CIS_WIN10_DISCREPANCIES_TITLE.html

Report generated on 01-Jul-2022 at 10:31:10 by pytest-html v3.1.1

Environment

Packages {"pluggy": "0.13.1", "py": "1.10.0", "pytest": "7.1.2"}
Platform Linux-5.17.5-76051705-generic-x86_64-with-glibc2.35
Plugins {"html": "3.1.1", "metadata": "2.0.1", "testinfra": "5.0.0"}
Python 3.10.4

Summary

394 tests ran in 2.47 seconds.

320 passed, 0 skipped, 74 failed, 0 errors, 0 expected failures, 0 unexpected passes

Results

Result Test Duration Links
Failed test_cis_win10.py::test_cis_win10[title-check6] 0.00
check = {'compliance': [{'cis': ['1.2.1']}, {'cis_csc': ['4.10']}], 'condition': 'all', 'description': 'This policy setting de...ured to 0, locked out accounts will remain locked out until an administrator manually unlocks them.', 'id': 15006, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15006
E assert "Ensure 'Account lockout duration' is set to '15 or more minute(s)'" == "Ensure 'Account lockout duration' is set to '15 or more minute(s)"
E - Ensure 'Account lockout duration' is set to '15 or more minute(s)
E + Ensure 'Account lockout duration' is set to '15 or more minute(s)'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
A denial of service (DoS) condition can be created if an attacker abuses the Account lockout threshold and repeatedly attempts to log on with a specific account. Once you configure the Account lockout threshold setting, the account will be locked out after the specified number of failed attempts. If you configure the Account lockout duration setting to 0, then the account will remain locked out until an administrator unlocks it manually.
Failed test_cis_win10.py::test_cis_win10[title-check17] 0.00
check = {'compliance': [{'cis': ['2.3.4.1']}, {'pci_dss': ['7.2']}, {'tsc': ['CC6.4']}], 'condition': 'any', 'description': 'T...trator privileges. The recommended state for this setting is: Administrators and Interactive Users.', 'id': 15017, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15017
E assert ("Ensure 'Devices: Allowed to format and eject removable media' is set to "\n "'Administrators and Interactive Users'") == ("Ensure 'Devices: Allowed to format and eject removable media' is set to "\n "'Administrators' and Interactive Users'")
E - Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators' and Interactive Users'
E ? -
E + Ensure 'Devices: Allowed to format and eject removable media' is set to 'Administrators and Interactive Users'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Users may be able to move data on removable disks to a different computer where they have administrative privileges. The user could then take ownership of any file, grant themselves full control, and view or modify any file. The fact that most removable storage devices will eject media by pressing a mechanical button diminishes the advantage of this policy setting.
Failed test_cis_win10.py::test_cis_win10[title-check42] 0.00
check = {'compliance': [{'cis': ['2.3.10.1']}], 'condition': 'all', 'description': 'This policy setting determines whether an ... identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name.', 'id': 15042, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15042
E assert ("Ensure 'Network access: Allow anonymous SID/Name translation' is set to "\n "'Disabled'") == ("Ensure 'Network access: Allow anonymous SID/Name translation' is set to "\n "'Disabled'")
E - Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'
E ? -
E + Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
If this policy setting is enabled, a user with local access could use the well-known Administrator's SID to learn the real name of the built-in Administrator account, even if it has been renamed. That person could then use the account name to initiate a password guessing attack.
Failed test_cis_win10.py::test_cis_win10[title-check59] 0.00
check = {'compliance': [{'cis': ['2.3.11.6']}, {'cis_csc': ['5.6']}, {'pci_dss': ['7.1']}, {'tsc': ['CC6.4']}], 'condition': '...recommendation is unscored because there is not a documented registry value that corresponds to it.', 'id': 15059, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15059
E assert ("Ensure 'Network security: Force logoff when logon hours expire' is set to "\n "'Enabled' (Manual)") == ("Ensure 'Network security: Force logoff when logon hours expire' is set to "\n "'Enabled'")
E - Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled'
E + Ensure 'Network security: Force logoff when logon hours expire' is set to 'Enabled' (Manual)
E ? +++++++++

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
If this setting is disabled, a user could remain connected to the computer outside of their allotted logon hours.
Failed test_cis_win10.py::test_cis_win10[title-check65] 0.00
check = {'compliance': [{'cis': ['2.3.15.1']}, {'pci_dss': ['2.2.4']}, {'nist_800_53': ['CM.1']}, {'tsc': ['CC5.2']}], 'condit...ecause only one of the files will be available. The recommended state for this setting is: Enabled.', 'id': 15065, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15065
E assert ("Ensure 'System objects: Require case insensitivity for non- Windows "\n "subsystems' is set to 'Enabled'") == ("Ensure 'System objects: Require case insensitivity for non-Windows "\n "subsystems' is set to 'Enabled'")
E - Ensure 'System objects: Require case insensitivity for non-Windows subsystems' is set to 'Enabled'
E + Ensure 'System objects: Require case insensitivity for non- Windows subsystems' is set to 'Enabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Because Windows is case-insensitive but the POSIX subsystem will support case sensitivity, failure to enable this policy setting would make it possible for a user of that subsystem to create a file with the same name as another file but with a different mix of upper and lower case letters. Such a situation could potentially confuse users when they try to access such files from normal Win32 tools because only one of the files will be available.
Failed test_cis_win10.py::test_cis_win10[title-check75] 0.00
check = {'compliance': [{'cis': ['5.1']}, {'cis_csc': ['4.8']}], 'condition': 'all', 'description': 'Service supporting the au...teway role of the Bluetooth Handsfree Profile. The recommended state for this setting is: Disabled.', 'id': 15075, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15075
E assert "Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'" == "Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'"
E - Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'
E ? -
E + Ensure 'Bluetooth Audio Gateway Service (BTAGService)' is set to 'Disabled'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices.
Failed test_cis_win10.py::test_cis_win10[title-check79] 0.00
check = {'compliance': [{'cis': ['5.6']}, {'cis_csc': ['4.8']}], 'condition': 'any', 'description': 'Enables the server to adm...and ensure the security controls and mitigations are kept up to date, to reduce risk of compromise.', 'id': 15079, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15079
E assert "Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'" == "Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'"
E - Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'
E ? -
E + Ensure 'IIS Admin Service (IISADMIN)' is set to 'Disabled' or 'Not Installed'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS.
Failed test_cis_win10.py::test_cis_win10[title-check81] 0.00
check = {'compliance': [{'cis': ['5.8']}, {'cis_csc': ['4.8']}], 'condition': 'all', 'description': 'Provides network access t...n services for a home or small office network. The recommended state for this setting is: Disabled.', 'id': 15081, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15081
E assert "Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'" == ("Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to "\n "'Disabled'")
E - Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'
E ? -
E + Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Internet Connection Sharing (ICS) is a feature that allows someone to share their Internet connection with other machines on the network - it was designed for home or small office environments where only one machine has Internet access - it effectively turns that machine into an Internet router. This feature causes the bridging of networks and likely bypassing other, more secure pathways. It should not be used on any enterprise-managed system.
Failed test_cis_win10.py::test_cis_win10[title-check83] 0.00
check = {'compliance': [{'cis': ['5.10']}, {'cis_csc': ['4.8']}], 'condition': 'any', 'description': 'The LXSS Manager service...th Windows, but is installed by enabling an optional Windows feature (Windows Subsystem for Linux).', 'id': 15083, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15083
E assert "Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'" == ("Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed' "\n '(Automated)')
E - Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed' (Automated)
E ? - ------------
E + Ensure 'LxssManager (LxssManager)' is set to 'Disabled' or 'Not Installed'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
The Linux SubSystem (LXSS) Manager allows full system access to Linux applications on Windows, including the file system. While this can certainly have some functionality and performance benefits for running those applications, it also creates new security risks in the event that a hacker injects malicious code into a Linux application. For best security, it is preferred to run Linux applications on Linux, and Windows applications on Windows.
Failed test_cis_win10.py::test_cis_win10[title-check84] 0.00
check = {'compliance': [{'cis': ['5.11']}, {'cis_csc': ['4.8']}], 'condition': 'any', 'description': 'Enables the server to be... is installed by enabling an optional Windows feature (Internet Information Services - FTP Server).', 'id': 15084, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15084
E assert ("Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not "\n "Installed'") == ("Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not "\n "Installed'")
E - Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'
E ? -
E + Ensure 'Microsoft FTP Service (FTPSVC)' is set to 'Disabled' or 'Not Installed'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Hosting an FTP server (especially a non-secure FTP server) from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased.
Failed test_cis_win10.py::test_cis_win10[title-check85] 0.00
check = {'compliance': [{'cis': ['5.12']}, {'cis_csc': ['4.8']}], 'condition': 'all', 'description': 'Manages Internet SCSI (i...s from this computer to remote target devices. The recommended state for this setting is: Disabled.', 'id': 15085, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15085
E assert "Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'" == "Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'"
E - Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'
E ? -
E + Ensure 'Microsoft iSCSI Initiator Service (MSiSCSI)' is set to 'Disabled'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
This service is critically necessary in order to directly attach to an iSCSI device. However, iSCSI itself uses a very weak authentication protocol (CHAP), which means that the passwords for iSCSI communication are easily exposed, unless all of the traffic is isolated and/or encrypted using another technology like IPsec. This service is generally more appropriate for servers in a controlled environment then on workstations requiring high security.
Failed test_cis_win10.py::test_cis_win10[title-check86] 0.00
check = {'compliance': [{'cis': ['5.13']}, {'cis_csc': ['4.8']}], 'condition': 'any', 'description': 'SSH protocol based servi...upplied with Windows, but it is installed by enabling an optional Windows feature (OpenSSH Server).', 'id': 15086, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15086
E assert "Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'" == "Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'"
E - Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'
E ? -
E + Ensure 'OpenSSH SSH Server (sshd)' is set to 'Disabled' or 'Not Installed'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Hosting an SSH server from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased
Failed test_cis_win10.py::test_cis_win10[title-check92] 0.00
check = {'compliance': [{'cis': ['5.19']}, {'cis_csc': ['4.8']}], 'condition': 'all', 'description': 'This service provides su...e Problem Reports and Solutions control panel. The recommended state for this setting is: Disabled.', 'id': 15092, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15092
E assert ("Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' "\n "is set to 'Disabled'") == ("Ensure 'Problem Reports and Solutions Control Panel Support(wercplsupport)' "\n "is set to 'Disabled'")
E - Ensure 'Problem Reports and Solutions Control Panel Support(wercplsupport)' is set to 'Disabled'
E + Ensure 'Problem Reports and Solutions Control Panel Support (wercplsupport)' is set to 'Disabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
This service is involved in the process of displaying/reporting issues & solutions to/from Microsoft. In a high security environment, preventing this information from being sent can help reduce privacy concerns for sensitive corporate information.
Failed test_cis_win10.py::test_cis_win10[title-check93] 0.00
check = {'compliance': [{'cis': ['5.20']}, {'cis_csc': ['4.8']}], 'condition': 'all', 'description': 'Creates a connection to ...ences a remote DNS or NetBIOS name or address. The recommended state for this setting is: Disabled.', 'id': 15093, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15093
E assert "Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'" == "Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to'Disabled'"
E - Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to'Disabled'
E + Ensure 'Remote Access Auto Connection Manager (RasAuto)' is set to 'Disabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
The function of this service is to provide a demand dial type of functionality. In a high security environment, it is preferred that any remote dial connections (whether they be legacy dial-in POTS or VPN) are initiated by the user, not automatically by the system.
Failed test_cis_win10.py::test_cis_win10[title-check96] 0.00
check = {'compliance': [{'cis': ['5.23']}, {'cis_csc': ['4.8']}], 'condition': 'all', 'description': 'Allows the redirection of Printers/Drives/Ports for RDP connections. The recommended state for this setting is: Disabled.', 'id': 15096, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15096
E assert ("Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is "\n "set to 'Disabled'") == ("Ensure 'Remote Desktop Services UserMode Port Redirector(UmRdpService)' is "\n "set to 'Disabled'")
E - Ensure 'Remote Desktop Services UserMode Port Redirector(UmRdpService)' is set to 'Disabled'
E + Ensure 'Remote Desktop Services UserMode Port Redirector (UmRdpService)' is set to 'Disabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
In a security-sensitive environment, it is desirable to reduce the possible attack surface - preventing the redirection of COM, LPT and PnP ports will reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer within an RDP session.
Failed test_cis_win10.py::test_cis_win10[title-check101] 0.00
check = {'compliance': [{'cis': ['5.28']}, {'cis_csc': ['4.8']}], 'condition': 'any', 'description': 'Supports the following T...nstalled by enabling an optional Windows feature (Simple TCPIP services (i.e. echo, daytime etc)).', 'id': 15101, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15101
E assert ("Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not "\n "Installed'") == ("Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not "\n "Installed' ")
E - Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'
E ? -
E + Ensure 'Simple TCP/IP Services (simptcp)' is set to 'Disabled' or 'Not Installed'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
The Simple TCP/IP Services have very little purpose in a modern enterprise environment - allowing them might increase exposure and risk for attack.
Failed test_cis_win10.py::test_cis_win10[title-check103] 0.00
check = {'compliance': [{'cis': ['5.30']}, {'cis_csc': ['4.8']}], 'condition': 'any', 'description': 'This service allows admi...abling an optional Windows capability (Windows Emergency Management Services and Serial Console). ', 'id': 15103, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15103
E assert ("Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' "\n "or 'Not Installed'") == ("Ensure 'Special Administration Console Helper (sacsvr)' is set to'Disabled' "\n "or 'Not Installed' ")
E - Ensure 'Special Administration Console Helper (sacsvr)' is set to'Disabled' or 'Not Installed'
E ? -
E + Ensure 'Special Administration Console Helper (sacsvr)' is set to 'Disabled' or 'Not Installed'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Allowing the use of a remotely accessible command prompt that provides the ability to perform remote management tasks on a computer is a security risk.
Failed test_cis_win10.py::test_cis_win10[title-check104] 0.00
check = {'compliance': [{'cis': ['5.31']}, {'cis_csc': ['4.8']}], 'condition': 'all', 'description': 'Discovers networked devi...s and services running on the local computer. The recommended state for this setting is: Disabled. ', 'id': 15104, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15104
E assert "Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'" == "Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled' "
E - Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'
E ? -
E + Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Note that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment.
Failed test_cis_win10.py::test_cis_win10[title-check105] 0.00
check = {'compliance': [{'cis': ['5.32']}, {'cis_csc': ['4.8']}], 'condition': 'all', 'description': 'Allows UPnP devices to be hosted on this computer. The recommended state for this setting is: Disabled. ', 'id': 15105, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15105
E assert "Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'" == "Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled' "
E - Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'
E ? -
E + Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Universal Plug n Play (UPnP) is a real security risk - it allows automatic discovery and attachment to network devices. Notes that UPnP is different than regular Plug n Play (PnP). Workstations should not be advertising their services (or automatically discovering and connecting to networked services) in a security-conscious enterprise managed environment.
Failed test_cis_win10.py::test_cis_win10[title-check106] 0.00
check = {'compliance': [{'cis': ['5.33']}, {'cis_csc': ['4.8']}], 'condition': 'any', 'description': 'The Web Management Servi... Windows feature (Internet Information Services - Web Management Tools - IIS Management Service). ', 'id': 15106, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15106
E assert ("Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not "\n "Installed'") == ("Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not "\n "Installed' ")
E - Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'
E ? -
E + Ensure 'Web Management Service (WMSvc)' is set to 'Disabled' or 'Not Installed'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Remote web administration of IIS on a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly.
Failed test_cis_win10.py::test_cis_win10[title-check109] 0.00
check = {'compliance': [{'cis': ['5.36']}, {'cis_csc': ['4.8']}], 'condition': 'any', 'description': 'Shares Windows Media Pla...ing Universal Plug and Play. The recommended state for this setting is: Disabled or Not Installed. ', 'id': 15109, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15109
E assert ("Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set "\n "to 'Disabled' or 'Not Installed'") == ("Ensure 'Windows Media Player Network Sharing Service(WMPNetworkSvc)' is set "\n "to 'Disabled' or 'Not Installed' ")
E - Ensure 'Windows Media Player Network Sharing Service(WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'
E ? -
E + Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Network sharing of media from Media Player has no place in an enterprise managed environment.
Failed test_cis_win10.py::test_cis_win10[title-check111] 0.00
check = {'compliance': [{'cis': ['5.38']}, {'cis_csc': ['4.8']}], 'condition': 'all', 'description': 'This service runs in ses...- but it was renamed to Windows Push Notifications System Service starting with Windows 10 R1607. ', 'id': 15111, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15111
E assert ("Ensure 'Windows Push Notifications System Service (WpnService)' is set to "\n "'Disabled'") == ("Ensure 'Windows Push Notifications System Service (WpnService)' isset to "\n "'Disabled' ")
E - Ensure 'Windows Push Notifications System Service (WpnService)' isset to 'Disabled'
E ? -
E + Ensure 'Windows Push Notifications System Service (WpnService)' is set to 'Disabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Windows Push Notification Services (WNS) is a mechanism to receive 3rd-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations.
Failed test_cis_win10.py::test_cis_win10[title-check112] 0.00
check = {'compliance': [{'cis': ['5.39']}, {'cis_csc': ['4.8']}], 'condition': 'all', 'description': 'This service manages App...ore App running on other devices or the web. The recommended state for this setting is: Disabled. ', 'id': 15112, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15112
E assert "Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'" == "Ensure 'Windows PushToInstall Service (PushToInstall)' is set to'Disabled' "
E - Ensure 'Windows PushToInstall Service (PushToInstall)' is set to'Disabled'
E ? -
E + Ensure 'Windows PushToInstall Service (PushToInstall)' is set to 'Disabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
In a high security managed environment, application installations should be managed centrally by IT staff, not by end users.
Failed test_cis_win10.py::test_cis_win10[title-check113] 0.00
check = {'compliance': [{'cis': ['5.40']}, {'cis_csc': ['4.8']}], 'condition': 'all', 'description': 'Windows Remote Managemen...or WS-Management requests and processes them. The recommended state for this setting is: Disabled. ', 'id': 15113, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15113
E assert ("Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to "\n "'Disabled'") == ("Ensure 'Windows Remote Management (WS-Management) (WinRM)' isset to "\n "'Disabled' ")
E - Ensure 'Windows Remote Management (WS-Management) (WinRM)' isset to 'Disabled'
E ? -
E + Ensure 'Windows Remote Management (WS-Management) (WinRM)' is set to 'Disabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally.
Failed test_cis_win10.py::test_cis_win10[title-check114] 0.00
check = {'compliance': [{'cis': ['5.41']}, {'cis_csc': ['4.8']}], 'condition': 'any', 'description': 'Provides Web connectivit...d ensure the security controls and mitigations are kept up to date, to reduce risk of compromise. ', 'id': 15114, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15114
E assert ("Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or "\n "'Not Installed'") == ("Ensure 'World Wide Web Publishing Service (W3SVC)' is set to'Disabled' or "\n "'Not Installed' ")
E - Ensure 'World Wide Web Publishing Service (W3SVC)' is set to'Disabled' or 'Not Installed'
E ? -
E + Ensure 'World Wide Web Publishing Service (W3SVC)' is set to 'Disabled' or 'Not Installed'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Hosting a website from a workstation is an increased security risk, as the attack surface of that workstation is then greatly increased. If proper security mitigations are not followed, the chance of successful attack increases significantly. Note: This security concern applies to any web server application installed on a workstation, not just IIS.
Failed test_cis_win10.py::test_cis_win10[title-check115] 0.00
check = {'compliance': [{'cis': ['5.42']}, {'cis_csc': ['4.8']}], 'condition': 'all', 'description': 'This service manages connected Xbox Accessories. The recommended state for this setting is: Disabled. ', 'id': 15115, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15115
E assert "Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'" == "Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to'Disabled' "
E - Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to'Disabled'
E ? -
E + Ensure 'Xbox Accessory Management Service (XboxGipSvc)' is set to 'Disabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company).
Failed test_cis_win10.py::test_cis_win10[title-check118] 0.00
check = {'compliance': [{'cis': ['5.45']}, {'cis_csc': ['4.8']}], 'condition': 'all', 'description': 'This service supports th....XboxLive application programming interface. The recommended state for this setting is: Disabled. ', 'id': 15118, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15118
E assert "Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'" == "Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to'Disabled' "
E - Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to'Disabled'
E ? -
E + Ensure 'Xbox Live Networking Service (XboxNetApiSvc)' is set to 'Disabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company).
Failed test_cis_win10.py::test_cis_win10[title-check123] 0.00
check = {'compliance': [{'cis': ['9.1.5']}, {'cis_csc': ['4.5', '8.5']}, {'pci_dss': ['10.6.1']}, {'nist_800_53': ['AU.6']}, {...The recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log', 'id': 15123, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15123
E assert ("Ensure 'Windows Firewall: Domain: Logging: Name' is set to "\n "'%SystemRoot%\\System32\\logfiles\\firewall\\domainfw.log'") == ("Ensure 'Windows Firewall: Domain: Logging: Name' is set to "\n "'%SYSTEMROOT%\\System32\\logfiles\\firewall\\domainfw.log'")
E - Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log'
E ? ^^^^^ ^^^
E + Ensure 'Windows Firewall: Domain: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\domainfw.log'
E ? ^^^^^ ^^^

