diff --git a/lists/finding_list_0x6d69636b_machine.csv b/lists/finding_list_0x6d69636b_machine.csv
index 5a1f17b..0a7b4cc 100644
--- a/lists/finding_list_0x6d69636b_machine.csv
+++ b/lists/finding_list_0x6d69636b_machine.csv
@@ -135,7 +135,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 1650,"Administrative Templates: System","Kernel DMA Protection: Enumeration policy for external devices incompatible with Kernel DMA Protection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection",DeviceEnumerationPolicy,,,,2,0,=,Medium
 1660,"Administrative Templates: System","Logon: Turn on convenience PIN sign-in",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,AllowDomainPINLogon,,,,1,0,=,Medium
 1661,"Administrative Templates: System","Logon: Turn off app notifications on the lock screen",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DisableLockScreenAppNotifications,,,,0,1,=,Medium
-1662,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Low
+1662,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Medium
 1670,"Administrative Templates: System","Mitigation Options: Untrusted Font Blocking",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions",MitigationOptions_FontBocking,,,,0,1000000000000,=,Medium
 1680,"Administrative Templates: System","OS Policies: Allow Clipboard synchronization across devices",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,AllowCrossDeviceClipboard,,,,1,0,=,Medium
 1685,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex,,,,0,1,=,Medium
diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_1809_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_1809_machine.csv
new file mode 100644
index 0000000..1984420
--- /dev/null
+++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_1809_machine.csv
@@ -0,0 +1,587 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +1.1.1,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,>=,Low +1.1.2,"Account Policies","Maximum password age",accountpolicy,,,,,,,42,60,<=!0,Low +1.1.3,"Account Policies","Minimum password age",accountpolicy,,,,,,,0,1,>=,Low +1.1.4,"Account Policies","Minimum password length",accountpolicy,,,,,,,0,14,>=,Medium +1.1.5,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium +1.1.6,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High +1.2.1,"Account Policies","Account lockout duration",accountpolicy,,,,,,,30,15,>=,Low +1.2.2,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,10,<=!0,Low +1.2.3,"Account Policies","Reset account lockout counter",accountpolicy,,,,,,,30,15,>=,Low +2.2.1,"User Rights Assignment","Access Credential Manager as a trusted caller",accesschk,SeTrustedCredManAccessPrivilege,,,,,,,,=,Medium +2.2.2,"User Rights Assignment","Access this computer from the network",accesschk,SeNetworkLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;Everyone","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +2.2.3,"User Rights Assignment","Act as part of the operating system",accesschk,SeTcbPrivilege,,,,,,,,=,Medium +2.2.4,"User Rights Assignment","Adjust memory quotas for a process",accesschk,SeIncreaseQuotaPrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.5,"User Rights Assignment","Allow log on locally",accesschk,SeInteractiveLogonRight,,,,,,"BUILTIN\Backup 
Operators;BUILTIN\Users;BUILTIN\Administrators;COMPUTERNAME\Guest",BUILTIN\Users;BUILTIN\Administrators,=,Medium +2.2.6,"User Rights Assignment","Allow log on through Remote Desktop Services",accesschk,SeRemoteInteractiveLogonRight,,,,,,"BUILTIN\Remote Desktop Users;BUILTIN\Administrators","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +2.2.7,"User Rights Assignment","Back up files and directories",accesschk,SeBackupPrivilege,,,,,,"BUILTIN\Administrators;BUILTIN\Backup Operators",BUILTIN\Administrators,=,Medium +2.2.8,"User Rights Assignment","Change the system time",accesschk,SeSystemTimePrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.9,"User Rights Assignment","Change the time zone",accesschk,SeTimeZonePrivilege,,,,,,"BUILTIN\Device Owners;BUILTIN\Users;BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Users;BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.10,"User Rights Assignment","Create a pagefile",accesschk,SeCreatePagefilePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.11,"User Rights Assignment","Create a token object",accesschk,SeCreateTokenPrivilege,,,,,,,,=,Medium +2.2.12,"User Rights Assignment","Create global objects",accesschk,SeCreateGlobalPrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.13,"User Rights Assignment","Create permanent shared objects",accesschk,SeCreatePermanentPrivilege,,,,,,,,=,Medium +2.2.14.1,"User Rights Assignment","Create symbolic links",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.14.2,"User Rights Assignment","Create symbolic links 
(Hyper-V)",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,S-1-5-83-0;BUILTIN\Administrators,S-1-5-83-0;BUILTIN\Administrators,=,Medium +2.2.15,"User Rights Assignment","Debug programs",accesschk,SeDebugPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.16,"User Rights Assignment","Deny access to this computer from the network",accesschk,SeDenyNetworkLogonRight,,,,,,COMPUTERNAME\Guest,"Guest;NT AUTHORITY\Local account",=,Medium +2.2.17,"User Rights Assignment","Deny log on as a batch job",accesschk,SeDenyBatchLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.18,"User Rights Assignment","Deny log on as a service",accesschk,SeDenyServiceLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.19,"User Rights Assignment","Deny log on locally",accesschk,SeDenyInteractiveLogonRight,,,,,,BUILTIN\Guests,BUILTIN\Guests,=,Medium +2.2.20,"User Rights Assignment","Deny log on through Remote Desktop Services",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,"BUILTIN\Guests;NT AUTHORITY\Local account",=,Medium +2.2.21,"User Rights Assignment","Enable computer and user accounts to be trusted for delegation",accesschk,SeEnableDelegationPrivilege,,,,,,,,=,Medium +2.2.22,"User Rights Assignment","Force shutdown from a remote system",accesschk,SeRemoteShutdownPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.23,"User Rights Assignment","Generate security audits",accesschk,SeAuditPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.24,"User Rights Assignment","Impersonate a client after authentication",accesschk,SeImpersonatePrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.25,"User Rights Assignment","Increase scheduling 
priority",accesschk,SeIncreaseBasePriorityPrivilege,,,,,,"Window Manager\Window Manager Group;BUILTIN\Administrators","Window Manager\Window Manager Group;BUILTIN\Administrators",=,Medium +2.2.26,"User Rights Assignment","Load and unload device drivers",accesschk,SeLoadDriverPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.27,"User Rights Assignment","Lock pages in memory",accesschk,SeLockMemoryPrivilege,,,,,,,,=,Medium +2.2.28,"User Rights Assignment","Log on as a batch job",accesschk,SeBatchLogonRight,,,,,,"BUILTIN\Performance Log Users;BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.29.1,"User Rights Assignment","Log on as a service",accesschk,SeServiceLogonRight,,,,,,"NT SERVICE\ALL SERVICES;NT AUTHORITY\NETWORK SERVICE",,=,Medium +2.2.29.2,"User Rights Assignment","Log on as a service (Hyper-V)",accesschk,SeServiceLogonRight,,,,,,"S-1-5-83-0;NT SERVICE\ALL SERVICES;NT AUTHORITY\NETWORK SERVICE",S-1-5-83-0,=,Medium +2.2.30,"User Rights Assignment","Manage auditing and security log",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.31,"User Rights Assignment","Modify an object label",accesschk,SeReLabelPrivilege,,,,,,,,=,Medium +2.2.32,"User Rights Assignment","Modify firmware environment values",accesschk,SeSystemEnvironmentPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.33,"User Rights Assignment","Perform volume maintenance tasks",accesschk,SeManageVolumePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.34,"User Rights Assignment","Profile single process",accesschk,SeProfileSingleProcessPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.35,"User Rights Assignment","Profile system performance",accesschk,SeSystemProfilePrivilege,,,,,,"NT SERVICE\WdiServiceHost;BUILTIN\Administrators","NT SERVICE\WdiServiceHost;BUILTIN\Administrators",=,Medium +2.2.36,"User Rights 
Assignment","Replace a process level token",accesschk,SeAssignPrimaryTokenPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.37,"User Rights Assignment","Restore files and directories",accesschk,SeRestorePrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.38,"User Rights Assignment","Shut down the system",accesschk,SeShutdownPrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators",BUILTIN\Users;BUILTIN\Administrators,=,Medium +2.2.39,"User Rights Assignment","Take ownership of files or other objects",accesschk,SeTakeOwnershipPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.3.1.1,"Security Options","Accounts: Administrator account status",localaccount,500,,,,,,False,False,=,Medium +2.3.1.2,"Security Options","Accounts: Block Microsoft accounts",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,NoConnectedUser,,,,0,3,=,Low +2.3.1.3,"Security Options","Accounts: Guest account status",localaccount,501,,,,,,False,False,=,Medium +2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium +2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low +2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low +2.3.4.1,"Security 
Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium +2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium +2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium +2.3.6.3,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium +2.3.6.4,"Security Options","Domain member: Disable machine account password changes",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange,,,,0,0,=,Medium +2.3.6.5,"Security Options","Domain member: Maximum machine account password age",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,,,,30,30,<=!0,Medium +2.3.6.6,"Security Options","Domain member: Require strong (Windows 2000 or later) session key",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,,,,1,1,=,Medium +2.3.7.1,"Security Options","Interactive logon: Do not require CTRL+ALT+DEL",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCAD,,,,1,0,=,Low +2.3.7.2,"Security Options","Interactive logon: Don't display last signed-in",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DontDisplayLastUserName,,,,0,1,=,Low +2.3.7.3,"Security Options","Interactive logon: Machine account 
lockout threshold",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,MaxDevicePasswordFailedAttempts,,,,10,10,<=!0,Medium +2.3.7.4,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,<=!0,Medium +2.3.7.5,"Security Options","Interactive logon: Message text for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeText,,,,,,!=,Low +2.3.7.6,"Security Options","Interactive logon: Message title for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeCaption,,,,,,!=,Low +2.3.7.7,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,CachedLogonsCount,,,,10,4,<=,Medium +2.3.7.8.1,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low +2.3.7.8.2,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low +2.3.7.9,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Low +2.3.8.1,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.8.2,"Security Options","Microsoft network client: Digitally sign communications (if server 
agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnableSecuritySignature,,,,1,1,=,Medium +2.3.8.3,"Security Options","Microsoft network client: Send unencrypted password to third-party SMB servers",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnablePlainTextPassword,,,,0,0,=,Medium +2.3.9.1,"Security Options","Microsoft network server: Amount of idle time required before suspending session",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,AutoDisconnect,,,,15,15,<=,Medium +2.3.9.2,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.9.3,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium +2.3.9.4,"Security Options","Microsoft network server: Disconnect clients when logon hours expire",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,enableforcedlogoff,,,,1,1,=,Medium +2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,,1,>=,Medium +2.3.10.1,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,Medium +2.3.10.2,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,Medium +2.3.10.3,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,Medium +2.3.10.4,"Security Options","Network 
access: Do not allow storage of passwords and credentials for network authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium +2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium +2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,NullSessionPipes,,,,,,=,Medium +2.3.10.7,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print 
Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.9,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium +2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium +2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium +2.3.10.12,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium +2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium +2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium +2.3.11.4,"Security Options","Network security: Configure encryption types allowed for 
Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +2.3.11.5,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High +2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low +2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium +2.3.11.8,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium +2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium +2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium +2.3.14.1,"Security Options","System cryptography: Force strong key protection for user keys stored on the computer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography,ForceKeyProtection,,,,,1,>=,Medium +2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium +2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. 
Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium +2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium +2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,0,2,=,Medium +2.3.17.3,"Security Options","User Account Control: Behavior of the elevation prompt for standard users",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorUser,,,,0,0,=,Medium +2.3.17.4,"Security Options","User Account Control: Detect application installations and prompt for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableInstallerDetection,,,,1,1,=,Medium +2.3.17.5,"Security Options","User Account Control: Only elevate UIAccess applications that are installed in secure locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableSecureUIAPaths,,,,1,1,=,Medium +2.3.17.6,"Security Options","User Account Control: Run all administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,,,,1,1,=,Medium +2.3.17.7,"Security Options","User Account Control: Switch to the secure desktop when prompting for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,,,,1,1,=,Medium +2.3.17.8,"Security Options","User Account Control: Virtualize file and registry write failures to per-user locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableVirtualization,,,,1,1,=,Medium +5.1.1,"System Services","Bluetooth Audio Gateway Service 
(BTAGService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\BTAGService,Start,,,,3,4,=,Medium +5.1.2,"System Services","Bluetooth Audio Gateway Service (BTAGService) (Service Startup type)",service,BTAGService,,,,,,Manual,Disabled,=,Medium +5.2.1,"System Services","Bluetooth Support Service (bthserv)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\bthserv,Start,,,,3,4,=,Medium +5.2.2,"System Services","Bluetooth Support Service (bthserv) (Service Startup type)",service,bthserv,,,,,,Manual,Disabled,=,Medium +5.3.1,"System Services","Computer Browser (Browser)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Browser,Start,,,,,4,=,Medium +5.3.2,"System Services","Computer Browser (Browser) (Service Startup type)",service,Browser,,,,,,Manual,Disabled,=,Medium +5.4.1,"System Services","Downloaded Maps Manager (MapsBroker)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MapsBroker,Start,,,,2,4,=,Medium +5.4.2,"System Services","Downloaded Maps Manager (MapsBroker) (Service Startup type)",service,MapsBroker,,,,,,Automatic,Disabled,=,Medium +5.5.1,"System Services","Geolocation Service (lfsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\lfsvc,Start,,,,3,4,=,Medium +5.5.2,"System Services","Geolocation Service (lfsvc) (Service Startup type)",service,lfsvc,,,,,,Manual,Disabled,=,Medium +5.6.1,"System Services","IIS Admin Service (IISADMIN)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\IISADMIN,Start,,,,,4,=,Medium +5.6.2,"System Services","IIS Admin Service (IISADMIN) (Service Startup type)",service,IISADMIN,,,,,,"",Disabled,=,Medium +5.7.1,"System Services","Infrared monitor service (irmon)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\irmon,Start,,,,,4,=,Medium +5.7.2,"System Services","Infrared monitor service (irmon) (Service Startup type)",service,irmon,,,,,,,Disabled,=,Medium +5.8.1,"System Services","Internet Connection Sharing (ICS) (SharedAccess)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess,Start,,,,3,4,=,Medium 
+5.8.2,"System Services","Internet Connection Sharing (ICS) (SharedAccess) (Service Startup type)",service,SharedAccess,,,,,,Manual,Disabled,=,Medium +5.9.1,"System Services","Link-Layer Topology Discovery Mapper (lltdsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\lltdsvc,Start,,,,3,4,=,Medium +5.9.2,"System Services","Link-Layer Topology Discovery Mapper (lltdsvc) (Service Startup type)",service,lltdsvc,,,,,,Manual,Disabled,=,Medium +5.10.1,"System Services","LxssManager (LxssManager)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LxssManager,Start,,,,"",4,=,Medium +5.10.2,"System Services","LxssManager (LxssManager) (Service Startup type)",service,LxssManager,,,,,,,Disabled,=,Medium +5.11.1,"System Services","Microsoft FTP Service (FTPSVC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\FTPSVC,Start,,,,,4,=,Medium +5.11.2,"System Services","Microsoft FTP Service (FTPSVC) (Service Startup type)",service,FTPSVC,,,,,,"",Disabled,=,Medium +5.12.1,"System Services","Microsoft iSCSI Initiator Service (MSiSCSI)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MSiSCSI,Start,,,,3,4,=,Medium +5.12.2,"System Services","Microsoft iSCSI Initiator Service (MsiSCSI) (Service Startup type)",service,MsiSCSI,,,,,,Manual,Disabled,=,Medium +5.13.1,"System Services","Microsoft Store Install Service (InstallService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\InstallService,Start,,,,3,4,=,Medium +5.13.2,"System Services","Microsoft Store Install Service (InstallService) (Service Startup type)",service,InstallService,,,,,,Manual,Disabled,=,Medium +5.14.1,"System Services","OpenSSH SSH Server (sshd)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\sshd,Start,,,,,4,=,Medium +5.14.2,"System Services","OpenSSH SSH Server (sshd) (Service Startup type)",service,sshd,,,,,,,Disabled,=,Medium +5.15.1,"System Services","Peer Name Resolution Protocol (PNRPsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PNRPsvc,Start,,,,3,4,=,Medium +5.15.2,"System 
Services","Peer Name Resolution Protocol (PNRPsvc) (Service Startup type)",service,PNRPsvc,,,,,,Manual,Disabled,=,Medium +5.16.1,"System Services","Peer Networking Grouping (p2psvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\p2psvc,Start,,,,3,4,=,Medium +5.16.2,"System Services","Peer Networking Grouping (p2psvc) (Service Startup type)",service,p2psvc,,,,,,Manual,Disabled,=,Medium +5.17.1,"System Services","Peer Networking Identity Manager (p2pimsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\p2pimsvc,Start,,,,3,4,=,Medium +5.17.2,"System Services","Peer Networking Identity Manager (p2pimsvc) (Service Startup type)",service,p2pimsvc,,,,,,Manual,Disabled,=,Medium +5.18.1,"System Services","PNRP Machine Name Publication Service (PNRPAutoReg)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PNRPAutoReg,Start,,,,3,4,=,Medium +5.18.2,"System Services","PNRP Machine Name Publication Service (PNRPAutoReg) (Service Startup type)",service,PNRPAutoReg,,,,,,Manual,Disabled,=,Medium +5.19.1,"System Services","Problem Reports and Solutions Control Panel Support (wercplsupport)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\wercplsupport,Start,,,,3,4,=,Medium +5.19.2,"System Services","Problem Reports and Solutions Control Panel Support (wercplsupport) (Service Startup type)",service,wercplsupport,,,,,,Manual,Disabled,=,Medium +5.20.1,"System Services","Remote Access Auto Connection Manager (RasAuto)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasAuto,Start,,,,3,4,=,Medium +5.20.2,"System Services","Remote Access Auto Connection Manager (RasAuto) (Service Startup type)",service,RasAuto,,,,,,Manual,Disabled,=,Medium +5.21.1,"System Services","Remote Desktop Configuration (SessionEnv)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SessionEnv,Start,,,,3,4,=,Medium +5.21.2,"System Services","Remote Desktop Configuration (SessionEnv) (Service Startup type)",service,SessionEnv,,,,,,Manual,Disabled,=,Medium +5.22.1,"System Services","Remote Desktop 
Services (TermService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TermService,Start,,,,3,4,=,Medium +5.22.1,"System Services","Remote Desktop Services (TermService) (Service Startup type)",service,TermService,,,,,,Manual,Disabled,=,Medium +5.23.1,"System Services","Remote Desktop Services UserMode Port Redirector (UmRdpService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\UmRdpService,Start,,,,3,4,=,Medium +5.23.2,"System Services","Remote Desktop Services UserMode Port Redirector (UmRdpService) (Service Startup type)",service,UmRdpService,,,,,,Manual,Disabled,=,Medium +5.24.1,"System Services","Remote Procedure Call (RPC) Locator (RpcLocator)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RpcLocator,Start,,,,3,4,=,Medium +5.24.2,"System Services","Remote Procedure Call (RPC) Locator (RpcLocator) (Service Startup type)",service,RpcLocator,,,,,,Manual,Disabled,=,Medium +5.25.1,"System Services","Remote Registry (RemoteRegistry)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry,Start,,,,4,4,=,Medium +5.25.2,"System Services","Remote Registry (RemoteRegistry) (Service Startup type)",service,RemoteRegistry,,,,,,Disabled,Disabled,=,Medium +5.26.1,"System Services","Routing and Remote Access (RemoteAccess)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess,Start,,,,4,4,=,Medium +5.26.2,"System Services","Routing and Remote Access (RemoteAccess) (Service Startup type)",service,RemoteAccess,,,,,,Disabled,Disabled,=,Medium +5.27.1,"System Services","Server (LanmanServer)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer,Start,,,,2,4,=,Medium +5.27.2,"System Services","Server (LanmanServer) (Service Startup type)",service,LanmanServer,,,,,,Automatic,Disabled,=,Medium +5.28.1,"System Services","Simple TCP/IP Services (simptcp)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\simptcp,Start,,,,,4,=,Medium +5.28.2,"System Services","Simple TCP/IP Services (simptcp) (Service Startup 
type)",service,simptcp,,,,,,"",Disabled,=,Medium
+5.29.1,"System Services","SNMP Service (SNMP)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SNMP,Start,,,,,4,=,Medium
+5.29.2,"System Services","SNMP Service (SNMP) (Service Startup type)",service,SNMP,,,,,,"",Disabled,=,Medium
+5.30.1,"System Services","SSDP Discovery (SSDPSRV)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SSDPSRV,Start,,,,3,4,=,Medium
+5.30.2,"System Services","SSDP Discovery (SSDPSRV) (Service Startup type)",service,SSDPSRV,,,,,,Manual,Disabled,=,Medium
+5.31.1,"System Services","UPnP Device Host (upnphost)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\upnphost,Start,,,,3,4,=,Medium
+5.31.2,"System Services","UPnP Device Host (upnphost) (Service Startup type)",service,upnphost,,,,,,Manual,Disabled,=,Medium
+5.32.1,"System Services","Web Management Service (WMSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WMSvc,Start,,,,,4,=,Medium
+5.32.2,"System Services","Web Management Service (WMSvc) (Service Startup type)",service,WMSvc,,,,,,"",Disabled,=,Medium
+5.33.1,"System Services","Windows Error Reporting Service (WerSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WerSvc,Start,,,,3,4,=,Medium
+5.33.2,"System Services","Windows Error Reporting Service (WerSvc) (Service Startup type)",service,WerSvc,,,,,,Manual,Disabled,=,Medium
+5.34.1,"System Services","Windows Event Collector (Wecsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Wecsvc,Start,,,,3,4,=,Medium
+5.34.2,"System Services","Windows Event Collector (Wecsvc) (Service Startup type)",service,Wecsvc,,,,,,Manual,Disabled,=,Medium
+5.35.1,"System Services","Windows Media Player Network Sharing Service (WMPNetworkSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc,Start,,,,3,4,=,Medium
+5.35.2,"System Services","Windows Media Player Network Sharing Service (WMPNetworkSvc) (Service Startup type)",service,WMPNetworkSvc,,,,,,Manual,Disabled,=,Medium
+5.36.1,"System Services","Windows Mobile 
Hotspot Service (icssvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\icssvc,Start,,,,3,4,=,Medium
+5.36.2,"System Services","Windows Mobile Hotspot Service (icssvc) (Service Startup type)",service,icssvc,,,,,,Manual,Disabled,=,Medium
+5.37.1,"System Services","Windows Push Notifications System Service (WpnService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WpnService,Start,,,,2,4,=,Medium
+5.37.2,"System Services","Windows Push Notifications System Service (WpnService) (Service Startup type)",service,WpnService,,,,,,Automatic,Disabled,=,Medium
+5.38.1,"System Services","Windows PushToInstall Service (PushToInstall)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PushToInstall,Start,,,,3,4,=,Medium
+5.38.2,"System Services","Windows PushToInstall Service (PushToInstall) (Service Startup type)",service,PushToInstall,,,,,,Manual,Disabled,=,Medium
+5.39.1,"System Services","Windows Remote Management (WS-Management) (WinRM)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WinRM,Start,,,,3,4,=,Medium
+5.39.2,"System Services","Windows Remote Management (WS-Management) (WinRM) (Service Startup type)",service,WinRM,,,,,,Manual,Disabled,=,Medium
+5.40.1,"System Services","World Wide Web Publishing Service (W3SVC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC,Start,,,,,4,=,Medium
+5.40.1,"System Services","World Wide Web Publishing Service (W3SVC) (Service Startup type)",service,W3SVC,,,,,,,Disabled,=,Medium
+5.41.1,"System Services","Xbox Accessory Management Service (XboxGipSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxGipSvc,Start,,,,3,4,=,Medium
+5.41.2,"System Services","Xbox Accessory Management Service (XboxGipSvc) (Service Startup type)",service,XboxGipSvc,,,,,,Manual,Disabled,=,Medium
+5.42.1,"System Services","Xbox Live Auth Manager (XblAuthManager)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XblAuthManager,Start,,,,3,4,=,Medium
+5.42.2,"System Services","Xbox Live Auth Manager (XblAuthManager) (Service Startup 
type)",service,XblAuthManager,,,,,,Manual,Disabled,=,Medium
+5.43.1,"System Services","Xbox Live Game Save (XblGameSave)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XblGameSave,Start,,,,3,4,=,Medium
+5.43.2,"System Services","Xbox Live Game Save (XblGameSave) (Service Startup type)",service,XblGameSave,,,,,,Manual,Disabled,=,Medium
+5.44.1,"System Services","Xbox Live Networking Service (XboxNetApiSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc,Start,,,,3,4,=,Medium
+5.44.2,"System Services","Xbox Live Networking Service (XboxNetApiSvc) (Service Startup type)",service,XboxNetApiSvc,,,,,,Manual,Disabled,=,Medium
+9.1.1,"Windows Firewall","EnableFirewall (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,,,,0,1,=,Medium
+9.1.2,"Windows Firewall","Inbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,,,,1,1,=,Medium
+9.1.3,"Windows Firewall","Outbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,,,,0,0,=,Medium
+9.1.4,"Windows Firewall","Display a notification (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DisableNotifications,,,,0,1,=,Low
+9.1.5,"Windows Firewall","Name of log file (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\domainfw.log,=,Low
+9.1.6,"Windows Firewall","Log size limit (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium
+9.1.7,"Windows Firewall","Log dropped packets (Domain Profile, 
Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium
+9.1.8,"Windows Firewall","Log successful connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+9.2.1,"Windows Firewall","EnableFirewall (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,,,,0,1,=,Medium
+9.2.2,"Windows Firewall","Inbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultInboundAction,,,,1,1,=,Medium
+9.2.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium
+9.2.4,"Windows Firewall","Display a notification (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DisableNotifications,,,,0,1,=,Low
+9.2.5,"Windows Firewall","Name of log file (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\privatefw.log,=,Low
+9.2.6,"Windows Firewall","Log size limit (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium
+9.2.7,"Windows Firewall","Log dropped packets (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium
+9.2.8,"Windows Firewall","Log successful connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+9.3.1,"Windows Firewall","EnableFirewall (Public Profile, 
Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,,,,0,1,=,Medium
+9.3.2,"Windows Firewall","Inbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium
+9.3.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium
+9.3.4,"Windows Firewall","Display a notification (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,,,,0,1,=,Low
+9.3.5,"Windows Firewall","Apply local firewall rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalPolicyMerge,,,,0,0,=,Low
+9.3.6,"Windows Firewall","Apply local connection security rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalIPsecPolicyMerge,,,,0,0,=,Low
+9.3.7,"Windows Firewall","Name of log file (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\publicfw.log,=,Low
+9.3.8,"Windows Firewall","Log size limit (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium
+9.3.9,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium
+9.3.10,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+17.1.1,"Advanced Audit Policy Configuration","Credential 
Validation",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.2.1,"Advanced Audit Policy Configuration","Application Group Management",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.2.2,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,,,,,,,,"Success and Failure",=,Low
+17.2.3,"Advanced Audit Policy Configuration","Security Group Management",auditpol,,,,,,,Success,Success,contains,Low
+17.2.4,"Advanced Audit Policy Configuration","User Account Management",auditpol,,,,,,,Success,"Success and Failure",=,Low
+17.3.1,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.3.2,"Advanced Audit Policy Configuration","Process Creation",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.5.1,"Advanced Audit Policy Configuration","Account Lockout",auditpol,,,,,,,Success,Failure,contains,Low
+17.5.2,"Advanced Audit Policy Configuration","Group Membership",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.5.3,"Advanced Audit Policy Configuration",Logoff,auditpol,,,,,,,Success,Success,contains,Low
+17.5.4,"Advanced Audit Policy Configuration",Logon,auditpol,,,,,,,"Success and Failure","Success and Failure",=,Low
+17.5.5,"Advanced Audit Policy Configuration","Other Logon/Logoff Events",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.5.6,"Advanced Audit Policy Configuration","Special Logon",auditpol,,,,,,,Success,Success,contains,Low
+17.6.1,"Advanced Audit Policy Configuration","Detailed File Share",auditpol,,,,,,,"No Auditing",Failure,contains,Low
+17.6.2,"Advanced Audit Policy Configuration","File Share",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.6.3,"Advanced Audit Policy Configuration","Other Object Access Events",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.6.4,"Advanced Audit Policy Configuration","Removable Storage",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.7.1,"Advanced Audit Policy 
Configuration","Audit Policy Change",auditpol,,,,,,,Success,Success,contains,Low
+17.7.2,"Advanced Audit Policy Configuration","Authentication Policy Change",auditpol,,,,,,,Success,Success,contains,Low
+17.7.3,"Advanced Audit Policy Configuration","Authorization Policy Change",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.7.4,"Advanced Audit Policy Configuration","MPSSVC Rule-Level Policy Change",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.7.5,"Advanced Audit Policy Configuration","Other Policy Change Events",auditpol,,,,,,,"No Auditing",Failure,contains,Low
+17.8.1,"Advanced Audit Policy Configuration","Sensitive Privilege Use",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.9.1,"Advanced Audit Policy Configuration","IPsec Driver",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.9.2,"Advanced Audit Policy Configuration","Other System Events",auditpol,,,,,,,"Success and Failure","Success and Failure",=,Low
+17.9.3,"Advanced Audit Policy Configuration","Security State Change",auditpol,,,,,,,Success,Success,contains,Low
+17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.9.5,"Advanced Audit Policy Configuration","System Integrity",auditpol,,,,,,,"Success and Failure","Success and Failure",=,Low
+18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low
+18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low
+18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition 
services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium
+18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium
+18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,HKLM:\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA},DllName,,,,,"C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll",=,Medium
+18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium
+18.2.3,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium
+18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium
+18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium
+18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium
+18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium
+18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
+18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
+18.3.4,"MS Security 
Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium
+18.3.5,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,,0,=,High
+18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium
+18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
+18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
+18.4.4,"MSS (Legacy)","MSS: (DisableSavePassword) Prevent the dial-up password from being saved",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters,DisableSavePassword,,,,,1,=,Medium
+18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium
+18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium
+18.4.7,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
+18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to 
DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium
+18.4.9,"MSS (Legacy)","Enable Safe DLL search mode",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium
+18.4.10,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium
+18.4.11,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium
+18.4.12,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium
+18.4.13,"MSS (Legacy)","MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security,WarningLevel,,,,0,90,<=,Medium
+18.5.4.1,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium
+18.5.4.2,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium
+18.5.5.1,"Administrative Templates: Network","Fonts: Enable Font Providers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableFontProviders,,,,1,0,=,Medium
+18.5.8.1,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
+18.5.9.1.1,"Administrative Templates: Network","Link-Layer 
Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOndomain)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOndomain,,,,0,0,=,Medium
+18.5.9.1.2,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOnPublicNet,,,,0,0,=,Medium
+18.5.9.1.3,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (EnableLLTDIO)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableLLTDIO,,,,0,0,=,Medium
+18.5.9.1.4,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (ProhibitLLTDIOOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitLLTDIOOnPrivateNet,,,,0,0,=,Medium
+18.5.9.2.1,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnDomain)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD,AllowRspndrOnDomain,,,,0,0,=,Medium
+18.5.9.2.2,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowRspndrOnPublicNet,,,,0,0,=,Medium
+18.5.9.2.3,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (EnableRspndr)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableRspndr,,,,0,0,=,Medium
+18.5.9.2.4,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (ProhibitRspndrOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitRspndrOnPrivateNet,,,,0,0,=,Medium
+18.5.10.2,"Administrative Templates: Network","Turn off Microsoft Peer-to-Peer Networking Services",Registry,,HKLM:\Software\policies\Microsoft\Peernet,Disabled,,,,0,1,=,Medium
+18.5.11.2,"Administrative Templates: Network","Network Connections: Prohibit installation and configuration of Network Bridge on your DNS domain 
network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_AllowNetBridge_NLA,,,,0,0,=,Medium
+18.5.11.3,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium
+18.5.11.4,"Administrative Templates: Network","Network Connections: Require domain users to elevate when setting a network's location",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_StdDomainUserSetLocation,,,,0,1,=,Medium
+18.5.14.1.1,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+18.5.14.1.2,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+18.5.19.2.1,"Administrative Templates: Network","Disable IPv6",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters,DisabledComponents,,,,0,255,=,Medium
+18.5.20.1.1,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (EnableRegistrars)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,EnableRegistrars,,,,1,0,=,Medium
+18.5.20.1.2,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableUPnPRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableUPnPRegistrar,,,,1,0,=,Medium
+18.5.20.1.3,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now 
(DisableInBand802DOT11Registrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableInBand802DOT11Registrar,,,,1,0,=,Medium
+18.5.20.1.4,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableFlashConfigRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableFlashConfigRegistrar,,,,1,0,=,Medium
+18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium
+18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium
+18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium
+18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
+18.5.23.2.1,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
+18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium 
+18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium
+18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,"“AllowEncryptionOracle",,,,0,0,=,Medium
+18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
+18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium
+18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
+18.8.5.4,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,1,=,Medium
+18.8.5.5,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium
+18.8.5.6,"Administrative Templates: System","Device Guard: Secure Launch Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,,,,0,1,=,Medium 
+18.8.7.1.1,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices that match an ID",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDs,,,,0,1,=,Medium
+18.8.7.1.2,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs,PCI\CC_0C0A,,,,0,PCI\CC_0C0A,=,Medium
+18.8.7.1.3,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDsRetroactive,,,,0,1,=,Medium
+18.8.7.1.4,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClasses,,,,0,1,=,Medium
+18.8.7.1.5.1,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
+18.8.7.1.5.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 7ebefbc0-3200-11d2-b4c2-00a0C9697d07 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,,,,0,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,=,Medium
+18.8.7.1.5.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent 
installation of devices using drivers that match c06ff265-ae09-48f0-812c-16753d7cba83 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,c06ff265-ae09-48f0-812c-16753d7cba83,,,,0,c06ff265-ae09-48f0-812c-16753d7cba83,=,Medium
+18.8.7.1.5.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 6bdd1fc1-810f-11d0-bec7-08002be2092f (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,6bdd1fc1-810f-11d0-bec7-08002be2092f,,,,0,6bdd1fc1-810f-11d0-bec7-08002be2092f,=,Medium
+18.8.7.1.6,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClassesRetroactive,,,,0,1,=,Medium
+18.8.14.1,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium
+18.8.21.2,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Medium
+18.8.21.3,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Medium
+18.8.21.4,"Administrative Templates: System","Group Policy: Continue experiences on this device",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableCdp,,,,1,0,=,Medium
+18.8.21.5,"Administrative Templates: System","Group Policy: Turn off background refresh of Group 
Policy",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableBkGndGroupPolicy,,,,0,0,=,Medium
+18.8.22.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off access to the Store",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoUseStoreOpenWith,,,,0,1,=,Medium
+18.8.22.1.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off downloading of print drivers over HTTP",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",DisableWebPnPDownload,,,,0,1,=,Medium
+18.8.22.1.3,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting personalization data sharing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC,PreventHandwritingDataSharing,,,,0,1,=,Medium
+18.8.22.1.4,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting recognition error reporting",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports,PreventHandwritingErrorReports,,,,0,1,=,Medium
+18.8.22.1.5,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard",ExitOnMSICW,,,,0,1,=,Medium
+18.8.22.1.6,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoWebServices,,,,0,1,=,Medium
+18.8.22.1.7,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off printing over 
HTTP",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers",DisableHTTPPrinting,,,,0,1,=,Medium +18.8.22.1.8,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Registration if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control",NoRegistration,,,,0,1,=,Medium +18.8.22.1.9,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Search Companion content file updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\SearchCompanion,DisableContentFileUpdates,,,,0,1,=,Medium +18.8.22.1.10,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Order Prints' picture task",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoOnlinePrintsWizard,,,,0,1,=,Medium +18.8.22.1.11,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Publish to Web' task for files and folders",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoPublishingWizard,,,,0,1,=,Medium +18.8.22.1.12,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\Messenger\Client,CEIP,,,,0,2,=,Medium +18.8.22.1.13,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\SQMClient\Windows,CEIPEnable,,,,1,0,=,Medium +18.8.22.1.14.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 
1",Registry,,HKLM:\Software\Policies\Microsoft\PCHealth\ErrorReporting,DoReport,,,,1,0,=,Medium +18.8.22.1.14.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 2",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting",Disabled,,,,0,1,=,Medium +18.8.25.1.1,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitBehavior)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitBehavior,,,,1,0,=,Medium +18.8.25.1.2,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitEnabled)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitEnabled,,,,1,1,=,Medium +18.8.26.1,"Administrative Templates: System","Kernel DMA Protection: Enumeration policy for external devices incompatible with Kernel DMA Protection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection",DeviceEnumerationPolicy,,,,2,0,=,Medium +18.8.27.1,"Administrative Templates: System","Locale Services: Disallow copying of user input methods to the system account for sign-in",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International",BlockUserInputMethodsForSignIn,,,,0,1,=,Medium +18.8.28.1,"Administrative Templates: System","Logon: Block user from showing account details on sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockUserFromShowingAccountDetailsOnSignin,,,,0,1,=,Medium +18.8.28.2,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Medium +18.8.28.3,"Administrative Templates: System","Logon: Do not enumerate connected users on domain-joined 
computers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,DontEnumerateConnectedUsers,,,,0,1,=,Medium +18.8.28.4,"Administrative Templates: System","Logon: Enumerate local users on domain-joined computers",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,EnumerateLocalUsers,,,,0,0,=,Medium +18.8.28.5,"Administrative Templates: System","Logon: Turn off app notifications on the lock screen",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DisableLockScreenAppNotifications,,,,0,1,=,Medium +18.8.28.6,"Administrative Templates: System","Logon: Turn off picture password sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockDomainPicturePassword,,,,0,1,=,Medium +18.8.28.7,"Administrative Templates: System","Logon: Turn on convenience PIN sign-in",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,AllowDomainPINLogon,,,,1,0,=,Medium +18.8.31.1,"Administrative Templates: System","OS Policies: Allow Clipboard synchronization across devices",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,AllowCrossDeviceClipboard,,,,1,0,=,Medium +18.8.31.2,"Administrative Templates: System","OS Policies: Allow upload of User Activities",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,UploadUserActivities,,,,1,0,=,Medium +18.8.34.6.1,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (on battery)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,DCSettingIndex,,,,1,0,=,Medium +18.8.34.6.2,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (plugged in)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,ACSettingIndex,,,,1,0,=,Medium +18.8.34.6.3,"Administrative Templates: System","Sleep Settings: Allow standby states (S1-S3) when sleeping (on 
battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,,,,1,0,=,Medium +18.8.34.6.4,"Administrative Templates: System","Sleep Settings: Allow standby states (S1-S3) when sleeping (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,ACSettingIndex,,,,1,0,=,Medium +18.8.34.6.5,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,DCSettingIndex,,,,0,1,=,Medium +18.8.34.6.6,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex,,,,0,1,=,Medium +18.8.36.1,"Administrative Templates: System","Remote Assistance: Configure Offer Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowUnsolicited,,,,1,0,=,Medium +18.8.36.2,"Administrative Templates: System","Remote Assistance: Configure Solicited Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowToGetHelp,,,,1,0,=,Medium +18.8.37.1,"Administrative Templates: System","Remote Procedure Call: Enable RPC Endpoint Mapper Client Authentication",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",EnableAuthEpResolution,,,,0,1,=,Medium +18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium +18.8.45.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support 
provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium +18.8.45.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium +18.8.47.1,"Administrative Templates: System","User Profiles: Turn of the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +18.8.50.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium +18.8.50.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium +18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium +18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium +18.9.6.2,"Administrative Templates: Windows Components","App runtime: Block launching Universal Windows apps with Windows Runtime API access from hosted content",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,BlockHostedAppAccessWinRT,,,,0,1,=,Medium +18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium +18.9.8.2,"Administrative Templates: Windows 
Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium +18.9.8.3,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium +18.9.10.1.1,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium +18.9.11.1.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Allow access to BitLocker-protected fixed data drives from earlier versions of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVDiscoveryVolumeType,,,,,,=,Medium +18.9.11.1.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecovery,,,,0,1,=,Medium +18.9.11.1.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVManageDRA,,,,1,1,=,Medium +18.9.11.1.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Recovery Password",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecoveryPassword,,,,,2,=,Medium +18.9.11.1.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Recovery Key",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecoveryKey,,,,,2,=,Medium +18.9.11.1.6,"Administrative Templates: Windows 
Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVHideRecoveryPage,,,,,1,=,Medium +18.9.11.1.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.1.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVActiveDirectoryInfoToStore,,,,,1,=,Medium +18.9.11.1.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRequireActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.1.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of hardware-based encryption for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVHardwareEncryption,,,,,1,=,Medium +18.9.11.1.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of hardware-based encryption for fixed data drives: Use BitLocker software-based encryption when hardware encryption is not available",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVAllowSoftwareEncryptionFailover,,,,1,1,=,Medium +18.9.11.1.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: 
Configure use of hardware-based encryption for fixed data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRestrictHardwareEncryptionAlgorithms,,,,0,0,=,Medium +18.9.11.1.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of hardware-based encryption for fixed data drives: Restrict crypto algorithms or cipher suites",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVAllowedHardwareEncryptionAlgorithms,,,,,2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42,=,Medium +18.9.11.1.14,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of passwords for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVPassphrase,,,,0,0,=,Medium +18.9.11.1.15,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of smart cards on fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVAllowUserCert,,,,,1,=,Medium +18.9.11.1.16,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVEnforceUserCert,,,,0,1,=,Medium +18.9.11.2.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Allow enhanced PINs for startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseEnhancedPin,,,,0,1,=,Medium +18.9.11.2.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Allow Secure Boot for integrity validation",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowSecureBootForIntegrity,,,,0,1,=,Medium +18.9.11.2.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how 
BitLocker-protected operating system drives can be recovered",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecovery,,,,0,1,=,Medium +18.9.11.2.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSManageDRA,,,,1,0,=,Medium +18.9.11.2.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Recovery Password",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecoveryPassword,,,,,1,=,Medium +18.9.11.2.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Recovery Key",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecoveryKey,,,,1,0,=,Medium +18.9.11.2.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSHideRecoveryPage,,,,0,1,=,Medium +18.9.11.2.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSActiveDirectoryBackup,,,,0,1,=,Medium +18.9.11.2.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD 
DS",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSActiveDirectoryInfoToStore,,,,0,1,=,Medium +18.9.11.2.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRequireActiveDirectoryBackup,,,,0,1,=,Medium +18.9.11.2.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of hardware-based encryption for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSHardwareEncryption,,,,0,1,=,Medium +18.9.11.2.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Use BitLocker software-based encryption when hardware encryption is not available",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowSoftwareEncryptionFailover,,,,0,1,=,Medium +18.9.11.2.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of hardware-based encryption for operating system drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRestrictHardwareEncryptionAlgorithms,,,,0,0,=,Medium +18.9.11.2.14,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of hardware-based encryption for operating system drives: Restrict crypto algorithms or cipher suites",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowedHardwareEncryptionAlgorithms,,,,,2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42,=,Medium +18.9.11.2.15,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of passwords for operating system 
drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSPassphrase,,,,,0,=,Medium +18.9.11.2.16,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseAdvancedStartup,,,,0,1,=,Medium +18.9.11.2.17,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Allow BitLocker without a compatible TPM",Registry,,HKLM:\Software\Policies\Microsoft\FVE,EnableBDEWithNoTPM,,,,1,0,=,Medium +18.9.11.3.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Allow access to BitLocker-protected removable data drives from earlier versions of Windows",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDiscoveryVolumeType,,,,,,=,Medium +18.9.11.3.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecovery,,,,0,1,=,Medium +18.9.11.3.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVManageDRA,,,,,1,=,Medium +18.9.11.3.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Recovery Password",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecoveryPassword,,,,,0,=,Medium +18.9.11.3.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Recovery Key",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecoveryKey,,,,,0,=,Medium 
+18.9.11.3.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVHideRecoveryPage,,,,,1,=,Medium +18.9.11.3.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.3.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVActiveDirectoryInfoToStore,,,,,1,=,Medium +18.9.11.3.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRequireActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.3.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of hardware-based encryption for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVHardwareEncryption,,,,,1,=,Medium +18.9.11.3.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of hardware-based encryption for removable data drives: Use BitLocker software-based encryption when hardware encryption is not 
available",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVAllowSoftwareEncryptionFailover,,,,,1,=,Medium +18.9.11.3.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of hardware-based encryption for removable data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRestrictHardwareEncryptionAlgorithms,,,,,0,=,Medium +18.9.11.3.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of hardware-based encryption for removable data drives: Restrict crypto algorithms or cipher suites",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVAllowedHardwareEncryptionAlgorithms,,,,,2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42,=,Medium +18.9.11.3.14,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of passwords for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVPassphrase,,,,,0,=,Medium +18.9.11.3.15,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of smart cards on removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVAllowUserCert,,,,,1,=,Medium +18.9.11.3.16,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVEnforceUserCert,,,,,1,=,Medium +18.9.11.3.17,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Deny write access to removable drives not protected by BitLocker",Registry,,HKLM:\System\CurrentControlSet\Policies\Microsoft\FVE,RDVDenyWriteAccess,,,,,1,=,Medium +18.9.11.3.18,"Administrative Templates: Windows 
Components","BitLocker Drive Encryption: Removable Data Drives: Do not allow write access to devices configured in another organization",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDenyCrossOrg,,,,,0,=,Medium +18.9.11.4.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Choose drive encryption method and cipher +strength (for operating system drives)",Registry,,HKLM:\Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsOs,,,,6,7,=,Medium +18.9.11.4.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Choose drive encryption method and cipher +strength (for fixed data drives)",Registry,,HKLM:\Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsFdv,,,,6,7,=,Medium +18.9.11.4.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Choose drive encryption method and cipher +strength (for removable data drives)",Registry,,HKLM:\Software\Policies\Microsoft\FVE,EncryptionMethodWithXtsRdv,,,,3,4,=,Medium +18.9.11.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Disable new DMA devices when this computer is locked",Registry,,HKLM:\Software\Policies\Microsoft\FVE,DisableExternalDMAUnderLock,,,,0,1,=,Medium +18.9.12.1,"Administrative Templates: Windows Components","Camera: Allow Use of Camera",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Camera,AllowCamera,,,,1,0,=,Medium +18.9.13.1,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium +18.9.14.1,"Administrative Templates: Windows Components","Connect: Require pin for pairing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect,RequirePinForPairing,,,,0,1,>=,Medium +18.9.15.1,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal 
button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium +18.9.15.2,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium +18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium +18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium +18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium +18.9.17.1,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,3,2,=,Medium +18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium +18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size 
(KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium +18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium +18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium +18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium +18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium +18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium 
+18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium +18.9.35.1,"Administrative Templates: Windows Components","HomeGroup: Prevent the computer from joining a homegroup",Registry,,HKLM:\Software\Policies\Microsoft\Windows\HomeGroup,DisableHomeGroup,,,,0,1,=,Medium +18.9.39.2,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium +18.9.43.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium +18.9.44.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium +18.9.45.1,"Microsoft Edge","Allow Address bar drop-down list suggestions",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI,ShowOneBox,,,,1,0,=,Medium +18.9.45.2,"Microsoft Edge","Allow Adobe Flash",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons,FlashPlayerEnabled,,,,1,0,=,Medium +18.9.45.3,"Microsoft Edge","Allow InPrivate Browsing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main,AllowInPrivate,,,,1,0,=,Medium +18.9.45.4,"Microsoft Edge","Allow Sideloading of extension",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Extensions,AllowSideloadingOfExtensions,,,,1,0,=,Medium +18.9.45.5,"Microsoft Edge","Configure cookies",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main,Cookies,,,,2,1,=,Medium +18.9.45.6,"Microsoft Edge","Configure Password Manager",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,"FormSuggest 
Passwords",,,,,no,=,Medium +18.9.45.7,"Microsoft Edge","Configure Pop-up Blocker",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,AllowPopups,,,,,yes,=,Medium +18.9.45.8,"Microsoft Edge","Configure search suggestions in Address bar",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\SearchScopes,ShowSearchSuggestionsGlobal,,,,,0,=,Medium +18.9.45.9,"Microsoft Edge","Configure the Adobe Flash Click-to-Run setting",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Security,FlashClickToRunMode,,,,,1,=,Medium +18.9.45.10,"Microsoft Edge","Prevent access to the about:flags page in Microsoft Edge",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,PreventAccessToAboutFlagsInMicrosoftEdge,,,,,1,=,Medium +18.9.45.11,"Microsoft Edge","Prevent certificate error overrides",Registry,,"HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings",PreventCertErrorOverrides,,,,,1,=,Medium +18.9.45.12,"Microsoft Edge","Prevent using Localhost IP address for WebRTC",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,HideLocalHostIP,,,,,1,=,Medium +18.9.52.1,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium +18.9.58.1,"Administrative Templates: Windows Components","Push To Install: Turn off Push To Install service",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall,DisablePushToInstall,,,,,1,=,Medium +18.9.59.2.2,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium +18.9.59.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Allow users to connect remotely by using Remote Desktop Services",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal 
Services",fDenyTSConnections,,,,0,1,=,Medium +18.9.59.3.3.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow COM port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCcm,,,,0,1,=,Medium +18.9.59.3.3.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium +18.9.59.3.3.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow LPT port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLPT,,,,0,1,=,Medium +18.9.59.3.3.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow supported Plug and Play device redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisablePNPRedir,,,,0,1,=,Medium +18.9.59.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium +18.9.59.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium +18.9.59.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium +18.9.59.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: 
Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +18.9.59.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium +18.9.59.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,,900000,<=,Medium +18.9.59.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium +18.9.59.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium +18.9.59.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,1,=,Medium +18.9.60.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +18.9.61.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium +18.9.61.3,"Administrative Templates: Windows 
Components","Search: Allow Cortana",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortana,,,,1,0,=,Medium +18.9.61.4,"Administrative Templates: Windows Components","Search: Allow Cortana above lock screen",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortanaAboveLock,,,,1,0,=,Medium +18.9.61.5,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium +18.9.61.6,"Administrative Templates: Windows Components","Search: Allow search and Cortana to use location",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowSearchToUseLocation,,,,1,0,=,Medium +18.9.66.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium +18.9.69.1,"Administrative Templates: Windows Components","Store: Disable all apps from Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableStoreApps,,,,,1,=,Medium +18.9.69.2,"Administrative Templates: Windows Components","Store: Only display the private store within the Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RequirePrivateStoreOnly,,,,,1,=,Medium +18.9.69.3,"Administrative Templates: Windows Components","Store: Turn off Automatic Download and Install of updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,AutoDownload,,,,,4,=,Medium +18.9.69.4,"Administrative Templates: Windows Components","Store: Turn off the offer to update to the latest version of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableOSUpgrade,,,,,1,=,Medium +18.9.69.5,"Administrative Templates: Windows Components","Store: Turn off the Store 
application",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RemoveWindowsStore,,,,,1,=,Medium +18.9.77.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium +18.9.77.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=,Medium +18.9.77.7.1,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,,0,=,Medium +18.9.77.9.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium +18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium +18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium +18.9.77.13.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium +18.9.77.13.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +18.9.77.13.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium 
+18.9.77.13.1.2.2.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium +18.9.77.13.1.2.2.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium +18.9.77.13.1.2.3.1,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium +18.9.77.13.1.2.3.2,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium +18.9.77.13.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +18.9.77.13.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +18.9.77.13.1.2.5.1,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium +18.9.77.13.1.2.5.2,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium +18.9.77.13.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office 
(Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +18.9.77.13.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +18.9.77.13.1.2.7.1,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium +18.9.77.13.1.2.7.2,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium +18.9.77.13.1.2.8.1,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium +18.9.77.13.1.2.8.2,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium +18.9.77.13.1.2.9.1,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium +18.9.77.13.1.2.9.2,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium +18.9.77.13.1.2.10.1,"Microsoft Defender Exploit Guard","ASR: Impede JavaScript and VBScript to launch executables 
(Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium +18.9.77.13.1.2.10.2,"Microsoft Defender Exploit Guard","ASR: Impede JavaScript and VBScript to launch executables",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium +18.9.77.13.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +18.9.77.13.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +18.9.77.13.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium +18.9.77.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium +18.9.77.15,"Microsoft Defender Antivirus","Turn off Windows Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +18.9.78.1,"Microsoft Defender Application Guard","Allow auditing events in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AuditApplicationGuard,,,,,1,=,Medium +18.9.78.2,"Microsoft Defender Application Guard","Allow camera and microphone access in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowCameraMicrophoneRedirection,,,,,0,=,Medium +18.9.78.3,"Microsoft Defender Application 
Guard","Allow data persistence for Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowPersistence,,,,,0,=,Medium +18.9.78.4,"Microsoft Defender Application Guard","Allow files to download and save to the host operating system from Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,SaveFilesToHost,,,,,0,=,Medium +18.9.78.4,"Microsoft Defender Application Guard","Allow users to trust files that open in Windows Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,FileTrustCriteria,,,,,1,!=,Medium +18.9.78.6,"Microsoft Defender Application Guard","Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AppHVSIClipboardSettings,,,,,1,=,Medium +18.9.78.7,"Microsoft Defender Application Guard","Turn on Microsoft Defender Application Guard in Managed Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowAppHVSI_ProviderSet,,,,,1,=,Medium +18.9.80.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium +18.9.80.1.1.2,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium +18.9.80.2.1,"Microsoft Edge","Configure Windows Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9,,,,,1,=,Medium +18.9.80.2.2,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for files",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverrideAppRepUnknown,,,,,1,=,Medium +18.9.80.2.3,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for 
sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Medium +18.9.82.1,"Administrative Templates: Windows Components","Windows Game Recording and Broadcasting: Enables or disables Windows Game Recording and Broadcasting",Registry,,HKLM:\Software\Policies\Microsoft\Windows\GameDVR,AllowGameDVR,,,,1,0,=,Medium +18.9.84.1,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow suggested apps in Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowSuggestedAppsInWindowsInkWorkspace,,,,1,0,=,Medium +18.9.84.2,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,1,<=,Medium +18.9.85.1,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium +18.9.85.2,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium +18.9.85.3,"Administrative Templates: Windows Components","Windows Installer: Prevent Internet Explorer security prompt for Windows Installer scripts",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,SafeForScripting,,,,1,0,=,Medium +18.9.86.1,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium +18.9.95.1,PowerShell,"Turn on PowerShell Script Block Logging",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockLogging,,,,0,0,=,Medium +18.9.95.2,PowerShell,"Turn on 
PowerShell Transcription",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription,EnableTranscripting,,,,0,0,=,Medium +18.9.97.1.1,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,Medium +18.9.97.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium +18.9.97.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium +18.9.97.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium +18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium +18.9.97.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium +18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium +18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium +18.9.99.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender 
Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium +18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium +18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium +18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium +18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium +18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium +18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium +18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received 
(DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium
+18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium
+18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium
+18.9.102.4,"Administrative Templates: Windows Components","Windows Update: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium
+18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium
diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_1809_user.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_1809_user.csv
new file mode 100644
index 0000000..5e6e452
--- /dev/null
+++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_1809_user.csv
@@ -0,0 +1,16 @@
+ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity
+19.1.3.1,"Administrative Templates: Control Panel","Enable screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveActive,,,,,1,=,Medium
+19.1.3.3,"Administrative Templates: Control Panel","Password protect the screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaverIsSecure,,,,,1,=,Medium
+19.1.3.4,"Administrative Templates: Control Panel","Screen saver timeout",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveTimeOut,,,,,900,<=!0,Medium
+19.5.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off toast notifications on the lock screen",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoToastApplicationNotificationOnLockScreen,,,,0,1,=,Medium
+19.6.6.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication Settings: Turn off Help Experience Improvement Program",Registry,,HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0,NoImplicitFeedback,,,,0,1,=,Medium
+19.7.4.1,"Administrative Templates: Windows Components","Attachment Manager: Do not preserve zone information in file attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,SaveZoneInformation,,,,,0,=,Medium
+19.7.4.2,"Administrative Templates: Windows Components","Attachment Manager: Notify antivirus programs when opening attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,ScanWithAntiVirus,,,,,1,=,Medium
+19.7.7.1,"Administrative Templates: Windows Components","Cloud Content: Configure Windows spotlight on lock screen",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,ConfigureWindowsSpotlight,,,,,0,=,Medium
+19.7.7.2,"Administrative Templates: Windows Components","Cloud Content: Do not suggest third-party content in Windows spotlight",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableThirdPartySuggestions,,,,0,1,=,Medium
+19.7.7.3,"Administrative Templates: Windows Components","Cloud Content: Do not use diagnostic data for tailored experiences",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableTailoredExperiencesWithDiagnosticData,,,,0,1,=,Medium
+19.7.7.4,"Administrative Templates: Windows Components","Cloud Content: Turn off all Windows spotlight features",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsSpotlightFeatures,,,,0,1,=,Medium
+19.7.26.1,"Administrative Templates: Windows Components","Network Sharing: Prevent users from sharing files within their profile",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoInplaceSharing,,,,0,1,=,Medium
+19.7.41.1,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKCU:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium
+19.7.45.2.1,"Administrative Templates: Windows Components","Windows Media Player: Playback: Prevent Codec Download",Registry,,HKCU:\Software\Policies\Microsoft\WindowsMediaPlayer,PreventCodecDownload,,,,,1,=,Medium
+19.1.3.2,"Administrative Templates: Control Panel","Force specific screen saver: Screen saver executable name",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",SCRNSAVE.EXE,,,,,scrnsave.scr,=,Medium
diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_1903_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_1903_machine.csv
new file mode 100644
index 0000000..d596e13
--- /dev/null
+++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_1903_machine.csv
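Review bot: The recommended values on the two Attachment Manager rows of the 1809 user list (19.7.4.1 and 19.7.4.2) do not look like values the policy actually writes, so the audit result for them would be misleading. As far as I know, "Do not preserve zone information" set to Disabled stores `SaveZoneInformation` = 2 and "Notify antivirus programs" set to Enabled stores `ScanWithAntiVirus` = 3, while 1 for the latter is the Disabled state; with `=` as the operator, 19.7.4.2 would then pass on a host where the scan notification is turned off. I would change the row tails to `SaveZoneInformation,,,,,2,=,Medium` and `ScanWithAntiVirus,,,,,3,=,Medium` after checking them against the benchmark's audit section. Separately, row 19.1.3.2 is appended after 19.7.45.2.1; moving it between 19.1.3.1 and 19.1.3.3 keeps the list in benchmark order.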
@@ -0,0 +1,586 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +1.1.1,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,>=,Low +1.1.2,"Account Policies","Maximum password age",accountpolicy,,,,,,,42,60,<=!0,Low +1.1.3,"Account Policies","Minimum password age",accountpolicy,,,,,,,0,1,>=,Low +1.1.4,"Account Policies","Minimum password length",accountpolicy,,,,,,,0,14,>=,Medium +1.1.5,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium +1.1.6,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High +1.2.1,"Account Policies","Account lockout duration",accountpolicy,,,,,,,30,15,>=,Low +1.2.2,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,10,<=!0,Low +1.2.3,"Account Policies","Reset account lockout counter",accountpolicy,,,,,,,30,15,>=,Low +2.2.1,"User Rights Assignment","Access Credential Manager as a trusted caller",accesschk,SeTrustedCredManAccessPrivilege,,,,,,,,=,Medium +2.2.2,"User Rights Assignment","Access this computer from the network",accesschk,SeNetworkLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;Everyone","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +2.2.3,"User Rights Assignment","Act as part of the operating system",accesschk,SeTcbPrivilege,,,,,,,,=,Medium +2.2.4,"User Rights Assignment","Adjust memory quotas for a process",accesschk,SeIncreaseQuotaPrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.5,"User Rights Assignment","Allow log on locally",accesschk,SeInteractiveLogonRight,,,,,,"BUILTIN\Backup 
Operators;BUILTIN\Users;BUILTIN\Administrators;COMPUTERNAME\Guest",BUILTIN\Users;BUILTIN\Administrators,=,Medium +2.2.6,"User Rights Assignment","Allow log on through Remote Desktop Services",accesschk,SeRemoteInteractiveLogonRight,,,,,,"BUILTIN\Remote Desktop Users;BUILTIN\Administrators","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +2.2.7,"User Rights Assignment","Back up files and directories",accesschk,SeBackupPrivilege,,,,,,"BUILTIN\Administrators;BUILTIN\Backup Operators",BUILTIN\Administrators,=,Medium +2.2.8,"User Rights Assignment","Change the system time",accesschk,SeSystemTimePrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.9,"User Rights Assignment","Change the time zone",accesschk,SeTimeZonePrivilege,,,,,,"BUILTIN\Device Owners;BUILTIN\Users;BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Users;BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.10,"User Rights Assignment","Create a pagefile",accesschk,SeCreatePagefilePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.11,"User Rights Assignment","Create a token object",accesschk,SeCreateTokenPrivilege,,,,,,,,=,Medium +2.2.12,"User Rights Assignment","Create global objects",accesschk,SeCreateGlobalPrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.13,"User Rights Assignment","Create permanent shared objects",accesschk,SeCreatePermanentPrivilege,,,,,,,,=,Medium +2.2.14.1,"User Rights Assignment","Create symbolic links",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.14.2,"User Rights Assignment","Create symbolic links 
(Hyper-V)",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,S-1-5-83-0;BUILTIN\Administrators,S-1-5-83-0;BUILTIN\Administrators,=,Medium +2.2.15,"User Rights Assignment","Debug programs",accesschk,SeDebugPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.16,"User Rights Assignment","Deny access to this computer from the network",accesschk,SeDenyNetworkLogonRight,,,,,,COMPUTERNAME\Guest,"Guest;NT AUTHORITY\Local account",=,Medium +2.2.17,"User Rights Assignment","Deny log on as a batch job",accesschk,SeDenyBatchLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.18,"User Rights Assignment","Deny log on as a service",accesschk,SeDenyServiceLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.19,"User Rights Assignment","Deny log on locally",accesschk,SeDenyInteractiveLogonRight,,,,,,BUILTIN\Guests,BUILTIN\Guests,=,Medium +2.2.20,"User Rights Assignment","Deny log on through Remote Desktop Services",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,"BUILTIN\Guests;NT AUTHORITY\Local account",=,Medium +2.2.21,"User Rights Assignment","Enable computer and user accounts to be trusted for delegation",accesschk,SeEnableDelegationPrivilege,,,,,,,,=,Medium +2.2.22,"User Rights Assignment","Force shutdown from a remote system",accesschk,SeRemoteShutdownPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.23,"User Rights Assignment","Generate security audits",accesschk,SeAuditPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.24,"User Rights Assignment","Impersonate a client after authentication",accesschk,SeImpersonatePrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.25,"User Rights Assignment","Increase scheduling 
priority",accesschk,SeIncreaseBasePriorityPrivilege,,,,,,"Window Manager\Window Manager Group;BUILTIN\Administrators","Window Manager\Window Manager Group;BUILTIN\Administrators",=,Medium +2.2.26,"User Rights Assignment","Load and unload device drivers",accesschk,SeLoadDriverPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.27,"User Rights Assignment","Lock pages in memory",accesschk,SeLockMemoryPrivilege,,,,,,,,=,Medium +2.2.28,"User Rights Assignment","Log on as a batch job",accesschk,SeBatchLogonRight,,,,,,"BUILTIN\Performance Log Users;BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.29.1,"User Rights Assignment","Log on as a service",accesschk,SeServiceLogonRight,,,,,,"NT SERVICE\ALL SERVICES;NT AUTHORITY\NETWORK SERVICE",,=,Medium +2.2.29.2,"User Rights Assignment","Log on as a service (Hyper-V)",accesschk,SeServiceLogonRight,,,,,,"S-1-5-83-0;NT SERVICE\ALL SERVICES;NT AUTHORITY\NETWORK SERVICE",S-1-5-83-0,=,Medium +2.2.30,"User Rights Assignment","Manage auditing and security log",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.31,"User Rights Assignment","Modify an object label",accesschk,SeReLabelPrivilege,,,,,,,,=,Medium +2.2.32,"User Rights Assignment","Modify firmware environment values",accesschk,SeSystemEnvironmentPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.33,"User Rights Assignment","Perform volume maintenance tasks",accesschk,SeManageVolumePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.34,"User Rights Assignment","Profile single process",accesschk,SeProfileSingleProcessPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.35,"User Rights Assignment","Profile system performance",accesschk,SeSystemProfilePrivilege,,,,,,"NT SERVICE\WdiServiceHost;BUILTIN\Administrators","NT SERVICE\WdiServiceHost;BUILTIN\Administrators",=,Medium +2.2.36,"User Rights 
Assignment","Replace a process level token",accesschk,SeAssignPrimaryTokenPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.37,"User Rights Assignment","Restore files and directories",accesschk,SeRestorePrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.38,"User Rights Assignment","Shut down the system",accesschk,SeShutdownPrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators",BUILTIN\Users;BUILTIN\Administrators,=,Medium +2.2.39,"User Rights Assignment","Take ownership of files or other objects",accesschk,SeTakeOwnershipPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.3.1.1,"Security Options","Accounts: Administrator account status",localaccount,500,,,,,,False,False,=,Medium +2.3.1.2,"Security Options","Accounts: Block Microsoft accounts",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,NoConnectedUser,,,,0,3,=,Low +2.3.1.3,"Security Options","Accounts: Guest account status",localaccount,501,,,,,,False,False,=,Medium +2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium +2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low +2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low +2.3.4.1,"Security 
Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium +2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium +2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium +2.3.6.3,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium +2.3.6.4,"Security Options","Domain member: Disable machine account password changes",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange,,,,0,0,=,Medium +2.3.6.5,"Security Options","Domain member: Maximum machine account password age",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,,,,30,30,<=!0,Medium +2.3.6.6,"Security Options","Domain member: Require strong (Windows 2000 or later) session key",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,,,,1,1,=,Medium +2.3.7.1,"Security Options","Interactive logon: Do not require CTRL+ALT+DEL",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCAD,,,,1,0,=,Low +2.3.7.2,"Security Options","Interactive logon: Don't display last signed-in",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DontDisplayLastUserName,,,,0,1,=,Low +2.3.7.3,"Security Options","Interactive logon: Machine account 
lockout threshold",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,MaxDevicePasswordFailedAttempts,,,,10,10,<=!0,Medium +2.3.7.4,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,<=!0,Medium +2.3.7.5,"Security Options","Interactive logon: Message text for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeText,,,,,,!=,Low +2.3.7.6,"Security Options","Interactive logon: Message title for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeCaption,,,,,,!=,Low +2.3.7.7,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,CachedLogonsCount,,,,10,4,<=,Medium +2.3.7.8.1,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low +2.3.7.8.2,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low +2.3.7.9,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Low +2.3.8.1,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.8.2,"Security Options","Microsoft network client: Digitally sign communications (if server 
agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnableSecuritySignature,,,,1,1,=,Medium +2.3.8.3,"Security Options","Microsoft network client: Send unencrypted password to third-party SMB servers",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnablePlainTextPassword,,,,0,0,=,Medium +2.3.9.1,"Security Options","Microsoft network server: Amount of idle time required before suspending session",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,AutoDisconnect,,,,15,15,<=,Medium +2.3.9.2,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.9.3,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium +2.3.9.4,"Security Options","Microsoft network server: Disconnect clients when logon hours expire",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,enableforcedlogoff,,,,1,1,=,Medium +2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,,1,>=,Medium +2.3.10.1,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,Medium +2.3.10.2,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,Medium +2.3.10.3,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,Medium +2.3.10.4,"Security Options","Network 
access: Do not allow storage of passwords and credentials for network authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium +2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium +2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,NullSessionPipes,,,,,,=,Medium +2.3.10.7,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print 
Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.9,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium +2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium +2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium +2.3.10.12,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium +2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium +2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium +2.3.11.4,"Security Options","Network security: Configure encryption types allowed for 
Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +2.3.11.5,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High +2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low +2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium +2.3.11.8,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium +2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium +2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium +2.3.14.1,"Security Options","System cryptography: Force strong key protection for user keys stored on the computer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography,ForceKeyProtection,,,,,1,>=,Medium +2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium +2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. 
Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium +2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium +2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,0,2,=,Medium +2.3.17.3,"Security Options","User Account Control: Behavior of the elevation prompt for standard users",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorUser,,,,0,0,=,Medium +2.3.17.4,"Security Options","User Account Control: Detect application installations and prompt for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableInstallerDetection,,,,1,1,=,Medium +2.3.17.5,"Security Options","User Account Control: Only elevate UIAccess applications that are installed in secure locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableSecureUIAPaths,,,,1,1,=,Medium +2.3.17.6,"Security Options","User Account Control: Run all administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,,,,1,1,=,Medium +2.3.17.7,"Security Options","User Account Control: Switch to the secure desktop when prompting for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,,,,1,1,=,Medium +2.3.17.8,"Security Options","User Account Control: Virtualize file and registry write failures to per-user locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableVirtualization,,,,1,1,=,Medium +5.1.1,"System Services","Bluetooth Audio Gateway Service 
(BTAGService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\BTAGService,Start,,,,3,4,=,Medium +5.1.2,"System Services","Bluetooth Audio Gateway Service (BTAGService) (Service Startup type)",service,BTAGService,,,,,,Manual,Disabled,=,Medium +5.2.1,"System Services","Bluetooth Support Service (bthserv)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\bthserv,Start,,,,3,4,=,Medium +5.2.2,"System Services","Bluetooth Support Service (bthserv) (Service Startup type)",service,bthserv,,,,,,Manual,Disabled,=,Medium +5.3.1,"System Services","Computer Browser (Browser)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Browser,Start,,,,,4,=,Medium +5.3.2,"System Services","Computer Browser (Browser) (Service Startup type)",service,Browser,,,,,,Manual,Disabled,=,Medium +5.4.1,"System Services","Downloaded Maps Manager (MapsBroker)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MapsBroker,Start,,,,2,4,=,Medium +5.4.2,"System Services","Downloaded Maps Manager (MapsBroker) (Service Startup type)",service,MapsBroker,,,,,,Automatic,Disabled,=,Medium +5.5.1,"System Services","Geolocation Service (lfsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\lfsvc,Start,,,,3,4,=,Medium +5.5.2,"System Services","Geolocation Service (lfsvc) (Service Startup type)",service,lfsvc,,,,,,Manual,Disabled,=,Medium +5.6.1,"System Services","IIS Admin Service (IISADMIN)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\IISADMIN,Start,,,,,4,=,Medium +5.6.2,"System Services","IIS Admin Service (IISADMIN) (Service Startup type)",service,IISADMIN,,,,,,"",Disabled,=,Medium +5.7.1,"System Services","Infrared monitor service (irmon)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\irmon,Start,,,,,4,=,Medium +5.7.2,"System Services","Infrared monitor service (irmon) (Service Startup type)",service,irmon,,,,,,,Disabled,=,Medium +5.8.1,"System Services","Internet Connection Sharing (ICS) (SharedAccess)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess,Start,,,,3,4,=,Medium 
+5.8.2,"System Services","Internet Connection Sharing (ICS) (SharedAccess) (Service Startup type)",service,SharedAccess,,,,,,Manual,Disabled,=,Medium +5.9.1,"System Services","Link-Layer Topology Discovery Mapper (lltdsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\lltdsvc,Start,,,,3,4,=,Medium +5.9.2,"System Services","Link-Layer Topology Discovery Mapper (lltdsvc) (Service Startup type)",service,lltdsvc,,,,,,Manual,Disabled,=,Medium +5.10.1,"System Services","LxssManager (LxssManager)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LxssManager,Start,,,,"",4,=,Medium +5.10.2,"System Services","LxssManager (LxssManager) (Service Startup type)",service,LxssManager,,,,,,,Disabled,=,Medium +5.11.1,"System Services","Microsoft FTP Service (FTPSVC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\FTPSVC,Start,,,,,4,=,Medium +5.11.2,"System Services","Microsoft FTP Service (FTPSVC) (Service Startup type)",service,FTPSVC,,,,,,"",Disabled,=,Medium +5.12.1,"System Services","Microsoft iSCSI Initiator Service (MSiSCSI)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MSiSCSI,Start,,,,3,4,=,Medium +5.12.2,"System Services","Microsoft iSCSI Initiator Service (MsiSCSI) (Service Startup type)",service,MsiSCSI,,,,,,Manual,Disabled,=,Medium +5.13.1,"System Services","Microsoft Store Install Service (InstallService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\InstallService,Start,,,,3,4,=,Medium +5.13.2,"System Services","Microsoft Store Install Service (InstallService) (Service Startup type)",service,InstallService,,,,,,Manual,Disabled,=,Medium +5.14.1,"System Services","OpenSSH SSH Server (sshd)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\sshd,Start,,,,,4,=,Medium +5.14.2,"System Services","OpenSSH SSH Server (sshd) (Service Startup type)",service,sshd,,,,,,,Disabled,=,Medium +5.15.1,"System Services","Peer Name Resolution Protocol (PNRPsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PNRPsvc,Start,,,,3,4,=,Medium +5.15.2,"System 
Services","Peer Name Resolution Protocol (PNRPsvc) (Service Startup type)",service,PNRPsvc,,,,,,Manual,Disabled,=,Medium +5.16.1,"System Services","Peer Networking Grouping (p2psvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\p2psvc,Start,,,,3,4,=,Medium +5.16.2,"System Services","Peer Networking Grouping (p2psvc) (Service Startup type)",service,p2psvc,,,,,,Manual,Disabled,=,Medium +5.17.1,"System Services","Peer Networking Identity Manager (p2pimsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\p2pimsvc,Start,,,,3,4,=,Medium +5.17.2,"System Services","Peer Networking Identity Manager (p2pimsvc) (Service Startup type)",service,p2pimsvc,,,,,,Manual,Disabled,=,Medium +5.18.1,"System Services","PNRP Machine Name Publication Service (PNRPAutoReg)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PNRPAutoReg,Start,,,,3,4,=,Medium +5.18.2,"System Services","PNRP Machine Name Publication Service (PNRPAutoReg) (Service Startup type)",service,PNRPAutoReg,,,,,,Manual,Disabled,=,Medium +5.19.1,"System Services","Problem Reports and Solutions Control Panel Support (wercplsupport)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\wercplsupport,Start,,,,3,4,=,Medium +5.19.2,"System Services","Problem Reports and Solutions Control Panel Support (wercplsupport) (Service Startup type)",service,wercplsupport,,,,,,Manual,Disabled,=,Medium +5.20.1,"System Services","Remote Access Auto Connection Manager (RasAuto)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasAuto,Start,,,,3,4,=,Medium +5.20.2,"System Services","Remote Access Auto Connection Manager (RasAuto) (Service Startup type)",service,RasAuto,,,,,,Manual,Disabled,=,Medium +5.21.1,"System Services","Remote Desktop Configuration (SessionEnv)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SessionEnv,Start,,,,3,4,=,Medium +5.21.2,"System Services","Remote Desktop Configuration (SessionEnv) (Service Startup type)",service,SessionEnv,,,,,,Manual,Disabled,=,Medium +5.22.1,"System Services","Remote Desktop 
Services (TermService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TermService,Start,,,,3,4,=,Medium +5.22.1,"System Services","Remote Desktop Services (TermService) (Service Startup type)",service,TermService,,,,,,Manual,Disabled,=,Medium +5.23.1,"System Services","Remote Desktop Services UserMode Port Redirector (UmRdpService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\UmRdpService,Start,,,,3,4,=,Medium +5.23.2,"System Services","Remote Desktop Services UserMode Port Redirector (UmRdpService) (Service Startup type)",service,UmRdpService,,,,,,Manual,Disabled,=,Medium +5.24.1,"System Services","Remote Procedure Call (RPC) Locator (RpcLocator)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RpcLocator,Start,,,,3,4,=,Medium +5.24.2,"System Services","Remote Procedure Call (RPC) Locator (RpcLocator) (Service Startup type)",service,RpcLocator,,,,,,Manual,Disabled,=,Medium +5.25.1,"System Services","Remote Registry (RemoteRegistry)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry,Start,,,,4,4,=,Medium +5.25.2,"System Services","Remote Registry (RemoteRegistry) (Service Startup type)",service,RemoteRegistry,,,,,,Disabled,Disabled,=,Medium +5.26.1,"System Services","Routing and Remote Access (RemoteAccess)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess,Start,,,,4,4,=,Medium +5.26.2,"System Services","Routing and Remote Access (RemoteAccess) (Service Startup type)",service,RemoteAccess,,,,,,Disabled,Disabled,=,Medium +5.27.1,"System Services","Server (LanmanServer)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer,Start,,,,2,4,=,Medium +5.27.2,"System Services","Server (LanmanServer) (Service Startup type)",service,LanmanServer,,,,,,Automatic,Disabled,=,Medium +5.28.1,"System Services","Simple TCP/IP Services (simptcp)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\simptcp,Start,,,,,4,=,Medium +5.28.2,"System Services","Simple TCP/IP Services (simptcp) (Service Startup 
type)",service,simptcp,,,,,,"",Disabled,=,Medium +5.29.1,"System Services","SNMP Service (SNMP)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SNMP,Start,,,,,4,=,Medium +5.29.2,"System Services","SNMP Service (SNMP) (Service Startup type)",service,SNMP,,,,,,"",Disabled,=,Medium +5.30.1,"System Services","SSDP Discovery (SSDPSRV)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SSDPSRV,Start,,,,3,4,=,Medium +5.30.2,"System Services","SSDP Discovery (SSDPSRV) (Service Startup type)",service,SSDPSRV,,,,,,Manual,Disabled,=,Medium +5.31.1,"System Services","UPnP Device Host (upnphost)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\upnphost,Start,,,,3,4,=,Medium +5.31.2,"System Services","UPnP Device Host (upnphost) (Service Startup type)",service,upnphost,,,,,,Manual,Disabled,=,Medium +5.32.1,"System Services","Web Management Service (WMSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WMSvc,Start,,,,,4,=,Medium +5.32.2,"System Services","Web Management Service (WMSvc) (Service Startup type)",service,WMSvc,,,,,,"",Disabled,=,Medium +5.33.1,"System Services","Windows Error Reporting Service (WerSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WerSvc,Start,,,,3,4,=,Medium +5.33.2,"System Services","Windows Error Reporting Service (WerSvc) (Service Startup type)",service,WerSvc,,,,,,Manual,Disabled,=,Medium +5.34.1,"System Services","Windows Event Collector (Wecsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Wecsvc,Start,,,,3,4,=,Medium +5.34.2,"System Services","Windows Event Collector (Wecsvc) (Service Startup type)",service,Wecsvc,,,,,,Manual,Disabled,=,Medium +5.35.1,"System Services","Windows Media Player Network Sharing Service (WMPNetworkSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc,Start,,,,3,4,=,Medium +5.35.2,"System Services","Windows Media Player Network Sharing Service (WMPNetworkSvc) (Service Startup type)",service,WMPNetworkSvc,,,,,,Manual,Disabled,=,Medium +5.36.1,"System Services","Windows Mobile 
Hotspot Service (icssvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\icssvc,Start,,,,3,4,=,Medium
+5.36.2,"System Services","Windows Mobile Hotspot Service (icssvc) (Service Startup type)",service,icssvc,,,,,,Manual,Disabled,=,Medium
+5.37.1,"System Services","Windows Push Notifications System Service (WpnService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WpnService,Start,,,,2,4,=,Medium
+5.37.2,"System Services","Windows Push Notifications System Service (WpnService) (Service Startup type)",service,WpnService,,,,,,Automatic,Disabled,=,Medium
+5.38.1,"System Services","Windows PushToInstall Service (PushToInstall)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PushToInstall,Start,,,,3,4,=,Medium
+5.38.2,"System Services","Windows PushToInstall Service (PushToInstall) (Service Startup type)",service,PushToInstall,,,,,,Manual,Disabled,=,Medium
+5.39.1,"System Services","Windows Remote Management (WS-Management) (WinRM)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WinRM,Start,,,,3,4,=,Medium
+5.39.2,"System Services","Windows Remote Management (WS-Management) (WinRM) (Service Startup type)",service,WinRM,,,,,,Manual,Disabled,=,Medium
+5.40.1,"System Services","World Wide Web Publishing Service (W3SVC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC,Start,,,,,4,=,Medium
+5.40.1,"System Services","World Wide Web Publishing Service (W3SVC) (Service Startup type)",service,W3SVC,,,,,,,Disabled,=,Medium
+5.41.1,"System Services","Xbox Accessory Management Service (XboxGipSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxGipSvc,Start,,,,3,4,=,Medium
+5.41.2,"System Services","Xbox Accessory Management Service (XboxGipSvc) (Service Startup type)",service,XboxGipSvc,,,,,,Manual,Disabled,=,Medium
+5.42.1,"System Services","Xbox Live Auth Manager (XblAuthManager)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XblAuthManager,Start,,,,3,4,=,Medium
+5.42.2,"System Services","Xbox Live Auth Manager (XblAuthManager) (Service Startup 
type)",service,XblAuthManager,,,,,,Manual,Disabled,=,Medium
+5.43.1,"System Services","Xbox Live Game Save (XblGameSave)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XblGameSave,Start,,,,3,4,=,Medium
+5.43.2,"System Services","Xbox Live Game Save (XblGameSave) (Service Startup type)",service,XblGameSave,,,,,,Manual,Disabled,=,Medium
+5.44.1,"System Services","Xbox Live Networking Service (XboxNetApiSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc,Start,,,,3,4,=,Medium
+5.44.2,"System Services","Xbox Live Networking Service (XboxNetApiSvc) (Service Startup type)",service,XboxNetApiSvc,,,,,,Manual,Disabled,=,Medium
+9.1.1,"Windows Firewall","EnableFirewall (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,,,,0,1,=,Medium
+9.1.2,"Windows Firewall","Inbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,,,,1,1,=,Medium
+9.1.3,"Windows Firewall","Outbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,,,,0,0,=,Medium
+9.1.4,"Windows Firewall","Display a notification (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DisableNotifications,,,,0,1,=,Low
+9.1.5,"Windows Firewall","Name of log file (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\domainfw.log,=,Low
+9.1.6,"Windows Firewall","Log size limit (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium
+9.1.7,"Windows Firewall","Log dropped packets (Domain Profile, 
Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium
+9.1.8,"Windows Firewall","Log successful connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+9.2.1,"Windows Firewall","EnableFirewall (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,,,,0,1,=,Medium
+9.2.2,"Windows Firewall","Inbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultInboundAction,,,,1,1,=,Medium
+9.2.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium
+9.2.4,"Windows Firewall","Display a notification (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DisableNotifications,,,,0,1,=,Low
+9.2.5,"Windows Firewall","Name of log file (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\privatefw.log,=,Low
+9.2.6,"Windows Firewall","Log size limit (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium
+9.2.7,"Windows Firewall","Log dropped packets (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium
+9.2.8,"Windows Firewall","Log successful connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+9.3.1,"Windows Firewall","EnableFirewall (Public Profile, 
Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,,,,0,1,=,Medium
+9.3.2,"Windows Firewall","Inbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium
+9.3.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium
+9.3.4,"Windows Firewall","Display a notification (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,,,,0,1,=,Low
+9.3.5,"Windows Firewall","Apply local firewall rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalPolicyMerge,,,,0,0,=,Low
+9.3.6,"Windows Firewall","Apply local connection security rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalIPsecPolicyMerge,,,,0,0,=,Low
+9.3.7,"Windows Firewall","Name of log file (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\publicfw.log,=,Low
+9.3.8,"Windows Firewall","Log size limit (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium
+9.3.9,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium
+9.3.10,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+17.1.1,"Advanced Audit Policy Configuration","Credential 
Validation",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.2.1,"Advanced Audit Policy Configuration","Application Group Management",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.2.2,"Advanced Audit Policy Configuration","Security Group Management",auditpol,,,,,,,Success,Success,contains,Low
+17.2.3,"Advanced Audit Policy Configuration","User Account Management",auditpol,,,,,,,Success,"Success and Failure",=,Low
+17.3.1,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.3.2,"Advanced Audit Policy Configuration","Process Creation",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.5.1,"Advanced Audit Policy Configuration","Account Lockout",auditpol,,,,,,,Success,Failure,contains,Low
+17.5.2,"Advanced Audit Policy Configuration","Group Membership",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.5.3,"Advanced Audit Policy Configuration",Logoff,auditpol,,,,,,,Success,Success,contains,Low
+17.5.4,"Advanced Audit Policy Configuration",Logon,auditpol,,,,,,,"Success and Failure","Success and Failure",=,Low
+17.5.5,"Advanced Audit Policy Configuration","Other Logon/Logoff Events",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.5.6,"Advanced Audit Policy Configuration","Special Logon",auditpol,,,,,,,Success,Success,contains,Low
+17.6.1,"Advanced Audit Policy Configuration","Detailed File Share",auditpol,,,,,,,"No Auditing",Failure,contains,Low
+17.6.2,"Advanced Audit Policy Configuration","File Share",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.6.3,"Advanced Audit Policy Configuration","Other Object Access Events",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.6.4,"Advanced Audit Policy Configuration","Removable Storage",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.7.1,"Advanced Audit Policy Configuration","Audit Policy Change",auditpol,,,,,,,Success,Success,contains,Low
+17.7.2,"Advanced Audit Policy 
Configuration","Authentication Policy Change",auditpol,,,,,,,Success,Success,contains,Low
+17.7.3,"Advanced Audit Policy Configuration","Authorization Policy Change",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.7.4,"Advanced Audit Policy Configuration","MPSSVC Rule-Level Policy Change",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.7.5,"Advanced Audit Policy Configuration","Other Policy Change Events",auditpol,,,,,,,"No Auditing",Failure,contains,Low
+17.8.1,"Advanced Audit Policy Configuration","Sensitive Privilege Use",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.9.1,"Advanced Audit Policy Configuration","IPsec Driver",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.9.2,"Advanced Audit Policy Configuration","Other System Events",auditpol,,,,,,,"Success and Failure","Success and Failure",=,Low
+17.9.3,"Advanced Audit Policy Configuration","Security State Change",auditpol,,,,,,,Success,Success,contains,Low
+17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.9.5,"Advanced Audit Policy Configuration","System Integrity",auditpol,,,,,,,"Success and Failure","Success and Failure",=,Low
+18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low
+18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low
+18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium
+18.1.3,"Administrative Templates: Control Panel","Allow Online 
Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium
+18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,HKLM:\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA},DllName,,,,,"C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll",=,Medium
+18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium
+18.2.3,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium
+18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium
+18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium
+18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium
+18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium
+18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
+18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
+18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session 
Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium
+18.3.5,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium
+18.3.6,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,,0,=,High
+18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium
+18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
+18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
+18.4.4,"MSS (Legacy)","MSS: (DisableSavePassword) Prevent the dial-up password from being saved",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters,DisableSavePassword,,,,,1,=,Medium
+18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium
+18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium
+18.4.7,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
+18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses 
(could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium
+18.4.9,"MSS (Legacy)","Enable Safe DLL search mode",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium
+18.4.10,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium
+18.4.11,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium
+18.4.12,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium
+18.4.13,"MSS (Legacy)","MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security,WarningLevel,,,,0,90,<=,Medium
+18.5.4.1,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium
+18.5.5.1,"Administrative Templates: Network","Fonts: Enable Font Providers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableFontProviders,,,,1,0,=,Medium
+18.5.8.1,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
+18.5.9.1.1,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver 
(AllowLLTDIOOndomain)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOndomain,,,,0,0,=,Medium
+18.5.9.1.2,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOnPublicNet,,,,0,0,=,Medium
+18.5.9.1.3,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (EnableLLTDIO)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableLLTDIO,,,,0,0,=,Medium
+18.5.9.1.4,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (ProhibitLLTDIOOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitLLTDIOOnPrivateNet,,,,0,0,=,Medium
+18.5.9.2.1,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnDomain)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD,AllowRspndrOnDomain,,,,0,0,=,Medium
+18.5.9.2.2,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowRspndrOnPublicNet,,,,0,0,=,Medium
+18.5.9.2.3,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (EnableRspndr)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableRspndr,,,,0,0,=,Medium
+18.5.9.2.4,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (ProhibitRspndrOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitRspndrOnPrivateNet,,,,0,0,=,Medium
+18.5.10.2,"Administrative Templates: Network","Turn off Microsoft Peer-to-Peer Networking Services",Registry,,HKLM:\Software\policies\Microsoft\Peernet,Disabled,,,,0,1,=,Medium
+18.5.11.2,"Administrative Templates: Network","Network Connections: Prohibit installation and configuration of Network Bridge on your DNS domain 
network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_AllowNetBridge_NLA,,,,0,0,=,Medium
+18.5.11.3,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium
+18.5.11.4,"Administrative Templates: Network","Network Connections: Require domain users to elevate when setting a network's location",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_StdDomainUserSetLocation,,,,0,1,=,Medium
+18.5.14.1.1,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+18.5.14.1.2,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+18.5.19.2.1,"Administrative Templates: Network","Disable IPv6",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters,DisabledComponents,,,,0,255,=,Medium
+18.5.20.1.1,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (EnableRegistrars)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,EnableRegistrars,,,,1,0,=,Medium
+18.5.20.1.2,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableUPnPRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableUPnPRegistrar,,,,1,0,=,Medium
+18.5.20.1.3,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now 
(DisableInBand802DOT11Registrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableInBand802DOT11Registrar,,,,1,0,=,Medium
+18.5.20.1.4,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableFlashConfigRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableFlashConfigRegistrar,,,,1,0,=,Medium
+18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium
+18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium
+18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium
+18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
+18.5.23.2.1,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
+18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium 
+18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium
+18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,"“AllowEncryptionOracle",,,,0,0,=,Medium
+18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
+18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium
+18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
+18.8.5.4,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,1,=,Medium
+18.8.5.5,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium
+18.8.5.6,"Administrative Templates: System","Device Guard: Secure Launch Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,,,,0,1,=,Medium 
+18.8.7.1.1,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices that match an ID",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDs,,,,0,1,=,Medium
+18.8.7.1.2,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs,PCI\CC_0C0A,,,,0,PCI\CC_0C0A,=,Medium
+18.8.7.1.3,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDsRetroactive,,,,0,1,=,Medium
+18.8.7.1.4,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClasses,,,,0,1,=,Medium
+18.8.7.1.5.1,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
+18.8.7.1.5.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 7ebefbc0-3200-11d2-b4c2-00a0C9697d07 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,,,,0,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,=,Medium
+18.8.7.1.5.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent 
installation of devices using drivers that match c06ff265-ae09-48f0-812c-16753d7cba83 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,c06ff265-ae09-48f0-812c-16753d7cba83,,,,0,c06ff265-ae09-48f0-812c-16753d7cba83,=,Medium
+18.8.7.1.5.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 6bdd1fc1-810f-11d0-bec7-08002be2092f (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,6bdd1fc1-810f-11d0-bec7-08002be2092f,,,,0,6bdd1fc1-810f-11d0-bec7-08002be2092f,=,Medium
+18.8.7.1.6,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClassesRetroactive,,,,0,1,=,Medium
+18.8.14.1,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium
+18.8.21.2,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Medium
+18.8.21.3,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Medium
+18.8.21.4,"Administrative Templates: System","Group Policy: Continue experiences on this device",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableCdp,,,,1,0,=,Medium
+18.8.21.5,"Administrative Templates: System","Group Policy: Turn off background refresh of Group 
Policy",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableBkGndGroupPolicy,,,,0,0,=,Medium
+18.8.22.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off access to the Store",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoUseStoreOpenWith,,,,0,1,=,Medium
+18.8.22.1.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off downloading of print drivers over HTTP",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",DisableWebPnPDownload,,,,0,1,=,Medium
+18.8.22.1.3,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting personalization data sharing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC,PreventHandwritingDataSharing,,,,0,1,=,Medium
+18.8.22.1.4,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting recognition error reporting",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports,PreventHandwritingErrorReports,,,,0,1,=,Medium
+18.8.22.1.5,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard",ExitOnMSICW,,,,0,1,=,Medium
+18.8.22.1.6,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoWebServices,,,,0,1,=,Medium
+18.8.22.1.7,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off printing over 
HTTP",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers",DisableHTTPPrinting,,,,0,1,=,Medium
+18.8.22.1.8,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Registration if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control",NoRegistration,,,,0,1,=,Medium
+18.8.22.1.9,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Search Companion content file updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\SearchCompanion,DisableContentFileUpdates,,,,0,1,=,Medium
+18.8.22.1.10,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Order Prints' picture task",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoOnlinePrintsWizard,,,,0,1,=,Medium
+18.8.22.1.11,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Publish to Web' task for files and folders",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoPublishingWizard,,,,0,1,=,Medium
+18.8.22.1.12,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\Messenger\Client,CEIP,,,,0,2,=,Medium
+18.8.22.1.13,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\SQMClient\Windows,CEIPEnable,,,,1,0,=,Medium
+18.8.22.1.14.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 
1",Registry,,HKLM:\Software\Policies\Microsoft\PCHealth\ErrorReporting,DoReport,,,,1,0,=,Medium
+18.8.22.1.14.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 2",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting",Disabled,,,,0,1,=,Medium
+18.8.25.1.1,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitBehavior)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitBehavior,,,,1,0,=,Medium
+18.8.25.1.2,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitEnabled)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitEnabled,,,,1,1,=,Medium
+18.8.26.1,"Administrative Templates: System","Kernel DMA Protection: Enumeration policy for external devices incompatible with Kernel DMA Protection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection",DeviceEnumerationPolicy,,,,2,0,=,Medium
+18.8.27.1,"Administrative Templates: System","Locale Services: Disallow copying of user input methods to the system account for sign-in",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International",BlockUserInputMethodsForSignIn,,,,0,1,=,Medium
+18.8.28.1,"Administrative Templates: System","Logon: Block user from showing account details on sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockUserFromShowingAccountDetailsOnSignin,,,,0,1,=,Medium
+18.8.28.2,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Medium
+18.8.28.3,"Administrative Templates: System","Logon: Do not enumerate connected users on domain-joined 
computers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,DontEnumerateConnectedUsers,,,,0,1,=,Medium
+18.8.28.4,"Administrative Templates: System","Logon: Enumerate local users on domain-joined computers",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,EnumerateLocalUsers,,,,0,0,=,Medium
+18.8.28.5,"Administrative Templates: System","Logon: Turn off app notifications on the lock screen",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DisableLockScreenAppNotifications,,,,0,1,=,Medium
+18.8.28.6,"Administrative Templates: System","Logon: Turn off picture password sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockDomainPicturePassword,,,,0,1,=,Medium
+18.8.28.7,"Administrative Templates: System","Logon: Turn on convenience PIN sign-in",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,AllowDomainPINLogon,,,,1,0,=,Medium
+18.8.31.1,"Administrative Templates: System","OS Policies: Allow Clipboard synchronization across devices",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,AllowCrossDeviceClipboard,,,,1,0,=,Medium
+18.8.31.2,"Administrative Templates: System","OS Policies: Allow upload of User Activities",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,UploadUserActivities,,,,1,0,=,Medium
+18.8.34.6.1,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (on battery)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,DCSettingIndex,,,,1,0,=,Medium
+18.8.34.6.2,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (plugged in)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,ACSettingIndex,,,,1,0,=,Medium
+18.8.34.6.3,"Administrative Templates: System","Sleep Settings: Allow standby states (S1-S3) when sleeping (on 
battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,,,,1,0,=,Medium
+18.8.34.6.4,"Administrative Templates: System","Sleep Settings: Allow standby states (S1-S3) when sleeping (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,ACSettingIndex,,,,1,0,=,Medium
+18.8.34.6.5,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,DCSettingIndex,,,,0,1,=,Medium
+18.8.34.6.6,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex,,,,0,1,=,Medium
+18.8.36.1,"Administrative Templates: System","Remote Assistance: Configure Offer Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowUnsolicited,,,,1,0,=,Medium
+18.8.36.2,"Administrative Templates: System","Remote Assistance: Configure Solicited Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowToGetHelp,,,,1,0,=,Medium
+18.8.37.1,"Administrative Templates: System","Remote Procedure Call: Enable RPC Endpoint Mapper Client Authentication",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",EnableAuthEpResolution,,,,0,1,=,Medium
+18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium
+18.8.47.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support 
provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium
+18.8.47.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium
+18.8.49.1,"Administrative Templates: System","User Profiles: Turn of the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium
+18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium
+18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium
+18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium
+18.9.5.1,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium
+18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium
+18.9.6.2,"Administrative Templates: Windows Components","App runtime: Block launching Universal Windows apps with Windows Runtime API access from hosted content",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,BlockHostedAppAccessWinRT,,,,0,1,=,Medium
+18.9.8.1,"Administrative 
Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium
+18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium
+18.9.8.3,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium
+18.9.10.1.1,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium
+18.9.11.1.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Allow access to BitLocker-protected fixed data drives from earlier versions of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVDiscoveryVolumeType,,,,,,=,Medium
+18.9.11.1.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecovery,,,,0,1,=,Medium
+18.9.11.1.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVManageDRA,,,,1,1,=,Medium
+18.9.11.1.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Recovery Password",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecoveryPassword,,,,,2,=,Medium
+18.9.11.1.5,"Administrative Templates: Windows Components","BitLocker Drive 
Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Recovery Key",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecoveryKey,,,,,2,=,Medium
+18.9.11.1.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVHideRecoveryPage,,,,,1,=,Medium
+18.9.11.1.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVActiveDirectoryBackup,,,,,0,=,Medium
+18.9.11.1.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVActiveDirectoryInfoToStore,,,,,1,=,Medium
+18.9.11.1.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRequireActiveDirectoryBackup,,,,,0,=,Medium
+18.9.11.1.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of hardware-based encryption for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVHardwareEncryption,,,,,1,=,Medium
+18.9.11.1.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of hardware-based encryption for fixed data drives: Use BitLocker software-based encryption when hardware 
encryption is not available",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVAllowSoftwareEncryptionFailover,,,,1,1,=,Medium
+18.9.11.1.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of hardware-based encryption for fixed data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRestrictHardwareEncryptionAlgorithms,,,,0,0,=,Medium
+18.9.11.1.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of hardware-based encryption for fixed data drives: Restrict crypto algorithms or cipher suites",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVAllowedHardwareEncryptionAlgorithms,,,,,2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42,=,Medium
+18.9.11.1.14,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of passwords for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVPassphrase,,,,0,0,=,Medium
+18.9.11.1.15,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of smart cards on fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVAllowUserCert,,,,,1,=,Medium
+18.9.11.1.16,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVEnforceUserCert,,,,0,1,=,Medium
+18.9.11.2.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Allow enhanced PINs for startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseEnhancedPin,,,,0,1,=,Medium
+18.9.11.2.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Allow Secure Boot for 
integrity validation",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowSecureBootForIntegrity,,,,0,1,=,Medium
+18.9.11.2.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecovery,,,,0,1,=,Medium
+18.9.11.2.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSManageDRA,,,,1,0,=,Medium
+18.9.11.2.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Recovery Password",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecoveryPassword,,,,,1,=,Medium
+18.9.11.2.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Recovery Key",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecoveryKey,,,,1,0,=,Medium
+18.9.11.2.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSHideRecoveryPage,,,,0,1,=,Medium
+18.9.11.2.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSActiveDirectoryBackup,,,,0,1,=,Medium
+18.9.11.2.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: 
Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSActiveDirectoryInfoToStore,,,,0,1,=,Medium
+18.9.11.2.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRequireActiveDirectoryBackup,,,,0,1,=,Medium
+18.9.11.2.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of hardware-based encryption for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSHardwareEncryption,,,,0,1,=,Medium
+18.9.11.2.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Use BitLocker software-based encryption when hardware encryption is not available",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowSoftwareEncryptionFailover,,,,0,1,=,Medium
+18.9.11.2.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of hardware-based encryption for operating system drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRestrictHardwareEncryptionAlgorithms,,,,0,0,=,Medium
+18.9.11.2.14,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of hardware-based encryption for operating system drives: Restrict crypto algorithms or cipher suites",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowedHardwareEncryptionAlgorithms,,,,,2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42,=,Medium
+18.9.11.2.15,"Administrative Templates: 
Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of passwords for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSPassphrase,,,,,0,=,Medium
+18.9.11.2.16,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseAdvancedStartup,,,,0,1,=,Medium
+18.9.11.2.17,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Allow BitLocker without a compatible TPM",Registry,,HKLM:\Software\Policies\Microsoft\FVE,EnableBDEWithNoTPM,,,,1,0,=,Medium
+18.9.11.2.18,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseTPM,,,,0,0,=,Medium
+18.9.11.2.19,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup PIN",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseTPMPIN,,,,0,1,=,Medium
+18.9.11.2.20,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup key",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseTPMKey,,,,0,0,=,Medium
+18.9.11.2.21,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup key and PIN",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseTPMKeyPIN,,,,0,0,=,Medium
+18.9.11.3.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Allow access to BitLocker-protected removable data drives from earlier versions of 
Windows",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDiscoveryVolumeType,,,,,,=,Medium
+18.9.11.3.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecovery,,,,0,1,=,Medium
+18.9.11.3.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVManageDRA,,,,,1,=,Medium
+18.9.11.3.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Recovery Password",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecoveryPassword,,,,,0,=,Medium
+18.9.11.3.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Recovery Key",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecoveryKey,,,,,0,=,Medium
+18.9.11.3.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVHideRecoveryPage,,,,,1,=,Medium
+18.9.11.3.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVActiveDirectoryBackup,,,,,0,=,Medium
+18.9.11.3.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be 
recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVActiveDirectoryInfoToStore,,,,,1,=,Medium
+18.9.11.3.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRequireActiveDirectoryBackup,,,,,0,=,Medium
+18.9.11.3.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of hardware-based encryption for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVHardwareEncryption,,,,,1,=,Medium
+18.9.11.3.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of hardware-based encryption for removable data drives: Use BitLocker software-based encryption when hardware encryption is not available",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVAllowSoftwareEncryptionFailover,,,,,1,=,Medium
+18.9.11.3.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of hardware-based encryption for removable data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRestrictHardwareEncryptionAlgorithms,,,,,0,=,Medium
+18.9.11.3.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of hardware-based encryption for removable data drives: Restrict crypto algorithms or cipher suites",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVAllowedHardwareEncryptionAlgorithms,,,,,2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42,=,Medium
+18.9.11.3.14,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of passwords for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVPassphrase,,,,,0,=,Medium
+18.9.11.3.15,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of smart cards on removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVAllowUserCert,,,,,1,=,Medium
+18.9.11.3.16,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVEnforceUserCert,,,,,1,=,Medium
+18.9.11.3.17,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Deny write access to removable drives not protected by BitLocker",Registry,,HKLM:\System\CurrentControlSet\Policies\Microsoft\FVE,RDVDenyWriteAccess,,,,,1,=,Medium
+18.9.11.3.18,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Do not allow write access to devices configured in another organization",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDenyCrossOrg,,,,,0,=,Medium
+18.9.11.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Disable new DMA devices when this computer is locked",Registry,,HKLM:\Software\Policies\Microsoft\FVE,DisableExternalDMAUnderLock,,,,0,1,=,Medium
+18.9.12.1,"Administrative Templates: Windows Components","Camera: Allow Use of Camera",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Camera,AllowCamera,,,,1,0,=,Medium
+18.9.13.1,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium
+18.9.14.1,"Administrative 
Templates: Windows Components","Connect: Require pin for pairing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect,RequirePinForPairing,,,,0,1,>=,Medium
+18.9.15.1,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium
+18.9.15.2,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium
+18.9.15.3,"Administrative Templates: Windows Components","Credential User Interface: Prevent the use of security questions for local accounts",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,NoLocalPasswordResetQuestions,,,,0,1,=,Medium
+18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium
+18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium
+18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium
+18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium
+18.9.17.1,"Administrative Templates: Windows Components","Delivery Optimization: Download 
Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,3,2,=,Medium
+18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium
+18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium
+18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium
+18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium
+18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium
+18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium
+18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium
+18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size 
(KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium
+18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium
+18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium
+18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium
+18.9.35.1,"Administrative Templates: Windows Components","HomeGroup: Prevent the computer from joining a homegroup",Registry,,HKLM:\Software\Policies\Microsoft\Windows\HomeGroup,DisableHomeGroup,,,,0,1,=,Medium
+18.9.39.2,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium
+18.9.43.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium
+18.9.44.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium
+18.9.45.1,"Microsoft Edge","Allow Address bar drop-down list suggestions",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI,ShowOneBox,,,,1,0,=,Medium
+18.9.45.2,"Microsoft Edge","Allow Adobe Flash",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons,FlashPlayerEnabled,,,,1,0,=,Medium
+18.9.45.3,"Microsoft Edge","Allow InPrivate 
Browsing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main,AllowInPrivate,,,,1,0,=,Medium
+18.9.45.4,"Microsoft Edge","Allow Sideloading of extension",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Extensions,AllowSideloadingOfExtensions,,,,1,0,=,Medium
+18.9.45.5,"Microsoft Edge","Configure cookies",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main,Cookies,,,,2,1,=,Medium
+18.9.45.6,"Microsoft Edge","Configure Password Manager",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,"FormSuggest Passwords",,,,,no,=,Medium
+18.9.45.7,"Microsoft Edge","Configure Pop-up Blocker",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,AllowPopups,,,,,yes,=,Medium
+18.9.45.8,"Microsoft Edge","Configure search suggestions in Address bar",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\SearchScopes,ShowSearchSuggestionsGlobal,,,,,0,=,Medium
+18.9.45.9,"Microsoft Edge","Configure the Adobe Flash Click-to-Run setting",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Security,FlashClickToRunMode,,,,,1,=,Medium
+18.9.45.10,"Microsoft Edge","Prevent access to the about:flags page in Microsoft Edge",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,PreventAccessToAboutFlagsInMicrosoftEdge,,,,,1,=,Medium
+18.9.45.11,"Microsoft Edge","Prevent certificate error overrides",Registry,,"HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings",PreventCertErrorOverrides,,,,,1,=,Medium
+18.9.45.12,"Microsoft Edge","Prevent using Localhost IP address for WebRTC",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,HideLocalHostIP,,,,,1,=,Medium
+18.9.52.1,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium
+18.9.58.1,"Administrative Templates: Windows Components","Push To Install: Turn off Push To Install 
service",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall,DisablePushToInstall,,,,,1,=,Medium +18.9.59.2.2,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium +18.9.59.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Allow users to connect remotely by using Remote Desktop Services",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDenyTSConnections,,,,0,1,=,Medium +18.9.59.3.3.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow COM port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCcm,,,,0,1,=,Medium +18.9.59.3.3.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium +18.9.59.3.3.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow LPT port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLPT,,,,0,1,=,Medium +18.9.59.3.3.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow supported Plug and Play device redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisablePNPRedir,,,,0,1,=,Medium +18.9.59.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium +18.9.59.3.9.2,"Administrative Templates: Windows 
Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium +18.9.59.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium +18.9.59.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +18.9.59.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium +18.9.59.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,,900000,<=,Medium +18.9.59.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium +18.9.59.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium +18.9.59.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per 
session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,1,=,Medium +18.9.60.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +18.9.61.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium +18.9.61.3,"Administrative Templates: Windows Components","Search: Allow Cortana",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortana,,,,1,0,=,Medium +18.9.61.4,"Administrative Templates: Windows Components","Search: Allow Cortana above lock screen",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortanaAboveLock,,,,1,0,=,Medium +18.9.61.5,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium +18.9.61.6,"Administrative Templates: Windows Components","Search: Allow search and Cortana to use location",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowSearchToUseLocation,,,,1,0,=,Medium +18.9.66.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium +18.9.69.1,"Administrative Templates: Windows Components","Store: Disable all apps from Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableStoreApps,,,,,1,=,Medium +18.9.69.2,"Administrative Templates: Windows Components","Store: Only display the private store within the Microsoft 
Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RequirePrivateStoreOnly,,,,,1,=,Medium +18.9.69.3,"Administrative Templates: Windows Components","Store: Turn off Automatic Download and Install of updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,AutoDownload,,,,,4,=,Medium +18.9.69.4,"Administrative Templates: Windows Components","Store: Turn off the offer to update to the latest version of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableOSUpgrade,,,,,1,=,Medium +18.9.69.5,"Administrative Templates: Windows Components","Store: Turn off the Store application",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RemoveWindowsStore,,,,,1,=,Medium +18.9.77.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium +18.9.77.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=,Medium +18.9.77.7.1,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,,0,=,Medium +18.9.77.9.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium +18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium +18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium +18.9.77.13.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction 
rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium +18.9.77.13.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +18.9.77.13.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +18.9.77.13.1.2.2.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium +18.9.77.13.1.2.2.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium +18.9.77.13.1.2.3.1,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium +18.9.77.13.1.2.3.2,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium +18.9.77.13.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +18.9.77.13.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other 
processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +18.9.77.13.1.2.5.1,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium +18.9.77.13.1.2.5.2,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium +18.9.77.13.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +18.9.77.13.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +18.9.77.13.1.2.7.1,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium +18.9.77.13.1.2.7.2,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium +18.9.77.13.1.2.8.1,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium +18.9.77.13.1.2.8.2,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from 
USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium +18.9.77.13.1.2.9.1,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium +18.9.77.13.1.2.9.2,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium +18.9.77.13.1.2.10.1,"Microsoft Defender Exploit Guard","ASR: Impede JavaScript and VBScript to launch executables (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium +18.9.77.13.1.2.10.2,"Microsoft Defender Exploit Guard","ASR: Impede JavaScript and VBScript to launch executables",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium +18.9.77.13.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +18.9.77.13.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +18.9.77.13.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium +18.9.77.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium 
+18.9.77.15,"Microsoft Defender Antivirus","Turn off Windows Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +18.9.78.1,"Microsoft Defender Application Guard","Allow auditing events in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AuditApplicationGuard,,,,,1,=,Medium +18.9.78.2,"Microsoft Defender Application Guard","Allow camera and microphone access in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowCameraMicrophoneRedirection,,,,,0,=,Medium +18.9.78.3,"Microsoft Defender Application Guard","Allow data persistence for Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowPersistence,,,,,0,=,Medium +18.9.78.4,"Microsoft Defender Application Guard","Allow files to download and save to the host operating system from Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,SaveFilesToHost,,,,,0,=,Medium +18.9.78.4,"Microsoft Defender Application Guard","Allow users to trust files that open in Windows Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,FileTrustCriteria,,,,,1,!=,Medium +18.9.78.6,"Microsoft Defender Application Guard","Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AppHVSIClipboardSettings,,,,,1,=,Medium +18.9.78.7,"Microsoft Defender Application Guard","Turn on Microsoft Defender Application Guard in Managed Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowAppHVSI_ProviderSet,,,,,1,=,Medium +18.9.80.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium +18.9.80.1.1.2,"Administrative Templates: Windows Components","File Explorer: 
Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium +18.9.80.2.1,"Microsoft Edge","Configure Windows Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9,,,,,1,=,Medium +18.9.80.2.2,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for files",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverrideAppRepUnknown,,,,,1,=,Medium +18.9.80.2.3,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Medium +18.9.82.1,"Administrative Templates: Windows Components","Windows Game Recording and Broadcasting: Enables or disables Windows Game Recording and Broadcasting",Registry,,HKLM:\Software\Policies\Microsoft\Windows\GameDVR,AllowGameDVR,,,,1,0,=,Medium +18.9.84.1,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow suggested apps in Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowSuggestedAppsInWindowsInkWorkspace,,,,1,0,=,Medium +18.9.84.2,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,1,<=,Medium +18.9.85.1,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium +18.9.85.2,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium +18.9.85.3,"Administrative Templates: Windows Components","Windows Installer: Prevent Internet 
Explorer security prompt for Windows Installer scripts",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,SafeForScripting,,,,1,0,=,Medium +18.9.86.1,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium +18.9.95.1,PowerShell,"Turn on PowerShell Script Block Logging",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockLogging,,,,0,0,=,Medium +18.9.95.2,PowerShell,"Turn on PowerShell Transcription",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription,EnableTranscripting,,,,0,0,=,Medium +18.9.97.1.1,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,Medium +18.9.97.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium +18.9.97.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium +18.9.97.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium +18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium +18.9.97.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted 
traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium +18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium +18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium +18.9.99.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium +18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium +18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium +18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium +18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium +18.9.102.1.2.3,"Administrative Templates: 
Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium +18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium +18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium +18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium +18.9.102.4,"Administrative Templates: Windows Components","Windows Update: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium +18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_1903_user.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_1903_user.csv new file mode 100644 index 0000000..5e6e452 --- /dev/null 
+++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_1903_user.csv 
@@ -0,0 +1,16 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +19.1.3.1,"Administrative Templates: Control Panel","Enable screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveActive,,,,,1,=,Medium +19.1.3.3,"Administrative Templates: Control Panel","Password protect the screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaverIsSecure,,,,,1,=,Medium +19.1.3.4,"Administrative Templates: Control Panel","Screen saver timeout",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveTimeOut,,,,,900,<=!0,Medium +19.5.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off toast notifications on the lock screen",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoToastApplicationNotificationOnLockScreen,,,,0,1,=,Medium +19.6.6.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication Settings: Turn off Help Experience Improvement Program",Registry,,HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0,NoImplicitFeedback,,,,0,1,=,Medium +19.7.4.1,"Administrative Templates: Windows Components","Attachment Manager: Do not preserve zone information in file attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,SaveZoneInformation,,,,,0,=,Medium +19.7.4.2,"Administrative Templates: Windows Components","Attachment Manager: Notify antivirus programs when opening attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,ScanWithAntiVirus,,,,,1,=,Medium +19.7.7.1,"Administrative Templates: Windows Components","Cloud Content: Configure Windows spotlight on lock screen",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,ConfigureWindowsSpotlight,,,,,0,=,Medium +19.7.7.2,"Administrative 
Templates: Windows Components","Cloud Content: Do not suggest third-party content in Windows spotlight",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableThirdPartySuggestions,,,,0,1,=,Medium +19.7.7.3,"Administrative Templates: Windows Components","Cloud Content: Do not use diagnostic data for tailored experiences",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableTailoredExperiencesWithDiagnosticData,,,,0,1,=,Medium +19.7.7.4,"Administrative Templates: Windows Components","Cloud Content: Turn off all Windows spotlight features",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsSpotlightFeatures,,,,0,1,=,Medium +19.7.26.1,"Administrative Templates: Windows Components","Network Sharing: Prevent users from sharing files within their profile",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoInplaceSharing,,,,0,1,=,Medium +19.7.41.1,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKCU:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium +19.7.45.2.1,"Administrative Templates: Windows Components","Windows Media Player: Playback: Prevent Codec Download",Registry,,HKCU:\Software\Policies\Microsoft\WindowsMediaPlayer,PreventCodecDownload,,,,,1,=,Medium +19.1.3.2,"Administrative Templates: Control Panel","Force specific screen saver: Screen saver executable name",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",SCRNSAVE.EXE,,,,,scrnsave.scr,=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_1909_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_1909_machine.csv new file mode 100644 index 0000000..d596e13 --- /dev/null +++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_1909_machine.csv 
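Review bot: In finding_list_cis_microsoft_windows_10_enterprise_1903_user.csv, rows 19.7.4.1 and 19.7.4.2 appear to carry RecommendedValue numbers that do not match how the Attachment Manager policies are stored. As far as I know, SaveZoneInformation is 1 for "do not preserve" and 2 for "preserve", and ScanWithAntiVirus is 1 for off and 3 for always scan. On that reading `ScanWithAntiVirus,,,,,1,=,Medium` would pass a machine where antivirus notification is turned off, and `SaveZoneInformation,,,,,0,=,Medium` would fail a machine that correctly keeps the Mark of the Web. Please check both against the benchmark text; I would expect `SaveZoneInformation,,,,,2,=,Medium` and `ScanWithAntiVirus,,,,,3,=,Medium`. Row 19.1.3.2 is also appended after 19.7.45.2.1 rather than in ID order, which makes the list harder to diff against the benchmark.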
@@ -0,0 +1,586 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +1.1.1,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,>=,Low +1.1.2,"Account Policies","Maximum password age",accountpolicy,,,,,,,42,60,<=!0,Low +1.1.3,"Account Policies","Minimum password age",accountpolicy,,,,,,,0,1,>=,Low +1.1.4,"Account Policies","Minimum password length",accountpolicy,,,,,,,0,14,>=,Medium +1.1.5,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium +1.1.6,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High +1.2.1,"Account Policies","Account lockout duration",accountpolicy,,,,,,,30,15,>=,Low +1.2.2,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,10,<=!0,Low +1.2.3,"Account Policies","Reset account lockout counter",accountpolicy,,,,,,,30,15,>=,Low +2.2.1,"User Rights Assignment","Access Credential Manager as a trusted caller",accesschk,SeTrustedCredManAccessPrivilege,,,,,,,,=,Medium +2.2.2,"User Rights Assignment","Access this computer from the network",accesschk,SeNetworkLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;Everyone","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +2.2.3,"User Rights Assignment","Act as part of the operating system",accesschk,SeTcbPrivilege,,,,,,,,=,Medium +2.2.4,"User Rights Assignment","Adjust memory quotas for a process",accesschk,SeIncreaseQuotaPrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.5,"User Rights Assignment","Allow log on locally",accesschk,SeInteractiveLogonRight,,,,,,"BUILTIN\Backup 
Operators;BUILTIN\Users;BUILTIN\Administrators;COMPUTERNAME\Guest",BUILTIN\Users;BUILTIN\Administrators,=,Medium +2.2.6,"User Rights Assignment","Allow log on through Remote Desktop Services",accesschk,SeRemoteInteractiveLogonRight,,,,,,"BUILTIN\Remote Desktop Users;BUILTIN\Administrators","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +2.2.7,"User Rights Assignment","Back up files and directories",accesschk,SeBackupPrivilege,,,,,,"BUILTIN\Administrators;BUILTIN\Backup Operators",BUILTIN\Administrators,=,Medium +2.2.8,"User Rights Assignment","Change the system time",accesschk,SeSystemTimePrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.9,"User Rights Assignment","Change the time zone",accesschk,SeTimeZonePrivilege,,,,,,"BUILTIN\Device Owners;BUILTIN\Users;BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Users;BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.10,"User Rights Assignment","Create a pagefile",accesschk,SeCreatePagefilePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.11,"User Rights Assignment","Create a token object",accesschk,SeCreateTokenPrivilege,,,,,,,,=,Medium +2.2.12,"User Rights Assignment","Create global objects",accesschk,SeCreateGlobalPrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.13,"User Rights Assignment","Create permanent shared objects",accesschk,SeCreatePermanentPrivilege,,,,,,,,=,Medium +2.2.14.1,"User Rights Assignment","Create symbolic links",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.14.2,"User Rights Assignment","Create symbolic links 
(Hyper-V)",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,S-1-5-83-0;BUILTIN\Administrators,S-1-5-83-0;BUILTIN\Administrators,=,Medium +2.2.15,"User Rights Assignment","Debug programs",accesschk,SeDebugPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.16,"User Rights Assignment","Deny access to this computer from the network",accesschk,SeDenyNetworkLogonRight,,,,,,COMPUTERNAME\Guest,"Guest;NT AUTHORITY\Local account",=,Medium +2.2.17,"User Rights Assignment","Deny log on as a batch job",accesschk,SeDenyBatchLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.18,"User Rights Assignment","Deny log on as a service",accesschk,SeDenyServiceLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.19,"User Rights Assignment","Deny log on locally",accesschk,SeDenyInteractiveLogonRight,,,,,,BUILTIN\Guests,BUILTIN\Guests,=,Medium +2.2.20,"User Rights Assignment","Deny log on through Remote Desktop Services",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,"BUILTIN\Guests;NT AUTHORITY\Local account",=,Medium +2.2.21,"User Rights Assignment","Enable computer and user accounts to be trusted for delegation",accesschk,SeEnableDelegationPrivilege,,,,,,,,=,Medium +2.2.22,"User Rights Assignment","Force shutdown from a remote system",accesschk,SeRemoteShutdownPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.23,"User Rights Assignment","Generate security audits",accesschk,SeAuditPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.24,"User Rights Assignment","Impersonate a client after authentication",accesschk,SeImpersonatePrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.25,"User Rights Assignment","Increase scheduling 
priority",accesschk,SeIncreaseBasePriorityPrivilege,,,,,,"Window Manager\Window Manager Group;BUILTIN\Administrators","Window Manager\Window Manager Group;BUILTIN\Administrators",=,Medium +2.2.26,"User Rights Assignment","Load and unload device drivers",accesschk,SeLoadDriverPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.27,"User Rights Assignment","Lock pages in memory",accesschk,SeLockMemoryPrivilege,,,,,,,,=,Medium +2.2.28,"User Rights Assignment","Log on as a batch job",accesschk,SeBatchLogonRight,,,,,,"BUILTIN\Performance Log Users;BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.29.1,"User Rights Assignment","Log on as a service",accesschk,SeServiceLogonRight,,,,,,"NT SERVICE\ALL SERVICES;NT AUTHORITY\NETWORK SERVICE",,=,Medium +2.2.29.2,"User Rights Assignment","Log on as a service (Hyper-V)",accesschk,SeServiceLogonRight,,,,,,"S-1-5-83-0;NT SERVICE\ALL SERVICES;NT AUTHORITY\NETWORK SERVICE",S-1-5-83-0,=,Medium +2.2.30,"User Rights Assignment","Manage auditing and security log",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.31,"User Rights Assignment","Modify an object label",accesschk,SeReLabelPrivilege,,,,,,,,=,Medium +2.2.32,"User Rights Assignment","Modify firmware environment values",accesschk,SeSystemEnvironmentPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.33,"User Rights Assignment","Perform volume maintenance tasks",accesschk,SeManageVolumePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.34,"User Rights Assignment","Profile single process",accesschk,SeProfileSingleProcessPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.35,"User Rights Assignment","Profile system performance",accesschk,SeSystemProfilePrivilege,,,,,,"NT SERVICE\WdiServiceHost;BUILTIN\Administrators","NT SERVICE\WdiServiceHost;BUILTIN\Administrators",=,Medium +2.2.36,"User Rights 
Assignment","Replace a process level token",accesschk,SeAssignPrimaryTokenPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.37,"User Rights Assignment","Restore files and directories",accesschk,SeRestorePrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.38,"User Rights Assignment","Shut down the system",accesschk,SeShutdownPrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators",BUILTIN\Users;BUILTIN\Administrators,=,Medium +2.2.39,"User Rights Assignment","Take ownership of files or other objects",accesschk,SeTakeOwnershipPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.3.1.1,"Security Options","Accounts: Administrator account status",localaccount,500,,,,,,False,False,=,Medium +2.3.1.2,"Security Options","Accounts: Block Microsoft accounts",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,NoConnectedUser,,,,0,3,=,Low +2.3.1.3,"Security Options","Accounts: Guest account status",localaccount,501,,,,,,False,False,=,Medium +2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium +2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low +2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low +2.3.4.1,"Security 
Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium +2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium +2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium +2.3.6.3,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium +2.3.6.4,"Security Options","Domain member: Disable machine account password changes",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange,,,,0,0,=,Medium +2.3.6.5,"Security Options","Domain member: Maximum machine account password age",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,,,,30,30,<=!0,Medium +2.3.6.6,"Security Options","Domain member: Require strong (Windows 2000 or later) session key",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,,,,1,1,=,Medium +2.3.7.1,"Security Options","Interactive logon: Do not require CTRL+ALT+DEL",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCAD,,,,1,0,=,Low +2.3.7.2,"Security Options","Interactive logon: Don't display last signed-in",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DontDisplayLastUserName,,,,0,1,=,Low +2.3.7.3,"Security Options","Interactive logon: Machine account 
lockout threshold",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,MaxDevicePasswordFailedAttempts,,,,10,10,<=!0,Medium +2.3.7.4,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,<=!0,Medium +2.3.7.5,"Security Options","Interactive logon: Message text for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeText,,,,,,!=,Low +2.3.7.6,"Security Options","Interactive logon: Message title for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeCaption,,,,,,!=,Low +2.3.7.7,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,CachedLogonsCount,,,,10,4,<=,Medium +2.3.7.8.1,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low +2.3.7.8.2,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low +2.3.7.9,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Low +2.3.8.1,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.8.2,"Security Options","Microsoft network client: Digitally sign communications (if server 
agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnableSecuritySignature,,,,1,1,=,Medium +2.3.8.3,"Security Options","Microsoft network client: Send unencrypted password to third-party SMB servers",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnablePlainTextPassword,,,,0,0,=,Medium +2.3.9.1,"Security Options","Microsoft network server: Amount of idle time required before suspending session",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,AutoDisconnect,,,,15,15,<=,Medium +2.3.9.2,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.9.3,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium +2.3.9.4,"Security Options","Microsoft network server: Disconnect clients when logon hours expire",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,enableforcedlogoff,,,,1,1,=,Medium +2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,,1,>=,Medium +2.3.10.1,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,Medium +2.3.10.2,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,Medium +2.3.10.3,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,Medium +2.3.10.4,"Security Options","Network 
access: Do not allow storage of passwords and credentials for network authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium +2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium +2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,NullSessionPipes,,,,,,=,Medium +2.3.10.7,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print 
Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.9,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium +2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium +2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium +2.3.10.12,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium +2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium +2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium +2.3.11.4,"Security Options","Network security: Configure encryption types allowed for 
Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +2.3.11.5,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High +2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low +2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium +2.3.11.8,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium +2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium +2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium +2.3.14.1,"Security Options","System cryptography: Force strong key protection for user keys stored on the computer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography,ForceKeyProtection,,,,,1,>=,Medium +2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium +2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. 
Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium +2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium +2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,0,2,=,Medium +2.3.17.3,"Security Options","User Account Control: Behavior of the elevation prompt for standard users",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorUser,,,,0,0,=,Medium +2.3.17.4,"Security Options","User Account Control: Detect application installations and prompt for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableInstallerDetection,,,,1,1,=,Medium +2.3.17.5,"Security Options","User Account Control: Only elevate UIAccess applications that are installed in secure locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableSecureUIAPaths,,,,1,1,=,Medium +2.3.17.6,"Security Options","User Account Control: Run all administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,,,,1,1,=,Medium +2.3.17.7,"Security Options","User Account Control: Switch to the secure desktop when prompting for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,,,,1,1,=,Medium +2.3.17.8,"Security Options","User Account Control: Virtualize file and registry write failures to per-user locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableVirtualization,,,,1,1,=,Medium +5.1.1,"System Services","Bluetooth Audio Gateway Service 
(BTAGService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\BTAGService,Start,,,,3,4,=,Medium +5.1.2,"System Services","Bluetooth Audio Gateway Service (BTAGService) (Service Startup type)",service,BTAGService,,,,,,Manual,Disabled,=,Medium +5.2.1,"System Services","Bluetooth Support Service (bthserv)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\bthserv,Start,,,,3,4,=,Medium +5.2.2,"System Services","Bluetooth Support Service (bthserv) (Service Startup type)",service,bthserv,,,,,,Manual,Disabled,=,Medium +5.3.1,"System Services","Computer Browser (Browser)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Browser,Start,,,,,4,=,Medium +5.3.2,"System Services","Computer Browser (Browser) (Service Startup type)",service,Browser,,,,,,Manual,Disabled,=,Medium +5.4.1,"System Services","Downloaded Maps Manager (MapsBroker)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MapsBroker,Start,,,,2,4,=,Medium +5.4.2,"System Services","Downloaded Maps Manager (MapsBroker) (Service Startup type)",service,MapsBroker,,,,,,Automatic,Disabled,=,Medium +5.5.1,"System Services","Geolocation Service (lfsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\lfsvc,Start,,,,3,4,=,Medium +5.5.2,"System Services","Geolocation Service (lfsvc) (Service Startup type)",service,lfsvc,,,,,,Manual,Disabled,=,Medium +5.6.1,"System Services","IIS Admin Service (IISADMIN)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\IISADMIN,Start,,,,,4,=,Medium +5.6.2,"System Services","IIS Admin Service (IISADMIN) (Service Startup type)",service,IISADMIN,,,,,,"",Disabled,=,Medium +5.7.1,"System Services","Infrared monitor service (irmon)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\irmon,Start,,,,,4,=,Medium +5.7.2,"System Services","Infrared monitor service (irmon) (Service Startup type)",service,irmon,,,,,,,Disabled,=,Medium +5.8.1,"System Services","Internet Connection Sharing (ICS) (SharedAccess)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess,Start,,,,3,4,=,Medium 
+5.8.2,"System Services","Internet Connection Sharing (ICS) (SharedAccess) (Service Startup type)",service,SharedAccess,,,,,,Manual,Disabled,=,Medium +5.9.1,"System Services","Link-Layer Topology Discovery Mapper (lltdsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\lltdsvc,Start,,,,3,4,=,Medium +5.9.2,"System Services","Link-Layer Topology Discovery Mapper (lltdsvc) (Service Startup type)",service,lltdsvc,,,,,,Manual,Disabled,=,Medium +5.10.1,"System Services","LxssManager (LxssManager)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LxssManager,Start,,,,"",4,=,Medium +5.10.2,"System Services","LxssManager (LxssManager) (Service Startup type)",service,LxssManager,,,,,,,Disabled,=,Medium +5.11.1,"System Services","Microsoft FTP Service (FTPSVC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\FTPSVC,Start,,,,,4,=,Medium +5.11.2,"System Services","Microsoft FTP Service (FTPSVC) (Service Startup type)",service,FTPSVC,,,,,,"",Disabled,=,Medium +5.12.1,"System Services","Microsoft iSCSI Initiator Service (MSiSCSI)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MSiSCSI,Start,,,,3,4,=,Medium +5.12.2,"System Services","Microsoft iSCSI Initiator Service (MsiSCSI) (Service Startup type)",service,MsiSCSI,,,,,,Manual,Disabled,=,Medium +5.13.1,"System Services","Microsoft Store Install Service (InstallService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\InstallService,Start,,,,3,4,=,Medium +5.13.2,"System Services","Microsoft Store Install Service (InstallService) (Service Startup type)",service,InstallService,,,,,,Manual,Disabled,=,Medium +5.14.1,"System Services","OpenSSH SSH Server (sshd)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\sshd,Start,,,,,4,=,Medium +5.14.2,"System Services","OpenSSH SSH Server (sshd) (Service Startup type)",service,sshd,,,,,,,Disabled,=,Medium +5.15.1,"System Services","Peer Name Resolution Protocol (PNRPsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PNRPsvc,Start,,,,3,4,=,Medium +5.15.2,"System 
Services","Peer Name Resolution Protocol (PNRPsvc) (Service Startup type)",service,PNRPsvc,,,,,,Manual,Disabled,=,Medium +5.16.1,"System Services","Peer Networking Grouping (p2psvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\p2psvc,Start,,,,3,4,=,Medium +5.16.2,"System Services","Peer Networking Grouping (p2psvc) (Service Startup type)",service,p2psvc,,,,,,Manual,Disabled,=,Medium +5.17.1,"System Services","Peer Networking Identity Manager (p2pimsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\p2pimsvc,Start,,,,3,4,=,Medium +5.17.2,"System Services","Peer Networking Identity Manager (p2pimsvc) (Service Startup type)",service,p2pimsvc,,,,,,Manual,Disabled,=,Medium +5.18.1,"System Services","PNRP Machine Name Publication Service (PNRPAutoReg)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PNRPAutoReg,Start,,,,3,4,=,Medium +5.18.2,"System Services","PNRP Machine Name Publication Service (PNRPAutoReg) (Service Startup type)",service,PNRPAutoReg,,,,,,Manual,Disabled,=,Medium +5.19.1,"System Services","Problem Reports and Solutions Control Panel Support (wercplsupport)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\wercplsupport,Start,,,,3,4,=,Medium +5.19.2,"System Services","Problem Reports and Solutions Control Panel Support (wercplsupport) (Service Startup type)",service,wercplsupport,,,,,,Manual,Disabled,=,Medium +5.20.1,"System Services","Remote Access Auto Connection Manager (RasAuto)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasAuto,Start,,,,3,4,=,Medium +5.20.2,"System Services","Remote Access Auto Connection Manager (RasAuto) (Service Startup type)",service,RasAuto,,,,,,Manual,Disabled,=,Medium +5.21.1,"System Services","Remote Desktop Configuration (SessionEnv)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SessionEnv,Start,,,,3,4,=,Medium +5.21.2,"System Services","Remote Desktop Configuration (SessionEnv) (Service Startup type)",service,SessionEnv,,,,,,Manual,Disabled,=,Medium +5.22.1,"System Services","Remote Desktop 
Services (TermService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TermService,Start,,,,3,4,=,Medium +5.22.1,"System Services","Remote Desktop Services (TermService) (Service Startup type)",service,TermService,,,,,,Manual,Disabled,=,Medium +5.23.1,"System Services","Remote Desktop Services UserMode Port Redirector (UmRdpService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\UmRdpService,Start,,,,3,4,=,Medium +5.23.2,"System Services","Remote Desktop Services UserMode Port Redirector (UmRdpService) (Service Startup type)",service,UmRdpService,,,,,,Manual,Disabled,=,Medium +5.24.1,"System Services","Remote Procedure Call (RPC) Locator (RpcLocator)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RpcLocator,Start,,,,3,4,=,Medium +5.24.2,"System Services","Remote Procedure Call (RPC) Locator (RpcLocator) (Service Startup type)",service,RpcLocator,,,,,,Manual,Disabled,=,Medium +5.25.1,"System Services","Remote Registry (RemoteRegistry)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry,Start,,,,4,4,=,Medium +5.25.2,"System Services","Remote Registry (RemoteRegistry) (Service Startup type)",service,RemoteRegistry,,,,,,Disabled,Disabled,=,Medium +5.26.1,"System Services","Routing and Remote Access (RemoteAccess)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess,Start,,,,4,4,=,Medium +5.26.2,"System Services","Routing and Remote Access (RemoteAccess) (Service Startup type)",service,RemoteAccess,,,,,,Disabled,Disabled,=,Medium +5.27.1,"System Services","Server (LanmanServer)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer,Start,,,,2,4,=,Medium +5.27.2,"System Services","Server (LanmanServer) (Service Startup type)",service,LanmanServer,,,,,,Automatic,Disabled,=,Medium +5.28.1,"System Services","Simple TCP/IP Services (simptcp)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\simptcp,Start,,,,,4,=,Medium +5.28.2,"System Services","Simple TCP/IP Services (simptcp) (Service Startup 
type)",service,simptcp,,,,,,"",Disabled,=,Medium +5.29.1,"System Services","SNMP Service (SNMP)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SNMP,Start,,,,,4,=,Medium +5.29.2,"System Services","SNMP Service (SNMP) (Service Startup type)",service,SNMP,,,,,,"",Disabled,=,Medium +5.30.1,"System Services","SSDP Discovery (SSDPSRV)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SSDPSRV,Start,,,,3,4,=,Medium +5.30.2,"System Services","SSDP Discovery (SSDPSRV) (Service Startup type)",service,SSDPSRV,,,,,,Manual,Disabled,=,Medium +5.31.1,"System Services","UPnP Device Host (upnphost)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\upnphost,Start,,,,3,4,=,Medium +5.31.2,"System Services","UPnP Device Host (upnphost) (Service Startup type)",service,upnphost,,,,,,Manual,Disabled,=,Medium +5.32.1,"System Services","Web Management Service (WMSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WMSvc,Start,,,,,4,=,Medium +5.32.2,"System Services","Web Management Service (WMSvc) (Service Startup type)",service,WMSvc,,,,,,"",Disabled,=,Medium +5.33.1,"System Services","Windows Error Reporting Service (WerSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WerSvc,Start,,,,3,4,=,Medium +5.33.2,"System Services","Windows Error Reporting Service (WerSvc) (Service Startup type)",service,WerSvc,,,,,,Manual,Disabled,=,Medium +5.34.1,"System Services","Windows Event Collector (Wecsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Wecsvc,Start,,,,3,4,=,Medium +5.34.2,"System Services","Windows Event Collector (Wecsvc) (Service Startup type)",service,Wecsvc,,,,,,Manual,Disabled,=,Medium +5.35.1,"System Services","Windows Media Player Network Sharing Service (WMPNetworkSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc,Start,,,,3,4,=,Medium +5.35.2,"System Services","Windows Media Player Network Sharing Service (WMPNetworkSvc) (Service Startup type)",service,WMPNetworkSvc,,,,,,Manual,Disabled,=,Medium +5.36.1,"System Services","Windows Mobile 
Hotspot Service (icssvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\icssvc,Start,,,,3,4,=,Medium
+5.36.2,"System Services","Windows Mobile Hotspot Service (icssvc) (Service Startup type)",service,icssvc,,,,,,Manual,Disabled,=,Medium
+5.37.1,"System Services","Windows Push Notifications System Service (WpnService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WpnService,Start,,,,2,4,=,Medium
+5.37.2,"System Services","Windows Push Notifications System Service (WpnService) (Service Startup type)",service,WpnService,,,,,,Automatic,Disabled,=,Medium
+5.38.1,"System Services","Windows PushToInstall Service (PushToInstall)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PushToInstall,Start,,,,3,4,=,Medium
+5.38.2,"System Services","Windows PushToInstall Service (PushToInstall) (Service Startup type)",service,PushToInstall,,,,,,Manual,Disabled,=,Medium
+5.39.1,"System Services","Windows Remote Management (WS-Management) (WinRM)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WinRM,Start,,,,3,4,=,Medium
+5.39.2,"System Services","Windows Remote Management (WS-Management) (WinRM) (Service Startup type)",service,WinRM,,,,,,Manual,Disabled,=,Medium
+5.40.1,"System Services","World Wide Web Publishing Service (W3SVC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC,Start,,,,,4,=,Medium
+5.40.1,"System Services","World Wide Web Publishing Service (W3SVC) (Service Startup type)",service,W3SVC,,,,,,,Disabled,=,Medium
+5.41.1,"System Services","Xbox Accessory Management Service (XboxGipSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxGipSvc,Start,,,,3,4,=,Medium
+5.41.2,"System Services","Xbox Accessory Management Service (XboxGipSvc) (Service Startup type)",service,XboxGipSvc,,,,,,Manual,Disabled,=,Medium
+5.42.1,"System Services","Xbox Live Auth Manager (XblAuthManager)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XblAuthManager,Start,,,,3,4,=,Medium
+5.42.2,"System Services","Xbox Live Auth Manager (XblAuthManager) (Service Startup 
type)",service,XblAuthManager,,,,,,Manual,Disabled,=,Medium
+5.43.1,"System Services","Xbox Live Game Save (XblGameSave)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XblGameSave,Start,,,,3,4,=,Medium
+5.43.2,"System Services","Xbox Live Game Save (XblGameSave) (Service Startup type)",service,XblGameSave,,,,,,Manual,Disabled,=,Medium
+5.44.1,"System Services","Xbox Live Networking Service (XboxNetApiSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc,Start,,,,3,4,=,Medium
+5.44.2,"System Services","Xbox Live Networking Service (XboxNetApiSvc) (Service Startup type)",service,XboxNetApiSvc,,,,,,Manual,Disabled,=,Medium
+9.1.1,"Windows Firewall","EnableFirewall (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,,,,0,1,=,Medium
+9.1.2,"Windows Firewall","Inbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,,,,1,1,=,Medium
+9.1.3,"Windows Firewall","Outbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,,,,0,0,=,Medium
+9.1.4,"Windows Firewall","Display a notification (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DisableNotifications,,,,0,1,=,Low
+9.1.5,"Windows Firewall","Name of log file (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\domainfw.log,=,Low
+9.1.6,"Windows Firewall","Log size limit (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium
+9.1.7,"Windows Firewall","Log dropped packets (Domain Profile, 
Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium
+9.1.8,"Windows Firewall","Log successful connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+9.2.1,"Windows Firewall","EnableFirewall (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,,,,0,1,=,Medium
+9.2.2,"Windows Firewall","Inbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultInboundAction,,,,1,1,=,Medium
+9.2.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium
+9.2.4,"Windows Firewall","Display a notification (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DisableNotifications,,,,0,1,=,Low
+9.2.5,"Windows Firewall","Name of log file (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\privatefw.log,=,Low
+9.2.6,"Windows Firewall","Log size limit (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium
+9.2.7,"Windows Firewall","Log dropped packets (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium
+9.2.8,"Windows Firewall","Log successful connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+9.3.1,"Windows Firewall","EnableFirewall (Public Profile, 
Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,,,,0,1,=,Medium
+9.3.2,"Windows Firewall","Inbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium
+9.3.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium
+9.3.4,"Windows Firewall","Display a notification (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,,,,0,1,=,Low
+9.3.5,"Windows Firewall","Apply local firewall rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalPolicyMerge,,,,0,0,=,Low
+9.3.6,"Windows Firewall","Apply local connection security rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalIPsecPolicyMerge,,,,0,0,=,Low
+9.3.7,"Windows Firewall","Name of log file (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\publicfw.log,=,Low
+9.3.8,"Windows Firewall","Log size limit (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium
+9.3.9,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium
+9.3.10,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+17.1.1,"Advanced Audit Policy Configuration","Credential 
Validation",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.2.1,"Advanced Audit Policy Configuration","Application Group Management",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.2.2,"Advanced Audit Policy Configuration","Security Group Management",auditpol,,,,,,,Success,Success,contains,Low
+17.2.3,"Advanced Audit Policy Configuration","User Account Management",auditpol,,,,,,,Success,"Success and Failure",=,Low
+17.3.1,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.3.2,"Advanced Audit Policy Configuration","Process Creation",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.5.1,"Advanced Audit Policy Configuration","Account Lockout",auditpol,,,,,,,Success,Failure,contains,Low
+17.5.2,"Advanced Audit Policy Configuration","Group Membership",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.5.3,"Advanced Audit Policy Configuration",Logoff,auditpol,,,,,,,Success,Success,contains,Low
+17.5.4,"Advanced Audit Policy Configuration",Logon,auditpol,,,,,,,"Success and Failure","Success and Failure",=,Low
+17.5.5,"Advanced Audit Policy Configuration","Other Logon/Logoff Events",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.5.6,"Advanced Audit Policy Configuration","Special Logon",auditpol,,,,,,,Success,Success,contains,Low
+17.6.1,"Advanced Audit Policy Configuration","Detailed File Share",auditpol,,,,,,,"No Auditing",Failure,contains,Low
+17.6.2,"Advanced Audit Policy Configuration","File Share",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.6.3,"Advanced Audit Policy Configuration","Other Object Access Events",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.6.4,"Advanced Audit Policy Configuration","Removable Storage",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.7.1,"Advanced Audit Policy Configuration","Audit Policy Change",auditpol,,,,,,,Success,Success,contains,Low
+17.7.2,"Advanced Audit Policy 
Configuration","Authentication Policy Change",auditpol,,,,,,,Success,Success,contains,Low
+17.7.3,"Advanced Audit Policy Configuration","Authorization Policy Change",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.7.4,"Advanced Audit Policy Configuration","MPSSVC Rule-Level Policy Change",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.7.5,"Advanced Audit Policy Configuration","Other Policy Change Events",auditpol,,,,,,,"No Auditing",Failure,contains,Low
+17.8.1,"Advanced Audit Policy Configuration","Sensitive Privilege Use",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.9.1,"Advanced Audit Policy Configuration","IPsec Driver",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.9.2,"Advanced Audit Policy Configuration","Other System Events",auditpol,,,,,,,"Success and Failure","Success and Failure",=,Low
+17.9.3,"Advanced Audit Policy Configuration","Security State Change",auditpol,,,,,,,Success,Success,contains,Low
+17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.9.5,"Advanced Audit Policy Configuration","System Integrity",auditpol,,,,,,,"Success and Failure","Success and Failure",=,Low
+18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low
+18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low
+18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium
+18.1.3,"Administrative Templates: Control Panel","Allow Online 
Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium
+18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,HKLM:\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA},DllName,,,,,"C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll",=,Medium
+18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium
+18.2.3,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium
+18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium
+18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium
+18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium
+18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium
+18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
+18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
+18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session 
Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium
+18.3.5,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium
+18.3.6,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,,0,=,High
+18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium
+18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
+18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
+18.4.4,"MSS (Legacy)","MSS: (DisableSavePassword) Prevent the dial-up password from being saved",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters,DisableSavePassword,,,,,1,=,Medium
+18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium
+18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium
+18.4.7,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
+18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses 
(could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium
+18.4.9,"MSS (Legacy)","Enable Safe DLL search mode",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium
+18.4.10,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium
+18.4.11,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium
+18.4.12,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium
+18.4.13,"MSS (Legacy)","MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security,WarningLevel,,,,0,90,<=,Medium
+18.5.4.1,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium
+18.5.5.1,"Administrative Templates: Network","Fonts: Enable Font Providers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableFontProviders,,,,1,0,=,Medium
+18.5.8.1,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
+18.5.9.1.1,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver 
(AllowLLTDIOOndomain)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOndomain,,,,0,0,=,Medium
+18.5.9.1.2,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOnPublicNet,,,,0,0,=,Medium
+18.5.9.1.3,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (EnableLLTDIO)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableLLTDIO,,,,0,0,=,Medium
+18.5.9.1.4,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (ProhibitLLTDIOOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitLLTDIOOnPrivateNet,,,,0,0,=,Medium
+18.5.9.2.1,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnDomain)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD,AllowRspndrOnDomain,,,,0,0,=,Medium
+18.5.9.2.2,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowRspndrOnPublicNet,,,,0,0,=,Medium
+18.5.9.2.3,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (EnableRspndr)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableRspndr,,,,0,0,=,Medium
+18.5.9.2.4,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (ProhibitRspndrOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitRspndrOnPrivateNet,,,,0,0,=,Medium
+18.5.10.2,"Administrative Templates: Network","Turn off Microsoft Peer-to-Peer Networking Services",Registry,,HKLM:\Software\policies\Microsoft\Peernet,Disabled,,,,0,1,=,Medium
+18.5.11.2,"Administrative Templates: Network","Network Connections: Prohibit installation and configuration of Network Bridge on your DNS domain 
network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_AllowNetBridge_NLA,,,,0,0,=,Medium
+18.5.11.3,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium
+18.5.11.4,"Administrative Templates: Network","Network Connections: Require domain users to elevate when setting a network's location",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_StdDomainUserSetLocation,,,,0,1,=,Medium
+18.5.14.1.1,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+18.5.14.1.2,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+18.5.19.2.1,"Administrative Templates: Network","Disable IPv6",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters,DisabledComponents,,,,0,255,=,Medium
+18.5.20.1.1,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (EnableRegistrars)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,EnableRegistrars,,,,1,0,=,Medium
+18.5.20.1.2,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableUPnPRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableUPnPRegistrar,,,,1,0,=,Medium
+18.5.20.1.3,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now 
(DisableInBand802DOT11Registrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableInBand802DOT11Registrar,,,,1,0,=,Medium
+18.5.20.1.4,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableFlashConfigRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableFlashConfigRegistrar,,,,1,0,=,Medium
+18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium
+18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium
+18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium
+18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
+18.5.23.2.1,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
+18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium 
+18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium
+18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,"“AllowEncryptionOracle",,,,0,0,=,Medium
+18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
+18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium
+18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
+18.8.5.4,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,1,=,Medium
+18.8.5.5,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium
+18.8.5.6,"Administrative Templates: System","Device Guard: Secure Launch Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,,,,0,1,=,Medium 
+18.8.7.1.1,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices that match an ID",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDs,,,,0,1,=,Medium
+18.8.7.1.2,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs,PCI\CC_0C0A,,,,0,PCI\CC_0C0A,=,Medium
+18.8.7.1.3,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDsRetroactive,,,,0,1,=,Medium
+18.8.7.1.4,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClasses,,,,0,1,=,Medium
+18.8.7.1.5.1,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
+18.8.7.1.5.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 7ebefbc0-3200-11d2-b4c2-00a0C9697d07 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,,,,0,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,=,Medium
+18.8.7.1.5.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent 
installation of devices using drivers that match c06ff265-ae09-48f0-812c-16753d7cba83 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,c06ff265-ae09-48f0-812c-16753d7cba83,,,,0,c06ff265-ae09-48f0-812c-16753d7cba83,=,Medium
+18.8.7.1.5.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 6bdd1fc1-810f-11d0-bec7-08002be2092f (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,6bdd1fc1-810f-11d0-bec7-08002be2092f,,,,0,6bdd1fc1-810f-11d0-bec7-08002be2092f,=,Medium
+18.8.7.1.6,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClassesRetroactive,,,,0,1,=,Medium
+18.8.14.1,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium
+18.8.21.2,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Medium
+18.8.21.3,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Medium
+18.8.21.4,"Administrative Templates: System","Group Policy: Continue experiences on this device",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableCdp,,,,1,0,=,Medium
+18.8.21.5,"Administrative Templates: System","Group Policy: Turn off background refresh of Group 
Policy",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableBkGndGroupPolicy,,,,0,0,=,Medium
+18.8.22.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off access to the Store",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoUseStoreOpenWith,,,,0,1,=,Medium
+18.8.22.1.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off downloading of print drivers over HTTP",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",DisableWebPnPDownload,,,,0,1,=,Medium
+18.8.22.1.3,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting personalization data sharing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC,PreventHandwritingDataSharing,,,,0,1,=,Medium
+18.8.22.1.4,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting recognition error reporting",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports,PreventHandwritingErrorReports,,,,0,1,=,Medium
+18.8.22.1.5,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard",ExitOnMSICW,,,,0,1,=,Medium
+18.8.22.1.6,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoWebServices,,,,0,1,=,Medium
+18.8.22.1.7,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off printing over 
HTTP",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers",DisableHTTPPrinting,,,,0,1,=,Medium
+18.8.22.1.8,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Registration if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control",NoRegistration,,,,0,1,=,Medium
+18.8.22.1.9,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Search Companion content file updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\SearchCompanion,DisableContentFileUpdates,,,,0,1,=,Medium
+18.8.22.1.10,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Order Prints' picture task",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoOnlinePrintsWizard,,,,0,1,=,Medium
+18.8.22.1.11,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Publish to Web' task for files and folders",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoPublishingWizard,,,,0,1,=,Medium
+18.8.22.1.12,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\Messenger\Client,CEIP,,,,0,2,=,Medium
+18.8.22.1.13,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\SQMClient\Windows,CEIPEnable,,,,1,0,=,Medium
+18.8.22.1.14.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 
1",Registry,,HKLM:\Software\Policies\Microsoft\PCHealth\ErrorReporting,DoReport,,,,1,0,=,Medium +18.8.22.1.14.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 2",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting",Disabled,,,,0,1,=,Medium +18.8.25.1.1,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitBehavior)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitBehavior,,,,1,0,=,Medium +18.8.25.1.2,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitEnabled)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitEnabled,,,,1,1,=,Medium +18.8.26.1,"Administrative Templates: System","Kernel DMA Protection: Enumeration policy for external devices incompatible with Kernel DMA Protection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection",DeviceEnumerationPolicy,,,,2,0,=,Medium +18.8.27.1,"Administrative Templates: System","Locale Services: Disallow copying of user input methods to the system account for sign-in",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International",BlockUserInputMethodsForSignIn,,,,0,1,=,Medium +18.8.28.1,"Administrative Templates: System","Logon: Block user from showing account details on sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockUserFromShowingAccountDetailsOnSignin,,,,0,1,=,Medium +18.8.28.2,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Medium +18.8.28.3,"Administrative Templates: System","Logon: Do not enumerate connected users on domain-joined 
computers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,DontEnumerateConnectedUsers,,,,0,1,=,Medium +18.8.28.4,"Administrative Templates: System","Logon: Enumerate local users on domain-joined computers",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,EnumerateLocalUsers,,,,0,0,=,Medium +18.8.28.5,"Administrative Templates: System","Logon: Turn off app notifications on the lock screen",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DisableLockScreenAppNotifications,,,,0,1,=,Medium +18.8.28.6,"Administrative Templates: System","Logon: Turn off picture password sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockDomainPicturePassword,,,,0,1,=,Medium +18.8.28.7,"Administrative Templates: System","Logon: Turn on convenience PIN sign-in",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,AllowDomainPINLogon,,,,1,0,=,Medium +18.8.31.1,"Administrative Templates: System","OS Policies: Allow Clipboard synchronization across devices",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,AllowCrossDeviceClipboard,,,,1,0,=,Medium +18.8.31.2,"Administrative Templates: System","OS Policies: Allow upload of User Activities",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,UploadUserActivities,,,,1,0,=,Medium +18.8.34.6.1,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (on battery)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,DCSettingIndex,,,,1,0,=,Medium +18.8.34.6.2,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (plugged in)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,ACSettingIndex,,,,1,0,=,Medium +18.8.34.6.3,"Administrative Templates: System","Sleep Settings: Allow standby states (S1-S3) when sleeping (on 
battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,,,,1,0,=,Medium +18.8.34.6.4,"Administrative Templates: System","Sleep Settings: Allow standby states (S1-S3) when sleeping (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,ACSettingIndex,,,,1,0,=,Medium +18.8.34.6.5,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,DCSettingIndex,,,,0,1,=,Medium +18.8.34.6.6,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex,,,,0,1,=,Medium +18.8.36.1,"Administrative Templates: System","Remote Assistance: Configure Offer Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowUnsolicited,,,,1,0,=,Medium +18.8.36.2,"Administrative Templates: System","Remote Assistance: Configure Solicited Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowToGetHelp,,,,1,0,=,Medium +18.8.37.1,"Administrative Templates: System","Remote Procedure Call: Enable RPC Endpoint Mapper Client Authentication",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",EnableAuthEpResolution,,,,0,1,=,Medium +18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium +18.8.47.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support 
provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium +18.8.47.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium +18.8.49.1,"Administrative Templates: System","User Profiles: Turn of the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium +18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium +18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium +18.9.5.1,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium +18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium +18.9.6.2,"Administrative Templates: Windows Components","App runtime: Block launching Universal Windows apps with Windows Runtime API access from hosted content",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,BlockHostedAppAccessWinRT,,,,0,1,=,Medium +18.9.8.1,"Administrative 
Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium +18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium +18.9.8.3,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium +18.9.10.1.1,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium +18.9.11.1.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Allow access to BitLocker-protected fixed data drives from earlier versions of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVDiscoveryVolumeType,,,,,,=,Medium +18.9.11.1.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecovery,,,,0,1,=,Medium +18.9.11.1.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVManageDRA,,,,1,1,=,Medium +18.9.11.1.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Recovery Password",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecoveryPassword,,,,,2,=,Medium +18.9.11.1.5,"Administrative Templates: Windows Components","BitLocker Drive 
Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Recovery Key",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecoveryKey,,,,,2,=,Medium +18.9.11.1.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVHideRecoveryPage,,,,,1,=,Medium +18.9.11.1.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.1.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVActiveDirectoryInfoToStore,,,,,1,=,Medium +18.9.11.1.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRequireActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.1.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of hardware-based encryption for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVHardwareEncryption,,,,,1,=,Medium +18.9.11.1.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of hardware-based encryption for fixed data drives: Use BitLocker software-based encryption when hardware 
encryption is not available",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVAllowSoftwareEncryptionFailover,,,,1,1,=,Medium +18.9.11.1.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of hardware-based encryption for fixed data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRestrictHardwareEncryptionAlgorithms,,,,0,0,=,Medium +18.9.11.1.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of hardware-based encryption for fixed data drives: Restrict crypto algorithms or cipher suites",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVAllowedHardwareEncryptionAlgorithms,,,,,2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42,=,Medium +18.9.11.1.14,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of passwords for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVPassphrase,,,,0,0,=,Medium +18.9.11.1.15,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of smart cards on fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVAllowUserCert,,,,,1,=,Medium +18.9.11.1.16,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVEnforceUserCert,,,,0,1,=,Medium +18.9.11.2.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Allow enhanced PINs for startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseEnhancedPin,,,,0,1,=,Medium +18.9.11.2.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Allow Secure Boot for 
integrity validation",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowSecureBootForIntegrity,,,,0,1,=,Medium +18.9.11.2.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecovery,,,,0,1,=,Medium +18.9.11.2.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSManageDRA,,,,1,0,=,Medium +18.9.11.2.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Recovery Password",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecoveryPassword,,,,,1,=,Medium +18.9.11.2.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Recovery Key",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecoveryKey,,,,1,0,=,Medium +18.9.11.2.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSHideRecoveryPage,,,,0,1,=,Medium +18.9.11.2.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSActiveDirectoryBackup,,,,0,1,=,Medium +18.9.11.2.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: 
Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSActiveDirectoryInfoToStore,,,,0,1,=,Medium +18.9.11.2.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRequireActiveDirectoryBackup,,,,0,1,=,Medium +18.9.11.2.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of hardware-based encryption for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSHardwareEncryption,,,,0,1,=,Medium +18.9.11.2.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Use BitLocker software-based encryption when hardware encryption is not available",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowSoftwareEncryptionFailover,,,,0,1,=,Medium +18.9.11.2.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of hardware-based encryption for operating system drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRestrictHardwareEncryptionAlgorithms,,,,0,0,=,Medium +18.9.11.2.14,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of hardware-based encryption for operating system drives: Restrict crypto algorithms or cipher suites",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowedHardwareEncryptionAlgorithms,,,,,2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42,=,Medium +18.9.11.2.15,"Administrative Templates: 
Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of passwords for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSPassphrase,,,,,0,=,Medium +18.9.11.2.16,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseAdvancedStartup,,,,0,1,=,Medium +18.9.11.2.17,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Allow BitLocker without a compatible TPM",Registry,,HKLM:\Software\Policies\Microsoft\FVE,EnableBDEWithNoTPM,,,,1,0,=,Medium +18.9.11.2.18,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseTPM,,,,0,0,=,Medium +18.9.11.2.19,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup PIN",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseTPMPIN,,,,0,1,=,Medium +18.9.11.2.20,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup key",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseTPMKey,,,,0,0,=,Medium +18.9.11.2.21,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup key and PIN",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseTPMKeyPIN,,,,0,0,=,Medium +18.9.11.3.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Allow access to BitLocker-protected removable data drives from earlier versions of 
Windows",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDiscoveryVolumeType,,,,,,=,Medium +18.9.11.3.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecovery,,,,0,1,=,Medium +18.9.11.3.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVManageDRA,,,,,1,=,Medium +18.9.11.3.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Recovery Password",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecoveryPassword,,,,,0,=,Medium +18.9.11.3.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Recovery Key",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecoveryKey,,,,,0,=,Medium +18.9.11.3.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVHideRecoveryPage,,,,,1,=,Medium +18.9.11.3.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.3.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be 
recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVActiveDirectoryInfoToStore,,,,,1,=,Medium +18.9.11.3.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRequireActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.3.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of hardware-based encryption for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVHardwareEncryption,,,,,1,=,Medium +18.9.11.3.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of hardware-based encryption for removable data drives: Use BitLocker software-based encryption when hardware encryption is not available",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVAllowSoftwareEncryptionFailover,,,,,1,=,Medium +18.9.11.3.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of hardware-based encryption for removable data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRestrictHardwareEncryptionAlgorithms,,,,,0,=,Medium +18.9.11.3.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of hardware-based encryption for removable data drives: Restrict crypto algorithms or cipher suites",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVAllowedHardwareEncryptionAlgorithms,,,,,2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42,=,Medium 
+18.9.11.3.14,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of passwords for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVPassphrase,,,,,0,=,Medium +18.9.11.3.15,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of smart cards on removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVAllowUserCert,,,,,1,=,Medium +18.9.11.3.16,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVEnforceUserCert,,,,,1,=,Medium +18.9.11.3.17,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Deny write access to removable drives not protected by BitLocker",Registry,,HKLM:\System\CurrentControlSet\Policies\Microsoft\FVE,RDVDenyWriteAccess,,,,,1,=,Medium +18.9.11.3.18,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Do not allow write access to devices configured in another organization",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDenyCrossOrg,,,,,0,=,Medium +18.9.11.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Disable new DMA devices when this computer is locked",Registry,,HKLM:\Software\Policies\Microsoft\FVE,DisableExternalDMAUnderLock,,,,0,1,=,Medium +18.9.12.1,"Administrative Templates: Windows Components","Camera: Allow Use of Camera",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Camera,AllowCamera,,,,1,0,=,Medium +18.9.13.1,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium +18.9.14.1,"Administrative 
Templates: Windows Components","Connect: Require pin for pairing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect,RequirePinForPairing,,,,0,1,>=,Medium +18.9.15.1,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium +18.9.15.2,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium +18.9.15.3,"Administrative Templates: Windows Components","Credential User Interface: Prevent the use of security questions for local accounts",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,NoLocalPasswordResetQuestions,,,,0,1,=,Medium +18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium +18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium +18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium +18.9.17.1,"Administrative Templates: Windows Components","Delivery Optimization: Download 
Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,3,2,=,Medium +18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium +18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium +18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium +18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium +18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium +18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size 
(KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium +18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium +18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium +18.9.35.1,"Administrative Templates: Windows Components","HomeGroup: Prevent the computer from joining a homegroup",Registry,,HKLM:\Software\Policies\Microsoft\Windows\HomeGroup,DisableHomeGroup,,,,0,1,=,Medium +18.9.39.2,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium +18.9.43.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium +18.9.44.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium +18.9.45.1,"Microsoft Edge","Allow Address bar drop-down list suggestions",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI,ShowOneBox,,,,1,0,=,Medium +18.9.45.2,"Microsoft Edge","Allow Adobe Flash",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons,FlashPlayerEnabled,,,,1,0,=,Medium +18.9.45.3,"Microsoft Edge","Allow InPrivate 
Browsing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main,AllowInPrivate,,,,1,0,=,Medium +18.9.45.4,"Microsoft Edge","Allow Sideloading of extension",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Extensions,AllowSideloadingOfExtensions,,,,1,0,=,Medium +18.9.45.5,"Microsoft Edge","Configure cookies",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main,Cookies,,,,2,1,=,Medium +18.9.45.6,"Microsoft Edge","Configure Password Manager",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,"FormSuggest Passwords",,,,,no,=,Medium +18.9.45.7,"Microsoft Edge","Configure Pop-up Blocker",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,AllowPopups,,,,,yes,=,Medium +18.9.45.8,"Microsoft Edge","Configure search suggestions in Address bar",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\SearchScopes,ShowSearchSuggestionsGlobal,,,,,0,=,Medium +18.9.45.9,"Microsoft Edge","Configure the Adobe Flash Click-to-Run setting",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Security,FlashClickToRunMode,,,,,1,=,Medium +18.9.45.10,"Microsoft Edge","Prevent access to the about:flags page in Microsoft Edge",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,PreventAccessToAboutFlagsInMicrosoftEdge,,,,,1,=,Medium +18.9.45.11,"Microsoft Edge","Prevent certificate error overrides",Registry,,"HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings",PreventCertErrorOverrides,,,,,1,=,Medium +18.9.45.12,"Microsoft Edge","Prevent using Localhost IP address for WebRTC",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,HideLocalHostIP,,,,,1,=,Medium +18.9.52.1,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium +18.9.58.1,"Administrative Templates: Windows Components","Push To Install: Turn off Push To Install 
service",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall,DisablePushToInstall,,,,,1,=,Medium +18.9.59.2.2,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium +18.9.59.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Allow users to connect remotely by using Remote Desktop Services",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDenyTSConnections,,,,0,1,=,Medium +18.9.59.3.3.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow COM port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCcm,,,,0,1,=,Medium +18.9.59.3.3.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium +18.9.59.3.3.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow LPT port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLPT,,,,0,1,=,Medium +18.9.59.3.3.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow supported Plug and Play device redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisablePNPRedir,,,,0,1,=,Medium +18.9.59.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium +18.9.59.3.9.2,"Administrative Templates: Windows 
Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium +18.9.59.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium +18.9.59.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +18.9.59.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium +18.9.59.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,,900000,<=,Medium +18.9.59.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium +18.9.59.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium +18.9.59.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per 
session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,1,=,Medium +18.9.60.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +18.9.61.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium +18.9.61.3,"Administrative Templates: Windows Components","Search: Allow Cortana",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortana,,,,1,0,=,Medium +18.9.61.4,"Administrative Templates: Windows Components","Search: Allow Cortana above lock screen",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortanaAboveLock,,,,1,0,=,Medium +18.9.61.5,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium +18.9.61.6,"Administrative Templates: Windows Components","Search: Allow search and Cortana to use location",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowSearchToUseLocation,,,,1,0,=,Medium +18.9.66.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium +18.9.69.1,"Administrative Templates: Windows Components","Store: Disable all apps from Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableStoreApps,,,,,1,=,Medium +18.9.69.2,"Administrative Templates: Windows Components","Store: Only display the private store within the Microsoft 
Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RequirePrivateStoreOnly,,,,,1,=,Medium +18.9.69.3,"Administrative Templates: Windows Components","Store: Turn off Automatic Download and Install of updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,AutoDownload,,,,,4,=,Medium +18.9.69.4,"Administrative Templates: Windows Components","Store: Turn off the offer to update to the latest version of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableOSUpgrade,,,,,1,=,Medium +18.9.69.5,"Administrative Templates: Windows Components","Store: Turn off the Store application",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RemoveWindowsStore,,,,,1,=,Medium +18.9.77.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium +18.9.77.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=,Medium +18.9.77.7.1,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,,0,=,Medium +18.9.77.9.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium +18.9.77.10.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium +18.9.77.10.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium +18.9.77.13.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction 
rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium +18.9.77.13.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium +18.9.77.13.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium +18.9.77.13.1.2.2.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium +18.9.77.13.1.2.2.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium +18.9.77.13.1.2.3.1,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium +18.9.77.13.1.2.3.2,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium +18.9.77.13.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium +18.9.77.13.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other 
processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium +18.9.77.13.1.2.5.1,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium +18.9.77.13.1.2.5.2,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium +18.9.77.13.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium +18.9.77.13.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium +18.9.77.13.1.2.7.1,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium +18.9.77.13.1.2.7.2,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium +18.9.77.13.1.2.8.1,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium +18.9.77.13.1.2.8.2,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from 
USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium +18.9.77.13.1.2.9.1,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium +18.9.77.13.1.2.9.2,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium +18.9.77.13.1.2.10.1,"Microsoft Defender Exploit Guard","ASR: Impede JavaScript and VBScript to launch executables (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium +18.9.77.13.1.2.10.2,"Microsoft Defender Exploit Guard","ASR: Impede JavaScript and VBScript to launch executables",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium +18.9.77.13.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium +18.9.77.13.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium +18.9.77.13.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium +18.9.77.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium 
+18.9.77.15,"Microsoft Defender Antivirus","Turn off Windows Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +18.9.78.1,"Microsoft Defender Application Guard","Allow auditing events in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AuditApplicationGuard,,,,,1,=,Medium +18.9.78.2,"Microsoft Defender Application Guard","Allow camera and microphone access in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowCameraMicrophoneRedirection,,,,,0,=,Medium +18.9.78.3,"Microsoft Defender Application Guard","Allow data persistence for Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowPersistence,,,,,0,=,Medium +18.9.78.4,"Microsoft Defender Application Guard","Allow files to download and save to the host operating system from Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,SaveFilesToHost,,,,,0,=,Medium +18.9.78.4,"Microsoft Defender Application Guard","Allow users to trust files that open in Windows Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,FileTrustCriteria,,,,,1,!=,Medium +18.9.78.6,"Microsoft Defender Application Guard","Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AppHVSIClipboardSettings,,,,,1,=,Medium +18.9.78.7,"Microsoft Defender Application Guard","Turn on Microsoft Defender Application Guard in Managed Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowAppHVSI_ProviderSet,,,,,1,=,Medium +18.9.80.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium +18.9.80.1.1.2,"Administrative Templates: Windows Components","File Explorer: 
Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium +18.9.80.2.1,"Microsoft Edge","Configure Windows Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9,,,,,1,=,Medium +18.9.80.2.2,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for files",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverrideAppRepUnknown,,,,,1,=,Medium +18.9.80.2.3,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Medium +18.9.82.1,"Administrative Templates: Windows Components","Windows Game Recording and Broadcasting: Enables or disables Windows Game Recording and Broadcasting",Registry,,HKLM:\Software\Policies\Microsoft\Windows\GameDVR,AllowGameDVR,,,,1,0,=,Medium +18.9.84.1,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow suggested apps in Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowSuggestedAppsInWindowsInkWorkspace,,,,1,0,=,Medium +18.9.84.2,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,1,<=,Medium +18.9.85.1,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium +18.9.85.2,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium +18.9.85.3,"Administrative Templates: Windows Components","Windows Installer: Prevent Internet 
Explorer security prompt for Windows Installer scripts",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,SafeForScripting,,,,1,0,=,Medium +18.9.86.1,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium +18.9.95.1,PowerShell,"Turn on PowerShell Script Block Logging",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockLogging,,,,0,0,=,Medium +18.9.95.2,PowerShell,"Turn on PowerShell Transcription",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription,EnableTranscripting,,,,0,0,=,Medium +18.9.97.1.1,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,Medium +18.9.97.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium +18.9.97.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium +18.9.97.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium +18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium +18.9.97.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted 
traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium +18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium +18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium +18.9.99.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium +18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium +18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium +18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium +18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium +18.9.102.1.2.3,"Administrative Templates: 
Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium
+18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium
+18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium
+18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium
+18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium
+18.9.102.4,"Administrative Templates: Windows Components","Windows Update: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium
+18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium
diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_1909_user.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_1909_user.csv
new file mode 100644
index 0000000..5e6e452
--- /dev/null
+++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_1909_user.csv
@@ -0,0 +1,16 @@
+ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity
+19.1.3.1,"Administrative Templates: Control Panel","Enable screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveActive,,,,,1,=,Medium
+19.1.3.3,"Administrative Templates: Control Panel","Password protect the screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaverIsSecure,,,,,1,=,Medium
+19.1.3.4,"Administrative Templates: Control Panel","Screen saver timeout",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveTimeOut,,,,,900,<=!0,Medium
+19.5.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off toast notifications on the lock screen",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoToastApplicationNotificationOnLockScreen,,,,0,1,=,Medium
+19.6.6.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication Settings: Turn off Help Experience Improvement Program",Registry,,HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0,NoImplicitFeedback,,,,0,1,=,Medium
+19.7.4.1,"Administrative Templates: Windows Components","Attachment Manager: Do not preserve zone information in file attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,SaveZoneInformation,,,,,0,=,Medium
+19.7.4.2,"Administrative Templates: Windows Components","Attachment Manager: Notify antivirus programs when opening attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,ScanWithAntiVirus,,,,,1,=,Medium
+19.7.7.1,"Administrative Templates: Windows Components","Cloud Content: Configure Windows spotlight on lock screen",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,ConfigureWindowsSpotlight,,,,,0,=,Medium
+19.7.7.2,"Administrative Templates: Windows Components","Cloud Content: Do not suggest third-party content in Windows spotlight",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableThirdPartySuggestions,,,,0,1,=,Medium
+19.7.7.3,"Administrative Templates: Windows Components","Cloud Content: Do not use diagnostic data for tailored experiences",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableTailoredExperiencesWithDiagnosticData,,,,0,1,=,Medium
+19.7.7.4,"Administrative Templates: Windows Components","Cloud Content: Turn off all Windows spotlight features",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsSpotlightFeatures,,,,0,1,=,Medium
+19.7.26.1,"Administrative Templates: Windows Components","Network Sharing: Prevent users from sharing files within their profile",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoInplaceSharing,,,,0,1,=,Medium
+19.7.41.1,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKCU:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium
+19.7.45.2.1,"Administrative Templates: Windows Components","Windows Media Player: Playback: Prevent Codec Download",Registry,,HKCU:\Software\Policies\Microsoft\WindowsMediaPlayer,PreventCodecDownload,,,,,1,=,Medium
+19.1.3.2,"Administrative Templates: Control Panel","Force specific screen saver: Screen saver executable name",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",SCRNSAVE.EXE,,,,,scrnsave.scr,=,Medium
diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_2004_machine.csv
similarity index 98%
rename from lists/finding_list_cis_microsoft_windows_10_enterprise_machine.csv
rename to lists/finding_list_cis_microsoft_windows_10_enterprise_2004_machine.csv
index 6a1cfa1..5633f31 100644
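Review bot: In the new `finding_list_cis_microsoft_windows_10_enterprise_1909_user.csv`, rows 19.7.4.1 and 19.7.4.2 appear to carry recommended values that the Attachment Manager policies never write. As far as I know `SaveZoneInformation` is 1 when zone information is dropped and 2 when it is preserved, and `ScanWithAntiVirus` is 3 when antivirus notification is on, so the `=` comparisons against `0` and `1` could not match a host configured through the policy; please confirm against the benchmark text. If that holds, the row tails should read `SaveZoneInformation,,,,,2,=,Medium` and `ScanWithAntiVirus,,,,,3,=,Medium`. Row 19.1.3.2 is also appended after 19.7.45.2.1, out of ID order, which makes the list harder to compare with the benchmark.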
--- a/lists/finding_list_cis_microsoft_windows_10_enterprise_machine.csv +++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_2004_machine.csv @@ -1,13 +1,13 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity 1.1.1,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,>=,Low -1.1.2,"Account Policies","Maximum password age",accountpolicy,,,,,,,42,60,<=,Low +1.1.2,"Account Policies","Maximum password age",accountpolicy,,,,,,,42,60,<=!0,Low 1.1.3,"Account Policies","Minimum password age",accountpolicy,,,,,,,0,1,>=,Low 1.1.4,"Account Policies","Minimum password length",accountpolicy,,,,,,,0,14,>=,Medium 1.1.5,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium 1.1.6,"Account Policies","Relax minimum password length limits",Registry,,HKLM:\System\CurrentControlSet\Control\SAM,RelaxMinimumPasswordLengthLimits,,,,0,1,=,Medium 1.1.7,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High 1.2.1,"Account Policies","Account lockout duration",accountpolicy,,,,,,,30,15,>=,Low -1.2.2,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,10,<=,Low +1.2.2,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,10,<=!0,Low 1.2.3,"Account Policies","Reset account lockout counter",accountpolicy,,,,,,,30,15,>=,Low 2.2.1,"User Rights Assignment","Access Credential Manager as a trusted caller",accesschk,SeTrustedCredManAccessPrivilege,,,,,,,,=,Medium 2.2.2,"User Rights Assignment","Access this computer from the network",accesschk,SeNetworkLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;Everyone","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium 
@@ -59,19 +59,19 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low 2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low 2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium -2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanManPrint Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium +2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium 2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium 2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium 2.3.6.3,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium 2.3.6.4,"Security Options","Domain member: Disable machine account password changes",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange,,,,0,0,=,Medium -2.3.6.5,"Security Options","Domain member: Maximum machine account password 
age",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,,,,30,30,<=,Medium +2.3.6.5,"Security Options","Domain member: Maximum machine account password age",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,,,,30,30,<=!0,Medium 2.3.6.6,"Security Options","Domain member: Require strong (Windows 2000 or later) session key",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,,,,1,1,=,Medium 2.3.7.1,"Security Options","Interactive logon: Do not require CTRL+ALT+DEL",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCAD,,,,1,0,=,Low 2.3.7.2,"Security Options","Interactive logon: Don't display last signed-in",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DontDisplayLastUserName,,,,0,1,=,Low -2.3.7.3,"Security Options","Interactive logon: Machine account lockout threshold",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,MaxDevicePasswordFailedAttempts,,,,10,10,<=,Medium -2.3.7.4,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,<=,Medium +2.3.7.3,"Security Options","Interactive logon: Machine account lockout threshold",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,MaxDevicePasswordFailedAttempts,,,,10,10,<=!0,Medium +2.3.7.4,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,<=!0,Medium 2.3.7.5,"Security Options","Interactive logon: Message text for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeText,,,,,,!=,Low -2.3.7.6,"Security Options","Interactive logon: Message text for users attempting to log 
on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeCaption,,,,,,!=,Low +2.3.7.6,"Security Options","Interactive logon: Message title for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeCaption,,,,,,!=,Low 2.3.7.7,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,CachedLogonsCount,,,,10,4,<=,Medium 2.3.7.8.1,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low 2.3.7.8.2,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low 
@@ -98,8 +98,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.10.12,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium
 2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium
 2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium
-2.3.11.3,"Security Options","Network Security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium
-2.3.11.4,"Security Options","Network Security: Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium
+2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium
+2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium
 2.3.11.5,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High
 2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low
 2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium
@@ -107,7 +107,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium
 2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium
 2.3.14.1,"Security Options","System cryptography: Force strong key protection for user keys stored on the computer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography,ForceKeyProtection,,,,,1,>=,Medium
-2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SessionManager\Kernel,ObCaseInsensitive,,,,,1,=,Medium
+2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium
 2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium
 2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium
 2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,0,2,=,Medium
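Review bot: Row 2.3.11.4 in the first hunk on this line (`@@ -98,8 +98,8 @@`) still compares the bitmask 2147483640 with `<=` after the rename. If the operator is a plain numeric comparison, any smaller SupportedEncryptionTypes value passes, including masks that enable only the DES or RC4 bits. Matching the recommended mask exactly closes that gap: `SupportedEncryptionTypes,,,,,2147483640,=,Medium`. If narrower AES-only masks should also pass, they would need explicit handling rather than a numeric range.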
@@ -302,9 +302,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.5.11.2,"Administrative Templates: Network","Network Connections: Prohibit installation and configuration of Network Bridge on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_AllowNetBridge_NLA,,,,0,0,=,Medium
 18.5.11.3,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium
 18.5.11.4,"Administrative Templates: Network","Network Connections: Require domain users to elevate when setting a network's location",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_StdDomainUserSetLocation,,,,0,1,=,Medium
-18.5.14.1.1,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1,RequireIntegrity=1",=,Medium
-18.5.14.1.2,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1,RequireIntegrity=1",=,Medium
-18.5.19.2,"Administrative Templates: Network","Disable IPv6",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters,DisabledComponents,,,,0,255,=,Medium
+18.5.14.1.1,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+18.5.14.1.2,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+18.5.19.2.1,"Administrative Templates: Network","Disable IPv6",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters,DisabledComponents,,,,0,255,=,Medium
 18.5.20.1.1,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (EnableRegistrars)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,EnableRegistrars,,,,1,0,=,Medium
 18.5.20.1.2,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableUPnPRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableUPnPRegistrar,,,,1,0,=,Medium
 18.5.20.1.3,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableInBand802DOT11Registrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableInBand802DOT11Registrar,,,,1,0,=,Medium
@@ -313,13 +313,13 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium
 18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium
 18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
-18.5.23.2,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
+18.5.23.2.1,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
 18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium
 18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium
 18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,"“AllowEncryptionOracle",,,,0,0,=,Medium
 18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
 18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
-18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,1,=,Medium
+18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium
 18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
 18.8.5.4,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,1,=,Medium
 18.8.5.5,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium
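Review bot: Row 18.8.4.1, a context line in this hunk, carries a stray left curly quote inside the RegistryItem field: `"“AllowEncryptionOracle"`. A lookup under that name cannot match the real `AllowEncryptionOracle` value, so the Encryption Oracle Remediation check would presumably never reflect the configured setting. The field should be the bare name, `...\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium`. The commit leaves this row untouched while correcting other registry names nearby.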
@@ -349,16 +349,16 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.8.22.1.9,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Search Companion content file updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\SearchCompanion,DisableContentFileUpdates,,,,0,1,=,Medium
 18.8.22.1.10,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Order Prints' picture task",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoOnlinePrintsWizard,,,,0,1,=,Medium
 18.8.22.1.11,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Publish to Web' task for files and folders",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoPublishingWizard,,,,0,1,=,Medium
-18.8.22.1.12,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\Messenger\Client,CEIP,,,,0,1,=,Medium
+18.8.22.1.12,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\Messenger\Client,CEIP,,,,0,2,=,Medium
 18.8.22.1.13,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\SQMClient\Windows,CEIPEnable,,,,1,0,=,Medium
 18.8.22.1.14.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 1",Registry,,HKLM:\Software\Policies\Microsoft\PCHealth\ErrorReporting,DoReport,,,,1,0,=,Medium
 18.8.22.1.14.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 2",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting",Disabled,,,,0,1,=,Medium
-18.8.25.1.1,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitBehavior)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitBehavior,,,,1,1,=,Medium
+18.8.25.1.1,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitBehavior)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitBehavior,,,,1,0,=,Medium
 18.8.25.1.2,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitEnabled)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitEnabled,,,,1,1,=,Medium
 18.8.26.1,"Administrative Templates: System","Kernel DMA Protection: Enumeration policy for external devices incompatible with Kernel DMA Protection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection",DeviceEnumerationPolicy,,,,2,0,=,Medium
 18.8.27.1,"Administrative Templates: System","Locale Services: Disallow copying of user input methods to the system account for sign-in",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International",BlockUserInputMethodsForSignIn,,,,0,1,=,Medium
 18.8.28.1,"Administrative Templates: System","Logon: Block user from showing account details on sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockUserFromShowingAccountDetailsOnSignin,,,,0,1,=,Medium
-18.8.28.2,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Low
+18.8.28.2,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Medium
 18.8.28.3,"Administrative Templates: System","Logon: Do not enumerate connected users on domain-joined computers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,DontEnumerateConnectedUsers,,,,0,1,=,Medium
 18.8.28.4,"Administrative Templates: System","Logon: Enumerate local users on domain-joined computers",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,EnumerateLocalUsers,,,,0,0,=,Medium
 18.8.28.5,"Administrative Templates: System","Logon: Turn off app notifications on the lock screen",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DisableLockScreenAppNotifications,,,,0,1,=,Medium
@@ -390,7 +390,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium 18.9.8.3,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium 18.9.10.1.1,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium -18.9.11.1.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Allow access to BitLocker-protected fixed data drives from earlier versions of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVDiscoveryVolumeType,,,,,,=,Medium +18.9.11.1.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Allow access to BitLocker-protected fixed data drives from earlier versions of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVDiscoveryVolumeType,,,,,,=,Medium 18.9.11.1.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecovery,,,,0,1,=,Medium 18.9.11.1.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVManageDRA,,,,1,1,=,Medium 18.9.11.1.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be 
recovered: Recovery Password",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecoveryPassword,,,,,2,=,Medium 
@@ -423,7 +423,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 18.9.11.2.15,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of passwords for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSPassphrase,,,,,0,=,Medium 18.9.11.2.16,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseAdvancedStartup,,,,0,1,=,Medium 18.9.11.2.17,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Allow BitLocker without a compatible TPM",Registry,,HKLM:\Software\Policies\Microsoft\FVE,EnableBDEWithNoTPM,,,,1,0,=,Medium -18.9.11.3.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Allow access to BitLocker-protected removable data drives from earlier versions of Windows",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDiscoveryVolumeType,,,,,,=,Medium +18.9.11.3.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Allow access to BitLocker-protected removable data drives from earlier versions of Windows",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDiscoveryVolumeType,,,,,,=,Medium 18.9.11.3.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecovery,,,,0,1,=,Medium 18.9.11.3.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVManageDRA,,,,,1,=,Medium 
18.9.11.3.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Recovery Password",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecoveryPassword,,,,,0,=,Medium 
@@ -468,7 +468,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.39.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium
 18.9.43.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium
 18.9.44.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium
-18.9.45.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsDefender\Spynet,LocalSettingOverrideSpynetReporting,,,,,0,=,Medium
+18.9.45.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium
 18.9.45.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=,Medium
 18.9.45.4.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium
 18.9.45.4.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium
@@ -494,7 +494,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.45.4.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium
 18.9.45.4.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium
 18.9.45.4.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium
-18.9.45.5.1,"Microsoft Defender Antivirus","MpEngine: Enable file hash computation feature",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine",FileHashComputation,,,,,1,=,Medium
+18.9.45.5.1,"Microsoft Defender Antivirus","MpEngine: Enable file hash computation feature",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine",EnableFileHashComputation,,,,,1,=,Medium
 18.9.45.8.1,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,,0,=,Medium
 18.9.45.10.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium
 18.9.45.11.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium
@@ -554,7 +554,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.80.2.2,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Medium
 18.9.82.1,"Administrative Templates: Windows Components","Windows Game Recording and Broadcasting: Enables or disables Windows Game Recording and Broadcasting",Registry,,HKLM:\Software\Policies\Microsoft\Windows\GameDVR,AllowGameDVR,,,,1,0,=,Medium
 18.9.84.1,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow suggested apps in Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowSuggestedAppsInWindowsInkWorkspace,,,,1,0,=,Medium
-18.9.84.2,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,0,=,Medium
+18.9.84.2,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,1,<=,Medium
 18.9.85.1,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium
 18.9.85.2,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium
 18.9.85.3,"Administrative Templates: Windows Components","Windows Installer: Prevent Internet Explorer security prompt for Windows Installer scripts",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,SafeForScripting,,,,1,0,=,Medium
@@ -580,4 +580,4 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium
 18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium
 18.9.102.4,"Administrative Templates: Windows Components","Windows Update: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium
-18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,SetDisablePauseUXAccess,,,,,1,>=,Medium
+18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium
diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_user.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_2004_user.csv
similarity index 98%
rename from lists/finding_list_cis_microsoft_windows_10_enterprise_user.csv
rename to lists/finding_list_cis_microsoft_windows_10_enterprise_2004_user.csv
index d0760a0..c7d66a7 100644
--- a/lists/finding_list_cis_microsoft_windows_10_enterprise_user.csv
+++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_2004_user.csv
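Review bot: Context rows 18.9.102.2 to 18.9.102.4 in the `@@ -580,4 +580,4 @@` hunk compare against 0 with `>=`, which every non-negative value satisfies if the operator is numeric. `NoAutoUpdate` set to 1, meaning automatic updates are off, would then be reported as passing, and the same holds for `ScheduledInstallDay` and `NoAutoRebootWithLoggedOnUsers`. These rows should pin the value with `=`, for example `NoAutoUpdate,,,,,0,=,Medium`. The changed row 18.9.102.5 uses `1,>=`, which would read more plainly as `1,=` assuming the value is only ever 0 or 1.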
@@ -1,7 +1,7 @@
 ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity
 19.1.3.1,"Administrative Templates: Control Panel","Enable screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveActive,,,,,1,=,Medium
 19.1.3.2,"Administrative Templates: Control Panel","Password protect the screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaverIsSecure,,,,,1,=,Medium
-19.1.3.3,"Administrative Templates: Control Panel","Screen saver timeout",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveTimeOut,,,,,900,<=,Medium
+19.1.3.3,"Administrative Templates: Control Panel","Screen saver timeout",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveTimeOut,,,,,900,<=!0,Medium
 19.5.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off toast notifications on the lock screen",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoToastApplicationNotificationOnLockScreen,,,,0,1,=,Medium
 19.6.6.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication Settings: Turn off Help Experience Improvement Program",Registry,,HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0,NoImplicitFeedback,,,,0,1,=,Medium
 19.7.4.1,"Administrative Templates: Windows Components","Attachment Manager: Do not preserve zone information in file attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,SaveZoneInformation,,,,,0,=,Medium
diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_2009_machine.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_2009_machine.csv
new file mode 100644
index 0000000..727b8c6
--- /dev/null
+++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_2009_machine.csv
@@ -0,0 +1,588 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +1.1.1,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,>=,Low +1.1.2,"Account Policies","Maximum password age",accountpolicy,,,,,,,42,60,<=!0,Low +1.1.3,"Account Policies","Minimum password age",accountpolicy,,,,,,,0,1,>=,Low +1.1.4,"Account Policies","Minimum password length",accountpolicy,,,,,,,0,14,>=,Medium +1.1.5,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium +1.1.6,"Account Policies","Relax minimum password length limits",Registry,,HKLM:\System\CurrentControlSet\Control\SAM,RelaxMinimumPasswordLengthLimits,,,,0,1,=,Medium +1.1.7,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High +1.2.1,"Account Policies","Account lockout duration",accountpolicy,,,,,,,30,15,>=,Low +1.2.2,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,10,<=!0,Low +1.2.3,"Account Policies","Reset account lockout counter",accountpolicy,,,,,,,30,15,>=,Low +2.2.1,"User Rights Assignment","Access Credential Manager as a trusted caller",accesschk,SeTrustedCredManAccessPrivilege,,,,,,,,=,Medium +2.2.2,"User Rights Assignment","Access this computer from the network",accesschk,SeNetworkLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;Everyone","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +2.2.3,"User Rights Assignment","Act as part of the operating system",accesschk,SeTcbPrivilege,,,,,,,,=,Medium +2.2.4,"User Rights Assignment","Adjust memory quotas for a process",accesschk,SeIncreaseQuotaPrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.5,"User 
Rights Assignment","Allow log on locally",accesschk,SeInteractiveLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;COMPUTERNAME\Guest",BUILTIN\Users;BUILTIN\Administrators,=,Medium +2.2.6,"User Rights Assignment","Allow log on through Remote Desktop Services",accesschk,SeRemoteInteractiveLogonRight,,,,,,"BUILTIN\Remote Desktop Users;BUILTIN\Administrators","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +2.2.7,"User Rights Assignment","Back up files and directories",accesschk,SeBackupPrivilege,,,,,,"BUILTIN\Administrators;BUILTIN\Backup Operators",BUILTIN\Administrators,=,Medium +2.2.8,"User Rights Assignment","Change the system time",accesschk,SeSystemTimePrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.9,"User Rights Assignment","Change the time zone",accesschk,SeTimeZonePrivilege,,,,,,"BUILTIN\Device Owners;BUILTIN\Users;BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Users;BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.10,"User Rights Assignment","Create a pagefile",accesschk,SeCreatePagefilePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.11,"User Rights Assignment","Create a token object",accesschk,SeCreateTokenPrivilege,,,,,,,,=,Medium +2.2.12,"User Rights Assignment","Create global objects",accesschk,SeCreateGlobalPrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.13,"User Rights Assignment","Create permanent shared objects",accesschk,SeCreatePermanentPrivilege,,,,,,,,=,Medium +2.2.14.1,"User Rights Assignment","Create symbolic links",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.14.2,"User Rights Assignment","Create symbolic links 
(Hyper-V)",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,S-1-5-83-0;BUILTIN\Administrators,S-1-5-83-0;BUILTIN\Administrators,=,Medium +2.2.15,"User Rights Assignment","Debug programs",accesschk,SeDebugPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.16,"User Rights Assignment","Deny access to this computer from the network",accesschk,SeDenyNetworkLogonRight,,,,,,COMPUTERNAME\Guest,"Guest;NT AUTHORITY\Local account",=,Medium +2.2.17,"User Rights Assignment","Deny log on as a batch job",accesschk,SeDenyBatchLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.18,"User Rights Assignment","Deny log on as a service",accesschk,SeDenyServiceLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.19,"User Rights Assignment","Deny log on locally",accesschk,SeDenyInteractiveLogonRight,,,,,,BUILTIN\Guests,BUILTIN\Guests,=,Medium +2.2.20,"User Rights Assignment","Deny log on through Remote Desktop Services",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,"BUILTIN\Guests;NT AUTHORITY\Local account",=,Medium +2.2.21,"User Rights Assignment","Enable computer and user accounts to be trusted for delegation",accesschk,SeEnableDelegationPrivilege,,,,,,,,=,Medium +2.2.22,"User Rights Assignment","Force shutdown from a remote system",accesschk,SeRemoteShutdownPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.23,"User Rights Assignment","Generate security audits",accesschk,SeAuditPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.24,"User Rights Assignment","Impersonate a client after authentication",accesschk,SeImpersonatePrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.25,"User Rights Assignment","Increase scheduling 
priority",accesschk,SeIncreaseBasePriorityPrivilege,,,,,,"Window Manager\Window Manager Group;BUILTIN\Administrators","Window Manager\Window Manager Group;BUILTIN\Administrators",=,Medium +2.2.26,"User Rights Assignment","Load and unload device drivers",accesschk,SeLoadDriverPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.27,"User Rights Assignment","Lock pages in memory",accesschk,SeLockMemoryPrivilege,,,,,,,,=,Medium +2.2.28,"User Rights Assignment","Log on as a batch job",accesschk,SeBatchLogonRight,,,,,,"BUILTIN\Performance Log Users;BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.29.1,"User Rights Assignment","Log on as a service",accesschk,SeServiceLogonRight,,,,,,"NT SERVICE\ALL SERVICES;NT AUTHORITY\NETWORK SERVICE",,=,Medium +2.2.29.2,"User Rights Assignment","Log on as a service (Hyper-V)",accesschk,SeServiceLogonRight,,,,,,"S-1-5-83-0;NT SERVICE\ALL SERVICES;NT AUTHORITY\NETWORK SERVICE",S-1-5-83-0,=,Medium +2.2.30,"User Rights Assignment","Manage auditing and security log",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.31,"User Rights Assignment","Modify an object label",accesschk,SeReLabelPrivilege,,,,,,,,=,Medium +2.2.32,"User Rights Assignment","Modify firmware environment values",accesschk,SeSystemEnvironmentPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.33,"User Rights Assignment","Perform volume maintenance tasks",accesschk,SeManageVolumePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.34,"User Rights Assignment","Profile single process",accesschk,SeProfileSingleProcessPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.35,"User Rights Assignment","Profile system performance",accesschk,SeSystemProfilePrivilege,,,,,,"NT SERVICE\WdiServiceHost;BUILTIN\Administrators","NT SERVICE\WdiServiceHost;BUILTIN\Administrators",=,Medium +2.2.36,"User Rights 
Assignment","Replace a process level token",accesschk,SeAssignPrimaryTokenPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.37,"User Rights Assignment","Restore files and directories",accesschk,SeRestorePrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.38,"User Rights Assignment","Shut down the system",accesschk,SeShutdownPrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators",BUILTIN\Users;BUILTIN\Administrators,=,Medium +2.2.39,"User Rights Assignment","Take ownership of files or other objects",accesschk,SeTakeOwnershipPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.3.1.1,"Security Options","Accounts: Administrator account status",localaccount,500,,,,,,False,False,=,Medium +2.3.1.2,"Security Options","Accounts: Block Microsoft accounts",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,NoConnectedUser,,,,0,3,=,Low +2.3.1.3,"Security Options","Accounts: Guest account status",localaccount,501,,,,,,False,False,=,Medium +2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium +2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low +2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low +2.3.4.1,"Security 
Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium +2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium +2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium +2.3.6.3,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium +2.3.6.4,"Security Options","Domain member: Disable machine account password changes",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange,,,,0,0,=,Medium +2.3.6.5,"Security Options","Domain member: Maximum machine account password age",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,,,,30,30,<=!0,Medium +2.3.6.6,"Security Options","Domain member: Require strong (Windows 2000 or later) session key",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,,,,1,1,=,Medium +2.3.7.1,"Security Options","Interactive logon: Do not require CTRL+ALT+DEL",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCAD,,,,1,0,=,Low +2.3.7.2,"Security Options","Interactive logon: Don't display last signed-in",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DontDisplayLastUserName,,,,0,1,=,Low +2.3.7.3,"Security Options","Interactive logon: Machine account 
lockout threshold",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,MaxDevicePasswordFailedAttempts,,,,10,10,<=!0,Medium +2.3.7.4,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,<=!0,Medium +2.3.7.5,"Security Options","Interactive logon: Message text for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeText,,,,,,!=,Low +2.3.7.6,"Security Options","Interactive logon: Message title for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeCaption,,,,,,!=,Low +2.3.7.7,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,CachedLogonsCount,,,,10,4,<=,Medium +2.3.7.8.1,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low +2.3.7.8.2,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low +2.3.7.9,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Low +2.3.8.1,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.8.2,"Security Options","Microsoft network client: Digitally sign communications (if server 
agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnableSecuritySignature,,,,1,1,=,Medium +2.3.8.3,"Security Options","Microsoft network client: Send unencrypted password to third-party SMB servers",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnablePlainTextPassword,,,,0,0,=,Medium +2.3.9.1,"Security Options","Microsoft network server: Amount of idle time required before suspending session",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,AutoDisconnect,,,,15,15,<=,Medium +2.3.9.2,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.9.3,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium +2.3.9.4,"Security Options","Microsoft network server: Disconnect clients when logon hours expire",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,enableforcedlogoff,,,,1,1,=,Medium +2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,,1,>=,Medium +2.3.10.1,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,Medium +2.3.10.2,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,Medium +2.3.10.3,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,Medium +2.3.10.4,"Security Options","Network 
access: Do not allow storage of passwords and credentials for network authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium +2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium +2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,NullSessionPipes,,,,,,=,Medium +2.3.10.7,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print 
Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.9,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium +2.3.10.10,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium +2.3.10.11,"Security Options","Network access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium +2.3.10.12,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium +2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium +2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium +2.3.11.4,"Security Options","Network security: Configure encryption types allowed for 
Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +2.3.11.5,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High +2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low +2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium +2.3.11.8,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium +2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium +2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium +2.3.14.1,"Security Options","System cryptography: Force strong key protection for user keys stored on the computer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography,ForceKeyProtection,,,,,1,>=,Medium +2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium +2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. 
Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium +2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium +2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,0,2,=,Medium +2.3.17.3,"Security Options","User Account Control: Behavior of the elevation prompt for standard users",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorUser,,,,0,0,=,Medium +2.3.17.4,"Security Options","User Account Control: Detect application installations and prompt for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableInstallerDetection,,,,1,1,=,Medium +2.3.17.5,"Security Options","User Account Control: Only elevate UIAccess applications that are installed in secure locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableSecureUIAPaths,,,,1,1,=,Medium +2.3.17.6,"Security Options","User Account Control: Run all administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,,,,1,1,=,Medium +2.3.17.7,"Security Options","User Account Control: Switch to the secure desktop when prompting for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,,,,1,1,=,Medium +2.3.17.8,"Security Options","User Account Control: Virtualize file and registry write failures to per-user locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableVirtualization,,,,1,1,=,Medium +5.1.1,"System Services","Bluetooth Audio Gateway Service 
(BTAGService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\BTAGService,Start,,,,3,4,=,Medium +5.1.2,"System Services","Bluetooth Audio Gateway Service (BTAGService) (Service Startup type)",service,BTAGService,,,,,,Manual,Disabled,=,Medium +5.2.1,"System Services","Bluetooth Support Service (bthserv)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\bthserv,Start,,,,3,4,=,Medium +5.2.2,"System Services","Bluetooth Support Service (bthserv) (Service Startup type)",service,bthserv,,,,,,Manual,Disabled,=,Medium +5.3.1,"System Services","Computer Browser (Browser)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Browser,Start,,,,,4,=,Medium +5.3.2,"System Services","Computer Browser (Browser) (Service Startup type)",service,Browser,,,,,,Manual,Disabled,=,Medium +5.4.1,"System Services","Downloaded Maps Manager (MapsBroker)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MapsBroker,Start,,,,2,4,=,Medium +5.4.2,"System Services","Downloaded Maps Manager (MapsBroker) (Service Startup type)",service,MapsBroker,,,,,,Automatic,Disabled,=,Medium +5.5.1,"System Services","Geolocation Service (lfsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\lfsvc,Start,,,,3,4,=,Medium +5.5.2,"System Services","Geolocation Service (lfsvc) (Service Startup type)",service,lfsvc,,,,,,Manual,Disabled,=,Medium +5.6.1,"System Services","IIS Admin Service (IISADMIN)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\IISADMIN,Start,,,,,4,=,Medium +5.6.2,"System Services","IIS Admin Service (IISADMIN) (Service Startup type)",service,IISADMIN,,,,,,"",Disabled,=,Medium +5.7.1,"System Services","Infrared monitor service (irmon)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\irmon,Start,,,,,4,=,Medium +5.7.2,"System Services","Infrared monitor service (irmon) (Service Startup type)",service,irmon,,,,,,,Disabled,=,Medium +5.8.1,"System Services","Internet Connection Sharing (ICS) (SharedAccess)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess,Start,,,,3,4,=,Medium 
+5.8.2,"System Services","Internet Connection Sharing (ICS) (SharedAccess) (Service Startup type)",service,SharedAccess,,,,,,Manual,Disabled,=,Medium +5.9.1,"System Services","Link-Layer Topology Discovery Mapper (lltdsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\lltdsvc,Start,,,,3,4,=,Medium +5.9.2,"System Services","Link-Layer Topology Discovery Mapper (lltdsvc) (Service Startup type)",service,lltdsvc,,,,,,Manual,Disabled,=,Medium +5.10.1,"System Services","LxssManager (LxssManager)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LxssManager,Start,,,,"",4,=,Medium +5.10.2,"System Services","LxssManager (LxssManager) (Service Startup type)",service,LxssManager,,,,,,,Disabled,=,Medium +5.11.1,"System Services","Microsoft FTP Service (FTPSVC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\FTPSVC,Start,,,,,4,=,Medium +5.11.2,"System Services","Microsoft FTP Service (FTPSVC) (Service Startup type)",service,FTPSVC,,,,,,"",Disabled,=,Medium +5.12.1,"System Services","Microsoft iSCSI Initiator Service (MSiSCSI)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MSiSCSI,Start,,,,3,4,=,Medium +5.12.2,"System Services","Microsoft iSCSI Initiator Service (MsiSCSI) (Service Startup type)",service,MsiSCSI,,,,,,Manual,Disabled,=,Medium +5.13.1,"System Services","OpenSSH SSH Server (sshd)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\sshd,Start,,,,,4,=,Medium +5.13.2,"System Services","OpenSSH SSH Server (sshd) (Service Startup type)",service,sshd,,,,,,,Disabled,=,Medium +5.14.1,"System Services","Peer Name Resolution Protocol (PNRPsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PNRPsvc,Start,,,,3,4,=,Medium +5.14.2,"System Services","Peer Name Resolution Protocol (PNRPsvc) (Service Startup type)",service,PNRPsvc,,,,,,Manual,Disabled,=,Medium +5.15.1,"System Services","Peer Networking Grouping (p2psvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\p2psvc,Start,,,,3,4,=,Medium +5.15.2,"System Services","Peer Networking Grouping (p2psvc) (Service 
Startup type)",service,p2psvc,,,,,,Manual,Disabled,=,Medium +5.16.1,"System Services","Peer Networking Identity Manager (p2pimsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\p2pimsvc,Start,,,,3,4,=,Medium +5.16.2,"System Services","Peer Networking Identity Manager (p2pimsvc) (Service Startup type)",service,p2pimsvc,,,,,,Manual,Disabled,=,Medium +5.17.1,"System Services","PNRP Machine Name Publication Service (PNRPAutoReg)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PNRPAutoReg,Start,,,,3,4,=,Medium +5.17.2,"System Services","PNRP Machine Name Publication Service (PNRPAutoReg) (Service Startup type)",service,PNRPAutoReg,,,,,,Manual,Disabled,=,Medium +5.18.1,"System Services","Problem Reports and Solutions Control Panel Support (wercplsupport)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\wercplsupport,Start,,,,3,4,=,Medium +5.18.2,"System Services","Problem Reports and Solutions Control Panel Support (wercplsupport) (Service Startup type)",service,wercplsupport,,,,,,Manual,Disabled,=,Medium +5.19.1,"System Services","Remote Access Auto Connection Manager (RasAuto)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasAuto,Start,,,,3,4,=,Medium +5.19.2,"System Services","Remote Access Auto Connection Manager (RasAuto) (Service Startup type)",service,RasAuto,,,,,,Manual,Disabled,=,Medium +5.20.1,"System Services","Remote Desktop Configuration (SessionEnv)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SessionEnv,Start,,,,3,4,=,Medium +5.20.2,"System Services","Remote Desktop Configuration (SessionEnv) (Service Startup type)",service,SessionEnv,,,,,,Manual,Disabled,=,Medium +5.21.1,"System Services","Remote Desktop Services (TermService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TermService,Start,,,,3,4,=,Medium +5.21.2,"System Services","Remote Desktop Services (TermService) (Service Startup type)",service,TermService,,,,,,Manual,Disabled,=,Medium +5.22.1,"System Services","Remote Desktop Services UserMode Port Redirector 
(UmRdpService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\UmRdpService,Start,,,,3,4,=,Medium +5.22.1,"System Services","Remote Desktop Services UserMode Port Redirector (UmRdpService) (Service Startup type)",service,UmRdpService,,,,,,Manual,Disabled,=,Medium +5.23.1,"System Services","Remote Procedure Call (RPC) Locator (RpcLocator)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RpcLocator,Start,,,,3,4,=,Medium +5.23.2,"System Services","Remote Procedure Call (RPC) Locator (RpcLocator) (Service Startup type)",service,RpcLocator,,,,,,Manual,Disabled,=,Medium +5.24.1,"System Services","Remote Registry (RemoteRegistry)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RemoteRegistry,Start,,,,4,4,=,Medium +5.24.2,"System Services","Remote Registry (RemoteRegistry) (Service Startup type)",service,RemoteRegistry,,,,,,Disabled,Disabled,=,Medium +5.25.1,"System Services","Routing and Remote Access (RemoteAccess)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess,Start,,,,4,4,=,Medium +5.25.2,"System Services","Routing and Remote Access (RemoteAccess) (Service Startup type)",service,RemoteAccess,,,,,,Disabled,Disabled,=,Medium +5.26.1,"System Services","Server (LanmanServer)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer,Start,,,,2,4,=,Medium +5.26.2,"System Services","Server (LanmanServer) (Service Startup type)",service,LanmanServer,,,,,,Automatic,Disabled,=,Medium +5.27.1,"System Services","Simple TCP/IP Services (simptcp)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\simptcp,Start,,,,,4,=,Medium +5.27.2,"System Services","Simple TCP/IP Services (simptcp) (Service Startup type)",service,simptcp,,,,,,"",Disabled,=,Medium +5.28.1,"System Services","SNMP Service (SNMP)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SNMP,Start,,,,,4,=,Medium +5.28.2,"System Services","SNMP Service (SNMP) (Service Startup type)",service,SNMP,,,,,,"",Disabled,=,Medium +5.29.1,"System Services","Special Administration Console Helper 
(sacsvr)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\sacsvr,Start,,,,,4,=,Medium +5.29.2,"System Services","Special Administration Console Helper (sacsvr) (Service Startup type)",service,sacsvr,,,,,,,Disabled,=,Medium +5.30.1,"System Services","SSDP Discovery (SSDPSRV)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\SSDPSRV,Start,,,,3,4,=,Medium +5.30.2,"System Services","SSDP Discovery (SSDPSRV) (Service Startup type)",service,SSDPSRV,,,,,,Manual,Disabled,=,Medium +5.31.1,"System Services","UPnP Device Host (upnphost)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\upnphost,Start,,,,3,4,=,Medium +5.31.2,"System Services","UPnP Device Host (upnphost) (Service Startup type)",service,upnphost,,,,,,Manual,Disabled,=,Medium +5.32.1,"System Services","Web Management Service (WMSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WMSvc,Start,,,,,4,=,Medium +5.32.2,"System Services","Web Management Service (WMSvc) (Service Startup type)",service,WMSvc,,,,,,"",Disabled,=,Medium +5.33.1,"System Services","Windows Error Reporting Service (WerSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WerSvc,Start,,,,3,4,=,Medium +5.33.2,"System Services","Windows Error Reporting Service (WerSvc) (Service Startup type)",service,WerSvc,,,,,,Manual,Disabled,=,Medium +5.34.1,"System Services","Windows Event Collector (Wecsvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Wecsvc,Start,,,,3,4,=,Medium +5.34.2,"System Services","Windows Event Collector (Wecsvc) (Service Startup type)",service,Wecsvc,,,,,,Manual,Disabled,=,Medium +5.35.1,"System Services","Windows Media Player Network Sharing Service (WMPNetworkSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WMPNetworkSvc,Start,,,,3,4,=,Medium +5.35.2,"System Services","Windows Media Player Network Sharing Service (WMPNetworkSvc) (Service Startup type)",service,WMPNetworkSvc,,,,,,Manual,Disabled,=,Medium +5.36.1,"System Services","Windows Mobile Hotspot Service 
(icssvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\icssvc,Start,,,,3,4,=,Medium
+5.36.2,"System Services","Windows Mobile Hotspot Service (icssvc) (Service Startup type)",service,icssvc,,,,,,Manual,Disabled,=,Medium
+5.37.1,"System Services","Windows Push Notifications System Service (WpnService)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WpnService,Start,,,,2,4,=,Medium
+5.37.2,"System Services","Windows Push Notifications System Service (WpnService) (Service Startup type)",service,WpnService,,,,,,Automatic,Disabled,=,Medium
+5.38.1,"System Services","Windows PushToInstall Service (PushToInstall)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\PushToInstall,Start,,,,3,4,=,Medium
+5.38.2,"System Services","Windows PushToInstall Service (PushToInstall) (Service Startup type)",service,PushToInstall,,,,,,Manual,Disabled,=,Medium
+5.39.1,"System Services","Windows Remote Management (WS-Management) (WinRM)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\WinRM,Start,,,,3,4,=,Medium
+5.39.2,"System Services","Windows Remote Management (WS-Management) (WinRM) (Service Startup type)",service,WinRM,,,,,,Manual,Disabled,=,Medium
+5.40.1,"System Services","World Wide Web Publishing Service (W3SVC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\W3SVC,Start,,,,,4,=,Medium
+5.40.1,"System Services","World Wide Web Publishing Service (W3SVC) (Service Startup type)",service,W3SVC,,,,,,,Disabled,=,Medium
+5.41.1,"System Services","Xbox Accessory Management Service (XboxGipSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxGipSvc,Start,,,,3,4,=,Medium
+5.41.2,"System Services","Xbox Accessory Management Service (XboxGipSvc) (Service Startup type)",service,XboxGipSvc,,,,,,Manual,Disabled,=,Medium
+5.42.1,"System Services","Xbox Live Auth Manager (XblAuthManager)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XblAuthManager,Start,,,,3,4,=,Medium
+5.42.2,"System Services","Xbox Live Auth Manager (XblAuthManager) (Service Startup
type)",service,XblAuthManager,,,,,,Manual,Disabled,=,Medium
+5.43.1,"System Services","Xbox Live Game Save (XblGameSave)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XblGameSave,Start,,,,3,4,=,Medium
+5.43.2,"System Services","Xbox Live Game Save (XblGameSave) (Service Startup type)",service,XblGameSave,,,,,,Manual,Disabled,=,Medium
+5.44.1,"System Services","Xbox Live Networking Service (XboxNetApiSvc)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\XboxNetApiSvc,Start,,,,3,4,=,Medium
+5.44.2,"System Services","Xbox Live Networking Service (XboxNetApiSvc) (Service Startup type)",service,XboxNetApiSvc,,,,,,Manual,Disabled,=,Medium
+9.1.1,"Windows Firewall","EnableFirewall (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,,,,0,1,=,Medium
+9.1.2,"Windows Firewall","Inbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,,,,1,1,=,Medium
+9.1.3,"Windows Firewall","Outbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,,,,0,0,=,Medium
+9.1.4,"Windows Firewall","Display a notification (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DisableNotifications,,,,0,1,=,Low
+9.1.5,"Windows Firewall","Name of log file (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\domainfw.log,=,Low
+9.1.6,"Windows Firewall","Log size limit (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium
+9.1.7,"Windows Firewall","Log dropped packets (Domain Profile,
Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium
+9.1.8,"Windows Firewall","Log successful connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+9.2.1,"Windows Firewall","EnableFirewall (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,,,,0,1,=,Medium
+9.2.2,"Windows Firewall","Inbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultInboundAction,,,,1,1,=,Medium
+9.2.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium
+9.2.4,"Windows Firewall","Display a notification (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DisableNotifications,,,,0,1,=,Low
+9.2.5,"Windows Firewall","Name of log file (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\privatefw.log,=,Low
+9.2.6,"Windows Firewall","Log size limit (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium
+9.2.7,"Windows Firewall","Log dropped packets (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium
+9.2.8,"Windows Firewall","Log successful connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+9.3.1,"Windows Firewall","EnableFirewall (Public Profile,
Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,,,,0,1,=,Medium
+9.3.2,"Windows Firewall","Inbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium
+9.3.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium
+9.3.4,"Windows Firewall","Display a notification (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,,,,0,1,=,Low
+9.3.5,"Windows Firewall","Apply local firewall rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalPolicyMerge,,,,0,0,=,Low
+9.3.6,"Windows Firewall","Apply local connection security rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalIPsecPolicyMerge,,,,0,0,=,Low
+9.3.7,"Windows Firewall","Name of log file (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\publicfw.log,=,Low
+9.3.8,"Windows Firewall","Log size limit (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium
+9.3.9,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium
+9.3.10,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+17.1.1,"Advanced Audit Policy Configuration","Credential
Validation",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.2.1,"Advanced Audit Policy Configuration","Application Group Management",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.2.2,"Advanced Audit Policy Configuration","Security Group Management",auditpol,,,,,,,Success,Success,contains,Low
+17.2.3,"Advanced Audit Policy Configuration","User Account Management",auditpol,,,,,,,Success,"Success and Failure",=,Low
+17.3.1,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.3.2,"Advanced Audit Policy Configuration","Process Creation",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.5.1,"Advanced Audit Policy Configuration","Account Lockout",auditpol,,,,,,,Success,Failure,contains,Low
+17.5.2,"Advanced Audit Policy Configuration","Group Membership",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.5.3,"Advanced Audit Policy Configuration",Logoff,auditpol,,,,,,,Success,Success,contains,Low
+17.5.4,"Advanced Audit Policy Configuration",Logon,auditpol,,,,,,,"Success and Failure","Success and Failure",=,Low
+17.5.5,"Advanced Audit Policy Configuration","Other Logon/Logoff Events",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.5.6,"Advanced Audit Policy Configuration","Special Logon",auditpol,,,,,,,Success,Success,contains,Low
+17.6.1,"Advanced Audit Policy Configuration","Detailed File Share",auditpol,,,,,,,"No Auditing",Failure,contains,Low
+17.6.2,"Advanced Audit Policy Configuration","File Share",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.6.3,"Advanced Audit Policy Configuration","Other Object Access Events",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.6.4,"Advanced Audit Policy Configuration","Removable Storage",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.7.1,"Advanced Audit Policy Configuration","Audit Policy Change",auditpol,,,,,,,Success,Success,contains,Low
+17.7.2,"Advanced Audit Policy
Configuration","Authentication Policy Change",auditpol,,,,,,,Success,Success,contains,Low
+17.7.3,"Advanced Audit Policy Configuration","Authorization Policy Change",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.7.4,"Advanced Audit Policy Configuration","MPSSVC Rule-Level Policy Change",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.7.5,"Advanced Audit Policy Configuration","Other Policy Change Events",auditpol,,,,,,,"No Auditing",Failure,contains,Low
+17.8.1,"Advanced Audit Policy Configuration","Sensitive Privilege Use",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.9.1,"Advanced Audit Policy Configuration","IPsec Driver",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low
+17.9.2,"Advanced Audit Policy Configuration","Other System Events",auditpol,,,,,,,"Success and Failure","Success and Failure",=,Low
+17.9.3,"Advanced Audit Policy Configuration","Security State Change",auditpol,,,,,,,Success,Success,contains,Low
+17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,,,,,,,"No Auditing",Success,contains,Low
+17.9.5,"Advanced Audit Policy Configuration","System Integrity",auditpol,,,,,,,"Success and Failure","Success and Failure",=,Low
+18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low
+18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low
+18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium
+18.1.3,"Administrative Templates: Control Panel","Allow Online
Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium
+18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE",Registry,,HKLM:\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA},DllName,,,,,"C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll",=,Medium
+18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium
+18.2.3,"Administrative Templates: LAPS","Enable local admin password management",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium
+18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium
+18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium
+18.2.6,"Administrative Templates: LAPS","Password Settings: Password Age (Days)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium
+18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium
+18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
+18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
+18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session
Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium
+18.3.5,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium
+18.3.6,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,,0,=,High
+18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium
+18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
+18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
+18.4.4,"MSS (Legacy)","MSS: (DisableSavePassword) Prevent the dial-up password from being saved",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters,DisableSavePassword,,,,,1,=,Medium
+18.4.5,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium
+18.4.6,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium
+18.4.7,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
+18.4.8,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses
(could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium
+18.4.9,"MSS (Legacy)","Enable Safe DLL search mode",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium
+18.4.10,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium
+18.4.11,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium
+18.4.12,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium
+18.4.13,"MSS (Legacy)","MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security,WarningLevel,,,,0,90,<=,Medium
+18.5.4.1,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium
+18.5.5.1,"Administrative Templates: Network","Fonts: Enable Font Providers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableFontProviders,,,,1,0,=,Medium
+18.5.8.1,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
+18.5.9.1.1,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver
(AllowLLTDIOOndomain)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOndomain,,,,0,0,=,Medium
+18.5.9.1.2,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOnPublicNet,,,,0,0,=,Medium
+18.5.9.1.3,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (EnableLLTDIO)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableLLTDIO,,,,0,0,=,Medium
+18.5.9.1.4,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (ProhibitLLTDIOOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitLLTDIOOnPrivateNet,,,,0,0,=,Medium
+18.5.9.2.1,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnDomain)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD,AllowRspndrOnDomain,,,,0,0,=,Medium
+18.5.9.2.2,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowRspndrOnPublicNet,,,,0,0,=,Medium
+18.5.9.2.3,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (EnableRspndr)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableRspndr,,,,0,0,=,Medium
+18.5.9.2.4,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (ProhibitRspndrOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitRspndrOnPrivateNet,,,,0,0,=,Medium
+18.5.10.2,"Administrative Templates: Network","Turn off Microsoft Peer-to-Peer Networking Services",Registry,,HKLM:\Software\policies\Microsoft\Peernet,Disabled,,,,0,1,=,Medium
+18.5.11.2,"Administrative Templates: Network","Network Connections: Prohibit installation and configuration of Network Bridge on your DNS domain
network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_AllowNetBridge_NLA,,,,0,0,=,Medium
+18.5.11.3,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium
+18.5.11.4,"Administrative Templates: Network","Network Connections: Require domain users to elevate when setting a network's location",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_StdDomainUserSetLocation,,,,0,1,=,Medium
+18.5.14.1.1,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+18.5.14.1.2,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+18.5.19.2.1,"Administrative Templates: Network","Disable IPv6",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters,DisabledComponents,,,,0,255,=,Medium
+18.5.20.1.1,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (EnableRegistrars)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,EnableRegistrars,,,,1,0,=,Medium
+18.5.20.1.2,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableUPnPRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableUPnPRegistrar,,,,1,0,=,Medium
+18.5.20.1.3,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now
(DisableInBand802DOT11Registrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableInBand802DOT11Registrar,,,,1,0,=,Medium
+18.5.20.1.4,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableFlashConfigRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableFlashConfigRegistrar,,,,1,0,=,Medium
+18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium
+18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium
+18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium
+18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
+18.5.23.2.1,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
+18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium
+18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium
+18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,"“AllowEncryptionOracle",,,,0,0,=,Medium
+18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
+18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium
+18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
+18.8.5.4,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,1,=,Medium
+18.8.5.5,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium
+18.8.5.6,"Administrative Templates: System","Device Guard: Secure Launch Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,,,,0,1,=,Medium
+18.8.7.1.1,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices that match an ID",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDs,,,,0,1,=,Medium
+18.8.7.1.2,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices that match ID PCI\CC_0C0A (Thunderbolt)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs,PCI\CC_0C0A,,,,0,PCI\CC_0C0A,=,Medium
+18.8.7.1.3,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices that match an ID (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceIDsRetroactive,,,,0,1,=,Medium
+18.8.7.1.4,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClasses,,,,0,1,=,Medium
+18.8.7.1.5.1,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices using drivers that match d48179be-ec20-11d1-b6b8-00c04fa372a7 (SBP-2 drive)",RegistryList,,HKLM:\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,d48179be-ec20-11d1-b6b8-00c04fa372a7,,,,0,d48179be-ec20-11d1-b6b8-00c04fa372a7,=,Medium
+18.8.7.1.5.2,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 7ebefbc0-3200-11d2-b4c2-00a0C9697d07 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,,,,0,7ebefbc0-3200-11d2-b4c2-00a0C9697d07,=,Medium
+18.8.7.1.5.3,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent
installation of devices using drivers that match c06ff265-ae09-48f0-812c-16753d7cba83 (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,c06ff265-ae09-48f0-812c-16753d7cba83,,,,0,c06ff265-ae09-48f0-812c-16753d7cba83,=,Medium
+18.8.7.1.5.4,"Administrative Templates: System","Device Installation: Device Installation Restrictions: Prevent installation of devices using drivers that match 6bdd1fc1-810f-11d0-bec7-08002be2092f (SBP-2 drive)",RegistryList,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses,6bdd1fc1-810f-11d0-bec7-08002be2092f,,,,0,6bdd1fc1-810f-11d0-bec7-08002be2092f,=,Medium
+18.8.7.1.6,"Administrative Templates: System","Device Installation Restrictions: Prevent installation of devices using drivers that match an device setup class (Retroactive)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions,DenyDeviceClassesRetroactive,,,,0,1,=,Medium
+18.8.14.1,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium
+18.8.21.2,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Medium
+18.8.21.3,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Medium
+18.8.21.4,"Administrative Templates: System","Group Policy: Continue experiences on this device",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableCdp,,,,1,0,=,Medium
+18.8.21.5,"Administrative Templates: System","Group Policy: Turn off background refresh of Group
Policy",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableBkGndGroupPolicy,,,,0,0,=,Medium
+18.8.22.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off access to the Store",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoUseStoreOpenWith,,,,0,1,=,Medium
+18.8.22.1.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off downloading of print drivers over HTTP",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",DisableWebPnPDownload,,,,0,1,=,Medium
+18.8.22.1.3,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting personalization data sharing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC,PreventHandwritingDataSharing,,,,0,1,=,Medium
+18.8.22.1.4,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting recognition error reporting",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports,PreventHandwritingErrorReports,,,,0,1,=,Medium
+18.8.22.1.5,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard",ExitOnMSICW,,,,0,1,=,Medium
+18.8.22.1.6,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoWebServices,,,,0,1,=,Medium
+18.8.22.1.7,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off printing over
HTTP",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers",DisableHTTPPrinting,,,,0,1,=,Medium
+18.8.22.1.8,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Registration if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control",NoRegistration,,,,0,1,=,Medium
+18.8.22.1.9,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Search Companion content file updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\SearchCompanion,DisableContentFileUpdates,,,,0,1,=,Medium
+18.8.22.1.10,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Order Prints' picture task",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoOnlinePrintsWizard,,,,0,1,=,Medium
+18.8.22.1.11,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Publish to Web' task for files and folders",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoPublishingWizard,,,,0,1,=,Medium
+18.8.22.1.12,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\Messenger\Client,CEIP,,,,0,2,=,Medium
+18.8.22.1.13,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\SQMClient\Windows,CEIPEnable,,,,1,0,=,Medium
+18.8.22.1.14.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting
1",Registry,,HKLM:\Software\Policies\Microsoft\PCHealth\ErrorReporting,DoReport,,,,1,0,=,Medium +18.8.22.1.14.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 2",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting",Disabled,,,,0,1,=,Medium +18.8.25.1.1,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitBehavior)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitBehavior,,,,1,0,=,Medium +18.8.25.1.2,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitEnabled)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitEnabled,,,,1,1,=,Medium +18.8.26.1,"Administrative Templates: System","Kernel DMA Protection: Enumeration policy for external devices incompatible with Kernel DMA Protection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection",DeviceEnumerationPolicy,,,,2,0,=,Medium +18.8.27.1,"Administrative Templates: System","Locale Services: Disallow copying of user input methods to the system account for sign-in",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International",BlockUserInputMethodsForSignIn,,,,0,1,=,Medium +18.8.28.1,"Administrative Templates: System","Logon: Block user from showing account details on sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockUserFromShowingAccountDetailsOnSignin,,,,0,1,=,Medium +18.8.28.2,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Medium +18.8.28.3,"Administrative Templates: System","Logon: Do not enumerate connected users on domain-joined 
computers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,DontEnumerateConnectedUsers,,,,0,1,=,Medium +18.8.28.4,"Administrative Templates: System","Logon: Enumerate local users on domain-joined computers",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,EnumerateLocalUsers,,,,0,0,=,Medium +18.8.28.5,"Administrative Templates: System","Logon: Turn off app notifications on the lock screen",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DisableLockScreenAppNotifications,,,,0,1,=,Medium +18.8.28.6,"Administrative Templates: System","Logon: Turn off picture password sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockDomainPicturePassword,,,,0,1,=,Medium +18.8.28.7,"Administrative Templates: System","Logon: Turn on convenience PIN sign-in",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,AllowDomainPINLogon,,,,1,0,=,Medium +18.8.31.1,"Administrative Templates: System","OS Policies: Allow Clipboard synchronization across devices",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,AllowCrossDeviceClipboard,,,,1,0,=,Medium +18.8.31.2,"Administrative Templates: System","OS Policies: Allow upload of User Activities",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,UploadUserActivities,,,,1,0,=,Medium +18.8.34.6.1,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (on battery)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,DCSettingIndex,,,,1,0,=,Medium +18.8.34.6.2,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (plugged in)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,ACSettingIndex,,,,1,0,=,Medium +18.8.34.6.3,"Administrative Templates: System","Sleep Settings: Allow standby states (S1-S3) when sleeping (on 
battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,DCSettingIndex,,,,1,0,=,Medium +18.8.34.6.4,"Administrative Templates: System","Sleep Settings: Allow standby states (S1-S3) when sleeping (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab,ACSettingIndex,,,,1,0,=,Medium +18.8.34.6.5,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,DCSettingIndex,,,,0,1,=,Medium +18.8.34.6.6,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex,,,,0,1,=,Medium +18.8.36.1,"Administrative Templates: System","Remote Assistance: Configure Offer Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowUnsolicited,,,,1,0,=,Medium +18.8.36.2,"Administrative Templates: System","Remote Assistance: Configure Solicited Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowToGetHelp,,,,1,0,=,Medium +18.8.37.1,"Administrative Templates: System","Remote Procedure Call: Enable RPC Endpoint Mapper Client Authentication",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",EnableAuthEpResolution,,,,0,1,=,Medium +18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium +18.8.47.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support 
provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium +18.8.47.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium +18.8.49.1,"Administrative Templates: System","User Profiles: Turn of the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium +18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium +18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium +18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium +18.9.4.2,"Administrative Templates: Windows Components","App Package Deployment: Prevent non-admin users from installing packaged Windows apps",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx,BlockNonAdminUserInstall,,,,0,1,=,Medium +18.9.5.1,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium +18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium +18.9.6.2,"Administrative Templates: Windows Components","App 
runtime: Block launching Universal Windows apps with Windows Runtime API access from hosted content",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,BlockHostedAppAccessWinRT,,,,0,1,=,Medium +18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium +18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium +18.9.8.3,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium +18.9.10.1.1,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium +18.9.11.1.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Allow access to BitLocker-protected fixed data drives from earlier versions of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVDiscoveryVolumeType,,,,,,=,Medium +18.9.11.1.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecovery,,,,0,1,=,Medium +18.9.11.1.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVManageDRA,,,,1,1,=,Medium +18.9.11.1.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data 
Drives: Choose how BitLocker-protected fixed drives can be recovered: Recovery Password",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecoveryPassword,,,,,2,=,Medium +18.9.11.1.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Recovery Key",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRecoveryKey,,,,,2,=,Medium +18.9.11.1.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVHideRecoveryPage,,,,,1,=,Medium +18.9.11.1.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.1.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVActiveDirectoryInfoToStore,,,,,1,=,Medium +18.9.11.1.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRequireActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.1.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of hardware-based encryption for fixed data 
drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVHardwareEncryption,,,,,1,=,Medium +18.9.11.1.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of hardware-based encryption for fixed data drives: Use BitLocker software-based encryption when hardware encryption is not available",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVAllowSoftwareEncryptionFailover,,,,1,1,=,Medium +18.9.11.1.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of hardware-based encryption for fixed data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVRestrictHardwareEncryptionAlgorithms,,,,0,0,=,Medium +18.9.11.1.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of hardware-based encryption for fixed data drives: Restrict crypto algorithms or cipher suites",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVAllowedHardwareEncryptionAlgorithms,,,,,2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42,=,Medium +18.9.11.1.14,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of passwords for fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVPassphrase,,,,0,0,=,Medium +18.9.11.1.15,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of smart cards on fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVAllowUserCert,,,,,1,=,Medium +18.9.11.1.16,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Fixed Data Drives: Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\FVE,FDVEnforceUserCert,,,,0,1,=,Medium +18.9.11.2.1,"Administrative Templates: 
Windows Components","BitLocker Drive Encryption: Operating System Drives: Allow enhanced PINs for startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseEnhancedPin,,,,0,1,=,Medium +18.9.11.2.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Allow Secure Boot for integrity validation",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowSecureBootForIntegrity,,,,0,1,=,Medium +18.9.11.2.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecovery,,,,0,1,=,Medium +18.9.11.2.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSManageDRA,,,,1,0,=,Medium +18.9.11.2.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Recovery Password",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecoveryPassword,,,,,1,=,Medium +18.9.11.2.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Recovery Key",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRecoveryKey,,,,1,0,=,Medium +18.9.11.2.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSHideRecoveryPage,,,,0,1,=,Medium +18.9.11.2.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: 
Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSActiveDirectoryBackup,,,,0,1,=,Medium +18.9.11.2.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSActiveDirectoryInfoToStore,,,,0,1,=,Medium +18.9.11.2.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRequireActiveDirectoryBackup,,,,0,1,=,Medium +18.9.11.2.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of hardware-based encryption for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSHardwareEncryption,,,,0,1,=,Medium +18.9.11.2.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Use BitLocker software-based encryption when hardware encryption is not available",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowSoftwareEncryptionFailover,,,,0,1,=,Medium +18.9.11.2.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of hardware-based encryption for operating system drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSRestrictHardwareEncryptionAlgorithms,,,,0,0,=,Medium +18.9.11.2.14,"Administrative Templates: Windows Components","BitLocker Drive Encryption: 
Operating System Drives: Configure use of hardware-based encryption for operating system drives: Restrict crypto algorithms or cipher suites",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSAllowedHardwareEncryptionAlgorithms,,,,,2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42,=,Medium +18.9.11.2.15,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure use of passwords for operating system drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,OSPassphrase,,,,,0,=,Medium +18.9.11.2.16,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseAdvancedStartup,,,,0,1,=,Medium +18.9.11.2.17,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Allow BitLocker without a compatible TPM",Registry,,HKLM:\Software\Policies\Microsoft\FVE,EnableBDEWithNoTPM,,,,1,0,=,Medium +18.9.11.3.1,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Allow access to BitLocker-protected removable data drives from earlier versions of Windows",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDiscoveryVolumeType,,,,,,=,Medium +18.9.11.3.2,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecovery,,,,0,1,=,Medium +18.9.11.3.3,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVManageDRA,,,,,1,=,Medium +18.9.11.3.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data 
Drives: Choose how BitLocker-protected removable drives can be recovered: Recovery Password",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecoveryPassword,,,,,0,=,Medium +18.9.11.3.5,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Recovery Key",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRecoveryKey,,,,,0,=,Medium +18.9.11.3.6,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVHideRecoveryPage,,,,,1,=,Medium +18.9.11.3.7,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.3.8,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVActiveDirectoryInfoToStore,,,,,1,=,Medium +18.9.11.3.9,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Choose how BitLocker-protected removable drives can be recovered: Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRequireActiveDirectoryBackup,,,,,0,=,Medium +18.9.11.3.10,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of 
hardware-based encryption for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVHardwareEncryption,,,,,1,=,Medium +18.9.11.3.11,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of hardware-based encryption for removable data drives: Use BitLocker software-based encryption when hardware encryption is not available",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVAllowSoftwareEncryptionFailover,,,,,1,=,Medium +18.9.11.3.12,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of hardware-based encryption for removable data drives: Restrict encryption algorithms and cipher suites allowed for hardware-based encryption",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVRestrictHardwareEncryptionAlgorithms,,,,,0,=,Medium +18.9.11.3.13,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of hardware-based encryption for removable data drives: Restrict crypto algorithms or cipher suites",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVAllowedHardwareEncryptionAlgorithms,,,,,2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42,=,Medium +18.9.11.3.14,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of passwords for removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVPassphrase,,,,,0,=,Medium +18.9.11.3.15,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of smart cards on removable data drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVAllowUserCert,,,,,1,=,Medium +18.9.11.3.16,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Configure use of smart cards on removable data drives: Require use of smart cards on removable data 
drives",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVEnforceUserCert,,,,,1,=,Medium +18.9.11.3.17,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Deny write access to removable drives not protected by BitLocker",Registry,,HKLM:\System\CurrentControlSet\Policies\Microsoft\FVE,RDVDenyWriteAccess,,,,,1,=,Medium +18.9.11.3.18,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Removable Data Drives: Do not allow write access to devices configured in another organization",Registry,,HKLM:\Software\Policies\Microsoft\FVE,RDVDenyCrossOrg,,,,,0,=,Medium +18.9.11.4,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Disable new DMA devices when this computer is locked",Registry,,HKLM:\Software\Policies\Microsoft\FVE,DisableExternalDMAUnderLock,,,,0,1,=,Medium +18.9.12.1,"Administrative Templates: Windows Components","Camera: Allow Use of Camera",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Camera,AllowCamera,,,,1,0,=,Medium +18.9.13.1,"Administrative Templates: Windows Components","Cloud Content: Turn off cloud optimized content",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableCloudOptimizedContent,,,,0,1,=,Medium +18.9.13.2,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium +18.9.14.1,"Administrative Templates: Windows Components","Connect: Require pin for pairing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect,RequirePinForPairing,,,,0,1,>=,Medium +18.9.15.1,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium +18.9.15.2,"Administrative Templates: Windows Components","Credential User Interface: Enumerate 
administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium +18.9.15.3,"Administrative Templates: Windows Components","Credential User Interface: Prevent the use of security questions for local accounts",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,NoLocalPasswordResetQuestions,,,,0,1,=,Medium +18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium +18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium +18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium +18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium +18.9.17.1,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,3,2,=,Medium +18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium +18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size 
(KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium +18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium +18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium +18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium +18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium +18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium 
+18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium
+18.9.35.1,"Administrative Templates: Windows Components","HomeGroup: Prevent the computer from joining a homegroup",Registry,,HKLM:\Software\Policies\Microsoft\Windows\HomeGroup,DisableHomeGroup,,,,0,1,=,Medium
+18.9.39.1,"Administrative Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium
+18.9.43.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium
+18.9.44.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium
+18.9.45.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium
+18.9.45.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=,Medium
+18.9.45.4.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium
+18.9.45.4.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium
+18.9.45.4.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium
+18.9.45.4.1.2.2.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium
+18.9.45.4.1.2.2.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium
+18.9.45.4.1.2.3.1,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium
+18.9.45.4.1.2.3.2,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium
+18.9.45.4.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium
+18.9.45.4.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium
+18.9.45.4.1.2.5.1,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium
+18.9.45.4.1.2.5.2,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium
+18.9.45.4.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium
+18.9.45.4.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium
+18.9.45.4.1.2.7.1,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium
+18.9.45.4.1.2.7.2,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium
+18.9.45.4.1.2.8.1,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium
+18.9.45.4.1.2.8.2,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium
+18.9.45.4.1.2.9.1,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium
+18.9.45.4.1.2.9.2,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium
+18.9.45.4.1.2.10.1,"Microsoft Defender Exploit Guard","ASR: Impede JavaScript and VBScript to launch executables (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium
+18.9.45.4.1.2.10.2,"Microsoft Defender Exploit Guard","ASR: Impede JavaScript and VBScript to launch executables",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium
+18.9.45.4.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium
+18.9.45.4.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium
+18.9.45.4.1.2.12.1,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium
+18.9.45.4.1.2.12.1,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription",MpPreferenceAsr,e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,,,0,1,=,Medium
+18.9.45.4.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium
+18.9.45.5.1,"Microsoft Defender Antivirus","MpEngine: Enable file hash computation feature",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine",EnableFileHashComputation,,,,,1,=,Medium
+18.9.45.8.1,"Microsoft Defender Antivirus","Real-time Protection: Scan all downloaded files and attachments",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableIOAVProtection,,,,0,0,=,Medium
+18.9.45.8.2,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium
+18.9.45.8.3,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,,0,=,Medium
+18.9.45.10.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium
+18.9.45.11.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium
+18.9.45.11.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium
+18.9.45.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium
+18.9.45.15,"Microsoft Defender Antivirus","Turn off Windows Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium
+18.9.46.1,"Microsoft Defender Application Guard","Allow auditing events in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AuditApplicationGuard,,,,,1,=,Medium
+18.9.46.2,"Microsoft Defender Application Guard","Allow camera and microphone access in Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowCameraMicrophoneRedirection,,,,,0,=,Medium
+18.9.46.3,"Microsoft Defender Application Guard","Allow data persistence for Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowPersistence,,,,,0,=,Medium
+18.9.46.4,"Microsoft Defender Application Guard","Allow files to download and save to the host operating system from Microsoft Defender Application Guard",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,SaveFilesToHost,,,,,0,=,Medium
+18.9.46.5,"Microsoft Defender Application Guard","Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AppHVSIClipboardSettings,,,,,1,=,Medium
+18.9.46.6,"Microsoft Defender Application Guard","Turn on Microsoft Defender Application Guard in Managed Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI,AllowAppHVSI_ProviderSet,,,,,1,=,Medium
+18.9.48.1,"Microsoft Edge","Allow Address bar drop-down list suggestions",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\ServiceUI,ShowOneBox,,,,1,0,=,Medium
+18.9.48.2,"Microsoft Edge","Allow Adobe Flash",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Addons,FlashPlayerEnabled,,,,1,0,=,Medium
+18.9.48.3,"Microsoft Edge","Allow InPrivate Browsing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main,AllowInPrivate,,,,1,0,=,Medium
+18.9.48.4,"Microsoft Edge","Allow Sideloading of extension",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Extensions,AllowSideloadingOfExtensions,,,,1,0,=,Medium
+18.9.48.5,"Microsoft Edge","Configure cookies",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main,Cookies,,,,2,1,=,Medium
+18.9.48.6,"Microsoft Edge","Configure Password Manager",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,"FormSuggest Passwords",,,,,no,=,Medium
+18.9.48.7,"Microsoft Edge","Configure Pop-up Blocker",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,AllowPopups,,,,,yes,=,Medium
+18.9.48.8,"Microsoft Edge","Configure search suggestions in Address bar",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\SearchScopes,ShowSearchSuggestionsGlobal,,,,,0,=,Medium
+18.9.48.9,"Microsoft Edge","Configure the Adobe Flash Click-to-Run setting",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Security,FlashClickToRunMode,,,,,1,=,Medium
+18.9.48.10,"Microsoft Edge","Prevent access to the about:flags page in Microsoft Edge",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,PreventAccessToAboutFlagsInMicrosoftEdge,,,,,1,=,Medium
+18.9.48.11,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for files",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverrideAppRepUnknown,,,,,1,=,Medium
+18.9.48.12,"Microsoft Edge","Prevent certificate error overrides",Registry,,"HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings",PreventCertErrorOverrides,,,,,1,=,Medium
+18.9.48.13,"Microsoft Edge","Prevent using Localhost IP address for WebRTC",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,HideLocalHostIP,,,,,1,=,Medium
+18.9.55.1,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium
+18.9.61.1,"Administrative Templates: Windows Components","Push To Install: Turn off Push To Install service",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\PushToInstall,DisablePushToInstall,,,,,1,=,Medium
+18.9.62.2.2,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium
+18.9.62.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Allow users to connect remotely by using Remote Desktop Services",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDenyTSConnections,,,,0,1,=,Medium
+18.9.62.3.3.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow COM port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCcm,,,,0,1,=,Medium
+18.9.62.3.3.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium
+18.9.62.3.3.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow LPT port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLPT,,,,0,1,=,Medium
+18.9.62.3.3.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow supported Plug and Play device redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisablePNPRedir,,,,0,1,=,Medium
+18.9.62.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium
+18.9.62.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium
+18.9.62.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium
+18.9.62.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium
+18.9.62.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium
+18.9.62.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,,900000,<=!0,Medium
+18.9.62.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium
+18.9.62.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium
+18.9.63.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
+18.9.64.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium
+18.9.64.3,"Administrative Templates: Windows Components","Search: Allow Cortana",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortana,,,,1,0,=,Medium
+18.9.64.4,"Administrative Templates: Windows Components","Search: Allow Cortana above lock screen",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCortanaAboveLock,,,,1,0,=,Medium
+18.9.64.5,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
+18.9.64.6,"Administrative Templates: Windows Components","Search: Allow search and Cortana to use location",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowSearchToUseLocation,,,,1,0,=,Medium
+18.9.69.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium
+18.9.72.1,"Administrative Templates: Windows Components","Store: Disable all apps from Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableStoreApps,,,,,1,=,Medium
+18.9.72.2,"Administrative Templates: Windows Components","Store: Only display the private store within the Microsoft Store",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RequirePrivateStoreOnly,,,,,1,=,Medium
+18.9.72.3,"Administrative Templates: Windows Components","Store: Turn off Automatic Download and Install of updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,AutoDownload,,,,,4,=,Medium
+18.9.72.4,"Administrative Templates: Windows Components","Store: Turn off the offer to update to the latest version of Windows",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,DisableOSUpgrade,,,,,1,=,Medium
+18.9.72.5,"Administrative Templates: Windows Components","Store: Turn off the Store application",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore,RemoveWindowsStore,,,,,1,=,Medium
+18.9.80.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium
+18.9.80.1.1.2,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium
+18.9.80.2.1,"Microsoft Edge","Configure Windows Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9,,,,,1,=,Medium
+18.9.80.2.2,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Medium
+18.9.82.1,"Administrative Templates: Windows Components","Windows Game Recording and Broadcasting: Enables or disables Windows Game Recording and Broadcasting",Registry,,HKLM:\Software\Policies\Microsoft\Windows\GameDVR,AllowGameDVR,,,,1,0,=,Medium
+18.9.84.1,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow suggested apps in Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowSuggestedAppsInWindowsInkWorkspace,,,,1,0,=,Medium
+18.9.84.2,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,1,<=,Medium
+18.9.85.1,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium
+18.9.85.2,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium
+18.9.85.3,"Administrative Templates: Windows Components","Windows Installer: Prevent Internet Explorer security prompt for Windows Installer scripts",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,SafeForScripting,,,,1,0,=,Medium
+18.9.86.1,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium
+18.9.95.1,PowerShell,"Turn on PowerShell Script Block Logging",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockLogging,,,,0,0,=,Medium
+18.9.95.2,PowerShell,"Turn on PowerShell Transcription",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription,EnableTranscripting,,,,0,0,=,Medium
+18.9.97.1.1,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,Medium
+18.9.97.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium
+18.9.97.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium
+18.9.97.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium
+18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium
+18.9.97.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium
+18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium
+18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium
+18.9.99.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium
+18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium
+18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium
+18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium
+18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium
+18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium
+18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium
+18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium
+18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium
+18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium
+18.9.102.4,"Administrative Templates: Windows Components","Windows Update: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium
+18.9.102.5,"Administrative Templates: Windows Components","Windows Update: Remove access to 'Pause updates' feature",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,SetDisablePauseUXAccess,,,,,1,>=,Medium
diff --git a/lists/finding_list_cis_microsoft_windows_10_enterprise_2009_user.csv b/lists/finding_list_cis_microsoft_windows_10_enterprise_2009_user.csv
new file mode 100644
index 0000000..c9cf635
--- /dev/null
+++ b/lists/finding_list_cis_microsoft_windows_10_enterprise_2009_user.csv 
@@ -0,0 +1,15 @@
+ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity
+19.1.3.1,"Administrative Templates: Control Panel","Enable screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveActive,,,,,1,=,Medium
+19.1.3.2,"Administrative Templates: Control Panel","Password protect the screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaverIsSecure,,,,,1,=,Medium
+19.1.3.3,"Administrative Templates: Control Panel","Screen saver timeout",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveTimeOut,,,,,900,<=!0,Medium
+19.5.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off toast notifications on the lock screen",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoToastApplicationNotificationOnLockScreen,,,,0,1,=,Medium
+19.6.6.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication Settings: Turn off Help Experience Improvement Program",Registry,,HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0,NoImplicitFeedback,,,,0,1,=,Medium
+19.7.4.1,"Administrative Templates: Windows Components","Attachment Manager: Do not preserve zone information in file attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,SaveZoneInformation,,,,,0,=,Medium
+19.7.4.2,"Administrative Templates: Windows Components","Attachment Manager: Notify antivirus programs when opening attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,ScanWithAntiVirus,,,,,1,=,Medium
+19.7.8.1,"Administrative Templates: Windows Components","Cloud Content: Configure Windows spotlight on lock screen",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,ConfigureWindowsSpotlight,,,,,0,=,Medium
+19.7.8.2,"Administrative Templates: Windows Components","Cloud Content: Do not suggest third-party content in Windows spotlight",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableThirdPartySuggestions,,,,0,1,=,Medium
+19.7.8.3,"Administrative Templates: Windows Components","Cloud Content: Do not use diagnostic data for tailored experiences",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableTailoredExperiencesWithDiagnosticData,,,,0,1,=,Medium
+19.7.8.4,"Administrative Templates: Windows Components","Cloud Content: Turn off all Windows spotlight features",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsSpotlightFeatures,,,,0,1,=,Medium
+19.7.28.1,"Administrative Templates: Windows Components","Network Sharing: Prevent users from sharing files within their profile",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoInplaceSharing,,,,0,1,=,Medium
+19.7.43.1,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKCU:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium
+19.7.47.2.1,"Administrative Templates: Windows Components","Windows Media Player: Playback: Prevent Codec Download",Registry,,HKCU:\Software\Policies\Microsoft\WindowsMediaPlayer,PreventCodecDownload,,,,,1,=,Medium
diff --git a/lists/finding_list_cis_microsoft_windows_server_2019_machine.csv b/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.1.0_machine.csv
similarity index 97%
rename from lists/finding_list_cis_microsoft_windows_server_2019_machine.csv
rename to lists/finding_list_cis_microsoft_windows_server_2019_1809_1.1.0_machine.csv
index 7ae38ed..85147d3 100644
--- a/lists/finding_list_cis_microsoft_windows_server_2019_machine.csv
+++ b/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.1.0_machine.csv
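Review bot: In the new `finding_list_cis_microsoft_windows_10_enterprise_2009_user.csv`, rows 19.7.4.1 and 19.7.4.2 compare against values that, as far as I know, the Attachment Manager policies never write. `SaveZoneInformation` is stored as 1 (do not preserve) or 2 (preserve), and `ScanWithAntiVirus` as 1 (off), 2 (optional) or 3 (on). With the `=` operator both a hardened profile and one that strips zone information (Mark-of-the-Web) would be reported as failing, so the finding carries no signal. If the benchmark text confirms it, the row tails should read `SaveZoneInformation,,,,,2,=,Medium` and `ScanWithAntiVirus,,,,,3,=,Medium`. Row 19.7.8.1 (`ConfigureWindowsSpotlight` expected `0`) is worth checking against the benchmark for the same reason.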
@@ -1,12 +1,12 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity 1.1.1,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,>=,Low -1.1.2,"Account Policies","Maximum password age",accountpolicy,,,,,,,42,60,<=,Low +1.1.2,"Account Policies","Maximum password age",accountpolicy,,,,,,,42,60,<=!0,Low 1.1.3,"Account Policies","Minimum password age",accountpolicy,,,,,,,0,1,>=,Low 1.1.4,"Account Policies","Minimum password length",accountpolicy,,,,,,,0,14,>=,Medium 1.1.5,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium 1.1.6,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High 1.2.1,"Account Policies","Account lockout duration",accountpolicy,,,,,,,30,15,>=,Low -1.2.2,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,10,<=,Low +1.2.2,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,10,<=!0,Low 1.2.3,"Account Policies","Reset account lockout counter",accountpolicy,,,,,,,30,15,>=,Low 2.2.1,"User Rights Assignment","Access Credential Manager as a trusted caller",accesschk,SeTrustedCredManAccessPrivilege,,,,,,,,=,Medium 2.2.2,"User Rights Assignment","Access this computer from the network (DC)",accesschk,SeNetworkLogonRight,,,,,,"NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS;BUILTIN\Pre-Windows 2000 Compatible Access;BUILTIN\Administrators;NT AUTHORITY\Authenticated Users;Everyone","NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS;BUILTIN\Administrators;NT AUTHORITY\Authenticated Users",=,Medium 
@@ -67,7 +67,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names 2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low 2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low 2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium -2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanManPrint Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium +2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium 2.3.5.1,"Security Options","Domain controller: Allow server operators to schedule tasks (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,SubmitControl,,,,,0,=,Medium 2.3.5.2,"Security Options","Domain controller: LDAP server signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LDAPServerIntegrity,,,,1,2,=,Medium 2.3.5.3,"Security Options","Domain controller: Refuse machine account password changes (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,RefusePasswordChange,,,,1,0,=,Medium 
@@ -75,13 +75,13 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium
 2.3.6.3,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium
 2.3.6.4,"Security Options","Domain member: Disable machine account password changes",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange,,,,0,0,=,Medium
-2.3.6.5,"Security Options","Domain member: Maximum machine account password age",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,,,,30,30,<=,Medium
+2.3.6.5,"Security Options","Domain member: Maximum machine account password age",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,,,,30,30,<=!0,Medium
 2.3.6.6,"Security Options","Domain member: Require strong (Windows 2000 or later) session key",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,,,,1,1,=,Medium
 2.3.7.1,"Security Options","Interactive logon: Do not require CTRL+ALT+DEL",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCAD,,,,1,0,=,Low
 2.3.7.2,"Security Options","Interactive logon: Don't display last signed-in",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DontDisplayLastUserName,,,,0,1,=,Low
-2.3.7.3,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,<=,Medium
+2.3.7.3,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,<=!0,Medium
 2.3.7.4,"Security Options","Interactive logon: Message text for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeText,,,,,,!=,Low
-2.3.7.5,"Security Options","Interactive logon: Message text for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeCaption,,,,,,!=,Low
+2.3.7.5,"Security Options","Interactive logon: Message title for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeCaption,,,,,,!=,Low
 2.3.7.6,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,CachedLogonsCount,,,,10,4,<=,Medium
 2.3.7.7.1,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low
 2.3.7.7.2,"Security Options","Interactive logon: Prompt user to change password before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low
@@ -110,8 +110,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.10.13,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium
 2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium
 2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium
-2.3.11.3,"Security Options","Network Security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium
-2.3.11.4,"Security Options","Network Security: Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium
+2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium
+2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium
 2.3.11.5,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High
 2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low
 2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium
@@ -119,7 +119,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium
 2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium
 2.3.13.1,"Security Options","Shutdown: Allow system to be shut down without having to log on",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,ShutdownWithoutLogon,,,,1,0,=,Medium
-2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SessionManager\Kernel,ObCaseInsensitive,,,,,1,=,Medium
+2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium
 2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium
 2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium
 2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,0,2,=,Medium
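Review bot: Row 2.3.11.4 in the `@@ -110,8 +110,8 @@` hunk keeps the `<=` operator for `SupportedEncryptionTypes`, which is a bit mask, so a numeric comparison does not express the recommendation. 2147483640 is the sum of the AES128, AES256 and future-encryption-types bits; any smaller number, including masks that enable only DES or RC4, also satisfies `<=` and would be reported as compliant. An exact match fits the benchmark value better: `SupportedEncryptionTypes,,,,,2147483640,=,Medium`.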
@@ -203,7 +203,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
 18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
 18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium
-18.3.5,"MS Security Guide","Extended Protection for LDAP Authentication (DC)",Registry,,HKLM:\\SYSTEM\CurrentControlSet\Services\NTDS\Parameters,LdapEnforceChannelBinding,,,,,2,=,Medium
+18.3.5,"MS Security Guide","Extended Protection for LDAP Authentication (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters,LdapEnforceChannelBinding,,,,,2,=,Medium
 18.3.6,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium
 18.3.7,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,,0,=,High
 18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium
@@ -233,9 +233,9 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.5.11.2,"Administrative Templates: Network","Network Connections: Prohibit installation and configuration of Network Bridge on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_AllowNetBridge_NLA,,,,0,0,=,Medium
 18.5.11.3,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium
 18.5.11.4,"Administrative Templates: Network","Network Connections: Require domain users to elevate when setting a network's location",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_StdDomainUserSetLocation,,,,0,1,=,Medium
-18.5.14.1.1,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1,RequireIntegrity=1",=,Medium
-18.5.14.1.2,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1,RequireIntegrity=1",=,Medium
-18.5.19.2,"Administrative Templates: Network","Disable IPv6",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters,DisabledComponents,,,,0,255,=,Medium
+18.5.14.1.1,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+18.5.14.1.2,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+18.5.19.2.1,"Administrative Templates: Network","Disable IPv6",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters,DisabledComponents,,,,0,255,=,Medium
 18.5.20.1.1,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (EnableRegistrars)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,EnableRegistrars,,,,1,0,=,Medium
 18.5.20.1.2,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableUPnPRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableUPnPRegistrar,,,,1,0,=,Medium
 18.5.20.1.3,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableInBand802DOT11Registrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableInBand802DOT11Registrar,,,,1,0,=,Medium
@@ -249,7 +249,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,"“AllowEncryptionOracle",,,,0,0,=,Medium
 18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
 18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
-18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,1,=,Medium
+18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium
 18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
 18.8.5.4,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,1,=,Medium
 18.8.5.5,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Member)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium
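Review bot: The context row 18.8.4.1 in this hunk has `"“AllowEncryptionOracle"` as its RegistryItem, with a typographic opening quote inside the field. A lookup for that name will not find the CredSSP value, so the row cannot report the real Encryption Oracle Remediation setting. Because DefaultValue and RecommendedValue are both 0, it may even pass if the checker falls back to the default for a missing value (that fallback is not visible here). The row should end `\CredSSP\Parameters,AllowEncryptionOracle,,,,0,0,=,Medium`.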
@@ -270,16 +270,16 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.8.22.1.8,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Search Companion content file updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\SearchCompanion,DisableContentFileUpdates,,,,0,1,=,Medium
 18.8.22.1.9,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Order Prints' picture task",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoOnlinePrintsWizard,,,,0,1,=,Medium
 18.8.22.1.10,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Publish to Web' task for files and folders",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoPublishingWizard,,,,0,1,=,Medium
-18.8.22.1.11,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\Messenger\Client,CEIP,,,,0,1,=,Medium
+18.8.22.1.11,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\Messenger\Client,CEIP,,,,0,2,=,Medium
 18.8.22.1.12,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\SQMClient\Windows,CEIPEnable,,,,1,0,=,Medium
 18.8.22.1.13.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 1",Registry,,HKLM:\Software\Policies\Microsoft\PCHealth\ErrorReporting,DoReport,,,,1,0,=,Medium
 18.8.22.1.13.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 2",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting",Disabled,,,,0,1,=,Medium
-18.8.25.1.1,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitBehavior)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitBehavior,,,,1,1,=,Medium
+18.8.25.1.1,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitBehavior)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitBehavior,,,,1,0,=,Medium
 18.8.25.1.2,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitEnabled)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitEnabled,,,,1,1,=,Medium
 18.8.26.1,"Administrative Templates: System","Kernel DMA Protection: Enumeration policy for external devices incompatible with Kernel DMA Protection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection",DeviceEnumerationPolicy,,,,2,0,=,Medium
 18.8.27.1,"Administrative Templates: System","Locale Services: Disallow copying of user input methods to the system account for sign-in",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International",BlockUserInputMethodsForSignIn,,,,0,1,=,Medium
 18.8.28.1,"Administrative Templates: System","Logon: Block user from showing account details on sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockUserFromShowingAccountDetailsOnSignin,,,,0,1,=,Medium
-18.8.28.2,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Low
+18.8.28.2,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Medium
 18.8.28.3,"Administrative Templates: System","Logon: Do not enumerate connected users on domain-joined computers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,DontEnumerateConnectedUsers,,,,0,1,=,Medium
 18.8.28.4,"Administrative Templates: System","Logon: Enumerate local users on domain-joined computers (Member)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,EnumerateLocalUsers,,,,0,0,=,Medium
 18.8.28.5,"Administrative Templates: System","Logon: Turn off app notifications on the lock screen",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DisableLockScreenAppNotifications,,,,0,1,=,Medium
@@ -344,12 +344,12 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.59.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,,900000,<=,Medium
 18.9.59.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium
 18.9.59.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium
-18.9.59.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,0,=,Medium
+18.9.59.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,1,=,Medium
 18.9.60.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
 18.9.61.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium
 18.9.61.3,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
 18.9.66.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium
-18.9.77.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsDefender\Spynet,LocalSettingOverrideSpynetReporting,,,,,0,=,Medium
+18.9.77.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium
 18.9.77.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=,Medium
 18.9.77.7.1,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,,0,=,Medium
 18.9.77.9.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium
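Review bot: Row 18.9.59.3.10.1 (`MaxIdleTime`, a context line of this hunk) still compares with plain `<=` against 900000, so a value of 0 passes. For this policy 0 appears to be the "Never" choice, meaning no idle limit at all, which is the opposite of the recommendation. The same commit already moves comparable rows such as 2.3.7.3 `InactivityTimeoutSecs` to `<=!0`, so the row should end `MaxIdleTime,,,,,900000,<=!0,Medium`.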
@@ -384,7 +384,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 18.9.80.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium
 18.9.80.1.1.2,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium
 18.9.84.1,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow suggested apps in Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowSuggestedAppsInWindowsInkWorkspace,,,,1,0,=,Medium
-18.9.84.2,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,0,=,Medium
+18.9.84.2,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,1,<=,Medium
 18.9.85.1,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium
 18.9.85.2,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium
 18.9.85.3,"Administrative Templates: Windows Components","Windows Installer: Prevent Internet Explorer security prompt for Windows Installer scripts",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,SafeForScripting,,,,1,0,=,Medium
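Review bot: Row 18.9.84.2 now accepts `AllowWindowsInkWorkspace` values 0 and 1 through `<=`, but its DefaultValue column still says 1. Windows documents 2 (allowed, including above the lock screen) as the behaviour when the policy is not set, so if the checker substitutes DefaultValue for a missing registry value (not visible here), an unconfigured host would be reported as compliant. The row should end `AllowWindowsInkWorkspace,,,,2,1,<=,Medium`.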
diff --git a/lists/finding_list_cis_microsoft_windows_server_2019_user.csv b/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.1.0_user.csv
similarity index 100%
rename from lists/finding_list_cis_microsoft_windows_server_2019_user.csv
rename to lists/finding_list_cis_microsoft_windows_server_2019_1809_1.1.0_user.csv
diff --git a/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.0_machine.csv b/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.0_machine.csv
new file mode 100644
index 0000000..5637a44
--- /dev/null
+++ b/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.0_machine.csv
@@ -0,0 +1,419 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +1.1.1,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,>=,Low +1.1.2,"Account Policies","Maximum password age",accountpolicy,,,,,,,42,60,<=!0,Low +1.1.3,"Account Policies","Minimum password age",accountpolicy,,,,,,,0,1,>=,Low +1.1.4,"Account Policies","Minimum password length",accountpolicy,,,,,,,0,14,>=,Medium +1.1.5,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium +1.1.6,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High +1.2.1,"Account Policies","Account lockout duration",accountpolicy,,,,,,,30,15,>=,Low +1.2.2,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,10,<=!0,Low +1.2.3,"Account Policies","Reset account lockout counter",accountpolicy,,,,,,,30,15,>=,Low +2.2.1,"User Rights Assignment","Access Credential Manager as a trusted caller",accesschk,SeTrustedCredManAccessPrivilege,,,,,,,,=,Medium +2.2.2,"User Rights Assignment","Access this computer from the network (DC)",accesschk,SeNetworkLogonRight,,,,,,"NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS;BUILTIN\Pre-Windows 2000 Compatible Access;BUILTIN\Administrators;NT AUTHORITY\Authenticated Users;Everyone","NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS;BUILTIN\Administrators;NT AUTHORITY\Authenticated Users",=,Medium +2.2.3,"User Rights Assignment","Access this computer from the network (Member)",accesschk,SeNetworkLogonRight,,,,,,"BUILTIN\Pre-Windows 2000 Compatible Access;BUILTIN\Administrators;NT AUTHORITY\Authenticated Users;Everyone","BUILTIN\Administrators;NT AUTHORITY\Authenticated Users",=,Medium +2.2.4,"User Rights Assignment","Act as part of the operating system",accesschk,SeTcbPrivilege,,,,,,,,=,Medium +2.2.5,"User Rights Assignment","Add 
workstations to domain (DC)",accesschk,SeMachineAccountPrivilege,,,,,,"NT AUTHORITY\Authenticated Users",BUILTIN\Administrators,=,Medium +2.2.6,"User Rights Assignment","Adjust memory quotas for a process",accesschk,SeIncreaseQuotaPrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.7,"User Rights Assignment","Allow log on locally",accesschk,SeInteractiveLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;COMPUTERNAME\Guest",BUILTIN\Administrators,=,Medium +2.2.8,"User Rights Assignment","Allow log on through Remote Desktop Services (DC)",accesschk,SeRemoteInteractiveLogonRight,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.9,"User Rights Assignment","Allow log on through Remote Desktop Services (Member)",accesschk,SeRemoteInteractiveLogonRight,,,,,,"BUILTIN\Remote Desktop Users;BUILTIN\Administrators","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +2.2.10,"User Rights Assignment","Back up files and directories",accesschk,SeBackupPrivilege,,,,,,"BUILTIN\Administrators;BUILTIN\Backup Operators",BUILTIN\Administrators,=,Medium +2.2.11,"User Rights Assignment","Change the system time",accesschk,SeSystemTimePrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.12,"User Rights Assignment","Change the time zone",accesschk,SeTimeZonePrivilege,,,,,,"BUILTIN\Device Owners;BUILTIN\Users;BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.13,"User Rights Assignment","Create a pagefile",accesschk,SeCreatePagefilePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.14,"User Rights Assignment","Create a token object",accesschk,SeCreateTokenPrivilege,,,,,,,,=,Medium +2.2.15,"User Rights Assignment","Create global 
objects",accesschk,SeCreateGlobalPrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.16,"User Rights Assignment","Create permanent shared objects",accesschk,SeCreatePermanentPrivilege,,,,,,,,=,Medium +2.2.17,"User Rights Assignment","Create symbolic links (DC)",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.18.1,"User Rights Assignment","Create symbolic links (Member)",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.18.2,"User Rights Assignment","Create symbolic links (Member, Hyper-V)",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,S-1-5-83-0;BUILTIN\Administrators,S-1-5-83-0;BUILTIN\Administrators,=,Medium +2.2.19,"User Rights Assignment","Debug programs",accesschk,SeDebugPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.20,"User Rights Assignment","Deny access to this computer from the network (DC)",accesschk,SeDenyNetworkLogonRight,,,,,,BUILTIN\Guests,BUILTIN\Guests,=,Medium +2.2.21,"User Rights Assignment","Deny access to this computer from the network (Member)",accesschk,SeDenyNetworkLogonRight,,,,,,BUILTIN\Guests,"BUILTIN\Guests;NT AUTHORITY\Local account and member of Administrators group",=,Medium +2.2.22,"User Rights Assignment","Deny log on as a batch job",accesschk,SeDenyBatchLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.23,"User Rights Assignment","Deny log on as a service",accesschk,SeDenyServiceLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.24,"User Rights Assignment","Deny log on locally",accesschk,SeDenyInteractiveLogonRight,,,,,,BUILTIN\Guests,BUILTIN\Guests,=,Medium +2.2.25,"User Rights Assignment","Deny log on through Remote Desktop Services (DC)",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,BUILTIN\Guests,=,Medium +2.2.26,"User 
Rights Assignment","Deny log on through Remote Desktop Services (Member)",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,"BUILTIN\Guests;NT AUTHORITY\Local account",=,Medium +2.2.27,"User Rights Assignment","Enable computer and user accounts to be trusted for delegation (DC)",accesschk,SeEnableDelegationPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.28,"User Rights Assignment","Enable computer and user accounts to be trusted for delegation (Member)",accesschk,SeEnableDelegationPrivilege,,,,,,,,=,Medium +2.2.29,"User Rights Assignment","Force shutdown from a remote system",accesschk,SeRemoteShutdownPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.30,"User Rights Assignment","Generate security audits",accesschk,SeAuditPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.31,"User Rights Assignment","Impersonate a client after authentication (DC)",accesschk,SeImpersonatePrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.32,"User Rights Assignment","Impersonate a client after authentication (Member)",accesschk,SeImpersonatePrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.33,"User Rights Assignment","Increase scheduling priority",accesschk,SeIncreaseBasePriorityPrivilege,,,,,,"Window Manager\Window Manager Group;BUILTIN\Administrators","Window Manager\Window Manager Group;BUILTIN\Administrators",=,Medium +2.2.34,"User Rights Assignment","Load and unload device drivers",accesschk,SeLoadDriverPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium 
+2.2.35,"User Rights Assignment","Lock pages in memory",accesschk,SeLockMemoryPrivilege,,,,,,,,=,Medium +2.2.36,"User Rights Assignment","Log on as a batch job (DC)",accesschk,SeBatchLogonRight,,,,,,"BUILTIN\Performance Log Users;BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.37.1,"User Rights Assignment","Manage auditing and security log (DC)",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.37.2,"User Rights Assignment","Manage auditing and security log (DC and Exchange)",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,"NT AUTHORITY\EXCHANGE SERVERS;BUILTIN\Administrators",=,Medium +2.2.38,"User Rights Assignment","Manage auditing and security log (Member)",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.39,"User Rights Assignment","Modify an object label",accesschk,SeReLabelPrivilege,,,,,,,,=,Medium +2.2.40,"User Rights Assignment","Modify firmware environment values",accesschk,SeSystemEnvironmentPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.41,"User Rights Assignment","Perform volume maintenance tasks",accesschk,SeManageVolumePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.42,"User Rights Assignment","Profile single process",accesschk,SeProfileSingleProcessPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.2.43,"User Rights Assignment","Profile system performance",accesschk,SeSystemProfilePrivilege,,,,,,"NT SERVICE\WdiServiceHost;BUILTIN\Administrators","NT SERVICE\WdiServiceHost;BUILTIN\Administrators",=,Medium +2.2.44,"User Rights Assignment","Replace a process level token",accesschk,SeAssignPrimaryTokenPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +2.2.45,"User Rights Assignment","Restore files and 
directories",accesschk,SeRestorePrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.46,"User Rights Assignment","Shut down the system",accesschk,SeShutdownPrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +2.2.47,"User Rights Assignment","Synchronize directory service data (DC)",accesschk,SeSyncAgentPrivilege,,,,,,,,=,Medium +2.2.48,"User Rights Assignment","Take ownership of files or other objects",accesschk,SeTakeOwnershipPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +2.3.1.1,"Security Options","Accounts: Administrator account status (Member)",localaccount,500,,,,,,True,False,=,Medium +2.3.1.2,"Security Options","Accounts: Block Microsoft accounts",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,NoConnectedUser,,,,0,3,=,Low +2.3.1.3,"Security Options","Accounts: Guest account status (Member)",localaccount,501,,,,,,False,False,=,Medium +2.3.1.4,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium +2.3.1.5,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,Administrator,!=,Low +2.3.1.6,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Guest,!=,Low +2.3.2.1,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Low +2.3.2.2,"Security Options","Audit: Shut down system immediately if unable to log security audits",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,CrashOnAuditFail,,,,0,0,=,Low +2.3.4.1,"Security Options","Devices: Allowed to format and eject removable media",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon",AllocateDASD,,,,,2,=,Medium +2.3.4.2,"Security Options","Devices: Prevent users from installing printer drivers",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers",AddPrinterDrivers,,,,0,1,=,Medium +2.3.5.1,"Security Options","Domain controller: Allow server operators to schedule tasks (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa,SubmitControl,,,,,0,=,Medium +2.3.5.2,"Security Options","Domain controller: Allow vulnerable Netlogon secure channel connections",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,VulnerableChannelAllowList,,,,,,=,Medium +2.3.5.3,"Security Options","Domain controller: LDAP server channel binding token requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LdapEnforceChannelBinding,,,,1,2,=,Medium +2.3.5.4,"Security Options","Domain controller: LDAP server signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LDAPServerIntegrity,,,,1,2,=,Medium +2.3.5.5,"Security Options","Domain controller: Refuse machine account password changes (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,RefusePasswordChange,,,,1,0,=,Medium +2.3.6.1,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium +2.3.6.2,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium +2.3.6.3,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium +2.3.6.4,"Security Options","Domain member: Disable machine account password 
changes",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange,,,,0,0,=,Medium +2.3.6.5,"Security Options","Domain member: Maximum machine account password age",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,,,,30,30,<=!0,Medium +2.3.6.6,"Security Options","Domain member: Require strong (Windows 2000 or later) session key",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,,,,1,1,=,Medium +2.3.7.1,"Security Options","Interactive logon: Do not require CTRL+ALT+DEL",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCAD,,,,1,0,=,Low +2.3.7.2,"Security Options","Interactive logon: Don't display last signed-in",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,DontDisplayLastUserName,,,,0,1,=,Low +2.3.7.3,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,<=!0,Medium +2.3.7.4,"Security Options","Interactive logon: Message text for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeText,,,,,,!=,Low +2.3.7.5,"Security Options","Interactive logon: Message title for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeCaption,,,,,,!=,Low +2.3.7.6,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,CachedLogonsCount,,,,10,4,<=,Medium +2.3.7.7.1,"Security Options","Interactive logon: Prompt user to change password before expiration (Max)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,14,<=,Low +2.3.7.7.2,"Security Options","Interactive logon: Prompt user to change password 
before expiration (Min)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PasswordExpiryWarning,,,,5,5,>=,Low +2.3.7.8,"Security Options","Interactive logon: Require Domain Controller Authentication to unlock workstation (Member)",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ForceUnlockLogon,,,,,1,=,Medium +2.3.7.9,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Medium +2.3.8.1,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.8.2,"Security Options","Microsoft network client: Digitally sign communications (if server agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnableSecuritySignature,,,,1,1,=,Medium +2.3.8.3,"Security Options","Microsoft network client: Send unencrypted password to third-party SMB servers",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnablePlainTextPassword,,,,0,0,=,Medium +2.3.9.1,"Security Options","Microsoft network server: Amount of idle time required before suspending session",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters,AutoDisconnect,,,,15,15,<=,Medium +2.3.9.2,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +2.3.9.3,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium +2.3.9.4,"Security Options","Microsoft network server: Disconnect clients when logon hours 
expire",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,enableforcedlogoff,,,,1,1,=,Medium +2.3.9.5,"Security Options","Microsoft network server: Server SPN target name validation level (Member)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,SMBServerNameHardeningLevel,,,,,1,>=,Medium +2.3.10.1,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,Medium +2.3.10.2,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,Medium +2.3.10.3,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,Medium +2.3.10.4,"Security Options","Network access: Do not allow storage of passwords and credentials for network authentication",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,DisableDomainCreds,,,,0,1,=,Medium +2.3.10.5,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium +2.3.10.6,"Security Options","Network access: Named Pipes that can be accessed anonymously (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,NullSessionPipes,,,,,"netlogon samr lsarpc",=,Medium +2.3.10.7,"Security Options","Network access: Named Pipes that can be accessed anonymously (Member)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,NullSessionPipes,,,,,,=,Medium +2.3.10.8,"Security Options","Network access: Remotely accessible registry paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths,Machine,,,,"System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server 
Applications Software\Microsoft\Windows NT\CurrentVersion","System\CurrentControlSet\Control\ProductOptions System\CurrentControlSet\Control\Server Applications Software\Microsoft\Windows NT\CurrentVersion",=,Medium +2.3.10.9,"Security Options","Network access: Remotely accessible registry paths and sub-paths",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths,Machine,,,,"System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog","System\CurrentControlSet\Control\Print\Printers System\CurrentControlSet\Services\Eventlog Software\Microsoft\OLAP Server Software\Microsoft\Windows NT\CurrentVersion\Print Software\Microsoft\Windows NT\CurrentVersion\Windows System\CurrentControlSet\Control\ContentIndex System\CurrentControlSet\Control\Terminal Server System\CurrentControlSet\Control\Terminal Server\UserConfig System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration Software\Microsoft\Windows NT\CurrentVersion\Perflib System\CurrentControlSet\Services\SysmonLog",=,Medium +2.3.10.10,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,Medium +2.3.10.11,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM (Member)",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium +2.3.10.12,"Security Options","Network 
access: Shares that can be accessed anonymously",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,NullSessionShares,,,,,,=,Medium +2.3.10.13,"Security Options","Network access: Sharing and security model for local accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,ForceGuest,,,,0,0,=,Medium +2.3.11.1,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium +2.3.11.2,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium +2.3.11.3,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium +2.3.11.4,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,<=,Medium +2.3.11.5,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High +2.3.11.6,"Security Options","Network security: Force logoff when logon hours expires",secedit,"System Access\ForceLogoffWhenHourExpire",,,,,,0,1,=,Low +2.3.11.7,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,Medium +2.3.11.8,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium +2.3.11.9,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) 
clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium +2.3.11.10,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium +2.3.13.1,"Security Options","Shutdown: Allow system to be shut down without having to log on",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,ShutdownWithoutLogon,,,,1,0,=,Medium +2.3.15.1,"Security Options","System objects: Require case insensitivity for non-Windows subsystem",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel",ObCaseInsensitive,,,,,1,=,Medium +2.3.15.2,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Medium +2.3.17.1,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium +2.3.17.2,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,0,2,=,Medium +2.3.17.3,"Security Options","User Account Control: Behavior of the elevation prompt for standard users",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorUser,,,,0,0,=,Medium +2.3.17.4,"Security Options","User Account Control: Detect application installations and prompt for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableInstallerDetection,,,,1,1,=,Medium +2.3.17.5,"Security Options","User Account Control: Only elevate UIAccess applications 
that are installed in secure locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableSecureUIAPaths,,,,1,1,=,Medium +2.3.17.6,"Security Options","User Account Control: Run all administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,,,,1,1,=,Medium +2.3.17.7,"Security Options","User Account Control: Switch to the secure desktop when prompting for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,PromptOnSecureDesktop,,,,1,1,=,Medium +2.3.17.8,"Security Options","User Account Control: Virtualize file and registry write failures to per-user locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableVirtualization,,,,1,1,=,Medium +9.1.1,"Windows Firewall","EnableFirewall (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,,,,0,1,=,Medium +9.1.2,"Windows Firewall","Inbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,,,,1,1,=,Medium +9.1.3,"Windows Firewall","Outbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.1.4,"Windows Firewall","Display a notification (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DisableNotifications,,,,0,1,=,Low +9.1.5,"Windows Firewall","Name of log file (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\domainfw.log,=,Low +9.1.6,"Windows Firewall","Log size limit (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium 
+9.1.7,"Windows Firewall","Log dropped packets (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +9.1.8,"Windows Firewall","Log successful connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +9.2.1,"Windows Firewall","EnableFirewall (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,,,,0,1,=,Medium +9.2.2,"Windows Firewall","Inbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultInboundAction,,,,1,1,=,Medium +9.2.3,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.2.4,"Windows Firewall","Display a notification (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DisableNotifications,,,,0,1,=,Low +9.2.5,"Windows Firewall","Name of log file (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\privatefw.log,=,Low +9.2.6,"Windows Firewall","Log size limit (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +9.2.7,"Windows Firewall","Log dropped packets (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +9.2.8,"Windows Firewall","Log successful connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low 
+9.3.1,"Windows Firewall","EnableFirewall (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,,,,0,1,=,Medium +9.3.2,"Windows Firewall","Inbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultInboundAction,,,,1,1,=,Medium +9.3.3,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium +9.3.4,"Windows Firewall","Display a notification (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DisableNotifications,,,,0,1,=,Low +9.3.5,"Windows Firewall","Apply local firewall rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalPolicyMerge,,,,0,0,=,Low +9.3.6,"Windows Firewall","Apply local connection security rules (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,AllowLocalIPsecPolicyMerge,,,,0,0,=,Low +9.3.7,"Windows Firewall","Name of log file (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFilePath,,,,%SystemRoot%\System32\logfiles\firewall\pfirewall.log,%SystemRoot%\System32\logfiles\firewall\publicfw.log,=,Low +9.3.8,"Windows Firewall","Log size limit (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,,,,4096,16384,>=,Medium +9.3.9,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Medium +9.3.10,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low +17.1.1,"Advanced 
Audit Policy Configuration","Credential Validation",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low +17.1.2,"Advanced Audit Policy Configuration","Kerberos Authentication Service",auditpol,,,,,,,,"Success and Failure",=,Low +17.1.3,"Advanced Audit Policy Configuration","Kerberos Service Ticket Operations",auditpol,,,,,,,,"Success and Failure",=,Low +17.2.1,"Advanced Audit Policy Configuration","Application Group Management",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low +17.2.2,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,,,,,,,,Success,contains,Low +17.2.3,"Advanced Audit Policy Configuration","Distribution Group Management",auditpol,,,,,,,,Success,contains,Low +17.2.4,"Advanced Audit Policy Configuration","Other Account Management Events",auditpol,,,,,,,,Success,contains,Low +17.2.5,"Advanced Audit Policy Configuration","Security Group Management",auditpol,,,,,,,Success,Success,contains,Low +17.2.6,"Advanced Audit Policy Configuration","User Account Management",auditpol,,,,,,,Success,"Success and Failure",=,Low +17.3.1,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,,,,,,,"No Auditing",Success,contains,Low +17.3.2,"Advanced Audit Policy Configuration","Process Creation",auditpol,,,,,,,"No Auditing",Success,contains,Low +17.4.1,"Advanced Audit Policy Configuration","Directory Service Access",auditpol,,,,,,,,Failure,contains,Low +17.4.2,"Advanced Audit Policy Configuration","Directory Service Changes",auditpol,,,,,,,,Success,contains,Low +17.5.1,"Advanced Audit Policy Configuration","Account Lockout",auditpol,,,,,,,Success,Failure,contains,Low +17.5.2,"Advanced Audit Policy Configuration","Group Membership",auditpol,,,,,,,"No Auditing",Success,contains,Low +17.5.3,"Advanced Audit Policy Configuration",Logoff,auditpol,,,,,,,Success,Success,contains,Low +17.5.4,"Advanced Audit Policy Configuration",Logon,auditpol,,,,,,,"Success and Failure","Success and Failure",=,Low +17.5.5,"Advanced Audit 
Policy Configuration","Other Logon/Logoff Events",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low +17.5.6,"Advanced Audit Policy Configuration","Special Logon",auditpol,,,,,,,Success,Success,contains,Low +17.6.1,"Advanced Audit Policy Configuration","Detailed File Share",auditpol,,,,,,,"No Auditing",Failure,contains,Low +17.6.2,"Advanced Audit Policy Configuration","File Share",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low +17.6.3,"Advanced Audit Policy Configuration","Other Object Access Events",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low +17.6.4,"Advanced Audit Policy Configuration","Removable Storage",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low +17.7.1,"Advanced Audit Policy Configuration","Audit Policy Change",auditpol,,,,,,,Success,Success,contains,Low +17.7.2,"Advanced Audit Policy Configuration","Authentication Policy Change",auditpol,,,,,,,Success,Success,contains,Low +17.7.3,"Advanced Audit Policy Configuration","Authorization Policy Change",auditpol,,,,,,,"No Auditing",Success,contains,Low +17.7.4,"Advanced Audit Policy Configuration","MPSSVC Rule-Level Policy Change",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low +17.7.5,"Advanced Audit Policy Configuration","Other Policy Change Events",auditpol,,,,,,,"No Auditing",Failure,contains,Low +17.8.1,"Advanced Audit Policy Configuration","Sensitive Privilege Use",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low +17.9.1,"Advanced Audit Policy Configuration","IPsec Driver",auditpol,,,,,,,"No Auditing","Success and Failure",=,Low +17.9.2,"Advanced Audit Policy Configuration","Other System Events",auditpol,,,,,,,"Success and Failure","Success and Failure",=,Low +17.9.3,"Advanced Audit Policy Configuration","Security State Change",auditpol,,,,,,,Success,Success,contains,Low +17.9.4,"Advanced Audit Policy Configuration","Security System Extension",auditpol,,,,,,,"No Auditing",Success,contains,Low +17.9.5,"Advanced Audit Policy Configuration","System 
Integrity",auditpol,,,,,,,"Success and Failure","Success and Failure",=,Low +18.1.1.1,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Low +18.1.1.2,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low +18.1.2.2,"Administrative Templates: Control Panel","Regional and Language Options: Allow users to enable online speech recognition services",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization,AllowInputPersonalization,,,,1,0,=,Medium +18.1.3,"Administrative Templates: Control Panel","Allow Online Tips",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,AllowOnlineTips,,,,1,0,=,Medium +18.2.1,"Administrative Templates: LAPS","LAPS AdmPwd GPO Extension / CSE (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA},DllName,,,,,"C:\\Program Files\\LAPS\\CSE\\AdmPwd.dll",=,Medium +18.2.2,"Administrative Templates: LAPS","Do not allow password expiration time longer than required by policy (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PwdExpirationProtectionEnabled,,,,,1,=,Medium +18.2.3,"Administrative Templates: LAPS","Enable local admin password management (Member)",Registry,,"HKLM:\Software\Policies\Microsoft Services\AdmPwd",AdmPwdEnabled,,,,,1,=,Medium +18.2.4,"Administrative Templates: LAPS","Password Settings: Password Complexity (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordComplexity,,,,,4,=,Medium +18.2.5,"Administrative Templates: LAPS","Password Settings: Password Length (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,15,>=,Medium +18.2.6,"Administrative 
Templates: LAPS","Password Settings: Password Age (Days) (Member)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd",PasswordLength,,,,,30,<=,Medium +18.3.1,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium +18.3.2,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium +18.3.3,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium +18.3.4,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,Medium +18.3.5,"MS Security Guide","NetBT NodeType configuration",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters,NodeType,,,,0,2,=,Medium +18.3.6,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,,0,=,High +18.4.1,"MSS (Legacy)","MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",AutoAdminLogon,,,,0,0,=,Medium +18.4.2,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium +18.4.3,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium +18.4.4,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated 
routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Medium +18.4.5,"MSS (Legacy)","MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,KeepAliveTime,,,,,300000,<=,Medium +18.4.6,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium +18.4.7,"MSS (Legacy)","MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,PerformRouterDiscovery,,,,,0,=,Medium +18.4.8,"MSS (Legacy)","Enable Safe DLL search mode",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager",SafeDLLSearchMode,,,,0,1,=,Medium +18.4.9,"MSS (Legacy)","MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)",Registry,,"HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",ScreenSaverGracePeriod,,,,5,5,<=,Medium +18.4.10,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium +18.4.11,"MSS (Legacy)","MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,TcpMaxDataRetransmissions,,,,5,3,<=,Medium +18.4.12,"MSS (Legacy)","MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security,WarningLevel,,,,0,90,<=,Medium +18.5.4.1,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution 
(LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium
+18.5.5.1,"Administrative Templates: Network","Fonts: Enable Font Providers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableFontProviders,,,,1,0,=,Medium
+18.5.8.1,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
+18.5.9.1.1,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOndomain)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOndomain,,,,0,0,=,Medium
+18.5.9.1.2,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (AllowLLTDIOOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowLLTDIOOnPublicNet,,,,0,0,=,Medium
+18.5.9.1.3,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (EnableLLTDIO)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableLLTDIO,,,,0,0,=,Medium
+18.5.9.1.4,"Administrative Templates: Network","Link-Layer Topology Discovery: Turn on Mapper I/O (LLTDIO) driver (ProhibitLLTDIOOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitLLTDIOOnPrivateNet,,,,0,0,=,Medium
+18.5.9.2.1,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnDomain)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD,AllowRspndrOnDomain,,,,0,0,=,Medium
+18.5.9.2.2,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (AllowRspndrOnPublicNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,AllowRspndrOnPublicNet,,,,0,0,=,Medium
+18.5.9.2.3,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver 
(EnableRspndr)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,EnableRspndr,,,,0,0,=,Medium
+18.5.9.2.4,"Administrative Templates: Network","Turn on Responder (RSPNDR) driver (ProhibitRspndrOnPrivateNet)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LLTD,ProhibitRspndrOnPrivateNet,,,,0,0,=,Medium
+18.5.10.2,"Administrative Templates: Network","Turn off Microsoft Peer-to-Peer Networking Services",Registry,,HKLM:\Software\policies\Microsoft\Peernet,Disabled,,,,0,1,=,Medium
+18.5.11.2,"Administrative Templates: Network","Network Connections: Prohibit installation and configuration of Network Bridge on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_AllowNetBridge_NLA,,,,0,0,=,Medium
+18.5.11.3,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium
+18.5.11.4,"Administrative Templates: Network","Network Connections: Require domain users to elevate when setting a network's location",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_StdDomainUserSetLocation,,,,0,1,=,Medium
+18.5.14.1.1,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+18.5.14.1.2,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+18.5.19.2.1,"Administrative Templates: Network","Disable IPv6",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters,DisabledComponents,,,,0,255,=,Medium
+18.5.20.1.1,"Administrative Templates: 
Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (EnableRegistrars)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,EnableRegistrars,,,,1,0,=,Medium
+18.5.20.1.2,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableUPnPRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableUPnPRegistrar,,,,1,0,=,Medium
+18.5.20.1.3,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableInBand802DOT11Registrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableInBand802DOT11Registrar,,,,1,0,=,Medium
+18.5.20.1.4,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableFlashConfigRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableFlashConfigRegistrar,,,,1,0,=,Medium
+18.5.20.1.5,"Administrative Templates: Network","Windows Connect Now: Configuration of wireless settings using Windows Connect Now (DisableWPDRegistrar)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\Registrars,DisableWPDRegistrar,,,,1,0,=,Medium
+18.5.20.2,"Administrative Templates: Network","Windows Connect Now: Prohibit access of the Windows Connect Now wizards",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WCN\UI,DisableWcnUi,,,,0,1,=,Medium
+18.5.21.1,"Administrative Templates: Network","Windows Connection Manager: Minimize the number of simultaneous connections to the Internet or a Windows Domain",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fMinimizeConnections,,,,1,3,=,Medium
+18.5.21.2,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated 
network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
+18.7.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off notifications network usage",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoCloudApplicationNotification,,,,0,1,=,Medium
+18.8.3.1,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium
+18.8.4.1,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,"“AllowEncryptionOracle",,,,0,0,=,Medium
+18.8.4.2,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+18.8.5.1,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
+18.8.5.2,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,3,=,Medium
+18.8.5.3,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Medium
+18.8.5.4,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,1,=,Medium
+18.8.5.5,"Administrative Templates: 
System","Device Guard: Credential Guard Configuration (Member)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,Medium
+18.8.5.6,"Administrative Templates: System","Device Guard: Credential Guard Configuration (DC)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,0,=,Medium
+18.8.5.7,"Administrative Templates: System","Device Guard: Secure Launch Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,ConfigureSystemGuardLaunch,,,,0,1,=,Medium
+18.8.14.1,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium
+18.8.21.2,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Medium
+18.8.21.3,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Medium
+18.8.21.4,"Administrative Templates: System","Group Policy: Continue experiences on this device",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableCdp,,,,1,0,=,Medium
+18.8.21.5,"Administrative Templates: System","Group Policy: Turn off background refresh of Group Policy",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableBkGndGroupPolicy,,,,0,0,=,Medium
+18.8.22.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off downloading of print drivers over HTTP",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",DisableWebPnPDownload,,,,0,1,=,Medium
+18.8.22.1.2,"Administrative Templates: 
System","Internet Communication Management: Internet Communication settings: Turn off handwriting personalization data sharing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC,PreventHandwritingDataSharing,,,,0,1,=,Medium
+18.8.22.1.3,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off handwriting recognition error reporting",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports,PreventHandwritingErrorReports,,,,0,1,=,Medium
+18.8.22.1.4,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard",ExitOnMSICW,,,,0,1,=,Medium
+18.8.22.1.5,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoWebServices,,,,0,1,=,Medium
+18.8.22.1.6,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off printing over HTTP",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers",DisableHTTPPrinting,,,,0,1,=,Medium
+18.8.22.1.7,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Registration if URL connection is referring to Microsoft.com",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Registration Wizard Control",NoRegistration,,,,0,1,=,Medium
+18.8.22.1.8,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Search Companion content file updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\SearchCompanion,DisableContentFileUpdates,,,,0,1,=,Medium
+18.8.22.1.9,"Administrative Templates: 
System","Internet Communication Management: Internet Communication settings: Turn off the 'Order Prints' picture task",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoOnlinePrintsWizard,,,,0,1,=,Medium
+18.8.22.1.10,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the 'Publish to Web' task for files and folders",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoPublishingWizard,,,,0,1,=,Medium
+18.8.22.1.11,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off the Windows Messenger Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\Messenger\Client,CEIP,,,,0,2,=,Medium
+18.8.22.1.12,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Customer Experience Improvement Program",Registry,,HKLM:\Software\Policies\Microsoft\SQMClient\Windows,CEIPEnable,,,,1,0,=,Medium
+18.8.22.1.13.1,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 1",Registry,,HKLM:\Software\Policies\Microsoft\PCHealth\ErrorReporting,DoReport,,,,1,0,=,Medium
+18.8.22.1.13.2,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Windows Error Reporting 2",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Windows Error Reporting",Disabled,,,,0,1,=,Medium
+18.8.25.1.1,"Administrative Templates: System","Kerberos: Support device authentication using certificate (DevicePKInitBehavior)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitBehavior,,,,1,0,=,Medium
+18.8.25.1.2,"Administrative Templates: System","Kerberos: Support device authentication using certificate 
(DevicePKInitEnabled)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\kerberos\parameters,DevicePKInitEnabled,,,,1,1,=,Medium
+18.8.26.1,"Administrative Templates: System","Kernel DMA Protection: Enumeration policy for external devices incompatible with Kernel DMA Protection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection",DeviceEnumerationPolicy,,,,2,0,=,Medium
+18.8.27.1,"Administrative Templates: System","Locale Services: Disallow copying of user input methods to the system account for sign-in",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Control Panel\International",BlockUserInputMethodsForSignIn,,,,0,1,=,Medium
+18.8.28.1,"Administrative Templates: System","Logon: Block user from showing account details on sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockUserFromShowingAccountDetailsOnSignin,,,,0,1,=,Medium
+18.8.28.2,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Medium
+18.8.28.3,"Administrative Templates: System","Logon: Do not enumerate connected users on domain-joined computers",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,DontEnumerateConnectedUsers,,,,0,1,=,Medium
+18.8.28.4,"Administrative Templates: System","Logon: Enumerate local users on domain-joined computers (Member)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,EnumerateLocalUsers,,,,0,0,=,Medium
+18.8.28.5,"Administrative Templates: System","Logon: Turn off app notifications on the lock screen",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DisableLockScreenAppNotifications,,,,0,1,=,Medium
+18.8.28.6,"Administrative Templates: System","Logon: Turn off picture password sign-in",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,BlockDomainPicturePassword,,,,0,1,=,Medium
+18.8.28.7,"Administrative Templates: System","Logon: Turn on convenience 
PIN sign-in",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,AllowDomainPINLogon,,,,1,0,=,Medium
+18.8.31.1,"Administrative Templates: System","OS Policies: Allow Clipboard synchronization across devices",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,AllowCrossDeviceClipboard,,,,1,0,=,Medium
+18.8.31.2,"Administrative Templates: System","OS Policies: Allow upload of User Activities",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,UploadUserActivities,,,,1,0,=,Medium
+18.8.34.6.1,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (on battery)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,DCSettingIndex,,,,1,0,=,Medium
+18.8.34.6.2,"Administrative Templates: System","Sleep Settings: Allow network connectivity during connected-standby (plugged in)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9,ACSettingIndex,,,,1,0,=,Medium
+18.8.34.6.3,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,DCSettingIndex,,,,0,1,=,Medium
+18.8.34.6.4,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex,,,,0,1,=,Medium
+18.8.36.1,"Administrative Templates: System","Remote Assistance: Configure Offer Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowUnsolicited,,,,1,0,=,Medium
+18.8.36.2,"Administrative Templates: System","Remote Assistance: Configure Solicited Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowToGetHelp,,,,1,0,=,Medium
+18.8.37.1,"Administrative Templates: 
System","Remote Procedure Call: Enable RPC Endpoint Mapper Client Authentication (Member)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",EnableAuthEpResolution,,,,0,1,=,Medium
+18.8.37.2,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients (Member)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium
+18.8.47.5.1,"Administrative Templates: System","Troubleshooting and Diagnostics: Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy,DisableQueryRemoteServer,,,,1,0,=,Medium
+18.8.47.11.1,"Administrative Templates: System","Windows Performance PerfTrack: Enable/Disable PerfTrack",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d},ScenarioExecutionEnabled,,,,1,0,=,Medium
+18.8.49.1,"Administrative Templates: System","User Profiles: Turn of the advertising ID",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo,DisabledByGroupPolicy,,,,0,1,=,Medium
+18.8.52.1.1,"Administrative Templates: System","Time Providers: Enable Windows NTP Client",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient,Enabled,,,,0,1,=,Medium
+18.8.52.1.2,"Administrative Templates: System","Time Providers: Enable Windows NTP Server (Member)",Registry,,HKLM:\Software\Policies\Microsoft\W32time\TimeProviders\NtpServer,Enabled,,,,0,0,=,Medium
+18.9.4.1,"Administrative Templates: Windows Components","App Package Deployment: Allow a Windows app to share application data between users",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager,AllowSharedLocalAppData,,,,1,0,=,Medium
+18.9.6.1,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be 
optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium
+18.9.8.1,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,Medium
+18.9.8.2,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,Medium
+18.9.8.3,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,Medium
+18.9.10.1.1,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium
+18.9.12.1,"Administrative Templates: Windows Components","Camera: Allow Use of Camera",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Camera,AllowCamera,,,,1,0,=,Medium
+18.9.13.1,"Administrative Templates: Windows Components","Cloud Content: Turn off cloud optimized content",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableCloudOptimizedContent,,,,0,1,=,Medium
+18.9.13.2,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Medium
+18.9.14.1,"Administrative Templates: Windows Components","Connect: Require pin for pairing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Connect,RequirePinForPairing,,,,0,1,>=,Medium
+18.9.15.1,"Administrative Templates: Windows Components","Credential User Interface: Do not display the password reveal 
button",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredUI,DisablePasswordReveal,,,,0,1,=,Medium
+18.9.15.2,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium
+18.9.16.1,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,<=,Medium
+18.9.16.2,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DisableEnterpriseAuthProxy,,,,0,1,=,Medium
+18.9.16.3,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Do not show feedback notifications",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,DoNotShowFeedbackNotifications,,,,0,1,=,Medium
+18.9.16.4,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Toggle user control over Insider builds",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds,AllowBuildPreview,,,,1,0,=,Medium
+18.9.26.1.1,"Administrative Templates: Windows Components","Event Log Service: Application: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,Retention,,,,,0,=,Medium
+18.9.26.1.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium
+18.9.26.2.1,"Administrative Templates: Windows Components","Event Log Service: Security: Control Event Log behavior when the log file reaches its maximum 
size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,Retention,,,,,0,=,Medium
+18.9.26.2.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium
+18.9.26.3.1,"Administrative Templates: Windows Components","Event Log Service: Setup: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,Retention,,,,,0,=,Medium
+18.9.26.3.2,"Administrative Templates: Windows Components","Event Log Service: Setup: Specify the maximum log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Setup,MaxSize,,,,4096,32768,>=,Medium
+18.9.26.4.1,"Administrative Templates: Windows Components","Event Log Service: System: Control Event Log behavior when the log file reaches its maximum size",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,Retention,,,,,0,=,Medium
+18.9.26.4.2,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium
+18.9.30.2,"Administrative Templates: Windows Components","File Explorer: Turn off Data Execution Prevention for Explorer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoDataExecutionPrevention,,,,,0,=,Medium
+18.9.30.3,"Administrative Templates: Windows Components","File Explorer: Turn off heap termination on corruption",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer,NoHeapTerminationOnCorruption,,,,,0,=,Medium
+18.9.30.4,"Administrative Templates: Windows Components","File Explorer: Turn off shell protocol protected mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,PreXPSP2ShellProtocolBehavior,,,,,0,=,Medium
+18.9.39.1,"Administrative 
Templates: Windows Components","Location and Sensors: Turn off location",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors,DisableLocation,,,,0,1,=,Medium
+18.9.43.1,"Administrative Templates: Windows Components","Messaging: Allow Message Service Cloud Sync",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\Messaging,AllowMessageSync,,,,1,0,=,Medium
+18.9.44.1,"Administrative Templates: Windows Components","Microsoft account: Block all consumer Microsoft account user authentication",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftAccount,DisableUserAuth,,,,,1,=,Medium
+18.9.45.3.1,"Microsoft Defender Antivirus","MAPS: Configure local setting override for reporting to Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",LocalSettingOverrideSpynetReporting,,,,,0,=,Medium
+18.9.45.3.2,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,0,=,Medium
+18.9.45.4.1.1,"Microsoft Defender Exploit Guard","Attack Surface Reduction rules",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR",ExploitGuard_ASR_Rules,,,,0,1,=,Medium
+18.9.45.4.1.2.1.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium
+18.9.45.4.1.2.1.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium
+18.9.45.4.1.2.2.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium 
+18.9.45.4.1.2.2.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium
+18.9.45.4.1.2.3.1,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium
+18.9.45.4.1.2.3.2,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium
+18.9.45.4.1.2.4.1,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium
+18.9.45.4.1.2.4.2,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium
+18.9.45.4.1.2.5.1,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,0,1,=,Medium
+18.9.45.4.1.2.5.2,"Microsoft Defender Exploit Guard","ASR: Block Adobe Reader from creating child processes",MpPreferenceAsr,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,,,,,,0,1,=,Medium
+18.9.45.4.1.2.6.1,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium
+18.9.45.4.1.2.6.2,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in 
Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium
+18.9.45.4.1.2.7.1,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe) (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,0,1,=,Medium
+18.9.45.4.1.2.7.2,"Microsoft Defender Exploit Guard","ASR: Block credential stealing from the Windows local security authority subsystem (lsass.exe)",MpPreferenceAsr,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,,,,,,0,1,=,Medium
+18.9.45.4.1.2.8.1,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,0,1,=,Medium
+18.9.45.4.1.2.8.2,"Microsoft Defender Exploit Guard","ASR: Block untrusted and unsigned processes that run from USB",MpPreferenceAsr,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,,,,,,0,1,=,Medium
+18.9.45.4.1.2.9.1,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium
+18.9.45.4.1.2.9.2,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium
+18.9.45.4.1.2.10.1,"Microsoft Defender Exploit Guard","ASR: Impede JavaScript and VBScript to launch executables (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium
+18.9.45.4.1.2.10.2,"Microsoft Defender Exploit Guard","ASR: Impede JavaScript and VBScript to launch 
executables",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium
+18.9.45.4.1.2.11.1,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",26190899-1602-49e8-8b27-eb1d0a1ce869,,,,0,1,=,Medium
+18.9.45.4.1.2.11.2,"Microsoft Defender Exploit Guard","ASR: Block Office communication applications from creating child processes",MpPreferenceAsr,26190899-1602-49e8-8b27-eb1d0a1ce869,,,,,,0,1,=,Medium
+18.9.45.4.1.2.12.1,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,0,1,=,Medium
+18.9.45.4.1.2.12.2,"Microsoft Defender Exploit Guard","ASR: Block persistence through WMI event subscription",MpPreferenceAsr,e6db77e5-3df2-4cf1-b95a-636979351e5b,,,,,,0,1,=,Medium
+18.9.45.4.3.1,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium
+18.9.45.5.1,"Microsoft Defender Antivirus","MpEngine: Enable file hash computation feature",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine",EnableFileHashComputation,,,,,1,=,Medium
+18.9.45.8.1,"Microsoft Defender Antivirus","Real-time Protection: Scan all downloaded files and attachments",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableIOAVProtection,,,,0,1,=,Medium
+18.9.45.8.2,"Microsoft Defender Antivirus","Real-time Protection: Turn off real-time protection",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableRealtimeMonitoring,,,,0,0,=,Medium 
+18.9.45.8.3,"Microsoft Defender Antivirus","Real-time Protection: Turn on behavior monitoring (Policy)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection",DisableBehaviorMonitoring,,,,,0,=,Medium +18.9.45.10.1,"Microsoft Defender Antivirus","Reporting: Configure Watson events",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting",DisableGenericRePorts,,,,,1,=,Medium +18.9.45.11.1,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium +18.9.45.11.2,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium +18.9.45.14,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,Medium +18.9.45.15,"Microsoft Defender Antivirus","Turn off Windows Defender Antivirus",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",DisableAntiSpyware,,,,0,0,=,Medium +18.9.55.1,"Administrative Templates: Windows Components","OneDrive: Prevent the usage of OneDrive for file storage",Registry,,HKLM:\Software\Policies\Microsoft\Windows\OneDrive,DisableFileSyncNGSC,,,,0,1,=,Medium +18.9.62.2.2,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium +18.9.62.3.2.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Connections: Restrict Remote Desktop Services users to a single Remote Desktop Services session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fSingleSessionPerUser,,,,,1,=,Medium +18.9.62.3.3.1,"Administrative Templates: Windows Components","Remote 
Desktop Session Host: Device and Resource Redirection: Do not allow COM port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCcm,,,,0,1,=,Medium +18.9.62.3.3.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium +18.9.62.3.3.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow LPT port redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableLPT,,,,0,1,=,Medium +18.9.62.3.3.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow supported Plug and Play device redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisablePNPRedir,,,,0,1,=,Medium +18.9.62.3.9.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium +18.9.62.3.9.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium +18.9.62.3.9.3,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require use of specific security layer for remote (RDP) connections",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",SecurityLayer,,,,0,2,=,Medium +18.9.62.3.9.4,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require user authentication for remote connections by using Network Level 
Authentication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",UserAuthentication,,,,,1,=,Medium +18.9.62.3.9.5,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium +18.9.62.3.10.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for active but idle Remote Desktop Services sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxIdleTime,,,,,900000,<=,Medium +18.9.62.3.10.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Session Time Limits: Set time limit for disconnected sessions",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MaxDisconnectionTime,,,,,60000,=,Medium +18.9.62.3.11.1,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not delete temp folders upon exit",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DeleteTempDirsOnExit,,,,,1,=,Medium +18.9.62.3.11.2,"Administrative Templates: Windows Components","Remote Desktop Session Host: Temporary folders: Do not use temporary folders per session",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",PerSessionTempDir,,,,,1,=,Medium +18.9.63.1,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +18.9.64.2,"Administrative Templates: Windows Components","Search: Allow Cloud Search",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowCloudSearch,,,,1,0,=,Medium +18.9.64.3,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted 
files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium +18.9.69.1,"Administrative Templates: Windows Components","Software Protection Platform: Turn off KMS Client Online AVS Validation",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform",NoGenTicket,,,,,1,=,Medium +18.9.80.1.1.1,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium +18.9.80.1.1.2,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium +18.9.84.1,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow suggested apps in Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowSuggestedAppsInWindowsInkWorkspace,,,,1,0,=,Medium +18.9.84.2,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,1,<=,Medium +18.9.85.1,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium +18.9.85.2,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium +18.9.85.3,"Administrative Templates: Windows Components","Windows Installer: Prevent Internet Explorer security prompt for Windows Installer scripts",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,SafeForScripting,,,,1,0,=,Medium 
+18.9.86.1,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium +18.9.95.1,PowerShell,"Turn on PowerShell Script Block Logging",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockLogging,,,,0,0,=,Medium +18.9.95.2,PowerShell,"Turn on PowerShell Transcription",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription,EnableTranscripting,,,,0,0,=,Medium +18.9.97.1.1,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,Medium +18.9.97.1.2,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium +18.9.97.1.3,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium +18.9.97.2.1,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,Medium +18.9.97.2.2,"Administrative Templates: Windows Components","WinRM Service: Allow remote server management through WinRM",Registry,,HKLM:Software\Policies\Microsoft\Windows\WinRM\Service,AllowAutoConfig,,,,1,0,=,Medium +18.9.97.2.3,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium +18.9.97.2.4,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs 
credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium +18.9.98.1,"Administrative Templates: Windows Components","Windows Remote Shell: Allow Remote Shell Access",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS,AllowRemoteShellAccess,,,,1,0,=,Medium +18.9.99.2.1,"Administrative Templates: Windows Components","App and browser protection: Prevent users from modifying settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection",DisallowExploitProtectionOverride,,,,,1,=,Medium +18.9.102.1.1.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuilds)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuilds,,,,,1,=,Medium +18.9.102.1.1.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Manage preview builds (ManagePreviewBuildsPolicyValue)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,ManagePreviewBuildsPolicyValue,,,,,0,=,Medium +18.9.102.1.2.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (DeferFeatureUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdates,,,,,1,=,Medium +18.9.102.1.2.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received (BranchReadinessLevel)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,BranchReadinessLevel,,,,,16,=,Medium +18.9.102.1.2.3,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Preview Builds and Feature Updates are received 
(DeferFeatureUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferFeatureUpdatesPeriodInDays,,,,,180,>=,Medium +18.9.102.1.3.1,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdates)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdates,,,,,1,=,Medium +18.9.102.1.3.2,"Administrative Templates: Windows Components","Windows Update: Windows Update for Business: Select when Quality Updates are received (DeferQualityUpdatesPeriodInDays)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate,DeferQualityUpdatesPeriodInDays,,,,,0,>=,Medium +18.9.102.2,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoUpdate,,,,,0,>=,Medium +18.9.102.3,"Administrative Templates: Windows Components","Windows Update: Configure Automatic Updates: Scheduled install day",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,ScheduledInstallDay,,,,,0,>=,Medium +18.9.102.4,"Administrative Templates: Windows Components","Windows Update: No auto-restart with logged on users for scheduled automatic updates installations",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\Au,NoAutoRebootWithLoggedOnUsers,,,,,0,>=,Medium diff --git a/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.0_user.csv b/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.0_user.csv new file mode 100644 index 0000000..2e15f46 --- /dev/null +++ b/lists/finding_list_cis_microsoft_windows_server_2019_1809_1.2.0_user.csv 
@@ -0,0 +1,16 @@
+ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity
+19.1.3.1,"Administrative Templates: Control Panel","Enable screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveActive,,,,,1,=,Medium
+19.1.3.2,"Administrative Templates: Control Panel","Force specific screen saver: Screen saver executable name",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",SCRNSAVE.EXE,,,,,scrnsave.scr,=,Medium
+19.1.3.3,"Administrative Templates: Control Panel","Password protect the screen saver",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaverIsSecure,,,,,1,=,Medium
+19.1.3.4,"Administrative Templates: Control Panel","Screen saver timeout",Registry,,"HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop",ScreenSaveTimeOut,,,,,900,<=,Medium
+19.5.1.1,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off toast notifications on the lock screen",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoToastApplicationNotificationOnLockScreen,,,,0,1,=,Medium
+19.6.6.1.1,"Administrative Templates: System","Internet Communication Management: Internet Communication Settings: Turn off Help Experience Improvement Program",Registry,,HKCU:\Software\Policies\Microsoft\Assistance\Client\1.0,NoImplicitFeedback,,,,0,1,=,Medium
+19.7.4.1,"Administrative Templates: Windows Components","Attachment Manager: Do not preserve zone information in file attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,SaveZoneInformation,,,,,0,=,Medium
+19.7.4.2,"Administrative Templates: Windows Components","Attachment Manager: Notify antivirus programs when opening attachments",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments,ScanWithAntiVirus,,,,,1,=,Medium
+19.7.8.1,"Administrative Templates: Windows Components","Cloud Content: Configure Windows spotlight on lock screen",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,ConfigureWindowsSpotlight,,,,,0,=,Medium
+19.7.8.2,"Administrative Templates: Windows Components","Cloud Content: Do not suggest third-party content in Windows spotlight",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableThirdPartySuggestions,,,,0,1,=,Medium
+19.7.8.3,"Administrative Templates: Windows Components","Cloud Content: Do not use diagnostic data for tailored experiences",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableTailoredExperiencesWithDiagnosticData,,,,0,1,=,Medium
+19.7.8.4,"Administrative Templates: Windows Components","Cloud Content: Turn off all Windows spotlight features",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsSpotlightFeatures,,,,0,1,=,Medium
+19.7.28.1,"Administrative Templates: Windows Components","Network Sharing: Prevent users from sharing files within their profile",Registry,,HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoInplaceSharing,,,,0,1,=,Medium
+19.7.43.1,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKCU:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,Medium
+19.7.47.2.1,"Administrative Templates: Windows Components","Windows Media Player: Playback: Prevent Codec Download",Registry,,HKCU:\Software\Policies\Microsoft\WindowsMediaPlayer,PreventCodecDownload,,,,,1,=,Medium
diff --git a/lists/finding_list_dod_microsoft_windows_10_stig_v2r1_machine.csv b/lists/finding_list_dod_microsoft_windows_10_stig_v2r1_machine.csv
new file mode 100644
index 0000000..610619a
--- /dev/null
+++ b/lists/finding_list_dod_microsoft_windows_10_stig_v2r1_machine.csv
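Review bot: The two Attachment Manager rows (19.7.4.1 and 19.7.4.2) in the new Server 2019 user list appear to carry recommended values that do not match the hardened state, so the audit would fail a compliant host and could pass one with antivirus notification switched off. As far as I know, `ScanWithAntiVirus` is 3 when notification is enabled (1 means off), and `SaveZoneInformation` is 2 when zone information is preserved (1 means it is dropped, and 0 is not a documented value). I would change the rows to end in `ScanWithAntiVirus,,,,,3,=,Medium` and `SaveZoneInformation,,,,,2,=,Medium`, after confirming against the Attachment Manager ADMX. In the same hunk, row 19.1.3.4 checks `ScreenSaveTimeOut` with `900,<=`, which a value of 0 also satisfies although 0 means the screen saver never starts. The benchmark wording is "900 seconds or fewer, but not 0", so the exclusion deserves a mention in the `Name` field, or a lower bound if the list format can express one.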
@@ -0,0 +1,394 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +V-63415,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,=,Medium +V-63419,"Account Policies","Maximum password age",accountpolicy,,,,,,,42,60,=,Medium +V-63421,"Account Policies","Minimum password age",accountpolicy,,,,,,,0,1,=,Medium +V-63423,"Account Policies","Minimum password length",accountpolicy,,,,,,,0,14,=,Medium +V-63427,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium +V-63429,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High +V-63405,"Account Policies","Account lockout duration",accountpolicy,,,,,,,30,15,=,Medium +V-63409,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,3,=,Medium +V-63413,"Account Policies","Reset account lockout counter",accountpolicy,,,,,,,30,15,=,Medium +V-63843,"User Rights Assignment","Access Credential Manager as a trusted caller",accesschk,SeTrustedCredManAccessPrivilege,,,,,,,,=,Medium +V-63845,"User Rights Assignment","Access this computer from the network",accesschk,SeNetworkLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;Everyone","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium +V-63847,"User Rights Assignment","Act as part of the operating system",accesschk,SeTcbPrivilege,,,,,,,,=,High +V-63851,"User Rights Assignment","Allow log on locally",accesschk,SeInteractiveLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;COMPUTERNAME\Guest",BUILTIN\Users;BUILTIN\Administrators,=,Medium +V-63853,"User Rights Assignment","Back up files and directories",accesschk,SeBackupPrivilege,,,,,,"BUILTIN\Administrators;BUILTIN\Backup Operators",BUILTIN\Administrators,=,Medium +V-63855,"User Rights 
Assignment","Change the system time",accesschk,SeSystemTimePrivilege,,,,,,"BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE","BUILTIN\Administrators;NT AUTHORITY\LOCAL SERVICE;NT SERVICE\autotimesvc",=,Medium +V-63857,"User Rights Assignment","Create a pagefile",accesschk,SeCreatePagefilePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +V-63859,"User Rights Assignment","Create a token object",accesschk,SeCreateTokenPrivilege,,,,,,,,=,High +V-63861,"User Rights Assignment","Create global objects",accesschk,SeCreateGlobalPrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +V-63863,"User Rights Assignment","Create permanent shared objects",accesschk,SeCreatePermanentPrivilege,,,,,,,,=,Medium +V-63865,"User Rights Assignment","Create symbolic links",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +V-63869,"User Rights Assignment","Debug programs",accesschk,SeDebugPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,High +V-63871,"User Rights Assignment","Deny access to this computer from the network",accesschk,SeDenyNetworkLogonRight,,,,,,COMPUTERNAME\Guest,"Guest;NT AUTHORITY\Local account;Domain Admins;Enterprise Admins",=,Medium +V-63873,"User Rights Assignment","Deny log on as a batch job",accesschk,SeDenyBatchLogonRight,,,,,,,"Domain Admins;Enterprise Admins",=,Medium +V-63875,"User Rights Assignment","Deny log on as a service",accesschk,SeDenyServiceLogonRight,,,,,,,"Domain Admins;Enterprise Admins",=,Medium +V-63877,"User Rights Assignment","Deny log on locally",accesschk,SeDenyInteractiveLogonRight,,,,,,BUILTIN\Guests,"BUILTIN\Guests;Domain Admins;Enterprise Admins",=,Medium +V-63879,"User Rights Assignment","Deny log on through Remote Desktop Services",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,"NT 
AUTHORITY\Local account;BUILTIN\Guests;Domain Admins;Enterprise Admins",=,Medium +V-63881,"User Rights Assignment","Enable computer and user accounts to be trusted for delegation",accesschk,SeEnableDelegationPrivilege,,,,,,,,=,Medium +V-63883,"User Rights Assignment","Force shutdown from a remote system",accesschk,SeRemoteShutdownPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +V-63889,"User Rights Assignment","Impersonate a client after authentication",accesschk,SeImpersonatePrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium +V-63917,"User Rights Assignment","Load and unload device drivers",accesschk,SeLoadDriverPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +V-63925,"User Rights Assignment","Lock pages in memory",accesschk,SeLockMemoryPrivilege,,,,,,,,=,Medium +V-63927,"User Rights Assignment","Manage auditing and security log",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +V-63931,"User Rights Assignment","Modify firmware environment values",accesschk,SeSystemEnvironmentPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +V-63933,"User Rights Assignment","Perform volume maintenance tasks",accesschk,SeManageVolumePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +V-63935,"User Rights Assignment","Profile single process",accesschk,SeProfileSingleProcessPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +V-63939,"User Rights Assignment","Restore files and directories",accesschk,SeRestorePrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium +V-63941,"User Rights Assignment","Take ownership of files or other 
objects",accesschk,SeTakeOwnershipPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium +V-63601,"Security Options","Accounts: Administrator account status",localaccount,500,,,,,,False,False,=,Medium +V-63611,"Security Options","Accounts: Guest account status",localaccount,501,,,,,,False,False,=,Medium +V-63617,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,Medium +V-63619,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,X_Admin,=,Medium +V-63625,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Visitor,=,Medium +V-71761,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Medium +V-63639,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium +V-63643,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium +V-63647,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium +V-63653,"Security Options","Domain member: Disable machine account password changes",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange,,,,0,0,=,Low +V-63661,"Security Options","Domain member: Maximum machine account password age",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,,,,30,30,=,Low +V-63665,"Security Options","Domain member: Require 
strong (Windows 2000 or later) session key",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,,,,1,1,=,Medium +V-63669,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,=,Medium +V-63675,"Security Options","Interactive logon: Message text for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeText,,,,,"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only., By using this IS (which includes any device attached to this IS), you consent to the following conditions:, -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations., -At any time, the USG may inspect and seize data stored on this IS., -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose., -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy., -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. 
See User Agreement for details.",=,Medium +V-63681,"Security Options","Interactive logon: Message title for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeCaption,,,,,"US Department of Defense Warning Statement",=,Low +V-63687,"Security Options","Interactive logon: Number of previous logons to cache (in case domain controller is not available)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,CachedLogonsCount,,,,10,10,=,Low +V-63697,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Medium +V-63703,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +V-63711,"Security Options","Microsoft network client: Send unencrypted password to third-party SMB servers",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnablePlainTextPassword,,,,0,0,=,Medium +V-63719,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium +V-63739,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,High +V-63745,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,High +V-63749,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,High +V-63755,"Security Options","Network access: Let Everyone permissions apply to anonymous 
users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium +V-63759,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,High +V-71769,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium +V-63765,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium +V-63767,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium +V-63795,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,=,Medium +V-63797,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High +V-63801,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,High +V-63803,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium +V-63805,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium +V-63807,"Security Options","Network security: Minimum session security for NTLM 
SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium +V-63811,"Security Options","System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy,Enabled,,,,,1,=,Medium +V-220943,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Low +V-63817,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium +V-63819,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,0,2,=,Medium +V-63821,"Security Options","User Account Control: Behavior of the elevation prompt for standard users",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorUser,,,,0,0,=,Medium +V-63825,"Security Options","User Account Control: Detect application installations and prompt for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableInstallerDetection,,,,1,1,=,Medium +V-63827,"Security Options","User Account Control: Only elevate UIAccess applications that are installed in secure locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableSecureUIAPaths,,,,1,1,=,Medium +V-63829,"Security Options","User Account Control: Run all administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,,,,1,1,=,Medium +V-63831,"Security Options","User Account Control: Virtualize 
file and registry write failures to per-user locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableVirtualization,,,,1,1,=,Medium
+V-74719,"System Services","Secondary Logon (seclogon)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\seclogon,Start,,,,3,4,=,Medium
+V-74719,"System Services","Secondary Logon (seclogon) (Service Startup type)",service,seclogon,,,,,,Manual,Disabled,=,Medium
+"V-63431 / V-63435","Advanced Audit Policy Configuration","Credential Validation",auditpol,,,,,,,"No Auditing","Success and Failure",=,Medium
+V-63445,"Advanced Audit Policy Configuration","Security Group Management",auditpol,,,,,,,Success,Success,contains,Medium
+"V-63447 / V-63449","Advanced Audit Policy Configuration","User Account Management",auditpol,,,,,,,Success,"Success and Failure",=,Medium
+V-63451,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,,,,,,,"No Auditing",Success,contains,Medium
+V-63453,"Advanced Audit Policy Configuration","Process Creation",auditpol,,,,,,,"No Auditing",Success,contains,Medium
+V-71759,"Advanced Audit Policy Configuration","Account Lockout",auditpol,,,,,,,Success,Failure,contains,Medium
+V-63457,"Advanced Audit Policy Configuration","Group Membership",auditpol,,,,,,,"No Auditing",Success,contains,Medium
+V-63459,"Advanced Audit Policy Configuration",Logoff,auditpol,,,,,,,Success,Success,contains,Medium
+"V-63463 / V-63467","Advanced Audit Policy Configuration",Logon,auditpol,,,,,,,"Success and Failure","Success and Failure",=,Medium
+"V-99541 / V-99543","Advanced Audit Policy Configuration","Other Logon/Logoff Events",auditpol,,,,,,,"No Auditing","Success and Failure",=,Medium
+V-63469,"Advanced Audit Policy Configuration","Special Logon",auditpol,,,,,,,Success,Success,contains,Medium
+V-99545,"Advanced Audit Policy Configuration","Detailed File Share",auditpol,,,,,,,"No Auditing",Failure,contains,Medium
+"V-74721 / V-75027","Advanced Audit Policy Configuration","File 
Share",auditpol,,,,,,,"No Auditing","Success and Failure",=,Medium
+"V-74409 / V-74411","Advanced Audit Policy Configuration","Other Object Access Events",auditpol,,,,,,,"No Auditing","Success and Failure",=,Medium
+"V-63471 / V-63473","Advanced Audit Policy Configuration","Removable Storage",auditpol,,,,,,,"No Auditing","Success and Failure",=,Medium
+V-63479,"Advanced Audit Policy Configuration","Audit Policy Change",auditpol,,,,,,,Success,Success,contains,Medium
+V-63481,"Advanced Audit Policy Configuration","Authentication Policy Change",auditpol,,,,,,,Success,Success,contains,Medium
+V-71761,"Advanced Audit Policy Configuration","Authorization Policy Change",auditpol,,,,,,,"No Auditing",Success,contains,Medium
+"V-99547 / V-99549","Advanced Audit Policy Configuration","MPSSVC Rule-Level Policy Change",auditpol,,,,,,,"No Auditing","Success and Failure",=,Medium
+V-99553,"Advanced Audit Policy Configuration","Other Policy Change Events",auditpol,,,,,,,"No Auditing",Failure,contains,Medium
+"V-63483 / V-63487","Advanced Audit Policy Configuration","Sensitive Privilege Use",auditpol,,,,,,,"No Auditing","Success and Failure",=,Medium
+V-63491,"Advanced Audit Policy Configuration","IPsec Driver",auditpol,,,,,,,"No Auditing",Failure,contains,Medium
+"V-63499 / V-63503","Advanced Audit Policy Configuration","Other System Events",auditpol,,,,,,,"Success and Failure","Success and Failure",=,Medium
+V-63507,"Advanced Audit Policy Configuration","Security State Change",auditpol,,,,,,,Success,Success,contains,Medium
+V-63513,"Advanced Audit Policy Configuration","Security System Extension",auditpol,,,,,,,"No Auditing",Success,contains,Medium
+"V-63515 / V-63517","Advanced Audit Policy Configuration","System Integrity",auditpol,,,,,,,"Success and Failure","Success and Failure",=,Medium
+V-63545,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen 
camera",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenCamera,,,,0,1,=,Medium
+V-63549,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low
+V-63597,"MS Security Guide","Apply UAC restrictions to local accounts on network logons",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium
+V-74725,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
+V-74723,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
+V-68849,"MS Security Guide","Enable Structured Exception Handling Overwrite Protection (SEHOP)",Registry,,"HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel",DisableExceptionChainValidation,,,,,0,=,High
+V-72329,"MS Security Guide","Remove ""Run As Different User"" from context menus (batfile)",Registry,,HKLM:\SOFTWARE\Classes\batfile\shell\runasuser," SuppressionPolicy",,,,,1000,=,Medium
+V-72329,"MS Security Guide","Remove ""Run As Different User"" from context menus (cmdfile)",Registry,,HKLM:\SOFTWARE\Classes\cmdfile\shell\runasuser," SuppressionPolicy",,,,,1000,=,Medium
+V-72329,"MS Security Guide","Remove ""Run As Different User"" from context menus (exefile)",Registry,,HKLM:\SOFTWARE\Classes\exefile\shell\runasuser," SuppressionPolicy",,,,,1000,=,Medium
+V-72329,"MS Security Guide","Remove ""Run As Different User"" from context menus (mscfile)",Registry,,HKLM:\SOFTWARE\Classes\mscfile\shell\runasuser," SuppressionPolicy",,,,,1000,=,Medium
+V-71763,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,,0,=,Medium
+V-63555,"MSS (Legacy)","MSS: 
(DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
+V-63559,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Medium
+V-63563,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Low
+V-63567,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Low
+V-63569,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
+V-71765,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium
+V-63577,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+V-63577,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+V-74413,"Administrative Templates: Network","SSL Configuration Settings: ECC Curve 
Order",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002,EccCurves,,,,,"NistP384 NistP256 ",=,Medium
+V-71765,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
+V-63591,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
+V-68817,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium
+V-74699,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+V-63595,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Low
+V-63595,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,1,=,Low
+V-63603,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Low
+V-77083,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table 
(Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,0,=,Low
+V-63599,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,High
+V-63607,"Administrative Templates: System","Early Launch Antimalware: Boot-Start Driver Initialization Policy",Registry,,HKLM:\System\CurrentControlSet\Policies\EarlyLaunch,DriverLoadPolicy,,,,0,3,=,Medium
+V-63609,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Medium
+V-63609,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Medium
+V-63615,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off downloading of print drivers over HTTP",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",DisableWebPnPDownload,,,,0,1,=,Medium
+V-63621,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off Internet download for Web publishing and online ordering wizards",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoWebServices,,,,0,1,=,Medium
+V-63623,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off printing over HTTP",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers",DisableHTTPPrinting,,,,0,1,=,Medium
+V-99557,"Administrative Templates: System","Kernel DMA Protection: Enumeration policy for external devices incompatible with Kernel DMA 
Protection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection",DeviceEnumerationPolicy,,,,2,0,=,Medium
+V-63629,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Medium
+V-63633,"Administrative Templates: System","Logon: Enumerate local users on domain-joined computers",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,EnumerateLocalUsers,,,,0,0,=,Medium
+V-99559,"Administrative Templates: System","Logon: Turn on convenience PIN sign-in",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,AllowDomainPINLogon,,,,1,0,=,Medium
+V-63721,"Administrative Templates: System","PIN Complexity: Minimum PIN length",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity,MinimumPINLength,,,,,6,=,Medium
+V-63645,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,DCSettingIndex,,,,0,1,=,Medium
+V-63649,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex,,,,0,1,=,Medium
+V-63651,"Administrative Templates: System","Remote Assistance: Configure Solicited Remote Assistance",Registry,,"HKLM:\Software\policies\Microsoft\Windows NT\Terminal Services",fAllowToGetHelp,,,,1,0,=,High
+V-63657,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium
+V-94719,"Administrative Templates: Windows Components","App Privacy: Let Windows apps activate with voice while the system is 
locked",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy,LetAppsActivateWithVoiceAboveLock,,,,0,2,=,Medium
+V-63659,"Administrative Templates: Windows Components","App runtime: Allow Microsoft accounts to be optional",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System,MSAOptional,,,,,1,=,Medium
+V-63663,"Administrative Templates: Windows Components","Application Compatibility: Turn off Inventory Collector",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat,DisableInventory,,,,0,1,=,Low
+V-63667,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,High
+V-63671,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,High
+V-63673,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,High
+V-63677,"Administrative Templates: Windows Components","Biometrics: Facial Features: Configure enhanced anti-spoofing",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures,EnhancedAntiSpoofing,,,,,1,=,Medium
+V-94861,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Configure minimum PIN length for startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,MinimumPIN,,,,,6,=,Medium
+V-94859,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Allow BitLocker without a compatible TPM",Registry,,HKLM:\Software\Policies\Microsoft\FVE,EnableBDEWithNoTPM,,,,1,1,=,Medium
+V-94859,"Administrative Templates: Windows Components","BitLocker Drive Encryption: 
Operating System Drives: Require additional authentication at startup: Configure TPM startup",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseTPM,,,,0,1,=,Medium
+V-94859,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup PIN",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseTPMPIN,,,,0,1,=,Medium
+V-94859,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup key",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseTPMKey,,,,0,1,=,Medium
+V-94859,"Administrative Templates: Windows Components","BitLocker Drive Encryption: Operating System Drives: Require additional authentication at startup: Configure TPM startup key and PIN",Registry,,HKLM:\Software\Policies\Microsoft\FVE,UseTPMKeyPIN,,,,0,1,=,Medium
+V-71771,"Administrative Templates: Windows Components","Cloud Content: Turn off Microsoft consumer experiences",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CloudContent,DisableWindowsConsumerFeatures,,,,0,1,=,Low
+V-63679,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium
+V-63683,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,2,=,Medium
+V-65681,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,3,2,=,Medium
+V-63519,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size 
(KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium
+V-63523,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,1024000,>=,Medium
+V-63527,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium
+V-63709,"Microsoft Edge","Configure Password Manager",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Main,"FormSuggest Passwords",,,,,no,=,Medium
+V-63701,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for files",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverrideAppRepUnknown,,,,,1,=,Medium
+V-82139,"Microsoft Edge","Prevent certificate error overrides",Registry,,"HKLM:\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings",PreventCertErrorOverrides,,,,,1,=,Medium
+V-63713,"Microsoft Edge","Configure Windows Defender SmartScreen",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,EnabledV9,,,,,1,=,Medium
+V-63699,"Microsoft Edge","Prevent bypassing Microsoft Defender SmartScreen prompts for sites",Registry,,HKLM:\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter,PreventOverride,,,,,1,=,Medium
+V-63729,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium
+V-63731,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium
+V-63733,"Administrative 
Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium
+V-63737,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium
+V-63741,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium
+V-63743,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
+V-63751,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
+V-77235,"Microsoft Defender Exploit Guard","Use a common set of exploit protection settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender ExploitGuard\Exploit Protection",ExploitProtectionSettings,,,,,,!=,Medium
+V-77235,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-77235,"Microsoft Defender Exploit Guard","Exploit protection: Override Relocate Images (ASLR) (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/ASLR/OverrideForceRelocateImages,,,,,,,False,=,Medium
+V-77235,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter 
(ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-77235,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-77235,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-77235,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-77235,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-77235,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-77235,"Microsoft Defender Exploit Guard","Exploit protection: ImageLoad: Override Block Remote Images (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/ImageLoad/OverrideBlockRemoteImageLoads,,,,,,,False,=,Medium
+V-77205,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (firefox.exe)",ProcessmitigationApplication,firefox.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-77205,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (firefox.exe)",ProcessmitigationApplication,firefox.exe/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-77209,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) 
(fltldr.exe)",ProcessmitigationApplication,fltldr.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-77209,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-77209,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-77209,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-77209,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-77209,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-77209,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-77209,"Microsoft Defender Exploit Guard","Exploit protection: ImageLoad: Override Block Remote Images (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/ImageLoad/OverrideBlockRemoteImageLoads,,,,,,,False,=,Medium
+V-77209,"Microsoft Defender Exploit Guard","Exploit protection: Child Process: Override Child Process (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/ChildProcess/OverrideChildProcess,,,,,,,False,=,Medium
+V-77213,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) 
(GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-77213,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-77213,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-77213,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-77213,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-77213,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-77213,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-77213,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-77213,"Microsoft Defender Exploit Guard","Exploit protection: ImageLoad: Override Block Remote Images (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/ImageLoad/OverrideBlockRemoteImageLoads,,,,,,,False,=,Medium
+V-77213,"Microsoft Defender Exploit Guard","Exploit protection: Child Process: Override Child Process 
(GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/ChildProcess/OverrideChildProcess,,,,,,,False,=,Medium
+V-77189,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-77189,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-77189,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-77189,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-77189,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-77189,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-77189,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-77189,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-77191,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) 
(AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-77191,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-77191,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-77191,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-77191,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-77191,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-77191,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-77191,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-77195,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (chrome.exe)",ProcessmitigationApplication,chrome.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-77201,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) 
(EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-77201,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-77201,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-77201,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-77201,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-77201,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-77201,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-77201,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-77217,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-77217,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) 
(iexplore.exe)",ProcessmitigationApplication,iexplore.exe/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium +V-77217,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-77217,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-77217,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-77217,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-77217,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-77217,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-77221,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium +V-77221,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium +V-77221,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter 
(INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-77221,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-77221,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-77221,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-77221,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-77221,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (java.exe)",ProcessmitigationApplication,java.exe/DEP/OverrideDEP,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (java.exe)",ProcessmitigationApplication,java.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (java.exe)",ProcessmitigationApplication,java.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable 
Import Address Filter (java.exe)",ProcessmitigationApplication,java.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (java.exe)",ProcessmitigationApplication,java.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (java.exe)",ProcessmitigationApplication,java.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (java.exe)",ProcessmitigationApplication,java.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (javaw.exe)",ProcessmitigationApplication,javaw.exe/DEP/OverrideDEP,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (javaw.exe)",ProcessmitigationApplication,javaw.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (javaw.exe)",ProcessmitigationApplication,javaw.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (javaw.exe)",ProcessmitigationApplication,javaw.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (javaw.exe)",ProcessmitigationApplication,javaw.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check 
(javaw.exe)",ProcessmitigationApplication,javaw.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (javaw.exe)",ProcessmitigationApplication,javaw.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (javaws.exe)",ProcessmitigationApplication,javaws.exe/DEP/OverrideDEP,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (javaws.exe)",ProcessmitigationApplication,javaws.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (javaws.exe)",ProcessmitigationApplication,javaws.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (javaws.exe)",ProcessmitigationApplication,javaws.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (javaws.exe)",ProcessmitigationApplication,javaws.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (javaws.exe)",ProcessmitigationApplication,javaws.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-77223,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (javaws.exe)",ProcessmitigationApplication,javaws.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-77227,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) 
(LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium +V-77227,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium +V-77227,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-77227,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-77227,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-77227,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-77227,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-77227,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-77231,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium +V-77231,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) 
(MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium +V-77231,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-77231,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-77231,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-77231,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-77231,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-77231,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-77233,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium +V-77233,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium +V-77233,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter 
(MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-77233,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-77233,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-77233,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-77233,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-77233,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-77239,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium +V-77239,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-77239,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-77239,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter 
(OIS.EXE)",ProcessmitigationApplication,OIS.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-77239,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-77239,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-77239,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-77243,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium +V-77243,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium +V-77243,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-77243,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-77243,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-77243,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot 
(OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-77243,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-77243,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-77245,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/DEP/OverrideDEP,,,,,,,False,=,Medium +V-77245,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-77245,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-77245,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-77245,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-77245,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium 
+V-77245,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-77247,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-77247,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-77247,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-77247,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-77247,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-77247,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-77247,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-77247,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-77249,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-77249,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-77249,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export AddressFilter (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-77249,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-77249,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-77249,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-77249,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-77249,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-77255,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-77255,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-77255,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export AddressFilter (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-77255,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-77255,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-77255,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-77255,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-77255,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-220898,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-220898,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-220898,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export AddressFilter (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-220898,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-220898,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-220898,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-220898,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-220898,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-77263,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-77263,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-77263,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-77263,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-77263,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-77263,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-77263,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-77263,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-77267,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-77267,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-77267,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-77267,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-77267,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-77267,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-77267,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-77269,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-77269,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-77269,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-77269,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-77269,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-77269,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-77269,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-63685,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium
+V-63685,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium
+V-74417,"Administrative Templates: Windows Components","Windows Game Recording and Broadcasting: Enables or disables Windows Game Recording and Broadcasting",Registry,,HKLM:\Software\Policies\Microsoft\Windows\GameDVR,AllowGameDVR,,,,1,0,=,Medium
+V-63717,"Administrative Templates: Windows Components","Windows Hello for Business: Use a hardware security device",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork,RequireSecurityDevice,,,,,1,=,Medium
+V-99561,"Administrative Templates: Windows Components","Windows Ink Workspace: Allow Windows Ink Workspace",Registry,,HKLM:\Software\Policies\Microsoft\WindowsInkWorkspace,AllowWindowsInkWorkspace,,,,1,0,=,Medium
+V-63321,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium
+V-63325,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,High
+V-63333,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium
+V-68819,PowerShell,"Turn on PowerShell Script Block Logging",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockLogging,,,,0,1,=,Medium
+V-230220,PowerShell,"Turn on PowerShell Transcription",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\Transcription,EnableTranscripting,,,,0,1,=,Medium
+V-63335,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,High
+V-63339,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium
+V-71763,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium
+V-63347,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,High
+V-63369,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium
+V-63375,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium
diff --git a/lists/finding_list_dod_microsoft_windows_10_stig_v2r1_user.csv b/lists/finding_list_dod_microsoft_windows_10_stig_v2r1_user.csv
new file mode 100644
index 0000000..acb2a94
--- /dev/null
+++ b/lists/finding_list_dod_microsoft_windows_10_stig_v2r1_user.csv
@@ -0,0 +1,5 @@
+ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity
+V-63839,"Administrative Templates: Start Menu and Taskbar","Notifications: Turn off toast notifications on the lock screen",Registry,,HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications,NoToastApplicationNotificationOnLockScreen,,,,0,1,=,Low
+V-99563,"Administrative Templates: Windows Components","Cloud Content: Do not suggest third-party content in Windows spotlight",Registry,,HKCU:\Software\Policies\Microsoft\Windows\CloudContent,DisableThirdPartySuggestions,,,,0,1,=,Low
+V-102617,"Administrative Templates: Windows Components","File Explorer: Explorer Frame Pane: Turn off Preview Pane",Registry,,HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoReadingPane,,,,,1,=,Medium
+V-102617,"Administrative Templates: Windows Components","File Explorer: Explorer Frame Pane: Turn on or off details pane",Registry,,HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoPreviewPane,,,,,1,=,Medium
diff --git a/lists/finding_list_dod_microsoft_windows_server_2019_dc_stig_v2r1_machine.csv b/lists/finding_list_dod_microsoft_windows_server_2019_dc_stig_v2r1_machine.csv
new file mode 100644
index 0000000..fd80756
--- /dev/null
+++ b/lists/finding_list_dod_microsoft_windows_server_2019_dc_stig_v2r1_machine.csv
@@ -0,0 +1,361 @@
+ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity
+V-93479,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,=,Medium
+V-93477,"Account Policies","Maximum password age",accountpolicy,,,,,,,42,60,=,Medium
+V-93471,"Account Policies","Minimum password age",accountpolicy,,,,,,,0,1,=,Medium
+V-93463,"Account Policies","Minimum password length",accountpolicy,,,,,,,0,14,=,Medium
+V-93459,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium
+V-93465,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High
+V-93145,"Account Policies","Account lockout duration",accountpolicy,,,,,,,30,15,=,Medium
+V-93141,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,3,=,Medium
+V-93143,"Account Policies","Reset account lockout counter",accountpolicy,,,,,,,30,15,=,Medium
+V-93049,"User Rights Assignment","Access Credential Manager as a trusted caller",accesschk,SeTrustedCredManAccessPrivilege,,,,,,,,=,Medium
+V-93007,"User Rights Assignment","Access this computer from the network",accesschk,SeNetworkLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;Everyone","BUILTIN\Remote Desktop Users;BUILTIN\Administrators;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS",=,Medium
+V-93051,"User Rights Assignment","Act as part of the operating system",accesschk,SeTcbPrivilege,,,,,,,,=,High
+V-93039,"User Rights Assignment","Add workstations to domain (DC)",accesschk,SeMachineAccountPrivilege,,,,,,"NT AUTHORITY\Authenticated Users",BUILTIN\Administrators,=,Medium
+V-93017,"User Rights Assignment","Allow log on locally",accesschk,SeInteractiveLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;COMPUTERNAME\Guest",BUILTIN\Administrators,=,Medium
+V-92997,"User Rights Assignment","Allow log on through Remote Desktop Services (DC)",accesschk,SeRemoteInteractiveLogonRight,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93053,"User Rights Assignment","Back up files and directories",accesschk,SeBackupPrivilege,,,,,,"BUILTIN\Administrators;BUILTIN\Backup Operators",BUILTIN\Administrators,=,Medium
+V-93055,"User Rights Assignment","Create a pagefile",accesschk,SeCreatePagefilePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93057,"User Rights Assignment","Create a token object",accesschk,SeCreateTokenPrivilege,,,,,,,,=,High
+V-93059,"User Rights Assignment","Create global objects",accesschk,SeCreateGlobalPrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium
+V-93061,"User Rights Assignment","Create permanent shared objects",accesschk,SeCreatePermanentPrivilege,,,,,,,,=,Medium
+V-93063,"User Rights Assignment","Create symbolic links",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93065,"User Rights Assignment","Debug programs",accesschk,SeDebugPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,High
+V-93009,"User Rights Assignment","Deny access to this computer from the network",accesschk,SeDenyNetworkLogonRight,,,,,,COMPUTERNAME\Guest,BUILTIN\Guests,=,Medium
+V-93011,"User Rights Assignment","Deny log on as a batch job",accesschk,SeDenyBatchLogonRight,,,,,,,BUILTIN\Guests,=,Medium
+V-93013,"User Rights Assignment","Deny log on as a service",accesschk,SeDenyServiceLogonRight,,,,,,,"",=,Medium
+V-93015,"User Rights Assignment","Deny log on locally",accesschk,SeDenyInteractiveLogonRight,,,,,,BUILTIN\Guests,BUILTIN\Guests,=,Medium
+V-92963,"User Rights Assignment","Deny log on through Remote Desktop Services",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,BUILTIN\Guests,=,Medium
+V-93047,"User Rights Assignment","Enable computer and user accounts to be trusted for delegation",accesschk,SeEnableDelegationPrivilege,,,,,,,BUILTIN\Administrators,=,Medium
+V-93067,"User Rights Assignment","Force shutdown from a remote system",accesschk,SeRemoteShutdownPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93069,"User Rights Assignment","Generate security audits",accesschk,SeAuditPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium
+V-93071,"User Rights Assignment","Impersonate a client after authentication",accesschk,SeImpersonatePrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium
+V-93073,"User Rights Assignment","Increase scheduling priority",accesschk,SeIncreaseBasePriorityPrivilege,,,,,,"Window Manager\Window Manager Group;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium
+V-93075,"User Rights Assignment","Load and unload device drivers",accesschk,SeLoadDriverPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93077,"User Rights Assignment","Lock pages in memory",accesschk,SeLockMemoryPrivilege,,,,,,,,=,Medium
+V-93197,"User Rights Assignment","Manage auditing and security log",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93079,"User Rights Assignment","Modify firmware environment values",accesschk,SeSystemEnvironmentPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93081,"User Rights Assignment","Perform volume maintenance tasks",accesschk,SeManageVolumePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93083,"User Rights Assignment","Profile single process",accesschk,SeProfileSingleProcessPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93085,"User Rights Assignment","Restore files and directories",accesschk,SeRestorePrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium
+V-93087,"User Rights Assignment","Take ownership of files or other objects",accesschk,SeTakeOwnershipPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93497,"Security Options","Accounts: Guest account status",localaccount,501,,,,,,False,False,=,Medium
+V-93279,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,High
+V-93281,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,X_Admin,=,Medium
+V-93283,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Visitor,=,Medium
+V-93545,"Security Options","Domain controller: LDAP server signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\NTDS\Parameters,LDAPServerIntegrity,,,,1,2,=,Medium
+V-93273,"Security Options","Domain controller: Refuse machine account password changes (DC)",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters,RefusePasswordChange,,,,1,0,=,Medium
+V-93151,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Medium
+V-93547,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium
+V-93549,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium
+V-93551,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium
+V-93455,"Security Options","Domain member: Disable machine account password changes",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange,,,,0,0,=,Low
+V-93285,"Security Options","Domain member: Maximum machine account password age",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,,,,30,30,=,Low
+V-93553,"Security Options","Domain member: Require strong (Windows 2000 or later) session key",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,,,,1,1,=,Medium
+V-92961,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,=,Medium
+V-93147,"Security Options","Interactive logon: Message text for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeText,,,,,"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only., By using this IS (which includes any device attached to this IS), you consent to the following conditions:, -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations., -At any time, the USG may inspect and seize data stored on this IS., -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose., -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy., -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.",=,Medium
+V-93149,"Security Options","Interactive logon: Message title for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeCaption,,,,,"US Department of Defense Warning Statement",=,Low
+V-93287,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Medium
+V-93555,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium
+V-93557,"Security Options","Microsoft network client: Digitally sign communications (if server agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnableSecuritySignature,,,,1,1,=,Medium
+V-93469,"Security Options","Microsoft network client: Send unencrypted password to third-party SMB servers",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnablePlainTextPassword,,,,0,0,=,Medium
+V-93559,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium
+V-93561,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium
+V-93289,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,High
+V-93291,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,High
+V-93537,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,High
+V-93293,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium
+V-93539,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,High
+V-93045,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium
+V-93295,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium
+V-93297,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium
+V-93299,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium
+V-93495,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,=,Medium
+V-93467,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High
+V-93301,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,High
+V-93303,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium
+V-93305,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium
+V-93307,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium
+V-93493,"Security Options","System cryptography: Force strong key protection for user keys stored on the computer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography,ForceKeyProtection,,,,,1,=,Medium
+V-93511,"Security Options","System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy,Enabled,,,,,1,=,Medium
+V-93309,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Low
+V-93431,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium
+V-93521,"Security Options","User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableUIADesktopToggle,,,,,0,=,Medium
+V-93523,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,0,2,=,Medium
+V-93433,"Security Options","User Account Control: Behavior of the elevation prompt for standard users",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorUser,,,,0,0,=,Medium
+V-93525,"Security Options","User Account Control: Detect application installations and prompt for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableInstallerDetection,,,,1,1,=,Medium
+V-93527,"Security Options","User Account Control: Only elevate UIAccess applications that are installed in secure locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableSecureUIAPaths,,,,1,1,=,Medium
+V-93435,"Security Options","User Account Control: Run all administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,,,,1,1,=,Medium
+V-93529,"Security Options","User Account Control: Virtualize file and registry write failures to per-user locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableVirtualization,,,,1,1,=,Medium
+"V-93153 / V-93155","Advanced Audit Policy Configuration","Credential Validation",auditpol,,,,,,,"No Auditing","Success and Failure",=,Medium
+V-92985,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,,,,,,,,Success,contains,Medium
+V-93089,"Advanced Audit Policy Configuration","Other Account Management Events",auditpol,,,,,,,,Success,contains,Medium
+V-92979,"Advanced Audit Policy Configuration","Security Group Management",auditpol,,,,,,,Success,Success,contains,Medium
+"V-92981 / V-92983","Advanced Audit Policy Configuration","User Account Management",auditpol,,,,,,,Success,"Success and Failure",=,Medium
+V-93157,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,,,,,,,"No Auditing",Success,contains,Medium
+V-93091,"Advanced Audit Policy Configuration","Process Creation",auditpol,,,,,,,"No Auditing",Success,contains,Medium
+"V-93133 / V-93135","Advanced Audit Policy Configuration","Directory Service Access",auditpol,,,,,,,,"Success and Failure",=,Medium
+"V-93137 / V-93139","Advanced Audit Policy Configuration","Directory Service Changes",auditpol,,,,,,,,"Success and Failure",=,Medium
+V-92989,"Advanced Audit Policy Configuration","Account Lockout",auditpol,,,,,,,Success,Failure,contains,Medium
+V-93159,"Advanced Audit Policy Configuration","Group Membership",auditpol,,,,,,,"No Auditing",Success,contains,Medium
+V-93171,"Advanced Audit Policy Configuration",Logoff,auditpol,,,,,,,Success,Success,contains,Medium
+"V-92967 / V-92969","Advanced Audit Policy Configuration",Logon,auditpol,,,,,,,"Success and Failure","Success and Failure",=,Medium
+V-93161,"Advanced Audit Policy Configuration","Special Logon",auditpol,,,,,,,Success,Success,contains,Medium
+"V-93163 / V-93165","Advanced Audit Policy Configuration","Other Object Access Events",auditpol,,,,,,,"No Auditing","Success and Failure",=,Medium
+"V-93167 / V-93169","Advanced Audit Policy Configuration","Removable Storage",auditpol,,,,,,,"No Auditing","Success and Failure",=,Medium
+"V-93095 / V-93099","Advanced Audit Policy Configuration","Audit Policy Change",auditpol,,,,,,,Success,"Success and Failure",=,Medium
+V-93097,"Advanced Audit Policy Configuration","Authentication Policy Change",auditpol,,,,,,,Success,Success,contains,Medium
+V-93099,"Advanced Audit Policy Configuration","Authorization Policy Change",auditpol,,,,,,,"No Auditing",Success,contains,Medium
+"V-93101 / V-93103","Advanced Audit Policy Configuration","Sensitive Privilege Use",auditpol,,,,,,,"No Auditing","Success and Failure",=,Medium
+"V-93105 / V-93107","Advanced Audit Policy Configuration","IPsec Driver",auditpol,,,,,,,"No Auditing","Success and Failure",=,Medium
+"V-93109 / V-93111","Advanced Audit Policy Configuration","Other System Events",auditpol,,,,,,,"Success and Failure","Success and Failure",=,Medium
+V-93113,"Advanced Audit Policy Configuration","Security State Change",auditpol,,,,,,,Success,Success,contains,Medium
+V-93115,"Advanced Audit Policy Configuration","Security System Extension",auditpol,,,,,,,"No Auditing",Success,contains,Medium
+"V-93117 / V-93119","Advanced Audit Policy Configuration","System Integrity",auditpol,,,,,,,"Success and Failure","Success and Failure",=,Medium
+V-93399,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low
+V-93395,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
+V-93393,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
+V-93401,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,,0,=,Medium
+V-93233,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Low
+V-93235,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Low
+V-93237,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Low
+V-93541,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Low
+V-93239,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
+V-93241,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+V-93241,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+V-93173,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium
+V-93243,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+V-93245,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Low
+V-93245,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,1,=,Low
+V-93245,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Low
+V-93229,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,0,=,Low
+V-93277,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,3,=,High
+V-93251,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Medium
+V-93251,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Medium
+V-93403,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off downloading of print drivers over HTTP",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",DisableWebPnPDownload,,,,0,1,=,Medium
+V-93403,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off printing over HTTP",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers",DisableHTTPPrinting,,,,0,1,=,Medium
+V-93407,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Medium
+V-93253,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,DCSettingIndex,,,,0,1,=,Medium
+V-93255,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex,,,,0,1,=,Medium
+V-93409,"Administrative Templates: Windows Components","Application Compatibility: Turn off Inventory Collector",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat,DisableInventory,,,,0,1,=,Low
+V-93373,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,High
+V-93375,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,High
+V-93377,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,High
+V-93517,"Administrative Templates: Windows Components","Credential User Interface: Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium
+V-93257,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,=,Medium
+V-93259,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,3,2,=,Medium
+V-93177,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium
+V-93179,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium
+V-93181,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium
+V-93425,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium
+V-93533,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium
+V-93427,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium
+V-92971,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium
+V-92973,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium +V-93265,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium +V-93415,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium +V-93349,"Microsoft Defender Exploit Guard","Use a common set of exploit protection settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender ExploitGuard\Exploit Protection",ExploitProtectionSettings,,,,,,!=,Medium +V-93349,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium +V-93349,"Microsoft Defender Exploit Guard","Exploit protection: Override Relocate Images (ASLR) (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/ASLR/OverrideForceRelocateImages,,,,,,,False,=,Medium +V-93349,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-93349,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-93349,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter 
(ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-93349,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-93349,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-93349,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-93349,"Microsoft Defender Exploit Guard","Exploit protection: ImageLoad: Override Block Remote Images (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/ImageLoad/OverrideBlockRemoteImageLoads,,,,,,,False,=,Medium +V-93329,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (firefox.exe)",ProcessmitigationApplication,firefox.exe/DEP/OverrideDEP,,,,,,,False,=,Medium +V-93329,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (firefox.exe)",ProcessmitigationApplication,firefox.exe/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium +V-93331,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/DEP/OverrideDEP,,,,,,,False,=,Medium +V-93331,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-93331,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus 
(fltldr.exe)",ProcessmitigationApplication,fltldr.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93331,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93331,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93331,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93331,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93331,"Microsoft Defender Exploit Guard","Exploit protection: ImageLoad: Override Block Remote Images (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/ImageLoad/OverrideBlockRemoteImageLoads,,,,,,,False,=,Medium
+V-93331,"Microsoft Defender Exploit Guard","Exploit protection: Child Process: Override Child Process (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/ChildProcess/OverrideChildProcess,,,,,,,False,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter 
(GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: ImageLoad: Override Block Remote Images (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/ImageLoad/OverrideBlockRemoteImageLoads,,,,,,,False,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: Child Process: Override Child Process (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/ChildProcess/OverrideChildProcess,,,,,,,False,=,Medium
+V-93321,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93321,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) 
(Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93321,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93321,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93321,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93321,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93321,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93321,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93323,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93323,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93323,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter 
(AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93323,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93323,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93323,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93323,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93323,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93325,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (chrome.exe)",ProcessmitigationApplication,chrome.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93327,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93327,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93327,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter 
(EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93327,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93327,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93327,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93327,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93327,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93335,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93335,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93335,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93335,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus 
(iexplore.exe)",ProcessmitigationApplication,iexplore.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93335,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93335,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93335,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93335,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93337,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93337,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93337,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93337,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93337,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import 
Address Filter (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93337,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93337,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93337,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (java.exe)",ProcessmitigationApplication,java.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (java.exe)",ProcessmitigationApplication,java.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (java.exe)",ProcessmitigationApplication,java.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (java.exe)",ProcessmitigationApplication,java.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (java.exe)",ProcessmitigationApplication,java.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check 
(java.exe)",ProcessmitigationApplication,java.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (java.exe)",ProcessmitigationApplication,java.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (javaw.exe)",ProcessmitigationApplication,javaw.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (javaw.exe)",ProcessmitigationApplication,javaw.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (javaw.exe)",ProcessmitigationApplication,javaw.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (javaw.exe)",ProcessmitigationApplication,javaw.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (javaw.exe)",ProcessmitigationApplication,javaw.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (javaw.exe)",ProcessmitigationApplication,javaw.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (javaw.exe)",ProcessmitigationApplication,javaw.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) 
(javaws.exe)",ProcessmitigationApplication,javaws.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (javaws.exe)",ProcessmitigationApplication,javaws.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (javaws.exe)",ProcessmitigationApplication,javaws.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (javaws.exe)",ProcessmitigationApplication,javaws.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (javaws.exe)",ProcessmitigationApplication,javaws.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (javaws.exe)",ProcessmitigationApplication,javaws.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (javaws.exe)",ProcessmitigationApplication,javaws.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93341,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93341,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93341,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter 
(LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93341,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93341,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93341,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93341,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93341,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93343,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93343,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93343,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93343,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus 
(MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93343,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93343,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93343,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93343,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93345,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93345,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93345,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93345,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93345,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter 
(MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93345,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93345,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93345,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93347,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93347,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93347,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93347,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93347,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93347,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check 
(OIS.EXE)",ProcessmitigationApplication,OIS.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93347,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93351,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93351,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93351,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93351,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93351,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93351,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93351,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93351,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec 
(OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93353,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93353,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93353,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93353,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93353,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93353,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93353,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93355,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93355,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93355,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93355,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93355,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93355,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93355,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93355,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93357,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93357,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93357,"Microsoft 
Defender Exploit Guard","Exploit protection: Payload: Override Enable Export AddressFilter (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93357,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93357,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93357,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93357,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93357,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93359,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93359,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93359,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export AddressFilter (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93359,"Microsoft Defender Exploit 
Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93359,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93359,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93359,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93359,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93361,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93361,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93361,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export AddressFilter (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93361,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93361,"Microsoft Defender Exploit Guard","Exploit 
protection: Payload: Override Enable Import Address Filter (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-93361,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-93361,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-93361,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-93363,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium +V-93363,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium +V-93363,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-93363,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-93363,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-93363,"Microsoft Defender Exploit Guard","Exploit 
protection: Payload: Override Enable ROP Stack Pivot (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-93363,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-93363,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-93365,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/DEP/OverrideDEP,,,,,,,False,=,Medium +V-93365,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-93365,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-93365,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-93365,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-93365,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-93365,"Microsoft Defender Exploit 
Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-93367,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/DEP/OverrideDEP,,,,,,,False,=,Medium +V-93367,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-93367,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-93367,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-93367,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-93367,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-93367,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-93411,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium +V-93411,"Administrative Templates: Windows Components","File 
Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium +V-93199,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium +V-93201,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,High +V-93269,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium +V-93175,PowerShell,"Turn on PowerShell Script Block Logging",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockLogging,,,,0,1,=,Medium +V-93503,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,High +V-93499,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium +V-93505,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium +V-93507,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,High +V-93501,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted 
traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium +V-93429,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium diff --git a/lists/finding_list_dod_microsoft_windows_server_2019_dc_stig_v2r1_user.csv b/lists/finding_list_dod_microsoft_windows_server_2019_dc_stig_v2r1_user.csv new file mode 100644 index 0000000..b60d65d --- /dev/null +++ b/lists/finding_list_dod_microsoft_windows_server_2019_dc_stig_v2r1_user.csv @@ -0,0 +1,3 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +V-102625,"Administrative Templates: Windows Components","File Explorer: Explorer Frame Pane: Turn off Preview Pane",Registry,,HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoReadingPane,,,,,1,=,Medium +V-102625,"Administrative Templates: Windows Components","File Explorer: Explorer Frame Pane: Turn on or off details pane",Registry,,HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoPreviewPane,,,,,1,=,Medium diff --git a/lists/finding_list_dod_microsoft_windows_server_2019_member_stig_v2r1_machine.csv b/lists/finding_list_dod_microsoft_windows_server_2019_member_stig_v2r1_machine.csv new file mode 100644 index 0000000..b4e6d51 --- /dev/null +++ b/lists/finding_list_dod_microsoft_windows_server_2019_member_stig_v2r1_machine.csv 
@@ -0,0 +1,357 @@
+ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity
+V-93479,"Account Policies","Length of password history maintained",accountpolicy,,,,,,,None,24,=,Medium
+V-93477,"Account Policies","Maximum password age",accountpolicy,,,,,,,42,60,=,Medium
+V-93471,"Account Policies","Minimum password age",accountpolicy,,,,,,,0,1,=,Medium
+V-93463,"Account Policies","Minimum password length",accountpolicy,,,,,,,0,14,=,Medium
+V-93459,"Account Policies","Password must meet complexity requirements",secedit,"System Access\PasswordComplexity",,,,,,0,1,=,Medium
+V-93465,"Account Policies","Store passwords using reversible encryption",secedit,"System Access\ClearTextPassword",,,,,,0,0,=,High
+V-93145,"Account Policies","Account lockout duration",accountpolicy,,,,,,,30,15,=,Medium
+V-93141,"Account Policies","Account lockout threshold",accountpolicy,,,,,,,Never,3,=,Medium
+V-93143,"Account Policies","Reset account lockout counter",accountpolicy,,,,,,,30,15,=,Medium
+V-93049,"User Rights Assignment","Access Credential Manager as a trusted caller",accesschk,SeTrustedCredManAccessPrivilege,,,,,,,,=,Medium
+V-93007,"User Rights Assignment","Access this computer from the network",accesschk,SeNetworkLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;Everyone","BUILTIN\Remote Desktop Users;BUILTIN\Administrators",=,Medium
+V-93051,"User Rights Assignment","Act as part of the operating system",accesschk,SeTcbPrivilege,,,,,,,,=,High
+V-93017,"User Rights Assignment","Allow log on locally",accesschk,SeInteractiveLogonRight,,,,,,"BUILTIN\Backup Operators;BUILTIN\Users;BUILTIN\Administrators;COMPUTERNAME\Guest",BUILTIN\Administrators,=,Medium
+V-93053,"User Rights Assignment","Back up files and directories",accesschk,SeBackupPrivilege,,,,,,"BUILTIN\Administrators;BUILTIN\Backup Operators",BUILTIN\Administrators,=,Medium
+V-93055,"User Rights Assignment","Create a pagefile",accesschk,SeCreatePagefilePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93057,"User Rights Assignment","Create a token object",accesschk,SeCreateTokenPrivilege,,,,,,,,=,High
+V-93059,"User Rights Assignment","Create global objects",accesschk,SeCreateGlobalPrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium
+V-93061,"User Rights Assignment","Create permanent shared objects",accesschk,SeCreatePermanentPrivilege,,,,,,,,=,Medium
+V-93063,"User Rights Assignment","Create symbolic links",accesschk,SeCreateSymbolicLinkPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93065,"User Rights Assignment","Debug programs",accesschk,SeDebugPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,High
+V-93009,"User Rights Assignment","Deny access to this computer from the network",accesschk,SeDenyNetworkLogonRight,,,,,,COMPUTERNAME\Guest,"Guest;NT AUTHORITY\Local account;Domain Admins;Enterprise Admins",=,Medium
+V-93011,"User Rights Assignment","Deny log on as a batch job",accesschk,SeDenyBatchLogonRight,,,,,,,"Domain Admins;Enterprise Admins",=,Medium
+V-93013,"User Rights Assignment","Deny log on as a service",accesschk,SeDenyServiceLogonRight,,,,,,,"Domain Admins;Enterprise Admins",=,Medium
+V-93015,"User Rights Assignment","Deny log on locally",accesschk,SeDenyInteractiveLogonRight,,,,,,BUILTIN\Guests,"BUILTIN\Guests;Domain Admins;Enterprise Admins",=,Medium
+V-92963,"User Rights Assignment","Deny log on through Remote Desktop Services",accesschk,SeDenyRemoteInteractiveLogonRight,,,,,,,"NT AUTHORITY\Local account;BUILTIN\Guests;Domain Admins;Enterprise Admins",=,Medium
+V-93047,"User Rights Assignment","Enable computer and user accounts to be trusted for delegation",accesschk,SeEnableDelegationPrivilege,,,,,,,"",=,Medium
+V-93067,"User Rights Assignment","Force shutdown from a remote system",accesschk,SeRemoteShutdownPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93069,"User Rights Assignment","Generate security audits",accesschk,SeAuditPrivilege,,,,,,"NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium
+V-93071,"User Rights Assignment","Impersonate a client after authentication",accesschk,SeImpersonatePrivilege,,,,,,"NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE","NT AUTHORITY\SERVICE;BUILTIN\Administrators;NT AUTHORITY\NETWORK SERVICE;NT AUTHORITY\LOCAL SERVICE",=,Medium
+V-93073,"User Rights Assignment","Increase scheduling priority",accesschk,SeIncreaseBasePriorityPrivilege,,,,,,"Window Manager\Window Manager Group;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium
+V-93075,"User Rights Assignment","Load and unload device drivers",accesschk,SeLoadDriverPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93077,"User Rights Assignment","Lock pages in memory",accesschk,SeLockMemoryPrivilege,,,,,,,,=,Medium
+V-93197,"User Rights Assignment","Manage auditing and security log",accesschk,SeSecurityPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93079,"User Rights Assignment","Modify firmware environment values",accesschk,SeSystemEnvironmentPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93081,"User Rights Assignment","Perform volume maintenance tasks",accesschk,SeManageVolumePrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93083,"User Rights Assignment","Profile single process",accesschk,SeProfileSingleProcessPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93085,"User Rights Assignment","Restore files and directories",accesschk,SeRestorePrivilege,,,,,,"BUILTIN\Backup Operators;BUILTIN\Administrators",BUILTIN\Administrators,=,Medium
+V-93087,"User Rights Assignment","Take ownership of files or other objects",accesschk,SeTakeOwnershipPrivilege,,,,,,BUILTIN\Administrators,BUILTIN\Administrators,=,Medium
+V-93497,"Security Options","Accounts: Guest account status",localaccount,501,,,,,,False,False,=,Medium
+V-93279,"Security Options","Accounts: Limit local account use of blank passwords to console logon only",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LimitBlankPasswordUse,,,,1,1,=,High
+V-93281,"Security Options","Accounts: Rename administrator account",localaccount,500,,,,,,Administrator,X_Admin,=,Medium
+V-93283,"Security Options","Accounts: Rename guest account",localaccount,501,,,,,,Guest,Visitor,=,Medium
+V-93151,"Security Options","Audit: Force audit policy subcategory settings to override audit policy category settings",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,SCENoApplyLegacyAuditPolicy,,,,"",1,=,Medium
+V-93547,"Security Options","Domain member: Digitally encrypt or sign secure channel data (always)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireSignOrSeal,,,,1,1,=,Medium
+V-93549,"Security Options","Domain member: Digitally encrypt secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SealSecureChannel,,,,1,1,=,Medium
+V-93551,"Security Options","Domain member: Digitally sign secure channel data (when possible)",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,SignSecureChannel,,,,1,1,=,Medium
+V-93455,"Security Options","Domain member: Disable machine account password changes",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,DisablePasswordChange,,,,0,0,=,Low
+V-93285,"Security Options","Domain member: Maximum machine account password age",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,MaximumPasswordAge,,,,30,30,=,Low
+V-93553,"Security Options","Domain member: Require strong (Windows 2000 or later) session key",Registry,,HKLM:\System\CurrentControlSet\Services\Netlogon\Parameters,RequireStrongKey,,,,1,1,=,Medium
+V-92961,"Security Options","Interactive logon: Machine inactivity limit",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,InactivityTimeoutSecs,,,,900,900,=,Medium
+V-93147,"Security Options","Interactive logon: Message text for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeText,,,,,"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only., By using this IS (which includes any device attached to this IS), you consent to the following conditions:, -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations., -At any time, the USG may inspect and seize data stored on this IS., -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose., -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy., -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.",=,Medium
+V-93149,"Security Options","Interactive logon: Message title for users attempting to log on",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LegalNoticeCaption,,,,,"US Department of Defense Warning Statement",=,Low
+V-93287,"Security Options","Interactive logon: Smart card removal behavior",Registry,,"HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",ScRemoveOption,,,,0,1,=,Medium
+V-93555,"Security Options","Microsoft network client: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,RequireSecuritySignature,,,,0,1,=,Medium
+V-93557,"Security Options","Microsoft network client: Digitally sign communications (if server agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnableSecuritySignature,,,,1,1,=,Medium
+V-93469,"Security Options","Microsoft network client: Send unencrypted password to third-party SMB servers",Registry,,HKLM:\System\CurrentControlSet\Services\LanmanWorkstation\Parameters,EnablePlainTextPassword,,,,0,0,=,Medium
+V-93559,"Security Options","Microsoft network server: Digitally sign communications (always)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RequireSecuritySignature,,,,0,1,=,Medium
+V-93561,"Security Options","Microsoft network server: Digitally sign communications (if client agrees)",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,EnableSecuritySignature,,,,0,1,=,Medium
+V-93289,"Security Options","Network access: Allow anonymous SID/Name translation",secedit,"System Access\LSAAnonymousNameLookup",,,,,,0,0,=,High
+V-93291,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymousSAM,,,,1,1,=,High
+V-93537,"Security Options","Network access: Do not allow anonymous enumeration of SAM accounts and shares",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictAnonymous,,,,0,1,=,High
+V-93293,"Security Options","Network access: Let Everyone permissions apply to anonymous users",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,EveryoneIncludesAnonymous,,,,0,0,=,Medium
+V-93539,"Security Options","Network access: Restrict anonymous access to Named Pipes and Shares",Registry,,HKLM:\System\CurrentControlSet\Services\LanManServer\Parameters,RestrictNullSessAccess,,,,1,1,=,High
+V-93045,"Security Options","Network access: Restrict clients allowed to make remote calls to SAM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,RestrictRemoteSAM,,,,,O:BAG:BAD:(A;;RC;;;BA),=,Medium
+V-93295,"Security Options","Network security: Allow Local System to use computer identity for NTLM",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,UseMachineId,,,,,1,=,Medium
+V-93297,"Security Options","Network security: Allow LocalSystem NULL session fallback",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,allownullsessionfallback,,,,0,0,=,Medium
+V-93299,"Security Options","Network security: Allow PKU2U authentication requests to this computer to use online identities",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\pku2u,AllowOnlineID,,,,,0,=,Medium
+V-93495,"Security Options","Network security: Configure encryption types allowed for Kerberos",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters,SupportedEncryptionTypes,,,,,2147483640,=,Medium
+V-93467,"Security Options","Network security: Do not store LAN Manager hash value on next password change",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,NoLMHash,,,,1,1,=,High
+V-93301,"Security Options","Network security: LAN Manager authentication level",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa,LmCompatibilityLevel,,,,3,5,=,High
+V-93303,"Security Options","Network security: LDAP client signing requirements",Registry,,HKLM:\System\CurrentControlSet\Services\LDAP,LDAPClientIntegrity,,,,1,1,>=,Medium
+V-93305,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) clients",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinClientSec,,,,536870912,537395200,=,Medium
+V-93307,"Security Options","Network security: Minimum session security for NTLM SSP based (including secure RPC) servers",Registry,,HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0,NTLMMinServerSec,,,,536870912,537395200,=,Medium
+V-93493,"Security Options","System cryptography: Force strong key protection for user keys stored on the computer",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Cryptography,ForceKeyProtection,,,,,1,=,Medium
+V-93511,"Security Options","System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy,Enabled,,,,,1,=,Medium
+V-93309,"Security Options","System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)",Registry,,"HKLM:\System\CurrentControlSet\Control\Session Manager",ProtectionMode,,,,1,1,=,Low
+V-93431,"Security Options","User Account Control: Admin Approval Mode for the Built-in Administrator account",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,FilterAdministratorToken,,,,0,1,=,Medium
+V-93521,"Security Options","User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableUIADesktopToggle,,,,,0,=,Medium
+V-93523,"Security Options","User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorAdmin,,,,0,2,=,Medium
+V-93433,"Security Options","User Account Control: Behavior of the elevation prompt for standard users",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,ConsentPromptBehaviorUser,,,,0,0,=,Medium
+V-93525,"Security Options","User Account Control: Detect application installations and prompt for elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableInstallerDetection,,,,1,1,=,Medium
+V-93527,"Security Options","User Account Control: Only elevate UIAccess applications that are installed in secure locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableSecureUIAPaths,,,,1,1,=,Medium
+V-93435,"Security Options","User Account Control: Run all administrators in Admin Approval Mode",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableLUA,,,,1,1,=,Medium
+V-93529,"Security Options","User Account Control: Virtualize file and registry write failures to per-user locations",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,EnableVirtualization,,,,1,1,=,Medium
+"V-93153 / V-93155","Advanced Audit Policy Configuration","Credential Validation",auditpol,,,,,,,"No Auditing","Success and Failure",=,Medium
+V-92985,"Advanced Audit Policy Configuration","Computer Account Management",auditpol,,,,,,,,Success,contains,Medium
+V-92979,"Advanced Audit Policy Configuration","Security Group Management",auditpol,,,,,,,Success,Success,contains,Medium
+"V-92981 / V-92983","Advanced Audit Policy Configuration","User Account Management",auditpol,,,,,,,Success,"Success and Failure",=,Medium
+V-93157,"Advanced Audit Policy Configuration","Plug and Play Events",auditpol,,,,,,,"No Auditing",Success,contains,Medium
+V-93091,"Advanced Audit Policy Configuration","Process Creation",auditpol,,,,,,,"No Auditing",Success,contains,Medium
+V-92989,"Advanced Audit Policy Configuration","Account Lockout",auditpol,,,,,,,Success,Failure,contains,Medium
+V-93159,"Advanced Audit Policy Configuration","Group Membership",auditpol,,,,,,,"No Auditing",Success,contains,Medium
+V-93171,"Advanced Audit Policy Configuration",Logoff,auditpol,,,,,,,Success,Success,contains,Medium
+"V-92967 / V-92969","Advanced Audit Policy Configuration",Logon,auditpol,,,,,,,"Success and Failure","Success and Failure",=,Medium
+V-93161,"Advanced Audit Policy Configuration","Special Logon",auditpol,,,,,,,Success,Success,contains,Medium
+"V-93163 / V-93165","Advanced Audit Policy Configuration","Other Object Access Events",auditpol,,,,,,,"No Auditing","Success and Failure",=,Medium
+"V-93167 / V-93169","Advanced Audit Policy Configuration","Removable Storage",auditpol,,,,,,,"No Auditing","Success and Failure",=,Medium
+"V-93095 / V-93099","Advanced Audit Policy Configuration","Audit Policy Change",auditpol,,,,,,,Success,"Success and Failure",=,Medium
+V-93097,"Advanced Audit Policy Configuration","Authentication Policy Change",auditpol,,,,,,,Success,Success,contains,Medium
+V-93099,"Advanced Audit Policy Configuration","Authorization Policy Change",auditpol,,,,,,,"No Auditing",Success,contains,Medium
+"V-93101 / V-93103","Advanced Audit Policy Configuration","Sensitive Privilege Use",auditpol,,,,,,,"No Auditing","Success and Failure",=,Medium
+"V-93105 / V-93107","Advanced Audit Policy Configuration","IPsec Driver",auditpol,,,,,,,"No Auditing","Success and Failure",=,Medium
+"V-93109 / V-93111","Advanced Audit Policy Configuration","Other System Events",auditpol,,,,,,,"Success and Failure","Success and Failure",=,Medium
+V-93113,"Advanced Audit Policy Configuration","Security State Change",auditpol,,,,,,,Success,Success,contains,Medium
+V-93115,"Advanced Audit Policy Configuration","Security System Extension",auditpol,,,,,,,"No Auditing",Success,contains,Medium
+"V-93117 / V-93119","Advanced Audit Policy Configuration","System Integrity",auditpol,,,,,,,"Success and Failure","Success and Failure",=,Medium
+V-93399,"Administrative Templates: Control Panel","Personalization: Prevent enabling lock screen slide",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Personalization,NoLockScreenSlideshow,,,,0,1,=,Low
+V-93519,"MS Security Guide","Apply UAC restrictions to local accounts on network logons (Member)",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,LocalAccountTokenFilterPolicy,,,,,0,=,Medium
+V-93395,"MS Security Guide","Configure SMB v1 client driver",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10,Start,,,,,4,=,Medium
+V-93393,"MS Security Guide","Configure SMB v1 server",Registry,,HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters,SMB1,,,,,0,=,Medium
+V-93401,"MS Security Guide","WDigest Authentication",Registry,,HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest,UseLogonCredential,,,,,0,=,Medium
+V-93233,"MSS (Legacy)","MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip6\Parameters,DisableIPSourceRouting,,,,,2,=,Low
+V-93235,"MSS (Legacy)","MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,DisableIPSourceRouting,,,,,2,=,Low
+V-93237,"MSS (Legacy)","MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes",Registry,,HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters,EnableICMPRedirect,,,,,0,=,Low
+V-93541,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Low
+V-93239,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
+V-93241,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+V-93241,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+V-93173,"Administrative Templates: System","Audit Process Creation: Include command line in process creation events",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit,ProcessCreationIncludeCmdLine_Enabled,,,,0,0,=,Medium
+V-93243,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
+V-93245,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Low
+V-93245,"Administrative Templates: System","Device Guard: Select Platform Security Level (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,RequirePlatformSecurityFeatures,,,,,1,=,Low
+V-93245,"Administrative Templates: System","Device Guard: Virtualization Based Protection of Code Integrity (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HypervisorEnforcedCodeIntegrity,,,,,1,=,Low
+V-93229,"Administrative Templates: System","Device Guard: Require UEFI Memory Attributes Table (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,HVCIMATRequired,,,,,0,=,Low
+V-93277,"Administrative Templates: System","Device Guard: Credential Guard Configuration (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,LsaCfgFlags,,,,,1,=,High
+V-93251,"Administrative Templates: System","Group Policy: Do not apply during periodic background processing",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoGPOListChanges,,,,0,0,=,Medium
+V-93251,"Administrative Templates: System","Group Policy: Process even if the Group Policy objects have not changed",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}",NoBackgroundPolicy,,,,1,0,=,Medium
+V-93403,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off downloading of print drivers over HTTP",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Printers",DisableWebPnPDownload,,,,0,1,=,Medium
+V-93403,"Administrative Templates: System","Internet Communication Management: Internet Communication settings: Turn off printing over HTTP",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers",DisableHTTPPrinting,,,,0,1,=,Medium
+V-93407,"Administrative Templates: System","Logon: Do not display network selection UI",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,DontDisplayNetworkSelectionUI,,,,0,1,=,Medium
+V-93419,"Administrative Templates: System","Logon: Enumerate local users on domain-joined computers (Member)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\System,EnumerateLocalUsers,,,,0,0,=,Medium
+V-93253,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (on battery)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,DCSettingIndex,,,,0,1,=,Medium
+V-93255,"Administrative Templates: System","Sleep Settings: Require a password when a computer wakes (plugged in)",Registry,,HKLM:\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51,ACSettingIndex,,,,0,1,=,Medium
+V-93453,"Administrative Templates: System","Remote Procedure Call: Restrict Unauthenticated RPC clients (Member)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\Rpc",RestrictRemoteClients,,,,0,1,=,Medium
+V-93409,"Administrative Templates: Windows Components","Application Compatibility: Turn off Inventory Collector",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat,DisableInventory,,,,0,1,=,Low
+V-93373,"Administrative Templates: Windows Components","AutoPlay Policies: Disallow Autoplay for non-volume devices",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Explorer,NoAutoplayfornonVolume,,,,0,1,=,High
+V-93375,"Administrative Templates: Windows Components","AutoPlay Policies: Set the default behavior for AutoRun",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoAutorun,,,,0,1,=,High
+V-93377,"Administrative Templates: Windows Components","AutoPlay Policies: Turn off Autoplay",Registry,,HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,,,,0,255,=,High
+V-93517,"Administrative Templates: Windows Components","Credential User Interface: 
Enumerate administrator accounts on elevation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI,EnumerateAdministrators,,,,1,0,=,Medium +V-93257,"Administrative Templates: Windows Components","Data Collection and Preview Builds: Allow Telemetry",Registry,,HKLM:\Software\Policies\Microsoft\Windows\DataCollection,AllowTelemetry,,,,2,1,=,Medium +V-93259,"Administrative Templates: Windows Components","Delivery Optimization: Download Mode",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization,DODownloadMode,,,,3,2,=,Medium +V-93177,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Application log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Application,MaxSize,,,,4096,32768,>=,Medium +V-93179,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum Security log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\Security,MaxSize,,,,4096,196608,>=,Medium +V-93181,"Administrative Templates: Windows Components","Event Log Service: Specify the maximum System log file size (KB)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\EventLog\System,MaxSize,,,,4096,32768,>=,Medium +V-93425,"Administrative Templates: Windows Components","Remote Desktop Connection Client: Do not allow passwords to be saved",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",DisablePasswordSaving,,,,0,1,=,Medium +V-93533,"Administrative Templates: Windows Components","Remote Desktop Session Host: Device and Resource Redirection: Do not allow drive redirection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fDisableCdm,,,,0,1,=,Medium +V-93427,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Always prompt for password upon connection",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fPromptForPassword,,,,0,1,=,Medium 
+V-92971,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Require secure RPC communication",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",fEncryptRPCTraffic,,,,0,1,=,Medium
+V-92973,"Administrative Templates: Windows Components","Remote Desktop Session Host: Security: Set client connection encryption level",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services",MinEncryptionLevel,,,,0,3,=,Medium
+V-93265,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
+V-93415,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
+V-93349,"Microsoft Defender Exploit Guard","Use a common set of exploit protection settings",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender ExploitGuard\Exploit Protection",ExploitProtectionSettings,,,,,,!=,Medium
+V-93349,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93349,"Microsoft Defender Exploit Guard","Exploit protection: Override Relocate Images (ASLR) (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/ASLR/OverrideForceRelocateImages,,,,,,,False,=,Medium
+V-93349,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93349,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93349,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93349,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93349,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93349,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93349,"Microsoft Defender Exploit Guard","Exploit protection: ImageLoad: Override Block Remote Images (ONEDRIVE.EXE)",ProcessmitigationApplication,ONEDRIVE.EXE/ImageLoad/OverrideBlockRemoteImageLoads,,,,,,,False,=,Medium
+V-93329,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (firefox.exe)",ProcessmitigationApplication,firefox.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93329,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (firefox.exe)",ProcessmitigationApplication,firefox.exe/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93331,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93331,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93331,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93331,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93331,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93331,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93331,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93331,"Microsoft Defender Exploit Guard","Exploit protection: ImageLoad: Override Block Remote Images (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/ImageLoad/OverrideBlockRemoteImageLoads,,,,,,,False,=,Medium
+V-93331,"Microsoft Defender Exploit Guard","Exploit protection: Child Process: Override Child Process (fltldr.exe)",ProcessmitigationApplication,fltldr.exe/ChildProcess/OverrideChildProcess,,,,,,,False,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: ImageLoad: Override Block Remote Images (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/ImageLoad/OverrideBlockRemoteImageLoads,,,,,,,False,=,Medium
+V-93333,"Microsoft Defender Exploit Guard","Exploit protection: Child Process: Override Child Process (GROOVE.EXE)",ProcessmitigationApplication,GROOVE.EXE/ChildProcess/OverrideChildProcess,,,,,,,False,=,Medium
+V-93321,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93321,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93321,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93321,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93321,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93321,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93321,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93321,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (Acrobat.exe)",ProcessmitigationApplication,Acrobat.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93323,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93323,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93323,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93323,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93323,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93323,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93323,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93323,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (AcroRd32.exe)",ProcessmitigationApplication,AcroRd32.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93325,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (chrome.exe)",ProcessmitigationApplication,chrome.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93327,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93327,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93327,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93327,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93327,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93327,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93327,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93327,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (EXCEL.EXE)",ProcessmitigationApplication,EXCEL.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93335,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93335,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93335,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93335,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93335,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93335,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93335,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93335,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (iexplore.exe)",ProcessmitigationApplication,iexplore.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93337,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93337,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93337,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93337,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93337,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93337,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93337,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93337,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (INFOPATH.EXE)",ProcessmitigationApplication,INFOPATH.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (java.exe)",ProcessmitigationApplication,java.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (java.exe)",ProcessmitigationApplication,java.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (java.exe)",ProcessmitigationApplication,java.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (java.exe)",ProcessmitigationApplication,java.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (java.exe)",ProcessmitigationApplication,java.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (java.exe)",ProcessmitigationApplication,java.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (java.exe)",ProcessmitigationApplication,java.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (javaw.exe)",ProcessmitigationApplication,javaw.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (javaw.exe)",ProcessmitigationApplication,javaw.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (javaw.exe)",ProcessmitigationApplication,javaw.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (javaw.exe)",ProcessmitigationApplication,javaw.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (javaw.exe)",ProcessmitigationApplication,javaw.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (javaw.exe)",ProcessmitigationApplication,javaw.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (javaw.exe)",ProcessmitigationApplication,javaw.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (javaws.exe)",ProcessmitigationApplication,javaws.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (javaws.exe)",ProcessmitigationApplication,javaws.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (javaws.exe)",ProcessmitigationApplication,javaws.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (javaws.exe)",ProcessmitigationApplication,javaws.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (javaws.exe)",ProcessmitigationApplication,javaws.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (javaws.exe)",ProcessmitigationApplication,javaws.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93339,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (javaws.exe)",ProcessmitigationApplication,javaws.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93341,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93341,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93341,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93341,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93341,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93341,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93341,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93341,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (LYNC.EXE)",ProcessmitigationApplication,LYNC.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93343,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93343,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93343,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93343,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93343,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93343,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93343,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93343,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (MSACCESS.EXE)",ProcessmitigationApplication,MSACCESS.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93345,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93345,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93345,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93345,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93345,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93345,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93345,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93345,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (MSPUB.EXE)",ProcessmitigationApplication,MSPUB.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93347,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93347,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93347,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93347,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93347,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93347,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93347,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (OIS.EXE)",ProcessmitigationApplication,OIS.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93351,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93351,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium
+V-93351,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93351,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93351,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93351,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93351,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93351,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (OUTLOOK.EXE)",ProcessmitigationApplication,OUTLOOK.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium
+V-93353,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/DEP/OverrideDEP,,,,,,,False,=,Medium
+V-93353,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium
+V-93353,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium
+V-93353,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium
+V-93353,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium
+V-93353,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium
+V-93353,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec 
(plugin-container.exe)",ProcessmitigationApplication,plugin-container.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-93355,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium +V-93355,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium +V-93355,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-93355,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-93355,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-93355,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-93355,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-93355,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (POWERPNT.EXE)",ProcessmitigationApplication,POWERPNT.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-93357,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention 
(DEP) (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium +V-93357,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium +V-93357,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export AddressFilter (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-93357,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-93357,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-93357,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-93357,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-93357,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (PPTVIEW.EXE)",ProcessmitigationApplication,PPTVIEW.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-93359,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium +V-93359,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) 
(VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium +V-93359,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export AddressFilter (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-93359,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-93359,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-93359,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-93359,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-93359,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (VISIO.EXE)",ProcessmitigationApplication,VISIO.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-93361,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium +V-93361,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium +V-93361,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export AddressFilter 
(VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-93361,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-93361,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-93361,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-93361,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-93361,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (VPREVIEW.EXE)",ProcessmitigationApplication,VPREVIEW.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-93363,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/DEP/OverrideDEP,,,,,,,False,=,Medium +V-93363,"Microsoft Defender Exploit Guard","Exploit protection: Force randomization for images (ASLR) (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/ASLR/ForceRelocateImages,,,,,,,ON,=,Medium +V-93363,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-93363,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter 
Plus (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-93363,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-93363,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-93363,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-93363,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (WINWORD.EXE)",ProcessmitigationApplication,WINWORD.EXE/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-93365,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/DEP/OverrideDEP,,,,,,,False,=,Medium +V-93365,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-93365,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-93365,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-93365,"Microsoft Defender Exploit Guard","Exploit protection: Payload: 
Override Enable ROP Stack Pivot (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-93365,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-93365,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Sim Exec (wmplayer.exe)",ProcessmitigationApplication,wmplayer.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-93367,"Microsoft Defender Exploit Guard","Exploit protection: Override Data Execution Prevention (DEP) (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/DEP/OverrideDEP,,,,,,,False,=,Medium +V-93367,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/Payload/OverrideEnableExportAddressFilter,,,,,,,False,=,Medium +V-93367,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Export Address Filter Plus (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/Payload/OverrideEnableExportAddressFilterPlus,,,,,,,False,=,Medium +V-93367,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable Import Address Filter (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/Payload/OverrideEnableImportAddressFilter,,,,,,,False,=,Medium +V-93367,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Stack Pivot (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/Payload/OverrideEnableRopStackPivot,,,,,,,False,=,Medium +V-93367,"Microsoft Defender Exploit Guard","Exploit protection: Payload: Override Enable ROP Caller Check (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/Payload/OverrideEnableRopCallerCheck,,,,,,,False,=,Medium +V-93367,"Microsoft Defender Exploit Guard","Exploit protection: Payload: 
Override Enable ROP Sim Exec (wordpad.exe)",ProcessmitigationApplication,wordpad.exe/Payload/OverrideEnableRopSimExec,,,,,,,False,=,Medium +V-93411,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,EnableSmartScreen,,,,1,1,=,Medium +V-93411,"Administrative Templates: Windows Components","File Explorer: Configure Windows Defender SmartScreen to warn and prevent bypass",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\System,ShellSmartScreenLevel,,,,Warn,Block,=,Medium +V-93199,"Administrative Templates: Windows Components","Windows Installer: Allow user control over installs",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,EnableUserControl,,,,1,0,=,Medium +V-93201,"Administrative Templates: Windows Components","Windows Installer: Always install with elevated privileges",Registry,,HKLM:\Software\Policies\Microsoft\Windows\Installer,AlwaysInstallElevated,,,,1,0,=,High +V-93269,"Administrative Templates: Windows Components","Windows Logon Options: Sign-in and lock last interactive user automatically after a restart",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableAutomaticRestartSignOn,,,,0,1,=,Medium +V-93175,PowerShell,"Turn on PowerShell Script Block Logging",Registry,,HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging,EnableScriptBlockLogging,,,,0,1,=,Medium +V-93503,"Administrative Templates: Windows Components","WinRM Client: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowBasic,,,,1,0,=,High +V-93499,"Administrative Templates: Windows Components","WinRM Client: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowUnencryptedTraffic,,,,1,0,=,Medium +V-93505,"Administrative Templates: Windows Components","WinRM Client: Disallow Digest 
authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Client,AllowDigest,,,,1,0,=,Medium +V-93507,"Administrative Templates: Windows Components","WinRM Service: Allow Basic authentication",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowBasic,,,,1,0,=,High +V-93501,"Administrative Templates: Windows Components","WinRM Service: Allow unencrypted traffic",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,AllowUnencryptedTraffic,,,,1,0,=,Medium +V-93429,"Administrative Templates: Windows Components","WinRM Service: Disallow WinRM from storing RunAs credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WinRM\Service,DisableRunAs,,,,0,1,=,Medium diff --git a/lists/finding_list_dod_microsoft_windows_server_2019_member_stig_v2r1_user.csv b/lists/finding_list_dod_microsoft_windows_server_2019_member_stig_v2r1_user.csv new file mode 100644 index 0000000..b60d65d --- /dev/null +++ b/lists/finding_list_dod_microsoft_windows_server_2019_member_stig_v2r1_user.csv @@ -0,0 +1,3 @@ +ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity +V-102625,"Administrative Templates: Windows Components","File Explorer: Explorer Frame Pane: Turn off Preview Pane",Registry,,HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoReadingPane,,,,,1,=,Medium +V-102625,"Administrative Templates: Windows Components","File Explorer: Explorer Frame Pane: Turn on or off details pane",Registry,,HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoPreviewPane,,,,,1,=,Medium diff --git a/lists/finding_list_dod_windows_defender_antivirus_stig_v2r1.csv b/lists/finding_list_dod_windows_defender_antivirus_stig_v2r1.csv new file mode 100644 index 0000000..bfcb44c --- /dev/null +++ b/lists/finding_list_dod_windows_defender_antivirus_stig_v2r1.csv 
@@ -0,0 +1,32 @@
+ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity
+V-75147,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,=,High
+V-75159,"Microsoft Defender Antivirus","Exclusions: Turn off Auto Exclusions",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Exclusions",DisableAutoExclusions,,,,,0,=,Medium
+V-75163,"Microsoft Defender Antivirus","MAPS: Configure the 'Block at First Sight' feature",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",DisableBlockAtFirstSeen,,,,,0,=,Medium
+V-75167,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,2,=,Medium
+V-75207,"Microsoft Defender Antivirus","MAPS: Send file samples when further analysis is required",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",SubmitSamplesConsent,,,,,1,=,Medium
+V-75235,"Microsoft Defender Antivirus","Scan: Scan removable drives",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableRemovableDriveScanning,,,,,0,=,Medium
+V-75237,"Microsoft Defender Antivirus","Scan: Specify the day of the week to run a scheduled scan",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",ScheduleDay,,,,,0,=,Medium
+V-75239,"Microsoft Defender Antivirus","Scan: Turn on e-mail scanning",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Scan",DisableEmailScanning,,,,,0,=,Medium
+V-75241,"Microsoft Defender Antivirus","Security Intelligence Updates: Define the number of days before spyware security intelligence is considered out of date",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Signature Updates",ASSignatureDue,,,,,7,=,High
+V-75243,"Microsoft Defender Antivirus","Security Intelligence Updates: Define the number of days before virus security intelligence is considered out of date",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Signature Updates",AVSignatureDue,,,,,7,=,High
+V-75245,"Microsoft Defender Antivirus","Security Intelligence Updates: Specify the day of the week to check for security intelligence updates",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Signature Updates",ScheduleDay,,,,,0,=,Medium
+V-75247,"Microsoft Defender Antivirus","Threats: Specify threat alert levels at which default action should not be taken when detected",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Threats",Threats_ThreatSeverityDefaultAction,,,,,1,=,Medium
+V-75247,"Microsoft Defender Antivirus","Threats: Specify threat alert levels at which default action should not be taken when detected: Low (1)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction",1,,,,,2,=,Medium
+V-75247,"Microsoft Defender Antivirus","Threats: Specify threat alert levels at which default action should not be taken when detected: Medium (2)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction",2,,,,,2,=,Medium
+V-75247,"Microsoft Defender Antivirus","Threats: Specify threat alert levels at which default action should not be taken when detected: High (4)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction",4,,,,,2,=,Medium
+V-75247,"Microsoft Defender Antivirus","Threats: Specify threat alert levels at which default action should not be taken when detected: Severe (5)",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction",5,,,,,2,=,Medium
+V-77967,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,0,1,=,Medium
+V-77967,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating child processes",MpPreferenceAsr,d4f940ab-401b-4efc-aadc-ad5f3c50688a,,,,,,0,1,=,Medium
+V-77969,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",3b576869-a4ec-4529-8536-b80a7769e899,,,,0,1,=,Medium
+V-77969,"Microsoft Defender Exploit Guard","ASR: Block Office applications from creating executable content",MpPreferenceAsr,3b576869-a4ec-4529-8536-b80a7769e899,,,,,,0,1,=,Medium
+V-77975,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,0,1,=,Medium
+V-77975,"Microsoft Defender Exploit Guard","ASR: Block execution of potentially obfuscated scripts",MpPreferenceAsr,5beb7efe-fd9a-4556-801d-275e5ffc04cc,,,,,,0,1,=,Medium
+V-77971,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,0,1,=,Medium
+V-77971,"Microsoft Defender Exploit Guard","ASR: Block Office applications from injecting into other processes",MpPreferenceAsr,75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84,,,,,,0,1,=,Medium
+V-77977,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,0,1,=,Medium
+V-77977,"Microsoft Defender Exploit Guard","ASR: Block Win32 imports from Macro code in Office",MpPreferenceAsr,92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b,,,,,,0,1,=,Medium
+V-77965,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,0,1,=,Medium
+V-77965,"Microsoft Defender Exploit Guard","ASR: Block executable content from email client and webmail",MpPreferenceAsr,be9ba2d9-53ea-4cdc-84e5-9b1eeee46550,,,,,,0,1,=,Medium
+V-77973,"Microsoft Defender Exploit Guard","ASR: Impede JavaScript and VBScript to launch executables (Policy)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\rules",d3e037e1-3eb8-44c8-a917-57927947596d,,,,0,1,=,Medium
+V-77973,"Microsoft Defender Exploit Guard","ASR: Impede JavaScript and VBScript to launch executables",MpPreferenceAsr,d3e037e1-3eb8-44c8-a917-57927947596d,,,,,,0,1,=,Medium
+V-75209,"Microsoft Defender Exploit Guard","Network Protection: Prevent users and apps from accessing dangerous websites",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection",EnableNetworkProtection,,,,,1,=,Medium
diff --git a/lists/finding_list_dod_windows_firewall_stig_v1r7.csv b/lists/finding_list_dod_windows_firewall_stig_v1r7.csv
new file mode 100644
index 0000000..7af0b65
--- /dev/null
+++ b/lists/finding_list_dod_windows_firewall_stig_v1r7.csv
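Review bot: The `ASSignatureDue` and `AVSignatureDue` rows (V-75241, V-75243) compare with `=` against 7, so a host configured with a shorter, stricter interval would be reported as failing. If the STIG text sets 7 days as an upper bound rather than an exact value, the Operator column should express that, for example `...,ASSignatureDue,,,,,7,<=,High`, assuming the tool's operator set includes a less-or-equal comparison. The two `ScheduleDay` rows (V-75237, V-75245) have the same shape: `=` 0 accepts a single schedule value, which is worth confirming against the STIG wording, because a host scanning on a fixed weekday would otherwise be flagged. DefaultValue is also filled in for some rows (`PUAProtection`, the ASR rules) and left empty for the rest; if empty is meant as "not configured", keeping that consistent makes the report easier to read.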
@@ -0,0 +1,19 @@
+ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Namespace,Property,DefaultValue,RecommendedValue,Operator,Severity
+V-17415,"Windows Firewall","EnableFirewall (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,,,,0,1,=,Medium
+V-17418,"Windows Firewall","Inbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultInboundAction,,,,1,1,=,High
+V-17419,"Windows Firewall","Outbound Connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,DefaultOutboundAction,,,,0,0,=,Medium
+V-17425,"Windows Firewall","Log size limit (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogFileSize,,,,4096,16384,=,Low
+V-17426,"Windows Firewall","Log dropped packets (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogDroppedPackets,,,,0,1,=,Low
+V-17427,"Windows Firewall","Log successful connections (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+V-17416,"Windows Firewall","EnableFirewall (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,EnableFirewall,,,,0,1,=,Medium
+V-17428,"Windows Firewall","Inbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultInboundAction,,,,1,1,=,High
+V-17429,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium
+V-17435,"Windows Firewall","Log size limit (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogFileSize,,,,4096,16384,=,Low
+V-17436,"Windows Firewall","Log dropped packets (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogDroppedPackets,,,,0,1,=,Low
+V-17437,"Windows Firewall","Log successful connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
+V-17417,"Windows Firewall","EnableFirewall (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,EnableFirewall,,,,0,1,=,Medium
+V-17438,"Windows Firewall","Inbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultInboundAction,,,,1,1,=,High
+V-17429,"Windows Firewall","Outbound Connections (Private Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile,DefaultOutboundAction,,,,0,0,=,Medium
+V-17445,"Windows Firewall","Log size limit (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogFileSize,,,,4096,16384,=,Low
+V-17446,"Windows Firewall","Log dropped packets (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogDroppedPackets,,,,0,1,=,Low
+V-17447,"Windows Firewall","Log successful connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging,LogSuccessfulConnections,,,,0,1,=,Low
diff --git a/lists/finding_list_msft_security_baseline_windows_10_2004_machine.csv b/lists/finding_list_msft_security_baseline_windows_10_2004_machine.csv
index 037e5b0..8977955 100644
--- a/lists/finding_list_msft_security_baseline_windows_10_2004_machine.csv
+++ b/lists/finding_list_msft_security_baseline_windows_10_2004_machine.csv
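Review bot: The Public Profile group has no outbound-connections check. The row between V-17438 and V-17445 repeats V-17429 `Outbound Connections (Private Profile, Policy)` with the `PrivateProfile` path, so `DefaultOutboundAction` under `PublicProfile` is never evaluated and the Private row is counted twice. Replace it with `<PUBLIC_OUTBOUND_FINDING_ID>,"Windows Firewall","Outbound Connections (Public Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile,DefaultOutboundAction,,,,0,0,=,Medium`, taking the finding ID from the STIG. Separately, the three `LogFileSize` rows compare with `=` against 16384; if the STIG requirement is a minimum size, a larger log would be reported as a failure, and a greater-or-equal operator would match the intent better.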
@@ -143,8 +143,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10650,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium
 10651,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
 10652,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium
-10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1,RequireIntegrity=1",=,Medium
-10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1,RequireIntegrity=1",=,Medium
+10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
 10655,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
 10656,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
 10670,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,"“AllowEncryptionOracle",,,,0,0,=,Medium
diff --git a/lists/finding_list_msft_security_baseline_windows_10_2009_machine.csv b/lists/finding_list_msft_security_baseline_windows_10_2009_machine.csv
index de3e90b..1279d6a 100644
--- a/lists/finding_list_msft_security_baseline_windows_10_2009_machine.csv
+++ b/lists/finding_list_msft_security_baseline_windows_10_2009_machine.csv
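Review bot: The new expected value on rows 10653 and 10654 is matched with the `=` operator, so, assuming that is an exact string comparison, the result now depends on a single space after the comma. A host whose hardened-path value is written without the space, or that additionally sets `RequirePrivacy=1`, would be reported as failing although it is at least as strict. It would help to compare the individual flags after normalising whitespace, or to document alongside the list that the string must match byte for byte. The same change is made in the windows_10_2009 list and in the four windows_server lists further down.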
@@ -143,8 +143,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10650,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium
 10651,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
 10652,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,0,=,Medium
-10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1,RequireIntegrity=1",=,Medium
-10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1,RequireIntegrity=1",=,Medium
+10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
 10655,"Administrative Templates: Network","Windows Connection Manager: Prohibit connection to non-domain networks when connected to domain authenticated network",Registry,,HKLM:\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy,fBlockNonDomain,,,,,1,=,Medium
 10656,"Administrative Templates: Network","WLAN Settings: Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services",Registry,,HKLM:\Software\Microsoft\wcmsvc\wifinetworkmanager\config,AutoConnectAllowedOEM,,,,1,0,=,Medium
 10670,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,"“AllowEncryptionOracle",,,,0,0,=,Medium
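Review bot: The RegistryItem of context row 10670 is `"“AllowEncryptionOracle"`, so the value name begins with a typographic quote `“` and will not match the `AllowEncryptionOracle` value under `CredSSP\Parameters`. Because DefaultValue and RecommendedValue are both 0, the check presumably passes whenever the value is not found, which would let a weak CredSSP setting go unreported. The field should read `AllowEncryptionOracle`. The commit leaves this row unchanged; it also appears as context in the windows_10_2004 hunk above and in the windows_server hunks below.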
@@ -337,7 +337,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
 10971,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
 10972,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,>=,Medium
-10998,"Microsoft Defender Antivirus","Configure the 'Block at First Sight' feature",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",DisableBlockAtFirstSeen,,,,,0,>=,Medium
+10998,"Microsoft Defender Antivirus","MAPS: Configure the 'Block at First Sight' feature",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",DisableBlockAtFirstSeen,,,,,0,>=,Medium
 10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,2,=,Medium
 10974,"Microsoft Defender Antivirus","MAPS: Send file samples when further analysis is required",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",SubmitSamplesConsent,,,,,1,=,Medium
 10999,"Microsoft Defender Antivirus","MpEngine: Select cloud protection level",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine",MpCloudBlockLevel,,,,,2,>=,Medium
diff --git a/lists/finding_list_msft_security_baseline_windows_server_2004_dc_machine.csv b/lists/finding_list_msft_security_baseline_windows_server_2004_dc_machine.csv
index ceebdce..9d1688b 100644
--- a/lists/finding_list_msft_security_baseline_windows_server_2004_dc_machine.csv
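Review bot: Row 10998 compares `DisableBlockAtFirstSeen` against a recommended value of 0 with the operator `>=`, so, if that operator is a numeric comparison, every non-negative value satisfies it, including 1, which by the value's name turns the feature off. The rename to `MAPS: …` keeps that operator; the tail of the row should be `DisableBlockAtFirstSeen,,,,,0,=,Medium`. The same row is changed in the windows_server_2009_dc and windows_server_2009_member lists further down.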
+++ b/lists/finding_list_msft_security_baseline_windows_server_2004_dc_machine.csv 
@@ -118,8 +118,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10643,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
 10650,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium
 10651,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
-10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1,RequireIntegrity=1",=,Medium
-10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1,RequireIntegrity=1",=,Medium
+10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
 10670,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,"“AllowEncryptionOracle",,,,0,0,=,Medium
 10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
 10672,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
diff --git a/lists/finding_list_msft_security_baseline_windows_server_2004_member_machine.csv b/lists/finding_list_msft_security_baseline_windows_server_2004_member_machine.csv
index eb321ba..e50dfa8 100644
--- a/lists/finding_list_msft_security_baseline_windows_server_2004_member_machine.csv
+++ b/lists/finding_list_msft_security_baseline_windows_server_2004_member_machine.csv
@@ -117,7 +117,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10650,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium
 10651,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
 10653,"Administrative Templates: Network","Network Connections: Prohibit use of Internet Connection Sharing on your DNS domain network",Registry,,"HKLM:\Software\Policies\Microsoft\Windows\Network Connections",NC_ShowSharedAccessUI,,,,1,"RequireMutualAuthentication=1,RequireIntegrity=1",=,Medium
-10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1,RequireIntegrity=1",=,Medium
+10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
 10670,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,"“AllowEncryptionOracle",,,,0,0,=,Medium
 10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
 10672,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
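Review bot: The context row with ID 10653 in this list is inconsistent and the commit leaves it as is: it carries the name and registry item of the Internet Connection Sharing check (`NC_ShowSharedAccessUI`) but the hardened-UNC string `"RequireMutualAuthentication=1,RequireIntegrity=1"` as its recommended value, which a numeric setting cannot equal. In the other baseline lists of this commit 10653 is the NETLOGON row and 10654 the SYSVOL row; here NETLOGON sits under 10654 and no SYSVOL row is visible in the hunk, so the SYSVOL hardened path appears not to be checked for member servers. I would restore the rows as in the domain-controller list: the Internet Connection Sharing row with recommended value `0` (it is ID 10652 in the Windows 10 lists), 10653 for `\\*\NETLOGON` and 10654 for `\\*\SYSVOL`.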
diff --git a/lists/finding_list_msft_security_baseline_windows_server_2009_dc_machine.csv b/lists/finding_list_msft_security_baseline_windows_server_2009_dc_machine.csv
index cd77444..3d6b812 100644
--- a/lists/finding_list_msft_security_baseline_windows_server_2009_dc_machine.csv
+++ b/lists/finding_list_msft_security_baseline_windows_server_2009_dc_machine.csv
@@ -118,8 +118,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10643,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
 10650,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium
 10651,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
-10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1,RequireIntegrity=1",=,Medium
-10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1,RequireIntegrity=1",=,Medium
+10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
 10670,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,"“AllowEncryptionOracle",,,,0,0,=,Medium
 10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
 10672,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
@@ -281,7 +281,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
 10971,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
 10972,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,>=,Medium
-10998,"Microsoft Defender Antivirus","Configure the 'Block at First Sight' feature",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",DisableBlockAtFirstSeen,,,,,0,>=,Medium
+10998,"Microsoft Defender Antivirus","MAPS: Configure the 'Block at First Sight' feature",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",DisableBlockAtFirstSeen,,,,,0,>=,Medium
 10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,2,=,Medium
 10974,"Microsoft Defender Antivirus","MAPS: Send file samples when further analysis is required",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",SubmitSamplesConsent,,,,,1,=,Medium
 10999,"Microsoft Defender Antivirus","MpEngine: Select cloud protection level",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine",MpCloudBlockLevel,,,,,2,>=,Medium
diff --git a/lists/finding_list_msft_security_baseline_windows_server_2009_member_machine.csv b/lists/finding_list_msft_security_baseline_windows_server_2009_member_machine.csv
index 27ac317..af8a828 100644
--- a/lists/finding_list_msft_security_baseline_windows_server_2009_member_machine.csv
+++ b/lists/finding_list_msft_security_baseline_windows_server_2009_member_machine.csv 
@@ -116,8 +116,8 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10643,"MSS (Legacy)","MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers",Registry,,HKLM:\System\CurrentControlSet\Services\Netbt\Parameters,NoNameReleaseOnDemand,,,,0,1,=,Medium
 10650,"Administrative Templates: Network","DNS Client: Turn off multicast name resolution (LLMNR)",Registry,,"HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient",EnableMulticast,,,,1,0,=,Medium
 10651,"Administrative Templates: Network","Lanman Workstation: Enable insecure guest logons",Registry,,HKLM:\Software\Policies\Microsoft\Windows\LanmanWorkstation,AllowInsecureGuestAuth,,,,1,0,=,Medium
-10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1,RequireIntegrity=1",=,Medium
-10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1,RequireIntegrity=1",=,Medium
+10653,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (NETLOGON)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\NETLOGON,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
+10654,"Administrative Templates: Network","Network Provider: Hardened UNC Paths (SYSVOL)",Registry,,HKLM:\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,\\*\SYSVOL,,,,,"RequireMutualAuthentication=1, RequireIntegrity=1",=,Medium
 10670,"Administrative Templates: System","Credentials Delegation: Encryption Oracle Remediation",Registry,,HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters,"“AllowEncryptionOracle",,,,0,0,=,Medium
 10671,"Administrative Templates: System","Credentials Delegation: Remote host allows delegation of non-exportable credentials",Registry,,HKLM:\Software\Policies\Microsoft\Windows\CredentialsDelegation,AllowProtectedCreds,,,,,1,=,Medium
 10672,"Administrative Templates: System","Device Guard: Turn On Virtualization Based Security (Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard,EnableVirtualizationBasedSecurity,,,,,1,=,Medium
@@ -281,7 +281,7 @@ ID,Category,Name,Method,MethodArgument,RegistryPath,RegistryItem,ClassName,Names
 10970,"Administrative Templates: Windows Components","RSS Feeds: Prevent downloading of enclosures",Registry,,"HKLM:\Software\Policies\Microsoft\Internet Explorer\Feeds",DisableEnclosureDownload,,,,,1,=,Medium
 10971,"Administrative Templates: Windows Components","Search: Allow indexing of encrypted files",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search",AllowIndexingEncryptedStoresOrItems,,,,1,0,=,Medium
 10972,"Microsoft Defender Antivirus","Configure detection for potentially unwanted applications",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender",PUAProtection,,,,0,1,>=,Medium
-10998,"Microsoft Defender Antivirus","Configure the 'Block at First Sight' feature",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",DisableBlockAtFirstSeen,,,,,0,>=,Medium
+10998,"Microsoft Defender Antivirus","MAPS: Configure the 'Block at First Sight' feature",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",DisableBlockAtFirstSeen,,,,,0,>=,Medium
 10973,"Microsoft Defender Antivirus","MAPS: Join Microsoft MAPS",Registry,,"HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet",SpynetReporting,,,,,2,=,Medium
 10974,"Microsoft Defender Antivirus","MAPS: Send file samples when further analysis is required",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\Spynet",SubmitSamplesConsent,,,,,1,=,Medium
 10999,"Microsoft Defender Antivirus","MpEngine: Select cloud protection level",Registry,,"HKLM:\Software\Policies\Microsoft\Windows Defender\MpEngine",MpCloudBlockLevel,,,,,2,>=,Medium