Medium
+18.9.45.11.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium
+18.9.45.11.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,1,0,=,Medium
 18.9.45.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium
 18.9.45.15,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium
 18.9.55.1,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium
 18.9.62.2.2,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium
-18.9.62.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Connections: Restrict Remote Desktop Services users to a single Remote Desktop Services session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fSingleSessionPerUser,,,,,1,=,Medium
+18.9.62.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Connections: Restrict Remote Desktop Services users to a single Remote Desktop Services session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fSingleSessionPerUser,,,,1,1,=,Medium
 18.9.62.3.3.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow COM port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCcm,,,,0,1,=,Medium
 18.9.62.3.3.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium
 18.9.62.3.3.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow LPT port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLPT,,,,0,1,=,Medium
@@ -378,16 +378,16 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.62.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium 18.9.62.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium 18.9.62.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium -18.9.62.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +18.9.62.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,0,1,=,Medium 18.9.62.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium -18.9.62.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal 
Services",MaxIdleTime,,,,,900000,<=,Medium -18.9.62.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium -18.9.62.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium -18.9.62.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,1,=,Medium -18.9.63.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +18.9.62.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,0,900000,<=,Medium +18.9.62.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,0,60000,=,Medium +18.9.62.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,1,1,=,Medium +18.9.62.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not 
use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,1,1,=,Medium +18.9.63.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium 18.9.64.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium 18.9.64.3,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium -18.9.69.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium +18.9.69.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,0,1,=,Medium 18.9.80.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium 18.9.80.1.1.2,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium 18.9.84.1,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow suggested apps in Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowSuggestedAppsInWindowsInkWorkspace,,,,1,0,=,Medium 
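Review bot: Row 18.9.62.3.10.1 (MaxIdleTime) now carries a default of `0` but keeps the `<=` comparison against `900000`, so a host where the idle limit was never configured can be reported as compliant. For this policy 0 means the session never times out, which is the state the finding is meant to catch. This assumes the tool falls back to the default column when the registry item is absent, which the hunk does not show. The row needs a comparison that rejects 0, for example `MaxIdleTime,,,,0,900000,<=!0,Medium` if the `<=!0` operator is available in this version of the module.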
@@ -402,7 +402,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.97.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium 18.9.97.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium 18.9.97.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium -18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium +18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium 18.9.97.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium 18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium 18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium 
@@ -414,6 +414,6 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium 18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium 18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium -18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,0,0,>=,Medium 18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium -18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates 
installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.102.4,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,0,0,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_server_2022_21h1_1.0.0_machine.csv b/lists/finding_list_cis_microsoft_windows_server_2022_21h1_1.0.0_machine.csv index fcccbd9..03eefed 100644 --- a/lists/finding_list_cis_microsoft_windows_server_2022_21h1_1.0.0_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_server_2022_21h1_1.0.0_machine.csv 
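Review bot: Rows 18.9.102.2 (NoAutoUpdate) and 18.9.102.4 (NoAutoRebootWithLoggedOnUsers) keep the `>=` operator against a recommended value of `0`, which every non-negative value satisfies, so `NoAutoUpdate = 1` (automatic updates switched off) would still pass. The default of `0` added here does not change that, because the comparison cannot fail for any value these settings take. Both rows read better as an exact match: `NoAutoUpdate,,,,0,0,=,Medium` and `NoAutoRebootWithLoggedOnUsers,,,,0,0,=,Medium`. The unchanged context row 18.9.102.3 (ScheduledInstallDay) has the same `0,>=` shape and still has an empty default.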
@@ -65,11 +65,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium 2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low 2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low -2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low 2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low -2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,2,2,=,Medium 2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium -2.3.5.1,"Security Options","Domain controller: Allow server operators to schedule tasks (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,SubmitControl,,,,,0,=,Medium +2.3.5.1,"Security Options","Domain controller: Allow server operators to schedule tasks 
(DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,SubmitControl,,,,0,0,=,Medium 2.3.5.2,"Security Options","Domain controller: Allow vulnerable Netlogon secure channel connections",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,VulnerableChannelAllowList,,,,,,=,Medium 2.3.5.3,"Security Options","Domain controller: LDAP server channel binding token requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LdapEnforceChannelBinding,,,,1,2,=,Medium 2.3.5.4,"Security Options","Domain controller: LDAP server signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LDAPServerIntegrity,,,,1,2,=,Medium 
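Review bot: Row 2.3.4.1 (AllocateDASD) now lists `2` as both default and recommended value, and that should be checked against the Server 2022 benchmark text before it is merged. As far as I recall, the server benchmark asks for "Administrators" (value 0), while 2 ("Administrators and Interactive Users") is the workstation recommendation, so the row may have been carried over from a Windows 10 list. If that is right, a server that lets interactive users format and eject removable media passes this finding, and so would an unconfigured one if the tool falls back to the default column. Suggested row tail once confirmed: `AllocateDASD,,,,0,0,=,Medium`.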
@@ -88,7 +88,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.7.6,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",CachedLogonsCount,,,,10,4,<=,Medium 2.3.7.7.1,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low 2.3.7.7.2,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low -2.3.7.8,"Security Options","Interactive logon: Require Domain Controller Authentication to unlock workstation (Member)",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ForceUnlockLogon,,,,,1,=,Medium +2.3.7.8,"Security Options","Interactive logon: Require Domain Controller Authentication to unlock workstation (Member)",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ForceUnlockLogon,,,,0,1,=,Medium 2.3.7.9,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Medium 2.3.8.1,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium 2.3.8.2,"Security Options","Microsoft network client: Digitally sign communications (if server agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnableSecuritySignature,,,,1,1,=,Medium 
@@ -97,7 +97,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.9.2,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium 2.3.9.3,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium 2.3.9.4,"Security Options","Microsoft network server: Disconnect clients when logon hours expire",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,enableforcedlogoff,,,,1,1,=,Medium -2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level (Member)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,,1,>=,Medium +2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level (Member)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,0,1,>=,Medium 2.3.10.1,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,Medium 2.3.10.2,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,Medium 2.3.10.3,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,Medium 
@@ -111,10 +111,10 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.10.11,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium 2.3.10.12,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium 2.3.10.13,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium -2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,0,1,=,Medium 2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium 2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium -2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,<=,Medium 2.3.11.5,"Security Options","Network security: Do 
not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High 2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low 2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium 
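Review bot: Row 2.3.11.4 (SupportedEncryptionTypes) compares a bit mask numerically with `<=`, so every smaller value passes, including masks that enable only DES or RC4 (for example 4 or 7). The new default of `2147483644` correctly fails against `2147483640`, but the check as written does not enforce the AES-and-future-types recommendation. An exact match is the simplest form this list can express: `SupportedEncryptionTypes,,,,2147483644,2147483640,=,Medium`. If stricter AES-only masks such as 24 are meant to pass as well, a numeric operator cannot express that, so the row needs a note in the list's documentation.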
@@ -122,7 +122,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium 2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium 2.3.13.1,"Security Options","Shutdown: Allow system to be shut down without having to log on",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,ShutdownWithoutLogon,,,,1,0,=,Medium -2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium +2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,1,1,=,Medium 2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium 2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium 2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium 
@@ -163,17 +163,17 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 9.3.9,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium 9.3.10,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low 17.1.1,"Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low -17.1.2,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low -17.1.3,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low +17.1.2,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low +17.1.3,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low 17.2.1,"Advanced Audit Policy Configuration","Application Group Management",auditpol,{0CCE9239-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low -17.2.2,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low +17.2.2,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low 17.2.3,"Advanced Audit Policy Configuration","Distribution Group Management",auditpol,{0CCE9238-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low 17.2.4,"Advanced Audit Policy 
Configuration","Other Account Management Events",auditpol,{0CCE923A-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low 17.2.5,"Advanced Audit Policy Configuration","Security Group Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low 17.2.6,"Advanced Audit Policy Configuration","User Account Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low 17.3.1,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,{0cce9248-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low 17.3.2,"Advanced Audit Policy Configuration","Process Creation",auditpol,{0CCE922B-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low -17.4.1,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,,Failure,contains,Low +17.4.1,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low 17.4.2,"Advanced Audit Policy Configuration","Directory Service Changes",auditpol,{0CCE923C-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low 17.5.1,"Advanced Audit Policy Configuration","Account Lockout",auditpol,{0CCE9217-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low 17.5.2,"Advanced Audit Policy Configuration","Group Membership",auditpol,{0cce9249-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low 
@@ -201,25 +201,25 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium 18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium 18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE (Member)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}",DllName,,,,,"C:\Program Files\LAPS\CSE\AdmPwd.dll",=,Medium -18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium -18.2.3,"Administrative Templates: LAPS","Enable local admin password management (Member)",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium -18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium -18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium -18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days) (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium -18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium -18.3.2,"MS Security 
Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium -18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium -18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,0,1,=,Medium +18.2.3,"Administrative Templates: LAPS","Enable local admin password management (Member)",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium +18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,4,4,=,Medium +18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,14,15,>=,Medium +18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days) (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordAgeDays,,,,30,30,<=,Medium +18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,0,0,=,Medium +18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium +18.3.4,"MS Security 
Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium 18.3.5,"MS Security Guide","Limits print driver installation to Administrators",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint",RestrictDriverInstallationToAdministrators,,,,0,1,=,Medium 18.3.6,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium 18.3.7,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High 18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium -18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -18.4.4,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium -18.4.5,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium +18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet 
spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium +18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium +18.4.4,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium +18.4.5,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,7200000,300000,<=,Medium 18.4.6,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium -18.4.7,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium +18.4.7,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,0,0,=,Medium 18.4.8,"MSS (Legacy)","MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium 18.4.9,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium 18.4.10,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How 
many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium 
@@ -251,14 +251,14 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium
 18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium
 18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium
-18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
+18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium
 18.6.1,"Administrative Templates","Printers: Allow Print Spooler to accept client connections",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",RegisterSpoolerRemoteRpcEndPoint,,,,1,2,=,Medium
 18.6.2,"Administrative Templates","Printers: Point and Print Restrictions: When installing drivers for a new connection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint",NoWarningNoElevationOnInstall,,,,0,0,=,Medium
 18.6.3,"Administrative Templates","Printers: Point and Print Restrictions: When updating drivers for an existing connection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint",UpdatePromptSettings,,,,0,0,=,Medium
 18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium
 18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,1,=,Medium
 18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium
-18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium
 18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
 18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium
 18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
@@ -314,7 +314,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.8.53.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium
 18.8.53.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server (Member)",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium
 18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium
-18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium
+18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium
 18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium
 18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium
 18.9.8.3,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium
@@ -333,22 +333,22 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.17.6,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Limit Diagnostic Log Collection",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,LimitDiagnosticLogCollection,,,,,1,=,Medium
 18.9.17.7,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Limit Dump Collection",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,LimitDumpCollection,,,,,1,=,Medium
 18.9.17.8,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium
-18.9.27.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium
+18.9.27.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,0,0,=,Medium
 18.9.27.1.2,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium
-18.9.27.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium
+18.9.27.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,0,0,=,Medium
 18.9.27.2.2,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium
-18.9.27.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium
+18.9.27.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,0,0,=,Medium
 18.9.27.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium
-18.9.27.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium
+18.9.27.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,0,0,=,Medium
 18.9.27.4.2,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium
-18.9.31.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium
-18.9.31.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium
-18.9.31.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium
+18.9.31.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,0,0,=,Medium
+18.9.31.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,0,0,=,Medium
+18.9.31.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,0,0,=,Medium
 18.9.41.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium
 18.9.45.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium
 18.9.46.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium
 18.9.47.4.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium
-18.9.47.4.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=|0,Medium
+18.9.47.4.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,0,=|0,Medium
 18.9.47.5.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium
 18.9.47.5.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium
 18.9.47.5.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium
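Review bot: The four Event Log `Retention` rows and the File Explorer rows 18.9.31.2 to 18.9.31.4 now carry a DefaultValue equal to the RecommendedValue, so if the audit falls back to DefaultValue when the registry item is absent (as the column name suggests), a machine with no policy configured is reported as compliant for these settings. That may be intended, but the result then no longer separates an enforced policy from an OS default that nothing pins in place. The same applies to `fSingleSessionPerUser` in the -380 hunk, `DeleteTempDirsOnExit` and `PerSessionTempDir` in the -398 hunk, and `SCENoApplyLegacyAuditPolicy` in the -41 hunk of the STIG list. Each filled-in default should be checked against the documented behaviour for an absent value, and the source used for the defaults should be stated in the commit description.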
@@ -380,15 +380,15 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.47.9.2,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium
 18.9.47.9.3,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium
 18.9.47.9.4,"Microsoft Defender Antivirus","Real-time Protection: Turn on script scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableScriptScanning,,,,0,0,=,Medium
-18.9.47.11.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium
-18.9.47.12.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium
-18.9.47.12.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium
+18.9.47.11.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,0,1,=,Medium
+18.9.47.12.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium
+18.9.47.12.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,1,0,=,Medium
 18.9.47.15,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium
 18.9.47.16,"Microsoft Defender Antivirus","Turn off Microsoft Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium
 18.9.58.1,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium
 18.9.64.1,"Administrative Templates: Windows Components","Push To Install: Turn off Push To Install service",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall,DisablePushToInstall,,,,,1,=,Medium
 18.9.65.2.2,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium
-18.9.65.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Connections: Restrict Remote Desktop Services users to a single Remote Desktop Services session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fSingleSessionPerUser,,,,,1,=,Medium
+18.9.65.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Connections: Restrict Remote Desktop Services users to a single Remote Desktop Services session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fSingleSessionPerUser,,,,1,1,=,Medium
 18.9.65.3.3.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Allow UI Automation redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",EnableUiaRedirection,,,,,0,=,Medium
 18.9.65.3.3.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow COM port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCcm,,,,0,1,=,Medium
 18.9.65.3.3.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium
@@ -398,16 +398,16 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.65.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium
 18.9.65.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium
 18.9.65.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium
-18.9.65.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium
+18.9.65.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,0,1,=,Medium
 18.9.65.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium
-18.9.65.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,,900000,<=!0,Medium
-18.9.65.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium
-18.9.65.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium
-18.9.65.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,1,=,Medium
-18.9.66.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
+18.9.65.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,0,900000,<=!0,Medium
+18.9.65.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,0,60000,=,Medium
+18.9.65.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,1,1,=,Medium
+18.9.65.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,1,1,=,Medium
+18.9.66.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium
 18.9.67.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium
 18.9.67.3,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
-18.9.72.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium
+18.9.72.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,0,1,=,Medium
 18.9.85.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium
 18.9.85.1.1.2,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium
 18.9.89.1,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow suggested apps in Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowSuggestedAppsInWindowsInkWorkspace,,,,1,0,=,Medium
@@ -422,13 +422,13 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.102.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium
 18.9.102.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium
 18.9.102.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium
-18.9.102.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
+18.9.102.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
 18.9.102.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium
 18.9.102.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium
 18.9.103.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium
 18.9.105.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium
-18.9.108.1.1,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium
-18.9.108.2.1,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium
+18.9.108.1.1,"Administrative Templates: Windows Components","Windows Update: Legacy Policies: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,0,0,>=,Medium
+18.9.108.2.1,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,0,0,>=,Medium
 18.9.108.2.2,"Administrative Templates: Windows Components","Windows Update: Manage end user experience: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium
 18.9.108.4.1.1,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium
 18.9.108.4.1.2,"Administrative Templates: Windows Components","Windows Update: Manage updates offered from Windows Update: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium
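Review bot: The two Windows Update rows rewritten here (18.9.108.1.1 and 18.9.108.2.1) keep the `>=` operator with a RecommendedValue of 0, which accepts every non-negative value if `>=` means "actual is at least the recommended value", as the Event Log `MaxSize` rows in this list suggest. A machine with `NoAutoUpdate` set to 1, meaning automatic updates are turned off, would then still pass the check, and the same holds for `NoAutoRebootWithLoggedOnUsers`. Both rows look like they need an exact match, e.g. `...\WindowsUpdate\Au,NoAutoUpdate,,,,0,0,=,Medium` and `...\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,0,0,=,Medium`.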
diff --git a/lists/finding_list_dod_microsoft_windows_10_stig_v2r1_machine.csv b/lists/finding_list_dod_microsoft_windows_10_stig_v2r1_machine.csv
index 7dfbbba..b78f943 100644
--- a/lists/finding_list_dod_microsoft_windows_10_stig_v2r1_machine.csv
+++ b/lists/finding_list_dod_microsoft_windows_10_stig_v2r1_machine.csv
@@ -41,7 +41,7 @@ V-63611,"Security Options","Accounts: Guest account status",localaccount,501,,,,
 V-63617,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium
 V-63619,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,X_Admin,=,Medium
 V-63625,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Visitor,=,Medium
-V-71761,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Medium
+V-71761,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Medium
 V-63639,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium
 V-63643,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium
 V-63647,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium
@@ -64,7 +64,7 @@ V-63759,"Security Options","Network access: Restrict anonymous access to Named P
 V-71769,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium
 V-63765,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium
 V-63767,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium
-V-63795,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,=,Medium
+V-63795,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,=,Medium
 V-63797,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High
 V-63801,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,High
 V-63803,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium
@@ -110,27 +110,27 @@ V-63513,"Advanced Audit Policy Configuration","Security System Extension",auditp V-63545,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Medium V-63549,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low V-63597,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium -V-74725,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium -V-74723,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium -V-68849,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,High +V-74725,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +V-74723,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium +V-68849,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,High V-72329,"MS Security Guide","Remove ""Run As Different User"" from context menus (batfile)",Registry,,HKLM:\SOFTWARE\Classes\batfile\shell\runasuser," SuppressionPolicy",,,,,1000,=,Medium V-72329,"MS Security Guide","Remove ""Run As Different User"" 
from context menus (cmdfile)",Registry,,HKLM:\SOFTWARE\Classes\cmdfile\shell\runasuser," SuppressionPolicy",,,,,1000,=,Medium V-72329,"MS Security Guide","Remove ""Run As Different User"" from context menus (exefile)",Registry,,HKLM:\SOFTWARE\Classes\exefile\shell\runasuser," SuppressionPolicy",,,,,1000,=,Medium V-72329,"MS Security Guide","Remove ""Run As Different User"" from context menus (mscfile)",Registry,,HKLM:\SOFTWARE\Classes\mscfile\shell\runasuser," SuppressionPolicy",,,,,1000,=,Medium V-71763,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,Medium -V-63555,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -V-63559,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -V-63563,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Low +V-63555,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium +V-63559,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium +V-63563,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated 
routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Low V-63567,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Low V-63569,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium V-71765,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium V-63577,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium V-63577,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium V-74413,"Administrative Templates: Network","SSL Configuration Settings: ECC Curve Order",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002,EccCurves,,,,,"NistP384 NistP256",=,Medium -V-71765,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium +V-71765,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated 
network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium V-63591,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium V-68817,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium -V-74699,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +V-74699,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium V-63595,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Low V-63595,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,1,=,Low V-63603,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Low 
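Review bot: The default added for the SMB v1 client driver row (V-74725, `...\Services\MrxSmb10,Start,,,,1,4,=,Medium`) is `1`, which looks doubtful for this setting. As far as I know the MS Security Guide policy only offers 2 (automatic), 3 (manual) and 4 (disabled), and on a build where the SMB1 client is not installed the key may not exist at all. The check still fails as it should, since `1` differs from `4`, but the report would show a misleading current value for every host where the value is absent. Please confirm the number on a clean install of the OS this list targets and record where it came from. The same default is added for V-93395 in both Server 2019 lists later in this diff.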
@@ -152,7 +152,7 @@ V-63649,"Administrative Templates: System","Sleep Settings: Require a password w V-63651,"Administrative Templates: System","Remote Assistance: Configure Solicited Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowToGetHelp,,,,1,0,=,High V-63657,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium V-94719,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium -V-63659,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium +V-63659,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium V-63663,"Administrative Templates: Windows Components","Application Compatibility: Turn off Inventory Collector",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat,DisableInventory,,,,0,1,=,Low V-63667,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,High V-63671,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,High 
@@ -181,7 +181,7 @@ V-63731,"Administrative Templates: Windows Components","Remote Desktop Session H V-63733,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium V-63737,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium V-63741,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium -V-63743,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +V-63743,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium V-63751,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium V-77235,"Microsoft Defender Exploit Guard","Use a common set of exploit protection settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender ExploitGuard\Exploit Protection",ExploitProtectionSettings,,,,,,!=,Medium V-77235,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium 
diff --git a/lists/finding_list_dod_microsoft_windows_server_2019_dc_stig_v2r1_machine.csv b/lists/finding_list_dod_microsoft_windows_server_2019_dc_stig_v2r1_machine.csv index 9d19829..d05e9c5 100644 --- a/lists/finding_list_dod_microsoft_windows_server_2019_dc_stig_v2r1_machine.csv +++ b/lists/finding_list_dod_microsoft_windows_server_2019_dc_stig_v2r1_machine.csv @@ -45,7 +45,7 @@ V-93281,"Security Options","Accounts: Rename administrator account",localaccount V-93283,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Visitor,=,Medium V-93545,"Security Options","Domain controller: LDAP server signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LDAPServerIntegrity,,,,1,2,=,Medium V-93273,"Security Options","Domain controller: Refuse machine account password changes (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,RefusePasswordChange,,,,1,0,=,Medium -V-93151,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Medium +V-93151,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Medium V-93547,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium V-93549,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium V-93551,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium 
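Review bot: With `SCENoApplyLegacyAuditPolicy` changed from `""` to `1` (V-93151), the default and the recommended value are now identical, so a host where this value was never written can be reported as compliant. That holds only if the checker substitutes the default column for a missing registry value; the checker code is not part of this diff, so this is inferred. STIG registry checks usually count a value that does not exist as a finding, which makes a pass by default weaker evidence than a pass by configuration. The same pattern is introduced for V-93151 in the member-server list, for `DisableExceptionChainValidation` (V-68849) in the previous file and for `LocalAccountTokenFilterPolicy` (V-93519). I would state the intent in the commit description, for example `Default values describe OS behaviour when a value is absent; a pass on a default does not show that the policy was applied.`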
@@ -67,10 +67,10 @@ V-93537,"Security Options","Network access: Do not allow anonymous enumeration o V-93293,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium V-93539,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,High V-93045,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium -V-93295,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +V-93295,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,0,1,=,Medium V-93297,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium V-93299,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium -V-93495,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,=,Medium +V-93495,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,=,Medium V-93467,"Security Options","Network 
security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High V-93301,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,High V-93303,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium 
@@ -88,13 +88,13 @@ V-93527,"Security Options","User Account Control: Only elevate UIAccess applicat V-93435,"Security Options","User Account Control: Run all administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,,,,1,1,=,Medium V-93529,"Security Options","User Account Control: Virtualize file and registry write failures to per-user locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableVirtualization,,,,1,1,=,Medium "V-93153 / V-93155","Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Medium -V-92985,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Medium +V-92985,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Medium V-93089,"Advanced Audit Policy Configuration","Other Account Management Events",auditpol,{0CCE923A-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Medium V-92979,"Advanced Audit Policy Configuration","Security Group Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Medium "V-92981 / V-92983","Advanced Audit Policy Configuration","User Account Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Medium V-93157,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,{0cce9248-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Medium V-93091,"Advanced Audit Policy Configuration","Process Creation",auditpol,{0CCE922B-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Medium -"V-93133 / V-93135","Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,,"Success and 
Failure",=,Medium +"V-93133 / V-93135","Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Medium "V-93137 / V-93139","Advanced Audit Policy Configuration","Directory Service Changes",auditpol,{0CCE923C-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Medium V-92989,"Advanced Audit Policy Configuration","Account Lockout",auditpol,{0CCE9217-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Medium V-93159,"Advanced Audit Policy Configuration","Group Membership",auditpol,{0cce9249-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Medium 
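Review bot: Defaults are filled in for Computer Account Management (V-92985) and Directory Service Access (V-93133 / V-93135), but the neighbouring rows Other Account Management Events (V-93089) and Directory Service Changes (V-93137 / V-93139) in this same hunk keep an empty default. That leaves the audit-policy block half populated. Either fill those rows in the same commit or say in the description why they are left out. Separately, `Success` is used as the default for V-92985 both here and in the member-server list; whether a member server audits that subcategory out of the box should be verified rather than carried over from the domain-controller list.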
@@ -113,18 +113,18 @@ V-93113,"Advanced Audit Policy Configuration","Security State Change",auditpol,{ V-93115,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Medium "V-93117 / V-93119","Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Medium V-93399,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low -V-93395,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium -V-93393,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium +V-93395,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +V-93393,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium V-93401,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,Medium -V-93233,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Low -V-93235,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Low -V-93237,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated 
routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Low +V-93233,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Low +V-93235,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Low +V-93237,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Low V-93541,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Low V-93239,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium V-93241,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium V-93241,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium V-93173,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium -V-93243,"Administrative 
Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +V-93243,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium V-93245,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Low V-93245,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,1,=,Low V-93245,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Low 
@@ -152,7 +152,7 @@ V-93533,"Administrative Templates: Windows Components","Remote Desktop Session H V-93427,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium V-92971,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium V-92973,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium -V-93265,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +V-93265,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium V-93415,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium V-93349,"Microsoft Defender Exploit Guard","Use a common set of exploit protection settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender ExploitGuard\Exploit Protection",ExploitProtectionSettings,,,,,,!=,Medium V-93349,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium 
diff --git a/lists/finding_list_dod_microsoft_windows_server_2019_member_stig_v2r1_machine.csv b/lists/finding_list_dod_microsoft_windows_server_2019_member_stig_v2r1_machine.csv index 2cfb928..8e8ae46 100644 --- a/lists/finding_list_dod_microsoft_windows_server_2019_member_stig_v2r1_machine.csv +++ b/lists/finding_list_dod_microsoft_windows_server_2019_member_stig_v2r1_machine.csv @@ -41,7 +41,7 @@ V-93497,"Security Options","Accounts: Guest account status",localaccount,501,,,, V-93279,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,High V-93281,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,X_Admin,=,Medium V-93283,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Visitor,=,Medium -V-93151,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Medium +V-93151,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Medium V-93547,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium V-93549,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium V-93551,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium 
@@ -63,10 +63,10 @@ V-93537,"Security Options","Network access: Do not allow anonymous enumeration o V-93293,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium V-93539,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,High V-93045,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium -V-93295,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +V-93295,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,0,1,=,Medium V-93297,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium V-93299,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium -V-93495,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,=,Medium +V-93495,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,2147483644,2147483640,=,Medium V-93467,"Security Options","Network 
security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High V-93301,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,High V-93303,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium 
@@ -84,7 +84,7 @@ V-93527,"Security Options","User Account Control: Only elevate UIAccess applicat V-93435,"Security Options","User Account Control: Run all administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,,,,1,1,=,Medium V-93529,"Security Options","User Account Control: Virtualize file and registry write failures to per-user locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableVirtualization,,,,1,1,=,Medium "V-93153 / V-93155","Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Medium -V-92985,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Medium +V-92985,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Medium V-92979,"Advanced Audit Policy Configuration","Security Group Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Medium "V-92981 / V-92983","Advanced Audit Policy Configuration","User Account Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Medium V-93157,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,{0cce9248-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Medium 
@@ -106,19 +106,19 @@ V-93113,"Advanced Audit Policy Configuration","Security State Change",auditpol,{ V-93115,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Medium "V-93117 / V-93119","Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Medium V-93399,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low -V-93519,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium -V-93395,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium -V-93393,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium +V-93519,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,0,0,=,Medium +V-93395,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +V-93393,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium V-93401,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,Medium -V-93233,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet 
spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Low -V-93235,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Low -V-93237,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Low +V-93233,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Low +V-93235,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Low +V-93237,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Low V-93541,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Low V-93239,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium V-93241,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium V-93241,"Administrative Templates: Network","Network Provider: Hardened UNC Paths 
(SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium V-93173,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium -V-93243,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +V-93243,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium V-93245,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Low V-93245,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,1,=,Low V-93245,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Low 
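Review bot: `LocalAccountTokenFilterPolicy` receives a default of `0` in this hunk (V-93519, `...LocalAccountTokenFilterPolicy,,,,0,0,=,Medium`), while the row for the same registry value in the first list of this diff (V-63597) is left with an empty default. The two lists would then show different current values for the same unconfigured setting and, depending on how the checker treats an empty default, could give different pass/fail results. Use one value in both places, for instance `...LocalAccountTokenFilterPolicy,,,,0,0,=,Medium` for V-63597 as well, or leave both empty until the default has been verified.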
@@ -148,7 +148,7 @@ V-93533,"Administrative Templates: Windows Components","Remote Desktop Session H
 V-93427,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium
 V-92971,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium
 V-92973,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium
-V-93265,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
+V-93265,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium
 V-93415,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
 V-93349,"Microsoft Defender Exploit Guard","Use a common set of exploit protection settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender ExploitGuard\Exploit Protection",ExploitProtectionSettings,,,,,,!=,Medium
 V-93349,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
diff --git a/lists/finding_list_dod_windows_defender_antivirus_stig_v2r1.csv b/lists/finding_list_dod_windows_defender_antivirus_stig_v2r1.csv
index a236140..e1f4264 100644
--- a/lists/finding_list_dod_windows_defender_antivirus_stig_v2r1.csv
+++ b/lists/finding_list_dod_windows_defender_antivirus_stig_v2r1.csv
@@ -2,11 +2,11 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 V-75147,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,High
 V-75159,"Microsoft Defender Antivirus","Exclusions: Turn off Auto Exclusions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Exclusions",DisableAutoExclusions,,,,,0,=,Medium
 V-75163,"Microsoft Defender Antivirus","MAPS: Configure the 'Block at First Sight' feature",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",DisableBlockAtFirstSeen,,,,,0,=,Medium
-V-75167,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,2,=,Medium
+V-75167,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,2,=,Medium
 V-75207,"Microsoft Defender Antivirus","MAPS: Send file samples when further analysis is required",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",SubmitSamplesConsent,,,,,1,=,Medium
-V-75235,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium
+V-75235,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium
 V-75237,"Microsoft Defender Antivirus","Scan: Specify the day of the week to run a scheduled scan",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",ScheduleDay,,,,,0,=,Medium
-V-75239,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium
+V-75239,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,1,0,=,Medium
 V-75241,"Microsoft Defender Antivirus","Security Intelligence Updates: Define the number of days before spyware security intelligence is considered out of date",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Signature Updates",ASSignatureDue,,,,,7,=,High
 V-75243,"Microsoft Defender Antivirus","Security Intelligence Updates: Define the number of days before virus security intelligence is considered out of date",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Signature Updates",AVSignatureDue,,,,,7,=,High
 V-75245,"Microsoft Defender Antivirus","Security Intelligence Updates: Specify the day of the week to check for security intelligence updates",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Signature Updates",ScheduleDay,,,,,0,=,Medium
diff --git a/lists/finding_list_microsoft_windows_tls.csv b/lists/finding_list_microsoft_windows_tls.csv
index 990f8b0..9f69fe2 100644
--- a/lists/finding_list_microsoft_windows_tls.csv
+++ b/lists/finding_list_microsoft_windows_tls.csv
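Review bot: Only three rows in this hunk of finding_list_dod_windows_defender_antivirus_stig_v2r1.csv get a DefaultValue; V-75159, V-75163, V-75207, V-75237 and the three Signature Updates rows still have the column empty, so the list now mixes rows with and without a default. How the module uses the column is not visible in this diff, but if it stands in for a registry value that is absent, the empty and the filled rows will be scored differently on an unconfigured host. The same gap is left at row 10620 in the `@@ -129,26 +129,26 @@` hunk of finding_list_msft_security_baseline_windows_10_2004_machine.csv, where Windows treats a missing value as 0 and the tail of the row could read `LocalAccountTokenFilterPolicy,,,,0,0,=,Medium`.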
@@ -1,8 +1,8 @@
 ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity
 1000,"Schannel: TLS Settings: Protocols","Server: Multi-Protocol Unified Hello",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server",Enabled,,,,,0,=,High
 1001,"Schannel: TLS Settings: Protocols","Server: Multi-Protocol Unified Hello (Disabledbydefault)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server",Disabledbydefault,,,,,1,=,High
-1002,"Schannel: TLS Settings: Protocols","Client: Multi-Protocol Unified Hello",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server",Enabled,,,,,0,=,High
-1003,"Schannel: TLS Settings: Protocols","Client: Multi-Protocol Unified Hello (Disabledbydefault)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server",Disabledbydefault,,,,,1,=,High
+1002,"Schannel: TLS Settings: Protocols","Client: Multi-Protocol Unified Hello",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client",Enabled,,,,,0,=,High
+1003,"Schannel: TLS Settings: Protocols","Client: Multi-Protocol Unified Hello (Disabledbydefault)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client",Disabledbydefault,,,,,1,=,High
 1004,"Schannel: TLS Settings: Protocols","Server: PCT",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server",Enabled,,,,,0,=,High
 1005,"Schannel: TLS Settings: Protocols","Server: PCT (Disabledbydefault)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server",Disabledbydefault,,,,,1,=,High
 1006,"Schannel: TLS Settings: Protocols","Client: PCT",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client",Enabled,,,,,0,=,High
diff --git a/lists/finding_list_microsoft_windows_tls_future.csv b/lists/finding_list_microsoft_windows_tls_future.csv
index 74d3f84..d34f450 100644
--- a/lists/finding_list_microsoft_windows_tls_future.csv
+++ b/lists/finding_list_microsoft_windows_tls_future.csv
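Review bot: Reports produced with the previous finding_list_microsoft_windows_tls.csv scored IDs 1002 and 1003 against the `Multi-Protocol Unified Hello\Server` key, so a pass on those two rows said nothing about the client side, and nothing visible in this part of the diff tells users that. A changelog line would cover it, for example `TLS lists: IDs 1002 and 1003 now check the Client key; earlier results for these IDs should be re-run`. The identical correction in finding_list_microsoft_windows_tls_future.csv needs the same mention.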
@@ -1,8 +1,8 @@
 ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity
 1000,"Schannel: TLS Settings: Protocols","Server: Multi-Protocol Unified Hello",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server",Enabled,,,,,0,=,High
 1001,"Schannel: TLS Settings: Protocols","Server: Multi-Protocol Unified Hello (Disabledbydefault)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server",Disabledbydefault,,,,,1,=,High
-1002,"Schannel: TLS Settings: Protocols","Client: Multi-Protocol Unified Hello",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server",Enabled,,,,,0,=,High
-1003,"Schannel: TLS Settings: Protocols","Client: Multi-Protocol Unified Hello (Disabledbydefault)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server",Disabledbydefault,,,,,1,=,High
+1002,"Schannel: TLS Settings: Protocols","Client: Multi-Protocol Unified Hello",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client",Enabled,,,,,0,=,High
+1003,"Schannel: TLS Settings: Protocols","Client: Multi-Protocol Unified Hello (Disabledbydefault)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client",Disabledbydefault,,,,,1,=,High
 1004,"Schannel: TLS Settings: Protocols","Server: PCT",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server",Enabled,,,,,0,=,High
 1005,"Schannel: TLS Settings: Protocols","Server: PCT (Disabledbydefault)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server",Disabledbydefault,,,,,1,=,High
 1006,"Schannel: TLS Settings: Protocols","Client: PCT",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client",Enabled,,,,,0,=,High
diff --git a/lists/finding_list_msft_security_baseline_edge_107_machine.csv b/lists/finding_list_msft_security_baseline_edge_107_machine.csv
new file mode 100644
index 0000000..56fc510
--- /dev/null
+++ b/lists/finding_list_msft_security_baseline_edge_107_machine.csv
@@ -0,0 +1,24 @@
+ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity
+1015,"Microsoft Edge","Allow unconfigured sites to be reloaded in Internet Explorer mode",Registry,,HKLM:\Software\Policies\Microsoft\Edge,InternetExplorerIntegrationReloadInIEModeAllowed,,,,,0,=,Low
+1000,"Microsoft Edge","Allow users to proceed from the HTTPS warning page",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SSLErrorOverrideAllowed,,,,1,0,=,Low
+1024,"Microsoft Edge","Allow using the deprecated U2F Security Key API (deprecated)",Registry,,HKLM:\Software\Policies\Microsoft\Edge,U2fSecurityKeyApiEnabled,,,,,0,=,Low
+1018,"Microsoft Edge","Enable 3DES cipher suites in TLS",Registry,,HKLM:\Software\Policies\Microsoft\Edge,TripleDESEnabled,,,,,0,=,Low
+1019,"Microsoft Edge","Enable browser legacy extension point blocking",Registry,,HKLM:\Software\Policies\Microsoft\Edge,BrowserLegacyExtensionPointsBlockingEnabled,,,,,1,=,Low
+1001,"Microsoft Edge","Enable site isolation for every site",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SitePerProcess,,,,0,1,=,Low
+1023,"Microsoft Edge","Enhance images enabled",Registry,,HKLM:\Software\Policies\Microsoft\Edge,EdgeEnhanceImagesEnabled,,,,,0,=,Low
+1025,"Microsoft Edge","Force WebSQL to be enabled",Registry,,HKLM:\Software\Policies\Microsoft\Edge,WebSQLAccess,,,,,0,=,Low
+1002,"Microsoft Edge","Minimum TLS version enabled",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SSLVersionMin,,,,0,tls1.2,=,Medium
+1021,"Microsoft Edge","Show the Reload in Internet Explorer mode button in the toolbar",Registry,,HKLM:\Software\Policies\Microsoft\Edge,InternetExplorerModeToolbarButtonEnabled,,,,,0,=,Low
+1017,"Microsoft Edge","Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SharedArrayBufferUnrestrictedAccessAllowed,,,,,0,=,Low
+1020,"Microsoft Edge","Specifies whether the display-capture permissions-policy is checked or skipped",Registry,,HKLM:\Software\Policies\Microsoft\Edge,DisplayCapturePermissionsPolicyEnabled,,,,,1,=,Low
+1004,"Microsoft Edge","Control which extensions cannot be installed",Registry,,HKLM:\Software\Policies\Microsoft\Edge\ExtensionInstallBlocklist,1,,,,0,*,=,Low
+1012,"Microsoft Edge","Allow Basic authentication for HTTP",Registry,,HKLM:\Software\Policies\Microsoft\Edge,BasicAuthOverHttpEnabled,,,,,0,=,Low
+1005,"Microsoft Edge","Supported authentication schemes",Registry,,HKLM:\Software\Policies\Microsoft\Edge,AuthSchemes,,,,0,"ntlm,negotiate",=,Low
+1006,"Microsoft Edge","Allow user-level native messaging hosts (installed without admin permissions)",Registry,,HKLM:\Software\Policies\Microsoft\Edge,NativeMessagingUserLevelHosts,,,,1,0,=,Low
+1007,"Microsoft Edge","Enable saving passwords to the password manager",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PasswordManagerEnabled,,,,1,0,=,Low
+1016,"Microsoft Edge","Specifies whether to allow insecure websites to make requests to more-private network endpoints",Registry,,HKLM:\Software\Policies\Microsoft\Edge,InsecurePrivateNetworkRequestsAllowed,,,,,0,=,Low
+1008,"Microsoft Edge","Configure Microsoft Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenEnabled,,,,0,1,=,Low
+1009,"Microsoft Edge","Configure Microsoft Defender SmartScreen to block potentially unwanted apps",Registry,,HKLM:\Software\Policies\Microsoft\Edge,SmartScreenPuaEnabled,,,,0,1,=,Low
+1010,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverride,,,,,1,=,Low
+1011,"Microsoft Edge","Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads",Registry,,HKLM:\Software\Policies\Microsoft\Edge,PreventSmartScreenPromptOverrideForFiles,,,,0,1,=,Low
+1022,"Microsoft Edge","Configure Edge TyposquattingChecker",Registry,,HKLM:\Software\Policies\Microsoft\Edge,TyposquattingCheckerEnabled,,,,,1,=,Low
diff --git a/lists/finding_list_msft_security_baseline_windows_10_2004_machine.csv b/lists/finding_list_msft_security_baseline_windows_10_2004_machine.csv
index a963db5..4394db7 100644
--- a/lists/finding_list_msft_security_baseline_windows_10_2004_machine.csv
+++ b/lists/finding_list_msft_security_baseline_windows_10_2004_machine.csv
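Review bot: Rows 1002, 1004 and 1005 of the new finding_list_msft_security_baseline_edge_107_machine.csv put `0` in DefaultValue although their recommended values are strings (`tls1.2`, `*`, `"ntlm,negotiate"`), so the recorded default is not a value the setting can take. How the module uses DefaultValue is not visible in this diff; if it stands in for a missing policy, these rows would be better left empty, as rows 1015 and 1018 are, or given the value Edge applies when the policy is unset. Row 1002 also compares `SSLVersionMin` with `=`, which would report a host pinned to a stricter minimum as a finding, assuming Edge accepts one. The IDs are not in ascending order (1015, 1000, 1024, ...), which makes the file harder to cross-check against the baseline.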
@@ -7,7 +7,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10102,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium
 10103,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High
 10200,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium
-10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low
+10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low
 10202,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium
 10203,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium
 10204,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium
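Review bot: Row 10201 now carries DefaultValue `1` next to RecommendedValue `1`, so the result for a host where `SCENoApplyLegacyAuditPolicy` is absent rests entirely on that default being what Windows actually does. How the module uses DefaultValue is not visible in this diff, but if it stands in for a missing value, a wrong default here becomes a silent pass rather than a finding. Row 10623 (`DisableExceptionChainValidation`, `0,0`) in the following `@@ -129,26 +129,26 @@` hunk is in the same position. The commit description should name the source for these defaults, for example `DefaultValue taken from <baseline document>, checked on a clean install`.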
@@ -129,26 +129,26 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10544,"Windows Firewall","Log successful connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low
 10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low
-10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium
+10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium
 10620,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium
-10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
-10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
-10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium
+10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium
+10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium
+10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium
 10624,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium
 10625,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High
-10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium
+10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium
+10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium
+10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium
 10643,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
 10650,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium
 10651,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
 10652,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium
 10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
 10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
-10655,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
+10655,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium
 10656,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
 10670,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium
-10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium
 10672,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
 10673,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
 10674,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium
@@ -156,7 +156,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10676,"Administrative Templates: System","Device Guard: Secure Launch Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,,,,0,1,=,Medium
 10677,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,0,=,Medium
 10678,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClassesRetroactive,,,,0,1,=,Medium
-10679,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
+10679,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
 10680,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium
 10681,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Low
 10682,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Low
@@ -176,7 +176,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10696,"Administrative Templates: System","Remote Assistance: Permit remote control of this computer",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowFullControl,,,,,,=,Medium
 10697,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium
 10750,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium
-10751,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium
+10751,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium
 10752,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium
 10753,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium
 10754,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium
@@ -318,7 +318,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10923,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",iexplore.exe,,,,,1,=,Medium
 10924,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",explorer.exe,,,,,1,=,Medium
 10925,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",(Reserved),,,,,1,=,Medium
-10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium
+10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium
 10927,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",explorer.exe,,,,,1,=,Medium
 10928,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",(Reserved),,,,,1,=,Medium
 10929,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",iexplore.exe,,,,,1,=,Medium
@@ -334,12 +334,12 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10962,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium
 10963,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium
 10964,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium
-10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
+10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium
 10971,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
 10972,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,>=,Medium
-10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,2,=,Medium
+10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,2,=,Medium
 10974,"Microsoft Defender Antivirus","MAPS: Send file samples when further analysis is required",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",SubmitSamplesConsent,,,,,1,=,Medium
-10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium
+10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium
 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium
 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium
 11028,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium
diff --git a/lists/finding_list_msft_security_baseline_windows_10_20h2_21h1_machine.csv b/lists/finding_list_msft_security_baseline_windows_10_20h2_21h1_machine.csv
index a8bc5a5..24e18fd 100644
--- a/lists/finding_list_msft_security_baseline_windows_10_20h2_21h1_machine.csv
+++ b/lists/finding_list_msft_security_baseline_windows_10_20h2_21h1_machine.csv
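Review bot: Row 10974 (`SubmitSamplesConsent`) keeps an empty default cell (`,,,,,1,=,Medium`) in the `@@ -334,12` hunk, while 10973 and 10976 on either side of it are filled in. The same gap is left at 10974, 10998 and 10999 in the `@@ -334,17` hunk and at 10620 and 10672–10674 in the `@@ -129,26` and `@@ -130,27` hunks. Rows with and without a default presumably evaluate differently when the policy is not configured, so either fill these cells in the same pass or state in the commit message that they are left empty on purpose.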
@@ -7,7 +7,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10102,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium
 10103,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High
 10200,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium
-10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low
+10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low
 10202,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium
 10203,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium
 10204,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium
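Review bot: Row 10201 now has the same number in its default and recommended cells (`,,,,1,1,=,Low`), and 10623 gets the same treatment in the `@@ -129,26` hunk (`,,,,0,0,=,Medium`); both rows repeat in the 21h2 list. If the module falls back to the default cell when the registry value is absent (the lookup code is not part of this diff, so this is inferred), a host on which the value was never written will be reported as compliant on the strength of the CSV alone. These defaults should be checked against the documented behaviour of each Windows build the list targets, with the source named in the commit message. Where the OS default cannot be confirmed, keeping the cell empty is probably the safer choice for an audit.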
@@ -129,26 +129,26 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10544,"Windows Firewall","Log successful connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low
 10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low
-10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium
+10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium
 10620,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium
-10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
-10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
-10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium
+10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium
+10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium
+10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium
 10624,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium
 10625,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High
-10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium
+10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium
+10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium
+10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium
 10643,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
 10650,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium
 10651,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
 10652,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium
 10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
 10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
-10655,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
+10655,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium
 10656,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
 10670,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium
-10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium
 10672,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
 10673,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
 10674,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium
@@ -156,7 +156,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10676,"Administrative Templates: System","Device Guard: Secure Launch Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,,,,0,1,=,Medium
 10677,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,1,=,Medium
 10678,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClassesRetroactive,,,,0,1,=,Medium
-10679,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
+10679,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
 10680,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium
 10681,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Low
 10682,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Low
@@ -176,7 +176,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10696,"Administrative Templates: System","Remote Assistance: Permit remote control of this computer",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowFullControl,,,,,,=,Medium
 10697,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium
 10750,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium
-10751,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium
+10751,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium
 10752,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium
 10753,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium
 10754,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium
@@ -318,7 +318,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10923,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",iexplore.exe,,,,,1,=,Medium
 10924,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",explorer.exe,,,,,1,=,Medium
 10925,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",(Reserved),,,,,1,=,Medium
-10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium
+10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium
 10927,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",explorer.exe,,,,,1,=,Medium
 10928,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",(Reserved),,,,,1,=,Medium
 10929,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",iexplore.exe,,,,,1,=,Medium
@@ -334,17 +334,17 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10962,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium
 10963,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium
 10964,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium
-10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
+10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium
 10971,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
 10972,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,>=,Medium
 10998,"Microsoft Defender Antivirus","MAPS: Configure the 'Block at First Sight' feature",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",DisableBlockAtFirstSeen,,,,,0,>=,Medium
-10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,2,=,Medium
+10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,2,=,Medium
 10974,"Microsoft Defender Antivirus","MAPS: Send file samples when further analysis is required",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",SubmitSamplesConsent,,,,,1,=,Medium
 10999,"Microsoft Defender Antivirus","MpEngine: Select cloud protection level",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine",MpCloudBlockLevel,,,,,2,>=,Medium
 11013,"Microsoft Defender Antivirus","Real-time Protection: Scan all downloaded files and attachments",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableIOAVProtection,,,,0,0,=,Medium
 11014,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium
 11015,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium
-10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium
+10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium
 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium
 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium
 11028,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium
diff --git a/lists/finding_list_msft_security_baseline_windows_10_21h2_machine.csv b/lists/finding_list_msft_security_baseline_windows_10_21h2_machine.csv
index 8f2a74a..dd7c16c 100644
--- a/lists/finding_list_msft_security_baseline_windows_10_21h2_machine.csv
+++ b/lists/finding_list_msft_security_baseline_windows_10_21h2_machine.csv
@@ -7,7 +7,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10102,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium
 10103,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High
 10200,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium
-10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low
+10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low
 10202,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium
 10203,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium
 10204,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium
@@ -130,27 +130,27 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10544,"Windows Firewall","Log successful connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low
 10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low
-10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium
+10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium
 10620,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium
-10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
-10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
-10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium
+10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium
+10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium
+10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium
 10626,"MS Security Guide","Limits print driver installation to Administrators",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint",RestrictDriverInstallationToAdministrators,,,,0,1,=,Medium
 10624,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium
 10625,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High
-10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium
+10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium
+10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium
+10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium
 10643,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
 10650,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium
 10651,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
 10652,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium
 10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
 10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
-10655,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
+10655,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium
 10656,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
 10670,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium
-10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium
 10672,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
 10673,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
 10674,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium
@@ -158,7 +158,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10676,"Administrative Templates: System","Device Guard: Secure Launch Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,,,,0,1,=,Medium
 10677,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,1,=,Medium
 10678,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClassesRetroactive,,,,0,1,=,Medium
-10679,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
+10679,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
 10680,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium
 10681,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Low
 10682,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Low
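Review bot: The corrected 10679 row fixes a `RegistryPath` that repeated the hive (`HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\…`), and the `@@ -320,7` hunk fixes a second malformed path on 10926 (`HKLM:Software\…`, no backslash after the drive), but nothing in the change keeps the next typo of this kind out of the lists. A malformed path does not make an audit fail loudly; the check most likely finds no value and is scored against `DefaultValue`, and if the same list is used to apply settings the value would presumably be written under a key Windows never consults, so the control looks handled while the device class stays installable. I would add a list lint that must return nothing: `Import-Csv $list | Where-Object { $_.Method -like 'Registry*' -and $_.RegistryPath -notmatch '^HK(LM|CU):\\(?!HKEY_)' }`.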
@@ -178,7 +178,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10696,"Administrative Templates: System","Remote Assistance: Permit remote control of this computer",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowFullControl,,,,,,=,Medium
 10697,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium
 10750,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium
-10751,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium
+10751,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium
 10752,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium
 10753,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium
 10754,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium
@@ -320,7 +320,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10923,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",iexplore.exe,,,,,1,=,Medium
 10924,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",explorer.exe,,,,,1,=,Medium
 10925,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",(Reserved),,,,,1,=,Medium
-10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium
+10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium
 10927,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",explorer.exe,,,,,1,=,Medium
 10928,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",(Reserved),,,,,1,=,Medium
 10929,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",iexplore.exe,,,,,1,=,Medium
@@ -328,13 +328,13 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10931,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",(Reserved),,,,,1,=,Medium
 10972,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,>=,Medium
 10998,"Microsoft Defender Antivirus","MAPS: Configure the 'Block at First Sight' feature",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",DisableBlockAtFirstSeen,,,,,0,>=,Medium
-10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,2,=,Medium
+10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,2,=,Medium
 10974,"Microsoft Defender Antivirus","MAPS: Send file samples when further analysis is required",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",SubmitSamplesConsent,,,,,1,=,Medium
 10999,"Microsoft Defender Antivirus","MpEngine: Select cloud protection level",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine",MpCloudBlockLevel,,,,,2,>=,Medium
 11013,"Microsoft Defender Antivirus","Real-time Protection: Scan all downloaded files and attachments",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableIOAVProtection,,,,0,0,=,Medium
 11014,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium
 11015,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium
-10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium
+10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium
 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium
 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium
 11028,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium
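Review bot: Row 10998 (`DisableBlockAtFirstSeen`), directly above the changed 10973 row, pairs `RecommendedValue` 0 with operator `>=`; if `>=` is evaluated as "found value is at least the recommended one", a host where the value is 1, meaning Block at First Sight is switched off, still passes the audit. For a `Disable…` flag the comparison should be exact, as the neighbouring `DisableIOAVProtection` and `DisableRealtimeMonitoring` rows already are: end the row with `,0,=,Medium`. The row is unchanged context in this hunk, so this is a follow-up rather than a fault of the commit. It also still has an empty `DefaultValue`, which the commit fills in for 10973 and 10976.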
@@ -377,7 +377,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10962,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium
 10963,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium
 10964,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium
-10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
+10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium
 10971,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
 11000,"Administrative Templates: Windows Components","Windows Game Recording and Broadcasting: Enables or disables Windows Game Recording and Broadcasting",Registry,,HKLM:\Software\Policies\Microsoft\Windows\GameDVR,AllowGameDVR,,,,1,0,=,Low
 11001,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,1,=,Low
diff --git a/lists/finding_list_msft_security_baseline_windows_10_22h2_machine.csv b/lists/finding_list_msft_security_baseline_windows_10_22h2_machine.csv
new file mode 100644
index 0000000..ad826b5
--- /dev/null
+++ b/lists/finding_list_msft_security_baseline_windows_10_22h2_machine.csv
@@ -0,0 +1,410 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +10000,"Account Policies","Account lockout duration",accountpolicy,,,,,,,30,10,>=,Low +10001,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,10,<=,Low +10003,"Account Policies","Allow Administrator account lockout",secedit,"System Access\AllowAdministratorLockout",,,,,,1,1,=,Medium +10002,"Account Policies","Reset account lockout counter",accountpolicy,,,,,,,30,10,>=,Low +10100,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,>=,Low +10101,"Account Policies","Minimum password length",accountpolicy,,,,,,,0,14,>=,Medium +10102,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium +10103,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High +10200,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium +10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low +10202,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium +10203,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium +10204,"Security Options","Domain member: Digitally sign secure channel data (when 
possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium +10205,"Security Options","Domain member: Disable machine account password changes",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange,,,,0,0,=,Medium +10207,"Security Options","Domain member: Require strong (Windows 2000 or later) session key",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,,,,1,1,=,Medium +10208,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,=,Low +10209,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Low +10210,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +10211,"Security Options","Microsoft network client: Send unencrypted password to third-party SMB servers",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnablePlainTextPassword,,,,0,0,=,Medium +10212,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +10213,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,Medium +10214,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,Medium +10215,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and 
shares",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,Medium +10216,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium +10217,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium +10218,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium +10219,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High +10220,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium +10221,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium +10222,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium +10223,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium +10224,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. 
Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium +10225,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium +10226,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium +10227,"Security Options","User Account Control: Behavior of the elevation prompt for standard users",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorUser,,,,0,0,=,Medium +10228,"Security Options","User Account Control: Detect application installations and prompt for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableInstallerDetection,,,,1,1,=,Medium +10229,"Security Options","User Account Control: Only elevate UIAccess applications that are installed in secure locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableSecureUIAPaths,,,,1,1,=,Medium +10230,"Security Options","User Account Control: Run all administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,,,,1,1,=,Medium +10231,"Security Options","User Account Control: Virtualize file and registry write failures to per-user locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableVirtualization,,,,1,1,=,Medium +10301,"User Rights Assignment","Access Credential Manager as a trusted caller",accesschk,SeTrustedCredManAccessPrivilege,,,,,,,,=,Medium +10302,"User Rights Assignment","Access this computer from the network",accesschk,SeNetworkLogonRight,,,,,,"BUILTIN\Backup 
Operators;BUILTIN\Users;BUILTIN\Administrators;Everyone","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +10303,"User Rights Assignment","Act as part of the operating system",accesschk,SeTcbPrivilege,,,,,,,,=,Medium +10304,"User Rights Assignment","Allow log on locally",accesschk,SeInteractiveLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;COMPUTERNAME\Guest",BUILTIN\Users;BUILTIN\Administrators,=,Medium +10305,"User Rights Assignment","Back up files and directories",accesschk,SeBackupPrivilege,,,,,,"BUILTIN\Administrators;BUILTIN\Backup Operators",BUILTIN\Administrators,=,Medium +10306,"User Rights Assignment","Create a pagefile",accesschk,SeCreatePagefilePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +10307,"User Rights Assignment","Create a token object",accesschk,SeCreateTokenPrivilege,,,,,,,,=,Medium +10308,"User Rights Assignment","Create global objects",accesschk,SeCreateGlobalPrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +10309,"User Rights Assignment","Create permanent shared objects",accesschk,SeCreatePermanentPrivilege,,,,,,,,=,Medium +10310,"User Rights Assignment","Debug programs",accesschk,SeDebugPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +10311,"User Rights Assignment","Deny access to this computer from the network",accesschk,SeDenyNetworkLogonRight,,,,,,COMPUTERNAME\Guest,"NT AUTHORITY\Local account",=,Medium +10312,"User Rights Assignment","Deny log on through Remote Desktop Services",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,"NT AUTHORITY\Local account",=,Medium +10313,"User Rights Assignment","Enable computer and user accounts to be trusted for delegation",accesschk,SeEnableDelegationPrivilege,,,,,,,,=,Medium +10314,"User Rights Assignment","Force shutdown from a 
remote system",accesschk,SeRemoteShutdownPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +10315,"User Rights Assignment","Impersonate a client after authentication",accesschk,SeImpersonatePrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +10316,"User Rights Assignment","Load and unload device drivers",accesschk,SeLoadDriverPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +10317,"User Rights Assignment","Lock pages in memory",accesschk,SeLockMemoryPrivilege,,,,,,,,=,Medium +10318,"User Rights Assignment","Manage auditing and security log",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +10319,"User Rights Assignment","Modify firmware environment values",accesschk,SeSystemEnvironmentPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +10320,"User Rights Assignment","Perform volume maintenance tasks",accesschk,SeManageVolumePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +10321,"User Rights Assignment","Profile single process",accesschk,SeProfileSingleProcessPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +10322,"User Rights Assignment","Restore files and directories",accesschk,SeRestorePrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +10323,"User Rights Assignment","Take ownership of files or other objects",accesschk,SeTakeOwnershipPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +10400,"Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +10401,"Advanced Audit Policy Configuration","Security Group 
Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +10402,"Advanced Audit Policy Configuration","User Account Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low +10403,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,{0cce9248-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low +10404,"Advanced Audit Policy Configuration","Process Creation",auditpol,{0CCE922B-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +10405,"Advanced Audit Policy Configuration","Account Lockout",auditpol,{0CCE9217-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low +10406,"Advanced Audit Policy Configuration","Group Membership",auditpol,{0cce9249-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low +10407,"Advanced Audit Policy Configuration",Logon,auditpol,{0CCE9215-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +10408,"Advanced Audit Policy Configuration","Other Logon/Logoff Events",auditpol,{0CCE921C-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +10409,"Advanced Audit Policy Configuration","Special Logon",auditpol,{0CCE921B-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +10410,"Advanced Audit Policy Configuration","Detailed File Share",auditpol,{0CCE9244-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Failure,contains,Low +10411,"Advanced Audit Policy Configuration","File Share",auditpol,{0CCE9224-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +10412,"Advanced Audit Policy Configuration","Other Object Access Events",auditpol,{0CCE9227-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +10413,"Advanced Audit Policy Configuration","Removable Storage",auditpol,{0CCE9245-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +10414,"Advanced Audit Policy 
Configuration","Audit Policy Change",auditpol,{0CCE922F-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +10415,"Advanced Audit Policy Configuration","Authentication Policy Change",auditpol,{0CCE9230-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +10416,"Advanced Audit Policy Configuration","MPSSVC Rule-Level Policy Change",auditpol,{0CCE9232-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +10417,"Advanced Audit Policy Configuration","Other Policy Change Events",auditpol,{0CCE9234-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Failure,contains,Low +10418,"Advanced Audit Policy Configuration","Sensitive Privilege Use",auditpol,{0CCE9228-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +10419,"Advanced Audit Policy Configuration","Other System Events",auditpol,{0CCE9214-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +10420,"Advanced Audit Policy Configuration","Security State Change",auditpol,{0CCE9210-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +10421,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +10422,"Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +10501,"Windows Firewall","EnableFirewall (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,,,,0,1,=,Medium +10502,"Windows Firewall","EnableFirewall (Domain Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile,EnableFirewall,,,,1,1,=,Medium +10503,"Windows Firewall","Inbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,,,,1,1,=,Medium +10504,"Windows 
Firewall","Inbound Connections (Domain Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile,DefaultInboundAction,,,,1,1,=,Medium +10505,"Windows Firewall","Outbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,,,,0,0,=,Medium +10506,"Windows Firewall","Outbound Connections (Domain Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile,DefaultOutboundAction,,,,0,0,=,Medium +10507,"Windows Firewall","Display a notification (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DisableNotifications,,,,0,1,=,Low +10508,"Windows Firewall","Display a notification (Domain Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile,DisableNotifications,,,,0,1,=,Low +10509,"Windows Firewall","Log size limit (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +10510,"Windows Firewall","Log size limit (Domain Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +10511,"Windows Firewall","Log dropped packets (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +10512,"Windows Firewall","Log dropped packets (Domain Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +10513,"Windows Firewall","Log successful connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +10514,"Windows Firewall","Log 
successful connections (Domain Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+10515,"Windows Firewall","EnableFirewall (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,,,,0,1,=,Medium
+10516,"Windows Firewall","EnableFirewall (Private Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile,EnableFirewall,,,,1,1,=,Medium
+10517,"Windows Firewall","Inbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultInboundAction,,,,1,1,=,Medium
+10518,"Windows Firewall","Inbound Connections (Private Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile,DefaultInboundAction,,,,1,1,=,Medium
+10519,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium
+10520,"Windows Firewall","Outbound Connections (Private Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile,DefaultOutboundAction,,,,0,0,=,Medium
+10521,"Windows Firewall","Display a notification (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DisableNotifications,,,,0,1,=,Low
+10522,"Windows Firewall","Display a notification (Private Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile,DisableNotifications,,,,0,1,=,Low
+10523,"Windows Firewall","Log size limit (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium
+10524,"Windows Firewall","Log size limit (Private Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium
+10525,"Windows Firewall","Log dropped packets (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium
+10526,"Windows Firewall","Log dropped packets (Private Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium
+10527,"Windows Firewall","Log successful connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+10528,"Windows Firewall","Log successful connections (Private Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+10529,"Windows Firewall","EnableFirewall (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,,,,0,1,=,Medium
+10530,"Windows Firewall","EnableFirewall (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,EnableFirewall,,,,1,1,=,Medium
+10531,"Windows Firewall","Inbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium
+10532,"Windows Firewall","Inbound Connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium
+10533,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium
+10534,"Windows Firewall","Outbound Connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium
+10535,"Windows Firewall","Display a notification (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,,,,0,1,=,Low
+10536,"Windows Firewall","Display a notification (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,DisableNotifications,,,,0,1,=,Low
+10537,"Windows Firewall","Apply local firewall rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalPolicyMerge,,,,0,0,=,Low
+10538,"Windows Firewall","Apply local connection security rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalIPsecPolicyMerge,,,,0,0,=,Low
+10539,"Windows Firewall","Log size limit (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium
+10540,"Windows Firewall","Log size limit (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium
+10541,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium
+10542,"Windows Firewall","Log dropped packets (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium
+10543,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+10544,"Windows Firewall","Log successful connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low
+10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low
+10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium
+10620,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium
+10627,"MS Security Guide","Configure RPC packet level privacy setting for incoming connections",Registry,,HKLM:\System\CurrentControlSet\Control\Print,RpcAuthnLevelPrivacyEnabled,,,,,1,=,Medium
+10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium
+10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium
+10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium
+10626,"MS Security Guide","Limits print driver installation to Administrators",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint",RestrictDriverInstallationToAdministrators,,,,0,1,=,Medium
+10627,"MS Security Guide","LSA Protection",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,RunAsPPL,,,,,1,=,Medium
+10628,"MS Security Guide","Manage processing of Queue-specific files",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",CopyFilesPolicy,,,,,1,=,Medium
+10624,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium
+10625,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High
+10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium
+10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium
+10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium
+10643,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
+10650,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium
+10651,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
+10652,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium
+10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+10655,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium
+10656,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
+10660,"Administrative Templates: Printers","Configure Redirection Guard",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",RedirectionGuardPolicy,,,,,1,=,Medium
+10670,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium
+10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium
+10672,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
+10673,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
+10674,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium
+10675,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,1,=,Medium
+10676,"Administrative Templates: System","Device Guard: Secure Launch Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,,,,0,1,=,Medium
+10677,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,1,=,Medium
+10678,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClassesRetroactive,,,,0,1,=,Medium
+10679,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
+10680,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium
+10681,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Low
+10682,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Low
+10683,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off downloading of print drivers over HTTP",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",DisableWebPnPDownload,,,,0,1,=,Medium
+10684,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoWebServices,,,,0,1,=,Medium
+10685,"Administrative Templates: System","Kernel DMA Protection: Enumeration policy for external devices incompatible with Kernel DMA Protection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection",DeviceEnumerationPolicy,,,,2,0,=,Medium
+10686,"Administrative Templates: System","Logon: Enumerate local users on domain-joined computers",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,EnumerateLocalUsers,,,,0,0,=,Medium
+10687,"Administrative Templates: System","Logon: Turn on convenience PIN sign-in",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,AllowDomainPINLogon,,,,1,0,=,Medium
+10688,"Administrative Templates: System","Sleep Settings: Allow standby states (S1-S3) when sleeping (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,,,,1,0,=,Medium
+10689,"Administrative Templates: System","Sleep Settings: Allow standby states (S1-S3) when sleeping (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,ACSettingIndex,,,,1,0,=,Medium
+10690,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,DCSettingIndex,,,,0,1,=,Medium
+10691,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex,,,,0,1,=,Medium
+10692,"Administrative Templates: System","Remote Assistance: Configure Solicited Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowToGetHelp,,,,1,0,=,Medium
+10693,"Administrative Templates: System","Remote Assistance: Maximum ticket time (value)",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",MaxTicketExpiry,,,,,,=,Medium
+10694,"Administrative Templates: System","Remote Assistance: Maximum ticket time (units)",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",MaxTicketExpiryUnits,,,,,,=,Medium
+10695,"Administrative Templates: System","Remote Assistance: Method for sending email invitations",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fUseMailto,,,,,,=,Medium
+10696,"Administrative Templates: System","Remote Assistance: Permit remote control of this computer",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowFullControl,,,,,,=,Medium
+10697,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium
+10750,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium
+10751,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium
+10752,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium
+10753,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium
+10754,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium
+10755,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium
+10756,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Disable new DMA devices when this computer is locked",Registry,,HKLM:\Software\Policies\Microsoft\FVE,DisableExternalDMAUnderLock,,,,0,1,=,Medium
+10757,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Allow enhanced PINs for startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseEnhancedPin,,,,0,1,=,Medium
+10758,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Deny write access to removable drives not protected by BitLocker",Registry,,HKLM:\System\CurrentControlSet\Policies\Microsoft\FVE,RDVDenyWriteAccess,,,,,1,=,Medium
+10759,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Do not allow write access to devices configured in another organization",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDenyCrossOrg,,,,,0,=,Medium
+10760,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium
+10762,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium
+10763,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium
+10764,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium
+10765,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium
+10766,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium
+10767,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium
+10800,"Internet Explorer","Prevent bypassing SmartScreen Filter warnings",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter",PreventOverride,,,,,1,=,Medium
+10801,"Internet Explorer","Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter",PreventOverrideAppRepUnknown,,,,,1,=,Medium
+10802,"Internet Explorer","Prevent managing SmartScreen Filter",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter",EnabledV9,,,,,1,=,Medium
+10803,"Internet Explorer","Prevent per-user installation of ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX",BlockNonAdminActiveXInstall,,,,,1,=,Medium
+10804,"Internet Explorer","Security Zones: Do not allow users to add/delete sites",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings",Security_zones_map_edit,,,,,1,=,Medium
+10805,"Internet Explorer","Security Zones: Do not allow users to change policies",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings",Security_options_edit,,,,,1,=,Medium
+10806,"Internet Explorer","Security Zones: Use only machine settings",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings",Security_HKLM_only,,,,,1,=,Medium
+10807,"Internet Explorer","Specify use of ActiveX Installer Service for installation of ActiveX controls",Registry,,HKLM:\Software\Policies\Microsoft\Windows\AxInstaller,OnlyUseAXISForActiveXInstall,,,,,1,=,Medium
+10808,"Internet Explorer","Turn off Crash Detection",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Restrictions",NoCrashDetection,,,,,1,=,Medium
+10809,"Internet Explorer","Turn off the Security Settings Check feature",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Security",DisableSecuritySettingsCheck,,,,,0,=,Medium
+10810,"Internet Explorer","Internet Control Panel: Prevent ignoring certificate errors",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings",PreventIgnoreCertErrors,,,,,1,=,Medium
+10811,"Internet Explorer","Internet Control Panel: Advanced Page: Allow software to run or install even if the signature is invalid",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Download",RunInvalidSignatures,,,,,0,=,Medium
+10812,"Internet Explorer","Internet Control Panel: Advanced Page: Check for server certificate revocation",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings",CertificateRevocation,,,,,1,=,Medium
+10813,"Internet Explorer","Internet Control Panel: Advanced Page: Check for signatures on downloaded programs",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Download",CheckExeSignatures,,,,,yes,=,Medium
+10814,"Internet Explorer","Internet Control Panel: Advanced Page: Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main",DisableEPMCompat,,,,,1,=,Medium
+10815,"Internet Explorer","Internet Control Panel: Advanced Page: Turn off encryption support",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings",SecureProtocols,,,,,2560,=,Medium
+10816,"Internet Explorer","Internet Control Panel: Advanced Page: Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main",Isolation64Bit,,,,,1,=,Medium
+10817,"Internet Explorer","Internet Control Panel: Advanced Page: Turn on Enhanced Protected Mode",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main",Isolation,,,,,PMEM,=,Medium
+10818,"Internet Explorer","Internet Control Panel: Security Page: Intranet Sites: Include all network paths (UNCs)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",UNCAsIntranet,,,,,0,=,Medium
+10819,"Internet Explorer","Internet Control Panel: Security Page: Turn on certificate address mismatch warning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings",WarnOnBadCertRecving,,,,,1,=,Medium
+10820,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Access data sources across domains",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1406,,,,,3,=,Medium
+10821,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow cut, copy or paste operations from the clipboard via script",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1407,,,,,3,=,Medium
+10822,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow drag and drop or copy and paste files",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1802,,,,,3,=,Medium
+10823,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow loading of XAML files",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2402,,,,,3,=,Medium
+10824,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow only approved domains to use ActiveX controls without prompt",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",120b,,,,,3,=,Medium
+10825,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow only approved domains to use the TDC ActiveX control",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",120c,,,,,3,=,Medium
+10826,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow scripting of Internet Explorer WebBrowser controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1206,,,,,3,=,Medium
+10827,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow script-initiated windows without size or position constraints",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2102,,,,,3,=,Medium
+10828,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow scriptlets",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1209,,,,,3,=,Medium
+10829,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow updates to status bar via script",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2103,,,,,3,=,Medium
+10830,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow VBScript to run in Internet Explorer",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",140C,,,,,3,=,Medium
+10831,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Automatic prompting for file downloads",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2200,,,,,3,=,Medium
+10832,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Don't run antimalware programs against ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",270C,,,,,0,=,Medium
+10833,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Download signed ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1001,,,,,3,=,Medium
+10834,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Download unsigned ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1004,,,,,3,=,Medium
+10835,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Enable dragging of content from different domains across windows",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2709,,,,,3,=,Medium
+10836,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Enable dragging of content from different domains within a window",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2708,,,,,3,=,Medium
+10837,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Include local path when user is uploading files to a server",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",160A,,,,,3,=,Medium
+10838,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Initialize and script ActiveX controls not marked as safe",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1201,,,,,3,=,Medium
+10839,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Java permissions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1C00,,,,,0,=,Medium
+10840,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Launching applications and files in an IFRAME",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1804,,,,,3,=,Medium
+10841,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Logon options",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1A00,,,,,65536,=,Medium
+10842,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Navigate windows and frames across different domains",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1607,,,,,3,=,Medium
+10843,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Run .NET Framework-reliant components not signed with Authenticode",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2004,,,,,3,=,Medium
+10844,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Run .NET Framework-reliant components signed with Authenticode",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2001,,,,,3,=,Medium
+10845,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Show security warning for potentially unsafe files",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1806,,,,,1,=,Medium
+10846,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Turn on Cross-Site Scripting Filter",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1409,,,,,0,=,Medium
+10847,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Turn on Protected Mode",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2500,,,,,0,=,Medium
+10848,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Turn on SmartScreen Filter scan",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2301,,,,,0,=,Medium
+10849,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Use Pop-up Blocker",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1809,,,,,0,=,Medium
+10850,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Userdata persistence",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1606,,,,,3,=,Medium
+10851,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Web sites in less privileged Web content zones can navigate into this zone",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2101,,,,,3,=,Medium
+10852,"Internet Explorer","Internet Control Panel: Security Page: Intranet Zone: Don't run antimalware programs against ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1",270C,,,,,0,=,Medium
+10853,"Internet Explorer","Internet Control Panel: Security Page: Intranet Zone: Initialize and script ActiveX controls not marked as safe",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1",1201,,,,,3,=,Medium
+10854,"Internet Explorer","Internet Control Panel: Security Page: Intranet Zone: Java permissions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1",1C00,,,,,65536,=,Medium
+10855,"Internet Explorer","Internet Control Panel: Security Page: Local Machine Zone: Don't run antimalware programs against ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0",270C,,,,,0,=,Medium
+10856,"Internet Explorer","Internet Control Panel: Security Page: Local Machine Zone: Java permissions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0",1C00,,,,,0,=,Medium
+10857,"Internet Explorer","Internet Control Panel: Security Page: Locked-Down Internet Zone: Turn on SmartScreen Filter scan",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3",2301,,,,,0,=,Medium
+10858,"Internet Explorer","Internet Control Panel: Security Page: Locked-Down Intranet Zone: Java permissions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1",1C00,,,,,0,=,Medium
+10859,"Internet Explorer","Internet Control Panel: Security Page: Locked-Down Local Machine Zone: Java permissions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0",1C00,,,,,0,=,Medium
+10860,"Internet Explorer","Internet Control Panel: Security Page: Locked-Down Restricted Sites Zone: Java permissions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4",1C00,,,,,0,=,Medium
+10861,"Internet Explorer","Internet Control Panel: Security Page: Locked-Down Restricted Sites Zone: Turn on SmartScreen Filter scan",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4",2301,,,,,0,=,Medium
+10862,"Internet Explorer","Internet Control Panel: Security Page: Locked-Down Trusted Sites Zone: Java permissions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2",1C00,,,,,0,=,Medium
+10863,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Access data sources across domains",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1406,,,,,3,=,Medium
+10864,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow active scripting",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1400,,,,,3,=,Medium
+10865,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow binary and script behaviors",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2000,,,,,3,=,Medium
+10866,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow cut, copy or paste operations from the clipboard via script",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1407,,,,,3,=,Medium
+10867,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow drag and drop or copy and paste files",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1802,,,,,3,=,Medium
+10868,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow file downloads",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1803,,,,,3,=,Medium
+10869,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow loading of XAML files",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2402,,,,,3,=,Medium
+10870,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow META REFRESH",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1608,,,,,3,=,Medium
+10871,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow only approved domains to use ActiveX controls without prompt",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",120b,,,,,3,=,Medium
+10872,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow only approved domains to use the TDC ActiveX control",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",120c,,,,,3,=,Medium
+10873,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow scripting of Internet Explorer WebBrowser controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1206,,,,,3,=,Medium
+10874,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow script-initiated windows without size or position constraints",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2102,,,,,3,=,Medium
+10875,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow scriptlets",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1209,,,,,3,=,Medium
+10876,"Internet Explorer","Internet Control Panel: 
Security Page: Restricted Sites Zone: Allow updates to status bar via script",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2103,,,,,3,=,Medium +10877,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow VBScript to run in Internet Explorer",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",140C,,,,,3,=,Medium +10878,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Automatic prompting for file downloads",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2200,,,,,3,=,Medium +10879,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Don't run antimalware programs against ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",270C,,,,,0,=,Medium +10880,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Download signed ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1001,,,,,3,=,Medium +10881,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Download unsigned ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1004,,,,,3,=,Medium +10882,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Enable dragging of content from different domains across windows",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2709,,,,,3,=,Medium +10883,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Enable dragging of content from different domains within a window",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2708,,,,,3,=,Medium +10884,"Internet 
Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Include local path when user is uploading files to a server",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",160A,,,,,3,=,Medium +10885,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Initialize and script ActiveX controls not marked as safe",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1201,,,,,3,=,Medium +10886,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Java permissions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1C00,,,,,0,=,Medium +10887,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Launching applications and files in an IFRAME",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1804,,,,,3,=,Medium +10888,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Logon options",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1A00,,,,,196608,=,Medium +10889,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Navigate windows and frames across different domains",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1607,,,,,3,=,Medium +10890,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Run .NET Framework-reliant components not signed with Authenticode",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2004,,,,,3,=,Medium +10891,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Run .NET Framework-reliant components signed with Authenticode",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet 
Settings\Zones\4",2001,,,,,3,=,Medium +10892,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Run ActiveX controls and plugins",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1200,,,,,3,=,Medium +10893,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Script ActiveX controls marked safe for scripting",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1405,,,,,3,=,Medium +10894,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Scripting of Java applets",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1402,,,,,3,=,Medium +10895,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Show security warning for potentially unsafe files",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1806,,,,,3,=,Medium +10896,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Turn on Cross-Site Scripting Filter",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1409,,,,,0,=,Medium +10897,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Turn on Protected Mode",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2500,,,,,0,=,Medium +10898,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Turn on SmartScreen Filter scan",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2301,,,,,0,=,Medium +10899,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Use Pop-up Blocker",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1809,,,,,0,=,Medium +10900,"Internet Explorer","Internet 
Control Panel: Security Page: Restricted Sites Zone: Userdata persistence",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1606,,,,,3,=,Medium +10901,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Web sites in less privileged Web content zones can navigate into this zone",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2101,,,,,3,=,Medium +10902,"Internet Explorer","Internet Control Panel: Security Page: Trusted Sites Zone: Don't run antimalware programs against ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2",270C,,,,,0,=,Medium +10903,"Internet Explorer","Internet Control Panel: Security Page: Trusted Sites Zone: Initialize and script ActiveX controls not marked as safe",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2",1201,,,,,3,=,Medium +10904,"Internet Explorer","Internet Control Panel: Security Page: Trusted Sites Zone: Java permissions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2",1C00,,,,,65536,=,Medium +10905,"Internet Explorer","Security Features: Allow fallback to SSL 3.0 (Internet Explorer)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings",EnableSSL3Fallback,,,,,0,=,Medium +10906,"Internet Explorer","Security Features: Add-on Management: Remove 'Run this time' button for outdated ActiveX controls in Internet Explorer",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Ext,RunThisTimeEnabled,,,,,0,=,Medium +10907,"Internet Explorer","Security Features: Add-on Management: Turn off blocking of outdated ActiveX controls for Internet Explorer",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Ext,VersionCheckEnabled,,,,,1,=,Medium +10908,"Internet Explorer","Security Features: Consistent Mime Handling: 
Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING",iexplore.exe,,,,,1,=,Medium +10909,"Internet Explorer","Security Features: Consistent Mime Handling: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING",explorer.exe,,,,,1,=,Medium +10910,"Internet Explorer","Security Features: Consistent Mime Handling: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING",(Reserved),,,,,1,=,Medium +10911,"Internet Explorer","Security Features: Mime Sniffing Safety Feature: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING",iexplore.exe,,,,,1,=,Medium +10912,"Internet Explorer","Security Features: Mime Sniffing Safety Feature: Internet Explorer Processes explore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING",explorer.exe,,,,,1,=,Medium +10913,"Internet Explorer","Security Features: Mime Sniffing Safety Feature: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING",(Reserved),,,,,1,=,Medium +10914,"Internet Explorer","Security Features: MK Protocol Security Restriction: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL",iexplore.exe,,,,,1,=,Medium +10915,"Internet Explorer","Security Features: MK Protocol Security Restriction: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL",explorer.exe,,,,,1,=,Medium +10916,"Internet Explorer","Security Features: MK 
Protocol Security Restriction: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL",(Reserved),,,,,1,=,Medium +10917,"Internet Explorer","Security Features: Notification bar: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND",iexplore.exe,,,,,1,=,Medium +10918,"Internet Explorer","Security Features: Notification bar: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND",explorer.exe,,,,,1,=,Medium +10919,"Internet Explorer","Security Features: Notification bar: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND",(Reserved),,,,,1,=,Medium +10920,"Internet Explorer","Security Features: Protection From Zone Elevation: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION",iexplore.exe,,,,,1,=,Medium +10921,"Internet Explorer","Security Features: Protection From Zone Elevation: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION",explorer.exe,,,,,1,=,Medium +10922,"Internet Explorer","Security Features: Protection From Zone Elevation: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION",(Reserved),,,,,1,=,Medium +10923,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",iexplore.exe,,,,,1,=,Medium +10924,"Internet Explorer","Security Features: 
Restrict ActiveX Install: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",explorer.exe,,,,,1,=,Medium +10925,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",(Reserved),,,,,1,=,Medium +10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium +10927,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",explorer.exe,,,,,1,=,Medium +10928,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",(Reserved),,,,,1,=,Medium +10929,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",iexplore.exe,,,,,1,=,Medium +10930,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",explorer.exe,,,,,1,=,Medium +10931,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet 
Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",(Reserved),,,,,1,=,Medium +10972,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,>=,Medium +10998,"Microsoft Defender Antivirus","MAPS: Configure the 'Block at First Sight' feature",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",DisableBlockAtFirstSeen,,,,,0,>=,Medium +10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,2,=,Medium +10974,"Microsoft Defender Antivirus","MAPS: Send file samples when further analysis is required",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",SubmitSamplesConsent,,,,,1,=,Medium +10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium +10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium +11028,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium +10979,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +11029,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +10980,"Microsoft Defender Exploit 
Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium +11030,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium +10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +10982,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium +11017,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium +10983,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium +11018,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium +10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit 
Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +11019,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +10986,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",c1db55ab-c21a-4637-bb3f-a12568109d35,,,,0,1,=,Medium +11021,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware",MpPreferenceAsr,c1db55ab-c21a-4637-bb3f-a12568109d35,,,,,,0,1,=,Medium +10987,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium +11022,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium +10989,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium +11024,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium +10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +11025,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from 
creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +10991,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium +11026,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium +10992,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium +11027,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription",MpPreferenceAsr,e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,,,0,1,=,Medium +11032,"Microsoft Defender Exploit Guard","ASR: Block abuse of exploited vulnerable signed drivers (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",56a863a9-875e-4185-98a7-b882c64b5ce5,,,,0,1,=,Medium +11033,"Microsoft Defender Exploit Guard","ASR: Block abuse of exploited vulnerable signed drivers",MpPreferenceAsr,56a863a9-875e-4185-98a7-b882c64b5ce5,,,,,,0,1,=,Medium +10993,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium +10999,"Microsoft Defender Antivirus","MpEngine: Select cloud protection level",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine",MpCloudBlockLevel,,,,,2,>=,Medium +11013,"Microsoft Defender Antivirus","Real-time Protection: Scan all downloaded files and 
attachments",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableIOAVProtection,,,,0,0,=,Medium +11014,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium +11015,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium +11031,"Microsoft Defender Antivirus","Real-time Protection: Turn on script scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableScriptScanning,,,,0,0,=,Medium +10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium +10950,"Microsoft Edge","Configure Password Manager",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,"FormSuggest Passwords",,,,,no,=,Medium +10951,"Microsoft Edge","Configure Windows Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9,,,,,1,=,Medium +10952,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for files",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverrideAppRepUnknown,,,,,1,=,Medium +10953,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Medium +10954,"Microsoft Edge","Prevent certificate error overrides",Registry,,"HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings",PreventCertErrorOverrides,,,,,1,=,Medium +10960,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be 
saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium +10961,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium +10962,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium +10963,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium +10964,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium +10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium +10971,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium +10951,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium +10954,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium +10952,"Microsoft 
Edge","Configure Windows Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9,,,,,1,=,Medium +10953,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Medium +11000,"Administrative Templates: Windows Components","Windows Game Recording and Broadcasting: Enables or disables Windows Game Recording and Broadcasting",Registry,,HKLM:\Software\Policies\Microsoft\Windows\GameDVR,AllowGameDVR,,,,1,0,=,Low +11001,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,1,=,Low +11002,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium +11003,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium +11004,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium +11005,PowerShell,"Turn on PowerShell Script Block Logging",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockLogging,,,,0,1,=,Medium +11006,PowerShell,"Turn on PowerShell Script Block Logging (Invocation)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockInvocationLogging,,,,0,0,=,Low +11007,"Administrative Templates: Windows Components","WinRM Client: Allow Basic 
authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,Medium +11008,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium +11009,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium +11010,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium +11011,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium +11012,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium +11060,"Scheduled Task","XblGameSave Standby Task",ScheduledTask,XblGameSaveTask,,,,,,Ready,Disabled,=,Medium +11050,"System Services","Xbox Accessory Management Service (XboxGipSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxGipSvc,Start,,,,3,4,=,Medium +11051,"System Services","Xbox Accessory Management Service (XboxGipSvc) (Service Startup type)",service,XboxGipSvc,,,,,,Manual,Disabled,=,Medium +11052,"System Services","Xbox Live Auth Manager (XblAuthManager)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XblAuthManager,Start,,,,3,4,=,Medium +11053,"System Services","Xbox Live Auth Manager (XblAuthManager) (Service Startup type)",service,XblAuthManager,,,,,,Manual,Disabled,=,Medium +11054,"System Services","Xbox Live Game Save (XblGameSave)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XblGameSave,Start,,,,3,4,=,Medium +11055,"System Services","Xbox Live 
Game Save (XblGameSave) (Service Startup type)",service,XblGameSave,,,,,,Manual,Disabled,=,Medium
+11056,"System Services","Xbox Live Networking Service (XboxNetApiSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc,Start,,,,3,4,=,Medium
+11057,"System Services","Xbox Live Networking Service (XboxNetApiSvc) (Service Startup type)",service,XboxNetApiSvc,,,,,,Manual,Disabled,=,Medium
diff --git a/lists/finding_list_msft_security_baseline_windows_10_22h2_user.csv b/lists/finding_list_msft_security_baseline_windows_10_22h2_user.csv
new file mode 100644
index 0000000..0d9d0a9
--- /dev/null
+++ b/lists/finding_list_msft_security_baseline_windows_10_22h2_user.csv
@@ -0,0 +1,6 @@
+ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity
+10000,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off toast notifications on the lock screen",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoToastApplicationNotificationOnLockScreen,,,,0,1,=,Medium
+10001,"Administrative Templates: Windows Components","Cloud Content: Do not suggest third-party content in Windows spotlight",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableThirdPartySuggestions,,,,0,1,=,Medium
+10002,"Internet Explorer","Turn on the auto-complete feature for user names and passwords on forms (Main)",Registry,,"HKCU:\Software\Policies\Microsoft\Internet Explorer\Main","FormSuggest Passwords",,,,,no,=,Medium
+10003,"Internet Explorer","Turn on the auto-complete feature for user names and passwords on forms (Control Panel)",Registry,,"HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel","FormSuggest Passwords",,,,,1,=,Medium
+10004,"Internet Explorer","Turn on the auto-complete feature for user names and passwords on forms (Ask)",Registry,,"HKCU:\Software\Policies\Microsoft\Internet Explorer\Main","FormSuggest PW Ask",,,,,no,=,Medium
diff --git a/lists/finding_list_msft_security_baseline_windows_11_21h2_machine.csv b/lists/finding_list_msft_security_baseline_windows_11_21h2_machine.csv
index 938c125..a906400 100644
--- a/lists/finding_list_msft_security_baseline_windows_11_21h2_machine.csv
+++ b/lists/finding_list_msft_security_baseline_windows_11_21h2_machine.csv
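Review bot: Rows 10002, 10003 and 10004 are added with an empty DefaultValue, while the hunks for finding_list_msft_security_baseline_windows_11_21h2_machine.csv in this same commit replace empty DefaultValue cells with concrete values. If the empty cell is meant to say that the Internet Explorer policy value does not exist on an unconfigured system, that should be confirmed, because a reader cannot tell it apart from a cell that was never filled in. The same question applies to context rows that stay empty in the later hunks, for example 10620 and 10672 to 10674.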
@@ -7,7 +7,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10102,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium
 10103,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High
 10200,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium
-10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low
+10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low
 10202,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium
 10203,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium
 10204,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium
@@ -129,27 +129,27 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10544,"Windows Firewall","Log successful connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low
 10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low
-10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium
+10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium
 10620,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium
-10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
-10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
-10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium
+10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium
+10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium
+10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium
 10626,"MS Security Guide","Limits print driver installation to Administrators",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint",RestrictDriverInstallationToAdministrators,,,,0,1,=,Medium
 10624,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium
 10625,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High
-10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium
+10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium
+10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium
+10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium
 10643,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
 10650,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium
 10651,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
 10652,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium
 10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
 10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
-10655,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
+10655,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium
 10656,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
 10670,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium
-10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium
 10672,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
 10673,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
 10674,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium
@@ -157,7 +157,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10676,"Administrative Templates: System","Device Guard: Secure Launch Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,,,,0,1,=,Medium
 10677,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,1,=,Medium
 10678,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClassesRetroactive,,,,0,1,=,Medium
-10679,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
+10679,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
 10680,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium
 10681,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Low
 10682,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Low
@@ -177,7 +177,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10696,"Administrative Templates: System","Remote Assistance: Permit remote control of this computer",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowFullControl,,,,,,=,Medium
 10697,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium
 10750,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium
-10751,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium
+10751,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium
 10752,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium
 10753,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium
 10754,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium
@@ -319,7 +319,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10923,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",iexplore.exe,,,,,1,=,Medium
 10924,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",explorer.exe,,,,,1,=,Medium
 10925,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",(Reserved),,,,,1,=,Medium
-10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium
+10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium
 10927,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",explorer.exe,,,,,1,=,Medium
 10928,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",(Reserved),,,,,1,=,Medium
 10929,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",iexplore.exe,,,,,1,=,Medium
@@ -327,7 +327,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10931,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",(Reserved),,,,,1,=,Medium
 10972,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,>=,Medium
 10998,"Microsoft Defender Antivirus","MAPS: Configure the 'Block at First Sight' feature",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",DisableBlockAtFirstSeen,,,,,0,>=,Medium
-10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,2,=,Medium
+10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,2,=,Medium
 10974,"Microsoft Defender Antivirus","MAPS: Send file samples when further analysis is required",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",SubmitSamplesConsent,,,,,1,=,Medium
 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium
 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium
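Review bot: Row 10998 (`DisableBlockAtFirstSeen`) in the `@@ -327,7 +327,7 @@` hunk is checked with RecommendedValue `0` and Operator `>=`, so, assuming `>=` passes any measured value at or above the recommended one, a host where the policy is set to `1` (Block at First Sight turned off) would still pass the audit. The item is a disable flag, and the other disable flags visible in this diff, such as 10976 `DisableRemovableDriveScanning`, are compared with `=`; the tail of the row would read `DisableBlockAtFirstSeen,,,,,0,=,Medium`. This is a context line rather than one the commit changes, and the new windows_11_22h2 list should be checked for the same row.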
@@ -366,13 +366,13 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 11014,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium
 11015,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium
 11031,"Microsoft Defender Antivirus","Real-time Protection: Turn on script scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableScriptScanning,,,,0,0,=,Medium
-10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium
+10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium
 10960,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium
 10961,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium
 10962,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium
 10963,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium
 10964,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium
-10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
+10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium
 10971,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
 10951,"Microsoft Edge","Configure Windows Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9,,,,,1,=,Medium
 10952,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for files",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverrideAppRepUnknown,,,,,1,=,Medium
diff --git a/lists/finding_list_msft_security_baseline_windows_11_22h2_machine.csv b/lists/finding_list_msft_security_baseline_windows_11_22h2_machine.csv
new file mode 100644
index 0000000..9749507
--- /dev/null
+++ b/lists/finding_list_msft_security_baseline_windows_11_22h2_machine.csv
@@ -0,0 +1,418 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +10000,"Account Policies","Account lockout duration",accountpolicy,,,,,,,30,10,>=,Low +10001,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,10,<=,Low +10003,"Account Policies","Allow Administrator account lockout",secedit,"System Access\AllowAdministratorLockout",,,,,,1,1,=,Medium +10002,"Account Policies","Reset account lockout counter",accountpolicy,,,,,,,30,10,>=,Low +10100,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,>=,Low +10101,"Account Policies","Minimum password length",accountpolicy,,,,,,,0,14,>=,Medium +10102,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium +10103,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High +10200,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium +10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low +10202,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium +10203,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium +10204,"Security Options","Domain member: Digitally sign secure channel data (when 
possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium +10205,"Security Options","Domain member: Disable machine account password changes",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange,,,,0,0,=,Medium +10207,"Security Options","Domain member: Require strong (Windows 2000 or later) session key",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,,,,1,1,=,Medium +10208,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,=,Low +10209,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Low +10210,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +10211,"Security Options","Microsoft network client: Send unencrypted password to third-party SMB servers",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnablePlainTextPassword,,,,0,0,=,Medium +10212,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +10213,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,Medium +10214,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,Medium +10215,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and 
shares",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,Medium +10216,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium +10217,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium +10218,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium +10219,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High +10220,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium +10221,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium +10222,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium +10223,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium +10224,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. 
Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium +10225,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium +10226,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,5,2,=,Medium +10227,"Security Options","User Account Control: Behavior of the elevation prompt for standard users",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorUser,,,,0,0,=,Medium +10228,"Security Options","User Account Control: Detect application installations and prompt for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableInstallerDetection,,,,1,1,=,Medium +10229,"Security Options","User Account Control: Only elevate UIAccess applications that are installed in secure locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableSecureUIAPaths,,,,1,1,=,Medium +10230,"Security Options","User Account Control: Run all administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,,,,1,1,=,Medium +10231,"Security Options","User Account Control: Virtualize file and registry write failures to per-user locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableVirtualization,,,,1,1,=,Medium +10301,"User Rights Assignment","Access Credential Manager as a trusted caller",accesschk,SeTrustedCredManAccessPrivilege,,,,,,,,=,Medium +10302,"User Rights Assignment","Access this computer from the network",accesschk,SeNetworkLogonRight,,,,,,"BUILTIN\Backup 
Operators;BUILTIN\Users;BUILTIN\Administrators;Everyone","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +10303,"User Rights Assignment","Act as part of the operating system",accesschk,SeTcbPrivilege,,,,,,,,=,Medium +10304,"User Rights Assignment","Allow log on locally",accesschk,SeInteractiveLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;COMPUTERNAME\Guest",BUILTIN\Users;BUILTIN\Administrators,=,Medium +10305,"User Rights Assignment","Back up files and directories",accesschk,SeBackupPrivilege,,,,,,"BUILTIN\Administrators;BUILTIN\Backup Operators",BUILTIN\Administrators,=,Medium +10306,"User Rights Assignment","Create a pagefile",accesschk,SeCreatePagefilePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +10307,"User Rights Assignment","Create a token object",accesschk,SeCreateTokenPrivilege,,,,,,,,=,Medium +10308,"User Rights Assignment","Create global objects",accesschk,SeCreateGlobalPrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +10309,"User Rights Assignment","Create permanent shared objects",accesschk,SeCreatePermanentPrivilege,,,,,,,,=,Medium +10310,"User Rights Assignment","Debug programs",accesschk,SeDebugPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +10311,"User Rights Assignment","Deny access to this computer from the network",accesschk,SeDenyNetworkLogonRight,,,,,,COMPUTERNAME\Guest,"NT AUTHORITY\Local account",=,Medium +10312,"User Rights Assignment","Deny log on through Remote Desktop Services",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,"NT AUTHORITY\Local account",=,Medium +10313,"User Rights Assignment","Enable computer and user accounts to be trusted for delegation",accesschk,SeEnableDelegationPrivilege,,,,,,,,=,Medium +10314,"User Rights Assignment","Force shutdown from a 
remote system",accesschk,SeRemoteShutdownPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +10315,"User Rights Assignment","Impersonate a client after authentication",accesschk,SeImpersonatePrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +10316,"User Rights Assignment","Load and unload device drivers",accesschk,SeLoadDriverPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +10317,"User Rights Assignment","Lock pages in memory",accesschk,SeLockMemoryPrivilege,,,,,,,,=,Medium +10318,"User Rights Assignment","Manage auditing and security log",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +10319,"User Rights Assignment","Modify firmware environment values",accesschk,SeSystemEnvironmentPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +10320,"User Rights Assignment","Perform volume maintenance tasks",accesschk,SeManageVolumePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +10321,"User Rights Assignment","Profile single process",accesschk,SeProfileSingleProcessPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +10322,"User Rights Assignment","Restore files and directories",accesschk,SeRestorePrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +10323,"User Rights Assignment","Take ownership of files or other objects",accesschk,SeTakeOwnershipPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +10400,"Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +10401,"Advanced Audit Policy Configuration","Security Group 
Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +10402,"Advanced Audit Policy Configuration","User Account Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low +10403,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,{0cce9248-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low +10404,"Advanced Audit Policy Configuration","Process Creation",auditpol,{0CCE922B-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +10405,"Advanced Audit Policy Configuration","Account Lockout",auditpol,{0CCE9217-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low +10406,"Advanced Audit Policy Configuration","Group Membership",auditpol,{0cce9249-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low +10407,"Advanced Audit Policy Configuration",Logon,auditpol,{0CCE9215-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +10408,"Advanced Audit Policy Configuration","Other Logon/Logoff Events",auditpol,{0CCE921C-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +10409,"Advanced Audit Policy Configuration","Special Logon",auditpol,{0CCE921B-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +10410,"Advanced Audit Policy Configuration","Detailed File Share",auditpol,{0CCE9244-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Failure,contains,Low +10411,"Advanced Audit Policy Configuration","File Share",auditpol,{0CCE9224-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +10412,"Advanced Audit Policy Configuration","Other Object Access Events",auditpol,{0CCE9227-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +10413,"Advanced Audit Policy Configuration","Removable Storage",auditpol,{0CCE9245-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +10414,"Advanced Audit Policy 
Configuration","Audit Policy Change",auditpol,{0CCE922F-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +10415,"Advanced Audit Policy Configuration","Authentication Policy Change",auditpol,{0CCE9230-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +10416,"Advanced Audit Policy Configuration","MPSSVC Rule-Level Policy Change",auditpol,{0CCE9232-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +10417,"Advanced Audit Policy Configuration","Other Policy Change Events",auditpol,{0CCE9234-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Failure,contains,Low +10418,"Advanced Audit Policy Configuration","Sensitive Privilege Use",auditpol,{0CCE9228-69AE-11D9-BED3-505054503030},,,,,,"No Auditing","Success and Failure",=,Low +10419,"Advanced Audit Policy Configuration","Other System Events",auditpol,{0CCE9214-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +10420,"Advanced Audit Policy Configuration","Security State Change",auditpol,{0CCE9210-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low +10421,"Advanced Audit Policy Configuration","Security System Extension",auditpol,{0CCE9211-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low +10422,"Advanced Audit Policy Configuration","System Integrity",auditpol,{0CCE9212-69AE-11D9-BED3-505054503030},,,,,,"Success and Failure","Success and Failure",=,Low +10501,"Windows Firewall","EnableFirewall (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,,,,0,1,=,Medium +10502,"Windows Firewall","EnableFirewall (Domain Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile,EnableFirewall,,,,1,1,=,Medium +10503,"Windows Firewall","Inbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,,,,1,1,=,Medium +10504,"Windows 
Firewall","Inbound Connections (Domain Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile,DefaultInboundAction,,,,1,1,=,Medium +10505,"Windows Firewall","Outbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,,,,0,0,=,Medium +10506,"Windows Firewall","Outbound Connections (Domain Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile,DefaultOutboundAction,,,,0,0,=,Medium +10507,"Windows Firewall","Display a notification (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DisableNotifications,,,,0,1,=,Low +10508,"Windows Firewall","Display a notification (Domain Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile,DisableNotifications,,,,0,1,=,Low +10509,"Windows Firewall","Log size limit (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +10510,"Windows Firewall","Log size limit (Domain Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +10511,"Windows Firewall","Log dropped packets (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +10512,"Windows Firewall","Log dropped packets (Domain Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +10513,"Windows Firewall","Log successful connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +10514,"Windows Firewall","Log 
successful connections (Domain Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +10515,"Windows Firewall","EnableFirewall (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,,,,0,1,=,Medium +10516,"Windows Firewall","EnableFirewall (Private Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile,EnableFirewall,,,,1,1,=,Medium +10517,"Windows Firewall","Inbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultInboundAction,,,,1,1,=,Medium +10518,"Windows Firewall","Inbound Connections (Private Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile,DefaultInboundAction,,,,1,1,=,Medium +10519,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium +10520,"Windows Firewall","Outbound Connections (Private Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile,DefaultOutboundAction,,,,0,0,=,Medium +10521,"Windows Firewall","Display a notification (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DisableNotifications,,,,0,1,=,Low +10522,"Windows Firewall","Display a notification (Private Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile,DisableNotifications,,,,0,1,=,Low +10523,"Windows Firewall","Log size limit (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +10524,"Windows Firewall","Log size limit (Private 
Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +10525,"Windows Firewall","Log dropped packets (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +10526,"Windows Firewall","Log dropped packets (Private Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +10527,"Windows Firewall","Log successful connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +10528,"Windows Firewall","Log successful connections (Private Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +10529,"Windows Firewall","EnableFirewall (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,,,,0,1,=,Medium +10530,"Windows Firewall","EnableFirewall (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,EnableFirewall,,,,1,1,=,Medium +10531,"Windows Firewall","Inbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium +10532,"Windows Firewall","Inbound Connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium +10533,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium +10534,"Windows Firewall","Outbound Connections (Public 
Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium +10535,"Windows Firewall","Display a notification (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,,,,0,1,=,Low +10536,"Windows Firewall","Display a notification (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,DisableNotifications,,,,0,1,=,Low +10537,"Windows Firewall","Apply local firewall rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalPolicyMerge,,,,0,0,=,Low +10538,"Windows Firewall","Apply local connection security rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalIPsecPolicyMerge,,,,0,0,=,Low +10539,"Windows Firewall","Log size limit (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +10540,"Windows Firewall","Log size limit (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +10541,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +10542,"Windows Firewall","Log dropped packets (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +10543,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +10544,"Windows Firewall","Log successful connections (Public 
Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low +10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium +10620,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium +10627,"MS Security Guide","Configure RPC packet level privacy setting for incoming connections",Registry,,HKLM:\System\CurrentControlSet\Control\Print,RpcAuthnLevelPrivacyEnabled,,,,,1,=,Medium +10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium +10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium +10624,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium +10625,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High +10640,"MSS (Legacy)","MSS: 
(DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium +10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium +10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium +10643,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium +10657,"Administrative Templates: Network","DNS Client: Configure NetBIOS settings",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableNetbios,,,,,2,=,Medium +10650,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium +10651,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium +10652,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium +10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium +10654,"Administrative 
Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium +10655,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,0,1,=,Medium +10656,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium +10660,"Administrative Templates: Printers","Configure Redirection Guard",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",RedirectionGuardPolicy,,,,,1,=,Medium +10661,"Administrative Templates: Printers","Configure RPC connection settings (RpcUseNamedPipeProtocol)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC",RpcUseNamedPipeProtocol,,,,,0,=,Medium +10662,"Administrative Templates: Printers","Configure RPC connection settings (RpcAuthentication)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC",RpcAuthentication,,,,,0,=,Medium +10663,"Administrative Templates: Printers","Configure RPC listener settings (RpcProtocols)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC",RpcProtocols,,,,,5,=,Medium +10664,"Administrative Templates: Printers","Configure RPC listener settings (ForceKerberosForRpc)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC",ForceKerberosForRpc,,,,,0,=,Medium +10665,"Administrative Templates: Printers","Configure RPC over TCP port",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers\RPC",RpcTcpPort,,,,,0,=,Medium +10666,"Administrative Templates: 
Printers","Limits print driver installation to Administrators",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint",RestrictDriverInstallationToAdministrators,,,,0,1,=,Medium +10667,"Administrative Templates: Printers","Manage processing of Queue-specific files",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",CopyFilesPolicy,,,,,1,=,Medium +10670,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium +10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium +10672,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium +10673,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium +10674,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium +10698,"Administrative Templates: System","Device Guard: Kernel-mode Hardware-enforced Stack Protection (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureKernelShadowStacksLaunch,,,,,1,=,Medium +10675,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,1,=,Medium +10676,"Administrative Templates: System","Device Guard: Secure Launch 
Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,,,,0,1,=,Medium +10677,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,1,=,Medium +10678,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClassesRetroactive,,,,0,1,=,Medium +10679,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium +10680,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium +10681,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Low +10682,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Low +10683,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off downloading of print drivers over HTTP",Registry,,"HKLM:\Software\Policies\Microsoft\Windows 
NT\Printers",DisableWebPnPDownload,,,,0,1,=,Medium +10684,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoWebServices,,,,0,1,=,Medium +10685,"Administrative Templates: System","Kernel DMA Protection: Enumeration policy for external devices incompatible with Kernel DMA Protection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection",DeviceEnumerationPolicy,,,,2,0,=,Medium +10699,"Administrative Templates: System","Local Security Authority: Allow Custom SSPs and APs to be loaded into LSASS",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,AllowCustomSSPsAPs,,,,,0,=,Medium +10700,"Administrative Templates: System","Local Security Authority: Configures LSASS to run as a protected process",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RunAsPPL,,,,,1,=,Medium +10686,"Administrative Templates: System","Logon: Enumerate local users on domain-joined computers",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,EnumerateLocalUsers,,,,0,0,=,Medium +10687,"Administrative Templates: System","Logon: Turn on convenience PIN sign-in",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,AllowDomainPINLogon,,,,1,0,=,Medium +10688,"Administrative Templates: System","Sleep Settings: Allow standby states (S1-S3) when sleeping (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,,,,1,0,=,Medium +10689,"Administrative Templates: System","Sleep Settings: Allow standby states (S1-S3) when sleeping (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,ACSettingIndex,,,,1,0,=,Medium +10690,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (on 
battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,DCSettingIndex,,,,0,1,=,Medium +10691,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex,,,,0,1,=,Medium +10692,"Administrative Templates: System","Remote Assistance: Configure Solicited Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowToGetHelp,,,,1,0,=,Medium +10693,"Administrative Templates: System","Remote Assistance: Maximum ticket time (value)",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",MaxTicketExpiry,,,,,,=,Medium +10694,"Administrative Templates: System","Remote Assistance: Maximum ticket time (units)",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",MaxTicketExpiryUnits,,,,,,=,Medium +10695,"Administrative Templates: System","Remote Assistance: Method for sending email invitations",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fUseMailto,,,,,,=,Medium +10696,"Administrative Templates: System","Remote Assistance: Permit remote control of this computer",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowFullControl,,,,,,=,Medium +10697,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium +10750,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium +10751,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be 
optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,0,1,=,Medium +10752,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium +10753,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium +10754,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium +10755,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium +10756,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Disable new DMA devices when this computer is locked",Registry,,HKLM:\Software\Policies\Microsoft\FVE,DisableExternalDMAUnderLock,,,,0,1,=,Medium +10757,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Allow enhanced PINs for startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseEnhancedPin,,,,0,1,=,Medium +10758,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Deny write access to removable drives not protected by BitLocker",Registry,,HKLM:\System\CurrentControlSet\Policies\Microsoft\FVE,RDVDenyWriteAccess,,,,,1,=,Medium +10759,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Do not allow write access to devices configured in another organization",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDenyCrossOrg,,,,,0,=,Medium +10760,"Administrative Templates: Windows 
Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium +10762,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium +10763,"Administrative Templates: Windows Components","Event Log Service: Application: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +10764,"Administrative Templates: Windows Components","Event Log Service: Security: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +10765,"Administrative Templates: Windows Components","Event Log Service: System: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +10766,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium +10767,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium +10800,"Internet Explorer","Prevent bypassing SmartScreen Filter warnings",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter",PreventOverride,,,,,1,=,Medium +10801,"Internet Explorer","Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter",PreventOverrideAppRepUnknown,,,,,1,=,Medium 
+10802,"Internet Explorer","Prevent managing SmartScreen Filter",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\PhishingFilter",EnabledV9,,,,,1,=,Medium +10803,"Internet Explorer","Prevent per-user installation of ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX",BlockNonAdminActiveXInstall,,,,,1,=,Medium +10804,"Internet Explorer","Security Zones: Do not allow users to add/delete sites",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings",Security_zones_map_edit,,,,,1,=,Medium +10805,"Internet Explorer","Security Zones: Do not allow users to change policies",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings",Security_options_edit,,,,,1,=,Medium +10806,"Internet Explorer","Security Zones: Use only machine settings",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings",Security_HKLM_only,,,,,1,=,Medium +10807,"Internet Explorer","Specify use of ActiveX Installer Service for installation of ActiveX controls",Registry,,HKLM:\Software\Policies\Microsoft\Windows\AxInstaller,OnlyUseAXISForActiveXInstall,,,,,1,=,Medium +10808,"Internet Explorer","Turn off Crash Detection",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Restrictions",NoCrashDetection,,,,,1,=,Medium +10809,"Internet Explorer","Turn off the Security Settings Check feature",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Security",DisableSecuritySettingsCheck,,,,,0,=,Medium +10810,"Internet Explorer","Internet Control Panel: Prevent ignoring certificate errors",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings",PreventIgnoreCertErrors,,,,,1,=,Medium +10811,"Internet Explorer","Internet Control Panel: Advanced Page: Allow software to run or install even if the signature is invalid",Registry,,"HKLM:\Software\Policies\Microsoft\Internet 
Explorer\Download",RunInvalidSignatures,,,,,0,=,Medium
+10812,"Internet Explorer","Internet Control Panel: Advanced Page: Check for server certificate revocation",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings",CertificateRevocation,,,,,1,=,Medium
+10813,"Internet Explorer","Internet Control Panel: Advanced Page: Check for signatures on downloaded programs",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Download",CheckExeSignatures,,,,,yes,=,Medium
+10814,"Internet Explorer","Internet Control Panel: Advanced Page: Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main",DisableEPMCompat,,,,,1,=,Medium
+10815,"Internet Explorer","Internet Control Panel: Advanced Page: Turn off encryption support",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings",SecureProtocols,,,,,2560,=,Medium
+10816,"Internet Explorer","Internet Control Panel: Advanced Page: Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main",Isolation64Bit,,,,,1,=,Medium
+10817,"Internet Explorer","Internet Control Panel: Advanced Page: Turn on Enhanced Protected Mode",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main",Isolation,,,,,PMEM,=,Medium
+10818,"Internet Explorer","Internet Control Panel: Security Page: Intranet Sites: Include all network paths (UNCs)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap",UNCAsIntranet,,,,,0,=,Medium
+10819,"Internet Explorer","Internet Control Panel: Security Page: Turn on certificate address mismatch warning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings",WarnOnBadCertRecving,,,,,1,=,Medium
+10820,"Internet Explorer","Internet Control Panel: Security Page: 
Internet Zone: Access data sources across domains",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1406,,,,,3,=,Medium
+10821,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow cut, copy or paste operations from the clipboard via script",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1407,,,,,3,=,Medium
+10822,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow drag and drop or copy and paste files",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1802,,,,,3,=,Medium
+10823,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow loading of XAML files",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2402,,,,,3,=,Medium
+10824,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow only approved domains to use ActiveX controls without prompt",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",120b,,,,,3,=,Medium
+10825,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow only approved domains to use the TDC ActiveX control",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",120c,,,,,3,=,Medium
+10826,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow scripting of Internet Explorer WebBrowser controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1206,,,,,3,=,Medium
+10827,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow script-initiated windows without size or position constraints",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2102,,,,,3,=,Medium
+10828,"Internet Explorer","Internet Control Panel: 
Security Page: Internet Zone: Allow scriptlets",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1209,,,,,3,=,Medium
+10829,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow updates to status bar via script",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2103,,,,,3,=,Medium
+10830,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Allow VBScript to run in Internet Explorer",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",140C,,,,,3,=,Medium
+10831,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Automatic prompting for file downloads",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2200,,,,,3,=,Medium
+10832,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Don't run antimalware programs against ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",270C,,,,,0,=,Medium
+10833,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Download signed ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1001,,,,,3,=,Medium
+10834,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Download unsigned ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1004,,,,,3,=,Medium
+10835,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Enable dragging of content from different domains across windows",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2709,,,,,3,=,Medium
+10836,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Enable dragging of content from different domains within a 
window",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2708,,,,,3,=,Medium
+10837,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Include local path when user is uploading files to a server",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",160A,,,,,3,=,Medium
+10838,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Initialize and script ActiveX controls not marked as safe",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1201,,,,,3,=,Medium
+10839,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Java permissions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1C00,,,,,0,=,Medium
+10840,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Launching applications and files in an IFRAME",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1804,,,,,3,=,Medium
+10841,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Logon options",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1A00,,,,,65536,=,Medium
+10842,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Navigate windows and frames across different domains",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1607,,,,,3,=,Medium
+10843,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Run .NET Framework-reliant components not signed with Authenticode",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2004,,,,,3,=,Medium
+10844,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Run .NET Framework-reliant components signed with 
Authenticode",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2001,,,,,3,=,Medium
+10845,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Show security warning for potentially unsafe files",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1806,,,,,1,=,Medium
+10846,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Turn on Cross-Site Scripting Filter",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1409,,,,,0,=,Medium
+10847,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Turn on Protected Mode",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2500,,,,,0,=,Medium
+10848,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Turn on SmartScreen Filter scan",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2301,,,,,0,=,Medium
+10849,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Use Pop-up Blocker",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1809,,,,,0,=,Medium
+10850,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Userdata persistence",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",1606,,,,,3,=,Medium
+10851,"Internet Explorer","Internet Control Panel: Security Page: Internet Zone: Web sites in less privileged Web content zones can navigate into this zone",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",2101,,,,,3,=,Medium
+10852,"Internet Explorer","Internet Control Panel: Security Page: Intranet Zone: Don't run antimalware programs against ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet 
Settings\Zones\1",270C,,,,,0,=,Medium
+10853,"Internet Explorer","Internet Control Panel: Security Page: Intranet Zone: Initialize and script ActiveX controls not marked as safe",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1",1201,,,,,3,=,Medium
+10854,"Internet Explorer","Internet Control Panel: Security Page: Intranet Zone: Java permissions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1",1C00,,,,,65536,=,Medium
+10855,"Internet Explorer","Internet Control Panel: Security Page: Local Machine Zone: Don't run antimalware programs against ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0",270C,,,,,0,=,Medium
+10856,"Internet Explorer","Internet Control Panel: Security Page: Local Machine Zone: Java permissions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0",1C00,,,,,0,=,Medium
+10857,"Internet Explorer","Internet Control Panel: Security Page: Locked-Down Internet Zone: Turn on SmartScreen Filter scan",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3",2301,,,,,0,=,Medium
+10858,"Internet Explorer","Internet Control Panel: Security Page: Locked-Down Intranet Zone: Java permissions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1",1C00,,,,,0,=,Medium
+10859,"Internet Explorer","Internet Control Panel: Security Page: Locked-Down Local Machine Zone: Java permissions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0",1C00,,,,,0,=,Medium
+10860,"Internet Explorer","Internet Control Panel: Security Page: Locked-Down Restricted Sites Zone: Java permissions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4",1C00,,,,,0,=,Medium
+10861,"Internet 
Explorer","Internet Control Panel: Security Page: Locked-Down Restricted Sites Zone: Turn on SmartScreen Filter scan",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4",2301,,,,,0,=,Medium
+10862,"Internet Explorer","Internet Control Panel: Security Page: Locked-Down Trusted Sites Zone: Java permissions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2",1C00,,,,,0,=,Medium
+10863,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Access data sources across domains",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1406,,,,,3,=,Medium
+10864,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow active scripting",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1400,,,,,3,=,Medium
+10865,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow binary and script behaviors",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2000,,,,,3,=,Medium
+10866,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow cut, copy or paste operations from the clipboard via script",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1407,,,,,3,=,Medium
+10867,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow drag and drop or copy and paste files",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1802,,,,,3,=,Medium
+10868,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow file downloads",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1803,,,,,3,=,Medium
+10869,"Internet Explorer","Internet Control Panel: 
Security Page: Restricted Sites Zone: Allow loading of XAML files",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2402,,,,,3,=,Medium
+10870,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow META REFRESH",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1608,,,,,3,=,Medium
+10871,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow only approved domains to use ActiveX controls without prompt",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",120b,,,,,3,=,Medium
+10872,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow only approved domains to use the TDC ActiveX control",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",120c,,,,,3,=,Medium
+10873,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow scripting of Internet Explorer WebBrowser controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1206,,,,,3,=,Medium
+10874,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow script-initiated windows without size or position constraints",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2102,,,,,3,=,Medium
+10875,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow scriptlets",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1209,,,,,3,=,Medium
+10876,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Allow updates to status bar via script",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2103,,,,,3,=,Medium
+10877,"Internet Explorer","Internet Control 
Panel: Security Page: Restricted Sites Zone: Allow VBScript to run in Internet Explorer",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",140C,,,,,3,=,Medium
+10878,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Automatic prompting for file downloads",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2200,,,,,3,=,Medium
+10879,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Don't run antimalware programs against ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",270C,,,,,0,=,Medium
+10880,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Download signed ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1001,,,,,3,=,Medium
+10881,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Download unsigned ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1004,,,,,3,=,Medium
+10882,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Enable dragging of content from different domains across windows",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2709,,,,,3,=,Medium
+10883,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Enable dragging of content from different domains within a window",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2708,,,,,3,=,Medium
+10884,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Include local path when user is uploading files to a server",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",160A,,,,,3,=,Medium
+10885,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Initialize and script ActiveX controls not marked as safe",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1201,,,,,3,=,Medium
+10886,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Java permissions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1C00,,,,,0,=,Medium
+10887,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Launching applications and files in an IFRAME",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1804,,,,,3,=,Medium
+10888,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Logon options",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1A00,,,,,196608,=,Medium
+10889,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Navigate windows and frames across different domains",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1607,,,,,3,=,Medium
+10890,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Run .NET Framework-reliant components not signed with Authenticode",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2004,,,,,3,=,Medium
+10891,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Run .NET Framework-reliant components signed with Authenticode",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2001,,,,,3,=,Medium
+10892,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Run ActiveX controls and plugins",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet 
Settings\Zones\4",1200,,,,,3,=,Medium
+10893,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Script ActiveX controls marked safe for scripting",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1405,,,,,3,=,Medium
+10894,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Scripting of Java applets",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1402,,,,,3,=,Medium
+10895,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Show security warning for potentially unsafe files",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1806,,,,,3,=,Medium
+10896,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Turn on Cross-Site Scripting Filter",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1409,,,,,0,=,Medium
+10897,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Turn on Protected Mode",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2500,,,,,0,=,Medium
+10898,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Turn on SmartScreen Filter scan",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2301,,,,,0,=,Medium
+10899,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Use Pop-up Blocker",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1809,,,,,0,=,Medium
+10900,"Internet Explorer","Internet Control Panel: Security Page: Restricted Sites Zone: Userdata persistence",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",1606,,,,,3,=,Medium
+10901,"Internet Explorer","Internet Control Panel: 
Security Page: Restricted Sites Zone: Web sites in less privileged Web content zones can navigate into this zone",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4",2101,,,,,3,=,Medium
+10902,"Internet Explorer","Internet Control Panel: Security Page: Trusted Sites Zone: Don't run antimalware programs against ActiveX controls",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2",270C,,,,,0,=,Medium
+10903,"Internet Explorer","Internet Control Panel: Security Page: Trusted Sites Zone: Initialize and script ActiveX controls not marked as safe",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2",1201,,,,,3,=,Medium
+10904,"Internet Explorer","Internet Control Panel: Security Page: Trusted Sites Zone: Java permissions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2",1C00,,,,,65536,=,Medium
+10905,"Internet Explorer","Security Features: Allow fallback to SSL 3.0 (Internet Explorer)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings",EnableSSL3Fallback,,,,,0,=,Medium
+10906,"Internet Explorer","Security Features: Add-on Management: Remove 'Run this time' button for outdated ActiveX controls in Internet Explorer",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Ext,RunThisTimeEnabled,,,,,0,=,Medium
+10907,"Internet Explorer","Security Features: Add-on Management: Turn off blocking of outdated ActiveX controls for Internet Explorer",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Ext,VersionCheckEnabled,,,,,1,=,Medium
+10908,"Internet Explorer","Security Features: Consistent Mime Handling: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING",iexplore.exe,,,,,1,=,Medium
+10909,"Internet Explorer","Security Features: Consistent Mime 
Handling: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING",explorer.exe,,,,,1,=,Medium
+10910,"Internet Explorer","Security Features: Consistent Mime Handling: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING",(Reserved),,,,,1,=,Medium
+10911,"Internet Explorer","Security Features: Mime Sniffing Safety Feature: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING",iexplore.exe,,,,,1,=,Medium
+10912,"Internet Explorer","Security Features: Mime Sniffing Safety Feature: Internet Explorer Processes explore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING",explorer.exe,,,,,1,=,Medium
+10913,"Internet Explorer","Security Features: Mime Sniffing Safety Feature: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING",(Reserved),,,,,1,=,Medium
+10914,"Internet Explorer","Security Features: MK Protocol Security Restriction: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL",iexplore.exe,,,,,1,=,Medium
+10915,"Internet Explorer","Security Features: MK Protocol Security Restriction: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL",explorer.exe,,,,,1,=,Medium
+10916,"Internet Explorer","Security Features: MK Protocol Security Restriction: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL",(Reserved),,,,,1,=,Medium
+10917,"Internet 
Explorer","Security Features: Notification bar: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND",iexplore.exe,,,,,1,=,Medium
+10918,"Internet Explorer","Security Features: Notification bar: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND",explorer.exe,,,,,1,=,Medium
+10919,"Internet Explorer","Security Features: Notification bar: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND",(Reserved),,,,,1,=,Medium
+10920,"Internet Explorer","Security Features: Protection From Zone Elevation: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION",iexplore.exe,,,,,1,=,Medium
+10921,"Internet Explorer","Security Features: Protection From Zone Elevation: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION",explorer.exe,,,,,1,=,Medium
+10922,"Internet Explorer","Security Features: Protection From Zone Elevation: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION",(Reserved),,,,,1,=,Medium
+10923,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",iexplore.exe,,,,,1,=,Medium
+10924,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",explorer.exe,,,,,1,=,Medium
+10925,"Internet 
Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",(Reserved),,,,,1,=,Medium
+10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium
+10927,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",explorer.exe,,,,,1,=,Medium
+10928,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",(Reserved),,,,,1,=,Medium
+10929,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",iexplore.exe,,,,,1,=,Medium
+10930,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",explorer.exe,,,,,1,=,Medium
+10931,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",(Reserved),,,,,1,=,Medium
+10972,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,>=,Medium
+10998,"Microsoft Defender Antivirus","MAPS: Configure the 'Block at First Sight' feature",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",DisableBlockAtFirstSeen,,,,,0,>=,Medium
+10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,2,=,Medium
+10974,"Microsoft Defender Antivirus","MAPS: Send file samples when further analysis is required",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",SubmitSamplesConsent,,,,,1,=,Medium
+10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium
+10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium
+11028,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium
+10979,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium
+11029,"Microsoft Defender Exploit Guard","ASR: Block all Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium
+10980,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium
+11030,"Microsoft Defender Exploit 
Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium
+10981,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium
+11016,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting code into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium
+10982,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium
+11017,"Microsoft Defender Exploit Guard","ASR: Block JavaScript or VBScript from launching downloaded executable content",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium
+10983,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium
+11018,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium
+10984,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium
+11019,"Microsoft Defender Exploit Guard","ASR: Block Win32 API calls from Office macros",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium
+10986,"Microsoft Defender Exploit Guard","ASR: Use 
advanced protection against ransomware (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",c1db55ab-c21a-4637-bb3f-a12568109d35,,,,0,1,=,Medium +11021,"Microsoft Defender Exploit Guard","ASR: Use advanced protection against ransomware",MpPreferenceAsr,c1db55ab-c21a-4637-bb3f-a12568109d35,,,,,,0,1,=,Medium +10987,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium +11022,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium +10989,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium +11024,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium +10990,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +11025,"Microsoft Defender Exploit Guard","ASR: Block Office communication application from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +10991,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit 
Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium +11026,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium +10992,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium +11027,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription",MpPreferenceAsr,e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,,,0,1,=,Medium +11032,"Microsoft Defender Exploit Guard","ASR: Block abuse of exploited vulnerable signed drivers (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",56a863a9-875e-4185-98a7-b882c64b5ce5,,,,0,1,=,Medium +11033,"Microsoft Defender Exploit Guard","ASR: Block abuse of exploited vulnerable signed drivers",MpPreferenceAsr,56a863a9-875e-4185-98a7-b882c64b5ce5,,,,,,0,1,=,Medium +10993,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium +10999,"Microsoft Defender Antivirus","MpEngine: Select cloud protection level",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine",MpCloudBlockLevel,,,,,2,>=,Medium +11013,"Microsoft Defender Antivirus","Real-time Protection: Scan all downloaded files and attachments",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableIOAVProtection,,,,0,0,=,Medium +11014,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time 
Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium +11015,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium +11031,"Microsoft Defender Antivirus","Real-time Protection: Turn on script scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableScriptScanning,,,,0,0,=,Medium +10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium +10960,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium +10961,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium +10962,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium +10963,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium +10964,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium +10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of 
enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium +10971,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium +11040,"Administrative Templates: Windows Components","Windows Defender SmartScreen: Enhanced Phishing Protection",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WTDS\Components,NotifyMalicious,,,,,1,=,Medium +11041,"Administrative Templates: Windows Components","Windows Defender SmartScreen: Notify Password Reuse",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WTDS\Components,NotifyPasswordReuse,,,,,1,=,Medium +11042,"Administrative Templates: Windows Components","Windows Defender SmartScreen: Notify Unsafe App",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WTDS\Components,NotifyUnsafeApp,,,,,1,=,Medium +11043,"Administrative Templates: Windows Components","Windows Defender SmartScreen: Service Enabled",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WTDS\Components,ServiceEnabled,,,,,1,=,Medium +10951,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium +10954,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium +10952,"Microsoft Edge","Configure Windows Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9,,,,,1,=,Medium +10953,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Medium +11000,"Administrative 
Templates: Windows Components","Windows Game Recording and Broadcasting: Enables or disables Windows Game Recording and Broadcasting",Registry,,HKLM:\Software\Policies\Microsoft\Windows\GameDVR,AllowGameDVR,,,,1,0,=,Low +11001,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,1,=,Low +11002,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium +11003,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium +11034,"Administrative Templates: Windows Components","Windows Logon Options: Enable MPR notifications for the system",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,EnableMPR,,,,,0,=,Medium +11004,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium +11005,PowerShell,"Turn on PowerShell Script Block Logging",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockLogging,,,,0,1,=,Medium +11006,PowerShell,"Turn on PowerShell Script Block Logging (Invocation)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockInvocationLogging,,,,0,0,=,Low +11007,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,Medium +11008,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted 
traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium +11009,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium +11010,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium +11011,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium +11012,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium +11060,"Scheduled Task","XblGameSave Standby Task",ScheduledTask,XblGameSaveTask,,,,,,Ready,Disabled,=,Medium +11050,"System Services","Xbox Accessory Management Service (XboxGipSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxGipSvc,Start,,,,3,4,=,Medium +11051,"System Services","Xbox Accessory Management Service (XboxGipSvc) (Service Startup type)",service,XboxGipSvc,,,,,,Manual,Disabled,=,Medium +11052,"System Services","Xbox Live Auth Manager (XblAuthManager)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XblAuthManager,Start,,,,3,4,=,Medium +11053,"System Services","Xbox Live Auth Manager (XblAuthManager) (Service Startup type)",service,XblAuthManager,,,,,,Manual,Disabled,=,Medium +11054,"System Services","Xbox Live Game Save (XblGameSave)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XblGameSave,Start,,,,3,4,=,Medium +11055,"System Services","Xbox Live Game Save (XblGameSave) (Service Startup type)",service,XblGameSave,,,,,,Manual,Disabled,=,Medium +11056,"System Services","Xbox Live Networking Service 
(XboxNetApiSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc,Start,,,,3,4,=,Medium +11057,"System Services","Xbox Live Networking Service (XboxNetApiSvc) (Service Startup type)",service,XboxNetApiSvc,,,,,,Manual,Disabled,=,Medium diff --git a/lists/finding_list_msft_security_baseline_windows_11_22h2_user.csv b/lists/finding_list_msft_security_baseline_windows_11_22h2_user.csv new file mode 100644 index 0000000..0d9d0a9 --- /dev/null +++ b/lists/finding_list_msft_security_baseline_windows_11_22h2_user.csv @@ -0,0 +1,6 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +10000,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off toast notifications on the lock screen",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoToastApplicationNotificationOnLockScreen,,,,0,1,=,Medium +10001,"Administrative Templates: Windows Components","Cloud Content: Do not suggest third-party content in Windows spotlight",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableThirdPartySuggestions,,,,0,1,=,Medium +10002,"Internet Explorer","Turn on the auto-complete feature for user names and passwords on forms (Main)",Registry,,"HKCU:\Software\Policies\Microsoft\Internet Explorer\Main","FormSuggest Passwords",,,,,no,=,Medium +10003,"Internet Explorer","Turn on the auto-complete feature for user names and passwords on forms (Control Panel)",Registry,,"HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel","FormSuggest Passwords",,,,,1,=,Medium +10004,"Internet Explorer","Turn on the auto-complete feature for user names and passwords on forms (Ask)",Registry,,"HKCU:\Software\Policies\Microsoft\Internet Explorer\Main","FormSuggest PW Ask",,,,,no,=,Medium 
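Review bot: Rows 10002–10004 of the new user list leave DefaultValue empty, and row 10003 recommends `1` for the same policy that rows 10002 and 10004 set to `no`. As far as I know, the `Control Panel` copy of `FormSuggest Passwords` locks the option in the IE settings UI rather than enabling auto-complete, so `1` is probably intended. Nothing in the list says so, and the CSV has no comment syntax, so a sentence in the list documentation would stop someone "correcting" it to `0`. Because every row here reads `HKCU:`, the result describes only the profile of the account running the audit; if the tool is normally run elevated under an admin account, that limitation should be documented alongside.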
diff --git a/lists/finding_list_msft_security_baseline_windows_server_2004_dc_machine.csv b/lists/finding_list_msft_security_baseline_windows_server_2004_dc_machine.csv
index ebd3585..01d9a6d 100644
--- a/lists/finding_list_msft_security_baseline_windows_server_2004_dc_machine.csv
+++ b/lists/finding_list_msft_security_baseline_windows_server_2004_dc_machine.csv
@@ -7,7 +7,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10102,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium
 10103,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High
 10200,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium
-10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low
+10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low
 10232,"Security Options","Domain controller: LDAP server channel binding token requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LdapEnforceChannelBinding,,,,1,2,=,Medium
 10233,"Security Options","Domain controller: LDAP server signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LDAPServerIntegrity,,,,1,2,=,Low
 10202,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium
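Review bot: Row 10201 now carries DefaultValue `1`, equal to its RecommendedValue `1`, so a host where `SCENoApplyLegacyAuditPolicy` was never written would be reported as compliant if the Registry method substitutes DefaultValue for an absent value (the checking code is not part of this diff). That is only correct if the OS really behaves as `1` when the value is missing; otherwise the previous empty default was the safer, fail-closed choice. The same default-equals-recommended pattern is introduced for rows 10425 and 10623 in later hunks of this file and for 10201 in the member_machine list. Each of these should be confirmed against a clean Server 2004 install, and the source of the default noted in the commit message.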
@@ -59,15 +59,15 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10322,"User Rights Assignment","Restore files and directories",accesschk,SeRestorePrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium 10323,"User Rights Assignment","Take ownership of files or other objects",accesschk,SeTakeOwnershipPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium 10400,"Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Failure,contains,Low -10423,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low -10424,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,,Failure,contains,Low -10425,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low +10423,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low +10424,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low +10425,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low 10426,"Advanced Audit Policy Configuration","Other Account Management Events",auditpol,{0CCE923A-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low 10401,"Advanced Audit Policy Configuration","Security Group Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low 10402,"Advanced Audit Policy Configuration","User Account 
Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low 10403,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,{0cce9248-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low 10404,"Advanced Audit Policy Configuration","Process Creation",auditpol,{0CCE922B-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low -10427,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,,Failure,contains,Low +10427,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low 10428,"Advanced Audit Policy Configuration","Directory Service Changes",auditpol,{0CCE923C-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low 10405,"Advanced Audit Policy Configuration","Account Lockout",auditpol,{0CCE9217-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low 10406,"Advanced Audit Policy Configuration","Group Membership",auditpol,{0cce9249-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low 
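Review bot: Rows 10426 (Other Account Management Events) and 10428 (Directory Service Changes) keep an empty DefaultValue, although their neighbours 10423–10425 and 10427 are filled in by this hunk, so the block is left half populated. If the gap is deliberate because the domain-controller default is uncertain, the commit message should say so; otherwise fill both rows in the same change. The hunk is an excerpt of a longer list, so auditpol rows outside it may have the same gap.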
@@ -107,21 +107,21 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10534,"Windows Firewall","Outbound Connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low 10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low -10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium -10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium -10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium +10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium 10624,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium 10625,"MS Security Guide","WDigest 
Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High -10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium +10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium +10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium +10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium 10643,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium 10650,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium 10651,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest 
logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium 10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium 10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium 10670,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium -10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium 10672,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium 10673,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium 10674,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,0,=,Medium 
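Review bot: DefaultValue `1` on row 10621 (`MrxSmb10\Start`) needs a second look. On the service start-type scale 1 is System, 2 Automatic, 3 Manual and 4 Disabled, and I would expect an installed SMB1 client driver to default to 2 rather than 1. The pass/fail outcome is unaffected, since neither value equals the recommended `4`, but a wrong default misleads anyone reading the list as a reference. Please confirm the value on a reference host, or leave the column empty for builds where the driver key may not exist at all. Row 10621 is changed the same way in the member_machine list.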
@@ -267,7 +267,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10923,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",iexplore.exe,,,,,1,=,Medium
 10924,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",explorer.exe,,,,,1,=,Medium
 10925,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",(Reserved),,,,,1,=,Medium
-10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium
+10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium
 10927,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",explorer.exe,,,,,1,=,Medium
 10928,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",(Reserved),,,,,1,=,Medium
 10929,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",iexplore.exe,,,,,1,=,Medium
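Review bot: Other lists may still carry the `HKLM:Software` typo that row 10926 corrects here; only this one row is touched in the visible hunks. A drive-qualified path without the leading backslash is resolved relative to the current location on that drive, so such a row can silently read a different key, or none, without raising an error. Searching `lists/` for `HKLM:` or `HKCU:` not followed by `\` would show whether copies remain. A small test asserting that every non-empty RegistryPath matches a pattern such as `^HK(LM|CU):\\` would keep the typo from coming back.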
@@ -278,12 +278,12 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10962,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium 10963,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium 10964,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium -10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium 10971,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium 10972,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,>=,Medium -10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,2,=,Medium +10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,2,=,Medium 
10974,"Microsoft Defender Antivirus","MAPS: Send file samples when further analysis is required",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",SubmitSamplesConsent,,,,,1,=,Medium -10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium +10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium 11028,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium diff --git a/lists/finding_list_msft_security_baseline_windows_server_2004_member_machine.csv b/lists/finding_list_msft_security_baseline_windows_server_2004_member_machine.csv index eed7e81..e9bb5e7 100644 --- a/lists/finding_list_msft_security_baseline_windows_server_2004_member_machine.csv +++ b/lists/finding_list_msft_security_baseline_windows_server_2004_member_machine.csv 
@@ -7,7 +7,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10102,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium
 10103,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High
 10200,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium
-10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low
+10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low
 10202,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium
 10203,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium
 10204,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium
@@ -103,23 +103,23 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10534,"Windows Firewall","Outbound Connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low 10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low -10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium +10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium 10620,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium -10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium -10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium -10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +10622,"MS Security Guide","Configure SMB v1 
server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium +10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium 10624,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium 10625,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High -10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium +10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium +10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium +10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium 10643,"MSS (Legacy)","MSS: 
(NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium 10650,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium 10651,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium 10653,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium 10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium 10670,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium -10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium 10672,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security 
(Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium 10673,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium 10674,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium 
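Review bot: The DefaultValue column is still empty for 10620 (LocalAccountTokenFilterPolicy) and for the Device Guard rows 10672–10674 in this hunk, although the rows around them now carry a default. The script that reads this column is not part of the diff, but if the default stands in for a registry value that does not exist, these rows would compare an empty string with the recommended value and report a result that does not reflect the effective setting. For 10620 an absent value behaves like 0 on Windows, so the row could end `LocalAccountTokenFilterPolicy,,,,0,0,=,Medium`. The same gap remains for 10974 in the @@ -278 hunk of this file and, in the 2022 DC list, for 10426 and 10428 (@@ -60), 10672–10674 (@@ -108) and 10998 and 10974 (@@ -277). The two auditpol rows could take `"No Auditing"` as 10403 and 10404 do, provided that is the OS default for those subcategories.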
@@ -267,7 +267,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10923,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",iexplore.exe,,,,,1,=,Medium 10924,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",explorer.exe,,,,,1,=,Medium 10925,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",(Reserved),,,,,1,=,Medium -10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium +10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium 10927,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",explorer.exe,,,,,1,=,Medium 10928,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",(Reserved),,,,,1,=,Medium 10929,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes 
iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",iexplore.exe,,,,,1,=,Medium 
@@ -278,12 +278,12 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10962,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium
 10963,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium
 10964,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium
-10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
+10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium
 10971,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
 10972,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,>=,Medium
-10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,2,=,Medium
+10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,2,=,Medium
 10974,"Microsoft Defender Antivirus","MAPS: Send file samples when further analysis is required",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",SubmitSamplesConsent,,,,,1,=,Medium
-10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium
+10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium
 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium
 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium
 11028,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium
diff --git a/lists/finding_list_msft_security_baseline_windows_server_2022_21h2_dc_machine.csv b/lists/finding_list_msft_security_baseline_windows_server_2022_21h2_dc_machine.csv
index 3f09008..f5b46f3 100644
--- a/lists/finding_list_msft_security_baseline_windows_server_2022_21h2_dc_machine.csv
+++ b/lists/finding_list_msft_security_baseline_windows_server_2022_21h2_dc_machine.csv
@@ -7,7 +7,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10102,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium
 10103,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High
 10200,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium
-10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low
+10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low
 10232,"Security Options","Domain controller: LDAP server channel binding token requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LdapEnforceChannelBinding,,,,1,2,=,Medium
 10233,"Security Options","Domain controller: LDAP server signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LDAPServerIntegrity,,,,1,2,=,Low
 10202,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium
@@ -60,15 +60,15 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10322,"User Rights Assignment","Restore files and directories",accesschk,SeRestorePrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium 10323,"User Rights Assignment","Take ownership of files or other objects",accesschk,SeTakeOwnershipPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium 10400,"Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Failure,contains,Low -10423,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low -10424,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,,Failure,contains,Low -10425,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low +10423,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low +10424,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low +10425,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low 10426,"Advanced Audit Policy Configuration","Other Account Management Events",auditpol,{0CCE923A-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low 10401,"Advanced Audit Policy Configuration","Security Group Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low 10402,"Advanced Audit Policy Configuration","User Account 
Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low 10403,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,{0cce9248-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low 10404,"Advanced Audit Policy Configuration","Process Creation",auditpol,{0CCE922B-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low -10427,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,,Failure,contains,Low +10427,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low 10428,"Advanced Audit Policy Configuration","Directory Service Changes",auditpol,{0CCE923C-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low 10405,"Advanced Audit Policy Configuration","Account Lockout",auditpol,{0CCE9217-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low 10406,"Advanced Audit Policy Configuration","Group Membership",auditpol,{0cce9249-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low 
@@ -108,22 +108,22 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10534,"Windows Firewall","Outbound Connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low 10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low -10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium -10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium -10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium +10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium 10626,"MS Security Guide","Limits print driver installation to Administrators",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint",RestrictDriverInstallationToAdministrators,,,,0,1,=,Medium 10624,"MS Security Guide","NetBT NodeType 
configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium 10625,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High -10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium +10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium +10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium +10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium 10643,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium 10650,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution 
(LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium 10651,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium 10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1,RequireIntegrity=1",=,Medium 10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium 10670,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium -10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium 10672,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium 10673,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium 10674,"Administrative Templates: 
System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,0,=,Medium 
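Review bot: The two Hardened UNC Paths rows in this hunk expect differently spelled values: 10653 (NETLOGON) has `RequireMutualAuthentication=1,RequireIntegrity=1` and 10654 (SYSVOL) has `RequireMutualAuthentication=1, RequireIntegrity=1`, both with the `=` operator. The comparison code is not part of this diff, but if `=` is an exact string match, a host with both paths configured identically would pass one check and fail the other. Since the commit is already normalising this list, 10653 could take the spaced form that the 2004 member list uses for NETLOGON, `"RequireMutualAuthentication=1, RequireIntegrity=1"`. Both rows are unchanged context lines here.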
@@ -269,7 +269,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10923,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",iexplore.exe,,,,,1,=,Medium 10924,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",explorer.exe,,,,,1,=,Medium 10925,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",(Reserved),,,,,1,=,Medium -10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium +10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium 10927,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",explorer.exe,,,,,1,=,Medium 10928,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",(Reserved),,,,,1,=,Medium 10929,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes 
iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",iexplore.exe,,,,,1,=,Medium @@ -277,7 +277,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10931,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",(Reserved),,,,,1,=,Medium 10972,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,>=,Medium 10998,"Microsoft Defender Antivirus","MAPS: Configure the 'Block at First Sight' feature",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",DisableBlockAtFirstSeen,,,,,0,>=,Medium -10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,2,=,Medium +10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,2,=,Medium 10974,"Microsoft Defender Antivirus","MAPS: Send file samples when further analysis is required",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",SubmitSamplesConsent,,,,,1,=,Medium 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium 
@@ -316,13 +316,13 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 11014,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium 11015,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium 11031,"Microsoft Defender Antivirus","Real-time Protection: Turn on script scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableScriptScanning,,,,0,0,=,Medium -10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium +10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium 10960,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium 10961,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium 10962,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium 10963,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC 
communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium
 10964,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium
-10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
+10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium
 10971,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
 11001,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,1,=,Low
 11002,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium
diff --git a/lists/finding_list_msft_security_baseline_windows_server_2022_21h2_member_machine.csv b/lists/finding_list_msft_security_baseline_windows_server_2022_21h2_member_machine.csv
index a04c8ee..6343c25 100644
--- a/lists/finding_list_msft_security_baseline_windows_server_2022_21h2_member_machine.csv
+++ b/lists/finding_list_msft_security_baseline_windows_server_2022_21h2_member_machine.csv
@@ -7,7 +7,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10102,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium
 10103,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High
 10200,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium
-10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low
+10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low
 10202,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium
 10203,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium
 10204,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium
@@ -104,24 +104,24 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10534,"Windows Firewall","Outbound Connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low 10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low -10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium +10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium 10620,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium -10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium -10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium -10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +10622,"MS Security Guide","Configure SMB v1 
server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium +10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium 10626,"MS Security Guide","Limits print driver installation to Administrators",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint",RestrictDriverInstallationToAdministrators,,,,0,1,=,Medium 10624,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium 10625,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High -10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium +10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium +10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium +10642,"MSS 
(Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium 10643,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium 10650,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium 10651,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium 10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1,RequireIntegrity=1",=,Medium 10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium 10670,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium -10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable 
credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium 10672,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium 10673,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium 10674,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium 
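Review bot: Row 10653 (Hardened UNC Paths, NETLOGON), a context line in this hunk, has the recommended value `"RequireMutualAuthentication=1,RequireIntegrity=1"` with no space after the comma, while row 10654 (SYSVOL) directly below it and both rows in the Server 20H2 DC list use `"RequireMutualAuthentication=1, RequireIntegrity=1"`. Both rows use the `=` operator, so if the check is an exact string comparison (not visible in this diff), one of the two spellings presumably mis-reports a host whose NETLOGON and SYSVOL entries were set identically. Align 10653 with its sibling: `...,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium`.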
@@ -269,7 +269,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10923,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",iexplore.exe,,,,,1,=,Medium 10924,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",explorer.exe,,,,,1,=,Medium 10925,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",(Reserved),,,,,1,=,Medium -10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium +10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium 10927,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",explorer.exe,,,,,1,=,Medium 10928,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",(Reserved),,,,,1,=,Medium 10929,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes 
iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",iexplore.exe,,,,,1,=,Medium @@ -277,7 +277,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10931,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",(Reserved),,,,,1,=,Medium 10972,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,>=,Medium 10998,"Microsoft Defender Antivirus","MAPS: Configure the 'Block at First Sight' feature",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",DisableBlockAtFirstSeen,,,,,0,>=,Medium -10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,2,=,Medium +10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,2,=,Medium 10974,"Microsoft Defender Antivirus","MAPS: Send file samples when further analysis is required",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",SubmitSamplesConsent,,,,,1,=,Medium 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium 
@@ -316,13 +316,13 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 11014,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium 11015,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium 11031,"Microsoft Defender Antivirus","Real-time Protection: Turn on script scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableScriptScanning,,,,0,0,=,Medium -10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium +10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium 10960,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium 10961,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium 10962,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium 10963,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC 
communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium 10964,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium -10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium 10971,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium 11001,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,1,=,Low 11002,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium diff --git a/lists/finding_list_msft_security_baseline_windows_server_20h2_dc_machine.csv b/lists/finding_list_msft_security_baseline_windows_server_20h2_dc_machine.csv index 697dde3..514c7b7 100644 --- a/lists/finding_list_msft_security_baseline_windows_server_20h2_dc_machine.csv +++ b/lists/finding_list_msft_security_baseline_windows_server_20h2_dc_machine.csv 
@@ -7,7 +7,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10102,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium
 10103,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High
 10200,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium
-10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low
+10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low
 10232,"Security Options","Domain controller: LDAP server channel binding token requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LdapEnforceChannelBinding,,,,1,2,=,Medium
 10233,"Security Options","Domain controller: LDAP server signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LDAPServerIntegrity,,,,1,2,=,Low
 10202,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium
@@ -59,15 +59,15 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10322,"User Rights Assignment","Restore files and directories",accesschk,SeRestorePrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium 10323,"User Rights Assignment","Take ownership of files or other objects",accesschk,SeTakeOwnershipPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium 10400,"Advanced Audit Policy Configuration","Credential Validation",auditpol,{0CCE923F-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Failure,contains,Low -10423,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,,"Success and Failure",=,Low -10424,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,,Failure,contains,Low -10425,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low +10423,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,{0CCE9242-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low +10424,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,{0CCE9240-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low +10425,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,{0CCE9236-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low 10426,"Advanced Audit Policy Configuration","Other Account Management Events",auditpol,{0CCE923A-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low 10401,"Advanced Audit Policy Configuration","Security Group Management",auditpol,{0CCE9237-69AE-11D9-BED3-505054503030},,,,,,Success,Success,contains,Low 10402,"Advanced Audit Policy Configuration","User Account 
Management",auditpol,{0CCE9235-69AE-11D9-BED3-505054503030},,,,,,Success,"Success and Failure",=,Low 10403,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,{0cce9248-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low 10404,"Advanced Audit Policy Configuration","Process Creation",auditpol,{0CCE922B-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low -10427,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,,Failure,contains,Low +10427,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,{0CCE923B-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low 10428,"Advanced Audit Policy Configuration","Directory Service Changes",auditpol,{0CCE923C-69AE-11D9-BED3-505054503030},,,,,,,Success,contains,Low 10405,"Advanced Audit Policy Configuration","Account Lockout",auditpol,{0CCE9217-69AE-11D9-BED3-505054503030},,,,,,Success,Failure,contains,Low 10406,"Advanced Audit Policy Configuration","Group Membership",auditpol,{0cce9249-69ae-11d9-bed3-505054503030},,,,,,"No Auditing",Success,contains,Low 
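Review bot: Rows 10426 (Other Account Management Events) and 10428 (Directory Service Changes) keep an empty DefaultValue, although the four auditpol rows changed around them (10423, 10424, 10425, 10427) now carry `Success`. If the column is meant to record the out-of-the-box state for reporting or for restoring a setting, these two subcategories stay undocumented on a domain controller. The file already writes the unaudited state as `"No Auditing"` (rows 10400 and 10403), so they could be filled the same way, e.g. `...,{0CCE923C-69AE-11D9-BED3-505054503030},,,,,,"No Auditing",Success,contains,Low`. Confirm the actual value with `auditpol` on a clean DC before committing it.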
@@ -107,21 +107,21 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10534,"Windows Firewall","Outbound Connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low 10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low -10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium -10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium -10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium +10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium +10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium 10624,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium 10625,"MS Security Guide","WDigest 
Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High -10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium -10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium +10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium +10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium +10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium 10643,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium 10650,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium 10651,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest 
logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium 10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium 10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium 10670,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium -10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium +10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium 10672,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium 10673,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium 10674,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,0,=,Medium 
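Review bot: Rows 10672–10674 (Device Guard and Credential Guard policy values) still have an empty DefaultValue at the end of this hunk, as they do in the matching hunk of the Server 2022 member-machine list, which also leaves 10620 empty. How the tool treats a registry value that does not exist is not visible in this diff. If it falls back to DefaultValue, the result for an unset `LsaCfgFlags` on a DC (recommended `0` here) depends on whether this cell is blank or `0`. Either fill the cells, e.g. `...,LsaCfgFlags,,,,0,0,=,Medium` if an absent value is known to mean disabled, or state in the commit message that policy-only keys are left blank on purpose.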
@@ -267,7 +267,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10923,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",iexplore.exe,,,,,1,=,Medium 10924,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",explorer.exe,,,,,1,=,Medium 10925,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",(Reserved),,,,,1,=,Medium -10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium +10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium 10927,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",explorer.exe,,,,,1,=,Medium 10928,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",(Reserved),,,,,1,=,Medium 10929,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes 
iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",iexplore.exe,,,,,1,=,Medium 
@@ -278,17 +278,17 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 10962,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium 10963,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium 10964,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium -10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium 10971,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium 10972,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,>=,Medium 10998,"Microsoft Defender Antivirus","MAPS: Configure the 'Block at First Sight' feature",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",DisableBlockAtFirstSeen,,,,,0,>=,Medium -10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows 
Defender\Spynet",SpynetReporting,,,,,2,=,Medium +10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,2,=,Medium 10974,"Microsoft Defender Antivirus","MAPS: Send file samples when further analysis is required",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",SubmitSamplesConsent,,,,,1,=,Medium 10999,"Microsoft Defender Antivirus","MpEngine: Select cloud protection level",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine",MpCloudBlockLevel,,,,,2,>=,Medium 11013,"Microsoft Defender Antivirus","Real-time Protection: Scan all downloaded files and attachments",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableIOAVProtection,,,,0,0,=,Medium 11014,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium 11015,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium -10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium +10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail 
(Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium 11016,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium diff --git a/lists/finding_list_msft_security_baseline_windows_server_20h2_member_machine.csv b/lists/finding_list_msft_security_baseline_windows_server_20h2_member_machine.csv index 115ab14..ec97be8 100644 --- a/lists/finding_list_msft_security_baseline_windows_server_20h2_member_machine.csv +++ b/lists/finding_list_msft_security_baseline_windows_server_20h2_member_machine.csv 
@@ -7,7 +7,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10102,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium
 10103,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High
 10200,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium
-10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low
+10201,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,1,1,=,Low
 10202,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium
 10203,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium
 10204,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium
@@ -103,23 +103,23 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10534,"Windows Firewall","Outbound Connections (Public Profile)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium
 10600,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low
 10601,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide show",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low
-10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium
+10610,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,0,1,=,Medium
 10620,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium
-10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
-10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
-10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium
+10621,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,1,4,=,Medium
+10622,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,1,0,=,Medium
+10623,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,0,0,=,Medium
 10624,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium
 10625,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,0,0,=,High
-10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
-10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium
+10640,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,0,2,=,Medium
+10641,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,1,2,=,Medium
+10642,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,1,0,=,Medium
 10643,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
 10650,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium
 10651,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
 10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
 10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
 10670,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium
-10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,0,1,=,Medium
 10672,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
 10673,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
 10674,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium
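Review bot: Rows 10620 and 10672–10674 are left with an empty DefaultValue while their neighbours in this hunk are filled in, and rows 10998, 10974 and 10999 in the last hunk are in the same state. For 10620, Windows applies the remote UAC token filtering when `LocalAccountTokenFilterPolicy` is missing, so the row could read `...,LocalAccountTokenFilterPolicy,,,,0,0,=,Medium`; this is worth confirming against the baseline before changing it. Leaving some defaults blank makes the report for an unconfigured host differ from row to row for no visible reason.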
@@ -267,7 +267,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10923,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",iexplore.exe,,,,,1,=,Medium
 10924,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",explorer.exe,,,,,1,=,Medium
 10925,"Internet Explorer","Security Features: Restrict ActiveX Install: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL",(Reserved),,,,,1,=,Medium
-10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium
+10926,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",iexplore.exe,,,,,1,=,Medium
 10927,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes explorer.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",explorer.exe,,,,,1,=,Medium
 10928,"Internet Explorer","Security Features: Restrict File Download: Internet Explorer Processes (Reserved)",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD",(Reserved),,,,,1,=,Medium
 10929,"Internet Explorer","Security Features: Scripted Window Security Restrictions: Internet Explorer Processes iexplore.exe",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS",iexplore.exe,,,,,1,=,Medium
@@ -278,17 +278,17 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10962,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium
 10963,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium
 10964,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium
-10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
+10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,0,1,=,Medium
 10971,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
 10972,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,>=,Medium
 10998,"Microsoft Defender Antivirus","MAPS: Configure the 'Block at First Sight' feature",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",DisableBlockAtFirstSeen,,,,,0,>=,Medium
-10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,2,=,Medium
+10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,0,2,=,Medium
 10974,"Microsoft Defender Antivirus","MAPS: Send file samples when further analysis is required",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",SubmitSamplesConsent,,,,,1,=,Medium
 10999,"Microsoft Defender Antivirus","MpEngine: Select cloud protection level",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine",MpCloudBlockLevel,,,,,2,>=,Medium
 11013,"Microsoft Defender Antivirus","Real-time Protection: Scan all downloaded files and attachments",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableIOAVProtection,,,,0,0,=,Medium
 11014,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium
 11015,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,0,0,=,Medium
-10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium
+10976,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,1,0,=,Medium
 10977,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium
 10978,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium
 11016,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium
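Review bot: The defaults added for 10973 (`SpynetReporting`, `0`) and 10976 (`DisableRemovableDriveScanning`, `1`) describe values under `HKLM:\Software\Policies\...`, which are only present once a policy is applied, so they may not match what Defender actually does on a host configured another way. The ASR rule at the end of this hunk is checked twice, once through the policy key (10978) and once through `MpPreferenceAsr` (11016). A second, preference-based row for the MAPS and removable-drive settings would give the same coverage of the effective state. Without it, a policy-only row can report a finding on a host whose effective setting already meets the recommendation.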