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Failed test_cis_win10.py::test_cis_win10[title-check131] 0.00
check = {'compliance': [{'cis': ['9.2.5']}, {'pci_dss': ['10.6.1']}, {'nist_800_53': ['AU.6']}, {'gpg13': ['4.12']}, {'gdpr_IV...e recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log.', 'id': 15131, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15131
E assert ("Ensure 'Windows Firewall: Private: Logging: Name' is set to "\n "'%SystemRoot%\\System32\\logfiles\\firewall\\privatefw.log'") == ("Ensure 'Windows Firewall: Private: Logging: Name' is set to "\n "'%SYSTEMROOT%\\System32\\logfiles\\firewall\\privatefw.log'")
E - Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log'
E ? ^^^^^ ^^^
E + Ensure 'Windows Firewall: Private: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\privatefw.log'
E ? ^^^^^ ^^^

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Failed test_cis_win10.py::test_cis_win10[title-check141] 0.00
check = {'compliance': [{'cis': ['9.3.7']}, {'cis_csc': ['4.5', '8.5']}, {'pci_dss': ['10.6.1']}, {'nist_800_53': ['AU.6']}, {...he recommended state for this setting is: %SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log.', 'id': 15141, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15141
E assert ("Ensure 'Windows Firewall: Public: Logging: Name' is set to "\n "'%SystemRoot%\\System32\\logfiles\\firewall\\publicfw.log'") == ("Ensure 'Windows Firewall: Public: Logging: Name' is set to "\n "'%SYSTEMROOT%\\System32\\logfiles\\firewall\\publicfw.log'")
E - Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log'
E ? ^^^^^ ^^^
E + Ensure 'Windows Firewall: Public: Logging: Name' is set to '%SystemRoot%\System32\logfiles\firewall\publicfw.log'
E ? ^^^^^ ^^^

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Failed test_cis_win10.py::test_cis_win10[title-check148] 0.00
check = {'compliance': [{'cis': ['17.2.3']}, {'cis_csc': ['8.5']}], 'condition': 'all', 'description': 'This subcategory repor...rators can track events to detect malicious, accidental, and authorized creation of user accounts.', 'id': 15148, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15148
E assert "Ensure 'Audit User Account Management' is set to 'Success and Failure'" == "Ensure 'Audit User Account Management' is set to 'Success and Failure' "
E - Ensure 'Audit User Account Management' is set to 'Success and Failure'
E ? -
E + Ensure 'Audit User Account Management' is set to 'Success and Failure'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Auditing these events may be useful when investigating a security incident.
Failed test_cis_win10.py::test_cis_win10[title-check159] 0.00
check = {'compliance': [{'cis': ['17.6.3']}, {'cis_csc': ['8.5']}], 'condition': 'all', 'description': 'This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects.', 'id': 15159, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15159
E assert "Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'" == "Ensure 'Audit Other Object Access Events' is set to 'Success and Failure' "
E - Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'
E ? -
E + Ensure 'Audit Other Object Access Events' is set to 'Success and Failure'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
The unexpected creation of scheduled tasks and COM+ objects could potentially be an indication of malicious activity. Since these types of actions are generally low volume, it may be useful to capture them in the audit logs for use during an investigation.
Failed test_cis_win10.py::test_cis_win10[title-check167] 0.00
check = {'compliance': [{'cis': ['17.9.1']}, {'cis_csc': ['6.3', '6.4', '6.5']}], 'condition': 'all', 'description': 'This sub...r snap-in to diagnose the problem. The recommended state for this setting is: Success and Failure. ', 'id': 15167, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15167
E assert "Ensure 'Audit IPsec Driver' is set to 'Success and Failure'" == "Ensure 'Audit IPsec Driver' is set to 'Success and Failure' "
E - Ensure 'Audit IPsec Driver' is set to 'Success and Failure'
E ? -
E + Ensure 'Audit IPsec Driver' is set to 'Success and Failure'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Auditing these events may be useful when investigating a security incident.
Failed test_cis_win10.py::test_cis_win10[title-check183] 0.00
check = {'compliance': [{'cis': ['18.3.2']}, {'cis_csc': ['4.8']}, {'pci_dss': ['2.2.5']}, {'tsc': ['CC6.3']}], 'condition': '...s doing so will delete the underlying registry entry altogether, which will cause serious problems.', 'id': 15183, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15183
E assert ("Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver "\n "(recommended)'") == "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'"
E - Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'
E + Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver (recommended)'
E ? ++++++++++++++

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3.
Failed test_cis_win10.py::test_cis_win10[title-check187] 0.00
check = {'compliance': [{'cis': ['18.3.6']}, {'pci_dss': ['8.2.1']}, {'tsc': ['CC6.1']}], 'condition': 'all', 'description': '...ers configured for the network, or H-node (hybrid) if there is at least one WINS server configured.', 'id': 15187, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15187
E assert ("Ensure 'NetBT NodeType configuration' is set to 'Enabled: P- node "\n "(recommended)'") == ("Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node "\n "(recommended)'")
E - Ensure 'NetBT NodeType configuration' is set to 'Enabled: P-node (recommended)'
E + Ensure 'NetBT NodeType configuration' is set to 'Enabled: P- node (recommended)'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
In order to help mitigate the risk of NetBIOS Name Service (NBT-NS) poisoning attacks, setting the node type to P-node (point-to-point) will prevent the system from sending out NetBIOS broadcasts.
Failed test_cis_win10.py::test_cis_win10[title-check223] 0.00
check = {'compliance': [{'cis': ['18.8.3.1']}, {'pci_dss': ['8.2.1']}, {'tsc': ['CC6.1']}], 'condition': 'all', 'description':...it events when a new process has been created. The recommended state for this setting is: Disabled.', 'id': 15223, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15223
E assert "Ensure 'Include command line in process creation events' is set to 'Enabled'" == "Ensure 'Include command line in process creation events' is set to 'Disabled'"
E - Ensure 'Include command line in process creation events' is set to 'Disabled'
E ? ^^^
E + Ensure 'Include command line in process creation events' is set to 'Enabled'
E ? ^^

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data.
Failed test_cis_win10.py::test_cis_win10[title-check226] 0.00
check = {'compliance': [{'cis': ['18.8.5.1']}, {'cis_csc': ['16.4']}], 'condition': 'all', 'description': 'This policy setting... Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.', 'id': 15226, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E KeyError: '18.8.5.1'

test_cis_win10.py:30: KeyError
------------------------------Captured stdout call------------------------------
Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system.
Failed test_cis_win10.py::test_cis_win10[title-check227] 0.00
check = {'compliance': [{'cis': ['18.8.5.2']}, {'cis_csc': ['16.4']}], 'condition': 'all', 'description': 'This policy setting... Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.', 'id': 15227, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E KeyError: '18.8.5.2'

test_cis_win10.py:30: KeyError
------------------------------Captured stdout call------------------------------
Secure Boot can help reduce the risk of bootloader attacks and in conjunction with DMA protections to help protect data from being scraped from memory.
Failed test_cis_win10.py::test_cis_win10[title-check228] 0.00
check = {'compliance': [{'cis': ['18.8.5.3']}, {'cis_csc': ['5.1']}], 'condition': 'all', 'description': 'This setting enables...Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. ', 'id': 15228, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E KeyError: '18.8.5.3'

test_cis_win10.py:30: KeyError
------------------------------Captured stdout call------------------------------
The Enabled with UEFI lock option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely.
Failed test_cis_win10.py::test_cis_win10[title-check229] 0.00
check = {'compliance': [{'cis': ['18.8.5.4']}, {'cis_csc': ['5.1']}], 'condition': 'all', 'description': 'This option will onl...Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. ', 'id': 15229, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E KeyError: '18.8.5.4'

test_cis_win10.py:30: KeyError
------------------------------Captured stdout call------------------------------
This setting will help protect this control from being enabled on a system that is not compatible which could lead to a crash or data loss.
Failed test_cis_win10.py::test_cis_win10[title-check230] 0.00
check = {'compliance': [{'cis': ['18.8.5.5']}, {'cis_csc': ['9.2']}], 'condition': 'all', 'description': 'This setting lets us... Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.', 'id': 15230, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E KeyError: '18.8.5.5'

test_cis_win10.py:30: KeyError
------------------------------Captured stdout call------------------------------
The Enabled with UEFI lock option ensures that Credential Guard cannot be disabled remotely.
Failed test_cis_win10.py::test_cis_win10[title-check231] 0.00
check = {'compliance': [{'cis': ['18.8.5.6']}, {'cis_csc': ['16.14']}, {'pci_dss': ['4.1']}, {'hipaa': ['164.312.a.2.IV', '164... exploited vulnerabilities in device firmware. The recommended state for this setting is: Enabled .', 'id': 15231, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E KeyError: '18.8.5.6'

test_cis_win10.py:30: KeyError
------------------------------Captured stdout call------------------------------
Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft.
Failed test_cis_win10.py::test_cis_win10[title-check243] 0.00
check = {'compliance': [{'cis': ['18.8.22.1.6']}], 'condition': 'all', 'description': 'This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards.', 'id': 15243, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15243
E assert ("Ensure 'Turn off Internet download for Web publishing and online ordering "\n "wizards' is set to 'Enabled'") == ("Ensure 'Turn off Internet download for Web publishing and online ordering "\n "wizards' is set to 'Enabled' ")
E - Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'
E ? -
E + Ensure 'Turn off Internet download for Web publishing and online ordering wizards' is set to 'Enabled'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Although the risk is minimal, enabling this setting will reduce the possibility of a user unknowingly downloading malicious content through this feature.
Failed test_cis_win10.py::test_cis_win10[title-check255] 0.00
check = {'compliance': [{'cis': ['18.8.28.1']}, {'pci_dss': ['2.2.5']}, {'tsc': ['CC6.3']}], 'condition': 'all', 'description'... prevents the user from showing account details (email address or user name) on the sign-in screen.', 'id': 15255, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15255
E assert ("Ensure 'Block user from showing account details on sign- in' is set to "\n "'Enabled'") == ("Ensure 'Block user from showing account details on sign-in' is set to "\n "'Enabled'")
E - Ensure 'Block user from showing account details on sign-in' is set to 'Enabled'
E + Ensure 'Block user from showing account details on sign- in' is set to 'Enabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the workstation through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on.
Failed test_cis_win10.py::test_cis_win10[title-check257] 0.00
check = {'compliance': [{'cis': ['18.8.28.3']}, {'pci_dss': ['2.2.5']}, {'tsc': ['CC6.3']}], 'condition': 'all', 'description': 'This policy setting prevents connected users from being enumerated on domain-joined computers.', 'id': 15257, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15257
E assert ("Ensure 'Do not enumerate connected users on domain- joined computers' is set "\n "to 'Enabled'") == ("Ensure 'Do not enumerate connected users on domain-joined computers' is set "\n "to 'Enabled'")
E - Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled'
E + Ensure 'Do not enumerate connected users on domain- joined computers' is set to 'Enabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods.
Failed test_cis_win10.py::test_cis_win10[title-check264] 0.00
check = {'compliance': [{'cis': ['18.8.34.6.1']}, {'pci_dss': ['8.2']}, {'tsc': ['CC6.1']}], 'condition': 'all', 'description'... allows you to control the network connectivity state in standby on modern standby-capable systems.', 'id': 15264, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15264
E assert ("Ensure 'Allow network connectivity during connected- standby (on battery)' "\n "is set to 'Disabled'") == ("Ensure 'Allow network connectivity during connected-standby (on battery)' is "\n "set to 'Disabled'")
E - Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled'
E + Ensure 'Allow network connectivity during connected- standby (on battery)' is set to 'Disabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, on battery and in a sleep state.
Failed test_cis_win10.py::test_cis_win10[title-check265] 0.00
check = {'compliance': [{'cis': ['18.8.34.6.2']}, {'pci_dss': ['8.2']}, {'tsc': ['CC6.1']}], 'condition': 'all', 'description'... allows you to control the network connectivity state in standby on modern standby-capable systems.', 'id': 15265, ...}
field = 'title'

    @pytest.mark.parametrize('check', policy_data )
    @pytest.mark.parametrize('field', fields )
    def test_cis_win10(check, field):
        print(check['rationale'])
        policy_cis_id = check['compliance'][0]['cis'][0]
>       assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15265
E assert ("Ensure 'Allow network connectivity during connected- standby (plugged in)' "\n "is set to 'Disabled'") == ("Ensure 'Allow network connectivity during connected-standby (plugged in)' is "\n "set to 'Disabled'")
E - Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled'
E + Ensure 'Allow network connectivity during connected- standby (plugged in)' is set to 'Disabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Disabling this setting ensures that the computer will not be accessible to attackers over a WLAN network while left unattended, plugged in and in a sleep state.
Failed test_cis_win10.py::test_cis_win10[title-check286] 0.00
check = {'compliance': [{'cis': ['18.9.14.1']}], 'condition': 'all', 'description': 'This policy setting determines whether cl...content is allowed in all Windows experiences. The recommended state for this setting is: Enabled. ', 'id': 15286, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15286
E assert "Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'" == "Ensure 'Turn off cloud consumer account state content' is set to 'Enabled' "
E - Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'
E ? -
E + Ensure 'Turn off cloud consumer account state content' is set to 'Enabled'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
The use of consumer accounts in an enterprise managed environment is not good security practice as it could lead to possible data leakage.
Failed test_cis_win10.py::test_cis_win10[title-check289] 0.00
check = {'compliance': [{'cis': ['18.9.15.1']}, {'pci_dss': ['4.1']}, {'hipaa': ['164.312.a.2.IV', '164.312.e.1', '164.312.e.2... policy setting controls whether or not a PIN is required for pairing to a wireless display device.', 'id': 15289, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15289
E assert ("Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR "\n "'Enabled: Always'") == "Ensure 'Require pin for pairing' is set to 'Enabled'"
E - Ensure 'Require pin for pairing' is set to 'Enabled'
E + Ensure 'Require pin for pairing' is set to 'Enabled: First Time' OR 'Enabled: Always'
E ? ++++++++++++ +++++++++++++++++++++

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
If this setting is not configured or disabled then a PIN would not be required when pairing wireless display devices to the system, increasing the risk of unauthorized use.
Failed test_cis_win10.py::test_cis_win10[title-check299] 0.00
check = {'compliance': [{'cis': ['18.9.17.7']}], 'condition': 'all', 'description': 'This policy setting limits the type of du...ta off (not recommended) or Enabled: Send required diagnostic data to send only basic information. ', 'id': 15299, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15299
E assert "Ensure 'Limit Dump Collection' is set to 'Enabled'" == "Ensure 'Limit Dump Collection' is set to 'Enabled' "
E - Ensure 'Limit Dump Collection' is set to 'Enabled'
E ? -
E + Ensure 'Limit Dump Collection' is set to 'Enabled'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Sending data to a 3rd party vendor is a security concern and should only be done on an as needed basis.
Failed test_cis_win10.py::test_cis_win10[title-check320] 0.00
check = {'compliance': [{'cis': ['18.9.47.5.1.2']}, {'cis_csc': ['10.5']}, {'pci_dss': ['2.2.4']}, {'nist_800_53': ['CM.1']}, ... d4f940ab-401b-4efc-aadc-ad5f3c50688a - 1 (Block Office applications from creating child processes)', 'id': 15320, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15320
E assert ("Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR "\n "rule' is configured") == ("Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR "\n "rule' is 'configured'")
E - Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is 'configured'
E ? - -
E + Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Attack surface reduction helps prevent actions and apps that are typically used by exploitseeking malware to infect machines.
Failed test_cis_win10.py::test_cis_win10[title-check322] 0.00
check = {'compliance': [{'cis': ['18.9.47.6.1']}], 'condition': 'all', 'description': 'This setting determines whether hash va...puted for files scanned by Microsoft Defender. The recommended state for this setting is: Enabled. ', 'id': 15322, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15322
E assert "Ensure 'Enable file hash computation feature' is set to 'Enabled'" == "Ensure 'Enable file hash computation feature' is set to'Enabled' "
E - Ensure 'Enable file hash computation feature' is set to'Enabled'
E ? -
E + Ensure 'Enable file hash computation feature' is set to 'Enabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to monitor for suspicious and known malicious activity. File hashes are a reliable way of detecting changes to files, and can speed up the scan process by skipping files that have not changed since they were last scanned and determined to be safe. A changed file hash can also be cause for additional scrutiny.
Failed test_cis_win10.py::test_cis_win10[title-check323] 0.00
check = {'compliance': [{'cis': ['18.9.47.9.1']}], 'condition': 'all', 'description': 'This policy setting configures scanning for all downloaded files and attachments. The recommended state for this setting is: Enabled. ', 'id': 15323, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15323
E assert "Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'" == "Ensure 'Scan all downloaded files and attachments' is set to'Enabled' "
E - Ensure 'Scan all downloaded files and attachments' is set to'Enabled'
E ? -
E + Ensure 'Scan all downloaded files and attachments' is set to 'Enabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity.
Failed test_cis_win10.py::test_cis_win10[title-check327] 0.00
check = {'compliance': [{'cis': ['18.9.47.11.11']}, {'cis_csc': ['13']}, {'pci_dss': ['2.2.5']}, {'tsc': ['CC6.3']}], 'conditi...nfigure whether or not Watson events are sent. The recommended state for this setting is: Disabled.', 'id': 15327, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E KeyError: '18.9.47.11.11'

test_cis_win10.py:30: KeyError
------------------------------Captured stdout call------------------------------
Watson events are the reports that get sent to Microsoft when a program or service crashes or fails, including the possibility of automatic submission. Preventing this information from being sent can help reduce privacy concerns.
Failed test_cis_win10.py::test_cis_win10[title-check330] 0.00
check = {'compliance': [{'cis': ['18.9.47.15']}, {'cis_csc': ['2.5', '10.6']}], 'condition': 'all', 'description': 'This polic...s link: Block potentially unwanted applications with Microsoft Defender Antivirus | Microsoft Docs ', 'id': 15330, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15330
E assert ("Ensure 'Configure detection for potentially unwanted applications' is set to "\n "'Enabled: Block'") == ("Ensure 'Configure detection for potentially unwantedapplications' is set to "\n "'Enabled: Block' ")
E - Ensure 'Configure detection for potentially unwantedapplications' is set to 'Enabled: Block'
E ? -
E + Ensure 'Configure detection for potentially unwanted applications' is set to 'Enabled: Block'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Potentially unwanted applications can increase the risk of your network being infected with malware, cause malware infections to be harder to identify, and can waste IT resources in cleaning up the applications. They should be blocked from installation.
Failed test_cis_win10.py::test_cis_win10[title-check331] 0.00
check = {'compliance': [{'cis': ['18.9.47.16']}, {'cis_csc': ['10.6']}], 'condition': 'all', 'description': 'This policy setti...ware and other potentially unwanted software. The recommended state for this setting is: Disabled. ', 'id': 15331, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15331
E assert "Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'" == "Ensure 'Turn off Microsoft Defender AntiVirus' is set to'Disabled'"
E - Ensure 'Turn off Microsoft Defender AntiVirus' is set to'Disabled'
E + Ensure 'Turn off Microsoft Defender AntiVirus' is set to 'Disabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
It is important to ensure a current, updated antivirus product is scanning each computer for malicious file activity. Microsoft provides a competent solution out of the box in Microsoft Defender Antivirus. Organizations that choose to purchase a reputable 3rd-party antivirus solution may choose to exempt themselves from this recommendation in lieu of the commercial alternative.
Failed test_cis_win10.py::test_cis_win10[title-check332] 0.00
check = {'compliance': [{'cis': ['18.9.57.1']}], 'condition': 'all', 'description': 'This policy setting specifies whether the...d interests feature is allowed on the device. The recommended state for this setting is: Disabled. ', 'id': 15332, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15332
E assert "Ensure 'Enable news and interests on the taskbar' is set to 'Disabled'" == "Ensure 'Enable news and interests on the taskbar' is set to'Disabled' "
E - Ensure 'Enable news and interests on the taskbar' is set to'Disabled'
E ? -
E + Ensure 'Enable news and interests on the taskbar' is set to 'Disabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Due to privacy concerns, apps and features such as news and interests on the Windows taskbar should be treated as a possible security risk due to the potential of data being sent back to 3rd parties, such as Microsoft. In addition, the app may display inappropriate news and interests within the feed.
Failed test_cis_win10.py::test_cis_win10[title-check337] 0.00
check = {'compliance': [{'cis': ['18.9.65.3.3.1']}], 'condition': 'all', 'description': 'This policy setting determines whethe...ing is: Disabled. Note: Remote Desktop sessions don´t currently support UI Automation redirection. ', 'id': 15337, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15337
E assert "Ensure 'Allow UI Automation redirection' is set to 'Disabled'" == "Ensure 'Allow UI Automation redirection' is set to'Disabled' "
E - Ensure 'Allow UI Automation redirection' is set to'Disabled'
E ? -
E + Ensure 'Allow UI Automation redirection' is set to 'Disabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for UI Automation redirection within a Remote Desktop session is rare, and not supported at this time, but it makes sense to reduce the number of unexpected avenues for malicious activity to occur.
Failed test_cis_win10.py::test_cis_win10[title-check340] 0.00
check = {'compliance': [{'cis': ['18.9.65.3.3.4']}], 'condition': 'all', 'description': 'This policy setting controls the redi...computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled. ', 'id': 15340, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15340
E assert "Ensure 'Do not allow location redirection' is set to 'Enabled'" == "Ensure 'Do not allow location redirection' is set to'Enabled' "
E - Ensure 'Do not allow location redirection' is set to'Enabled'
E ? -
E + Ensure 'Do not allow location redirection' is set to 'Enabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for location data redirection within a Remote Desktop session is rare, so it makes sense to reduce the number of unexpected avenues for malicious activity to occur.
Failed test_cis_win10.py::test_cis_win10[title-check344] 0.00
check = {'compliance': [{'cis': ['18.9.59.3.9.2']}, {'cis_csc': ['3.4']}, {'pci_dss': ['8.2.1']}, {'tsc': ['CC6.1']}], 'condit...e security of RPC communication with clients by allowing only authenticated and encrypted requests.', 'id': 15344, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E KeyError: '18.9.59.3.9.2'

test_cis_win10.py:30: KeyError
------------------------------Captured stdout call------------------------------
Allowing unsecure RPC communication can exposes the server to man in the middle attacks and data disclosure attacks.
Failed test_cis_win10.py::test_cis_win10[title-check345] 0.00
check = {'compliance': [{'cis': ['18.9.65.3.9.3']}, {'cis_csc': ['3.10']}], 'condition': 'all', 'description': 'This policy se...nforcing Transport Layer Security (TLS) version 1.0, not the older (and less secure) SSL protocol. ', 'id': 15345, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15345
E assert ("Ensure 'Require use of specific security layer for remote (RDP) connections' "\n "is set to 'Enabled: SSL'") == ("Ensure 'Require use of specific security layer for remote(RDP) connections' "\n "is set to 'Enabled: SSL' ")
E - Ensure 'Require use of specific security layer for remote(RDP) connections' is set to 'Enabled: SSL'
E ? -
E + Ensure 'Require use of specific security layer for remote (RDP) connections' is set to 'Enabled: SSL'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
The native Remote Desktop Protocol (RDP) encryption is now considered a weak protocol, so enforcing the use of stronger Transport Layer Security (TLS) encryption for all RDP communications between clients and RD Session Host servers is preferred.
Failed test_cis_win10.py::test_cis_win10[title-check346] 0.00
check = {'compliance': [{'cis': ['18.9.65.3.9.4']}, {'cis_csc': ['3.10']}], 'condition': 'all', 'description': 'This policy se... server by using Network Level Authentication. The recommended state for this setting is: Enabled. ', 'id': 15346, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15346
E assert ("Ensure 'Require user authentication for remote connections by using Network "\n "Level Authentication' is set to 'Enabled'") == ("Ensure 'Require user authentication for remoteconnections by using Network "\n "Level Authentication' is set to 'Enabled'")
E - Ensure 'Require user authentication for remoteconnections by using Network Level Authentication' is set to 'Enabled'
E + Ensure 'Require user authentication for remote connections by using Network Level Authentication' is set to 'Enabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Requiring that user authentication occur earlier in the remote connection process enhances security.
Failed test_cis_win10.py::test_cis_win10[title-check347] 0.00
check = {'compliance': [{'cis': ['18.9.65.3.9.5']}, {'cis_csc': ['3.10']}], 'condition': 'all', 'description': 'This policy se... does not apply to SSL encryption. The recommended state for this setting is: Enabled: High Level. ', 'id': 15347, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15347
E assert ("Ensure 'Set client connection encryption level' is set to 'Enabled: High "\n "Level'") == ("Ensure 'Set client connection encryption level' is set to'Enabled: High "\n "Level' ")
E - Ensure 'Set client connection encryption level' is set to'Enabled: High Level'
E ? -
E + Ensure 'Set client connection encryption level' is set to 'Enabled: High Level'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
If Remote Desktop client connections that use low level encryption are allowed, it is more likely that an attacker will be able to decrypt any captured Remote Desktop Services network traffic.
Failed test_cis_win10.py::test_cis_win10[title-check348] 0.00
check = {'compliance': [{'cis': ['18.9.65.3.10.1']}, {'pci_dss': ['8.1.8']}, {'tsc': ['CC6.1']}], 'condition': 'all', 'descrip...automatically disconnected. The recommended state for this setting is: Enabled: 15 minutes or less.', 'id': 15348, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15348
E assert ("Ensure 'Set time limit for active but idle Remote Desktop Services sessions' "\n "is set to 'Enabled: 15 minutes or less, but not Never (0)'") == ("Ensure 'Set time limit for active but idle Remote Desktop Services sessions' "\n "is set to 'Enabled: 15 minutes or less'")
E - Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'
E + Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less, but not Never (0)'
E ? +++++++++++++++++++

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of inactive sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service.
Failed test_cis_win10.py::test_cis_win10[title-check358] 0.00
check = {'compliance': [{'cis': ['18.9.75.1']}], 'condition': 'all', 'description': 'This setting configures the launch of all...he GPME help text). This is a logical wording mistake by Microsoft in the Administrative Template. ', 'id': 15358, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15358
E assert "Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'" == "Ensure 'Disable all apps from Microsoft Store' is set to'Disabled' "
E - Ensure 'Disable all apps from Microsoft Store' is set to'Disabled'
E ? -
E + Ensure 'Disable all apps from Microsoft Store' is set to 'Disabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software.
Failed test_cis_win10.py::test_cis_win10[title-check359] 0.00
check = {'compliance': [{'cis': ['18.9.75.2']}, {'cis_csc': ['2.5']}], 'condition': 'all', 'description': 'This policy setting...crosoft Store, but displays the private store. The recommended state for this setting is: Enabled. ', 'id': 15359, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15359
E assert ("Ensure 'Only display the private store within the Microsoft Store' is set to "\n "'Enabled'") == ("Ensure 'Only display the private store within the MicrosoftStore' is set to "\n "'Enabled' ")
E - Ensure 'Only display the private store within the MicrosoftStore' is set to 'Enabled'
E ? -
E + Ensure 'Only display the private store within the Microsoft Store' is set to 'Enabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Allowing the private store will allow an organization to control the apps that users have access to add to a system. This will help ensure that unapproved malicious apps are not running on a system.
Failed test_cis_win10.py::test_cis_win10[title-check363] 0.00
check = {'compliance': [{'cis': ['18.9.81.1']}], 'condition': 'all', 'description': 'This policy setting specifies whether the...c, and entertainment (not an inclusive list). The recommended state for this setting is: Disabled. ', 'id': 15363, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15363
E assert "Ensure 'Allow widgets' is set to 'Disabled'" == "Ensure 'Allow widgets' is set to 'Disabled' "
E - Ensure 'Allow widgets' is set to 'Disabled'
E ? -
E + Ensure 'Allow widgets' is set to 'Disabled'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Due to privacy concerns, apps and features such as widgets on the Windows taskbar should be treated as a possible security risk due to the potential of data being sent back to 3rd parties, such as Microsoft.
Failed test_cis_win10.py::test_cis_win10[title-check366] 0.00
check = {'compliance': [{'cis': ['18.9.85.2.2']}, {'cis_csc': ['10.5']}, {'pci_dss': ['2.2.3']}, {'nist_800_53': ['CM.1']}, {'... whether employees can override the SmartScreen Filter warnings about downloading unverified files.', 'id': 15366, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15366
E assert ("Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is "\n "set to 'Enabled'") == ("Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is "\n "set to 'Enabled'")
E - Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for files' is set to 'Enabled'
E ? ^ ^
E + Ensure 'Prevent bypassing Windows Defender SmartScreen prompts for sites' is set to 'Enabled'
E ? ^ ^

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
SmartScreen will warn an employee if a file is potentially malicious. Enabling this setting prevents these warnings from being bypassed.
Failed test_cis_win10.py::test_cis_win10[title-check367] 0.00
check = {'compliance': [{'cis': ['18.9.82.1']}, {'cis_csc': ['13']}, {'pci_dss': ['2.2.5']}, {'tsc': ['CC6.3']}], 'condition':...scription': 'This setting enables or disables the Windows Game Recording and Broadcasting features.', 'id': 15367, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E KeyError: '18.9.82.1'

test_cis_win10.py:30: KeyError
------------------------------Captured stdout call------------------------------
If this setting is allowed users could record and broadcast session info to external sites which is a privacy concern.
Failed test_cis_win10.py::test_cis_win10[title-check374] 0.00
check = {'compliance': [{'cis': ['18.9.100.1']}, {'cis_csc': ['8.8']}, {'pci_dss': ['12.3.8']}], 'condition': 'all', 'descript...es logging of all PowerShell script input to the Microsoft-WindowsPowerShell/Operational event log.', 'id': 15374, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15374
E assert "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'" == "Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'"
E - Ensure 'Turn on PowerShell Script Block Logging' is set to 'Disabled'
E ? ^^^
E + Ensure 'Turn on PowerShell Script Block Logging' is set to 'Enabled'
E ? ^^

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
There are potential risks of capturing passwords in the PowerShell logs. This setting should only be needed for debugging purposes, and not in normal operation, it is important to ensure this is set to Disabled.
Failed test_cis_win10.py::test_cis_win10[title-check385] 0.00
check = {'compliance': [{'cis': ['18.9.104.2']}], 'condition': 'all', 'description': 'This policy setting enables or disables ...e the host, for the ostensible purpose of testing applications without making changes to the host. ', 'id': 15385, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
print(check['rationale'])
policy_cis_id = check['compliance'][0]['cis'][0]
> assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15385
E assert "Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'" == "Ensure 'Allow networking in Windows Sandbox' is set to'Disabled'"
E - Ensure 'Allow networking in Windows Sandbox' is set to'Disabled'
E + Ensure 'Allow networking in Windows Sandbox' is set to 'Disabled'
E ? +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Disabling network access decreases the attack surface exposed by the Windows Sandbox and exposure of untrusted applications to the internal network. Note: Per Microsoft, enabling networking in the Windows Sandbox can expose untrusted applications to the internal network.
Failed test_cis_win10.py::test_cis_win10[title-check389] 0.00
check = {'compliance': [{'cis': ['18.9.108.2.2']}, {'cis_csc': ['9.2']}], 'condition': 'all', 'description': "This policy sett...ommendation 'Configure Automatic Updates'. It will have no impact if any other option is selected. ", 'id': 15389, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
    print(check['rationale'])
    policy_cis_id = check['compliance'][0]['cis'][0]
>   assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15389
E assert ("Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - "\n "Every day'") == ("Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - "\n "Every day' ")
E - Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'
E ? -
E + Ensure 'Configure Automatic Updates: Scheduled install day' is set to '0 - Every day'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed.
Failed test_cis_win10.py::test_cis_win10[title-check390] 0.00
check = {'compliance': [{'cis': ['18.9.108.2.3']}, {'cis_csc': ['7.3']}], 'condition': 'all', 'description': 'This policy removes access to Pause updates feature. The recommended state for this setting is: Enabled. ', 'id': 15390, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
    print(check['rationale'])
    policy_cis_id = check['compliance'][0]['cis'][0]
>   assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15390
E assert "Ensure 'Remove access to “Pause updates” feature' is set to 'Enabled'" == "Ensure 'Remove access to Pause updates feature' is set to'Enabled' "
E - Ensure 'Remove access to Pause updates feature' is set to'Enabled'
E ? -
E + Ensure 'Remove access to “Pause updates” feature' is set to 'Enabled'
E ? + + +

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
In order to ensure security and system updates are applied, system administrators should control when updates are applied to systems.
Failed test_cis_win10.py::test_cis_win10[title-check392] 0.00
check = {'compliance': [{'cis': ['18.9.108.4.2']}, {'cis_csc': ['2.5', '7.3']}, {'pci_dss': ['4.1']}, {'hipaa': ['164.312.a.2....tware Vendors (ISVs), partners and customer believe that the release is ready for broad deployment.', 'id': 15392, ...}
field = 'title'

@pytest.mark.parametrize('check', policy_data )
@pytest.mark.parametrize('field', fields )
def test_cis_win10(check, field):
    print(check['rationale'])
    policy_cis_id = check['compliance'][0]['cis'][0]
>   assert cis_data[policy_cis_id][field] == check[field], f"Discrepancy in id {check['id']}"
E AssertionError: Discrepancy in id 15392
E assert ("Ensure 'Select when Preview Builds and Feature Updates are received' is set "\n "to 'Enabled: 180 or more days'") == ("Ensure 'Select when Preview Builds and Feature Updates are received' is set "\n "to 'Enabled: Semi-Annual Channel, 180 or more days'")
E - Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: Semi-Annual Channel, 180 or more days'
E ? ---------------------
E + Ensure 'Select when Preview Builds and Feature Updates are received' is set to 'Enabled: 180 or more days'

test_cis_win10.py:30: AssertionError
------------------------------Captured stdout call------------------------------
Forcing new features without prior testing in your environment could cause software incompatibilities as well as introducing new bugs into the operating system. In an enterprise managed environment, it is generally preferred to delay Feature Updates until thorough testing and a deployment plan is in place. This recommendation delays the automatic installation of new features as long as possible.
Passed test_cis_win10.py::test_cis_win10[title-check0] 0.00
------------------------------Captured stdout call------------------------------
The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. If you specify a low number for this policy setting, users will be able to use the same small number of passwords repeatedly. If you do not also configure the Minimum password age setting, users might repeatedly change their passwords until they can reuse their original password.
Passed test_cis_win10.py::test_cis_win10[title-check1] 0.00
------------------------------Captured stdout call------------------------------
The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user has authorized access.
Passed test_cis_win10.py::test_cis_win10[title-check2] 0.00
------------------------------Captured stdout call------------------------------
Users may have favorite passwords that they like to use because they are easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords are compromised and if an attacker is targeting a specific individual's user account, with foreknowledge of data about that user, reuse of old passwords can cause a security breach. To address password reuse a combination of security settings is required. Using this policy setting with the Enforce password history setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history setting to ensure that users cannot reuse any of their last 12 passwords, they could change their password 13 times in a few minutes and reuse the password they started with, unless you also configure the Minimum password age setting to a number that is greater than 0. You must configure this policy setting to a number that is greater than 0 for the Enforce password history setting to be effective.
Passed test_cis_win10.py::test_cis_win10[title-check3] 0.00
------------------------------Captured stdout call------------------------------
Types of password attacks include dictionary attacks (which attempt to use common words 'and phrases) and brute force attacks (which try every possible combination of characters). 'Also, attackers sometimes try to obtain the account database so they can use tools to 'discover the accounts and passwords.
Passed test_cis_win10.py::test_cis_win10[title-check4] 0.00
------------------------------Captured stdout call------------------------------
Passwords that contain only alphanumeric characters are extremely easy to discover with several publicly available tools.
Passed test_cis_win10.py::test_cis_win10[title-check5] 0.00
------------------------------Captured stdout call------------------------------
This setting will enable the enforcement of longer and generally stronger passwords or passphrases where MFA is not in use.
Passed test_cis_win10.py::test_cis_win10[title-check7] 0.00
------------------------------Captured stdout call------------------------------
Setting an account lockout threshold reduces the likelihood that an online password brute force attack will be successful. Setting the account lockout threshold too low introduces risk of increased accidental lockouts and/or a malicious actor intentionally locking out accounts.
Passed test_cis_win10.py::test_cis_win10[title-check8] 0.00
------------------------------Captured stdout call------------------------------
Users can accidentally lock themselves out of their accounts if they mistype their password multiple times. To reduce the chance of such accidental lockouts, the Reset account lockout counter after setting determines the number of minutes that must elapse before the counter that tracks failed logon attempts and triggers lockouts is reset to 0.
Passed test_cis_win10.py::test_cis_win10[title-check9] 0.00
------------------------------Captured stdout call------------------------------
In some organizations, it can be a daunting management challenge to maintain a regular schedule for periodic password changes for local accounts. Therefore, you may want to disable the built-in Administrator account instead of relying on regular password changes to protect it from attack. Another reason to disable this built-in account is that it cannot be locked out no matter how many failed logons it accrues, which makes it a prime target for brute force attacks that attempt to guess passwords. Also, this account has a well-known security identifier (SID) and there are third-party tools that allow authentication by using the SID rather than the account name. This capability means that even if you rename the Administrator account, an attacker could launch a brute force attack by using the SID to log on.
Passed test_cis_win10.py::test_cis_win10[title-check10] 0.00
------------------------------Captured stdout call------------------------------
Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used to log onto their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems.
Passed test_cis_win10.py::test_cis_win10[title-check11] 0.00
------------------------------Captured stdout call------------------------------
The default Guest account allows unauthenticated network users to log on as Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any network shares with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network, which could lead to the exposure or corruption of data.
Passed test_cis_win10.py::test_cis_win10[title-check12] 0.00
------------------------------Captured stdout call------------------------------
Blank passwords are a serious threat to computer security and should be forbidden through both organizational policy and suitable technical measures. In fact, the default settings for Active Directory domains require complex passwords of at least seven characters. However, if users with the ability to create new accounts bypass your domainbased password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on.
Passed test_cis_win10.py::test_cis_win10[title-check13] 0.00
------------------------------Captured stdout call------------------------------
The Administrator account exists on all computers that run the Windows 2000 or newer operating systems. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination.
Passed test_cis_win10.py::test_cis_win10[title-check14] 0.00
------------------------------Captured stdout call------------------------------
The Guest account exists on all computers that run the Windows 2000 or newer operating systems. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination.
Passed test_cis_win10.py::test_cis_win10[title-check15] 0.00
------------------------------Captured stdout call------------------------------
Prior to the introduction of auditing subcategories in Windows Vista, it was difficult to track events at a per-system or per-user level. The larger event categories created too many events and the key information that needed to be audited was difficult to find.
Passed test_cis_win10.py::test_cis_win10[title-check16] 0.00
------------------------------Captured stdout call------------------------------
If the computer is unable to record events to the Security log, critical evidence or important troubleshooting information may not be available for review after a security incident. Also, an attacker could potentially generate a large volume of Security log events to purposely force a computer shutdown.
Passed test_cis_win10.py::test_cis_win10[title-check18] 0.00
------------------------------Captured stdout call------------------------------
It may be appropriate in some organizations to allow users to install printer drivers on their own workstations. However, in a high security environment, you should allow only Administrators, not users, to do this, because printer driver installation may unintentionally cause the computer to become less stable. A malicious user could install inappropriate printer drivers in a deliberate attempt to damage the computer, or a user might accidentally install malicious software that masquerades as a printer driver. It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network.
Passed test_cis_win10.py::test_cis_win10[title-check19] 0.00
------------------------------Captured stdout call------------------------------
When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller.
Passed test_cis_win10.py::test_cis_win10[title-check20] 0.00
------------------------------Captured stdout call------------------------------
When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller.
Passed test_cis_win10.py::test_cis_win10[title-check21] 0.00
------------------------------Captured stdout call------------------------------
When a computer joins a domain, a computer account is created. After it joins the domain, the computer uses the password for that account to create a secure channel with the Domain Controller for its domain every time that it restarts. Requests that are sent on the secure channel are authenticated-and sensitive information such as passwords are encrypted-but the channel is not integrity-checked, and not all information is encrypted. Digital encryption and signing of the secure channel is a good idea where it is supported. The secure channel protects domain credentials as they are sent to the Domain Controller.
Passed test_cis_win10.py::test_cis_win10[title-check22] 0.00
------------------------------Captured stdout call------------------------------
The default configuration for Windows Server 2003-based computers that belong to a domain is that they are automatically required to change the passwords for their accounts every 30 days. If you disable this policy setting, computers that run Windows Server 2003 will retain the same passwords as their computer accounts. Computers that are no longer able to automatically change their account password are at risk from an attacker who could determine the password for the computer's domain account.
Passed test_cis_win10.py::test_cis_win10[title-check23] 0.00
------------------------------Captured stdout call------------------------------
In Active Directory-based domains, each computer has an account and password just like every user. By default, the domain members automatically change their domain password every 30 days. If you increase this interval significantly, or set it to 0 so that the computers no longer change their passwords, an attacker will have more time to undertake a brute force attack to guess the password of one or more computer accounts.
Passed test_cis_win10.py::test_cis_win10[title-check24] 0.00
------------------------------Captured stdout call------------------------------
Session keys that are used to establish secure channel communications between Domain Controllers and member computers are much stronger in Windows 2000 than they were in previous Microsoft operating systems. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from attacks that attempt to hijack network sessions and eavesdropping. (Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the sender, or be redirected.)
Passed test_cis_win10.py::test_cis_win10[title-check25] 0.00
------------------------------Captured stdout call------------------------------
Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to computers that run Windows. If users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path.
Passed test_cis_win10.py::test_cis_win10[title-check26] 0.00
------------------------------Captured stdout call------------------------------
An attacker with access to the console (for example, someone with physical access or someone who is able to connect to the server through Remote Desktop Services) could view the name of the last user who logged on to the server. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try and log on.
Passed test_cis_win10.py::test_cis_win10[title-check27] 0.00
------------------------------Captured stdout call------------------------------
If a machine is lost or stolen, or if an insider threat attempts a brute force password attack against the computer, it is important to ensure that BitLocker will lock the computer and therefore prevent a successful attack.
Passed test_cis_win10.py::test_cis_win10[title-check28] 0.00
------------------------------Captured stdout call------------------------------
If a user forgets to lock their computer when they walk away it's possible that a passerby will hijack it.
Passed test_cis_win10.py::test_cis_win10[title-check29] 0.00
------------------------------Captured stdout call------------------------------
Displaying a warning message before logon may help prevent an attack by warning the attacker about the consequences of their misconduct before it happens. It may also help to reinforce corporate policy by notifying employees of the appropriate policy during the logon process. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
Passed test_cis_win10.py::test_cis_win10[title-check30] 0.00
------------------------------Captured stdout call------------------------------
Displaying a warning message before logon may help prevent an attack by warning the attacker about the consequences of their misconduct before it happens. It may also help to reinforce corporate policy by notifying employees of the appropriate policy during the logon process.
Passed test_cis_win10.py::test_cis_win10[title-check31] 0.00
------------------------------Captured stdout call------------------------------
The number that is assigned to this policy setting indicates the number of users whose logon information the computer will cache locally. If the number is set to 4, then the computer caches logon information for 4 users. When a 5th user logs on to the computer, the server overwrites the oldest cached logon session. Users who access the computer console will have their logon credentials cached on that computer. An attacker who is able to access the file system of the computer could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location.
Passed test_cis_win10.py::test_cis_win10[title-check32] 0.00
------------------------------Captured stdout call------------------------------
Users will need to be warned that their passwords are going to expire, or they may inadvertently be locked out of the computer when their passwords expire. This condition could lead to confusion for users who access the network locally, or make it impossible for users to access your organization's network through dial-up or virtual private network (VPN) connections.
Passed test_cis_win10.py::test_cis_win10[title-check33] 0.00
------------------------------Captured stdout call------------------------------
Users sometimes forget to lock their workstations when they are away from them, allowing the possibility for malicious users to access their computers. If smart cards are used for authentication, the computer should automatically lock itself when the card is removed to ensure that only the user with the smart card is accessing resources using those credentials.
Passed test_cis_win10.py::test_cis_win10[title-check34] 0.00
------------------------------Captured stdout call------------------------------
Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place.
Passed test_cis_win10.py::test_cis_win10[title-check35] 0.00
------------------------------Captured stdout call------------------------------
Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place.
Passed test_cis_win10.py::test_cis_win10[title-check36] 0.00
------------------------------Captured stdout call------------------------------
If you enable this policy setting, the server can transmit passwords in plaintext across the network to other computers that offer SMB services, which is a significant security risk. These other computers may not use any of the SMB security mechanisms that are included with Windows Server 2003.
Passed test_cis_win10.py::test_cis_win10[title-check37] 0.00
------------------------------Captured stdout call------------------------------
Each SMB session consumes server resources, and numerous null sessions will slow the server or possibly cause it to fail. An attacker could repeatedly establish SMB sessions until the server's SMB services become slow or unresponsive.
Passed test_cis_win10.py::test_cis_win10[title-check38] 0.00
------------------------------Captured stdout call------------------------------
Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place.
Passed test_cis_win10.py::test_cis_win10[title-check39] 0.00
------------------------------Captured stdout call------------------------------
Session hijacking uses tools that allow attackers who have access to the same network as the client or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned SMB packets and then modify the traffic and forward it so that the server might perform undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data. SMB is the resource sharing protocol that is supported by many Windows operating systems. It is the basis of NetBIOS and many other protocols. SMB signatures authenticate both users and the servers that host the data. If either side fails the authentication process, data transmission will not take place.
Passed test_cis_win10.py::test_cis_win10[title-check40] 0.00
------------------------------Captured stdout call------------------------------
If your organization configures logon hours for users, then it makes sense to enable this policy setting. Otherwise, users who should not have access to network resources outside of their logon hours may actually be able to continue to use those resources with sessions that were established during allowed hours.
Passed test_cis_win10.py::test_cis_win10[title-check41] 0.00
------------------------------Captured stdout call------------------------------
The identity of a computer can be spoofed to gain unauthorized access to network resources.
Passed test_cis_win10.py::test_cis_win10[title-check43] 0.00
------------------------------Captured stdout call------------------------------
An unauthorized user could anonymously list account names and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)
Passed test_cis_win10.py::test_cis_win10[title-check44] 0.00
------------------------------Captured stdout call------------------------------
An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)
Passed test_cis_win10.py::test_cis_win10[title-check45] 0.00
------------------------------Captured stdout call------------------------------
Passwords that are cached can be accessed by the user when logged on to the computer. Although this information may sound obvious, a problem can arise if the user unknowingly executes hostile code that reads the passwords and forwards them to another, unauthorized user.
Passed test_cis_win10.py::test_cis_win10[title-check46] 0.00
------------------------------Captured stdout call------------------------------
An unauthorized user could anonymously list account names and shared resources and use the information to attempt to guess passwords, perform social engineering attacks, or launch DoS attacks.
Passed test_cis_win10.py::test_cis_win10[title-check47] 0.00
------------------------------Captured stdout call------------------------------
Limiting named pipes that can be accessed anonymously will reduce the attack surface of the system.
Passed test_cis_win10.py::test_cis_win10[title-check48] 0.00
------------------------------Captured stdout call------------------------------
The registry is a database that contains computer configuration information, and much of the information is sensitive. An attacker could use this information to facilitate unauthorized activities. To reduce the risk of such an attack, suitable ACLs are assigned throughout the registry to help protect it from access by unauthorized users.
Passed test_cis_win10.py::test_cis_win10[title-check49] 0.00
------------------------------Captured stdout call------------------------------
The registry contains sensitive computer configuration information that could be used by an attacker to facilitate unauthorized activities. The fact that the default ACLs assigned throughout the registry are fairly restrictive and help to protect the registry from access by unauthorized users reduces the risk of such an attack.
Passed test_cis_win10.py::test_cis_win10[title-check50] 0.00
------------------------------Captured stdout call------------------------------
Null sessions are a weakness that can be exploited through shares (including the default shares) on computers in your environment.
Passed test_cis_win10.py::test_cis_win10[title-check51] 0.00
------------------------------Captured stdout call------------------------------
To ensure that an unauthorized user cannot anonymously list local account names or groups and use the information to attempt to guess passwords or perform social engineering attacks. (Social engineering attacks try to deceive users in some way to obtain passwords or some form of security information.)
Passed test_cis_win10.py::test_cis_win10[title-check52] 0.00
------------------------------Captured stdout call------------------------------
It is very dangerous to allow any values in this setting. Any shares that are listed can be accessed by any network user, which could lead to the exposure or corruption of sensitive data.
Passed test_cis_win10.py::test_cis_win10[title-check53] 0.00
------------------------------Captured stdout call------------------------------
With the Guest only model, any user who can authenticate to your computer over the network does so with guest privileges, which probably means that they will not have write access to shared resources on that computer. Although this restriction does increase security, it makes it more difficult for authorized users to access shared resources on those computers because ACLs on those resources must include access control entries (ACEs) for the Guest account. With the Classic model, local accounts should be password protected. Otherwise, if Guest access is enabled, anyone can use those user accounts to access shared system resources.
Passed test_cis_win10.py::test_cis_win10[title-check54] 0.00
------------------------------Captured stdout call------------------------------
When connecting to computers running versions of Windows earlier than Windows Vista or Windows Server 2008 (non-R2), services running as Local System and using SPNEGO (Negotiate) that revert to NTLM use the computer identity. In Windows 7, if you are connecting to a computer running Windows Server 2008 or Windows Vista, then a system service uses either the computer identity or a NULL session. When connecting with a NULL session, a system-generated session key is created, which provides no protection but allows applications to sign and encrypt data without errors. When connecting with the computer identity, both signing and encryption are supported in order to provide data protection.
Passed test_cis_win10.py::test_cis_win10[title-check55] 0.00
------------------------------Captured stdout call------------------------------
NULL sessions are less secure because by definition they are unauthenticated.
Passed test_cis_win10.py::test_cis_win10[title-check56] 0.00
------------------------------Captured stdout call------------------------------
The PKU2U protocol is a peer-to-peer authentication protocol - authentication should be managed centrally in most managed networks.
Passed test_cis_win10.py::test_cis_win10[title-check57] 0.00
------------------------------Captured stdout call------------------------------
The strength of each encryption algorithm varies from one to the next. Choosing stronger algorithms will reduce the risk of compromise; however, doing so may cause issues when the computer attempts to authenticate with systems that do not support them.
Passed test_cis_win10.py::test_cis_win10[title-check58] 0.00
------------------------------Captured stdout call------------------------------
The SAM file can be targeted by attackers who seek access to username and password hashes. Such attacks use special tools to crack passwords, which can then be used to impersonate users and gain access to resources on your network. These types of attacks will not be prevented if you enable this policy setting, but it will be much more difficult for these types of attacks to succeed.
Passed test_cis_win10.py::test_cis_win10[title-check60] 0.00
------------------------------Captured stdout call------------------------------
Windows 2000 and Windows XP clients were configured by default to send LM and NTLM authentication responses (Windows 95-based and Windows 98-based clients only send LM). The default settings in OSes predating Windows Vista / Windows Server 2008 (non-R2) allowed all clients to authenticate with servers and use their resources. However, this meant that LM responses - the weakest form of authentication response - were sent over the network, and it was potentially possible for attackers to sniff that traffic to more easily reproduce the user's password. The Windows 95, Windows 98, and Windows NT operating systems cannot use the Kerberos version 5 protocol for authentication. For this reason, in a Windows Server 2003 domain, these computers authenticate by default with both the LM and NTLM protocols for network authentication. You can enforce a more secure authentication protocol for Windows 95, Windows 98, and Windows NT by using NTLMv2. For the logon process, NTLMv2 uses a secure channel to protect the authentication process. Even if you use NTLMv2 for older clients and servers, Windows-based clients and servers that are members of the domain will use the Kerberos authentication protocol to authenticate with Windows Server 2003 or newer Domain Controllers. For these reasons, it is strongly preferred to restrict the use of LM & NTLM (non-v2) as much as possible.
Passed test_cis_win10.py::test_cis_win10[title-check61] 0.00
------------------------------Captured stdout call------------------------------
Unsigned network traffic is susceptible to man-in-the-middle attacks in which an intruder captures the packets between the client and server, modifies them, and then forwards them to the server. For an LDAP server, this susceptibility means that an attacker could cause a server to make decisions that are based on false or altered data from the LDAP queries. To lower this risk in your network, you can implement strong physical security measures to protect the network infrastructure. Also, you can make all types of man-in-the-middle attacks extremely difficult if you require digital signatures on all network packets by means of IPsec authentication headers.
Passed test_cis_win10.py::test_cis_win10[title-check62] 0.00
------------------------------Captured stdout call------------------------------
You can enable both options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. In other words, these options help protect against man-in-the-middle attacks.
Passed test_cis_win10.py::test_cis_win10[title-check63] 0.00
------------------------------Captured stdout call------------------------------
You can enable all of the options for this policy setting to help protect network traffic that uses the NTLM Security Support Provider (NTLM SSP) from being exposed or tampered with by an attacker who has gained access to the same network. That is, these options help protect against man-in-the-middle attacks.
Passed test_cis_win10.py::test_cis_win10[title-check64] 0.00
------------------------------Captured stdout call------------------------------
If a user's account is compromised or their computer is inadvertently left unsecured, a malicious user can use the keys stored for the user to access protected resources. You can configure this policy setting so that users must provide a password that is distinct from their domain password every time they use a key. This configuration makes it more difficult for an attacker to access locally stored user keys, even if the attacker takes control of the user's computer and determines their logon password.
Passed test_cis_win10.py::test_cis_win10[title-check66] 0.00
------------------------------Captured stdout call------------------------------
This setting determines the strength of the default DACL for objects. Windows maintains a global list of shared computer resources so that objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and with what permissions.
Passed test_cis_win10.py::test_cis_win10[title-check67] 0.00
------------------------------Captured stdout call------------------------------
One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. An attack vector for these programs was to discover the password of the account named 'Administrator' because that user account was created for all installations of Windows. To address this risk, in Windows Vista and newer, the built-in Administrator account is now disabled by default. In a default installation of a new computer, accounts with administrative control over the computer are initially set up in one of two ways: - If the computer is not joined to a domain, the first user account you create has the equivalent permissions as a local administrator. - If the computer is joined to a domain, no local administrator accounts are created. The Enterprise or Domain Administrator must log on to the computer and create one if a local administrator account is warranted. Once Windows is installed, the built-in Administrator account may be manually enabled, but we strongly recommend that this account remain disabled.
Passed test_cis_win10.py::test_cis_win10[title-check68] 0.00
------------------------------Captured stdout call------------------------------
One of the risks that the UAC feature introduced with Windows Vista is trying to mitigate is that of malicious software running under elevated credentials without the user or administrator being aware of its activity. This setting raises awareness to the administrator of elevated privilege operations and permits the administrator to prevent a malicious program from elevating its privilege when the program attempts to do so.
Passed test_cis_win10.py::test_cis_win10[title-check69] 0.00
------------------------------Captured stdout call------------------------------
One of the risks that the User Account Control feature introduced with Windows Vista is trying to mitigate is that of malicious programs running under elevated credentials without the user or administrator being aware of their activity. This setting raises awareness to the user that a program requires the use of elevated privilege operations and requires that the user be able to supply administrative credentials in order for the program to run.
Passed test_cis_win10.py::test_cis_win10[title-check70] 0.00
------------------------------Captured stdout call------------------------------
Some malicious software will attempt to install itself after being given permission to run. For example, malicious software with a trusted application shell. The user may have given permission for the program to run because the program is trusted, but if they are then prompted for installation of an unknown component this provides another way of trapping the software before it can do damage.
Passed test_cis_win10.py::test_cis_win10[title-check71] 0.00
------------------------------Captured stdout call------------------------------
UIAccess Integrity allows an application to bypass User Interface Privilege Isolation (UIPI) restrictions when an application is elevated in privilege from a standard user to an administrator. This is required to support accessibility features such as screen readers that are transmitting user interfaces to alternative forms. A process that is started with UIAccess rights has the following abilities: - To set the foreground window. - To drive any application window using the SendInput function. - To read input for all integrity levels using low-level hooks, raw input, GetKeyState, GetAsyncKeyState, and GetKeyboardInput. - To set journal hooks. - To use AttachThreadInput to attach a thread to a higher integrity input queue.
Passed test_cis_win10.py::test_cis_win10[title-check72] 0.00
------------------------------Captured stdout call------------------------------
This is the setting that turns on or off UAC. If this setting is disabled, UAC will not be used and any security benefits and risk mitigations that are dependent on UAC will not be present on the system.
Passed test_cis_win10.py::test_cis_win10[title-check73] 0.00
------------------------------Captured stdout call------------------------------
Standard elevation prompt dialog boxes can be spoofed, which may cause users to disclose their passwords to malicious software. The secure desktop presents a very distinct appearance when prompting for elevation, where the user desktop dims, and the elevation prompt UI is more prominent. This increases the likelihood that users who become accustomed to the secure desktop will recognize a spoofed elevation prompt dialog box and not fall for the trick.
Passed test_cis_win10.py::test_cis_win10[title-check74] 0.00
------------------------------Captured stdout call------------------------------
This setting reduces vulnerabilities by ensuring that legacy applications only write data to permitted locations.
Passed test_cis_win10.py::test_cis_win10[title-check76] 0.00
------------------------------Captured stdout call------------------------------
Bluetooth technology has inherent security risks - especially prior to the v2.1 standard. Wireless Bluetooth traffic is not well encrypted (if at all), so in a high-security environment, it should not be permitted, in spite of the added inconvenience of not being able to use Bluetooth devices.
Passed test_cis_win10.py::test_cis_win10[title-check77] 0.00
------------------------------Captured stdout call------------------------------
Mapping technologies can unwillingly reveal your location to attackers and other software that picks up the information. In addition, automatic downloads of data from 3rd-party sources should be minimized when not needed. Therefore this service should not be needed in high security environments.
Passed test_cis_win10.py::test_cis_win10[title-check78] 0.00
------------------------------Captured stdout call------------------------------
This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it’s not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments.
Passed test_cis_win10.py::test_cis_win10[title-check80] 0.00
------------------------------Captured stdout call------------------------------
Infrared connections can potentially be a source of data compromise - especially via the automatic file transfer application functionality. Enterprise-managed systems should utilize a more secure method of connection than infrared.
Passed test_cis_win10.py::test_cis_win10[title-check82] 0.00
------------------------------Captured stdout call------------------------------
The feature that this service enables could potentially be used for unauthorized discovery and connection to network devices. Disabling the service helps to prevent responses to requests for network topology discovery in high security environments.
Passed test_cis_win10.py::test_cis_win10[title-check87] 0.00
------------------------------Captured stdout call------------------------------
Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff.
Passed test_cis_win10.py::test_cis_win10[title-check88] 0.00
------------------------------Captured stdout call------------------------------
Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff.
Passed test_cis_win10.py::test_cis_win10[title-check89] 0.00
------------------------------Captured stdout call------------------------------
Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff.
Passed test_cis_win10.py::test_cis_win10[title-check90] 0.00
------------------------------Captured stdout call------------------------------
Peer Name Resolution Protocol is a distributed and (mostly) serverless way to handle name resolution of clients with each other. In a high security environment, it is more secure to rely on centralized name resolution methods maintained by authorized staff.
Passed test_cis_win10.py::test_cis_win10[title-check91] 0.00
------------------------------Captured stdout call------------------------------
In a high security environment, unnecessary services, especially those with known vulnerabilities, should be disabled. Disabling the Print Spooler (Spooler) service mitigates the PrintNightmare vulnerability (CVE-2021-34527) and other attacks against the service.
Passed test_cis_win10.py::test_cis_win10[title-check94] 0.00
------------------------------Captured stdout call------------------------------
In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted.
Passed test_cis_win10.py::test_cis_win10[title-check95] 0.00
------------------------------Captured stdout call------------------------------
In a high security environment, Remote Desktop access is an increased security risk. For these environments, only local console access should be permitted.
Passed test_cis_win10.py::test_cis_win10[title-check97] 0.00
------------------------------Captured stdout call------------------------------
This is a legacy service that has no value or purpose other than application compatibility for very old software. It should be disabled unless there is a specific old application still in use on the system that requires it.
Passed test_cis_win10.py::test_cis_win10[title-check98] 0.00
------------------------------Captured stdout call------------------------------
In a high security environment, exposing the registry to remote access is an increased security risk.
Passed test_cis_win10.py::test_cis_win10[title-check99] 0.00
------------------------------Captured stdout call------------------------------
This service's main purpose is to provide Windows router functionality - this is not an appropriate use of workstations in an enterprise managed environment.
Passed test_cis_win10.py::test_cis_win10[title-check100] 0.00
------------------------------Captured stdout call------------------------------
In a high security environment, a secure workstation should only be a client, not a server. Sharing workstation resources for remote access increases security risk as the attack surface is notably higher.
Passed test_cis_win10.py::test_cis_win10[title-check102] 0.00
------------------------------Captured stdout call------------------------------
Features that enable inbound network connections increase the attack surface. In a high security environment, management of secure workstations should be handled locally.
Passed test_cis_win10.py::test_cis_win10[title-check107] 0.00
------------------------------Captured stdout call------------------------------
If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error.
Passed test_cis_win10.py::test_cis_win10[title-check108] 0.00
------------------------------Captured stdout call------------------------------
In a high security environment, remote connections to secure workstations should be minimized, and management functions should be done locally.
Passed test_cis_win10.py::test_cis_win10[title-check110] 0.00
------------------------------Captured stdout call------------------------------
The capability to run a mobile hotspot from a domain-connected computer could easily expose the internal network to wardrivers or other hackers.
Passed test_cis_win10.py::test_cis_win10[title-check116] 0.00
------------------------------Captured stdout call------------------------------
Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company).
Passed test_cis_win10.py::test_cis_win10[title-check117] 0.00
------------------------------Captured stdout call------------------------------
Xbox Live is a gaming service and has no place in an enterprise managed environment (perhaps unless it is a gaming company).
Passed test_cis_win10.py::test_cis_win10[title-check119] 0.00
------------------------------Captured stdout call------------------------------
If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service.
Passed test_cis_win10.py::test_cis_win10[title-check120] 0.00
------------------------------Captured stdout call------------------------------
If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service.
Passed test_cis_win10.py::test_cis_win10[title-check121] 0.00
------------------------------Captured stdout call------------------------------
Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion: blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system, they can reconfigure the firewall anyway.
Passed test_cis_win10.py::test_cis_win10[title-check122] 0.00
------------------------------Captured stdout call------------------------------
Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert.
Passed test_cis_win10.py::test_cis_win10[title-check124] 0.00
------------------------------Captured stdout call------------------------------
If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Passed test_cis_win10.py::test_cis_win10[title-check125] 0.00
------------------------------Captured stdout call------------------------------
If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Passed test_cis_win10.py::test_cis_win10[title-check126] 0.00
------------------------------Captured stdout call------------------------------
If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Passed test_cis_win10.py::test_cis_win10[title-check127] 0.00
------------------------------Captured stdout call------------------------------
If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service.
Passed test_cis_win10.py::test_cis_win10[title-check128] 0.00
------------------------------Captured stdout call------------------------------
If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service.
Passed test_cis_win10.py::test_cis_win10[title-check129] 0.00
------------------------------Captured stdout call------------------------------
Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion: blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system, they can reconfigure the firewall anyway.
Passed test_cis_win10.py::test_cis_win10[title-check130] 0.00
------------------------------Captured stdout call------------------------------
Firewall notifications can be complex and may confuse the end users, who would not be able to address the alert.
Passed test_cis_win10.py::test_cis_win10[title-check132] 0.00
------------------------------Captured stdout call------------------------------
If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Passed test_cis_win10.py::test_cis_win10[title-check133] 0.00
------------------------------Captured stdout call------------------------------
If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Passed test_cis_win10.py::test_cis_win10[title-check134] 0.00
------------------------------Captured stdout call------------------------------
If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Passed test_cis_win10.py::test_cis_win10[title-check135] 0.00
------------------------------Captured stdout call------------------------------
If the firewall is turned off all traffic will be able to access the system and an attacker may be more easily able to remotely exploit a weakness in a network service.
Passed test_cis_win10.py::test_cis_win10[title-check136] 0.00
------------------------------Captured stdout call------------------------------
If the firewall allows all traffic to access the system then an attacker may be more easily able to remotely exploit a weakness in a network service.
Passed test_cis_win10.py::test_cis_win10[title-check137] 0.00
------------------------------Captured stdout call------------------------------
Some people believe that it is prudent to block all outbound connections except those specifically approved by the user or administrator. Microsoft disagrees with this opinion: blocking outbound connections by default will force users to deal with a large number of dialog boxes prompting them to authorize or block applications such as their web browser or instant messaging software. Additionally, blocking outbound traffic has little value because if an attacker has compromised the system, they can reconfigure the firewall anyway.
Passed test_cis_win10.py::test_cis_win10[title-check138] 0.00
------------------------------Captured stdout call------------------------------
Some organizations may prefer to avoid alarming users when firewall rules block certain types of network activity. However, notifications can be helpful when troubleshooting network issues involving the firewall.
Passed test_cis_win10.py::test_cis_win10[title-check139] 0.00
------------------------------Captured stdout call------------------------------
When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy.
Passed test_cis_win10.py::test_cis_win10[title-check140] 0.00
------------------------------Captured stdout call------------------------------
Users with administrative privileges might create firewall rules that expose the system to remote attack.
Passed test_cis_win10.py::test_cis_win10[title-check142] 0.00
------------------------------Captured stdout call------------------------------
If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Passed test_cis_win10.py::test_cis_win10[title-check143] 0.00
------------------------------Captured stdout call------------------------------
If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Passed test_cis_win10.py::test_cis_win10[title-check144] 0.00
------------------------------Captured stdout call------------------------------
If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Passed test_cis_win10.py::test_cis_win10[title-check145] 0.00
------------------------------Captured stdout call------------------------------
Auditing these events may be useful when investigating a security incident.
Passed test_cis_win10.py::test_cis_win10[title-check146] 0.00
------------------------------Captured stdout call------------------------------
Auditing events in this category may be useful when investigating an incident.
Passed test_cis_win10.py::test_cis_win10[title-check147] 0.00
------------------------------Captured stdout call------------------------------
Auditing events in this category may be useful when investigating an incident.
Passed test_cis_win10.py::test_cis_win10[title-check149] 0.00
------------------------------Captured stdout call------------------------------
Enabling this setting will allow a user to audit events when a device is plugged into a system. This can help alert IT staff if unapproved devices are plugged in.
Passed test_cis_win10.py::test_cis_win10[title-check150] 0.00
------------------------------Captured stdout call------------------------------
Auditing these events may be useful when investigating a security incident.
Passed test_cis_win10.py::test_cis_win10[title-check151] 0.00
------------------------------Captured stdout call------------------------------
Auditing these events may be useful when investigating a security incident.
Passed test_cis_win10.py::test_cis_win10[title-check152] 0.00
------------------------------Captured stdout call------------------------------
Auditing these events may be useful when investigating a security incident.
Passed test_cis_win10.py::test_cis_win10[title-check153] 0.00
------------------------------Captured stdout call------------------------------
Auditing these events may be useful when investigating a security incident.
Passed test_cis_win10.py::test_cis_win10[title-check154] 0.00
------------------------------Captured stdout call------------------------------
Auditing these events may be useful when investigating a security incident.
Passed test_cis_win10.py::test_cis_win10[title-check155] 0.00
------------------------------Captured stdout call------------------------------
Auditing these events may be useful when investigating a security incident.
Passed test_cis_win10.py::test_cis_win10[title-check156] 0.00
------------------------------Captured stdout call------------------------------
Auditing these events may be useful when investigating a security incident.
Passed test_cis_win10.py::test_cis_win10[title-check157] 0.00
------------------------------Captured stdout call------------------------------
Auditing these events may be useful when investigating a security incident.
Passed test_cis_win10.py::test_cis_win10[title-check158] 0.00
------------------------------Captured stdout call------------------------------
In an enterprise managed environment, workstations should have limited file sharing activity, as file servers would normally handle the overall burden of file sharing activities. Any unusual file sharing activity on workstations may therefore be useful in an investigation of potentially malicious activity.
Passed test_cis_win10.py::test_cis_win10[title-check160] 0.00
------------------------------Captured stdout call------------------------------
Auditing removable storage may be useful when investigating an incident. For example, if an individual is suspected of copying sensitive information onto a USB drive.
Passed test_cis_win10.py::test_cis_win10[title-check161] 0.00
------------------------------Captured stdout call------------------------------
Auditing these events may be useful when investigating a security incident.
Passed test_cis_win10.py::test_cis_win10[title-check162] 0.00
------------------------------Captured stdout call------------------------------
Auditing these events may be useful when investigating a security incident.
Passed test_cis_win10.py::test_cis_win10[title-check163] 0.00
------------------------------Captured stdout call------------------------------
Auditing these events may be useful when investigating a security incident.
Passed test_cis_win10.py::test_cis_win10[title-check164] 0.00
------------------------------Captured stdout call------------------------------
Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks.
Passed test_cis_win10.py::test_cis_win10[title-check165] 0.00
------------------------------Captured stdout call------------------------------
This setting can help detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions.
Passed test_cis_win10.py::test_cis_win10[title-check166] 0.00
------------------------------Captured stdout call------------------------------
Auditing these events may be useful when investigating a security incident.
Passed test_cis_win10.py::test_cis_win10[title-check168] 0.00
------------------------------Captured stdout call------------------------------
Capturing these audit events may be useful for identifying when the Windows Firewall is not performing as expected.
Passed test_cis_win10.py::test_cis_win10[title-check169] 0.00
------------------------------Captured stdout call------------------------------
Auditing these events may be useful when investigating a security incident.
Passed test_cis_win10.py::test_cis_win10[title-check170] 0.00
------------------------------Captured stdout call------------------------------
Auditing these events may be useful when investigating a security incident.
Passed test_cis_win10.py::test_cis_win10[title-check171] 0.00
------------------------------Captured stdout call------------------------------
Auditing these events may be useful when investigating a security incident.
Passed test_cis_win10.py::test_cis_win10[title-check172] 0.00
------------------------------Captured stdout call------------------------------
Disabling the lock screen camera extends the protection afforded by the lock screen to camera features.
Passed test_cis_win10.py::test_cis_win10[title-check173] 0.00
------------------------------Captured stdout call------------------------------
Disabling the lock screen slide show extends the protection afforded by the lock screen to slide show contents.
Passed test_cis_win10.py::test_cis_win10[title-check174] 0.00
------------------------------Captured stdout call------------------------------
If this setting is Enabled sensitive information could be stored in the cloud or sent to Microsoft.
Passed test_cis_win10.py::test_cis_win10[title-check175] 0.00
------------------------------Captured stdout call------------------------------
Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information.
Passed test_cis_win10.py::test_cis_win10[title-check176] 0.00
------------------------------Captured stdout call------------------------------
Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account.
Passed test_cis_win10.py::test_cis_win10[title-check177] 0.00
------------------------------Captured stdout call------------------------------
Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account.
Passed test_cis_win10.py::test_cis_win10[title-check178] 0.00
------------------------------Captured stdout call------------------------------
Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account.
Passed test_cis_win10.py::test_cis_win10[title-check179] 0.00
------------------------------Captured stdout call------------------------------
Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account.
Passed test_cis_win10.py::test_cis_win10[title-check180] 0.00
------------------------------Captured stdout call------------------------------
Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account.
Passed test_cis_win10.py::test_cis_win10[title-check181] 0.00
------------------------------Captured stdout call------------------------------
Due to the difficulty in managing local Administrator passwords, many organizations choose to use the same password on all workstations and/or Member Servers when deploying them. This creates a serious attack surface security risk because if an attacker manages to compromise one system and learn the password to its local Administrator account, then they can leverage that account to instantly gain access to all other computers that also use that password for their local Administrator account.
Passed test_cis_win10.py::test_cis_win10[title-check182] 0.00
------------------------------Captured stdout call------------------------------
Local accounts are at high risk for credential theft when the same account and password is configured on multiple systems. Ensuring this policy is Enabled significantly reduces that risk.
Passed test_cis_win10.py::test_cis_win10[title-check184] 0.00
------------------------------Captured stdout call------------------------------
Since September 2016, Microsoft has strongly encouraged that SMBv1 be disabled and no longer used on modern networks, as it is a 30 year old design that is much more vulnerable to attacks then much newer designs such as SMBv2 and SMBv3.
Passed test_cis_win10.py::test_cis_win10[title-check185] 0.00
------------------------------Captured stdout call------------------------------
This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option.
Passed test_cis_win10.py::test_cis_win10[title-check186] 0.00
------------------------------Captured stdout call------------------------------
Restricting the installation of print drives to Administrators can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks
Passed test_cis_win10.py::test_cis_win10[title-check188] 0.00
------------------------------Captured stdout call------------------------------
Preventing the plaintext storage of credentials in memory may reduce opportunity for credential theft.
Passed test_cis_win10.py::test_cis_win10[title-check189] 0.00
------------------------------Captured stdout call------------------------------
If you configure a computer for automatic logon, anyone who can physically gain access to the computer can also gain access to everything that is on the computer, including any network or networks that the computer is connected to. Also, if you enable automatic logon, the password is stored in the registry in plaintext. The specific registry key that stores this setting is remotely readable by the Authenticated Users group. As a result, this entry is appropriate only if the computer is physically secured and if you ensure that untrusted users cannot remotely see the registry.
Passed test_cis_win10.py::test_cis_win10[title-check190] 0.00
------------------------------Captured stdout call------------------------------
An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes
Passed test_cis_win10.py::test_cis_win10[title-check191] 0.00
------------------------------Captured stdout call------------------------------
An attacker could use source routed packets to obscure their identity and location. Source routing allows a computer that sends a packet to specify the route that the packet takes.
Passed test_cis_win10.py::test_cis_win10[title-check192] 0.00
------------------------------Captured stdout call------------------------------
An attacker who steals a mobile user's computer could automatically connect to the organization's network if the Save This Password check box is selected for the dial-up or VPN networking entry used to connect to your organization's network.
Passed test_cis_win10.py::test_cis_win10[title-check193] 0.00
------------------------------Captured stdout call------------------------------
This behavior is expected. The problem is that the 10 minute time-out period for the ICMP redirect-plumbed routes temporarily creates a network situation in which traffic will no longer be routed properly for the affected host. Ignoring such ICMP redirects will limit the system's exposure to attacks that will impact its ability to participate on the network.
Passed test_cis_win10.py::test_cis_win10[title-check194] 0.00
------------------------------Captured stdout call------------------------------
An attacker who is able to connect to network applications could establish numerous connections to cause a DoS condition.
Passed test_cis_win10.py::test_cis_win10[title-check195] 0.00
------------------------------Captured stdout call------------------------------
The NetBT protocol is designed not to use authentication, and is therefore vulnerable to spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. A malicious user could exploit the unauthenticated nature of the protocol to send a name-conflict datagram to a target computer, which would cause the computer to relinquish its name and not respond to queries. An attacker could send a request over the network and query a computer to release its NetBIOS name. As with any change that could affect applications, it is recommended that you test this change in a non-production environment before you change the production environment. The result of such an attack could be to cause intermittent connectivity issues on the target computer, or even to prevent the use of Network Neighborhood, domain logons, the NET SEND command, or additional NetBIOS name resolution.
Passed test_cis_win10.py::test_cis_win10[title-check196] 0.00
------------------------------Captured stdout call------------------------------
An attacker who has gained control of a computer on the same network segment could configure a computer on the network to impersonate a router. Other computers with IRDP enabled would then attempt to route their traffic through the already compromised computer.
Passed test_cis_win10.py::test_cis_win10[title-check197] 0.00
------------------------------Captured stdout call------------------------------
If a user unknowingly executes hostile code that was packaged with additional files that include modified versions of system DLLs, the hostile code could load its own versions of those DLLs and potentially increase the type and degree of damage the code can render.
Passed test_cis_win10.py::test_cis_win10[title-check198] 0.00
------------------------------Captured stdout call------------------------------
The default grace period that is allowed for user movement before the screen saver lock takes effect is five seconds. If you leave the default grace period configuration, your computer is vulnerable to a potential attack from someone who could approach the console and attempt to log on to the computer before the lock takes effect. An entry to the registry can be made to adjust the length of the grace period.
Passed test_cis_win10.py::test_cis_win10[title-check199] 0.00
------------------------------Captured stdout call------------------------------
A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer.
Passed test_cis_win10.py::test_cis_win10[title-check200] 0.00
------------------------------Captured stdout call------------------------------
A malicious user could exhaust a target computer's resources if it never sent any acknowledgment messages for data that was transmitted by the target computer.
Passed test_cis_win10.py::test_cis_win10[title-check201] 0.00
------------------------------Captured stdout call------------------------------
If the Security log reaches 90 percent of its capacity and the computer has not been configured to overwrite events as needed, more recent events will not be written to the log. If the log reaches its capacity and the computer has been configured to shut down when it can no longer record events to the Security log, the computer will shut down and will no longer be available to provide network services.
Passed test_cis_win10.py::test_cis_win10[title-check202] 0.00
------------------------------Captured stdout call------------------------------
DNS over HTTPS (DoH) helps protect against DNS spoofing. Spoofing makes a transmission appear to come from a user other than the user who performed the action. It can also help prevent man-in-the-middle (MitM) attacks because the session in-between is encrypted
Passed test_cis_win10.py::test_cis_win10[title-check203] 0.00
------------------------------Captured stdout call------------------------------
An attacker can listen on a network for these LLMNR (UDP/5355) or NBT-NS (UDP/137) broadcasts and respond to them, tricking the host into thinking that it knows the location of the requested system.
Passed test_cis_win10.py::test_cis_win10[title-check204] 0.00
------------------------------Captured stdout call------------------------------
In an enterprise managed environment the IT department should be managing the changes to the system configuration, to ensure all changes are tested and approved.
Passed test_cis_win10.py::test_cis_win10[title-check205] 0.00
------------------------------Captured stdout call------------------------------
Insecure guest logons are used by file servers to allow unauthenticated access to shared folders.
Passed test_cis_win10.py::test_cis_win10[title-check206] 0.00
------------------------------Captured stdout call------------------------------
To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery.
Passed test_cis_win10.py::test_cis_win10[title-check207] 0.00
------------------------------Captured stdout call------------------------------
To help protect from potentially discovering and connecting to unauthorized devices, this setting should be disabled to prevent responding to network traffic for network topology discovery.
Passed test_cis_win10.py::test_cis_win10[title-check208] 0.00
------------------------------Captured stdout call------------------------------
This setting enhances the security of the environment and reduces the overall risk exposure related to peer-to-peer networking.
Passed test_cis_win10.py::test_cis_win10[title-check209] 0.00
------------------------------Captured stdout call------------------------------
The Network Bridge setting, if enabled, allows users to create a Layer 2 Media Access Control (MAC) bridge, enabling them to connect two or more physical network segments together. A Network Bridge thus allows a computer that has connections to two different networks to share data between those networks. In an enterprise managed environment, where there is a need to control network traffic to only authorized paths, allowing users to create a Network Bridge increases the risk and attack surface from the bridged network.
Passed test_cis_win10.py::test_cis_win10[title-check210] 0.00
------------------------------Captured stdout call------------------------------
Non-administrators should not be able to turn on the Mobile Hotspot feature and open their Internet connectivity up to nearby mobile devices.
Passed test_cis_win10.py::test_cis_win10[title-check211] 0.00
------------------------------Captured stdout call------------------------------
Allowing regular users to set a network location increases the risk and attack surface.
Passed test_cis_win10.py::test_cis_win10[title-check212] 0.00
------------------------------Captured stdout call------------------------------
In February 2015, Microsoft released a new control mechanism to mitigate a security risk in Group Policy as part of the MS15-011 / MSKB 3000483 security update. This mechanism requires both the installation of the new security update and also the deployment of specific group policy settings to all computers on the domain from Windows Vista / Server 2008 (non-R2) or newer (the associated security patch to enable this feature was not released for Server 2003). A new group policy template (NetworkProvider.admx/adml) was also provided with the security update. Once the new GPO template is in place, the following are the minimum requirements to remediate the Group Policy security risk: \*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1 \*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1 Note: A reboot may be required after the setting is applied to a client machine to access the above paths.
Passed test_cis_win10.py::test_cis_win10[title-check213] 0.00
------------------------------Captured stdout call------------------------------
Since the vast majority of private enterprise managed networks have no need to utilize IPv6 (because they have access to private IPv4 addressing), disabling IPv6 components reduces a possible attack surface that is also harder to monitor the traffic on. As a result, we recommend configuring IPv6 to a Disabled state when it is not needed.
Passed test_cis_win10.py::test_cis_win10[title-check214] 0.00
------------------------------Captured stdout call------------------------------
This setting enhances the security of the environment and reduces the overall risk exposure related to user configuration of wireless settings.
Passed test_cis_win10.py::test_cis_win10[title-check215] 0.00
------------------------------Captured stdout call------------------------------
Allowing standard users to access the Windows Connect Now wizard increases the risk and attack surface.
Passed test_cis_win10.py::test_cis_win10[title-check216] 0.00
------------------------------Captured stdout call------------------------------
Preventing bridged network connections can help prevent a user unknowingly allowing traffic to route between internal and external networks, which risks exposure to sensitive internal data.
Passed test_cis_win10.py::test_cis_win10[title-check217] 0.00
------------------------------Captured stdout call------------------------------
The potential concern is that a user would unknowingly allow network traffic to flow between the insecure public network and the enterprise managed network.
Passed test_cis_win10.py::test_cis_win10[title-check218] 0.00
------------------------------Captured stdout call------------------------------
Automatically connecting to an open hotspot or network can introduce the system to a rogue network with malicious intent.
Passed test_cis_win10.py::test_cis_win10[title-check219] 0.00
------------------------------Captured stdout call------------------------------
Disabling the ability for the Print Spooler service to accept client connections mitigates remote attacks against the PrintNightmare vulnerability (CVE-2021-34527) and other remote Print Spooler attacks. However, this recommendation does not mitigate against local attacks on the Print Spooler service.
Passed test_cis_win10.py::test_cis_win10[title-check220] 0.00
------------------------------Captured stdout call------------------------------
Enabling Windows User Account Control (UAC) for the installation of new print drivers can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks.
Passed test_cis_win10.py::test_cis_win10[title-check221] 0.00
------------------------------Captured stdout call------------------------------
Enabling Windows User Account Control (UAC) for updating existing print drivers can help mitigate the PrintNightmare vulnerability (CVE-2021-34527) and other Print Spooler attacks.
Passed test_cis_win10.py::test_cis_win10[title-check222] 0.00
------------------------------Captured stdout call------------------------------
Windows Push Notification Services (WNS) is a mechanism to receive 3rd-party notifications and updates from the cloud/Internet. In a high security environment, external systems, especially those hosted outside the organization, should be prevented from having an impact on the secure workstations.
Passed test_cis_win10.py::test_cis_win10[title-check224] 0.00
------------------------------Captured stdout call------------------------------
This setting is important to mitigate the CredSSP encryption oracle vulnerability, for which information was published by Microsoft on 03/13/2018 in CVE-2018-0886 | CredSSP Remote Code Execution Vulnerability. All versions of Windows from Windows Vista onwards are affected by this vulnerability, and will be compatible with this recommendation provided that they have been patched at least through May 2018 (or later).
Passed test_cis_win10.py::test_cis_win10[title-check225] 0.00
------------------------------Captured stdout call------------------------------
Restricted Admin Mode was designed to help protect administrator accounts by ensuring that reusable credentials are not stored in memory on remote devices that could potentially be compromised. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that is requesting the connection. Both features should be enabled and supported, as they reduce the chance of credential theft.
Passed test_cis_win10.py::test_cis_win10[title-check232] 0.00
------------------------------Captured stdout call------------------------------
Installation of software should be conducted by an authorized system administrator and not a standard user. Allowing automatic 3rd-party software installations under the context of the SYSTEM account has potential for allowing unauthorized access via backdoors or installation software bugs.
Passed test_cis_win10.py::test_cis_win10[title-check233] 0.00
------------------------------Captured stdout call------------------------------
This policy setting helps reduce the impact of malware that has already infected your system.
Passed test_cis_win10.py::test_cis_win10[title-check234] 0.00
------------------------------Captured stdout call------------------------------
Setting this option to false (unchecked) will ensure that domain policy changes take effect more quickly, as compared to waiting until the next user logon or system restart.
Passed test_cis_win10.py::test_cis_win10[title-check235] 0.00
------------------------------Captured stdout call------------------------------
Setting this option to true (checked) will ensure unauthorized changes that might have been configured locally are forced to match the domain-based Group Policy settings again.
Passed test_cis_win10.py::test_cis_win10[title-check236] 0.00
------------------------------Captured stdout call------------------------------
A cross-device experience is when a system can access app and send messages to other devices. In an enterprise managed environment only trusted systems should be communicating within the network. Access to any other system should be prohibited.
Passed test_cis_win10.py::test_cis_win10[title-check237] 0.00
------------------------------Captured stdout call------------------------------
This setting ensures that group policy changes take effect more quickly, as compared to waiting until the next user logon or system restart.
Passed test_cis_win10.py::test_cis_win10[title-check238] 0.00
------------------------------Captured stdout call------------------------------
The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software.
Passed test_cis_win10.py::test_cis_win10[title-check239] 0.00
------------------------------Captured stdout call------------------------------
The Store service is a retail outlet built into Windows, primarily for consumer use. In an enterprise managed environment the IT department should be managing the installation of all applications to reduce the risk of the installation of vulnerable software.
Passed test_cis_win10.py::test_cis_win10[title-check240] 0.00
------------------------------Captured stdout call------------------------------
A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user.
Passed test_cis_win10.py::test_cis_win10[title-check241] 0.00
------------------------------Captured stdout call------------------------------
A person's handwriting is Personally Identifiable Information (PII), especially when it comes to your signature. As such, it is unacceptable in many environments to automatically upload PII to a website without explicit approval by the user.
Passed test_cis_win10.py::test_cis_win10[title-check242] 0.00
------------------------------Captured stdout call------------------------------
In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data.
Passed test_cis_win10.py::test_cis_win10[title-check244] 0.00
------------------------------Captured stdout call------------------------------
Information that is transmitted over HTTP through this capability is not protected and can be intercepted by malicious users. For this reason, it is not often used in enterprise managed environments.
Passed test_cis_win10.py::test_cis_win10[title-check245] 0.00
------------------------------Captured stdout call------------------------------
Users in an enterprise managed environment should not be registering their own copies of Windows, providing their own PII in the process.
Passed test_cis_win10.py::test_cis_win10[title-check246] 0.00
------------------------------Captured stdout call------------------------------
There is a small risk that users will unknowingly reveal sensitive information because of the topics they are searching for. This risk is very low because even if this setting is enabled users still must submit search queries to the desired search engine in order to perform searches.
Passed test_cis_win10.py::test_cis_win10[title-check247] 0.00
------------------------------Captured stdout call------------------------------
In an enterprise managed environment we want to lower the risk of a user unknowingly exposing sensitive data.
Passed test_cis_win10.py::test_cis_win10[title-check248] 0.00
------------------------------Captured stdout call------------------------------
Users may publish confidential or sensitive information to a public service outside of the control of the organization.
Passed test_cis_win10.py::test_cis_win10[title-check249] 0.00
------------------------------Captured stdout call------------------------------
Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers.
Passed test_cis_win10.py::test_cis_win10[title-check250] 0.00
------------------------------Captured stdout call------------------------------
Large enterprise managed environments may not want to have information collected by Microsoft from managed client computers.
Passed test_cis_win10.py::test_cis_win10[title-check251] 0.00
------------------------------Captured stdout call------------------------------
If a Windows Error occurs in a secure, enterprise managed environment, the error should be reported directly to IT staff for troubleshooting and remediation. There is no benefit to the corporation to report these errors directly to Microsoft, and there is some risk of unknowingly exposing sensitive data as part of the error.
Passed test_cis_win10.py::test_cis_win10[title-check252] 0.00
------------------------------Captured stdout call------------------------------
Having stronger device authentication with the use of certificates is strongly encouraged over standard username and password authentication. Having this set to Automatic will allow certificate based authentication to be used whenever possible.
Passed test_cis_win10.py::test_cis_win10[title-check253] 0.00
------------------------------Captured stdout call------------------------------
Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unpermitted I/O, or memory access, by the peripheral.
Passed test_cis_win10.py::test_cis_win10[title-check254] 0.00
------------------------------Captured stdout call------------------------------
This is a way to increase the security of the system account.
Passed test_cis_win10.py::test_cis_win10[title-check256] 0.00
------------------------------Captured stdout call------------------------------
An unauthorized user could disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
Passed test_cis_win10.py::test_cis_win10[title-check258] 0.00
------------------------------Captured stdout call------------------------------
A malicious user could use this feature to gather account names of other users, that information could then be used in conjunction with other types of attacks such as guessing passwords or social engineering. The value of this countermeasure is small because a user with domain credentials could gather the same account information using other methods.
Passed test_cis_win10.py::test_cis_win10[title-check259] 0.00
------------------------------Captured stdout call------------------------------
App notifications might display sensitive business or personal data.
Passed test_cis_win10.py::test_cis_win10[title-check260] 0.00
------------------------------Captured stdout call------------------------------
Picture passwords bypass the requirement for a typed complex password. In a shared work environment, a simple shoulder surf where someone observed the on-screen gestures would allow that person to gain access to the system without the need to know the complex password. Vertical monitor screens with an image are much more visible at a distance than horizontal key strokes, increasing the likelihood of a successful observation of the mouse gestures.
Passed test_cis_win10.py::test_cis_win10[title-check261] 0.00
------------------------------Captured stdout call------------------------------
A PIN is created from a much smaller selection of characters than a password, so in most cases a PIN will be much less robust than a password.
Passed test_cis_win10.py::test_cis_win10[title-check262] 0.00
------------------------------Captured stdout call------------------------------
In high security environments, clipboard data should stay local to the system and not synced across devices, as it may contain very sensitive information that must be contained locally.
Passed test_cis_win10.py::test_cis_win10[title-check263] 0.00
------------------------------Captured stdout call------------------------------
Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information.
Passed test_cis_win10.py::test_cis_win10[title-check266] 0.00
------------------------------Captured stdout call------------------------------
System sleep states (S1-S3) keep power to the RAM which may contain secrets, such as the BitLocker volume encryption key. An attacker finding a computer in sleep states (S1-S3) could directly attack the memory of the computer and gain access to the secrets through techniques such as RAM remanence and direct memory access (DMA).
Passed test_cis_win10.py::test_cis_win10[title-check267] 0.00
------------------------------Captured stdout call------------------------------
Enabling this setting ensures that anyone who wakes an unattended computer from sleep state will have to provide logon credentials before they can access the system.
Passed test_cis_win10.py::test_cis_win10[title-check268] 0.00
------------------------------Captured stdout call------------------------------
A user might be tricked and accept an unsolicited Remote Assistance offer from a malicious user.
Passed test_cis_win10.py::test_cis_win10[title-check269] 0.00
------------------------------Captured stdout call------------------------------
There is slight risk that a rogue administrator will gain access to another user's desktop session, however, they cannot connect to a user's computer unannounced or control it without permission from the user. When an expert tries to connect, the user can still choose to deny the connection or give the expert view-only privileges. The user must explicitly click the Yes button to allow the expert to remotely control the workstation.
Passed test_cis_win10.py::test_cis_win10[title-check270] 0.00
------------------------------Captured stdout call------------------------------
Anonymous access to RPC services could result in accidental disclosure of information to unauthenticated users.
Passed test_cis_win10.py::test_cis_win10[title-check271] 0.00
------------------------------Captured stdout call------------------------------
Unauthenticated RPC communication can create a security vulnerability.
Passed test_cis_win10.py::test_cis_win10[title-check272] 0.00
------------------------------Captured stdout call------------------------------
Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information.
Passed test_cis_win10.py::test_cis_win10[title-check273] 0.00
------------------------------Captured stdout call------------------------------
When enabled the aggregated data of a given event will be transmitted to Microsoft. The option exists to restrict this feature for a specific user, set the consent level, and designate specific programs for which error reports could be sent. However, centrally restricting the ability to execute PerfTrack to limit the potential for unauthorized or undesired usage, data leakage, or unintentional communications is highly recommended.
Passed test_cis_win10.py::test_cis_win10[title-check274] 0.00
------------------------------Captured stdout call------------------------------
Tracking user activity for advertising purposes, even anonymously, may be a privacy concern. In an enterprise managed environment, applications should not need or require tracking for targeted advertising.
Passed test_cis_win10.py::test_cis_win10[title-check275] 0.00
------------------------------Captured stdout call------------------------------
A reliable and accurate account of time is important for a number of services and security requirements, including but not limited to distributed applications, authentication services, multi-user databases and logging services. The use of an NTP client (with secure operation) establishes functional accuracy and is a focal point when reviewing security relevant events.
Passed test_cis_win10.py::test_cis_win10[title-check276] 0.00
------------------------------Captured stdout call------------------------------
The configuration of proper time synchronization is critically important in an enterprise managed environment both due to the sensitivity of Kerberos authentication timestamps and also to ensure accurate security logging.
Passed test_cis_win10.py::test_cis_win10[title-check277] 0.00
------------------------------Captured stdout call------------------------------
Users of a system could accidentally share sensitive data with other users on the same system.
Passed test_cis_win10.py::test_cis_win10[title-check278] 0.00
------------------------------Captured stdout call------------------------------
In a corporate managed environment, application installations should be managed centrally by IT staff, not by end users.
Passed test_cis_win10.py::test_cis_win10[title-check279] 0.00
------------------------------Captured stdout call------------------------------
Access to any computer resource should not be allowed when the device is locked.
Passed test_cis_win10.py::test_cis_win10[title-check280] 0.00
------------------------------Captured stdout call------------------------------
Enabling this setting allows an organization to use their enterprise user accounts instead of using their Microsoft accounts when accessing Windows store apps. This provides the organization with greater control over relevant credentials. Microsoft accounts cannot be centrally managed and as such enterprise credential security policies cannot be applied to them, which could put any information accessed by using Microsoft accounts at risk.
Passed test_cis_win10.py::test_cis_win10[title-check281] 0.00
------------------------------Captured stdout call------------------------------
An attacker could use this feature to launch a program to damage a client computer or data on the computer.
Passed test_cis_win10.py::test_cis_win10[title-check282] 0.00
------------------------------Captured stdout call------------------------------
Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog.
Passed test_cis_win10.py::test_cis_win10[title-check283] 0.00
------------------------------Captured stdout call------------------------------
An attacker could use this feature to launch a program to damage a client computer or data on the computer.
Passed test_cis_win10.py::test_cis_win10[title-check284] 0.00
------------------------------Captured stdout call------------------------------
Enterprise managed environments are now supporting a wider range of mobile devices, increasing the security on these devices will help protect against unauthorized access on your network.
Passed test_cis_win10.py::test_cis_win10[title-check285] 0.00
------------------------------Captured stdout call------------------------------
Cameras in a high security environment can pose serious privacy and data exfiltration risks - they should be disabled to help mitigate that risk.
Passed test_cis_win10.py::test_cis_win10[title-check287] 0.00
------------------------------Captured stdout call------------------------------
Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information.
Passed test_cis_win10.py::test_cis_win10[title-check288] 0.00
------------------------------Captured stdout call------------------------------
Having apps silently install in an enterprise managed environment is not good security practice - especially if the apps send data back to a 3rd party.
Passed test_cis_win10.py::test_cis_win10[title-check290] 0.00
------------------------------Captured stdout call------------------------------
This is a useful feature when entering a long and complex password, especially when using a touchscreen. The potential risk is that someone else may see your password while surreptitiously observing your screen.
Passed test_cis_win10.py::test_cis_win10[title-check291] 0.00
------------------------------Captured stdout call------------------------------
Users could see the list of administrator accounts, making it slightly easier for a malicious user who has logged onto a console session to try to crack the passwords of those accounts.
Passed test_cis_win10.py::test_cis_win10[title-check292] 0.00
------------------------------Captured stdout call------------------------------
Users could establish security questions that are easily guessed or sleuthed by observing the user’s social media accounts, making it easier for a malicious actor to change the local user account password and gain access to the computer as that user account.
Passed test_cis_win10.py::test_cis_win10[title-check293] 0.00
------------------------------Captured stdout call------------------------------
Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis.
Passed test_cis_win10.py::test_cis_win10[title-check294] 0.00
------------------------------Captured stdout call------------------------------
Sending any data to a 3rd party vendor is a security concern and should only be done on an as needed basis.
Passed test_cis_win10.py::test_cis_win10[title-check295] 0.00
------------------------------Captured stdout call------------------------------
Sending data to a 3rd party vendor is a security concern and should only be done on an as-needed basis.
Passed test_cis_win10.py::test_cis_win10[title-check296] 0.00
------------------------------Captured stdout call------------------------------
Users should not be sending any feedback to 3rd party vendors in an enterprise managed environment.
Passed test_cis_win10.py::test_cis_win10[title-check297] 0.00
------------------------------Captured stdout call------------------------------
If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Passed test_cis_win10.py::test_cis_win10[title-check298] 0.00
------------------------------Captured stdout call------------------------------
Sending data to a 3rd-party vendor is a security concern and should only be done on an as-needed basis.
Passed test_cis_win10.py::test_cis_win10[title-check300] 0.00
------------------------------Captured stdout call------------------------------
It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds.
Passed test_cis_win10.py::test_cis_win10[title-check301] 0.00
------------------------------Captured stdout call------------------------------
Due to privacy concerns and security risks, updates should only be downloaded directly from Microsoft, or from a trusted machine on the internal network that received its updates from a trusted source and approved by the network administrator.
Passed test_cis_win10.py::test_cis_win10[title-check302] 0.00
------------------------------Captured stdout call------------------------------
If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Passed test_cis_win10.py::test_cis_win10[title-check303] 0.00
------------------------------Captured stdout call------------------------------
If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Passed test_cis_win10.py::test_cis_win10[title-check304] 0.00
------------------------------Captured stdout call------------------------------
If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Passed test_cis_win10.py::test_cis_win10[title-check305] 0.00
------------------------------Captured stdout call------------------------------
If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Passed test_cis_win10.py::test_cis_win10[title-check306] 0.00
------------------------------Captured stdout call------------------------------
If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Passed test_cis_win10.py::test_cis_win10[title-check307] 0.00
------------------------------Captured stdout call------------------------------
If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Passed test_cis_win10.py::test_cis_win10[title-check308] 0.00
------------------------------Captured stdout call------------------------------
If new events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Passed test_cis_win10.py::test_cis_win10[title-check309] 0.00
------------------------------Captured stdout call------------------------------
If events are not recorded it may be difficult or impossible to determine the root cause of system problems or the unauthorized activities of malicious users.
Passed test_cis_win10.py::test_cis_win10[title-check310] 0.00
------------------------------Captured stdout call------------------------------
Data Execution Prevention is an important security feature supported by Explorer that helps to limit the impact of certain types of malware.
Passed test_cis_win10.py::test_cis_win10[title-check311] 0.00
------------------------------Captured stdout call------------------------------
Allowing an application to function after its session has become corrupt increases the risk posture to the system.
Passed test_cis_win10.py::test_cis_win10[title-check312] 0.00
------------------------------Captured stdout call------------------------------
Limiting the opening of files and folders to a limited set reduces the attack surface of the system.
Passed test_cis_win10.py::test_cis_win10[title-check313] 0.00
------------------------------Captured stdout call------------------------------
While resources on a domain-joined computer cannot be shared with a HomeGroup, information from the domain-joined computer can be leaked to other computers in the HomeGroup.
Passed test_cis_win10.py::test_cis_win10[title-check314] 0.00
------------------------------Captured stdout call------------------------------
This setting affects the location feature (e.g. GPS or other location tracking). From a security perspective, it's not a good idea to reveal your location to software in most cases, but there are legitimate uses, such as mapping software. However, they should not be used in high security environments.
Passed test_cis_win10.py::test_cis_win10[title-check315] 0.00
------------------------------Captured stdout call------------------------------
In a high security environment, data should never be sent to any 3rd party since this data could contain sensitive information.
Passed test_cis_win10.py::test_cis_win10[title-check316] 0.00
------------------------------Captured stdout call------------------------------
Organizations that want to effectively implement identity management policies and maintain firm control of what accounts are used on their computers will probably want to block Microsoft accounts. Organizations may also need to block Microsoft accounts in order to meet the requirements of compliance standards that apply to their information systems.
Passed test_cis_win10.py::test_cis_win10[title-check317] 0.00
------------------------------Captured stdout call------------------------------
The decision on whether or not to participate in Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service for malicious software reporting should be made centrally in an enterprise managed environment, so that all computers within it behave consistently in that regard. Configuring this setting to Disabled ensures that the decision remains centrally managed.
Passed test_cis_win10.py::test_cis_win10[title-check318] 0.00
------------------------------Captured stdout call------------------------------
The information that would be sent can include things like location of detected items on your computer if harmful software was removed. The information would be automatically collected and sent. In some instances personal information might unintentionally be sent to Microsoft. However, Microsoft states that it will not use this information to identify you or contact you. For privacy reasons in high security environments, it is best to prevent these data submissions altogether.
Passed test_cis_win10.py::test_cis_win10[title-check319] 0.00
------------------------------Captured stdout call------------------------------
Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Passed test_cis_win10.py::test_cis_win10[title-check321] 0.00
------------------------------Captured stdout call------------------------------
This setting can help prevent employees from using any application to access dangerous domains that may host phishing scams, exploit-hosting sites, and other malicious content on the Internet.
Passed test_cis_win10.py::test_cis_win10[title-check324] 0.00
------------------------------Captured stdout call------------------------------
When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity.
Passed test_cis_win10.py::test_cis_win10[title-check325] 0.00
------------------------------Captured stdout call------------------------------
When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity.
Passed test_cis_win10.py::test_cis_win10[title-check326] 0.00
------------------------------Captured stdout call------------------------------
When running an antivirus solution such as Microsoft Defender Antivirus, it is important to ensure that it is configured to heuristically monitor in real-time for suspicious and known malicious activity.
Passed test_cis_win10.py::test_cis_win10[title-check328] 0.00
------------------------------Captured stdout call------------------------------
It is important to ensure that any present removable drives are always included in any type of scan, as removable drives are more likely to contain malicious software brought in to the enterprise managed environment from an external, unmanaged computer.
Passed test_cis_win10.py::test_cis_win10[title-check329] 0.00
------------------------------Captured stdout call------------------------------
Incoming e-mails should be scanned by an antivirus solution such as Windows Defender Antivirus, as email attachments are a commonly used attack vector to infiltrate computers with malicious software.
Passed test_cis_win10.py::test_cis_win10[title-check333] 0.00
------------------------------Captured stdout call------------------------------
Enabling this setting prevents users from accidentally uploading confidential or sensitive corporate information to the OneDrive cloud service using the Next Generation Sync Client.
Passed test_cis_win10.py::test_cis_win10[title-check334] 0.00
------------------------------Captured stdout call------------------------------
In a high security managed environment, application installations should be managed centrally by IT staff, not by end users.
Passed test_cis_win10.py::test_cis_win10[title-check335] 0.00
------------------------------Captured stdout call------------------------------
An attacker with physical access to the computer may be able to break the protection guarding saved passwords. An attacker who compromises a user's account and connects to their computer could use saved passwords to gain access to additional hosts.
Passed test_cis_win10.py::test_cis_win10[title-check336] 0.00
------------------------------Captured stdout call------------------------------
Any account with the Allow log on through Remote Desktop Services user right can log on to the remote console of the computer. If you do not restrict access to legitimate users who need to log on to the console of the computer, unauthorized users could download and execute malicious code to elevate their privileges.
Passed test_cis_win10.py::test_cis_win10[title-check338] 0.00
------------------------------Captured stdout call------------------------------
In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer.
Passed test_cis_win10.py::test_cis_win10[title-check339] 0.00
------------------------------Captured stdout call------------------------------
Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session.
Passed test_cis_win10.py::test_cis_win10[title-check341] 0.00
------------------------------Captured stdout call------------------------------
In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for LPT port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer.
Passed test_cis_win10.py::test_cis_win10[title-check342] 0.00
------------------------------Captured stdout call------------------------------
In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for Plug and Play device redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer.
Passed test_cis_win10.py::test_cis_win10[title-check343] 0.00
------------------------------Captured stdout call------------------------------
Users have the option to store both their username and password when they create a new Remote Desktop Connection shortcut. If the server that runs Remote Desktop Services allows users who have used this feature to log on to the server but not enter their password, then it is possible that an attacker who has gained physical access to the user's computer could connect to a Remote Desktop Server through the Remote Desktop Connection shortcut, even though they may not know the user's password.
Passed test_cis_win10.py::test_cis_win10[title-check349] 0.00
------------------------------Captured stdout call------------------------------
This setting helps to prevent active Remote Desktop sessions from tying up the computer for long periods of time while not in use, preventing computing resources from being consumed by large numbers of disconnected but still active sessions. In addition, old, forgotten Remote Desktop sessions that are still active can cause password lockouts if the user's password has changed but the old session is still running. For systems that limit the number of connected users (e.g. servers in the default Administrative mode - 2 sessions only), other users' old but still active sessions can prevent another user from connecting, resulting in an effective denial of service. This setting is important to ensure a disconnected session is properly terminated.
Passed test_cis_win10.py::test_cis_win10[title-check350] 0.00
------------------------------Captured stdout call------------------------------
Sensitive information could be contained inside the temporary folders and visible to other administrators that log into the system.
Passed test_cis_win10.py::test_cis_win10[title-check351] 0.00
------------------------------Captured stdout call------------------------------
Allowing attachments to be downloaded through the RSS feed can introduce files that could have malicious intent.
Passed test_cis_win10.py::test_cis_win10[title-check352] 0.00
------------------------------Captured stdout call------------------------------
Due to privacy concerns, data should never be sent to any 3rd party since this data could contain sensitive information.
Passed test_cis_win10.py::test_cis_win10[title-check353] 0.00
------------------------------Captured stdout call------------------------------
If Cortana is enabled, sensitive information could be contained in search history and sent out to Microsoft.
Passed test_cis_win10.py::test_cis_win10[title-check354] 0.00
------------------------------Captured stdout call------------------------------
Access to any computer resource should not be allowed when the device is locked.
Passed test_cis_win10.py::test_cis_win10[title-check355] 0.00
------------------------------Captured stdout call------------------------------
Indexing and allowing users to search encrypted files could potentially reveal confidential data stored within the encrypted files.
Passed test_cis_win10.py::test_cis_win10[title-check356] 0.00
------------------------------Captured stdout call------------------------------
In an enterprise managed environment, allowing Cortana and Search to have access to location data is unnecessary. Organizations likely do not want this information shared out
Passed test_cis_win10.py::test_cis_win10[title-check357] 0.00
------------------------------Captured stdout call------------------------------
Even though the KMS licensing method does not require KMS clients to connect to Microsoft, they still send KMS client activation state data to Microsoft automatically. Preventing this information from being sent can help reduce privacy concerns in high security environments.
Passed test_cis_win10.py::test_cis_win10[title-check360] 0.00
------------------------------Captured stdout call------------------------------
Keeping your system properly patched can help protect against 0 day vulnerabilities.
Passed test_cis_win10.py::test_cis_win10[title-check361] 0.00
------------------------------Captured stdout call------------------------------
Unplanned OS upgrades can lead to more preventable support calls. The IT department should be managing and approving all upgrades and updates.
Passed test_cis_win10.py::test_cis_win10[title-check362] 0.00
------------------------------Captured stdout call------------------------------
Only applications approved by an IT department should be installed. Allowing users to install 3rd party applications can lead to missed patches and potential zero day vulnerabilities.
Passed test_cis_win10.py::test_cis_win10[title-check364] 0.00
------------------------------Captured stdout call------------------------------
Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. However, due to the fact that some information is sent to Microsoft about files and programs run on PCs some organizations may prefer to disable it.
Passed test_cis_win10.py::test_cis_win10[title-check365] 0.00
------------------------------Captured stdout call------------------------------
SmartScreen serves an important purpose as it helps to warn users of possible malicious sites and files. Allowing users to turn off this setting can make the browser become more vulnerable to compromise.
Passed test_cis_win10.py::test_cis_win10[title-check368] 0.00
------------------------------Captured stdout call------------------------------
This Microsoft feature is designed to collect data and suggest apps based on that data collected. Disabling this setting will help ensure your data is not shared with any third party.
Passed test_cis_win10.py::test_cis_win10[title-check369] 0.00
------------------------------Captured stdout call------------------------------
Allowing any apps to be accessed while system is locked is not recommended. If this feature is permitted, it should only be accessible once a user authenticates with the proper credentials.
Passed test_cis_win10.py::test_cis_win10[title-check370] 0.00
------------------------------Captured stdout call------------------------------
In an enterprise managed environment, only IT staff with administrative rights should be installing or changing software on a system. Allowing users the ability to have any control over installs can risk unapproved software from being installed or removed from a system, which could cause the system to become vulnerable to compromise.
Passed test_cis_win10.py::test_cis_win10[title-check371] 0.00
------------------------------Captured stdout call------------------------------
Users with limited privileges can exploit this feature by creating a Windows Installer installation package that creates a new local account that belongs to the local built-in Administrators group, adds their current account to the local built-in Administrators group, installs malicious software, or performs other unauthorized activities.
Passed test_cis_win10.py::test_cis_win10[title-check372] 0.00
------------------------------Captured stdout call------------------------------
Suppressing the system warning can pose a security risk and increase the attack surface on the system.
Passed test_cis_win10.py::test_cis_win10[title-check373] 0.00
------------------------------Captured stdout call------------------------------
Disabling this feature will prevent the caching of user's credentials and unauthorized use of the device, and also ensure the user is aware of the restart.
Passed test_cis_win10.py::test_cis_win10[title-check375] 0.00
------------------------------Captured stdout call------------------------------
If this setting is enabled there is a risk that passwords could get stored in plain text in the PowerShell_transcript output file.
Passed test_cis_win10.py::test_cis_win10[title-check376] 0.00
------------------------------Captured stdout call------------------------------
Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM.
Passed test_cis_win10.py::test_cis_win10[title-check377] 0.00
------------------------------Captured stdout call------------------------------
Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network.
Passed test_cis_win10.py::test_cis_win10[title-check378] 0.00
------------------------------Captured stdout call------------------------------
Digest authentication is less robust than other authentication methods available in WinRM. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM.
Passed test_cis_win10.py::test_cis_win10[title-check379] 0.00
------------------------------Captured stdout call------------------------------
Basic authentication is less robust than other authentication methods available in WinRM because credentials including passwords are transmitted in plain text. An attacker who is able to capture packets on the network where WinRM is running may be able to determine the credentials used for accessing remote hosts via WinRM.
Passed test_cis_win10.py::test_cis_win10[title-check380] 0.00
------------------------------Captured stdout call------------------------------
Any feature is a potential avenue of attack; those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and, when feasible, employ additional controls such as IPsec.
Passed test_cis_win10.py::test_cis_win10[title-check381] 0.00
------------------------------Captured stdout call------------------------------
Any feature is a potential avenue of attack; those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Management (WinRM) service on trusted networks and, when feasible, employ additional controls such as IPsec.
Passed test_cis_win10.py::test_cis_win10[title-check382] 0.00
------------------------------Captured stdout call------------------------------
Encrypting WinRM network traffic reduces the risk of an attacker viewing or modifying WinRM messages as they transit the network.
Passed test_cis_win10.py::test_cis_win10[title-check383] 0.00
------------------------------Captured stdout call------------------------------
Any feature is a potential avenue of attack; those that enable inbound network connections are particularly risky. Only enable the use of the Windows Remote Shell on trusted networks and, when feasible, employ additional controls such as IPsec.
Passed test_cis_win10.py::test_cis_win10[title-check384] 0.00
------------------------------Captured stdout call------------------------------
Disabling copy and paste decreases the attack surface exposed by the Windows Sandbox and possible exposure of untrusted applications to the internal network.
Passed test_cis_win10.py::test_cis_win10[title-check386] 0.00
------------------------------Captured stdout call------------------------------
Only authorized IT staff should be able to make changes to the exploit protection settings in order to ensure the organization's specific configuration is not modified.
Passed test_cis_win10.py::test_cis_win10[title-check387] 0.00
------------------------------Captured stdout call------------------------------
Some security updates require that the computer be restarted to complete an installation. If the computer cannot restart automatically, then the most recent update will not completely install and no new updates will download to the computer until it is restarted. Without the auto-restart functionality, users who are not security-conscious may choose to indefinitely delay the restart, therefore keeping the computer in a less secure state.
Passed test_cis_win10.py::test_cis_win10[title-check388] 0.00
------------------------------Captured stdout call------------------------------
Although each version of Windows is thoroughly tested before release, it is possible that problems will be discovered after the products are shipped. The Configure Automatic Updates setting can help you ensure that the computers in your environment will always have the most recent critical operating system updates and service packs installed.
Passed test_cis_win10.py::test_cis_win10[title-check391] 0.00
------------------------------Captured stdout call------------------------------
It can be risky for experimental features to be allowed in an enterprise managed environment because this can introduce bugs and security holes into systems, making it easier for an attacker to gain access. It is generally preferred to only use production-ready builds.
Passed test_cis_win10.py::test_cis_win10[title-check393] 0.00
------------------------------Captured stdout call------------------------------
Quality Updates can contain important bug fixes and/or security patches, and should be installed as soon as possible.