
Security Baseline Report

Table of Contents

Attribution Report
Network Security Checklist
System Security Risk Vulnerability
Security Baseline
Network Forensics Considerations
Appendix A
References

Attribution Report

Nation-states have formed various alliances for information and intelligence sharing over the years. One enduring example is the Five Eyes (FVEY) alliance, through which the United States, United Kingdom, Australia, Canada, and New Zealand collect, analyze, and share signals intelligence while agreeing not to act as adversaries to one another (Mansfield, 2017). Under this agreement, intelligence gathered about specific individuals and groups is stored in the FVEY database to protect communication networks and to prevent exploitation of member countries' systems by foreign and domestic sources.

From an Australian perspective, the federal government has passed a number of Acts, statutes, and policies to ensure telecommunications, network, and information security. Among these are the Privacy Act 1988, the Telecommunications Act 1997, the Intelligence Services Act 2001, and the Data Retention Act 2015 (formally the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015) (Australian Government Federal Register of Legislation, 2015).

Bad actors, from domestic criminals to nation states, constantly try to infiltrate the information systems of national economies for a variety of motives, so every state must remain alert to attackers. For this reason, the host of the FVEY summit has provided member countries with the IP addresses of potential attackers so that attacks from these sources can be averted. Team Australia has investigated these addresses and established their sources, owners, and other relevant information to inform decisions about the network infrastructure the Australian Team will build.

The IP addresses given to the Australian Team are found below:

7.26.42.136

222.215.134.15

190.142.94.44

85.209.52.248

113.245.133.236

174.73.217.102

17.158.163.43

161.234.248.208

82.196.6.46

16.106.9.38

207.88.46.144

209.183.236.40

46.3.152.107

203.96.22.39

Team Australia has determined that the listed addresses are registered to organizations in Venezuela, China, the US, the Netherlands, Russia, Germany, and New Zealand. To gather thorough and accurate information about the IP addresses, the Team used tools such as ip2nation, AlienVault, the NordVPN IP Address Lookup, and GeoTEK IP Checker. Two caveats apply when reading the results. A registry record identifies the registrant of the address block, which for a hosting provider such as DigitalOcean is the infrastructure an attacker rented rather than the attacker, and the contact address is often a corporate office rather than the host's location (the Hunan network lists a Beijing address; the Dutch DigitalOcean block lists New York). The following information was gathered from analyzing the IP addresses:

IP Address | Location | Name/Owner | Other Information
7.26.42.136 | United States | DoD Network Information Center | 3990 E. Broad Street, Columbus, OH 43218
190.142.94.44 | Venezuela | Corporacion Telemic C.A. | Av. Los Leones con Av. Caroni, 25133, Centro Empresarial Caracas, Piso 1
113.245.133.236 | China | Chinanet Hunan Province Network | No. 31, Jingrong Street, Beijing 100032
17.158.163.43 | United States | Apple - WWNET | 20400 Stevens Creek Blvd., City Center Bldg 3, Cupertino, CA 95014
82.196.6.46 | Netherlands | Digital Ocean LLC | 101 Ave of the Americas, 2nd Floor, New York, NY 10013
207.88.46.144 | United States | MCI Communications / Verizon | 22001 Loudoun County Pkwy, Ashburn
46.3.152.107 | Russia | Dom Tehniki Ltd | Nizhegorodskaya street 11 - 66, 109029 Moscow
222.215.134.15 | China | Chinanet Sichuan Province Network | A12, Xin-Jie-Kou-Wai Street, Beijing 100088, CN
85.209.52.248 | Germany | Georg Kroeber | Egerstrasse 2, 65205 Wiesbaden
174.73.217.102 | United States | Cox Communications | 1400 Lake Hearn Dr., Atlanta, GA
161.234.248.208 | Venezuela | Telefonica Venezolana | Rambla Republica de Mexico 6125, Montevideo 11400, UY
16.106.9.38 | United States | Hewlett Packard | 3000 Hanover Street, Palo Alto, CA
209.183.236.40 | United States | Atlantech Online | 1010 Wayne Ave., Suite 630, Silver Spring, MD
203.96.22.39 | New Zealand | Actrix Networks | PO Box 11-410, Wellington

Network Security Checklist

Network security enables a safe and productive work environment by preventing unauthorized access to sensitive data and by countering other information security threats. Network infrastructure must therefore be secured so that information remains confidential, intact, and available to the appropriate individuals for its intended purpose. Network security risks also evolve continuously and pose a persistent threat to vital information resources; deploying wireless network devices without encryption, for instance, leaves the whole infrastructure open to attack. According to Best (2021), network-connected devices and applications carry security risks that give attackers an opportunity to steal sensitive data, but a robust practice such as a network security checklist can protect the network from cyber-attacks. A network security checklist is therefore intended to evaluate the security and stability of an organization's network against best practice by identifying and verifying the threats associated with the network and ensuring that attacks related to those threats are mitigated. Each item below is recorded as Yes, In Progress, No, or N/A.

Firewall (Yes / In Progress / No / N/A)

· The organization should have a firewall, or an equivalent control, between the internet and its internal network and devices to prevent unwanted access.

· The default administrative password on the firewall must be changed to a strong, unique password.

· Use stateful packet inspection so that only packets belonging to a connection the firewall has seen initiated are admitted; this defeats simple spoofed-source packets aimed at established sessions and filters some flood traffic.

· Connections from external IP addresses must terminate in the DMZ only and must never be allowed directly into the LAN.

· Configure the firewall with a default-deny inbound policy so that only the ports needed for required services are reachable; unused ports are never exposed.

· Review the firewall rule set periodically for rules that are no longer needed or are broader than required.

· Keep the firewall firmware and software up to date.
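As an added example (not part of the original report), the Python script below turns the addresses from the Attribution Report into a firewall deny set that also implements the checklist items above: it validates each address with the standard library, so a typo or a private address never lands in an edge deny list, and renders an nftables ruleset with a default-deny inbound policy, an explicit allow list of service ports, and a logged drop for the attributed sources. The allowed port (443), the table and set names, and the rule order are assumptions for illustration; review the output before loading it with `nft -f`.

```python
import ipaddress

# Addresses copied from the Attribution Report table in this report.
ATTRIBUTED_IPS = [
    "7.26.42.136", "222.215.134.15", "190.142.94.44", "85.209.52.248",
    "113.245.133.236", "174.73.217.102", "17.158.163.43", "161.234.248.208",
    "82.196.6.46", "16.106.9.38", "207.88.46.144", "209.183.236.40",
    "46.3.152.107", "203.96.22.39",
]

# Services the DMZ must expose; everything else is dropped (assumed for illustration).
ALLOWED_TCP_PORTS = (443,)


def validate(addrs):
    """Split a candidate deny list into usable public IPv4 addresses and rejects.

    Rejects are strings that are not IP addresses at all, IPv6 (this set is
    ipv4_addr), and anything in private, loopback, link-local, multicast or
    reserved space: dropping RFC 1918 space on the wrong hook can cut off
    internal management traffic, so it must never reach an edge deny set."""
    good, bad = [], []
    for a in addrs:
        try:
            ip = ipaddress.ip_address(a.strip())
        except ValueError:
            bad.append((a, "not an IP address"))
            continue
        if ip.version != 4:
            bad.append((a, "IPv6 is not handled by this set"))
        elif not ip.is_global:
            bad.append((a, "non-global address"))
        else:
            good.append(str(ip))
    return sorted(good, key=ipaddress.IPv4Address), bad


def nft_ruleset(deny, allowed_tcp=ALLOWED_TCP_PORTS):
    """Render an nftables ruleset: default-deny inbound, a named set holding the
    attributed addresses (logged and dropped before anything else is admitted),
    and an explicit allow list of new TCP connections to the service ports."""
    elements = ", ".join(deny)
    ports = ", ".join(str(p) for p in allowed_tcp)
    return f"""table inet filter {{
    set attributed {{
        type ipv4_addr
        elements = {{ {elements} }}
    }}
    chain input {{
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ip saddr @attributed counter log prefix "ATTRIBUTED " drop
        tcp dport {{ {ports} }} ct state new accept
        counter drop
    }}
}}
"""


if __name__ == "__main__":
    ok, rejected = validate(ATTRIBUTED_IPS + ["10.0.0.5", "not-an-ip"])
    for entry, why in rejected:
        print(f"skipped {entry!r}: {why}")
    print(nft_ruleset(ok))
```

The attributed-source drop sits after the established/related rule on purpose: the deny set is for inbound connection attempts, and placing it first would also cut replies to any outbound connection the summit's own systems legitimately make to those networks, which is a separate policy decision.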

IT Security Policy (Yes / In Progress / No / N/A)

· Publish a network acceptable use policy that sets out the rules, rights, and obligations of all employees, contractors, and vendors who request access to network resources.

· Conduct penetration testing to complement vulnerability assessment.

· Establish comprehensive onboarding and off-boarding procedures for all employees, so that access is granted on arrival and revoked on departure.

· Implement a BYOD policy and enforce it with Mobile Device Management (MDM).

· Create cybersecurity awareness training for all employees and run phishing simulations to test their preparedness against attacks.

· Develop an incident response plan to be followed in the event of a data breach.

User Account Management (Yes / In Progress / No / N/A)

· All unnecessary user, guest, and default administrative accounts should be removed or disabled.

· Create a unique account and username for each person; shared accounts defeat accountability.

· All user accounts and permissions should be subject to a documented approval procedure.

Password Security (Yes / In Progress / No / N/A)

· Establish a password security policy.

· Implement and enforce strong passwords for all authorized users.

· Screen every new password against a list of known compromised passwords and reject any that match.

· Implement multi-factor authentication (MFA), at a minimum for remote and privileged access.
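The compromised-password screen above is the item most often implemented badly, because sending users' passwords (or their full hashes) to a lookup service creates a new leak. The added example below (not from the original report) shows the k-anonymity pattern used by Pwned Passwords: only the first five hex characters of the SHA-1 leave the client, the service returns every suffix under that prefix, and the match is made locally. The breach corpus is a constructed stand-in so the code runs offline, and the 14-character minimum is an assumed policy value.

```python
import hashlib

# Constructed stand-in for a compromised-password corpus. In production this is a
# local copy of a breach list, or a range query against a service such as Pwned
# Passwords, which accepts only the first five hex characters of the SHA-1.
BREACHED = {"password", "Password1", "Summer2023!", "qwerty123",
            "correct horse battery staple"}


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Index the corpus as prefix -> set of suffixes, the shape a range query returns.
RANGE_INDEX = {}
for _pw in BREACHED:
    _h = sha1_hex(_pw)
    RANGE_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def range_lookup(prefix):
    """Stand-in for the range endpoint: returns every suffix stored under a
    5-character prefix. The caller never sends the full hash or the password,
    so the service learns only that the client's hash is one of ~2^140."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly five hex characters")
    return RANGE_INDEX.get(prefix.upper(), set())


def is_breached(password):
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def check_password(password, min_len=14):
    """Apply the checklist's policy in order: length first, then the breach
    screen. Returns (accepted, reason). min_len=14 is an assumed value."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    if is_breached(password):
        return False, "found in compromised-password corpus"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Summer2023!", "correct horse battery staple",
                      "Ordinary-pelican-44-vault"):
        print(f"{candidate!r}: {check_password(candidate)}")
```

The breach screen rejects long passphrases that appear in a breach (the third sample) even though they satisfy every composition rule, which is exactly why the checklist lists screening separately from strength.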

LAN Security (Yes / In Progress / No / N/A)

· Ensure that wireless network security is configured appropriately, including the wireless security protocols in use.

· Disable Wi-Fi Protected Setup (WPS) on all wireless devices.

· Maintain an inventory of all networking equipment, including each device's name, type, location, serial number, service tag, and other pertinent information.

· Ensure that all wireless devices use WPA2 encryption (or WPA3 where supported); WEP and the original WPA must not be used.

· Develop and implement a security policy for remote access.

· Use virtual private networks (VPNs) for remote access.

· Disable switch ports that are not in use by any device.

· Disable Universal Plug and Play (UPnP).

Software Patch Management (Yes / In Progress / No / N/A)

· Configure patch management so that operating system and security updates are downloaded and installed at a scheduled time.

· Ensure that firmware, updates, patches, and upgrades are obtained only from reputable sources.

· Remove unsupported software from every device capable of connecting to the internet.

· Use a patch management tool to control and streamline the process.

Antivirus and Malware Protection (Yes / In Progress / No / N/A)

· Antivirus and anti-malware software should be installed on all computers and mobile devices that can access the internet.

· Antivirus and anti-malware software should be configured to perform routine scans of all files and to block connections to malicious content.

· Antivirus and anti-malware signatures must be updated at least daily.

Additional Requirements (Yes / In Progress / No / N/A)

· Implement a Data Loss Prevention (DLP) solution to protect critical information.

· Encrypt all sensitive data stored on every device.

· Unless authorized by the organization, employees should not use file-sharing or cloud-storage services.

· Unless otherwise permitted, employees should not access their social media accounts from any company-issued or networked device.

System Security Risk Vulnerability

The goal of system security risk and vulnerability assessment is to identify threats, risks, and weaknesses and to put comprehensive security procedures in place to protect critical information assets. Attendees at the Global Economic Summit must assess information security risks and vulnerabilities because an attacker can exploit any flaw in the system, and a successful attack could be catastrophic. System risk assessment, according to Cobb (n.d.), helps organizations understand the risks to their information infrastructure and identify the assets most susceptible to attack. Additionally, analyzing and identifying security risks helps stakeholders and security experts put mitigation and preventive measures in place against risks and threats to the system infrastructure.

Generally, the results of a vulnerability assessment do not by themselves prevent security incidents or improve an organization's security posture; they help by pointing out where improvements can be made (ISACA, 2017). One of the primary tasks of the assessment is to categorize identified risks by likelihood and severity so that the potential impact of each vulnerability is understood, for instance by assigning severity scores (critical, high, medium, low) based on discoverability, exploitability, and reproducibility rather than on past occurrences alone. Risk and vulnerability assessments are therefore carefully considered when choosing and implementing security controls and countermeasures to protect critical system assets.

Attack Vectors

Critical information systems are prime targets for attackers, who use a variety of attack vectors to exploit weaknesses in them. Attackers constantly scan for potential entry points into systems and networks, and attack vectors generally exist because of vulnerabilities or security holes in hardware or software, or because of the human element (Shachklett, 2021). An attack vector is the path or technique an unauthorized individual uses to gain access to a network or computer system before launching a malicious action; attackers leverage attack vectors to exploit system vulnerabilities, steal credentials, or cause a data breach. Common attack vectors include malicious web links, email attachments, pop-up windows, and instant messages sent from impersonated contacts.

Understanding attack vector patterns is crucial to designing a practical mitigation approach that prevents or minimizes attacks. Attacks are broadly passive or active. In a passive attack the adversary gathers information about the target, for example by monitoring traffic or probing for open ports, without altering system data or resources; network sniffers and keystroke loggers are examples (UMGC, n.d.). In an active attack the adversary engages directly with the target system and acts against its weaknesses; phishing emails, denial-of-service (DoS) attacks, brute-force attacks, and malware attacks are examples.

The Common Attack Pattern Enumeration and Classification (CAPEC) framework is also essential. CAPEC provides a catalogue of common attack patterns that helps defenders understand how attackers exploit weaknesses in applications and other cyber-enabled capabilities (Capec.mitre.org, n.d.). It was established by the US Department of Homeland Security as part of its Software Assurance program to provide a standard mechanism for identifying, analyzing, refining, and sharing attack patterns within the cybersecurity community.

Threats to Authentication and Credentials

Authentication and credential threats affect the process of verifying a legitimate user's identity before granting access to a system, application, or computer resource. Authentication is the act of verifying a subject's claimed identity; a credential is the information about the subject used in that verification. Passwords, usernames, public key certificates, personal identification numbers (PINs), and biometric elements are all types of credentials. According to Thomas (2021), the volume of authentication attacks is increasing because attackers waste no time exploiting vulnerabilities to gain access to systems and user accounts, where they can delete data or steal Personally Identifiable Information (PII), Protected Health Information (PHI), and other critical data. The most common threats to authentication and credentials are described below.

Brute Force Attacks

A brute force attack is a common attack in which an adversary uses automated trial and error, either online against a live login interface or offline against a stolen password hash, to guess a login name, password, or cryptographic key. Simple brute force, dictionary attacks, hybrid attacks, reverse brute force (one common password tried against many accounts), and credential stuffing (credentials leaked from one breach replayed elsewhere) are the most common variants. Although the technique is old, it remains easy and dependable, and attackers commonly use information collected about the target as a starting point. Attackers can also steal credentials outright where the authentication process or an exposed service such as Remote Desktop Protocol (RDP) is weakly protected; Magnusson (2022) recommends encryption to safeguard crucial data against these attacks. The controls that actually bound a brute force attack are account lockout or rate limiting on the online path, multi-factor authentication, and strong, salted password hashing for stored credentials, together with password best practices: long passwords, avoidance of common passwords, a unique password for each account, and a password manager.

Man-In-The-Middle Attacks

Man-in-the-Middle (MitM) attacks involve an attacker intercepting an insecure network connection, for example with a rogue access point that imitates a legitimate Wi-Fi network, and inserting themselves into the communication channel to steal critical information. Once in that position, attackers carry out a range of MitM attacks, including session hijacking, IP and DNS spoofing, eavesdropping, email hijacking, ARP cache poisoning, and SSL/TLS hijacking (Fortinet, n.d.). They generally exploit weaknesses in the network, in internet protocols, or in browser-based security to intercept legitimate communications, and may push a fake software update that delivers malware to steal credentials and login information. Countermeasures such as end-to-end encryption for all communication channels with proper certificate validation, multi-factor authentication for system access, encrypted DNS, and the zero-trust principle (no network position is trusted by itself) prevent or limit MitM attacks. On a local segment, ARP cache poisoning in particular is detectable: a gateway IP address that suddenly answers from a different MAC address, or one MAC address claiming several IP addresses, is its signature.
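As an added example (not code from the original report), the detector below runs the two ARP-poisoning signatures mentioned above over a constructed log of ARP replies: a binding change for an IP address, and one MAC address claiming more than one IP address, which is what a host looks like when it poisons both the gateway and a victim to sit between them. The reply records, MAC addresses, and the trusted gateway binding are all constructed for illustration; on a real network the records would come from a packet capture or from the switch's ARP inspection logs.

```python
from collections import defaultdict

# Constructed ARP reply records (seconds, sender IP, sender MAC); not captured traffic.
ARP_REPLIES = [
    (0.0, "192.168.1.1",  "00:11:22:33:44:55"),  # the real gateway answers
    (1.0, "192.168.1.20", "aa:bb:cc:dd:ee:01"),  # an ordinary host
    (2.0, "192.168.1.1",  "aa:bb:cc:dd:ee:99"),  # someone else now claims the gateway IP
    (2.5, "192.168.1.20", "aa:bb:cc:dd:ee:99"),  # ...and the host's IP too: classic MitM
]


def detect_arp_poisoning(replies, trusted=None):
    """Return alerts for two ARP-poisoning signatures:
    - binding-change: an IP address whose MAC binding differs from the one seen
      before (a trusted binding, e.g. the gateway's real MAC, is never overwritten,
      so a poisoner keeps tripping the alert instead of becoming the new normal);
    - multi-ip-mac: one MAC address claiming more than one IP address, the
      pattern of a host poisoning both ends of a conversation."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    bindings = dict(trusted)
    ips_by_mac = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        previous = bindings.get(ip)
        if previous and previous != mac:
            alerts.append({"t": t, "type": "binding-change", "ip": ip,
                           "old": previous, "new": mac})
        if ip not in trusted:
            bindings[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append({"t": t, "type": "multi-ip-mac", "mac": mac,
                           "ips": sorted(ips_by_mac[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES, {"192.168.1.1": "00:11:22:33:44:55"}):
        print(alert)
```

Seeding the trusted gateway binding is what makes the detector useful in practice: without it, the first reply the sensor happens to see defines "normal", and a poisoner that was already active when monitoring started is never flagged.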

Structured Query Language (SQL) Attacks

In a Structured Query Language (SQL) injection attack, an attacker supplies input that the application splices into a database query so that it is interpreted as SQL code rather than data. The attacker can then read, modify, or destroy any data the application's database account can reach, impersonate other users, or render existing data inaccessible. According to Magnusson (2022), SQL injection can defeat authentication measures by extracting credentials from an unsecured database or by bypassing the authentication query altogether when the injected SQL is executed by the application. The primary defence is parameterized (prepared) statements, which keep user-supplied data out of the SQL text entirely. A web application firewall (WAF) can additionally filter known malicious query patterns, but it is a secondary control that attackers routinely evade, and it does not remove the underlying flaw.
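The added example below (not from the original report) places the flawed and the parameterized versions of a login query side by side against an in-memory SQLite table with one constructed account. The classic payload `alice' --` turns the first query's password check into a comment and logs in without a password; passed to the parameterized query, the same string is just an unknown username.

```python
import sqlite3


def make_db():
    """In-memory user table with one account (constructed test data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-secret')")
    return db


def login_vulnerable(db, username, password_hash):
    """Deliberately broken: user input is spliced into the SQL text, so the
    username  alice' --  closes the string and comments out the password check.
    Resulting query:
      SELECT username FROM users WHERE username = 'alice' --' AND password_hash = '...'
    """
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return db.execute(sql).fetchone() is not None


def login_safe(db, username, password_hash):
    """Parameterized statement: the driver passes user input to the engine as
    data bound to the ? placeholders, never as SQL text, so the same payload is
    simply a username that does not exist."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return db.execute(sql, (username, password_hash)).fetchone() is not None


PAYLOAD = "alice' --"   # classic authentication-bypass input


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload:", login_vulnerable(db, PAYLOAD, "wrong"))
    print("parameterized login with payload:", login_safe(db, PAYLOAD, "wrong"))
    print("parameterized login with real hash:", login_safe(db, "alice", "hash-of-alice-secret"))
```

Note that escaping quotes in `login_vulnerable` would not be an adequate fix: numeric fields, identifiers, and driver-specific encodings all have bypasses, which is why the checklist-level control is "use parameterized statements" rather than "sanitize input".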

Social Engineering

Social engineering is a popular tactic that relies on human interaction and emotion to win people's confidence before exploiting them. Cybercriminals use it to trick and manipulate victims into giving up sensitive information or access to systems. According to Rosencrance and Bacon (2021), attackers employ social engineering as the first step in a larger effort to infiltrate a system, since it is often easier to target people than network or system weaknesses. There are several types of social engineering attack, including baiting, whaling, vishing, pretexting, dumpster diving, quid pro quo, and tailgating, but phishing is the most prevalent form and the one that most directly endangers credentials.

In a phishing attack, the attacker exploits human error to steal credentials or spread malware through email attachments or links to malicious websites. For example, the attacker sends the victim an email while posing as a well-known contact; the email contains a link to a fake website that asks for the victim's login information, such as username and password. Social engineering attacks take many forms, and layered preventative measures (firewalls, anti-malware, access management policies, multi-factor authentication so that a phished password alone is not enough, and staff awareness) mitigate the threat.

Significance of Public-Key Infrastructure (PKI)

Public-Key Infrastructure (PKI) underpins secure communication protocols and information technology systems. It offers a mechanism for authenticating the identity of individuals, organizations, and systems involved in online communication and for protecting the confidentiality and integrity of data sent over the internet. According to Fruhlinger (2020), PKI is built on public/private key pairs, which play a crucial role in encryption and in verifying the identity of the persons or devices engaged in communication. The value of PKI is best understood through the problem it addresses: one of the hardest parts of internet communication is verifying that the party you are communicating with is who they claim to be, that is, authentication. PKI provides a dependable authentication method by binding a public key to an identity in a digital certificate issued by a trusted third-party certificate authority (CA).

PKI enables not only authentication but also encryption, which protects sensitive information while it is being sent over the network: data is converted into a form that can be read only by those who hold the corresponding key, which prevents eavesdropping and makes it harder for attackers to reach critical data. PKI also provides integrity and non-repudiation. A digital signature is generated with the sender's private key over a hash of the message, and any recipient holding the sender's certificate can verify that the data has not been tampered with and that it came from the holder of that private key. Overall, PKI is a critical component of modern secure communication systems, providing authentication, encryption, integrity, and non-repudiation for digital interactions and the sensitive data they carry. Its guarantees rest on the CA's issuance controls and on private keys staying private, so relying parties must actually enforce certificate validation and revocation checking rather than merely deploy certificates.

Leapfrogging Across Network

Leapfrogging is an attack technique in which an adversary who has compromised one network uses its trusted connections to reach other, connected networks and their sensitive information. As organizations adopt more complex and interconnected technology, these attacks are becoming more prevalent, because attackers can bypass the perimeter controls of the final target by entering through a network it trusts. Afolabi (2022) notes that threat actors often first gain access to a trusted third party's network, typically a Managed Security Service Provider (MSSP), before compromising the connected systems of its customers. Organizations should deploy robust security measures, such as encryption, firewalls, and intrusion detection systems, and in particular should segment their networks and restrict third-party connections to the least access they require, so that a compromise of one network does not carry into the next. In addition, organizations must continually evaluate and upgrade their security controls to keep pace with emerging threats and technology.

Privilege Escalation

Privilege escalation in a cyberattack, whether horizontal (moving to another account at the same privilege level) or vertical (gaining higher privileges, typically administrative), is the process by which an attacker obtains increasing levels of access to a target system or more sensitive data, leading to a more severe or widespread breach. The objective is greater control within the target so that the attacker can carry out more destructive actions, such as data theft, service interruption, or malware distribution. Attackers rely on credential exploitation, system misconfiguration, software vulnerabilities, and social engineering to escalate privileges (Cynet, n.d.).

Once an attacker holds administrative access to a sensitive system, the consequences can be devastating. Holistic controls, including endpoint security and network analytics that detect unusual activity, together with least-privilege administration (separate administrative accounts, no routine work performed as an administrator, and logging of privileged operations), help protect network resources against these attacks.

Security Baseline

Establishing a security baseline helps ensure that the technology infrastructure is properly secured against possible threats such as those discussed in the vulnerability assessment section. According to the National Institute of Standards and Technology (NIST, 2012), a security baseline is a set of minimum security controls for information systems, established through information security strategic planning activities to address one or more specified security categorizations. That is not to say the systems cannot be secured further, but at a minimum the controls in place must meet those established in the baseline. Security analysts continuously scan the infrastructure and compare the current state of the systems with the established baseline to confirm that those controls are still being met. These system integrity checks help administrators determine a system's trustworthiness, whether data has been changed or damaged, and whether technical and operational conditions are being met (System Integrity Checks, 2023). The required controls vary with the importance of the asset to the organization; an asset is anything of value to it, from physical infrastructure to the data the Australian government handles, as seen in the Cyber Policy Matrix (see Appendix A). Like many other countries, the Australian government runs many operations necessary to the country's day-to-day functioning.

Communication and data sharing between nations is essential to relationship building, and securing the data and the communication channels used is equally important so that sensitive data does not fall into the wrong hands. Technology is now deeply rooted in these operations and has become an essential part of their infrastructure. While it has simplified many processes, it has brought security risks ranging from cyberattacks to legal concerns. To address these, the Australian government has published policies, processes, and standards that guide how its information technology systems are to be secured. The Cyber Policy Matrix briefly discusses these, with most of the information drawn from documents published by the Australian Cyber Security Centre (ACSC), such as the Strategies to Mitigate Cyber Security Incidents, the Essential Eight Maturity Model, and the Information Security Manual. Using the information from the Attribution Report, the Cyber Policy Matrix, the Network Security Checklist, the System Security Risk Vulnerability section, and the documents above, a baseline profile is established to ensure the IT infrastructure of the Australian government is adequately secured. The baseline is also used to analyze the security of the newly established network communications used during the Global Economic Summit.

Establishing a Security Baseline

To establish this baseline, all the available information is compiled and analyzed to develop a set of security rules for the baseline profile. These rules are compared with the current condition of the systems to ensure they are met and communications are secured. Analyzing the internet protocol (IP) addresses in the Attribution Report yielded information about possible threat actors, which was further analyzed to document the common tactics and tools these actors employ and so to understand how they exploit vulnerabilities and gain control of systems. The Network Security Checklist helps security administrators confirm that the appropriate physical and logical security controls are in place. The infrastructure is then analyzed for vulnerabilities and a risk assessment report is completed; the System Security Risk Vulnerability section covers the importance of risk and vulnerability assessment and the common attack vectors that the proper controls mitigate.

Furthermore, to gain a broader understanding of the network's vulnerabilities, a network scan is conducted with industry-standard tools such as Nessus to identify existing vulnerabilities and their mitigation. Another important document for the security of the Australian government's technology systems and of communications within the Global Economic Summit is the Cyber Policy Matrix (see Appendix A). The matrix briefly discusses Australia's policies and laws regarding cybersecurity management and technology; most of its content is compiled from Australian Cyber Security Centre (ACSC) publications on protecting against cyber threats. This matters because administrators must build a communication network for the summit that is not only secure but also complies with the applicable laws and policies. These include the best practices in the Strategies to Mitigate Cyber Security Incidents, the Essential Eight Maturity Model, and the Information Security Manual, as well as the Privacy Act, the Telecommunications (Interception and Access) Act, the Intelligence Services Act 2001, the Security of Critical Infrastructure Act 2018 (Cth), and any other applicable laws or regulations.

Creating the Baseline Profile

Using all the previously compiled information and the OpenSCAP Workbench tool, a baseline profile was created that meets the required security controls, laws, and policies; this baseline is then used to analyze the network infrastructure. OpenSCAP Workbench is a graphical front end to the OpenSCAP scanner: it lets users customize (tailor) an XCCDF profile with the required security rules and then use that profile to scan a single local or remote system for compliance, with optional remediation of the system in accordance with the profile (OpenSCAP, n.d.). Aside from the framework provided by the ACSC, security practices from the American National Institute of Standards and Technology (NIST) are used, where needed, to supplement the security of network communications. SCAP content published by NIST was used as the starting profile and was customized for compliance with the Australian Government's information assurance needs. Figure 1 below shows the OpenSCAP Workbench and the customized profile.

Figure 1. OpenSCAP Workbench

Changes to the original profile were made to ensure consistency with the requirements outlined in the Network Security Checklist. Examples, as seen in Figures 2 and 3 below, include changing the password policy values to meet the password security requirements.

Figure 2. Changing the Minimum Password Age requirements.

Figure 3. Changing the Account Lockout Counter to meet requirements.

A copy of the profile's rules, together with the original profile obtained from NIST, can be found in Appendix A.

With this profile created, systems can be scanned for compliance with all the required security controls. Any vulnerability or non-compliance is mitigated following a risk assessment and the vulnerability management plan. Aside from scanning, OpenSCAP can also produce audit reports for sharing with stakeholders to inform future decisions on security controls.
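To show what a baseline scan actually checks, the added example below (not the report's profile and not OpenSCAP itself) evaluates the two settings changed in Figures 2 and 3, password minimum age and the account lockout counter, plus maximum password age, against constructed copies of a Linux host's /etc/login.defs and /etc/security/faillock.conf. The rule names follow the SCAP Security Guide naming convention (verify them against the installed content); the thresholds are assumed values for illustration, not the figures from the report's profile.

```python
import re

# Constructed configuration fragments standing in for /etc/login.defs and
# /etc/security/faillock.conf on a scanned Linux host; not taken from a real system.
DRIFTED = {
    "login.defs": """
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
""",
    "faillock.conf": """
#deny = 3
deny = 10
unlock_time = 900
""",
}

HARDENED = {
    "login.defs": "PASS_MAX_DAYS 90\nPASS_MIN_DAYS 1\nPASS_WARN_AGE 7\n",
    "faillock.conf": "deny = 5\nunlock_time = 900\n",
}

# Baseline rules: (rule name, file, key, comparator, threshold). Names follow the
# SCAP Security Guide convention; thresholds are assumed values for illustration.
BASELINE = [
    ("accounts_minimum_age_login_defs", "login.defs", "PASS_MIN_DAYS", ">=", 1),
    ("accounts_maximum_age_login_defs", "login.defs", "PASS_MAX_DAYS", "<=", 90),
    ("accounts_passwords_pam_faillock_deny", "faillock.conf", "deny", "<=", 5),
]


def parse_kv(text):
    """Parse 'KEY value' and 'key = value' lines. Blank lines and comments are
    ignored (so a commented-out '#deny = 3' does not count as a setting), and a
    later duplicate of a key overrides an earlier one in this parser."""
    result = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) == 2:
            result[parts[0]] = parts[1].strip()
    return result


def evaluate(files, baseline=BASELINE):
    """Compare parsed settings against the baseline. Returns rule -> (status, detail).
    A missing or non-numeric key is a failure: the compiled-in default is usually
    the insecure one, and a scanner must not pass what it cannot see."""
    parsed = {name: parse_kv(text) for name, text in files.items()}
    results = {}
    for rule, fname, key, op, threshold in baseline:
        raw = parsed.get(fname, {}).get(key)
        if raw is None or not raw.isdigit():
            results[rule] = ("fail", f"{key} not set or not numeric in {fname}")
            continue
        value = int(raw)
        ok = value >= threshold if op == ">=" else value <= threshold
        results[rule] = ("pass" if ok else "fail",
                         f"{key}={value}, baseline requires {op} {threshold}")
    return results


if __name__ == "__main__":
    for name, files in (("drifted host", DRIFTED), ("hardened host", HARDENED)):
        print(name)
        for rule, (status, detail) in evaluate(files).items():
            print(f"  {status:4s} {rule}: {detail}")
```

The drifted host fails all three rules even though `deny = 3` appears in the file, because it is commented out; a baseline check that grepped for the string instead of parsing the effective setting would have passed it.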

Vulnerability Management Process

A well-established vulnerability management process standardizes vulnerability mitigation so that systems are not left exposed to attack. Scanning systems and identifying vulnerabilities is only half of the process: the findings must be prioritized and remediated promptly to reduce the attack surface. The four-step process outlined below will strengthen the communication systems used at the summit and ensure the underlying technologies are secured.

· Asset and Vulnerability Discovery: scanning the network with Nessus discovers assets and their vulnerabilities. Nessus performs in-depth, credentialed scans and identifies far more than a simple port scan would.

· Vulnerability and Risk Prioritization: the scan output lists vulnerabilities and categorizes them by their Common Vulnerability Scoring System (CVSS) score. Administrators and stakeholders combine this with each asset's importance and exposure to decide which vulnerabilities to patch first; a medium-severity flaw on an internet-facing summit server can outrank a critical one on an isolated host.

· Patch Management: Nessus can query a variety of patch management solutions and verify whether patches are installed on managed systems (Dunn, 2016). A patch management policy additionally defines which vulnerabilities are patched first, under what circumstances, and how the process is documented to maintain accountability.

· Remediation, Validation, and Exception Tracking: Nessus suggests a remediation for each finding. A rescan after patching validates that the fix took effect, findings that cannot be remediated are recorded as exceptions with compensating controls and an owner, and continuous scanning keeps the systems monitored and accountable.

Network Forensics Considerations

No system is perfectly secure. Vulnerabilities will always exist, and the point of scanning the infrastructure and hardening systems is to reduce the attack surface and minimize the chance of a successful attack. If an attacker nevertheless succeeds, the response and investigation must be swift and well prepared. Network forensics is the branch of forensic investigation that deals with the acquisition, processing, analysis, reporting, and safekeeping of evidence from network resources (servers, workstations, printers, hubs, switches, routers) and from the information that travels through network ports (Network Forensics, 2023). In the event of a compromise, a forensic examiner determines its seriousness and collects and analyzes the relevant data in a forensically sound manner to establish what occurred. That data may include system registries, memory, caches, logs, network state, connections, uptime and running processes, and an acquisition of all unencrypted data (Network Forensics, 2023). Hardware and software security appliances are already in place to monitor network traffic for suspicious connections: firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS). They operate on the rules established for secure network communications, such as closing all ports except those needed, denying access to specified IP addresses (for example, those in the Attribution Report), and allowing access only to specified applications and web pages. These tools leverage threat intelligence and other information to recognize malicious activity in network traffic, applications, and system behavior, and the security baseline also helps to identify abnormal behavior and suspicious traffic.

Since communication between the participating countries is of the utmost importance at the summit, network procedures must be established in case communications are compromised. NIST defines network traffic as computer network communications carried over a wired or wireless network between hosts (Kent, Chevalier, Grance, & Dang, 2006). Most network communication relies on the TCP/IP model, although the fundamentals of network forensics also apply to other types of network traffic. TCP/IP uses a four-layer approach to communications; a brief overview of the layers follows (Kent, Chevalier, Grance, & Dang, 2006):

· Application – rather than the applications themselves, this layer deals with the protocols those applications use. Examples include HTTP, FTP, DNS, SMTP, etc., and their encrypted counterparts.

· Transport – provides connection-oriented (TCP) or connectionless (UDP) services for transporting application layer services within a network.

· Internet Protocol (Network layer) – this layer deals with IP addresses and is responsible for the addressing and routing of data.

· Hardware – the hardware layer involves the network's physical components, including cables, routers, switches, and network interface cards (NICs).

As a forensic examiner, understanding what occurs at every layer provides valuable knowledge that aids in conducting thorough investigations and finding relevant artifacts. For example, since every NIC has a unique Media Access Control (MAC) address, network traffic can be analyzed to find the source MAC address of suspicious traffic. Note that multiple IP addresses can map to a single MAC address. Analysis of the network layer can help identify suspicious IP addresses during a compromise. Additionally, analyzing the communication ports might yield information about the targeted application or service. Examiners may then use this information to gather log data and other information from relevant data sources. These data sources may include firewalls, routers, IDS, IPS, remote access servers, security event management (SEM) systems, DHCP servers, packet analyzers (e.g., Wireshark), and network forensic analysis tools. Examiners must also account for technical issues commonly encountered during the collection of network traffic. Some of these issues, discussed by Kent, Chevalier, Grance, and Dang (2006), include:

· Data storage – accounting for the collection of network traffic can be complex, especially in a large environment such as the Global Economic Summit, where large volumes of network activity occur. Since storage capacity might limit data collection, examiners must decide when and what data should be collected.

· Encrypted Traffic – security is paramount when various countries communicate and share sensitive data; therefore, encryption must be used to secure communication. However, this is also detrimental to forensic examinations, since the contents of encrypted traffic cannot be analyzed. NIST recommends placing a data source where it can see the decrypted traffic, i.e., placing an IDS before a VPN to detect suspicious traffic. Furthermore, NIST recommends establishing policies that specify the appropriate use of traffic encryption technologies, so that security controls such as IDS sensors can monitor the contents of traffic that does not need to be, or should not be, encrypted.

· Services Running on Unknown Ports – network security appliances should be configured to block all unused ports and alert on connections using unknown server ports. Furthermore, configuring appliances to perform protocol analysis, monitoring traffic flow, and configuring protocol analyzers can help identify suspicious traffic.

· Alternate Access Point – attackers often leverage access points to connect to the network and avoid detection by security appliances. Limiting access points at the summit is a mitigating strategy for this issue.

· Monitoring Failure – as stated before, no system is perfect, and failures are bound to happen. Redundancy is vital to mitigate this problem; having multiple appliances monitor traffic at different levels helps. Examples include using network-based firewalls together with a host-based firewall for security and logging.
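The MAC-to-IP analysis described above and the "alert on unknown server ports" and "deny listed IP addresses" rules from this list can be exercised over exported flow records. The following Python is an added example, not part of the report or of any tool it cites; the flow-record format, the allowed-port set, and the denied network (an RFC 5737 documentation range standing in for the Attribution Report addresses) are constructed assumptions.

```python
"""Added example: triage exported flow records with the report's network-forensics rules.

Assumptions (not from the report): the record format below, the allowed-port set, and
the denied-network placeholder are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed flow records: timestamp, source MAC, source IP, destination IP,
# destination port, protocol (one record per line).
SAMPLE_FLOWS = """\
2023-02-01T09:00:01Z 00:11:22:33:44:55 10.10.1.20 10.10.2.5 443 tcp
2023-02-01T09:00:02Z 00:11:22:33:44:55 10.10.1.21 10.10.2.5 443 tcp
2023-02-01T09:00:03Z 00:11:22:33:44:55 10.10.1.20 10.10.2.9 4444 tcp
2023-02-01T09:00:04Z AA:BB:CC:DD:EE:01 10.10.3.7 203.0.113.50 53 udp
2023-02-01T09:00:05Z aa:bb:cc:dd:ee:01 10.10.3.7 198.51.100.23 8443 tcp
2023-02-01T09:00:06Z aa:bb:cc:dd:ee:02 10.10.3.8 10.10.2.5 25 tcp
"""

# Server ports the baseline leaves open ("closing all ports except the ones needed").
ALLOWED_SERVER_PORTS = {("tcp", 443), ("udp", 53), ("tcp", 25), ("tcp", 22)}

# Placeholder for the Attribution Report deny list: an RFC 5737 documentation
# range, not a real attacker address.
DENIED_NETWORKS = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Flow:
    ts: str
    src_mac: str
    src_ip: object  # IPv4Address or IPv6Address
    dst_ip: object
    dst_port: int
    proto: str


def parse_flows(text):
    """Parse whitespace-separated records; MACs and protocols are normalised to lower case."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue  # skip blank lines
        if len(fields) != 6:
            raise ValueError(f"malformed flow record: {line!r}")
        ts, mac, src, dst, port, proto = fields
        flows.append(Flow(ts, mac.lower(), ip_address(src), ip_address(dst),
                          int(port), proto.lower()))
    return flows


def mac_to_ips(flows):
    """Group source IPs by source MAC; several IPs can map to one NIC, as the report notes."""
    mapping = defaultdict(set)
    for f in flows:
        mapping[f.src_mac].add(str(f.src_ip))
    return {mac: sorted(ips) for mac, ips in mapping.items()}


def unknown_port_connections(flows, allowed=ALLOWED_SERVER_PORTS):
    """Connections to server ports outside the allow list (the report says to alert on these)."""
    return [f for f in flows if (f.proto, f.dst_port) not in allowed]


def denied_destination_connections(flows, denied=DENIED_NETWORKS):
    """Connections whose destination falls inside a denied network."""
    return [f for f in flows if any(f.dst_ip in net for net in denied)]


def triage(text):
    """Run all checks over a flow export and return a findings summary."""
    flows = parse_flows(text)
    by_mac = mac_to_ips(flows)
    return {
        "mac_to_ips": by_mac,
        "macs_with_multiple_ips": sorted(m for m, ips in by_mac.items() if len(ips) > 1),
        "unknown_ports": [(f.ts, str(f.src_ip), f.proto, f.dst_port)
                          for f in unknown_port_connections(flows)],
        "denied_destinations": [(f.ts, str(f.src_ip), str(f.dst_ip))
                                for f in denied_destination_connections(flows)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```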

Making sense of what occurred can often be challenging for an examiner. An in-depth understanding of the network infrastructure at the summit is critical to quickly identifying relevant data sources and beginning the forensic process. Knowing the fundamentals of network communications and their underlying technologies is essential to answering questions about how, when, where, why, what, and possibly who. Additionally, understanding issues such as the ones discussed above helps in knowing the limitations that an examiner may face during the investigation's collection, preservation, processing, analysis, and reporting phases. Forensics can be a challenge in a significant event such as the Global Economic Summit, where every nation has its communication infrastructure, security, and policies. Nations must be prepared to collaborate and share information in case of a compromise involving other countries at the summit.

Appendix A

References

Afolabi, O. (2022, December 26). Island hopping attacks: What they are and how to protect yourself. MUO. Retrieved February 1, 2023, from https://www.makeuseof.com/what-are-island-hopping-attacks/

Australian Government Federal Register of Legislation. (2015). Telecommunications (Interception and Access) Amendment (Data Retention) Act of 2015. Retrieved from https://www.legislation.gov.au/Details/C2015A00039

Best, A. (2021, August 11). The quick and essential network security checklist for 2023. Inspired eLearning. Retrieved January 30, 2023, from https://inspiredelearning.com/blog/network-security-checklist/

Capec.mitre.org. (n.d.). Common attack pattern enumeration and classification. CAPEC. Retrieved February 1, 2023, from https://capec.mitre.org/about/

Cobb, M. (2022, November 10). How to perform a cybersecurity risk assessment in 5 steps: TechTarget. Security. Retrieved February 1, 2023, from https://www.techtarget.com/searchsecurity/tip/How-to-perform-a-cybersecurity-risk-assessment-step-by-step

Cynet.com. (2023, January 6). Understanding privilege escalation and 5 common attack techniques. Cynet. Retrieved February 1, 2023, from https://www.cynet.com/network-attacks/privilege-escalation/

Dunn, S. (2016, August 24). Patch management overview. Retrieved from https://www.tenable.com/sc-dashboards/patch-management-overview

Fortinet. (n.d.). What is a man-in-the-middle (MITM) attack? Fortinet. Retrieved February 1, 2023, from https://www.fortinet.com/resources/cyberglossary/man-in-the-middle-attack

Fruhlinger, J. (2020, May 29). What is PKI? and how it secures just about everything online. CSO Online. Retrieved February 1, 2023, from https://www.csoonline.com/article/3400836/what-is-pki-and-how-it-secures-just-about-everything-online.html

GeoTek. (2023). IP Checker. Retrieved from https://ipinfo.info/html/ip_checker.php

ISACA. (2017). Security vulnerability assessment. Retrieved February 1, 2023, from https://www.datasqlvisionary.com/wp-content/uploads/2018/06/Security-Vulnerability-Assessment.pdf

Kent, K., Chevalier, S., Grance, T., & Dang, H. (2006, August). Guide to integrating forensic techniques into incident response. National Institute of Standards and Technology. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-86.pdf

Magnusson, A. (2022, December 9). What is a brute force attack? types, examples & prevention. StrongDM. Retrieved February 1, 2023, from https://www.strongdm.com/blog/brute-force-attack

Mansfield, H. (2017, April 1). Using VPNs to protect your Internet privacy. https://haroldmansfield.com/using-a-vpn-to-protect-your-internet-privacy/

Network Forensics. (2023). UMGC. Retrieved from https://leocontent.umgc.edu/content/scor/uncurated/cyb/2215-cyb670/learning-topic-list/network-forensics.html?ou=722363

NIST. (2012, September). Information Security. Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

NordVPN. (2023). IP Address Lookup. Retrieved from https://nordvpn.com/ip-lookup/

OpenSCAP. (n.d.). SCAP workbench. Retrieved from https://www.open-scap.org/tools/scap-workbench/#

Pempal.org. (n.d.). Network Security Audit Checklist. Pempal. Retrieved January 30, 2023, from https://www.pempal.org/

Shacklett, M. E. (2021, April 13). What is attack vector? Security. Retrieved February 1, 2023, from https://www.techtarget.com/searchsecurity/definition/attack-vector

Subedi, H. (2019, November 1). The Ultimate Network Security Checklist: Jones it. Jones IT | Managed IT Services, IT Support, IT Consulting. Retrieved January 30, 2023, from https://www.itjones.com/blogs/2019/11/1/the-ultimate-network-security-checklist

System Integrity Checks. (2023). UMGC. Retrieved from https://leocontent.umgc.edu/content/scor/uncurated/cyb/2215-cyb670/learning-resource-list/system-integrity-checks.html?ou=722363

Thomas. (2021, September 2). The spam auditor blog: The Information Nexus for the anti-spam community. Spam Auditor Blog. Retrieved February 1, 2023, from https://spamauditor.org/2021/09/the-different-types-of-authentication-attacks-what-you-can-do-to-protect-yourself/

Attachment: Microsoft_Excel_Worksheet.xlsx (sheet "Cyber Matrix")

CYBER POLICY MATRIX

Columns: Cyber Elements; Information Security; Information Technology; Operations; Business; Legal; Audit; Human Resources; Leadership Positions

Governance – Corporations Act 2001. It imposes duties on directors to exercise their powers and duties with care and diligence. A director who ignores the real possibility of an incident may be liable for failing to exercise their duties with care and diligence. The Australian Signals Directorate (ASD) provides information security recommendations and support to organizations. The Australian Cyber Security Centre (ACSC) is the Australian Government's primary agency for cyber security operational matters at the national level. The Essential Eight is an Australian cybersecurity framework developed by the Australian Signals Directorate (ASD). The Privacy Act (Cth), the Crimes Act 1914 (Cth), the Security of Critical Infrastructure Act 2018 (Cth), the Code (Cth), and the Telecommunications (Interception and Access) Act 1979 (Cth). The Joint Committee of Public Accounts and Audit suggested that the Australian Signals Directorate (ASD) and the Attorney-General's Department (AGD) report annually to Parliament on the Nation's cyber security posture. Most employees want HR to take a bigger role when it comes to cybersecurity. HR should come down harder on individuals who are the cause of a breach. In a survey of 500 IT professionals, 68% said that the best way to reduce breaches is for HR to offer more training. The Hon Richard Marles MP, Deputy Prime Minister and Minister for Defence.

Policies, Processes, Standards – The Protective Security Policy Framework (PSPF) assists Australian Government organizations in protecting their people, information, and assets domestically and internationally (PSPF Policy 9). The Information Security Manual (ISM) is intended to provide an outline of a cyber security framework that an organization can use in conjunction with its risk management framework to safeguard its systems and data from cyber threats. The ISM provides organizations with principles and practical guidance on how an organisation can protect its systems and data from cyber threats. The guidelines cover governance, physical security, personnel security, and information and communications technology security matters. The PSPF represents better practice for corporate Commonwealth entities and wholly-owned Commonwealth companies under the PGPA Act of 2013. The Archives Act, the Privacy Act, and the Telecommunications (Interception and Access) Act. The Hon Clare O'Neil MP, Minister for Home Affairs and Minister for Cyber Security.

Strategy – Australia's Cyber Security Strategy 2020. The Australian Government Information Security Manual (ISM). Additionally, the Strategies to Mitigate Targeted Cyber Intrusions – Mitigation Details publication provides information to assist organizations with mitigating cyber security incidents caused by a wide range of threats (Australian Cyber Security Centre, 2017). The Intelligence Services Act 2001 (ISA). The Hon Clare O'Neil MP, Minister for Home Affairs and Minister for Cyber Security.

Risk Management – The Cyber Incident Management Arrangements (CIMA) for Australian governments aim to reduce the scope, impact, and severity of national cyber incidents on all Australians. The Australian Government Information Security Manual (ISM) outlines a risk management approach to protect systems and information from cyber risks and threats. The risk management framework offered in the manual is based on data from the Australian Cyber Security Centre and the Australian Signals Directorate. Prudential Standard CPS 234, The Australian Prudential Regulation Authority (APRA). Ms. Rachel Noble PSM, Director-General of the Australian Signals Directorate.

Risk Assessment – Execution – The Australian Cyber Security Centre (ACSC) collaborates with the private and public sectors to share information on threats and increase resilience. The Essential Eight Maturity Assessment Process. Section 7(e) of the Intelligence Services Act 2001. NA.

Asset Security – (Information Security Manual) Control: ISM-1633; Revision: 0; specifies that system owners establish the type, value, and security objectives for each system based on an analysis of the impact of a breach. (Information Security Manual) Control: ISM-1634; Revision: 1; states that system owners select controls for each system and tailor them to achieve the desired security objectives. The Information Security Manual (ISM) outlines different guidelines to help protect assets on the physical level, using a defence-in-depth approach, as well as on the logical level. (Information Security Manual) Security Control: 1504; Revision: 1; states that multi-factor authentication is used by an organisation's users if they authenticate to their organisation's internet-facing services. (Information Security Manual) Control: ISM-1587; Revision: 0; states that system owners report the security status of each system to its authorizing officer at least annually.

Information Security Management – The Australian Cyber Security Centre (ACSC) provides cyber security information, advice, and assistance to all Australians. The Essential Eight Maturity Model. Ms Abigail Bradshaw CSC, Head, Australian Cyber Security Centre.

Communications and Network – PSPF Policy 9 states that access to networks, operating systems, applications, and sensitive or classified information that is processed, stored, or communicated is controlled through a clear understanding of the information held on such systems. (Information Security Manual) Security Control: 1381; Revision: 2; states that all dedicated administrator workstations used for privileged tasks are prevented from communicating with assets not related to administrative activities. (Information Security Manual) Security Control: 0520 states that network access controls are implemented on networks to prevent the connection of unauthorized network devices. The Australian Security of Critical Infrastructure Act of 2018 (SOCI Act) aims to safeguard Australian infrastructure against cyberattacks.

Identity and Access Management – The Australian Cyber Security Centre (ACSC) uses cyber security principles to better understand how to protect systems and data. Protect Principle 12 states that multiple techniques are used to identify and authenticate personnel to systems, applications, and data repositories. Protect Principle 1 specifies that systems and applications are administered in a secure and accountable manner. Protect Principle 10 states that only trusted and vetted personnel are granted access to systems, applications, and organizational data. Protect Principle 2 specifies that systems and applications are delivered and supported by trusted suppliers. Protect Principle 11 states that personnel are granted the minimum access to systems, applications, and organizational resources required for their duties.

Security Architecture – The Protective Security Policy Framework (PSPF) Policy 11: Robust ICT systems describes safeguarding information and communication technology (ICT) systems to ensure the secure and uninterrupted performance of government activities. (Information Security Manual) Control: ISM-1739; Revision: 0; states that a system's security architecture is approved prior to the development of the system. An organization's ICT systems should be resilient to the failure of security controls. When designing systems, the concept of defense-in-depth should be considered, particularly where control failures have occurred in the past (ACSC).

Security Technology – The Australian Cyber Security Centre (ACSC) uses gateway security mechanisms to separate different security domains by allowing only authorized data to flow from one security domain to another. The controls implemented in a gateway should be designed to reduce or eliminate the attack surface associated with the flow of data entering and leaving a security domain. As specified by the Australian Cyber Security Centre (ACSC), a Commonwealth entity needs to consider its obligations, including strategies outlined in the PSPF, the PGPA Act, and the ISM.

Security Engineering – Security of Critical Infrastructure Act 2018. It seeks to respond to technological changes that have increased cybersecurity connectivity to critical infrastructure.

Security Development – (Information Security Manual) Security Control: 0042; Revision: 5; states that all system administration processes, and supporting system administration procedures, are developed and implemented. (Information Security Manual) Security Control: 1617; Revision: 0; Updated: Oct-20; states that the CISO regularly reviews and updates their organisation's cyber security program to ensure its relevance in addressing cyber threats and harnessing business and cyber security opportunities.

Operations and Service Delivery – (Information Security Manual) Security Control: 0408; Revision: ; specifies that systems have a logon banner that requires users to acknowledge and accept their security responsibilities before access is granted.

Project Management – (Information Security Manual) Security Control: 0246; Revision: 3; Updated: Sep-18; specifies that an emanation security threat assessment is sought as early as possible in a project's life cycle, as emanation security controls can have significant cost implications. (Information Security Manual) Security Control: 1478; Revision: 1; states that the CISO oversees their organisation's cyber security program and ensures their organisation's compliance with cyber security policy, standards, regulations, and legislation. (Information Security Manual) Security Control: 0726; Revision: 2; states that the CISO coordinates security risk management activities between cyber security and business teams.

Audit, Review, Monitoring – (Information Security Manual) Control: ISM-1610; Revision: 0; states that ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification.

Incident Response – (Information Security Manual) Control: ISM-0576; Revision: 9; states that an incident management policy, and associated incident response plan, are developed, implemented, and maintained. (Information Security Manual) Control: ISM-1610; Revision: 0; states that a method of emergency access to systems is documented and tested at least once when initially implemented and each time fundamental information technology infrastructure changes occur. (Information Security Manual) Control: ISM-0140; Revision: 6; states that all cyber security incidents are reported to the Australian Cyber Security Centre (ACSC). The Australian Cyber Security Centre (ACSC) provides advice and guidance to business and government entities on how to respond to and report cybersecurity incidents. S.30cd of the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 states that an entity responsible for a system of national significance must adopt and maintain an incident response plan for a cybersecurity incident.

Legal and Regulatory – The Protective Security Policy Framework (PSPF) gives Australian Government organizations the ability to secure their people, information, and assets. The Center for Internet Security (CIS) Controls are a collection of security initiatives meant to defend systems from typical cyber-attacks. Businesses must implement an information security management system and comply with standards such as ISO/IEC 27001, ISO/IEC 38500, GDPR, the Australian Privacy Act 1988, and the Essential Eight. The Australian Signals Directorate's (ASD) designated functions under section 7(1)(ca) of the Intelligence Services Act 2001. Archives Act 1983, Privacy Act 1988, and Telecommunications (Interception and Access) Act 1979.

Data Acquisition, Preservation, Analysis, Transfer – (Information Security Manual) Security Control: 0347; Revision: 5; specifies that when transferring data manually between two systems belonging to different security domains, write-once media is used unless the destination system has a mechanism through which read-only access can be ensured.
References

Asd.gov.au. (n.d.). Leadership. Australian Signals Directorate. Retrieved January 24, 2023, from https://www.asd.gov.au/about/leadership

Cyber.gov.au. (2021, December). Information security manual. Australian Cyber Security Centre. Retrieved January 24, 2023, from https://www.cyber.gov.au/sites/default/files/2021-12/ISM%20December%202021%20Changes%20%28December%202021%29.pdf

Iclg.com. (2023, November). Cybersecurity laws and regulations Australia 2023. Retrieved from http://iclg.com/

Kost, E. (2023, January 5). Essential eight compliance guide (updated for 2023). UpGuard. Retrieved January 24, 2023, from https://www.upguard.com/blog/essential-eight

Kost, E. (2023, January 5). Top 10 Australian cybersecurity frameworks in 2023. UpGuard. Retrieved January 24, 2023, from https://www.upguard.com/blog/australian-cybersecurity-frameworks#toc-0

Miralis, D., Gibson, P., & Ceic, J. (n.d.). Cybersecurity laws and regulations report 2023 Australia. International Comparative Legal Guides International Business Reports. Retrieved January 24, 2023, from https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/australia

Muncaster, P. (2015, September 15). Most employees want HR to take a bigger role in cybersecurity. Infosecurity Magazine. Retrieved January 26, 2023, from https://www.infosecurity-magazine.com/news/most-employees-want-hr-take-bigger/

Protectivesecurity.gov.au. (2021, June 25). Policies. Protective Security Policy Framework. Retrieved January 24, 2023, from https://www.protectivesecurity.gov.au/policies

scap_gov.nist_USGCB-Windows-7.xml

accepted USGCB: Guidance for Securing Microsoft Windows 7 Systems This guide has been created to assist IT professionals in effectively securing systems running Microsoft 7 Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. NIST assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. NIST would appreciate acknowledgement if the document and template are used. The Federal CIO council created the Technology Information Subcommittee (TIS) at the direction of OMB to govern, among other federal activities, the FDCC iniatitive. The TIS, based on federal agency input, selects platforms and applcations for federal implementation. The TIS also is the Change Control Board (CCB) for configuration settings. As stated in the Federal CIO Council Memo to federal agencies, "The USGCB settings replace the Federal Desktop Core Configuration (FDCC) settings and provide the recommended security baselines for Information Technology products widely deployed across the agencies." Trademark Information Microsoft, Windows, Windows 7, Windows XP, Windows Vista, Internet Explorer, and Windows Firewall are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries. All other names are registered trademarks or trademarks of their respective companies. 
National Institute of Standards and Technology SP 800-68 Automatic Updates are not Enabled IPv6 Network Protocol is not Enabled Windows Error Reporting is not Enabled Remote Assistance is not Enabled Remote Desktop Services is not Enabled Bluetooth is not Enabled v2.0.5.1 National Institute of Standards and Technology National Institute of Standards and Technology National Institute of Standards and Technology http://alpha.nist.gov United States Government Configuration Baseline 2.0.5.1 This profile represents guidance outlined in United States Government Configuration Baseline for desktop systems with Microsoft Windows 7 installed. Introduction This guide has been created to assist federal agencies in effectively securing systems with Microsoft Windows 7 based on OMB US Government Configuration Baseline (USGCB) recommendations.Under the direction of OMB and in collaboration with DHS, DISA, NSA, USAF, and Microsoft, NIST has provided the following baseline to help agencies test, implement, and deploy the Microsoft Windows 7 USGCB baseline. The USGCB is an OMB-mandated security configuration.Please refer to the USGCB home page for additional information: http://usgcb.nist.gov/ Security Guide Development In today's computing environment, the security of all computing resources, from network infrastructure devices to users' desktop computers, is essential. There are many threats to users' computers, ranging from remotely launched network service exploits to malware spread through e-mails, Web sites, and file downloads. Increasing the security of individual computers protects them from these threats and reduces the likelihood that a system will be compromised or that data will be disclosed to unauthorized parties. Effective and well-tested security configurations means that less time and money is spent eradicating malware, restoring systems from backups, and reinstalling operating systems and applications. 
In addition, having stronger host security increases network security (e.g., home, business, government, the Internet); for example, most distributed denial of service attacks against networks use large numbers of compromised hosts. The goal of this guide is to provide security configuration guidance to the users and system administrators of Microsoft Windows 7 systems. This advice can be adapted to any environment, from individual SOHO installations to large geographically diverse organizations. Although the guide is primarily targeted toward business environments and Windows 7 Enterprise Edition, some of the guidance is also appropriate for other Windows 7 editions. This guide draws on a large body of vendor knowledge and government and security community experience gained over many years of securing computer systems. This section of the guide is based largely on the steps proposed in NIST's FISMA Implementation Project for achieving more secure information systems. Sections 2.1 and 2.2 address the need to categorize information and information systems. Each Windows 7 system can be classified as having one of three roles; each system can also be classified according to the potential impact caused by security breaches. Section 2.3 describes threats and provides examples of security controls that can mitigate threats. Section 2.4 outlines the primary types of environments for information systems - SOHO, Enterprise, Specialized Security-Limited Functionality, and Legacy - and ties each environment to typical threat categories and security controls. Section 2.5 provides a brief overview of the implementation of the security controls and the importance of performing functionality and security testing. Finally, Section 2.6 discusses the need to monitor the security controls and maintain the system. Figure 2-1 shows the six facets to Windows 7 security that are covered in Sections 2.1 through 2.6. 
Windows 7 System Roles and Requirements Windows 7 security should take into account the role that the system plays. For the purposes of this guide, Windows 7 systems can be divided into three roles: inward-facing, outward-facing, and mobile. Inward-Facing: An inward-facing Windows 7 system is typically a user workstation on the interior of a network that is not directly accessible from the Internet. Physical access is also generally limited in some manner (e.g., only employees have access to the work area). In many environments, inward-facing systems share a common hardware and software configuration because they are centrally deployed and managed (e.g., Microsoft domains, Novell networks). Because an inward-facing system is usually in the same environment all the time (e.g., desktop on the corporate local area network [LAN]), the threats against the system do not change quickly. In general, inward-facing systems are relatively easy to secure, compared to outward-facing and mobile systems. Outward-Facing: An outward-facing Windows 7 system is one that is directly connected to the Internet. The classic example is a home computer that connects to the Internet through dial-up or broadband access. Such a system is susceptible to scans, probes, and attacks launched against it by remote attackers. It typically does not have the layers of protection that an inward-facing system has, such as network firewalls and intrusion detection systems. Outward-facing systems are often at high risk of compromise because they have relatively high security needs, yet are typically administered by users with little or no security knowledge. Also, threats against outward-facing systems may change quickly since anyone can attempt to attack them at any time. Mobile: A system with a mobile role typically moves between a variety of environments and physical locations. 
For network connectivity, this system might use both traditional wired methods (e.g., Ethernet, dialup) and wireless methods (e.g., IEEE 802.11). The mobility of the system makes it more difficult to manage centrally. It also exposes the system to a wider variety of threat environments; for example, in a single day the system might be in a home environment, an office environment, a wireless network hotspot, and a hotel room. An additional threat is the loss or theft of the system. This could lead to loss of productivity at a minimum, but could also include the disclosure of confidential information or the possible opening of a back door into the organization if remote access is not properly secured. Security Categorization of Information and Information Systems This section discusses the most significant security features inherited from previous Windows versions: Kerberos, smart card support, Internet Connection Sharing, Internet Protocol Security, and Encrypting File System. For each security feature, the section includes a brief description, an analysis of the security impact of each feature, and general recommendations for when the feature should or should not be used. It is outside the scope of this document to cover the features in great depth, so pointers to resources with additional information are provided as needed. The classic model for information security defines three objectives of security: maintaining confidentiality, integrity, and availability. Confidentiality refers to protecting information from being accessed by unauthorized parties. Integrity refers to ensuring the authenticity of information-that information is not altered, and that the source of the information is genuine. Availability means that information is accessible by authorized users. Each objective addresses a different aspect of providing protection for information. 
Determining how strongly a system needs to be protected is based largely on the type of information that the system processes and stores. For example, a system containing medical records probably needs much stronger protection than a computer used only for viewing publicly released documents. This is not to imply that the second system does not need protection; every system needs to be protected, but the level of protection may vary based on the value of the system and its data.

To establish a standard for determining the security category of a system, NIST created Federal Information Processing Standards (FIPS) Publication (PUB) 199, Standards for Security Categorization of Federal Information and Information Systems. FIPS PUB 199 establishes three security categories (low, moderate, and high) based on the potential impact of a security breach involving a particular system. The FIPS PUB 199 definitions for each category are as follows:

The potential impact is LOW if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

The potential impact is MODERATE if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

The potential impact is HIGH if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

Each system should be protected based on the potential impact to the system of a loss of confidentiality, integrity, or availability. Protection measures (otherwise known as security controls) tend to fall into two categories. First, security weaknesses in the system need to be resolved. For example, if a system has a known vulnerability that attackers could exploit, the system should be patched so that the vulnerability is removed or mitigated. Second, the system should offer only the required functionality to each authorized user, so that no one can use functions that are not necessary. This principle is known as least privilege. Limiting functionality and resolving security weaknesses have a common goal: give attackers as few opportunities as possible to breach a system.

Although each system should ideally be made as secure as possible, this is generally not feasible because the system needs to meet the functional requirements of its users. Another common problem with security controls is that they often make systems less convenient or more difficult to use. When usability is an issue, many users will attempt to circumvent security controls; for example, if passwords must be long and complex, users may write them down. Balancing security, functionality, and usability is often a challenge. This guide attempts to strike a proper balance and make recommendations that provide a reasonably secure solution while offering the functionality and usability that users require.

Another fundamental principle endorsed by this guide is using multiple layers of security. For example, a host may be protected from external attack by several controls, including a network-based firewall, a host-based firewall, and OS patching. The motivation for having multiple layers is that if one layer fails or otherwise cannot counteract a certain threat, other layers might prevent the threat from successfully breaching the system. A combination of network-based and host-based controls is generally most effective at providing consistent protection for systems.

NIST SP 800-53, Recommended Security Controls for Federal Information Systems, proposes minimum baseline management, operational, and technical security controls for information systems. These controls are to be implemented based on the security categorizations proposed by FIPS 199, as described earlier in this section. This guidance should assist agencies in meeting baseline requirements for Windows 7 Enterprise systems deployed in their environments.
Baseline Security Controls and Threat Analysis Refinement

To secure a system, it is essential first to define the threats that need to be mitigated. This knowledge of threats is also key to understanding the reasons the various configuration options in this guide have been chosen. Most threats against data and resources are possible because of mistakes: either bugs in operating system and application software that create exploitable vulnerabilities, or errors made by users and administrators. Threats may involve intentional actors (e.g., an attacker who wants to access credit card numbers on a system) or unintentional actors (e.g., an administrator who forgets to disable the user accounts of a terminated employee). Threats can be local, such as a disgruntled employee, or remote, such as an attacker in another country.

The following sections describe each major threat category, list possible controls, provide examples of threats, and summarize the potential impact of the threat. The list of threats is not exhaustive; it simply represents the major threat categories that were considered during the selection of the security controls described in this guide. Organizations should conduct risk assessments to identify the specific threats against their systems and determine the effectiveness of existing security controls in counteracting the threats, then perform risk mitigation to decide what additional measures (if any) should be implemented.

This section describes various types of local and remote threats that can negatively impact systems. The possible controls listed for the threats are primarily technical, as are the controls discussed throughout this document. However, it is important to further reduce the risks of operating a Windows 7 system by also using management and operational controls. Examples of important operational controls are restricting physical access to a system; performing contingency planning, backing up the system, storing the backups in a safe and secure location, and testing the backups regularly; and monitoring Microsoft mailing lists for relevant security bulletins. Management controls could include developing policies regarding Windows 7 system security and creating a plan for maintaining Windows 7 systems. By selecting and implementing management, operational, and technical controls for Windows 7, organizations can better mitigate the threats that Windows 7 systems may face.

Another reason to use multiple types of controls is to provide better security in situations where one or more controls are circumvented or otherwise violated. This may be done not only by attackers, but also by authorized users with no malicious intent. For example, taping a list of passwords to a monitor for convenience may nullify controls designed to prevent unauthorized local access to that system. Establishing a policy against writing down passwords (management control), educating users on the dangers of password exposure (operational control), and performing periodic physical audits to identify posted passwords (operational control) may all be helpful in reducing the risks posed by writing down

Local Threats

Local threats require either physical access to the system or logical access to the system (e.g., an authorized user account). Local threats are grouped into three categories: boot process, unauthorized local access, and privilege escalation.

Boot Process

Threat: An unauthorized individual boots a computer from third-party media (e.g., removable drives, Universal Serial Bus [USB] token storage devices). This could permit the attacker to circumvent operating system (OS) security measures and gain unauthorized access to information.
Examples:
While traveling, an employee misplaces a laptop, and the party that acquires it tries to see what sensitive data it contains.
A disgruntled employee boots a computer off third-party media to circumvent other security controls so the employee can access sensitive files (e.g., confidential data stored locally, the local password file).

Impact: Unauthorized parties could cause a loss of confidentiality, integrity, and availability.

Possible Controls:
Implement physical security measures (e.g., locked doors, badge access) to restrict access to equipment.
Enable a strong and difficult-to-guess password for the Basic Input Output System (BIOS), and configure the BIOS to boot the system from the local hard drive only, assuming that the case containing the OS and data is physically secure. This will help protect the data unless the hard drive is removed from the computer.
Secure local files via encryption to prevent access to data in the event the physical media is placed in another computer.

Unauthorized Local Access

Threat: An individual who is not permitted to access a system gains local access.

Examples:
A visitor to a company sits down at an unattended computer and logs in by guessing a weak password for a default user account.
A former employee gains physical access to facilities and uses old credentials to log in and gain access to company resources.

Impact: Because the unauthorized person is masquerading as an authorized user, this could cause a loss of confidentiality and integrity; if the user has administrative rights, this could also cause a loss of availability.

Possible Controls:
Require valid username and password authentication before allowing any access to system resources, and enable a password-protected screen saver. These actions help to prevent an attacker from walking up to a computer and immediately gaining access.
Enable a logon banner containing a warning of the possible legal consequences of misuse.
Implement a password policy to enforce stronger passwords, so that it is more difficult for an attacker to guess passwords. Do not use or reuse a single password across multiple accounts; for example, the password for a personal free e-mail account should not be the same as that used to gain access to the Windows 7 host.
Establish and enforce a checkout policy for departing employees that includes the immediate disabling of their user accounts.
Physically secure removable storage devices and media, such as CD-ROMs, that contain valuable information. An individual who gains access to a workspace may find it easier to take removable media than to attempt to get user-level access on a system.

Privilege Escalation

Threat: An authorized user with normal user-level rights escalates the account's privileges to gain administrator-level access.

Examples:
A user takes advantage of a vulnerability in a service to gain administrator-level privileges and access another user's files.
A user guesses the password for an administrator-level account, gains full access to the system, and disables several security controls.

Impact: Because the user is gaining full privileges on the system, this could cause a loss of confidentiality, integrity, and availability.

Possible Controls:
Restrict access to all administrator-level accounts and to administrative tools, configuration files, and settings. Use strong, difficult-to-guess passwords for all administrator-level accounts. Do not use domain administrator accounts from non-administrative client hosts. These actions will make it more difficult for users to escalate their privileges.
Disable unused local services. Vulnerabilities in these services may permit users to escalate their privileges.
Install application and OS updates (e.g., hotfixes, service packs, patches). These updates will resolve system vulnerabilities, reducing the number of attack vectors that can be used.
Encrypt sensitive data. Even administrator-level access would not permit a user to access data in encrypted files.

Remote Threats

Unlike local threats, remote threats do not require physical or logical access to the system. The categories of remote threats described in this section are network services, data disclosure, and malicious payloads.

Network Services

Threat: Remote attackers exploit vulnerable network services on a system. This includes gaining unauthorized access to services and data, and causing a denial of service (DoS) condition.

Examples:
A worm searches for systems with an unsecured service listening on a particular port, and then uses the service to gain full control of the system.
An attacker gains access to a system through a service that did not require authentication.
An attacker impersonates a user by taking advantage of a weak remote access protocol.

Impact: Depending on the type of network service that is being exploited, this could cause a loss of confidentiality, integrity, and availability.

Possible Controls:
Disable unused services. This provides attackers with fewer chances to breach the system.
Test and install application and OS updates (e.g., hotfixes, service packs, patches). These updates will resolve system software vulnerabilities, reducing the number of attack vectors that can be used.
Require strong authentication before allowing access to the service. Implement a password policy to enforce stronger passwords that are harder to guess. Establish and enforce a checkout policy for departing employees that includes the immediate disabling of their user accounts. These actions help to ensure that only authorized users can access each service.
Do not use weak remote access protocols and applications; instead, use only accepted, industry-standard strong protocols (e.g., Internet Protocol Security [IPsec], Secure Shell [SSH], Transport Layer Security [TLS]) for accessing and maintaining systems remotely.
Use firewalls or packet filters to restrict access to each service to the authorized hosts only. This prevents unauthorized hosts from gaining access to the services and also prevents worms from propagating from one host to other hosts on the network.
Enable logon banners containing a warning of the possible legal consequences of misuse.

Data Disclosure

Threat: A third party intercepts confidential data sent over a network.

Examples:
On a non-switched network, a third party is running a network monitoring utility. When a legitimate user transmits a file in an insecure manner, the third party captures the file and accesses its data.
An attacker intercepts usernames and passwords sent in plaintext over a local network segment.

Impact: The interception of data could lead to a loss of confidentiality. If authentication data (e.g., passwords) are intercepted, it could cause a loss of confidentiality and integrity, and possibly a loss of availability if the intercepted credentials have administrator-level privileges.

Possible Controls:
Use switched networks, which make it more difficult to sniff packets.
Use a secure user identification and authentication system, such as NT LanManager version 2 (NTLMv2) or Kerberos. Section 3.2.1 contains a discussion of the choices that Windows 7 provides.
Encrypt network communications or application data through the use of various protocols (e.g., TLS, IPsec, SSH). This protects the data from being accessed by a third party.

Malicious Payloads

Threat: Malicious payloads such as viruses, worms, Trojan horses, and active content attack systems through many vectors. End users of the system may accidentally trigger malicious payloads.

Examples:
A user visits a Web site and downloads a free game that includes a Trojan horse. When the user installs the game on her computer, the Trojan horse is also installed, which compromises the system.
A user with administrative-level privileges surfs the Web and accidentally visits a malicious Web site, which successfully infects the user's system.
A user installs and operates peer-to-peer (P2P) file sharing software to download music files, and the P2P software installs spyware programs onto the system.
A user opens and executes a payload that was attached to a spam or spoofed message.

Impact: Malware often gains full administrative-level privileges to the system, or inadvertently crashes the system. Malware may cause a loss of confidentiality, integrity, and availability.

Possible Controls:
Educate users on avoiding malware infections, and make them aware of local policy regarding the use of potential transmission methods such as instant messaging (IM) software and P2P file sharing services. Users who are familiar with the techniques for spreading malware should be less likely to infect their systems.
Use antivirus software and spyware detection and removal utilities as an automated way of preventing most infections and detecting the infections that were not prevented.
Use e-mail clients that support spam filtering, which automatically detects and quarantines messages that are known to be spam or have the same characteristics as typical spam.
Do not install or use non-approved applications (e.g., P2P, IM) to connect to unknown servers. Educate users regarding the potential impact caused by the use of P2P, IM, and other untrusted software applications.
Operate the system on a daily basis with a limited user account. Only use administrator-level accounts when needed for specific maintenance tasks. Many instances of malware cannot successfully infect a system unless the current user has administrative privileges.
Configure server and client software such as e-mail servers and clients, Web proxy servers and clients, and productivity applications to reduce exposure to malware. For example, e-mail servers and clients could be configured to block e-mail attachments with certain file extensions. This should help to reduce the likelihood of infections.
Configure systems, particularly in specialized security-limited functionality environments, so that the default file associations prevent automatic execution of active content files (e.g., Java, JavaScript, ActiveX).

Environments and Security Controls Documentation

This section describes the types of environments in which a Windows 7 host may be deployed (SOHO, enterprise, and custom), as described in the NIST Security Configuration Checklists Program for IT Products. The two typical custom environments for Windows 7 are specialized security-limited functionality, which is for systems at high risk of attack or data exposure, with security taking precedence over functionality, and legacy, which is intended for situations in which the Windows 7 system has special needs that do not fit into the other profiles, such as a requirement for backward compatibility with legacy applications or servers. Each environment description also summarizes the primary threats and controls that are typically part of the environment. In addition to documenting controls, every environment should have various other security-related documentation, such as acceptable use policies and security awareness materials, that affects the configuration and usage of systems and applications. The last part of this section lists some common types of security-related documentation.

SOHO

SOHO, sometimes called standalone, describes small, informal computer installations that are used for home or business purposes. SOHO encompasses a variety of small-scale environments and devices, ranging from laptops, mobile devices, and home computers, to telecommuting systems located on broadband networks, to small businesses and small branch offices of a company. Figure 2-2 shows a typical SOHO network architecture.
Historically, SOHO environments are the least secured and most trusting. Generally, the individuals performing SOHO system administration are less knowledgeable about security. This often results in environments that are less secure than they need to be because the focus is generally on functionality and ease of use. A SOHO system might not use any security software (e.g., antivirus software, personal firewall). In some instances, there are no network-based controls such as firewalls, so SOHO systems may be directly exposed to external attacks. Therefore, SOHO environments are frequently targeted for exploitation, not necessarily to acquire information, but more commonly to be used for attacking other computers, or incidentally as collateral damage from the propagation of a worm.

Because the primary threats in SOHO environments are external, and SOHO computers generally have less restrictive security policies than enterprise or specialized security-limited functionality computers, they tend to be most vulnerable to attacks from remote threat categories. (Although remote threats are the primary concern for SOHO environments, it is still important to protect against other threats.) SOHO systems are typically threatened by attacks against network services and by malicious payloads (e.g., viruses, worms). These attacks are most likely to affect availability (e.g., crashing the system, consuming all network bandwidth, breaking functionality) but may also affect integrity (e.g., infecting data files) and confidentiality (e.g., providing remote access to sensitive data, e-mailing data files to others).

SOHO security is improving with the proliferation of small, inexpensive, hardware-based firewall routers that protect to some degree the SOHO machines behind them. The adoption of personal firewalls (e.g., BlackICE, ZoneAlarm, Windows Firewall) is also helping to better secure SOHO environments. Another key to SOHO security is strengthening the hosts on the SOHO network by patching vulnerabilities and altering settings to restrict unneeded functionality.

Enterprise

The enterprise environment, also known as a managed environment, typically consists of large organizational systems with defined, organized suites of hardware and software configurations, usually consisting of centrally managed workstations and servers protected from threats on the Internet with firewalls and other network security devices. Figure 2-3 shows a typical enterprise network architecture. Enterprise environments generally have a group dedicated to supporting users and providing security. The combination of structure and skilled staff allows better security practices to be implemented during initial system deployment and in ongoing support and maintenance. Enterprise installations typically use a domain model to effectively manage a variety of settings and allow the sharing of resources (e.g., file servers, printers). The enterprise can enable only the services needed for normal business operations, with other possible avenues of exploit removed or disabled. Authentication, account, and policy management can be administered centrally to maintain a consistent security posture across an organization.

The enterprise environment is more restrictive and provides less functionality than the SOHO environment. Managed environments typically have better control over the flow of various types of traffic, such as filtering traffic based on protocols and ports at the enterprise's connections with external networks. Because of the supported and largely homogeneous nature of the enterprise environment, it is typically easier to use more functionally restrictive settings than it is in SOHO environments. Enterprise environments also tend to implement several layers of defense (e.g., firewalls, antivirus servers, intrusion detection systems, patch management systems, e-mail filtering), which provides greater protection for systems. In many enterprise environments, interoperability with legacy systems may not be a major requirement, further facilitating the use of more restrictive settings. In an enterprise environment, this guide should be used by advanced users and system administrators. The enterprise environment settings correspond to an enterprise security posture that will protect the information in a moderate-risk environment.

In the enterprise environment, systems are typically susceptible to local and remote threats. In fact, threats often encompass all the categories of threats defined in Section 2.3. Local attacks, such as unauthorized usage of another user's workstation, most often lead to a loss of confidentiality (e.g., unauthorized access to data) but may also lead to a loss of integrity (e.g., data modification) or availability (e.g., theft of a system). Remote threats may be posed not only by attackers outside the organization, but also by internal users who are attacking other internal systems across the organization's network. Most security breaches caused by remote threats involve malicious payloads sent by external parties, such as viruses and worms acquired via e-mail or infected Web sites. Threats against network services, like malicious payloads, are most likely to affect availability (e.g., crashing the system, consuming all network bandwidth, breaking functionality) but may also affect integrity (e.g., infecting data files) and confidentiality (e.g., providing remote access to sensitive data). Data disclosure threats tend to come from internal parties who are monitoring traffic on local networks, and they primarily affect confidentiality.
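Several of the host-level controls listed under Local Threats and Remote Threats (logon banner, password-protected screen saver, password policy, Windows Firewall, NTLMv2 rather than LM/NTLM, a limited daily account, and disabled unused services) can be verified on a Windows 7 host from the registry and built-in tools before a baseline is rolled out to SOHO or enterprise systems. The following read-only audit script is an added example, not code from this report or from NIST; it assumes English command output, a 15-minute lock timeout and an 8-character minimum password length as the target values, and an illustrative candidate-service list (RemoteRegistry, TlntSvr) that an organization would replace with its own.

```powershell
# Added example, not from the report or NIST: a read-only audit of host-level
# controls named under Local Threats and Remote Threats, written for the
# PowerShell 2.0 that ships with Windows 7. Run it as the day-to-day user; it
# changes nothing. Target values (15-minute lock, 8-character minimum, candidate
# service list) are assumptions to be replaced by the organization's own baseline.

function New-Check($Name, $Pass, $Detail) {
    New-Object PSObject -Property @{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail }
}

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or value is absent instead of raising an error.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-LogonBanner {
    # Both values must be set for Windows to display the legal notice at logon.
    $k = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $caption = ([string](Get-RegValue $k 'LegalNoticeCaption')).Trim()
    $text    = ([string](Get-RegValue $k 'LegalNoticeText')).Trim()
    New-Check 'Logon banner configured' ($caption -ne '' -and $text -ne '') "caption='$caption'"
}

function Test-ScreenSaver {
    # User values are REG_SZ strings; a GPO-enforced copy lives under
    # HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop.
    $k = 'HKCU:\Control Panel\Desktop'
    $active = [string](Get-RegValue $k 'ScreenSaveActive')
    $secure = [string](Get-RegValue $k 'ScreenSaverIsSecure')
    $raw    = [string](Get-RegValue $k 'ScreenSaveTimeOut')
    $timeout = 0
    if ($raw -match '^\d+$') { $timeout = [int]$raw }
    $ok = ($active -eq '1') -and ($secure -eq '1') -and ($timeout -gt 0) -and ($timeout -le 900)
    New-Check 'Password-protected screen saver within 15 min' $ok "active=$active secure=$secure timeout=$timeout"
}

function Test-PasswordPolicy {
    # Parses the local account policy as printed by 'net accounts' (English output assumed).
    $out = (net accounts) -join "`n"
    $minLen = 0; $lockout = 'Never'
    if ($out -match 'Minimum password length:\s+(\d+)') { $minLen = [int]$matches[1] }
    if ($out -match 'Lockout threshold:\s+(\S+)')       { $lockout = $matches[1] }
    New-Check 'Password length >= 8 and lockout enabled' (($minLen -ge 8) -and ($lockout -ne 'Never')) "minlen=$minLen lockout=$lockout"
}

function Test-Firewall {
    # Windows 7 has no Get-NetFirewallProfile; netsh prints one 'State ON/OFF' line per profile.
    $out = netsh advfirewall show allprofiles state
    $on = @($out | Where-Object { $_ -match '^State\s+ON' }).Count
    New-Check 'Windows Firewall on for all three profiles' ($on -eq 3) "profiles ON: $on"
}

function Test-NtlmLevel {
    # An absent value means the Windows 7 default of 3 (send NTLMv2 responses only);
    # 5 additionally refuses LM and NTLM from clients when the host acts as a server.
    $v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
    if ($v -eq $null) { $v = 3 }
    New-Check 'NTLMv2 only (LmCompatibilityLevel >= 3)' ([int]$v -ge 3) "level=$v"
}

function Test-LimitedUser {
    # 'whoami /groups' still lists Administrators (S-1-5-32-544) when UAC has
    # filtered it to a deny-only token, so unelevated admin sessions are caught too.
    $isAdmin = @((whoami /groups) -match 'S-1-5-32-544').Count -gt 0
    New-Check 'Daily session is a limited user' (-not $isAdmin) "user=$(whoami) admin=$isAdmin"
}

function Test-CandidateServicesDisabled([string[]]$Names) {
    # Win32_Service exposes StartMode, which Get-Service in PowerShell 2.0 does not.
    $notDisabled = @()
    foreach ($n in $Names) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$n'"
        if ($svc -and $svc.StartMode -ne 'Disabled') {
            $notDisabled += "$n ($($svc.StartMode)/$($svc.State))"
        }
    }
    New-Check 'Candidate unused services disabled' ($notDisabled.Count -eq 0) ($notDisabled -join ', ')
}

function Invoke-Win7BaselineAudit {
    param([string[]]$CandidateServices = @('RemoteRegistry', 'TlntSvr'))  # illustrative list only
    $results = @()
    $results += Test-LogonBanner
    $results += Test-ScreenSaver
    $results += Test-PasswordPolicy
    $results += Test-Firewall
    $results += Test-NtlmLevel
    $results += Test-LimitedUser
    $results += Test-CandidateServicesDisabled $CandidateServices
    $results
}

# Print the findings; rows with Pass = False are the settings to fix before deployment.
Invoke-Win7BaselineAudit | Select-Object Check, Pass, Detail | Format-Table -AutoSize -Wrap
```

Run it on a sample host from each environment before and after applying the baseline templates, and keep the output with the configuration documentation described later in this section.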
Specialized Security-Limited Functionality

A specialized security-limited functionality environment is any environment, networked or standalone, that is at high risk of attack or data exposure. Figure 2-4 shows examples of systems that are often found in specialized security-limited functionality environments, including outward-facing Web, e-mail, and DNS servers, and firewalls. Typically, providing sufficiently strong protection for these systems involves a significant reduction in system functionality. It assumes systems have limited or specialized functionality in a highly threatened environment, such as an outward-facing firewall or public Web server, or that their data content or mission purpose is of such value that aggressive trade-offs in favor of security outweigh the potential negative consequences to other useful system attributes such as legacy applications or interoperability with other systems.

The specialized security-limited functionality environment encompasses computers that contain highly confidential information (e.g., personnel records, medical records, financial information) and perform vital organizational functions (e.g., accounting, payroll processing, air traffic control). These computers might be targeted by third parties for exploitation, but also might be targeted by trusted parties inside the organization. A specialized security-limited functionality environment could be a subset of a SOHO or enterprise environment. For example, three desktops in an enterprise environment that hold confidential employee data could be thought of as a specialized security-limited functionality environment within an enterprise environment. In addition, a laptop used by a mobile worker might be a specialized security-limited functionality environment within a SOHO environment. A specialized security-limited functionality environment might also be a self-contained environment outside any other environment, for instance a government security installation dealing in sensitive data.

Systems in specialized security-limited functionality environments face the same threats as systems in enterprise environments. Threats from both insiders and external parties are a concern. Because of the risks and possible consequences of a compromise in a specialized security-limited functionality environment, it usually has the most functionally restrictive and secure configuration. The suggested configuration is complex and provides the greatest protection at the expense of ease of use, functionality, and remote system management. In a specialized security-limited functionality environment, this guide is targeted at experienced security specialists and seasoned system administrators who understand the impact of implementing these strict requirements.

Legacy

A legacy environment contains older systems or applications that use outdated communication mechanisms. This most often occurs when machines operating in a legacy environment need more open security settings so they can communicate with the appropriate resources. For example, a system may need to use services and applications that require insecure authentication mechanisms such as null user sessions or open pipes. Because of these special needs, the system does not fit into any of the standard environments; therefore, it should be classified as a legacy environment system. Legacy environments may exist within SOHO and enterprise environments, and in rare cases within specialized security-limited functionality environments as well. Depending on the situation, a legacy environment may face any combination of internal and external threats. The potential impact of the threats should be determined by considering the threats that the system faces (as described in the previous three sections) and then considering what additional risk the system has because of the legacy accommodations.

Security Documentation

An organization typically has many documents related to the security of Windows 7 systems. Foremost among the documents is a Windows 7 security configuration guide that specifies how Windows 7 systems should be configured and secured. As mentioned in Section 2.2, NIST SP 800-53 proposes management, operational, and technical security controls for systems, each of which should have associated documentation. In addition to documenting procedures for implementing and maintaining various controls, every environment should also have other security-related policies and documentation that affect the configuration, maintenance, and usage of systems and applications. Examples of such documents are as follows:
Rules of behavior and acceptable use policy
Configuration management policy, plan, and procedures
Authorization to connect to the network
IT contingency plans
Security awareness and training for end users and administrators.

Implementation and Testing of Security Controls

Implementing security controls can be a daunting task. As described in Section 2.2, many security controls have a negative impact on system functionality and usability. In some cases, a security control can even have a negative impact on other security controls. For example, installing a patch could inadvertently break another patch, or enabling a firewall could inadvertently block antivirus software from automatically updating its signatures, or disrupt patch management software, remote management software, and other security and maintenance-related utilities.
Therefore, it is important to test all security controls to determine what impact they have on system security, functionality, and usability, and to take appropriate steps to address any significant issues. As described in Section 5, NIST has compiled a set of security templates, as well as additional recommendations for security-related configuration changes. The controls proposed in this guide and the NIST Windows 7 security templates are consistent with the FISMA controls, as discussed in Section 2.2. The NIST template for Specialized Security-Limited Functionality environments represents the consensus settings from CIS, DISA, Microsoft, NIST, NSA, and USAF; the other NIST templates are based on Microsoft's templates and recommendations. Although the guidance presented in this document has undergone considerable testing, every system is unique, so it is certainly possible for certain settings to cause unexpected problems. System administrators should perform their own testing, especially for the applications used by their organizations, to identify any functionality or usability problems before the guidance is deployed throughout the organization. It is also critical to confirm that the desired security settings have been implemented properly and are working as expected. See Section 4.4 for information on tools that can identify security-related misconfigurations and vulnerabilities on Windows 7 systems.

Monitoring and Maintenance

Every system needs to be monitored and maintained on a regular basis so that security issues can be identified and mitigated promptly, reducing the likelihood of a security breach. However, no matter how carefully systems are monitored and maintained, incidents may still occur, so organizations should be prepared to respond to them. Depending on the environment, some preventative actions may be partially or fully automated.
Guidance on performing various monitoring and maintenance activities is provided in subsequent sections of this document or in other NIST publications. Recommended actions include the following:

- Subscribing to and monitoring various vulnerability notification mailing lists (e.g., Microsoft Security Notification Service)
- Acquiring and installing software updates (e.g., OS and application patches, antivirus signatures)
- Monitoring event logs to identify problems and suspicious activity
- Providing remote system administration and assistance
- Monitoring changes to OS and software settings
- Protecting and sanitizing media
- Responding promptly to suspected incidents
- Assessing the security posture of the system through vulnerability assessments
- Disabling unneeded user accounts and deleting accounts that have been disabled for some time
- Maintaining system, peripheral, and accessory hardware (periodically and as needed), and logging all hardware maintenance activities.

Summary of Recommendations

- Protect each system based on the potential impact to the system of a loss of confidentiality, integrity, or availability.
- Reduce the opportunities that attackers have to breach a system by resolving security weaknesses and limiting functionality according to the principle of least privilege.
- Select security controls that provide a reasonably secure solution while supporting the functionality and usability that users require.
- Use multiple layers of security so that if one layer fails or otherwise cannot counteract a certain threat, other layers might prevent the threat from successfully breaching the system.
- Conduct risk assessments to identify threats against systems and determine the effectiveness of existing security controls in counteracting the threats. Perform risk mitigation to decide what additional measures (if any) should be implemented.
- Document procedures for implementing and maintaining security controls.
- Maintain other security-related policies and documentation that affect the configuration, maintenance, and usage of systems and applications, such as acceptable use policy, configuration management policy, and IT contingency plans.
- Test all security controls, including the settings in the NIST security templates, to determine what impact they have on system security, functionality, and usability. Take appropriate steps to address any significant issues before applying the controls to production systems.
- Monitor and maintain systems on a regular basis so that security issues can be identified and mitigated promptly. Actions include acquiring and installing software updates, monitoring event logs, providing remote system administration and assistance, monitoring changes to OS and software settings, protecting and sanitizing media, responding promptly to suspected incidents, performing vulnerability assessments, disabling and deleting unused user accounts, and maintaining hardware.

Windows 7 Security Components Overview

This section presents an overview of the various security features offered by the Windows 7 Enterprise operating system (OS). Many of the components have been inherited from earlier versions of Windows, often with improvements and enhancements. Windows 7 also includes several new security features. This guide provides general descriptions of most of these features, with pointers or links to more detailed information whenever possible.

New Features in Windows 7

Windows 7 comes with several new security features. Each new security feature is briefly described below, and most also include a reference to a Microsoft Web page that contains more detailed information. This section also includes an analysis of the security impact of each feature and general recommendations for when the feature should or should not be used.
The new security features in Windows 7 are as follows:

Security Features Inherited from Earlier Windows Versions

This section discusses the most significant security features inherited from previous Windows versions: Kerberos, smart card support, Internet Protocol Security, Encrypting File System, Windows Firewall, BitLocker Drive Encryption, Windows Defender, and User Account Control (UAC). For each security feature, the section includes a brief description, an analysis of its security impact, and general recommendations for when the feature should or should not be used. It is outside the scope of this document to cover the features in great depth, so pointers to resources with additional information are provided as needed.

Kerberos

In a domain, Windows 7 provides support for MIT Kerberos v.5 authentication, as defined in Internet Engineering Task Force (IETF) Request for Comments (RFC) 1510. The Kerberos protocol is composed of three subprotocols: Authentication Service (AS) Exchange, Ticket-Granting Service (TGS) Exchange, and Client/Server (CS) Exchange. The Kerberos v.5 standard can be used only in pure Windows domain environments. Windows domain members use Kerberos as the default network client/server authentication protocol, replacing the older and less secure NTLM and LAN Manager (LM) authentication methods. The older methods are still supported to allow legacy Windows clients to authenticate to a Windows domain environment. Windows 7 standalone workstations and members of NT domains do not use Kerberos to perform local authentication; they use the traditional NTLM. Because Kerberos provides stronger protection for logon credentials than older authentication methods, it should be used whenever possible. NIST recommends disabling LM and NTLM v1 in specialized security-limited functionality environments, and disabling LM in all other environments.
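The LM/NTLM recommendation above is enforced on a Windows 7 host through the LmCompatibilityLevel and NoLMHash values under the Lsa registry key. The script below is an added example written for this report, not code from NIST or Microsoft; it assumes an elevated PowerShell 2.0 or later session, and the mapping of environment names to levels is this example's choice.

```powershell
# Added example: apply the LM/NTLM recommendation via the documented Lsa registry values.
# Assumes an elevated PowerShell session on Windows 7. The environment-to-level mapping is
# this example's own; level 5 will break legacy clients that can only do LM or NTLMv1, which is
# exactly why such systems belong in a separately classified legacy environment.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Documented LmCompatibilityLevel values:
#   0 send LM and NTLM           1 as 0, use NTLMv2 session security if negotiated
#   2 send NTLM only             3 send NTLMv2 only
#   4 send NTLMv2, refuse LM     5 send NTLMv2, refuse LM and NTLM
# Levels 3-5 never send LM or NTLMv1 as a client; 4 and 5 additionally refuse them as a server.
$TargetLevel = @{
    'SOHO'        = 3   # no LM sent by this client
    'Enterprise'  = 4   # no LM sent or accepted
    'Specialized' = 5   # neither LM nor NTLMv1 sent or accepted
}

function Get-LmAuthConfig {
    $p = Get-ItemProperty -Path $LsaKey
    New-Object PSObject -Property @{
        LmCompatibilityLevel = $p.LmCompatibilityLevel   # $null when never set explicitly
        NoLMHash             = $p.NoLMHash               # 1 = LM password hashes are not stored
    }
}

function Set-LmAuthConfig {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('SOHO','Enterprise','Specialized')]
        [string]$Environment
    )
    $level  = $TargetLevel[$Environment]
    $before = Get-LmAuthConfig
    if ($before.LmCompatibilityLevel -ne $level) {
        Set-ItemProperty -Path $LsaKey -Name LmCompatibilityLevel -Value $level -Type DWord
    }
    # In every environment, stop storing the weak LM hash. Hashes already in the SAM only
    # disappear when each account's password is next changed.
    if ($before.NoLMHash -ne 1) {
        Set-ItemProperty -Path $LsaKey -Name NoLMHash -Value 1 -Type DWord
    }
    Get-LmAuthConfig
}

# Audit first, then enforce. The new level applies to new authentications, not existing sessions.
Get-LmAuthConfig
Set-LmAuthConfig -Environment Specialized
```

Run the audit on a representative machine in each environment before enforcing, so that any application still negotiating NTLMv1 shows up in testing rather than in production.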
Smart Card Support

In the past, interactive logon meant the ability to authenticate a user to a network by using a form of shared credential, such as a hashed password. Windows 7 supports public-key interactive logon by using an X.509 v.3 certificate stored on a smart card. (This can be used only to log on to domain accounts, not local accounts, unless third-party software has replaced the built-in Graphical Identification and Authentication [GINA].) Instead of a password, the user types a personal identification number (PIN) into the GINA, and the PIN authenticates the user to the card. This process is fully integrated with the Microsoft implementation of Kerberos. Smart card-based authentication is appropriate for specialized security-limited functionality environments in which strong authentication is required and one-factor authentication (username and password) is insufficient. Smart cards provide two-factor authentication, because users must possess the physical smart card and must know the PIN. If smart cards or other types of authentication tokens are being used, the organization should have a policy and procedures in place to educate users on properly using tokens (e.g., not sharing them with other users) and protecting them (e.g., immediately reporting a lost or stolen token).

Internet Protocol Security

Windows 7 includes an implementation of the IETF Internet Protocol Security (IPsec) standard called Windows IP Security. It provides network-level support for confidentiality and integrity. Confidentiality is achieved by encrypting packets, which prevents unauthorized parties from gaining access to data as it passes over networks. Integrity is supported by calculating a hash for each packet based partially on a secret key shared by the sender and receiver, and sending the hash in the packet. The recipient recalculates the hash, and if it matches the original hash, then the packet was not altered in transit.
Windows IP Security also offers packet filtering capabilities, such as limiting traffic based on the source or destination IP address. Windows IP Security provides a solution for protecting data traversing public networks (e.g., the Internet) and for protecting sensitive data on private networks (e.g., an enterprise LAN). It is also commonly used to protect wireless network communications in enterprise and SOHO environments. Using Windows IP Security in conjunction with a personal firewall such as Windows Firewall can provide protection against network-based attacks by limiting both inbound and outbound packets.

Encrypting File System

The Encrypting File System (EFS) provides users with a method to transparently encrypt or decrypt files and folders residing on an NTFS-formatted volume. In addition, EFS now maintains encryption persistence, which means that any file or folder that has been designated as encrypted will remain encrypted when moved to another NTFS-formatted filesystem. Files are still transmitted unencrypted across the network (except when Web Distributed Authoring and Versioning [WebDAV] is used, which transmits encrypted files across networks), so users should transfer the files through a separate encrypting protocol, such as TLS or IPsec. EFS is best used to provide local encryption for files and is particularly useful for laptops and other systems at high risk of physical attack.

Windows Firewall

Windows Firewall is a stateful personal firewall. When properly configured, it limits the access that other computers have to the Windows 7 machine through the network. This significantly reduces the exposure of the machine to network-based attacks such as the Blaster worm. Windows Firewall can also be used to protect shares when a mobile computer is used outside its normal secure and trusted environment, or to protect access to network shares on an untrusted network.
Domain administrators can disable the use of Windows Firewall through Group Policy, but this is generally not recommended unless it is interfering with required functionality or a third-party firewall is already in use. Administrators can also use Group Policy to set any Windows Firewall configuration option. Windows Firewall can add another layer to a network security model in enterprise and specialized security-limited functionality environments, and it is sometimes the only layer of network defense in SOHO environments.

BitLocker Drive Encryption

BitLocker helps keep everything from documents to passwords safer by encrypting the entire drive on which Windows and your data reside. Once BitLocker is turned on, any file you save on that drive is encrypted automatically. BitLocker To Go, a new feature of Windows 7, gives the lockdown treatment to easily misplaced portable storage devices such as USB flash drives and external hard drives.

Windows Defender

Windows Defender is software that helps protect your computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software by detecting and removing known spyware from your computer. Windows Defender features Real-Time Protection, a monitoring system that recommends actions against spyware when it is detected, minimizes interruptions, and helps you stay productive. Windows Defender does not perform the functions normally associated with an antivirus application.

User Account Control

User Account Control (UAC) is a security component first introduced in Windows Vista. UAC enables users to perform common tasks as non-administrators, called standard users in Windows 7, and as administrators without having to switch users, log off, or use Run As. A standard user account is synonymous with a non-administrative user account in Windows. User accounts that are members of the local Administrators group will run most applications as a standard user.
By separating user and administrator functions while enabling productivity, UAC is an important enhancement for Windows 7.

Summary of Recommendations

- Disable LM and NTLM v1 in specialized security-limited functionality environments.
- Use Kerberos authentication whenever possible.
- As appropriate, use smart cards or another multifactor authentication method.
- As appropriate, use Windows IP Security to protect data traversing public networks and sensitive data on private networks.
- Use EFS to protect confidential data.
- Use host-based firewalls on systems.
- Consider implementing BitLocker Drive Encryption on systems that store sensitive data. This is particularly important for mobile systems and systems that may not be physically secure.
- Utilize an anti-spyware product to protect system integrity.
- Enable User Account Control to help ensure the principle of least privilege while enabling productivity.

Installation, Backup, and Patching

This section of the guide contains advice on performing Windows 7 installations, and on backing up and patching Windows 7 systems. It discusses the risks of installing a new system on a network and the factors to consider when partitioning Windows 7 hard drives. It also describes various installation techniques and provides pointers to more information on performing them. Another important topic is the ability of Windows 7 to back up and restore data and system configuration information. This section also discusses how to update existing systems through Microsoft Update and other means to ensure that they are running the latest service packs and hotfixes. Advice is also presented on identifying missing patches and security misconfigurations on systems. Organizations should have sound configuration management policies that govern changes made to operating systems and applications, such as applying patches to an operating system or modifying application configuration settings to provide greater security.
Configuration management policies should also address the initial installation of the operating system, the installation of each application, and the roles, responsibilities, and processes for performing and documenting system changes caused by upgrades, patches, and other methods of modification.

Performing a New Installation

This guide assumes that a new Windows 7 installation is being performed from scratch. If an administrator or user is upgrading an existing Windows installation, some of the advice in this guide may be inappropriate and could possibly cause problems. Because a machine is unsecured and very vulnerable to exploitation through the network during installation, it is recommended that all installations and initial patching be done with the computer disconnected from any network. If a computer must be connected to a network, then it is recommended that the network be isolated and strongly protected (e.g., shielded by a firewall on a trusted network segment) to minimize exposure to any network attacks during installation. If possible, the latest service pack and security patches should be downloaded from Microsoft's Web site, archived to read-only media, such as CD-ROMs, and kept physically secure.

Partitioning Advice

One of the major decisions during installation is how to partition hard drives. The primary consideration is how large the disk drive is; for example, partitioning is not recommended for drives under 6 gigabytes (GB). For larger drives, the following factors should be considered:

- How large is the drive?
- How many physical drives does the machine have?
- If the system only has one drive, is there a desire to logically separate the OS and applications from data? An example of the benefit of this is that if the OS needs to be upgraded or reinstalled, the data can easily be preserved.
- What is the purpose of this computer?
For example, if a computer will be used to share files within a workgroup, it may be useful to have a separate partition for the file share.
- Is there a need for redundancy (e.g., mirroring a data partition onto a second drive)?

Windows 7 provides a feature known as dynamic disks. On a dynamic disk, partition sizes can be changed as needed. For example, an administrator could create an OS and applications partition and a data partition on a large drive, leaving much of the drive space available for future allocation. As needed, the administrator can use the free space to create new partitions and to expand the existing partitions. This provides considerable flexibility for future growth. Users are cautioned that, as with any other feature, dynamic disks should be tested before deploying them on production systems. Another important consideration during installation is which type of filesystem to use for each partition. NIST recommends using NTFS for each partition unless there is a particular need to use another type of filesystem. Section 7.1 contains more information on NTFS and other filesystem options.

Installation Methods

There are several ways to perform Windows 7 installations. This section covers three primary methods: local installations, cloning through Sysprep, and the Remote Installation Services (RIS).

Local Installation

The local installation approach refers to traditional methods of installing Windows, such as using a Microsoft CD. This is effective only for installing a small number of computers at a time because it requires user attention throughout the installation. When installing Windows 7 from a CD, follow the default steps, except for the following:

- For the Network Setting configuration, select Custom and disable all network clients, services, and protocols that are not required. Although this will help to limit the computer's exposure to network-based attacks, consider the implications of disabling each service because this may inadvertently break required functionality (e.g., connecting to remote servers and printers). See Section 7.5 for more information on network clients, services, and protocols. Consider disabling the following services:
  - Client for Microsoft Networks (most users will require this service)
  - Client Service for NetWare
  - File and Printer Sharing for Microsoft Networks
  - QoS Packet Scheduler
  - NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
- If possible, assign an Internet Protocol (IP) address, default gateway, and domain name system (DNS) server.
- Even if the computer will be joining a domain, choose to be in only a workgroup, and change the workgroup name to something other than the default of WORKGROUP.
- Set all environment-specific settings, such as the time zone.
- When the installation prompts for accounts to be added, only one account should be added initially. Other accounts can always be added later once the system is fully patched and configured.

By default, the account created during the installation and the built-in Administrator account both belong to the Administrators group. After the initial post-installation boot, assign both accounts strong passwords. The next task is to install the latest service pack and hotfixes. Only after the machine has been brought up to current patch levels should it be connected to a regular network. Then, the networking configuration can be changed, such as joining the workstation to a domain, or assigning a workgroup to enable sharing of workgroup resources (e.g., shared directories, printers). Other services that were disabled during installation can be enabled if needed. It is also helpful to scan through the list of installed Windows components, determine which applications and utilities (e.g., Internet games) are not needed, and remove them.
Sysprep

Sysprep is a tool that permits an image from a single Windows 7 computer installation, known as a gold system, to be cloned onto multiple systems in conjunction with a cloning software program such as Symantec Ghost or cloning hardware. This technique reduces user involvement in the installation process to approximately 5 to 10 minutes at the start of the installation. The Sysprep approach has several benefits. Because the standard image can be created with a strong security configuration, Sysprep reduces the possibility of human error during the installation process. In addition, the Windows 7 installation occurs more quickly with Sysprep. This is beneficial not only for building new systems, but also for reinstalling and reconfiguring the operating system and applications much more quickly when needed, for example, as a result of hardware failure or a virus infection. In preparing the "gold" image for Sysprep, the same guidelines used for a local installation should be followed, with the addition of enabling any needed services and patching the system. It is also important to physically secure image media so that it is not inadvertently or purposely altered.

Remote Installation Services

The Remote Installation Services (RIS) allow a computer to be booted from the network and then to automatically install an instance of Windows 7. RIS can be configured to perform either a completely automated and unattended installation with RISetup, or one that requires minimal user attendance (similar to the Sysprep tool) with RIPrep. Several hardware and software dependencies exist; therefore, Microsoft's documentation on the tool should be consulted for detailed instructions regarding how to configure this installation method. The RIS method has the same advantages as Sysprep. RIS has the additional advantage of not requiring the machine being installed to have direct access to the physical install media (e.g., a CD-ROM).
This can be ideal in a specialized security-limited functionality environment in which machines might not have CD-ROM drives. The primary disadvantage of RIS is that the machine must be connected to a network while it is being installed. This could open up a window of opportunity to exploit a security weakness before installation is completed.

Backing Up Systems

To increase the availability of data in case of a system failure or data corruption caused by a power failure or other event, Windows 7 has built-in capabilities to back up and restore data and systems. Users run the Backup and Restore Center, which automates most of the processes. For example, during a backup the user is presented with several options, including backing up the current user's files and settings, backing up all users' files and settings, and backing up the whole system. This allows the user to back up data and systems without having to manually indicate which files and directories should be backed up, provided the user's files are where the backup program expects them to be. To open the Backup and Restore Center, perform the following steps:

- Open the Control Panel and select 'Backup or restore your files'.
- If this is your first time using the center, select 'Set up backup'. The Backup and Restore Center is used both to back up and to restore files.

It is very important to verify periodically that backups and restores can be performed successfully; backing up a system regularly may not be beneficial if, for example, the backups are corrupt or the wrong files are being backed up. Organizations should have policies and procedures that address the entire backup and recovery process, as well as the protection and storage of backup media and recovery disks. Because backups may contain sensitive user data as well as system configuration and security information (e.g., passwords), backup media should be properly protected to prevent unauthorized access.
Besides the backup wizards and utilities provided by Windows 7, there are also various third-party utilities for backing up and restoring files and systems. It is important to verify that the third-party software can properly back up and restore Windows 7-specific resources, such as the Windows registry and EFS-encrypted files and folders. Windows 7's built-in utilities also use a shadow copy backup technique when possible, which allows them to create backups of files that are in use. Third-party backup utilities used on Windows 7 systems should have good mechanisms for handling open files.

Updating Existing Systems

Host security (securing a given computer) has become increasingly important. As such, it is essential to keep a host up to current patch levels to eliminate known vulnerabilities and weaknesses. In conjunction with antivirus software and a personal firewall, patching goes a long way toward securing a host against outside attacks and exploitation. Microsoft provides two mechanisms for distributing security updates: Automatic Updates and individual patch distribution. In smaller environments, either method may be sufficient for keeping systems current with patches. Other environments typically have a software change management control process or a patch management program that tests patches before deploying them; distribution may then occur through local Windows Update Services (WUS) or Windows Server Update Services (WSUS) servers or through a third-party configuration management tool. This section discusses Automatic Updates as well as patch management considerations for managed environments. This section also defines the types of updates that Microsoft typically provides.

Update Notification

As described later in this section, it is possible to configure Windows 7 systems to download critical updates automatically. However, this still leaves other updates that can only be downloaded manually.
Therefore, it is important for Windows 7 system administrators to be notified of new updates that Microsoft releases. The Microsoft Security Notification Service is a mailing list that notifies subscribers of new security issues and the availability of all types of Microsoft updates. Microsoft security bulletins are also available online from the TechNet Security Resource Center. Individual bulletins are issued for each new vulnerability and are incorporated into monthly bulletins that list the vulnerabilities and their potential severity (e.g., critical, important, moderate). Each bulletin provides guidance regarding the circumstances under which the suggested mitigation strategy (e.g., patch) should be applied.

Microsoft Update Types

Microsoft releases updated code for Windows 7-related security issues through three mechanisms: hotfixes, security rollups, and service packs.

A hotfix is a patch that fixes a specific problem. When a new vulnerability is discovered in Windows 7 or a Microsoft application (e.g., Internet Explorer), Microsoft develops a hotfix that will resolve the problem. Hotfixes are released on an individual basis as needed. Hotfixes should be applied as soon as practical for vulnerabilities that are likely to be exploited. (Whenever possible, hotfixes should first be tested on a nonproduction system to ensure that they do not inadvertently break functionality or introduce a new security problem by invalidating a previously configured security control.)

A security rollup is a collection of several hotfixes. The security rollup makes the same cumulative changes to the system that would be performed if each hotfix were installed separately. However, it is easier to download and install a single security rollup than 10 hotfixes. Microsoft releases security rollups on occasion when merited. Security rollups are most useful for updating existing systems that have not been maintained and for patching new systems.
A service pack (SP) is a major upgrade to the operating system that resolves dozens of functional and security problems and often introduces some new features or makes significant configuration changes to systems. Service packs incorporate most previously released hotfixes, so once an SP has been applied to a system, there is no need to install the hotfixes that were included in the service pack. Service packs are released on a periodic basis. Because SPs often make major changes to the operating system, organizations should test the SP thoroughly before deploying it in production. In SOHO environments, the best approach is to delay installation of the SP for at least a few weeks so that early adopters can identify any bugs or issues. However, if the SP provides a fix for a major security issue, and the fix is not available through hotfixes, it may be less risky to install the SP immediately than to let the system remain unpatched.

Automatic Updates

One facility that is available to patch systems with little to no user intervention is the Automatic Updates feature. When enabled, it will automatically check the Microsoft update servers for OS and Microsoft application updates, including service packs, security rollups, and hotfixes, as well as updated hardware drivers. Automatic Updates has a prioritization feature that ensures the most critical security updates are installed before less important updates. Automatic Updates provides four configuration options to users:

- Install updates automatically
- Download updates but let me choose whether to install them
- Check for updates but let me choose whether to download and install them
- Never check for updates

The following options are also configurable:

- The day and time to install updates if Install updates automatically is selected
- Give me recommended updates the same way I receive important updates
- Allow all users to install updates on the computer
- Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows
- Show me detailed notifications when new Microsoft software is available

Generally, it is best to configure the system to download updates automatically, unless bandwidth usage is a concern. For example, downloading patches could adversely affect the functionality of a computer that is connected to the Internet on a slow link. In this case, it would be preferable for Automatic Updates to be configured to notify the user that new patches are available. The user should then make arrangements to download the patch at the next time when the computer is not needed for normal functionality. Choosing whether to install updates automatically or prompt the user depends on the situation. If the user is likely to ignore the notifications, then it may be more effective to install the updates on a schedule. If the system is in use at unpredictable days and times, then it may be difficult to set a schedule that will not interfere with system usage. Another issue to consider is that many updates require the system to be rebooted before the update takes effect. Windows 7 offers an Install updates and shutdown option as part of its Shut Down dialog box, which may be helpful in reminding users to launch the update installation process. It is highly recommended that the Automatic Updates service be enabled to keep the OS and key Microsoft applications (e.g., Internet Explorer, Outlook Express) fully patched. To enable Automatic Updates, perform the following steps:

- Click the Start menu and select Control Panel.
- Select System and Security.
- Select Turn Automatic Updating On or Off.
- Choose the appropriate selection in the combo box (such as Download updates for me, but let me choose when to install them).
Configure additional options as desired Click OK to apply the settings. A user can also force the system to check for available updates by selecting Windows Update from the start menu. Some organizations do not want the latest updates applied immediately to their Windows systems. For example, in a managed environment it may be undesirable for hotfixes to be deployed to production systems until they have been tested by Windows administrators and security administrators. In addition, in large environments, many systems may need to download the same hotfix simultaneously. This could cause a serious impact on network bandwidth. Organizations with such concerns often establish a local WUS or WSUS update server that contains approved updates or implement another method of patch management. The Automatic Updates feature on Windows 7 systems should then be configured to point to the local update server. Unfortunately, although WUS and WSUS provide a method for distributing Microsoft updates, they cannot be used to distribute third party software updates. Patching in Managed Environments Enterprise and specialized security-limited functionality environments, especially those that are considered managed environments, should have a patch management program that is responsible for acquiring, testing, and verifying each patch, then arranging for its distribution to systems throughout the organization. NIST SP 800-40 version 2, Creating a Patch and Vulnerability Management Program, provides in-depth advice on establishing patching processes and testing and applying patches. For each patch that is released, the patch management team should research the associated vulnerabilities and prioritize the patch appropriately. It is not uncommon for several patches to be released in a relatively short time, and typically one or two of the patches are much more important to the organization than the others. 
Each patch should be tested with system configurations that are representative of the organization's systems. Once the team determines that the patch is suitable for deployment, the patch needs to be distributed through automated or manual means for installation on all appropriate systems. (There are several third-party applications available for patch management and distribution, which support many types of platforms and offer functionality that supports enterprise requirements.) Finally, the team needs to check systems periodically to confirm that the patch has been installed on each system, and to take actions to ensure that missing patches are applied. Microsoft offers the following command-line tools that may be helpful in hotfix deployment:

- The qchain.exe tool allows multiple hotfixes to be installed at one time, instead of installing a hotfix, rebooting, then installing another hotfix.
- The qfecheck.exe tool can be used to track and verify installed hotfixes.

Identifying Security Issues

Host security is largely dependent upon staying up to date with security patches as well as identifying and remediating other security weaknesses. The Microsoft Baseline Security Analyzer (MBSA) is a utility that can scan the local computer and remote computers to identify security issues. MBSA must have local administrator-level access on each computer that it is scanning. MBSA offers both graphical user interface (GUI) and command-line interfaces. MBSA can identify which updates are missing from the operating system and common Microsoft applications (e.g., Internet Explorer, Media Player, Internet Information Services [IIS], Exchange Server, Structured Query Language [SQL] Server) on each system. For the operating system and a few applications (e.g., Internet Explorer, IIS, SQL Server, Office), it can also identify other security issues, such as insecure configurations and settings.
MBSA only identifies the problems; it has no ability to change settings or download and install updates onto systems. The methods discussed in Section 4.3 should be used to download and apply patches.

Individual systems can also monitor their own security state and alert users of potential problems. Windows 7 offers the Windows Security Action Center, which is a service that can be configured to monitor the state of the system's firewall (either Windows Firewall or a third-party firewall) and antivirus software, as well as the settings for Automatic Updates. Windows Security Center can generate alerts if the firewall, antivirus software, or Automatic Updates feature is not enabled, and also if certain major configuration settings are insecure, such as not setting antivirus software to perform real-time scanning, and not setting Automatic Updates to download and install updates automatically. Windows Security Center can monitor several types of third-party firewall and antivirus software. Windows Security Center is most helpful in SOHO environments, so that users can monitor the security state of their systems. In an enterprise environment, systems might be updated through methods other than Automatic Updates, and the status of systems' firewalls and antivirus software might already be monitored centrally.

Summary of Recommendations

- Use the recommendations presented in this guide only on new Windows 7 systems, not systems upgraded from previous versions of Windows. For upgraded systems, some of the advice in this guide may be inappropriate and could possibly cause problems.
- Have sound configuration management policies that govern changes made to operating systems and applications, such as applying patches and modifying configuration settings.
- Until a new system has been fully installed and patched, either keep it disconnected from all networks, or connect it to an isolated, strongly protected network.
- Use NTFS for each hard drive partition unless there is a particular need to use another type of filesystem.
- Disable all network clients, services, and protocols that are not required.
- Assign strong passwords to the built-in administrator account and the user account created during installation.
- Keep systems up to current patch levels to eliminate known vulnerabilities and weaknesses.
- Use MBSA or other similar utilities on a regular basis to identify patch status issues.

USGCB Security Settings

This section identifies the specific controls, identified as part of the USGCB for Windows 7, that must be implemented. Most of the settings in this section can be configured manually using the Local Security Policy mmc snap-in.

Account Policies Group

This section includes both account lockout and password policy settings.

GPO Computer Configuration\Windows Settings\Security Settings\Account Policies

Account Lockout Policy Settings

Attackers often attempt to gain access to user accounts by guessing passwords. Windows 7 can be configured to lock out (disable) an account when too many failed login attempts occur for a single user account in a certain time period. One of the main challenges in setting account policies is balancing security, functionality, and usability. For example, locking out user accounts after only a few failed logon attempts in a long time period may make it more difficult to gain unauthorized access to accounts by guessing passwords, but may also sharply increase the number of calls to the help desk to unlock accounts accidentally locked by failed attempts from legitimate users. This could also cause more users to write down their passwords or choose easier-to-remember passwords. Organizations should carefully think out such issues before setting Windows 7 account policies. The following account lockout parameters are set in the NIST templates:
GPO Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy

Each entry below gives the setting, its description, the value set in the template, and the possible values.

Account Lockout Duration
The amount of time in seconds that an account is locked before it is automatically unlocked by the system (15 minutes = 900 seconds). A value of 0 means that an administrator must unlock the account.
Template value: 900. Possible values: 0, 900, 3600, 86400.

Account Lockout Threshold
The maximum number of failed attempts that can occur before the account is locked out.
Template value: 50. Possible values: 3, 5, 10, 50.

Reset Account Lockout Counter After
The time period in seconds to be used with the lockout threshold value. For example, if the threshold is set to 10 attempts and the duration is set to 15 minutes, then if more than 10 failed login attempts occur with a single user account within a 15-minute period, the account will be disabled (15 minutes = 900 seconds).
Template value: 900. Possible values: 900, 3600, 86400.

Account Lockout Duration
This value specifies how long the user account should be locked out. This is often set to a low but substantial value (e.g., 15 minutes), for two reasons. First, a legitimate user that is accidentally locked out only has to wait 15 minutes to regain access, instead of asking an administrator to unlock the account. Second, an attacker who is guessing passwords using brute force methods will only be able to try a small number of passwords at a time, then wait 15 minutes before trying any more. This greatly reduces the chances that the brute force attack will be successful.
GPO Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy (CCE-9308-8)

Account Lockout Threshold
The threshold value specifies the maximum number of failed attempts that can occur before the account is locked out.
GPO Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy (CCE-9136-3)

Reset Account Lockout Counter After
This specifies the time period to be used with the lockout threshold value. For example, if the threshold is set to 10 attempts and the duration is set to 15 minutes, then if more than 10 failed login attempts occur with a single user account within a 15-minute period, the account will be disabled.
GPO Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy (CCE-9400-3)

Password Policy Settings

In addition to educating users regarding the selection and use of good passwords, it is also important to set password parameters so that passwords are sufficiently strong. This reduces the likelihood of an attacker guessing or cracking passwords to gain unauthorized access to the system. As described in Section 3.2.1, NIST recommends the use of NTLM v2 or Kerberos instead of LM or NTLM v1 for authentication. The following parameters are specified in the NIST templates:

GPO Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy

Enforce Password History
The number of passwords remembered.
Template value: 24. Possible values: 5, 24.

Maximum Password Age
The maximum age in seconds before a password expires (90 days = 7776000 seconds; 60 days = 5184000 seconds).
Template value: 7776000. Possible values: 5184000, 7776000.

Minimum Password Age
The minimum age in seconds before a password may be changed (1 day = 86400 seconds).
Template value: 86400. Possible values: 86400, 172800, 432000.

Minimum Password Length
The minimum number of characters required for a password.
Template value: 14. Possible values: 8, 9, 12, 14, 15.

Enforce Password Complexity
This value determines whether Windows 7 implements a minimum level of strong password filtering (1 = enabled).
Template value: 1. Possible values: 0, 1.

Enforce Reversible Encryption When Storing Passwords
This value determines whether Windows 7 stores passwords using reversible encryption (a two-way transformation rather than a one-way hash); 1 = enabled.
Template value: 0. Possible values: 0, 1.

Enforce Password History
This setting determines how many old passwords the system will remember for each account. Users will be prevented from reusing any of the old passwords. For example, if this is set to 24, then the system will not allow users to reuse any of their last 24 passwords.
Old passwords may have been compromised, or an attacker may have taken a long time to crack encrypted passwords. Reusing an old password could inadvertently give attackers access to the system.
GPO Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy (CCE-8912-8)

Maximum Password Age
This forces users to change their passwords regularly. The lower this value is set, the more likely users will be to choose poor passwords that are easier for them to remember (e.g., Mypasswd1, Mypasswd2, Mypasswd3). The higher this value is set, the more likely the password will be compromised and used by unauthorized parties.
GPO Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy (CCE-9193-4)

Minimum Password Age
This setting requires users to wait for a certain number of days before changing their password again. The setting prevents a user from changing a password when it reaches the maximum age and then immediately changing it back to the previous password. Unfortunately, this setting also prevents users who inadvertently reveal a new password to others from changing it immediately without administrator intervention.
GPO Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy (CCE-9330-2)

Minimum Password Length
This setting specifies the minimum length of a password in characters. The rationale behind this setting is that longer passwords are more difficult to guess and crack than shorter passwords. The downside is that longer passwords are often more difficult for users to remember. Organizations that want to set a relatively large minimum password length should encourage their users to use passphrases, which may be easier to remember than conventional passwords.
GPO Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy (CCE-9357-5)

Password Complexity
Like the Minimum Password Length setting, this setting makes it more difficult to guess or crack passwords. Enabling this setting implements complexity requirements, including not having the user account name in the password and using a mixture of character types, including upper case and lower case letters, digits, and special characters such as punctuation marks.
GPO Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy (CCE-9370-8)

Reversible Password Encryption
If this setting is enabled, passwords will be stored in a decryptable format, putting them at higher risk of compromise. This setting should be disabled unless it is needed to support a legacy authentication protocol, such as Challenge Handshake Authentication Protocol (CHAP).
GPO Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy (CCE-9260-1)

Local Policies Group

This section includes legacy audit policy settings, user rights assignment policy settings, and security options policy settings.

GPO Computer Configuration\Windows Settings\Security Settings\Local Policies

Audit Policy Settings

Windows 7 includes powerful system auditing capabilities. The purpose of auditing is to record certain types of actions to a log, so that system administrators can review the logs and detect unauthorized activity. Audit logs may also be helpful when investigating a security incident that has occurred. As shown in Table 6-1, system auditing is available for logon events, account management, directory service access, object access, policy change, privilege use, process tracking, and system events. Each audit policy category can be configured to record successful events, failed events, both successful and failed events, or neither.
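As an added example (not part of this report or of the USGCB content), the following Python script checks the Account Policies values given above against the [System Access] section of a `secedit /export` file, reporting each setting with the CCE identifier listed above. The sample export embedded in it is constructed; note that secedit stores lockout times in minutes and password ages in days, whereas the tables above give seconds, and that a stricter value than the template (e.g., a lower lockout threshold) is treated as passing.

```python
"""Check the [System Access] section of a secedit /export file against the USGCB
Account Policies values listed in this report (added example; sample export is constructed)."""
import re

# Baseline values as this report lists them (seconds for times), with the report's CCE ids.
# "scale" converts to the unit secedit uses: minutes for lockout times, days for password ages.
# "stricter" says which direction counts as at least as secure as the baseline.
BASELINE = {
    "LockoutDuration":       {"value": 900,     "scale": 60,    "stricter": "higher", "cce": "CCE-9308-8"},
    "LockoutBadCount":       {"value": 50,      "scale": 1,     "stricter": "lower",  "cce": "CCE-9136-3"},
    "ResetLockoutCount":     {"value": 900,     "scale": 60,    "stricter": "higher", "cce": "CCE-9400-3"},
    "PasswordHistorySize":   {"value": 24,      "scale": 1,     "stricter": "higher", "cce": "CCE-8912-8"},
    "MaximumPasswordAge":    {"value": 7776000, "scale": 86400, "stricter": "lower",  "cce": "CCE-9193-4"},
    "MinimumPasswordAge":    {"value": 86400,   "scale": 86400, "stricter": "higher", "cce": "CCE-9330-2"},
    "MinimumPasswordLength": {"value": 14,      "scale": 1,     "stricter": "higher", "cce": "CCE-9357-5"},
    "PasswordComplexity":    {"value": 1,       "scale": 1,     "stricter": None,     "cce": "CCE-9370-8"},
    "ClearTextPassword":     {"value": 0,       "scale": 1,     "stricter": None,     "cce": "CCE-9260-1"},
}

# secedit writes 0 (or -1) for "never" / "until an administrator unlocks"; the meaning differs by key.
DISABLED_AT_ZERO = {"LockoutBadCount", "MaximumPasswordAge"}   # 0 = lockout off / password never expires
ADMIN_UNLOCK_AT_ZERO = {"LockoutDuration"}                     # 0 = stays locked until an admin unlocks


def parse_system_access(inf_text):
    """Return {key: int} from [System Access]. A real export is UTF-16; open it with encoding='utf-16'."""
    values, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[system access]"
            continue
        if in_section and "=" in line:
            key, _, val = line.partition("=")
            val = val.strip().strip('"')
            if re.fullmatch(r"-?\d+", val):
                values[key.strip()] = int(val)
    return values


def assess(values):
    """Compare parsed values with BASELINE. Returns a list of (key, cce, status, detail)."""
    findings = []
    for key, spec in BASELINE.items():
        expected = spec["value"] // spec["scale"]          # baseline in secedit's own unit
        if key not in values:
            findings.append((key, spec["cce"], "MISSING", "key not present in export"))
            continue
        actual = values[key]
        if actual == expected:
            status, detail = "PASS", f"{actual} matches baseline"
        elif key in ADMIN_UNLOCK_AT_ZERO and actual in (0, -1):
            status, detail = "PASS", "locked until an administrator unlocks (stricter than baseline)"
        elif key in DISABLED_AT_ZERO and actual in (0, -1):
            status, detail = "FAIL", "control disabled (0 / never)"
        elif spec["stricter"] is None:
            status, detail = "FAIL", f"{actual} != required {expected}"
        elif (actual > expected) == (spec["stricter"] == "higher"):
            status, detail = "PASS", f"{actual} is stricter than baseline {expected}"
        else:
            status, detail = "FAIL", f"{actual} is weaker than baseline {expected}"
        findings.append((key, spec["cce"], status, detail))
    return findings


# Constructed sample of a secedit export (not taken from a real system).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 3
"""


def failing_keys(inf_text):
    """Keys whose status is not PASS, in baseline order."""
    return [k for k, _, status, _ in assess(parse_system_access(inf_text)) if status != "PASS"]


if __name__ == "__main__":
    for key, cce, status, detail in assess(parse_system_access(SAMPLE_EXPORT)):
        print(f"{status:7} {cce}  {key}: {detail}")
```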
Section 7.3 describes how file auditing can be configured, as well as how the Event Viewer can be used to review log entries.

GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

User Rights Assignments

The NIST security templates specify which groups (e.g., Administrators, Users) have certain user rights. The goal is for each group to have only the necessary rights, and for users to only belong to the necessary groups. This is the principle of least privilege, described previously in Section 2.2. Examples of user rights that can be specified are as follows:

- Accessing the system remotely and locally
- Performing backups
- Changing the time and date on the system
- Managing the logs
- Shutting down the system

GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Each of the following user rights is set under that GPO path; its CCE identifier is given in parentheses.

- Access This Computer From The Network (CCE-9253-6): Verify that the user right 'Access This Computer From The Network' has been granted appropriately (Only Administrators). NOTE: This can break IPSec; see Microsoft Knowledge Base article 823659 for further guidance.
- Act As Part Of The Operating System (CCE-9407-8): Verify that the user right 'Act As Part Of The Operating System' has been granted appropriately (No One).
- Adjust Memory Quotas For A Process (CCE-9068-8): Verify that the user right 'Adjust Memory Quotas For A Process' has been granted appropriately.
- Log On Locally (CCE-9345-0): Verify that the user right 'Allow Log On Locally' has been granted appropriately.
- Log On Through Terminal Services (CCE-9107-4): Verify that the user right 'Allow Log On Through Terminal Services' has been granted appropriately.
- Back Up Files and Directories (CCE-9389-8): Verify that the user right 'Back Up Files and Directories' has been granted appropriately.
- Bypass Traverse Checking (CCE-8414-5): Verify that the user right 'Bypass Traverse Checking' has been granted appropriately.
- Change the System Time (CCE-8612-4): Verify that the user right 'Change the System Time' has been granted appropriately.
- Change the time zone (CCE-8423-6): The "Change the time zone" user right should be assigned to the appropriate accounts.
- Create A Pagefile (CCE-9185-0): Verify that the user right 'Create A Pagefile' has been granted appropriately.
- Create A Token Object (CCE-9215-5): Verify that the user right 'Create A Token Object' has been granted appropriately.
- Create Global Objects (CCE-8431-9): Verify that the user right 'Create Global Objects' has been granted appropriately.
- Create Permanent Shared Objects (CCE-9254-4): Verify that the user right 'Create Permanent Shared Objects' has been granted appropriately.
- Create Symbolic Links (CCE-8460-8): Verify that the user right 'Create Symbolic Links' has been granted appropriately.
- Debug Programs (CCE-8583-7): Verify that the user right 'Debug Programs' has been granted appropriately.
- Deny Access To This Computer From The Network (CCE-9244-5): Verify that the user right 'Deny Access To This Computer From The Network' has been granted appropriately.
- Deny Logon As A Batch Job (CCE-9212-2): Verify that the user right 'Deny Logon As A Batch Job' has been granted appropriately.
- Deny Logon As A Service (CCE-9098-5): Verify that the user right 'Deny Logon As A Service' has been granted appropriately.
- Deny Logon Locally (CCE-9239-5): Verify that the user right 'Deny Logon Locally' has been granted appropriately.
- Deny Logon Through Remote Desktop Services (CCE-9274-2): Verify that the user right 'Deny Logon Through Remote Desktop Services' has been granted appropriately.
- Force Shutdown From A Remote System (CCE-9336-9): Verify that the user right 'Force Shutdown From A Remote System' has been granted appropriately.
- Generate Security Audits (CCE-9226-2): Verify that the user right 'Generate Security Audits' has been granted appropriately.
- Impersonate a Client After Authentication (CCE-8467-3): Verify that the user right 'Impersonate a Client After Authentication' has been granted appropriately.
- Increase a Process Working Set (CCE-9048-0): The "Increase a Process Working Set" setting should be configured correctly.
- Increase Scheduling Priority (CCE-8999-5): Verify that the user right 'Increase Scheduling Priority' has been granted appropriately.
- Load And Unload Device Drivers (CCE-9135-5): Verify that the user right 'Load And Unload Device Drivers' has been granted appropriately.
- Lock Pages In Memory (CCE-9289-0): Verify that the user right 'Lock Pages In Memory' has been granted appropriately.
- Log On As A Batch Job (CCE-9320-3): Verify that the user right 'Log On As A Batch Job' has been granted appropriately.
- Log On As A Service (CCE-9461-5): Verify that the user right 'Log On As A Service' has been granted appropriately.
- Manage Auditing And Security Log (CCE-9223-9): Verify that the user right 'Manage Auditing And Security Log' has been granted appropriately.
- Modify an object label (CCE-9149-6): The "Modify an object label" user right should be assigned to the appropriate accounts.
- Modify Firmware Environment Values (CCE-9417-7): Verify that the user right 'Modify Firmware Environment Values' has been granted appropriately.
- Perform Volume Maintenance Tasks (CCE-8475-6): Verify that the user right 'Perform Volume Maintenance Tasks' has been granted appropriately.
- Profile Single Process (CCE-9388-0): Verify that the user right 'Profile Single Process' has been granted appropriately.
- Profile System Performance (CCE-9419-3): Verify that the user right 'Profile System Performance' has been granted appropriately.
- Remove Computer From Docking Station (CCE-9326-0): Verify that the user right 'Remove Computer From Docking Station' has been granted appropriately.
- Replace A Process Level Token (CCE-8732-0): Verify that the user right 'Replace A Process Level Token' has been granted appropriately.
- Restore Files And Directories (CCE-9124-9): Verify that the user right 'Restore Files And Directories' has been granted appropriately.
- Shut Down The System (CCE-9014-2): Verify that the user right 'Shut Down The System' has been granted appropriately.
- Take Ownership Of Files Or Other Objects (CCE-9309-6): Verify that the user right 'Take Ownership Of Files Or Other Objects' has been granted appropriately.

Security Options Settings

Besides the Local Security Policy settings mentioned earlier in this section, additional settings called Security Options can be modified to achieve greater security than the default settings provide. The NIST templates specify values for dozens of such settings.
Examples of the types of settings available are as follows:

- Limiting the use of blank passwords
- Renaming the default Administrator and Guest accounts
- Restricting remote access to floppy and CD-ROM drives
- Encrypting secure channel data in a domain
- Securing the interactive logon screen (e.g., not showing the previous user's account name, displaying a warning banner, prompting users to change passwords before they expire)
- Restricting which types of network access may be performed
- Specifying which types of authentication may be used (e.g., NTLM v2)

The Security Options settings can also be accessed and adjusted manually by performing the following steps:

1. From the Start menu, choose Control Panel.
2. Select Administrative Tools, and then choose Local Security Policy.
3. Expand Local Policies and select Security Options. The right pane lists the security options and indicates the current setting for each.
4. Make any necessary changes by double-clicking on the appropriate security option, modifying the setting, and clicking OK to save the change.

GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security options

Each entry below gives the setting, its description, the value set in the template, and the possible values.

Accounts: Administrator account status
The Administrator account status is enabled to allow the administrator to perform configuration control of the system.
Template value: 0. Possible values: 0, 1.

Status of Guest Account
This value defines the desired status of the built-in Guest account. 0 = disabled; 1 = enabled.
Template value: 0. Possible values: 0, 1.

Accounts: Limit local account use of blank passwords to console logon only
This value defines the desired status of limiting the use of blank passwords. 1 = enabled; 0 = disabled.
Template value: 1. Possible values: 0, 1.

Audit: Audit the use of Backup and Restore privilege
Controls the ability to audit the use of all user privileges, including Backup and Restore. If this policy is disabled, certain user rights will not be audited even if the "Audit privilege use" audit policy is enabled.
Template value: 0. Possible values: 0, 1.

Audit: Audit the access of global system objects
Controls the ability to audit access of global system objects. When this setting is enabled, system objects such as mutexes, events, semaphores, and DOS devices are created with a default system access control list (SACL).
Template value: 0. Possible values: 0, 1.

Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
Template value: 1. Possible values: 0, 1.

Audit: Shut down system immediately if unable to log security audits
If events cannot be written to the security log, the system is halted immediately. If the system halts as a result of a full log, an administrator must log on to the system and clear the log.
Template value: 0. Possible values: 0, 1.

Prevent Users From Installing Printer Drivers
Defines who is allowed to add and to delete printer drivers on the local system. 1 = enabled; 0 = disabled.
Template value: 0. Possible values: 0, 1.

Restrict Access to CDROM Drive
This value determines if access to the CD-ROM drive is restricted to locally logged-on users. 1 = restricted.
Template value: 0. Possible values: 0, 1.

Restrict Access to Floppy Drive
This value determines if access to the floppy drive is restricted to locally logged-on users. 1 = restricted.
Template value: 0. Possible values: 0, 1.

Domain member: Digitally encrypt secure channel data (when possible)
Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic should be encrypted.
Template value: 1. Possible values: 0, 1.

Domain member: Disable machine account password changes
Computer account passwords are changed automatically every seven days. Enabling this policy to disable automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for your system. If this policy is disabled, a new password for the computer account will be generated every week.
Template value: 0. Possible values: 0, 1.

Maximum Machine Account Password Age
This setting controls the maximum password age that a machine account may have.
Template value: 30. Possible values: 7, 30.

Require Strong Session Key
This setting controls the required strength of a session key.
Template value: 1. Possible values: 0, 1.

Interactive logon: Do not display last user name
This setting determines whether the name of the last user to log on to the computer will be displayed in the Windows logon dialog box.
Template value: 1. Possible values: 0, 1.

Interactive logon: Do not require CTRL+ALT+DEL
Disabling the Ctrl+Alt+Del security attention sequence can compromise system security. Because only Windows responds to the Ctrl+Alt+Del security sequence, you can be assured that any passwords you enter following that sequence are sent only to Windows. If you eliminate the sequence requirement, malicious programs can request and receive your Windows password. Disabling this sequence also suppresses a custom logon banner. 0 = disabled.
Template value: 0. Possible values: 0, 1.

Interactive logon: Message text for users attempting to log on
Specifies a text message that is displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited.
Template value: .+ (regular expression, i.e., any non-empty text). Possible values: .+

Interactive logon: Message title for users attempting to log on
The logon banner should be titled with a warning label containing the name of the owning organization.
Template value: .+ (regular expression, i.e., any non-empty text). Possible values: .+

Number of Previous Logons to Cache (in Case Domain Controller Is Not Available)
Defines the number of last logon credentials cached for users who log on interactively to a system.
Template value: 2. Possible values: 0, 1, 2, 5, 10.

Prompt User to Change Password Before Expiration
This setting configures the system to display a warning to users telling them how many days are left before their password expires.
Template value: 14. Possible values: 14.

Require Domain Controller Authentication to Unlock Workstation
This setting controls the behavior of the system when you attempt to unlock the workstation. If this setting is enabled, the system will pass the credentials to the domain controller (if in a domain) for authentication before allowing the system to be unlocked.
Template value: 0. Possible values: 0, 1.

Smart Card Removal Behavior
This value determines the desired behavior when a smart card is removed. 0 = No action; 1 = Lock workstation; 2 = Force logoff.
Template value: 1. Possible values: 0, 1, 2.

Client Digitally Sign Communications (Always)
This check verifies that the client policy is set to always sign packets.
Template value: 0. Possible values: 0, 1.

Microsoft network client: Digitally sign communications (if server agrees)
This check verifies that the client policy is set to sign packets if the server agrees.
Template value: 1. Possible values: 0, 1.

Microsoft network client: Send unencrypted password to third-party SMB servers
Some non-Microsoft SMB servers only support unencrypted (plain text) password authentication. Sending plain text passwords across the network, when authenticating to an SMB server, reduces the overall security of the environment. Check with the vendor of the SMB server to see if there is a way to support encrypted password authentication.
Template value: 0. Possible values: 0, 1.

Amount of Idle Time Required Before Suspending Session
Administrators should use this setting to control when a computer disconnects an inactive SMB session. If client activity resumes, the session is automatically reestablished.
Template value: 15. Possible values: 15.

Microsoft network server: Digitally sign communications (always)
This check verifies that the server policy is set to always sign packets.
Template value: 1. Possible values: 0, 1.

Microsoft network server: Digitally sign communications (if client agrees)
This check verifies that the server policy is set to sign packets if the client agrees.
Template value: 1. Possible values: 0, 1.

Microsoft network server: Disconnect clients when logon hours expire
Users should not be permitted to remain logged on to the network after they have exceeded their permitted logon hours. In many cases, this indicates that a user forgot to log off before leaving for the day. However, it may also indicate that a user is attempting unauthorized access at a time when the system may be less closely monitored.
Template value: 1. Possible values: 0, 1.

Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients
Template value: 537395200. Possible values: 537395200.

Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers
Template value: 537395200. Possible values: 537395200.

Network access: Allow anonymous SID/Name translation
This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user. If this policy is enabled, an anonymous user can request the SID attribute for another user. An anonymous user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name. This setting affects both the SID-to-name translation as well as the name-to-SID translation. If this policy setting is disabled, an anonymous user cannot request the SID attribute for another user. Default on workstations and member servers: Disabled. Default on domain controllers running Windows Server 2008 or later: Disabled. Default on domain controllers running Windows Server 2003 R2 or earlier: Enabled.
Template value: 0. Possible values: 0, 1.

Network access: Do not allow anonymous enumeration of SAM accounts
This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows: Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources. Disabled: No additional restrictions; rely on default permissions. Default on workstations: Enabled. Default on servers: Disabled. Important: This policy has no impact on domain controllers.
Template value: 1. Possible values: 0, 1.

Network access: Do not allow anonymous enumeration of SAM accounts and shares
This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy. Default: Disabled.
1 0 1 Network access: Do not allow storage of credentials or .NET Passports for network authentication Network access: Do not allow storage of credentials or .NET Passports for network authentication 1 0 1 Network access: Let Everyone permissions apply to anonymous users Network access: Let Everyone permissions apply to anonymous users 0 0 1 Network access: Restrict anonymous access to Named Pipes and Shares Network access: Restrict anonymous access to Named Pipes and Shares 1 0 1 Network access: Sharing and security model for local accounts Network access: Sharing and security model for local accounts 0 0 1 Network security: Do not store LAN Manager hash value on next password change Network security: Do not store LAN Manager hash value on next password change 1 0 1 Network security: Force logoff when logon hours expire Network security: Force logoff when logon hours expire 0 0 1 Network Security: LAN Manager Authentication Level Network Security: LAN Manager Authentication Level 5 0 1 2 3 4 5 Network Security: LDAP client signing requirements Network Security: LDAP client signing requirements 1 0 1 2 Recovery Console: Allow Automatic Administrative Logon Recovery Console: Allow Automatic Administrative Logon 0 0 1 Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders 0 0 1 Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Digitally encrypt or sign secure channel data (always). Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted or signed. If this policy is enabled, outgoing secure channel traffic should be encrypted. 1 0 1 Domain member: Digitally sign secure channel data (when possible) Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. 
If this policy is enabled, all outgoing secure channel traffic should be signed. 1 0 1 Shutdown: Allow System to be Shut Down Without Having to Log On Shutdown: Allow System to be Shut Down Without Having to Log On 0 0 1 Shutdown: Clear Virtual Memory Pagefile Shutdown: Clear Virtual Memory Pagefile 1 0 1 System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing 0 0 1 System objects: Require case insensitivity for non-Windows subsystems System objects: Require case insensitivity for non-Windows subsystems 0 0 1 System objects: Strengthen default permissions of internal system objects System objects: Strengthen default permissions of internal system objects 1 0 1 Admin Approval Mode for the Built-in Administrator account This security setting determines the behavior of Admin Approval Mode for the Built-in Administrator account. 0 0 1 Behavior of the elevation prompt for administrators in Admin Approval Mode This security setting determines the behavior of the elevation prompt for administrators. 4 0 1 2 3 4 5 Behavior of the elevation prompt for standard users This security setting determines the behavior of the elevation prompt for standard users. 1 0 1 3 Detect application installations and prompt for elevation This security setting determines the behavior of application installation detection for the computer. 0 0 1 Only elevate executables that are signed and validated This security setting will enforce public key infrastructure (PKI) signature checks on any interactive application that requests elevation of privilege. Enterprise administrators can control which administrative applications are allowed through the certificates in the local computer's Trusted Publishers certificate store. 
0 0 1 Only elevate UIAccess applications that are installed in secure locations This security setting will enforce the requirement that applications requesting to be run with a UIAccess integrity level must reside in a secure location on the file system. 0 0 1 Run all administrators in Admin Approval Mode This security setting determines the behavior of all UAC policies for the entire system. 0 0 1 Switch to the secure desktop when prompting for elevation This security setting determines whether the elevation prompt appears on the interactive user's desktop or the secure desktop. 0 0 1 Virtualize file and registry write failures to per-user locations This security setting enables the redirection of application write failures to defined locations in both the registry and file system. This feature mitigates those applications that historically ran as administrator and wrote runtime application data to protected locations (%ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software\...). Virtualization facilitates the running of applications that historically failed to run as standard user because of application write failures. 0 0 1 Accounts: Administrator account status The Administrator account status is enabled to allow the administrator to perform configuration control of the system. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9199-1 Accounts: Guest account status A system faces an increased vulnerability threat if the built-in guest account is not disabled. This account is a known account that exists on all Windows systems and cannot be deleted. This account is initialized during the installation of the operating system with no password assigned. This account is a member of the Everyone user group and has all the rights and permissions associated with that group, which could subsequently provide access to system resources to anonymous users. Ensure the built-in guest account is disabled. 
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-8714-8 Accounts: Limit local account use to blank passwords to console logon only In Windows 7, accounts with null or blank passwords can only be used to log on at the physical system's logon screen. This means that accounts with blank or null passwords cannot be used over networks or with the secondary logon service (RunAs). This feature prevents attackers and malware from gaining remote access through blank passwords. Section 6 contains information on other recommended password settings. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9418-5 Accounts: Rename administrator account The Administrator account is created by default when installing Windows 7, but is disabled. Associating the Administrator SID with a different name may thwart a potential hacker who is targeting the built-in Administrator account. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-8484-8 Accounts: Rename guest account The Guest account is created by default when installing Windows 7, but is disabled. Associating the Guest SID with a different name may thwart a potential hacker who is targeting the built-in Guest account. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9229-6 Audit: Audit the access of global system objects Controls the ability to audit access of global systems objects. When this setting is enabled, system objects such as mutexes, events, semaphores, and DOS devices, are created with a default system access control list (SACL). GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9150-4 Audit: Audit the use of Backup and Restore privilege Controls the ability to audit the use of all user privileges, including Backup and Restore. 
If this policy is disabled, certain user rights will not be audited even if "Audit privilege use" audit policy is enabled. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-8789-0 Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9432-6 Devices: Prevent users from installing printer drivers This setting determines who is allowed to install a printer driver as part of adding a network printer. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9026-6 Devices: Restrict CD-ROM access to locally logged-on user only Removable media devices (CD-ROM) are readable by others on the network if they are not properly configured. A process can remain running in the background after a user logs off, thereby, permitting access to the media, while another user is logged on to the system. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9304-7 Devices: Restrict floppy access to locally logged-on user only Removable media devices (floppy disks) are readable by others on the network if they are not properly configured. A process can remain running in the background after a user logs off, thereby, permitting access to the media, while another user is logged on to the system. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9440-9 Domain member: Digitally encrypt or sign secure channel data (always) Domain member: Digitally encrypt or sign secure channel data (always). Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted or signed. 
If this policy is enabled, outgoing secure channel traffic should be encrypted. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-8974-8 Domain member: Digitally encrypt secure channel data (when possible) Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but not all information is encrypted. If this policy is enabled, outgoing secure channel traffic should be encrypted. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9251-0 Domain member: Digitally sign secure channel data (when possible) Requests sent on the secure channel are authenticated, and sensitive information (such as passwords) is encrypted, but the channel is not integrity checked. If this policy is enabled, all outgoing secure channel traffic should be signed. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9375-7 Domain member: Disable machine account password changes Computer account passwords are changed automatically every seven days. Enabling this policy to disable automatic password changes can make the system more vulnerable to malicious access. Frequent password changes can be a significant safeguard for your system. If this policy is disabled, a new password for the computer account will be generated every week. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9295-7 Domain member: Maximum machine account password age This setting controls the maximum password age that a machine account may have. This setting should be set to no more that 30 days, ensuring that the machine changes its password monthly. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9123-1 Domain member: Require strong (Windows 2000 or later) session key This setting controls the required strength of a session key. 
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9387-2 Interactive logon: Do not display last user name This setting determines whether the name of the last user to log on to the computer will be displayed in the Windows logon dialog box. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9449-0 Interactive logon: Do not require CTRL+ALT+DEL Disabling the Ctrl+Alt+Del security attention sequence can compromise system security. Because only Windows responds to the Ctrl+Alt+Del security sequence, you can be assured that any passwords you enter following that sequence are sent only to Windows. If you eliminate the sequence requirement, malicious programs can request and receive your Windows password. Disabling this sequence also suppresses a custom logon banner. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9317-9 Interactive logon: Message text for users attempting to log on Failure to display the logon banner prior to a logon attempt will negate legal proceedings resulting from unauthorized access to system resources. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-8973-0 Interactive logon: Message title for users attempting to log on The logon banner should be titled with a warning label containing the name of the owning organization. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-8740-3 Interactive logon: Number of previous logons to cache (in case domain controller is not available) The default Windows 7 configuration caches the last logon credentials for users who log on interactively to a system. This feature is provided for system availability reasons such as the users machine is disconnected from the network or domain controllers are not available. 
Even though the credential cache is well-protected, storing encrypted copies of users passwords on workstations do not always have the same physical protection required for domain controllers. If a workstation is attacked, the unauthorized individual may isolate the password to a domain user account using a password-cracking program, and gain access to the domain. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-8487-1 Interactive logon: Prompt user to change password before expiration This setting configures the system to display a warning to users telling them how many days are left before their password expires. By giving the user advanced warning, the user has time to construct a sufficiently strong password. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9307-0 Interactive logon: Require Domain Controller authentication to unlock workstation This setting controls the behavior of the system when you attempt to unlock the workstation. If this setting is enabled, the system will pass the credentials to the domain controller (if in a domain) for authentication before allowing the system to be unlocked. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-8818-7 Interactive logon: Smart card removal behavior When the smart card for a logged-on user is removed from the smart card reader, the workstation should be locked. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9067-0 Microsoft network client: Digitally sign communications (always) This check verifies that the client policy is set to always sign packets. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9327-8 Microsoft network client: Digitally sign communications (if server agrees) This check verifies that the client policy is set to sign packets if the server agrees. 
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9344-3 Microsoft network client: Send unencrypted password to third-party SMB servers Some non-Microsoft SMB servers only support unencrypted (plain text) password authentication. Sending plain text passwords across the network, when authenticating to an SMB server, reduces the overall security of the environment. Check with the Vendor of the SMB server to see if there is a way to support encrypted password authentication. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9265-0 Microsoft network server: Amount of idle time required before suspending session Administrators should use this setting to control when a computer disconnects an inactive SMB session. If client activity resumes, the session is automatically reestablished. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9406-0 Microsoft network server: Digitally sign communications (always) This check verifies that the server policy is set to always sign packets. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9040-7 Microsoft network server: Digitally sign communications (if client agrees) Microsoft network server: Digitally sign communications (if client agrees). This check verifies that the server policy is set to sign packets if the client agrees. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-8825-2 Microsoft network server: Disconnect clients when logon hours expire Users should not be permitted to remain logged on to the network after they have exceeded their permitted logon hours. In many cases, this indicates that a user forgot to log off before leaving for the day. However, it may also indicate that a user is attempting unauthorized access at a time when the system may be less closely monitored. 
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9358-3 Network access: Allow anonymous SID-Name translation Determines if an anonymous user can request security identifier (SID) attributes for another user or use a SID to get the corresponding username. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9531-5 Network access: Do not allow anonymous enumeration of SAM accounts If this setting is disabled, it allows anonymous logon users (null session connections) to list all account names, thus providing a map of potential points to attack the system. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9249-4 Network access: Do not allow anonymous enumeration of SAM accounts and shares If this setting is disabled, it allows anonymous logon users (null session connections) to list all account names and enumerate all shared resources, thus providing a map of potential points to attack the system. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9156-1 Network access: Do not allow storage of passwords and credentials for network authentication This setting controls the storage of authentication credentials or .NET passports on the local system. Such credentials should never be stored on the local machine as that may lead to account compromise. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-8654-6 Network access: Let Everyone permissions apply to anonymous users This setting helps define the permissions that anonymous users have. If this setting is enabled then anonymous users have the same rights and permissions as the built-in Everyone group. Anonymous users should not have these permissions or rights. 
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-8936-7 Network access: Remotely accessible registry paths Network access: Remotely accessible registry paths(System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion) GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9121-5 Network access: Remotely accessible registry paths and sub paths Network access: Remotely accessible registry paths ("Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog") GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9386-4 Network access: Restrict anonymous access to Named Pipes and Shares This check determines whether anonymous access is restricted to named pipes and shares. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9540-6 Network access: Sharing and security model for local accounts Windows 7 includes two network-sharing security models Classic and Guest only. It is recommended that the Classic mode be used. 
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9503-4 Network security: Do not store LAN Manager hash value on next password change This setting controls whether or not a LAN Manager hash of the password is stored in the SAM the next time the password is changed. The LAN Manager hash is a weak encryption algorithm and there are several tools available that use this hash to retrieve account passwords. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-8937-5 Network security: Force logoff when logon hours expire This setting controls whether or not users are forced to log off when their allowed logon hours expire. If logon hours are set for users, then this should be enforced. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9704-8 Network security: LAN Manager Authentication Level Windows network authentication has changed considerably as various security vulnerabilities have been identified and fixed. The original LAN Manager (or LM) password hash is considered very weak, but is still used by most Windows 9x clients. Using commercially available software, and off-the-shelf computers, most LM password hashes can be used to reveal the actual password in a matter of days, or hours. With the release of Windows NT 4.0, Microsoft developed NTLM authentication. Serious vulnerabilities made NTLM almost as easy to crack as LM, so NTLM version 2 (NTLMv2) was introduced. NTLMv2 provides significant improvements to security; when combined with strong password policy, accounts are well protected against brute force attacks. All of these authentication methods are incorporated into Windows 2000. All authentication models work with a hash of the password, not the password itself. This presents challenges with down-level compatibility between operating systems. 
In order to smooth the transition, when one computer attempts to authenticate with another, the default behavior is to send the basic LM hash along with the more secure NTLM hash. This setting improves control over the response to an authentication challenge: Send LM and NTLM responses, Send LM and NTLM, Use NTLMv2 session security if negotiated, Send NTLM response only, Send NTLMv2 response only, Send NTLMv2 response only\refuse LM, Send NTLMv2 response only\refuse LM and NTLM, The default, and weakest option, is the first: send LM and NTLM responses. As a result, using NTLM is ineffective because both protocols are sent together. In order to take a much more effective stand to protect network authentication, set LAN Manager Authentication Level to Send NTLMv2 response only\refuse LM and NTLM. Enabling this setting may have adverse effects on your ability to communicate with other Windows machines unless the change is made network-wide. If you find that you are unable to require a certain level of LM Authentication, back down to "Send LM and NTLM - Use NTLMv2 session security if negotiated" and try your network authentication again. Communication with Windows 9x/Me machines requires the DSCLIENT.EXE utility from the Windows 2000 installation CD. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-8806-2 Network security: LDAP client signing requirements Similar to the SMB protocol, the LDAP protocol supports signing. LDAP, "Lightweight Directory Access Protocol," provides one means for the client to talk to active directory. LDAP protocol is text-based, but supports authentication to gain access to sensitive sections of the directory. Require signing to provide the assurance of mutual authentication for this communications channel. 
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9768-3 Network security: Minimum session security for NTLM SSP based (including secure RPC) clients NTLM authentication can provide a security service to manage connection between various clients and servers, including through the Remote Procedure Call (RPC) service. Windows 2000 improved the security model for secure, authenticated client-server communications; this setting manages the new features for communications established by this workstation. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9534-9 Network security: Minimum session security for NTLM SSP based (including secure RPC) servers Similar to "Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients", this setting manages features for communication services provided by this workstation to other computers. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9736-0 Recovery Console: Allow Automatic Administrative Logon The Recovery Console, new to Windows 2000 and XP, provides a limited command-line access to an otherwise unbootable operating system. The console allows access to the NTFS file system, which does not natively allow access when the operating system becomes unbootable. Other third-party applications have been developed to perform this action as well, but the Recovery Console is part of the operating system. It can be installed from the Windows 2000 CD with the "d:\i386\winnt32.exe /cmdcons" command. It can also be run directly from the Windows 2000 installation CD. The Recovery Console does not grant full and unrestricted access to the operating system by default. It does require that you log on using the password of the default Administrator account. 
Keep in mind that this must be the local administrator account, not just a member of the local administrators group. Also, the policy for renaming the administrator account does not apply to the recovery console, and that password must be used. If configured, a boot to the recovery console could result in automatic logon, and bypass the need for the password of the administrator account. Since this gives administrator access to anyone who can reboot the computer, the setting is generally disabled. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-8807-0 Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders By default, the Recovery Console only allows access to the root folder of each drive, and the operating system folder (typically C:\Windows). The console also prevents copying files from the hard drive onto removable media. Although this protection can be bypassed by enabling floppy copy and drive access, the setting is enabled by default and should remain disabled. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-8945-8 Shutdown: Allow System to be Shut Down Without Having to Log On Some systems run critical processes and should only be shut down by authorized users. Occasionally, special processes could be evoked during system startup, sometimes even trojaned processes. In environments where abnormal system reboots could cause problems, require a logon prior to reboot. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9707-1 Shutdown: Clear Virtual Memory Pagefile Virtual memory extends the physical memory available to the CPU. As data and applications fill the available physical memory, the operating system writes less-frequently used pages of memory out to disk, into the virtual memory pagefile. This greatly extends the amount of "virtual" memory available to the computer. 
Since the pagefile contains information that was in memory, it potentially holds a great deal of information useful for an attacker. Digging through the pagefile can reveal SSL web pages, queries set from the client to databases, sometimes even user ids and passwords from poorly written applications. The workstation does not clean this information from the pagefile on shutdown. Although the file can not be accessed when booted in Windows, anyone booting the workstation to an alternate operating system (e.g., from a boot CD) may access the page file. Enabling this options provides greater security by erasing the data during normal operations; however, this may also significantly increase the time required to shut down the computer. When enabled, the hibernation file (hiberfil.sys) is also cleaned on shutdown. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9222-1 System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9266-8 System objects: Require case insensitivity for non-Windows subsystems The Windows operating systems ignore case when accessing resources; for example, "C:\Windows", "C:\WINDOWS" and "c:\windows" all refer to the same directory. However, the Windows kernel allows interfaces with other case-sensitive operating systems (e.g., Unix). Enabling this setting causes the interoperability features to be case-insensitive as well. This setting has no effect when the workstation communicates only with other Windows systems. 
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9319-5

System objects: Strengthen default permissions of internal system objects
This setting digs deep into operating system behavior and should be left at the default (Enabled) unless a change is explicitly required. "Internal system objects" are shared physical and logical resources such as semaphores and DOS device names; all of these objects are created with access control lists (ACLs). When enabled, the ACL allows other non-administrative system processes to query internal system objects but not to modify them.
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9191-8

User Account Control: Admin Approval Mode for the Built-in Administrator account
The "User Account Control: Admin Approval Mode for the Built-in Administrator account" setting should be configured correctly.
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8811-2

User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
The "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" setting should be configured correctly.
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8958-1

User Account Control: Behavior of the elevation prompt for standard users
The "User Account Control: Behavior of the elevation prompt for standard users" setting should be configured correctly.
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8813-8

User Account Control: Detect application installations and prompt for elevation
The "User Account Control: Detect application installations and prompt for elevation" setting should be configured correctly.
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9616-4

User Account Control: Only elevate executables that are signed and validated
The "User Account Control: Only elevate executables that are signed and validated" setting should be configured correctly.
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9021-7

User Account Control: Only elevate UIAccess applications that are installed in secure locations
The "User Account Control: Only elevate UIAccess applications that are installed in secure locations" setting should be configured correctly.
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9801-2

User Account Control: Run all administrators in Admin Approval Mode
The "User Account Control: Run all administrators in Admin Approval Mode" setting should be configured correctly.
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9189-2

User Account Control: Switch to the secure desktop when prompting for elevation
The "User Account Control: Switch to the secure desktop when prompting for elevation" setting should be configured correctly.
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9395-5

User Account Control: Virtualize file and registry write failures to per-user locations
The "User Account Control: Virtualize file and registry write failures to per-user locations" setting should be configured correctly.
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8817-9

MSS Security Options Settings
The settings identified in this section do not appear in the Windows 7 GPO by default. They can be added by obtaining a modified sceregvl.inf file for use on the system.
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security options

MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended)
Determines whether the automatic logon feature is enabled. Automatic logon uses the domain, user name, and password stored in the registry to log users on to the computer when the system starts. The Log On to Windows dialog box is not displayed.
Values: 0, 0, 1

MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. Microsoft recommends configuring this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing.
Registry: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
Values: 2, 0, 1, 2

MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
Internet Control Message Protocol (ICMP) redirects cause the stack to plumb host routes. These routes override the Open Shortest Path First (OSPF)-generated routes, and attackers can use source routed packets to conceal the address of their computer.
Registry: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect
Values: 0, 0, 1

MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
This value controls how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet. If the remote computer is still reachable, it acknowledges the keep-alive packet.
Registry: HKLM\System\CurrentControlSet\Tcpip\Parameters\KeepAliveTime
Values: 300000, 300000

MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
Network Basic Input/Output System (NetBIOS) over TCP/IP is a networking protocol that, among other things, provides a means of easily resolving NetBIOS names registered on Windows-based systems to the IP addresses configured on those systems. This value determines whether the computer releases its NetBIOS name when it receives a name release request. The NoNameReleaseOnDemand setting configures the system to refuse name release requests for its SMB name. This setting prevents an attacker from sending a name release request to a server and causing the server to be inaccessible to legitimate clients. If this setting is configured on a client, however, and that client is misconfigured with the same name as a critical server, the server will be unable to recover the name, and legitimate requests may be directed to the rogue server instead, causing a denial of service condition at best.
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand
Values: 1, 0, 1

MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS)
This setting is used to enable or disable the Internet Router Discovery Protocol (IRDP). IRDP allows the system to detect and configure Default Gateway addresses automatically.
Registry: HKLM\System\CurrentControlSet\Tcpip\Parameters\PerformRouterDiscovery
Values: 0, 0, 1, 2

MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
Most programs on the Windows platform make use of various Dynamic Link Libraries (DLLs) to avoid having to reimplement functionality. The operating system loads several DLLs for each program, depending on what type of program it is. When the program does not specify an absolute location for a DLL, the default search order is used to locate it.
By default, the search order used by the operating system is as follows:
1. Memory
2. KnownDLLs
3. Manifests and .local
4. Application directory
5. Current working directory
6. System directories (%systemroot%, %systemroot%\system, and %systemroot%\system32)
7. The PATH variable
The fact that the current working directory is searched before the system directories can be used by someone with access to the file system to cause a program launched by a user to load a spoofed DLL. If a user launches a program by double-clicking a document, the current working directory is actually the location of the document. If a DLL in that directory has the same name as a system DLL, the DLL in that location will be loaded instead of the system DLL. This attack vector was used by the Nimda virus. To combat this, a new setting was created in Service Pack 3, which moves the current working directory to after the system directories in the search order. To avoid application compatibility issues, however, this switch was not turned on by default. To turn it on, set the following registry value:
MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
Values: 1, 0, 1

MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
Setting added to the registry to make screen saver password protection immediate. The default grace period allowed for user movement before the screen saver lock takes effect is five seconds. Leaving the grace period at the default setting makes the computer vulnerable to a potential attack from someone walking up to the console and attempting to log onto the system before the lock takes effect. An entry can be made in the registry to adjust the length of the grace period.
Values: 0, 0, 5

MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
Values: 3, 3, 5

MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Windows Server 2003 and Service Pack 3 for Windows 2000 include a feature for generating a security audit in the security event log when the security log reaches a user-defined threshold. Note: new to W2K3.
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel
Values: 90, 90

MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended)
Values: 1, 0, 1, 2, 3

Microsoft network server: SPN Target name validation
This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol.
Values: 1, 0, 1, 2

MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
Allowing source routed network traffic allows attackers to obscure their identity and location.
Values: 2, 0, 1, 2

MSS: (Hidden) Hide computer from the browse list (Not Recommended except for highly secure environments)
Hiding the computer from the Browse List removes one method attackers might use to gather information about computers on the network.
Values: 1, 0, 1

MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
Values: 3, 3, 5

Network security: Allow Local System to use computer identity for NTLM
This policy setting allows services running as Local System to use the computer identity when negotiating NTLM authentication.
Values: 1, 0, 1

Network security: Allow LocalSystem NULL session fallback
This policy setting allows the system to fall back to a NULL session.
Values: 0, 0, 1

Network Security: Allow PKU2U authentication requests to this computer to use online identities
Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decides whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U.
Values: 0, 0, 1

Network Security: Configure encryption types allowed for Kerberos
This policy setting allows you to specify the allowed encryption types for Kerberos authentication.
Values: 2147483644, 2147483644
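As an added example (not part of this report or of the USGCB baseline), the following PowerShell script audits the registry-backed MSS and related values listed above against the first number in each row, which it reads as the recommended value (an assumption about the table layout), using full HKLM key paths where the report abbreviates them. Run it in an elevated session; it changes nothing unless -Remediate is given.

```powershell
# Added example: audit (and optionally set) the MSS registry values above.
# Assumption: the first value listed in each row of the report is the
# recommended setting. Paths are the full key paths; the report writes
# "Tcpip\Parameters" without the "Services" component for some entries.

$Tcpip    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Tcpip6   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Key, value name, expected data and registry type for each check.
# AutoAdminLogon and ScreenSaverGracePeriod are REG_SZ values; the rest are REG_DWORD.
$MssBaseline = @(
    @{ Key = $Winlogon; Name = 'AutoAdminLogon';          Expected = '0';    Type = 'String' }
    @{ Key = $Winlogon; Name = 'ScreenSaverGracePeriod';  Expected = '0';    Type = 'String' }
    @{ Key = $Tcpip;    Name = 'DisableIPSourceRouting';  Expected = 2;      Type = 'DWord'  }
    @{ Key = $Tcpip;    Name = 'EnableICMPRedirect';      Expected = 0;      Type = 'DWord'  }
    @{ Key = $Tcpip;    Name = 'KeepAliveTime';           Expected = 300000; Type = 'DWord'  }
    @{ Key = $Tcpip;    Name = 'PerformRouterDiscovery';  Expected = 0;      Type = 'DWord'  }
    @{ Key = $Tcpip;    Name = 'TcpMaxDataRetransmissions'; Expected = 3;    Type = 'DWord'  }
    @{ Key = $Tcpip6;   Name = 'DisableIpSourceRouting';  Expected = 2;      Type = 'DWord'  }
    @{ Key = $Tcpip6;   Name = 'TcpMaxDataRetransmissions'; Expected = 3;    Type = 'DWord'  }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters'
       Name = 'NoNameReleaseOnDemand'; Expected = 1; Type = 'DWord' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
       Name = 'SafeDllSearchMode'; Expected = 1; Type = 'DWord' }
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Security'
       Name = 'WarningLevel'; Expected = 90; Type = 'DWord' }
)

function Test-MssBaseline {
    [CmdletBinding()]
    param([switch]$Remediate)   # without -Remediate the function only reports

    foreach ($item in $MssBaseline) {
        $actual = $null
        # A missing key or value returns $null here; the OS default then applies,
        # which for most of these settings is NOT the hardened value.
        $prop = Get-ItemProperty -Path $item.Key -Name $item.Name -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $actual = $prop.($item.Name) }

        # Compare as strings so REG_SZ "0" and REG_DWORD 0 are handled alike.
        if ($null -eq $actual)                          { $status = 'Missing' }
        elseif ("$actual" -eq "$($item.Expected)")      { $status = 'Compliant' }
        else                                            { $status = 'NonCompliant' }

        if ($Remediate -and $status -ne 'Compliant') {
            if (-not (Test-Path $item.Key)) { New-Item -Path $item.Key -Force | Out-Null }
            New-ItemProperty -Path $item.Key -Name $item.Name -Value $item.Expected `
                -PropertyType $item.Type -Force | Out-Null
            $status = 'Remediated'
        }

        [pscustomobject]@{
            Setting  = $item.Name
            Key      = $item.Key
            Expected = $item.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

# Report only; add -Remediate to write the expected values.
Test-MssBaseline | Format-Table Setting, Expected, Actual, Status -AutoSize
```

Values that Group Policy already enforces will show as Compliant; a Missing result means the key is absent and the operating system default is in effect.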
MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended)
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9342-7

MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9496-1

MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8513-4

MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9426-8

MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering (recommended)
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9439-1

MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8562-1

MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS)
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9458-1

MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9348-4

MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8591-0

MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9456-5

MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9501-8

Microsoft network server: SPN Target name validation
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8503-5

MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8655-3

MSS: (Hidden) Hide computer from the browse list (Not Recommended except for highly secure environments)
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8560-5

MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default)
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9487-0

Network security: Allow Local System to use computer identity for NTLM
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9096-9

Network security: Allow LocalSystem NULL session fallback
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8804-7

Network Security: Allow PKU2U authentication requests to this computer to use online identities
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9770-9

Network Security: Configure encryption types allowed for Kerberos
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9532-3

System Services Group
This section identifies requirements for the state of certain services on the system.
System Services Settings
This section identifies requirements for the state of certain services on the system.

Fax Service: Defines the startup state of the service. Values: 4, 2, 3, 4
HomeGroup Listener Service: Defines the startup state of the service. Values: 4, 2, 3, 4
HomeGroup Provider Service: Defines the startup state of the service. Values: 4, 2, 3, 4
Media Center Extender Service: Defines the startup state of the service. Values: 4, 2, 3, 4
Parental Controls Service: Defines the startup state of the service. Values: 4, 2, 3, 4

Fax Service
Enables you to send and receive faxes, utilizing fax resources available on this computer or on the network.
GPO Computer Configuration\Windows Settings\Security Settings\System Services
CCE-10150-1

HomeGroup Listener
Makes local computer changes associated with configuration and maintenance of the homegroup-joined computer. If this service is stopped or disabled, your computer will not work properly in a homegroup and your homegroup might not work properly. It is recommended that you keep this service running.
CCE-10543-7

Homegroup Provider
Performs networking tasks associated with configuration and maintenance of homegroups. If this service is stopped or disabled, your computer will be unable to detect other homegroups and your homegroup might not work properly. It is recommended that you keep this service running.
CCE-9910-1

Media Center Extender
Allows Media Center Extenders to locate and connect to the computer.
CCE-10699-7

Parental Controls Service
This service is a stub for Windows Parental Control functionality that existed in Vista. It is provided for backward compatibility only.
CCE-10311-9

Conditional: Bluetooth not enabled
Bluetooth Support Service: Defines the startup state of the service. Values: 4, 2, 3, 4

Bluetooth Support Service
The Bluetooth service supports discovery and association of remote Bluetooth devices.
Stopping or disabling this service may cause already installed Bluetooth devices to fail to operate properly and prevent new devices from being discovered or associated.
CCE-10661-7

Advanced Audit Policy Settings
Windows 7 gives more control over individual audit policy through subcategories that were not available prior to Windows Vista.

Account Logon Audit Settings
This section contains the policy settings which control the auditing of credential validation.

Credential Validation: This audit policy reports the results of validation tests on credentials submitted for a user account logon request. Values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE, AUDIT_NONE

Computer Account Management
This audit policy reports the results of validation tests on credentials submitted for a user account logon request.
CCE-9725-3 CCE-9718-8

Account Management Settings
The Account Management audit category helps you track attempts to create new users or groups, rename users or groups, enable or disable user accounts, change account passwords, and enable auditing for Account Management events. If you enable this audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user and group accounts.

computer-account-management: This audit policy reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled. Values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE, AUDIT_NONE
other-account-management-events: This audit policy reports other account management events. Values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE, AUDIT_NONE
security-group-management: This audit policy reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group.
Values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE, AUDIT_NONE
user-account-management: This audit policy reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. Values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE, AUDIT_NONE

Computer Account Management
This audit policy reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled.
CCE-9498-7 CCE-9608-1

Other Account Management Events
This audit policy reports other account management events.
CCE-9657-8 CCE-9668-5

Security Group Management
This audit policy reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group.
CCE-9692-5 CCE-9056-3

User Account Management
This audit policy reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed.
CCE-9542-2 CCE-9800-4

Detailed Tracking Settings
The Detailed Tracking audit category determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Enabling Audit process tracking will generate a large number of events, so it is typically set to No Auditing. However, this setting can provide a great benefit during an incident response from the detailed log of the processes started and the time when they were launched.

process-creation: This audit policy reports the creation of a process and the name of the program or user that created it.
Values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE, AUDIT_NONE

Process Creation
This audit policy reports the creation of a process and the name of the program or user that created it.
CCE-9562-0 CCE-9805-3

Logon Logoff Settings
This audit category generates events that record the creation and destruction of logon sessions. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource.

logoff: This audit policy reports when a user logs off from the system. Values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE, AUDIT_NONE
logon: This audit policy reports when a user attempts to log on to the system. Values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE, AUDIT_NONE
special-logon: This audit policy reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE, AUDIT_NONE

Logoff
This audit policy reports when a user logs off from the system.
CCE-8856-7 CCE-9058-9

Logon
This audit policy reports when a user attempts to log on to the system.
CCE-9683-4 CCE-9213-0

Special Logon
This audit policy reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
CCE-9763-4 CCE-9521-6

Object Access Settings
By itself, this policy setting will not cause auditing of any events. It determines whether to audit the event of a user who accesses an object (for example, a file, folder, registry key, or printer) that has a specified system access control list (SACL), effectively enabling auditing to take place.

file-system: This audit policy reports when file system objects are accessed.
Only file system objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL. Values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE, AUDIT_NONE
registry: This audit policy reports when registry objects are accessed. Only registry objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL. Values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE, AUDIT_NONE

File System
This audit policy reports when file system objects are accessed. Only file system objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL.
CCE-9217-1 CCE-9811-1

Registry
This audit policy reports when registry objects are accessed. Only registry objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL.
CCE-9737-8 CCE-10078-4

Policy Change Settings
The Policy Change audit category determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself.

policy_change_audit: This audit policy reports changes in audit policy, including SACL changes. Values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE, AUDIT_NONE
authentication-policy-change: This audit policy reports changes in authentication policy. Values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE, AUDIT_NONE

Audit Policy Change
This audit policy reports changes in audit policy, including SACL changes.
CCE-10021-4 CCE-9235-3

Authentication Policy Change
This audit policy reports changes in authentication policy.
CCE-9976-2 CCE-10014-9

Privilege Use Settings
The Privilege Use audit category determines whether to audit each instance of a user exercising a user right. If you configure this value to Success, an audit entry is generated each time that a user right is exercised successfully.
If you configure this value to Failure, an audit entry is generated each time that a user right is exercised unsuccessfully. This policy setting can generate a very large number of event records.

sensitive-privilege-use: This audit policy reports when a user account or service uses a sensitive privilege. Values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE, AUDIT_NONE

Sensitive Privilege Use
This audit policy reports when a user account or service uses a sensitive privilege.
CCE-9878-0 CCE-9172-8

System Settings
The System audit category allows you to monitor system events that succeed and fail, and provides a record of these events that may help determine instances of unauthorized system access. System events include starting or shutting down computers in your environment, full event logs, or other security-related events that affect the entire system.

ipsec-driver: This audit policy reports on the activities of the Internet Protocol security (IPsec) driver. Values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE, AUDIT_NONE
security-state-change: This audit policy reports changes in the security state of the system, such as when the security subsystem starts and stops. Values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE, AUDIT_NONE
security-system-extension: This audit policy reports the loading of extension code such as authentication packages by the security subsystem. Values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE, AUDIT_NONE
system-integrity: This audit policy reports on violations of integrity of the security subsystem. Values: AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE, AUDIT_SUCCESS_FAILURE, AUDIT_NONE

IPsec Driver
This audit policy reports on the activities of the Internet Protocol security (IPsec) driver.
CCE-9925-9 CCE-9802-0

Security State Change
This audit policy reports changes in the security state of the system, such as when the security subsystem starts and stops.
CCE-9850-9 CCE-9179-3

Security System Extension
This audit policy reports the loading of extension code such as authentication packages by the security subsystem.
CCE-9863-2 CCE-9998-6 System Integrity on violations of integrity of the security subsystem. CCE-9520-8 CCE-9194-2 USGCB Other Settings USGCB identifies the following additional controls that must be checked in order to verify compliance. Computer Configuration - Administrative Templates - Network Settings This section includes settings for configuring network features. Link-Layer Topology Discovery The Link Layer Topology Discovery (LLTD) specification describes how the LLTD protocol operates over wired (802.3 Ethernet) and wireless (802.11) media. LLTD enables device discovery via the data-link layer and determines the topology of a network. This specification also describes the Quality of Service (QoS) Extensions that enable stream prioritization and quality media streaming experiences, even on networks with limited bandwidth. Turn on Mapper I/O (LLTDIO) driver This policy setting turns on the Mapper I/O network protocol driver. (Enabled=1; Disabled=0; Not Configured) 0 0 1 Turn on Responder (RSPNDR) driver This policy setting turns on the Responder network protocol driver. (Enabled=1; Disabled=0; Not Configured) 0 0 1 Turn on Mapper I/O (LLTDIO) driver This policy setting turns on the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. GPO Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery CCE-9783-2 Turn on Responder (RSPNDR) driver This policy setting turns on the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. GPO Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery CCE-10059-4 Microsoft Peer-to-Peer Networking Services This section includes settings for configuring Microsoft Peer-to-Peer Networking Services. 
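The PowerShell below is an added example and is not part of the USGCB text or of this report's original content. It reads the effective advanced audit policy with auditpol for the subcategories listed above, compares it with an expected table, and then lists the SACL on one path, because the File System and Registry subcategories only produce events for objects that actually carry a SACL. The expected values in $Expected and the sample path are assumptions for illustration: the extract above lists only the available options, so substitute the values of the profile actually deployed.

```powershell
# Added example: compare the effective advanced audit policy with the
# subcategories listed above, and show the SACL that Object Access auditing
# depends on. Not part of the USGCB text. Run from an elevated prompt
# (auditpol /get and Get-Acl -Audit both need SeSecurityPrivilege).

# ASSUMPTION: the extract lists only the available options, so these expected
# settings are illustrative; replace them with the deployed profile's values.
$Expected = @{
    'File System'                  = 'Failure'
    'Registry'                     = 'Failure'
    'Audit Policy Change'          = 'Success and Failure'
    'Authentication Policy Change' = 'Success'
    'Sensitive Privilege Use'      = 'Success and Failure'
    'IPsec Driver'                 = 'Success and Failure'
    'Security State Change'        = 'Success and Failure'
    'Security System Extension'    = 'Success and Failure'
    'System Integrity'             = 'Success and Failure'
}

function Get-EffectiveAuditPolicy {
    # /r emits CSV with 'Subcategory' and 'Inclusion Setting' columns; the
    # Inclusion Setting values are 'No Auditing', 'Success', 'Failure' or
    # 'Success and Failure'.
    auditpol /get /category:* /r | ConvertFrom-Csv
}

function Test-AuditPolicy {
    param([hashtable]$Expected)
    $actual = Get-EffectiveAuditPolicy
    foreach ($name in $Expected.Keys) {
        $row = $actual | Where-Object { $_.Subcategory -eq $name }
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Subcategory not found' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $setting
            Compliant   = ($setting -eq $Expected[$name])
        }
    }
}

function Get-ObjectSacl {
    # An Object Access subcategory set to Success/Failure still produces no
    # event for a file or key that has no SACL; this lists the SACL entries.
    param([string]$Path)
    (Get-Acl -Path $Path -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

Test-AuditPolicy -Expected $Expected | Format-Table -AutoSize
# ASSUMPTION: sample path for illustration; pick the objects your baseline protects.
Get-ObjectSacl -Path 'C:\Windows\System32\config' | Format-Table -AutoSize
```

Where File System or Registry reports as compliant but no 4663 (object access) events appear, the missing piece is usually the SACL, which is what the second function surfaces.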
- Turn Off Microsoft Peer-to-Peer Networking Services: turns off Microsoft Peer-to-Peer Networking Services in its entirety; all dependent applications will stop working.
  Values: 1 0 1 (Enabled=1; Disabled=0; Not Configured)
  GPO: Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services
  CCE: CCE-10438-0

Network Connection Settings
The features for implementing and administering small networks are:

Internet Connection Sharing (ICS). ICS provides Internet access for a home or small office network by using one common connection as the Internet gateway. The ICS host is the only computer directly connected to the Internet; multiple ICS clients share that connection and use Internet services as if they were directly connected to the Internet service provider (ISP). Because the ICS host translates addresses, only the host is addressable from the Internet and the clients' addresses are hidden. This reduces exposure but is not a substitute for a host firewall (see ICF below). ICS also simplifies the configuration of small networks by providing local private network services, such as name resolution and addressing. Note: do not use Internet Connection Sharing in an existing network with Windows 2000 Server domain controllers, Domain Name System (DNS) servers, gateways, Dynamic Host Configuration Protocol (DHCP) servers, or systems configured for static IP addresses.

Internet Connection Firewall (ICF). ICF checks all communications that cross the connection between your network and the Internet and is selective about which responses from the Internet it allows. ICF protects only the computer on which it is enabled. If ICF is enabled on the ICS host, ICS clients that use the shared connection are protected because they cannot be seen from outside the network; for this reason, always enable ICF on the ICS host. If clients on the network have direct Internet connections, or a stand-alone computer is connected to the Internet, enable ICF on those connections as well.

Network Bridge. Network Bridge removes the need for routing and bridging hardware in a home or small office network that consists of multiple LAN segments. With Network Bridge, multiple LAN segments become a single IP subnet, even when the segments use different media types. It automates the address allocation, routing, and name resolution that a network of multiple LAN segments otherwise requires. Caution: if neither ICF nor ICS is enabled on your network, do not set up Network Bridge between the public Internet connection and the private network connection. Doing so creates an unprotected link between your network and the Internet and leaves the network open to external attack. When either ICF or ICS is enabled, this risk is mitigated.

- Prohibit installation and configuration of Network Bridge on your DNS domain network: should be properly configured.
  Values: 1 1 0
  GPO: Computer Configuration\Administrative Templates\Network\Network Connections
  CCE: CCE-9953-1
- Require domain users to elevate when setting a network's location: should be properly configured.
  Values: 1 0 1
  CCE: CCE-10359-8
- Route all traffic through the internal network: should be properly configured.
  Values: Enabled Enabled Disabled
  CCE: CCE-10509-8

TCP/IP Settings
This section includes settings for configuring the TCP/IP stack. Conditional: IPv6 not enabled. The transition technologies below encapsulate IPv6 inside IPv4 (or, for IP-HTTPS, inside HTTPS) and can carry traffic past IPv4-only filtering, which is why their state is checked even where IPv6 is not otherwise in use.

- 6to4 State: configures the 6to4 state.
  Values: Disabled Default Enabled Disabled
  CCE: CCE-10266-5
- ISATAP State: configures the ISATAP state.
  Values: Disabled Default Enabled Disabled
  CCE: CCE-10130-3
- Teredo State: configures the Teredo state.
  Values: Disabled Disabled Default Client Enterprise Client
  CCE: CCE-10011-5
- IP-HTTPS State: configures the IP-HTTPS state.
  Values: 3 0 3 2
  CCE: CCE-10764-9
- IP-HTTPS URL: configures the IP-HTTPS URL.
  Values (patterns): ^.+$ ^.+$ ^$

Windows Connect Now
This section includes settings for configuring Windows Connect Now.

- Configuration of Wireless Settings Using Windows Connect Now.
  Values: 0 0 1 (Enabled = 1; Disabled = 0)
- Prohibit Access of the Windows Connect Now Wizards.
  Values: 0 0 1 (Enabled = 1; Disabled = 0)
  GPO (both Windows Connect Now settings): Computer Configuration\Administrative Templates\Network\Windows Connect Now
  CCE: Configuration of Wireless Settings Using Windows Connect Now CCE-9879-8; Prohibit Access of the Windows Connect Now Wizards CCE-10778-9

Printers
This section includes settings for configuring Printers.

- Extend Point and Print connection to search Windows Update and use alternate connection if needed: manages where client computers search for Point and Print drivers.
  Values: 1 1 0
  CCE: CCE-10782-1

Computer Configuration - Administrative Templates - System Settings
This section includes settings for configuring the system.

Device Installation
This section includes settings for configuring device installation. All settings below are under Computer Configuration\Administrative Templates\System\Device Installation.

- Allow remote access to the PnP interface.
  Values: 0 0 1 (Enabled = 1; Disabled = 0)
  CCE: CCE-10769-8
- Do not create system restore point when new device driver installed: prevents creation of a system restore point during device activity that would normally prompt creation of a restore point.
  Values: 0 0 1 (Enabled = 1; Disabled = 0)
  CCE: CCE-10553-6
- Do not send a Windows Error Report when a generic driver is installed on a device.
  Values: 1 0 1 (Enabled = 0; Disabled = 1)
  CCE: CCE-9901-0
- Prevent device metadata retrieval from the Internet: prevents Windows from retrieving device metadata from the Internet.
  Values: 1 0 1
  CCE: CCE-10165-9
- Specify search order for device driver source locations: specifies the order in which Windows searches source locations for device drivers.
  Values: 0 0 1 1
  CCE: CCE-9919-2

Driver Installation
This section includes settings for configuring driver installation.

Group Policy Client-Side Extensions
The following rules specify the desired settings for the Group Policy client-side extensions.

- Registry Policy Processing (Computer Configuration\Administrative Templates\System: Group Policy - Registry Policy Processing).
  Values: 0 -1 0 1 2 3
  Registry values as captured:
    HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy (REG_DWORD, Data: 1; a value of 1 means registry policy is not reapplied during periodic background refresh). Values listed: 0 0 1
    HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges (REG_DWORD, Data: 0; a value of 0 means policy is processed even if the GPOs have not changed). Values listed: 1 0 1
  GPO: Computer Configuration\Administrative Templates\System\Group Policy
  CCE: CCE-9361-7

Internet Communication Management
This section includes settings for configuring Internet Communication Management.

Internet Communication settings
This section includes settings for configuring Internet communications. These settings limit the components that contact Microsoft or third-party services on their own, reducing unmanaged egress and the data that leaves the host. All settings below are under Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings.

- Turn off downloading of print drivers over HTTP. Values: 1 0 1
- Turn off Event Viewer "Events.asp" links. Values: 1 0 1
- Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com. Values: 1 0 1
- Turn off Internet download for Web publishing and online ordering wizards.
  Values: 1 0 1
- Turn off Internet File Association Service. Values: 1 0 1
- Turn off printing over HTTP. Values: 1 0 1
- Turn off Registration if URL connection is referring to Microsoft.com. Values: 1 0 1
- Turn off Search Companion content file updates. Values: 1 0 1
- Turn off the "Order Prints" picture task. Values: 1 0 1
- Turn off the "Publish to Web" task for files and folders. Values: 1 0 1
- Turn off the Windows Messenger Customer Experience Improvement Program. Values: 2 1 2
- Turn off Windows Error Reporting. Values: 0 1 0
- Turn off handwriting recognition error reporting. Values: 1 0 1
- Turn off handwriting personalization data sharing. Values: 1 0 1

CCE identifiers for the Internet Communication settings (GPO: Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings):
- Turn off downloading of print drivers over HTTP: CCE-9195-9
- Turn off Event Viewer "Events.asp" links: CCE-9819-4
- Turn off handwriting personalization data sharing: CCE-10658-3
- Turn off handwriting recognition error reporting: CCE-10645-0
- Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com: CCE-10649-2
- Turn off Internet download for Web publishing and online ordering wizards: CCE-9674-3
- Turn off Internet File Association Service: CCE-10795-3
- Turn off printing over HTTP: CCE-10061-0
- Turn off Registration if URL connection is referring to Microsoft.com: CCE-10160-0
- Turn off Search Companion content file updates: CCE-10140-2
- Turn off the "Order Prints" picture task: CCE-9823-6
- Turn off the "Publish to Web" task for files and folders: CCE-9643-8
- Turn off the Windows Messenger Customer Experience Improvement Program: CCE-9559-6
- Turn off Windows Error Reporting: CCE-10441-4

Logon
This section includes settings for configuring logon options (Computer Configuration\Administrative Templates\System: Logon).

- Always Use Classic Logon. Values: 0 1 0
- Do not process the run once list.
  Values: 1 0 1
  GPO (both Logon settings): Computer Configuration\Administrative Templates\System\Logon
  CCE: Always Use Classic Logon CCE-10591-6; Do not process the run once list CCE-10154-3

Power Management
This section includes settings for configuring power management.

Sleep settings
This section includes settings for configuring sleep. Both settings are under Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings.
- Require a password when a computer wakes (on battery). Values: 1 0 1
  CCE: CCE-9829-3
- Require a password when a computer wakes (plugged in). Values: 1 0 1
  CCE: CCE-9670-1

Remote Assistance
This section includes settings for configuring Remote Assistance (Computer Configuration\Administrative Templates\System\Remote Assistance).

- Turn on session logging. Values: 1 0 1
  CCE: CCE-10344-0

Conditional: Remote Assistance not enabled
- Offer Remote Assistance. Values: 0 0 1
  CCE: CCE-9960-6
- Solicited Remote Assistance. Values: 0 0 1
  CCE: CCE-9506-7
- User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. This setting was added in Windows Vista SP1 specifically to enable Remote Assistance. It allows certain applications stored in secure folders, such as system32, to bypass the secure desktop so that they can function as designed. Enabling it lowers security slightly, because the elevation prompt is then drawn on the interactive desktop where other processes running as the user can observe or spoof it, but it enables Remote Assistance. For more information see http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx.
  Values: 0 0 1
  GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
  CCE: CCE-9301-3

Remote Procedure Call
This section includes settings for configuring remote procedure call (Computer Configuration\Administrative Templates\System\Remote Procedure Call). With "Authenticated" (1), the RPC runtime rejects anonymous connections except to interfaces that explicitly permit them; the Endpoint Mapper setting makes clients authenticate when they resolve endpoints.

- Restrictions for Unauthenticated RPC clients. Values: 1 0 1 2 (Enabled: Authenticated = 1)
  CCE: CCE-9396-3
- RPC Endpoint Mapper Client Authentication. Values: 1 0 1
  CCE: CCE-10181-6

Troubleshooting and Diagnostics
This section includes settings for configuring troubleshooting and diagnostics.

Microsoft Support Diagnostic Tool
This section includes settings for configuring the Microsoft Support Diagnostic Tool.
- Microsoft Support Diagnostic Tool: turn on MSDT interactive communication with support provider. Values: 0 0 1
  CCE: CCE-9842-6

Scripted Diagnostic Settings
This section includes settings for configuring scripted diagnostics.
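The following PowerShell is an added example, not part of the USGCB text or of this report's original content. It reads the registry values behind the Administrative Template settings in the Network and System sections above (LLTD, Peer-to-Peer, Network Bridge, the IPv6 transition technologies, Device Installation, Registry Policy Processing, Remote Assistance, the UIAccess secure-desktop option and RPC) and reports drift. The key paths and value names are those the corresponding Windows ADMX templates write; the Expected column is this script's assumption of the hardened posture the setting titles describe, since the extract lists options rather than a single chosen value. Adjust Expected to the profile actually deployed.

```powershell
# Added example: audit the registry values behind the Network and System
# Administrative Template settings listed above. Not part of the USGCB text.
# Key paths and value names come from the Windows ADMX templates.
# ASSUMPTION: Expected reflects the hardened posture the setting titles
# describe (discovery/P2P/bridging/tunnels off, RPC authenticated, Remote
# Assistance off); replace with the deployed profile's values.
# Read-only; run from an elevated prompt for a complete view.

$Checks = @(
    # Network
    @{ Title = 'Turn on Mapper I/O (LLTDIO) driver';                  Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD';                Name = 'EnableLLTDIO';                Expected = 0 }
    @{ Title = 'Turn on Responder (RSPNDR) driver';                   Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LLTD';                Name = 'EnableRspndr';                Expected = 0 }
    @{ Title = 'Turn Off Microsoft Peer-to-Peer Networking Services'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Peernet';                     Name = 'Disabled';                    Expected = 1 }
    @{ Title = 'Prohibit installation and configuration of Network Bridge'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'; Name = 'NC_AllowNetBridge_NLA';       Expected = 0 }
    @{ Title = 'Require domain users to elevate when setting a network location'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'; Name = 'NC_StdDomainUserSetLocation'; Expected = 1 }
    @{ Title = '6to4 State';    Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'; Name = '6to4_State';   Expected = 'Disabled' }
    @{ Title = 'ISATAP State';  Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'; Name = 'ISATAP_State'; Expected = 'Disabled' }
    @{ Title = 'Teredo State';  Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'; Name = 'Teredo_State'; Expected = 'Disabled' }
    @{ Title = 'IP-HTTPS State (3 = Disabled)'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface'; Name = 'IPHTTPS_ClientState'; Expected = 3 }
    # System
    @{ Title = 'Allow remote access to the PnP interface'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Settings'; Name = 'AllowRemoteRPC'; Expected = 0 }
    @{ Title = 'Registry policy: do not apply during background processing'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'; Name = 'NoBackgroundPolicy'; Expected = 0 }
    @{ Title = 'Registry policy: process even if GPOs have not changed';  Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'; Name = 'NoGPOListChanges';  Expected = 0 }
    @{ Title = 'Offer Remote Assistance';     Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'fAllowUnsolicited'; Expected = 0 }
    @{ Title = 'Solicited Remote Assistance'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'fAllowToGetHelp';   Expected = 0 }
    @{ Title = 'UAC: UIAccess prompt without secure desktop'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableUIADesktopToggle'; Expected = 0 }
    @{ Title = 'Restrictions for Unauthenticated RPC clients'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'; Name = 'RestrictRemoteClients';   Expected = 1 }
    @{ Title = 'RPC Endpoint Mapper Client Authentication';    Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'; Name = 'EnableAuthEpResolution'; Expected = 1 }
)

function Get-RegValueOrNull {
    # Returns $null when the key or the value is absent (i.e. Not Configured).
    param([string]$Key, [string]$Name)
    try {
        (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Test-Baseline {
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        $actual = Get-RegValueOrNull -Key $c.Key -Name $c.Name
        [pscustomobject]@{
            Setting  = $c.Title
            Value    = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { 'Not Configured' } else { $actual }
            # String comparison so REG_SZ states and REG_DWORD numbers are handled alike.
            Status   = if ($null -eq $actual) { 'MISSING' }
                       elseif ("$actual" -eq "$($c.Expected)") { 'OK' }
                       else { 'DRIFT' }
        }
    }
}

Test-Baseline -Checks $Checks | Sort-Object Status, Setting | Format-Table -AutoSize
```

A MISSING row means the policy value is absent, so the setting is Not Configured and Windows falls back to its built-in default rather than the baseline value; treat it as a finding alongside DRIFT rows.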
- Troubleshooting: allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting control panel. Values: 0 0 1
  CCE: CCE-10606-2

Windows Performance PerfTrack
This section includes settings for configuring Windows Performance PerfTrack.
- Enable or disable PerfTrack: specifies whether to enable or disable tracking of responsiveness events. Values: 0 0 1
  CCE: CCE-10219-4

Windows Time Service
This section includes settings for configuring the Windows Time Service.

Time Providers
This section includes settings for configuring Windows time providers.
- Configure Windows NTP Client: includes parameters for controlling the Windows NTP client. Values (patterns): .* .+
  CCE: CCE-10500-7

Windows Components
This section includes settings for configuring Windows components.

Application Compatibility Settings
This section includes settings for configuring application compatibility.
- Turn off Program Inventory: controls the state of the Program Inventory collector in the system. Values: 1 0 1
  CCE: CCE-10787-0

Autoplay Policies
Computer Configuration\Administrative Templates\Windows Components: Autoplay Policies.
- Turn off Autoplay for non-volume devices: determines whether Autoplay is enabled for non-volume devices. Values: 1 0 1
  CCE: CCE-10655-9
- Default behavior for AutoRun: configures the AutoRun settings on the system. Values: 1 1 2
  GPO: Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies: Default behavior for autorun
  CCE: CCE-10527-0
- Turn off Autoplay. Values: 0 181 255
  GPO: Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies
  CCE: CCE-9528-1

Credential User Interface
Computer Configuration\Administrative Templates\Windows Components: Credential User Interface.
- Enumerate administrator accounts on elevation. Values: 1 0 1
  GPO: Computer Configuration\Administrative Templates\Windows Components\Credential User Interface
  CCE: CCE-9938-2

Digital Locker
This section includes settings for configuring Digital Locker.
- Do not allow Digital Locker to run: specifies whether Digital Locker can run. Values: 1 0 1
  CCE: CCE-10759-9

Desktop Gadgets
This section includes settings for configuring Desktop Gadgets. All settings below are under Computer Configuration\Administrative Templates\Windows Components\Windows Sidebar.
- Disable unpacking and installation of gadgets that are not digitally signed: Sidebar gadgets can be deployed as compressed files, either digitally signed or unsigned. If you enable this setting, Windows Sidebar will not extract any gadgets that have not been digitally signed. If you disable or do not configure this setting, Window…
  Values: 1 0 1
  CCE: CCE-10811-8
- Turn off user-installed Windows Sidebar gadgets. Values: 1 0 1
  CCE: CCE-10586-6
- Override the "More Gadgets" link.
  CCE: CCE-9857-4

Event Log Service Settings
Windows 7 records information about significant events in four logs: the Application log, the Security log, the Setup log, and the System log. The logs contain error messages, audit information, and other records of activity on the system. They can be used not only to identify suspicious and malicious behavior and investigate security incidents, but also to troubleshoot system and application problems. It is important to specify the maximum log size: if it is too low, the system has little room to store activity, and with the default retention policy older events are overwritten once the log is full, so evidence of an intrusion can be gone before anyone looks for it. Forwarding events to a central collector reduces the dependence on local log size.

Application Log
This section includes settings for configuring the Application log.
- Maximum Application Log Size: the maximum size (in KB) of the Application log.
32768 16384 32768 81920 Maximum Application Log Size Maximum Application Log Size GPO Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Application CCE-9603-2 Security Log This section includes settings for configuring the security log. Maximum Security Log Size The value defines the maximum size (in KB) of the security log. 81920 16384 32768 81920 Maximum Security Log Size Maximum Security Log Size GPO Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security CCE-9967-1 Setup Log This section includes settings for configuring the setup log. Maximum Setup Log Size The value defines the maximum size (in KB) of the setup log. 32768 16384 32768 81920 Maximum Setup Log Size Maximum Setup Log Size GPO Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Setup CCE-10714-4 System Log This section includes settings for configuring the system log. Maximum System Log Size The value defines the maximum size (in KB) of the system log. 32768 16384 32768 81920 Maximum System Log Size Maximum System Log Size GPO Computer Configuration\Administrative Templates\Windows Components\Event Log Service\System CCE-10156-8 Game Explorer Computer Configuration\Administrative Templates\Windows Components: Game Explorer Turn Off Downloading of Game Information Computer Configuration\Administrative Templates\Windows Components\Game Explorer: Turn Off Downloading of Game Information. 0 1 0 turn_off_game_updates turn_off_game_updates 0 1 0 Turn Off Downloading of Game Information Computer Configuration\Administrative Templates\Windows Components\Game Explorer: Turn Off Downloading of Game Information. GPO Computer Configuration\Administrative Templates\Windows Components\Game Explorer CCE-10828-2 Turn off game updates Turn off game updates CCE-10850-6 HomeGroup Settings This section includes settings for configuring the HomeGroup feature. 
prevent_the_computer_from_joining_a_homegroup prevent_the_computer_from_joining_a_homegroup 1 0 1 Prevent the computer from joining a Homegroup Prevent the computer from joining a Homegroup CCE-10183-2 Netmeeting This section includes settings for configuring Netmeeting. Disable remote desktop sharing Disable remote desktop sharing. 1 0 1 Disable remote desktop sharing Specifies whether Digital Locker can run. CCE-10763-1 Remote Desktop Services This section includes settings for configuring Remote Desktop Services. Remote Desktop Connection Client This section includes settings for configuring the Remote Desktop client. Do not allow passwords to be saved Do not allow passwords to be saved 1 0 1 Do not allow passwords to be saved The "Do not allow passwords to be saved" setting should be configured correctly for Terminal Services. GPO Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Remote Desktop Connection Client CCE-10090-9 Remote Desktop Session Host This section includes settings for configuring the Remote Desktop Session Host. Conditional: RDS not enabled Conditional: RDS not enabled Allow users to connect remotely using Remote Desktop Services This policy setting determines whether or not users can connect to the computer using Remote Desktop Services. 1 1 0 Allow users to connect remotely using Remote Desktop Services This policy setting determines whether or not users can connect to the computer using Remote Desktop Services. GPO Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections CCE-9985-3 Security Settings This section includes settings for configuring the Remote Desktop security settings. 
Set client connection encryption level Set client connection encryption level 3 1 2 3 Always prompt client for password upon connection Always prompt client for password upon connection 1 0 1 Always prompt client for password upon connection The "Always Prompt Client for Password upon Connection" policy should be set correctly for Terminal Services. GPO Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security CCE-10103-0 Set client connection encryption level The "Set Client connection Encryption Level" policy should be set correctly for Terminal Services. GPO Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Security CCE-9764-2 Session Time Limits This section includes settings for configuring the Remote Desktop connection session time limit settings. Set a time limit for disconnected sessions You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Terminal Services allows users to disconnect from a remote session without logging off and ending the session. (1 min) 60000 60000 Set a time limit for active but idle Terminal Services sessions This policy setting allows you to specify the maximum amount of time that an active Terminal Services session can be idle (without user input) before it is automatically disconnected. (15 min) 900000 900000 Set a time limit for disconnected sessions The "Set time limit for disconnected sessions" policy should be set correctly for Terminal Services. GPO Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits CCE-9858-2 Set a time limit for active but idle Terminal Services sessions The "Set time limit for idle sessions" policy should be set correctly for Terminal Services. 
GPO Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits CCE-10608-8 Temporary Folders This section includes settings for configuring Remote Desktop temporary folders. do_not_delete_temp_folders_upon_exit do_not_delete_temp_folders_upon_exit 1 1 0 do_not_use_temporary_folders_per_session do_not_use_temporary_folders_per_session 1 1 0 Do not delete temp folders upon exit Do not delete temp folders upon exit CCE-10856-3 Do not use temporary folders per session Do not use temporary folders per session CCE-9864-0 RSS Feeds This section includes settings for configuring RSS feeds. turn_off_downloading_of_enclosures turn_off_downloading_of_enclosures 1 0 1 Turn off downloading of enclosures Turn off downloading of enclosures CCE-10730-0 Search Search Allow indexing of encrypted files Allow indexing of encrypted files 0 0 1 Prevent indexing uncached Exchange folders Prevent indexing uncached Exchange folders 1 0 1 Enable indexing uncached Exchange folders Enable indexing uncached Exchange folders 1 1 0 Allow indexing of encrypted files Allow indexing of encrypted files GPO Computer Configuration\Administrative Templates\Windows Components\Search CCE-10496-8 Enable indexing uncached Exchange folders Prevent indexing uncached Exchange folders GPO Computer Configuration\Administrative Templates\Windows Components\Search CCE-9866-5 Windows Anytime Upgrade This section includes settings for configuring Windows Anytime Upgrade. prevent_windows_anytime_upgrade_from_running prevent_windows_anytime_upgrade_from_running 1 0 1 Prevent Windows anytime upgrade from running Prevent Windows anytime upgrade from running CCE-10137-8 Windows Defender Windows Defender Configure Microsoft SpyNet Reporting When Windows Defender detects software or changes by software not yet classified for risks, you see how other members responded to the alert. In turn, the action you apply help other members choose how to respond. 
Your actions also help Microsoft choose which software to investigate for potential threats. You can choose to send basic or additional information about detected software. Additional information helps improve how Windows Defender works. It can include, for example, the location of detected items on your computer if harmful software has been removed. Windows Defender will automatically collect and send the information. 0 0 1 Configure Microsoft SpyNet Reporting When Windows Defender detects software or changes by software not yet classified for risks, you see how other members responded to the alert. In turn, the action you apply help other members choose how to respond. Your actions also help Microsoft choose which software to investigate for potential threats. You can choose to send basic or additional information about detected software. Additional information helps improve how Windows Defender works. It can include, for example, the location of detected items on your computer if harmful software has been removed. Windows Defender will automatically collect and send the information. GPO Computer Configuration\Administrative Templates\Windows Components\Windows Defender CCE-9868-1 Windows Error Reporting Windows Error Reporting Disable Logging If this setting is enabled Windows Error Reporting events will not be logged to the system event log. 0 0 1 Display Error Notification Display Error Notification 1 1 0 Do Not Send Additional Data If this setting is enabled any additional data requests from Microsoft in response to a Windows Error Reporting event will be automatically declined without notice to the user. 1 0 1 Disable Logging If this setting is enabled Windows Error Reporting events will not be logged to the system event log. GPO Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting CCE-10157-6 Display Error Notification The "Display Error Notification" setting should be configured correctly. 
GPO Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting CCE-10709-4 Do Not Send Additional Data If this setting is enabled any additional data requests from Microsoft in response to a Windows Error Reporting event will be automatically declined without notice to the user. GPO Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting CCE-10824-1 Conditional: WER not enabled Conditional: WER not enabled Disable Windows Error Reporting If this setting is enabled, Windows Error Reporting will not send any problem information to Microsoft. Additionally, solution information will not be available in the Problem Reports and Solutions control panel. 1 0 1 Disable Windows Error Reporting If this setting is enabled, Windows Error Reporting will not send any problem information to Microsoft. Additionally, solution information will not be available in the Problem Reports and Solutions control panel. GPO Computer Configuration\Administrative Templates\Windows Components\Windows Error Reporting CCE-9914-3 Windows Explorer Settings Windows Explorer Turn off Heap termination on corruption Turn off Heap termination on corruption 0 0 1 Turn off shell protocol protected mode Turn off shell protocol protected mode 0 0 1 turn_off_data_execution_prevention_for_explorer turn_off_data_execution_prevention_for_explorer 0 0 1 Turn off data execution prevention for explorer Turn off data execution prevention for explorer CCE-9918-4 Turn off Heap termination on corruption Turn off Heap termination on corruption GPO Computer Configuration\Administrative Templates\Windows Components\Windows Explorer CCE-9874-9 Turn off shell protocol protected mode Turn off shell protocol protected mode GPO Computer Configuration\Administrative Templates\Windows Components\Windows Explorer CCE-10623-7 Windows Installer Settings Windows Installer Disable IE security prompt for Windows Installer scripts Disable IE security prompt for Windows 
Installer scripts 0 0 1 Enable user control over installs Permits users to change installation options that typically are available only to system administrators. This setting bypasses some of the security features of Windows Installer. 0 0 1 Prohibit non-administrators from applying vendor signed updates This setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. 1 0 1 Disable IE security prompt for Windows Installer scripts Disable IE security prompt for Windows Installer scripts GPO Computer Configuration\Administrative Templates\Windows Components\Windows Installer CCE-9875-6 Enable user control over installs Permits users to change installation options that typically are available only to system administrators. This setting bypasses some of the security features of Windows Installer. GPO Computer Configuration\Administrative Templates\Windows Components\Windows Installer CCE-9876-4 Prohibit non-administrators from applying vendor signed updates This setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. GPO Computer Configuration\Administrative Templates\Windows Components\Windows Installer CCE-9888-9 Windows Logon Options Windows Logon Options Report when logon server was not available during user logon This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information. 1 0 1 Report Logon Server Not Available During User logon This setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. 
GPO Computer Configuration\Administrative Templates\Windows Components\Windows Logon Options CCE-9907-7 Windows Mail Windows Mail Turn off the communities features Turn off the communities features 1 0 1 Allow Windows Mail Allow Windows Mail 0 0 1 Turn off the communities features Turn off the communities features CCE-11252-4 Allow Windows Mail Allow Windows Mail CCE-10882-9 Windows Media Digital Rights Management Windows Media Digital Rights Management Prevent Windows Media DRM Internet Access Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades. 1 0 1 Prevent Windows Media DRM Internet Access Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades. GPO Computer Configuration\Administrative Templates\Windows Components\Windows Media Digital Rights Management CCE-9908-5 Windows Media Player Settings This section includes settings for configuring Windows Media Player. Do Not Show First Use Dialog Boxes The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly. 1 0 1 Prevent Automatic Updates The "Disable Media Player for automatic updates" policy should be set correctly. 1 0 1 Do Not Show First Use Dialog Boxes The "Do Not Show First Use Dialog Boxes" setting for Windows Media Player should be configured correctly. GPO Computer Configuration\Administrative Templates\Windows Components\Windows Media Player CCE-10692-2 Prevent Automatic Updates The "Disable Media Player for automatic updates" policy should be set correctly. 
GPO Computer Configuration\Administrative Templates\Windows Components\Windows Media Player CCE-10602-1 Conditional: Automatic Updates Conditional: automatic updates not enabled Configure automatic updates Configure automatic updates 0 0 1 Reschedule automatic updates scheduled installation Reschedule automatic updates scheduled installation 1 0 1 No auto restart with logged on users for scheduled automatic updates installations No auto restart with logged on users for scheduled automatic updates installations 0 0 1 Do not display 'Install updates and shut diown option' in shut down windows dialog box Do not display 'Install updates and shut diown option' in shut down windows dialog box 0 0 1 Configure automatic updates Configure automatic updates CCE-9403-7 Reschedule automatic updates scheduled installation Reschedule automatic updates scheduled installation CCE-10205-3 No auto restart with logged on users for scheduled automatic updates installations No auto restart with logged on users for scheduled automatic updates installations CCE-9672-7 Do not display 'Install updates and shut diown option' in shut down windows dialog box Do not display 'Install updates and shut diown option' in shut down windows dialog box CCE-9464-9 Programs and Features Group Optional Windows Programs and Features that should not be installed, located at Control Panel\Programs and Features\Turn Windows features on or off Games are not installed Games are not installed CCE-18880-5 Internet Information Services Internet Information Services is not installed CCE-18249-3 Simple TCPIP Services Simple TCPIP Services is not installed CCE-18629-6 Telnet Client Telnet Client is not installed CCE-18659-3 Telnet Server Telnet Server is not installed CCE-18739-3 TFTP Client TFTP Client is not installed CCE-18190-9 Windows Media Center Windows Media Center is not installed CCE-18300-4 Local User Policy Settings Local User Policy Settings Enable screen saver Enable screen saver GPO User 
Configuration\Administrative Templates\Control Panel\Personalization CCE-10051-1 Password protect the screen saver Password protect the screen saver GPO User Configuration\Administrative Templates\Control Panel\Personalization CCE-9730-3 Screen Saver timeout Screen Saver timeout GPO User Configuration\Administrative Templates\Control Panel\Personalization CCE-10148-5 Turn off Help Ratings Turn off Help Ratings GPO User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings CCE-10295-4 Do not preserve zone information in file attachments Do not preserve zone information in file attachments GPO User Configuration\Administrative Templates\Windows Components\Attachment Manager CCE-10166-7 Hide mechanisms to remove zone information Hide mechanisms to remove zone information GPO User Configuration\Administrative Templates\Windows Components\Attachment Manager CCE-9684-2 Notify antivirus programs when opening attachments Notify antivirus programs when opening attachments GPO User Configuration\Administrative Templates\Windows Components\Attachment Manager CCE-10076-8 Prevent users from sharing files within their profile Prevent users from sharing files within their profile GPO User Configuration\Administrative Templates\Windows Components\Network Sharing CCE-10644-3 Network access: Named Pipes that can be accessed anonymously Network access: Named Pipes that can be accessed anonymously. Pipes are internal system communications processes. They are identified internally by ID numbers that vary between systems. To make access to these processes easier, these pipes are given names that do not vary between systems. This setting controls which of these pipes anonymous users may access. 
GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9218-9 Network access: Shares that can be accessed anonymously This setting controls which network shares may be accessed by an anonymous user. The default setting includes the shares, DFS$, and COMCFG. It is recommended that they be left as the default setting. GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options CCE-9196-7 Security Patches Securing a given computer has become increasingly important. As such, it is essential to keep a host up to current patch levels to eliminate known vulnerabilities and weaknesses. In conjunction with antivirus software and a personal firewall, patching goes a long way to securing a host against outside attacks and exploitation. Microsoft provides two mechanisms for distributing security updates: Automatic Updates and Microsoft Update. In smaller environments, either method may be sufficient for keeping systems current with patches. Other environments typically have a software change management control process or a patch management program that tests patches before deploying them; distribution may then occur through local Windows Update Services (WUS) or Windows Server Update Services (WSUS) servers, which provide approved security patches for use by the Automatic Updates feature. Security Patches Up-To-Date All known security patches have been installed. 
USGCB Windows 7 User Settings Checklist (OCIL, version 2.0, 2015-04-07T10:00:00)

Each question is answered PASS or FAIL.

User Settings
1. Enable screen saver (CCE-10051-1; ocil:usgcb.win7.checklist:testaction:1): Does the Windows setting "Enable screen saver" located at "User Configuration\Administrative Templates\Control Panel\Personalization" have the value Enabled?
2. Password protect the screen saver (CCE-9730-3; ocil:usgcb.win7.checklist:testaction:2): Does the Windows setting "Password protect the screen saver" located at "User Configuration\Administrative Templates\Control Panel\Personalization" have the value Enabled?
3. Screen Saver timeout (CCE-10148-5; ocil:usgcb.win7.checklist:testaction:3): Does the Windows setting "Screen Saver timeout" located at "User Configuration\Administrative Templates\Control Panel\Personalization" have the value Enabled:900 seconds?
4. Turn off Help Ratings (CCE-10295-4; ocil:usgcb.win7.checklist:testaction:4): Does the Windows setting "Turn off Help Ratings" located at "User Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication Settings" have the value Enabled?
5. Do not preserve zone information in file attachments (CCE-10166-7; ocil:usgcb.win7.checklist:testaction:5): Does the Windows setting "Do not preserve zone information in file attachments" located at "User Configuration\Administrative Templates\Windows Components\Attachment Manager" have the value Disabled?
6. Hide mechanisms to remove zone information (CCE-9684-2; ocil:usgcb.win7.checklist:testaction:6): Does the Windows setting "Hide mechanisms to remove zone information" located at "User Configuration\Administrative Templates\Windows Components\Attachment Manager" have the value Enabled?
7. Notify antivirus programs when opening attachments (CCE-10076-8; ocil:usgcb.win7.checklist:testaction:7): Does the Windows setting "Notify antivirus programs when opening attachments" located at "User Configuration\Administrative Templates\Windows Components\Attachment Manager" have the value Enabled?
8. Prevent users from sharing files within their profile (CCE-10644-3; ocil:usgcb.win7.checklist:testaction:8): Does the Windows setting "Prevent users from sharing files within their profile" located at "User Configuration\Administrative Templates\Windows Components\Network Sharing" have the value Enabled?

Security Options Settings
9. Network access: Named Pipes that can be accessed anonymously (CCE-9218-9; ocil:usgcb.win7.checklist:testaction:9): Does the Windows setting "Network access: Named Pipes that can be accessed anonymously" located at "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options" have no value (None)?
10. Network access: Shares that can be accessed anonymously (CCE-9196-7; ocil:usgcb.win7.checklist:testaction:10): Does the Windows setting "Network access: Shares that can be accessed anonymously" located at "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options" have no value (None)?
OVAL Definitions for Microsoft Windows 7 (National Institute of Standards and Technology, schema version 5.8, 2015-04-07T10:00:00.000-04:00)

- Account Lockout Duration
- Account Lockout Threshold
- Reset Account Lockout Counter After
- Enforce Password History: The number of passwords remembered.
- Maximum Password Age: This forces users to change their passwords regularly.
- Minimum Password Age: This setting requires users to wait for a certain number of days before changing their password again.
- Minimum Password Length
- Password Complexity
- Reversible Password Encryption
- Access from the Network - Administrators: Administrators may access this computer from the network. NOTE: this can break IPsec; see Microsoft Knowledge Base article 823659 for further guidance.
- Act as Part of the Operating System - None: No one has the right to act as part of the operating system.
- Adjust Memory Quotas - Administrators, LOCAL SERVICE, NETWORK SERVICE: Administrators, LOCAL SERVICE and NETWORK SERVICE may adjust memory quotas for a process.
- Log On Locally - Administrators, Users: Administrators and Users are allowed to log on locally.
- Logon Through Terminal Services - Administrators, Remote Desktop Users: Administrators and Remote Desktop Users are allowed to log on through Terminal Services.
- Back Up Files and Directories - Administrators: Administrators are allowed to back up files and directories.
- Bypass Traverse Checking - Administrators, Users, Local Service, Network Service: Administrators, Users, Local Service and Network Service may bypass traverse checking.
- Change System Time - Administrators and Local Service: Administrators and Local Service may change the system time.
- Change the time zone - Administrators, Users, and Local Service: Administrators, Users, and Local Service may change the time zone.
- Create a Pagefile - Administrators: Administrators may create a pagefile.
- Create a Token Object - None: No one is allowed to create a token object.
- Create Global Objects - Administrators, SERVICE, Local Service, Network Service: Administrators, SERVICE, Local Service and Network Service may create global objects.
- Create Permanent Shared Objects - None: No one is allowed to create permanent shared objects.
- Create Symbolic Links - Administrators: Administrators may create symbolic links.
- Debug Programs - None: No one is allowed to debug programs.
- Deny Access from Network - Guest: Guests are denied access to this computer from the network.
- Deny Logon As Batch Job - Guests: Guests are denied logon as a batch job.
- Deny Logon As A Service - None: No one is denied logon as a service.
- Deny Logon Locally - Guests, any service accounts: Guests and any service accounts are denied logon locally.
- Deny Logon Through Terminal Services - Guests: Guests are denied logon through Terminal Services.
- Force Shutdown From Remote System - Administrators: Administrators may force shutdown from a remote system.
- Generate Security Audits - LOCAL SERVICE, NETWORK SERVICE: LOCAL SERVICE and NETWORK SERVICE may generate security audits.
- Impersonate a Client after Authentication - Administrators, SERVICE, Local Service, Network Service: Administrators, SERVICE, Local Service and Network Service may impersonate a client after authentication.
- Increase a Process Working Set - Administrators and Local Service: Administrators and Local Service may increase a process working set.
- Increase Scheduling Priority - Administrators: Administrators may increase scheduling priority.
- Load and Unload Device Drivers - Administrators: Administrators may load and unload device drivers.
- Lock Pages in Memory - None: No one may lock pages in memory.
- Log On As a Batch Job - None: No one may log on as a batch job.
- Log On As a Service - None: No one may log on as a service.
- Manage Auditing and Security Log - Administrators: Administrators may manage the auditing and security log.
- Modify an object label - None: No one may modify an object label.
- Modify Firmware Environment Values - Administrators: Administrators may modify firmware environment variables.
- Perform Volume Maintenance Tasks - Administrators: Administrators may perform volume maintenance tasks.
- Profile Single Process - Administrators: Administrators may profile a single process.
- Profile System Performance - Administrators, NT Service\WdiServiceHost: Administrators and NT Service\WdiServiceHost may profile the system performance.
- Remove Computer From Docking Stations - Administrators, Users: Users and Administrators may remove the computer from its docking station.
- Replace a Process Level Token - LOCAL SERVICE, NETWORK SERVICE: LOCAL SERVICE and NETWORK SERVICE may replace a process level token.
- Restore Files and Directories - Administrators: Administrators may restore files and directories.
- Shut Down the System - Administrators, Users: Administrators and Users may shut down the system.
- Take Ownership of Files or Other Objects - Administrators: Administrators may take ownership of files or other objects.
- Accounts: Guest account status: This definition verifies that the Guest account is enabled/disabled based on the policy defined by the user.
- Accounts: Limit local account use to blank passwords to console logon only
- Accounts: Rename Administrator Account
- Accounts: Rename Guest Account
- Audit: Audit the access of global system objects: Audit the access of global system objects is disabled.
- Audit: Audit the use of Backup and Restore privilege
- Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
- Devices: Prevent users from installing printer drivers
- Devices: Restrict CD-ROM access to locally logged-on user only
- Devices: Restrict Floppy access to locally logged-on user only
- Domain member: Digitally encrypt or sign secure channel data (always)
- Domain member: Digitally encrypt or sign secure channel data (when possible)
- Domain member: Digitally sign secure channel data (when possible)
- Domain member: Disable machine account password changes
- Domain member: Maximum machine account password age
- Domain member: Require strong (Windows 2000 or later) session key
- Interactive logon: Do not display last user name
- Interactive logon: Do not require CTRL+ALT+DEL
- Interactive logon: Message text for users attempting to log on
- Interactive logon: Message title for users attempting to log on
- Interactive logon: Number of previous logons to cache (in case domain controller is not available)
- Interactive logon: Prompt user to change password before expiration
- Interactive logon: Require Domain Controller authentication to unlock workstation
- Interactive logon: Smart card removal behavior
- Microsoft network client: Digitally sign communications (always)
- Microsoft network client: Digitally sign communications (if server agrees)
- Microsoft network client: Send unencrypted password to third-party SMB servers
- Microsoft network server: Amount of idle time required before suspending session
- Microsoft network server: Digitally sign communications (always)
- Microsoft network server: Digitally sign communications (if client agrees)
- Microsoft network server: Disconnect clients when logon hours expire
- Network access: Allow anonymous SID/Name translation: Determines if an anonymous user can request security identifier (SID) attributes for another user.
- Network access: Do not allow anonymous enumeration of SAM accounts
- Network access: Do not allow anonymous enumeration of SAM accounts and shares
- Network access: Do not allow storage of credentials or .NET Passports for network authentication
- Network access: Let Everyone permissions apply to anonymous users
- Network access: Named Pipes that can be accessed anonymously
- Network access: Remotely accessible registry paths
- Network access: Remotely accessible registry paths and sub paths
- Network access: Restrict anonymous access to Named Pipes and Shares
- Network access: Shares that can be accessed anonymously
- Network access: Sharing and security model for local accounts
- Network security: Do not store LAN Manager hash value on next password change
- Network security: Force logoff when logon hours expire
- Network Security: LAN Manager Authentication Level
- Network Security: LDAP client signing requirements: Registry test. Determine the level of data signing that is requested by clients.
- Network Security: Minimum session security for NTLM SSP based (including secure RPC) clients: Registry test. Determine the minimum session security for NTLM SSP clients.
Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers Microsoft Windows 7 Network Security: Minimum session security for NTLM SSP based (including secure RPC) servers Recovery Console: Allow Automatic Administrative Logon Microsoft Windows 7 Recovery Console: Allow Automatic Administrative Logon Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders Microsoft Windows 7 Recovery Console: Allow Floppy Copy and Access to All Drives and All Folders Shutdown: Allow System to be Shut Down Without Having to Log On Microsoft Windows 7 Shutdown: Allow System to be Shut Down Without Having to Log On Shutdown: Clear Virtual Memory Pagefile Microsoft Windows 7 Shutdown: Clear Virtual Memory Pagefile System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing Microsoft Windows 7 System Cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing System objects: Require case insensitivity for non-Windows subsystems Microsoft Windows 7 System objects: Require case insensitivity for non-Windows subsystems System objects: Strengthen default permissions of internal system objects Microsoft Windows 7 System objects: Strengthen default permissions of internal system objects Admin Approval Mode for the Built-in Administrator account Microsoft Windows 7 Admin Approval Mode for the Built-in Administrator account Behavior of the elevation prompt for administrators in Admin Approval Mode Microsoft Windows 7 Behavior of the elevation prompt for administrators in Admin Approval Mode Behavior of the elevation prompt for standard users Microsoft Windows 7 Behavior of the elevation prompt for standard users Detect application installations and prompt for elevation Microsoft Windows 7 Detect application installations and prompt for elevation Only elevate executables that are signed and validated Microsoft Windows 7 Only elevate executables that are signed and validated Only elevate 
UIAccess applications that are installed in secure locations Microsoft Windows 7 Only elevate UIAccess applications that are installed in secure locations Run all administrators in Admin Approval Mode Microsoft Windows 7 Run all administrators in Admin Approval Mode Switch to the secure desktop when prompting for elevation Microsoft Windows 7 Switch to the secure desktop when prompting for elevation Virtualize file and registry write failures to per-user locations Microsoft Windows 7 Virtualize file and registry write failures to per-user locations MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) Microsoft Windows 7 MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Microsoft Windows 7 MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Microsoft Windows 7 MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes MSS: (KeepAliveTime)How often keep-alive packets are sent in milliseconds Microsoft Windows 7 MSS: (KeepAliveTime)How often keep-alive packets are sent in milliseconds NoDefaultExempt for IPSEC Filtering Enabled Microsoft Windows 7 MSS: (NoDefaultExempt) Enable NoDefaultExempt for IPSec Filtering MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Microsoft Windows 7 MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS) Microsoft Windows 7 MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS) MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) Microsoft Windows 7 MSS: (SafeDllSearchMode) 
Enable Safe DLL search mode (recommended) MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Microsoft Windows 7 MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) Microsoft Windows 7 MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Microsoft Windows 7 MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning Bluetooth Support Service Microsoft Windows 7 Bluetooth Support Service State Fax Service Microsoft Windows 7 Fax Service State HomeGroup Listener Service Microsoft Windows 7 HomeGroup Listener Service State HomeGroup Provider Service Microsoft Windows 7 HomeGroup Provider Service State Media Center Extender Service Microsoft Windows 7 Media Center Extender Service State Parental Controls Service Microsoft Windows 7 Parental Controls Service State Computer Account Management Microsoft Windows 7 Computer Account Management Other Account Management Events Microsoft Windows 7 Other Account Management Events Security Group Management Microsoft Windows 7 Security Group Management User Account Management Microsoft Windows 7 User Account Management Process Creation Microsoft Windows 7 Process Creation Logoff Microsoft Windows 7 Logoff Logon Microsoft Windows 7 Logon Special Logon Microsoft Windows 7 Special Logon Audit Policy Change Microsoft Windows 7 Audit Policy Change Authentication Policy Change Microsoft Windows 7 Authentication Policy Change Sensitive Privilege Use Microsoft Windows 7 Sensitive Privilege Use IPsec Driver Microsoft Windows 7 IPsec Driver Security State Change Microsoft Windows 7 
Security State Change Security System Extension Microsoft Windows 7 Security System Extension System Integrity Microsoft Windows 7 System Integrity Turn on Mapper I/O (LLTDIO) driver Microsoft Windows 7 Turn on Mapper I/O (LLTDIO) driver Turn on Responder (RSPNDR) driver Microsoft Windows 7 Turn on Responder (RSPNDR) driver Turn Off Microsoft Peer-to-Peer Networking Services Microsoft Windows 7 Turn Off Microsoft Peer-to-Peer Networking Services Prohibit installation and configuration of Network Bridge on your DNS domain network Microsoft Windows 7 Prohibit installation and configuration of Network Bridge on your DNS domain network Require domain users to elevate when setting a network's location Microsoft Windows 7 Require domain users to elevate when setting a network's location Route all traffic through the internal network Microsoft Windows 7 Route all traffic through the internal network 6to4 State Microsoft Windows 7 6to4 State ISATAP State Microsoft Windows 7 ISATAP State Teredo State Microsoft Windows 7 Teredo State IP HTTPS Microsoft Windows 7 IP HTTPS Configuration of Wireless Settings Using Windows Connect Now Microsoft Windows 7 Configuration of Wireless Settings Using Windows Connect Now Prohibit Access of the Windows Connect Now Wizards Microsoft Windows 7 Prohibit Access of the Windows Connect Now Wizards Extend Point and Print connection to search Windows Update and use alternate cooection if needed Microsoft Windows 7 Extend Point and Print connection to search Windows Update and use alternate cooection if needed Allow remote access to the PnP interface Microsoft Windows 7 Allow remote access to the PnP interface Do not send a Windows Error Report when a generic driver is installed on a device Microsoft Windows 7 Do not send a Windows Error Report when a generic driver is installed on a device Do not create system restore point when new device driver installed Microsoft Windows 7 Do not create system restore point when new device driver installed 
Do not create system restore point when new device driver installed on a device matches the prescribed value Microsoft Windows 7 Prevent device metadata retrieval from internet Specify Search Order for device driver source locations Microsoft Windows 7 Specify Search Order for device driver source locations Registry Policy Processing Microsoft Windows 7 Registry Policy Processing Turn off downloading of print drivers over HTTP Microsoft Windows 7 Turn off downloading of print drivers over HTTP Turn Off Event Views "Events.asp" Links Microsoft Windows 7 Turn Off Event Views "Events.asp" Links Turn off handwriting personalization data sharing Microsoft Windows 7 Turn off handwriting personalization data sharing Turn Off Handwriting Reconition Error Reporting Microsoft Windows 7 Turn Off Handwriting Reconition Error Reporting Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com Microsoft Windows 7 Turn Off Internet Connection Wizard if URL Connection is Referring to Microsoft.com Turn off Internet download for Web publishing and online ordering wizards Microsoft Windows 7 Turn off Internet download for Web publishing and online ordering wizards Turn Off Internet File Association Service Microsoft Windows 7 Turn Off Internet File Association Service Turn off printing over HTTP Microsoft Windows 7 Turn off printing over HTTP Turn Off Registration if URL Connection is Referring to Microsoft.com Microsoft Windows 7 Turn Off Registration if URL Connection is Referring to Microsoft.com Turn off Search Companion content file updates Microsoft Windows 7 Turn off Search Companion content file updates Turn Off the "Order Prints" Picture Task Microsoft Windows 7 Turn Off the "Order Prints" Picture Task Turn off the "Publish to Web" task for files and folders Microsoft Windows 7 Turn off the "Publish to Web" task for files and folders Customer Experience Improvement Program Microsoft Windows 7 Customer Experience Improvement Program Turn off Windows 
Error Reporting Microsoft Windows 7 Turn off Windows Error Reporting Always Use Classic Logon Microsoft Windows 7 Always Use Classic Logon Require a Password when a Computer Wakes (On Battery) Microsoft Windows 7 Require a Password when a Computer Wakes (On Battery) Require a Password when a Computer Wakes (Plugged in) Microsoft Windows 7 Require a Password when a Computer Wakes (Plugged in) Offer Remote Assistance Microsoft Windows 7 Offer Remote Assistance Solicited Remote Assistance Microsoft Windows 7 Solicited Remote Assistance Turn on session logging Microsoft Windows 7 Turn on session logging Restrictions for Unauthenticated RPC clients Microsoft Windows 7 Restrictions for Unauthenticated RPC clients RPC Endpoint Mapper Client Authentication Microsoft Windows 7 RPC Endpoint Mapper Client Authentication Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider Microsoft Windows 7 Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider Troubleshooting: Allow user to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via Windows Online Troubleshooting Service - WOTS) Microsoft Windows 7 Troubleshooting: Allow user to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via Windows Online Troubleshooting Service - WOTS) Enable/Disable PerfTrack Microsoft Windows 7 Enable/Disable PerfTrack Turn off Program Inventory Microsoft Windows 7 Turn off Program Inventory Default behavior for AutoRun Microsoft Windows 7 Default behavior for AutoRun Turn off Autoplay Microsoft Windows 7 Turn off Autoplay is set correctly. 
Turn off Autoplay for non-volume devices Microsoft Windows 7 Turn off Autoplay for non-volume devices Enumerate administrator accounts on elevation Microsoft Windows 7 Enumerate administrator accounts on elevation Override the More Gadgets Lnk Microsoft Windows 7 Override the More Gadgets Lnk Disable unpacking and installation of gadgets that are not digitally signed Microsoft Windows 7 Sidebar gadgets can be deployed as compressed files, either digitally signed or unsigned. If you enable this setting, Windows Sidebar will not extract any gadgets that have not been digitally signed. If you disable or do not configure this setting, Window Turn Off User Installed Windows Sidebar Gadgets Microsoft Windows 7 Turn Off User Installed Windows Sidebar Gadgets Maximum Application Log Size Microsoft Windows 7 This definition tests the the maximum allowed size of the application log is at least as big as the supplied value. Maximum Security Log Size Microsoft Windows 7 This definition tests the the maximum allowed size of the security log is at least as big as the supplied value. Maximum Setup Log Size Microsoft Windows 7 This definition tests the the maximum allowed size of the setup log is at least as big as the supplied value. Maximum System Log Size Microsoft Windows 7 This definition tests the the maximum allowed size of the system log is at least as big as the supplied value. 
Turn Off Downloading of Game Information Microsoft Windows 7 Turn Off Downloading of Game Information Turn off game updates Microsoft Windows 7 Turn off game updates Prevent the computer from joining a HomeGroup Microsoft Windows 7 Prevent the computer from joining a HomeGroup Do not allow passwords to be saved Microsoft Windows 7 Do not allow passwords to be saved Always prompt client for password upon connection Microsoft Windows 7 Always prompt client for password upon connection Set client connection encryption level Microsoft Windows 7 Set client connection encryption level Set a time limit for active but idle Terminal Services sessions Microsoft Windows 7 This policy setting allows you to specify the maximum amount of time that an active Terminal Services session can be idle (without user input) before it is automatically disconnected. (15 min) Set a time limit for disconnected sessions Microsoft Windows 7 You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Terminal Services allows users to disconnect from a remote session without logging off and ending the session. (1 min) Do not delete temp folder upon exit Microsoft Windows 7 Do not delete temp folder upon exit Do not use tempoary folders per session Microsoft Windows 7 Do not use tempoary folders per session Turn off downloading of enclosures Microsoft Windows 7 Turn off downloading of enclosures Allow indexing of encrypted files Microsoft Windows 7 Allow indexing of encrypted files Prevent indexing uncached Exchange folders Microsoft Windows 7 Prevent indexing uncached Exchange folders Prevent Windows Anytime Upgrade from running Microsoft Windows 7 Prevent Windows Anytime Upgrade from running Configure Microsoft SpyNet Reporting Microsoft Windows 7 When Windows Defender detects software or changes by software not yet classified for risks, you see how other members responded to the alert. 
In turn, the action you apply help other members choose how to respond. Your actions also help Microsoft choose which software to investigate for potential threats. You can choose to send basic or additional information about detected software. Additional information helps improve how Windows Defender works. It can include, for example, the location of detected items on your computer if harmful software has been removed. Windows Defender will automatically collect and send the information. Disable Logging Microsoft Windows 7 If this setting is enabled Windows Error Reporting events will not be logged to the system event log. Disable Windows Error Reporting Microsoft Windows 7 If this setting is enabled, Windows Error Reporting will not send any problem information to Microsoft. Additionally, solution information will not be available in the Problem Reports and Solutions control panel. Display Error Notification Microsoft Windows 7 Display Error Notification Do Not Send Additional Data Microsoft Windows 7 If this setting is enabled any additional data requests from Microsoft in response to a Windows Error Reporting event will be automatically declined without notice to the user. Turn off Data Execution Protection Microsoft Windows 7 Turn off Data Execution Protection Turn off Heap termination on corruption Microsoft Windows 7 Turn off Heap termination on corruption Turn off shell protocol protected mode Microsoft Windows 7 Turn off shell protocol protected mode Disable IE security prompt for Windows Installer scripts Microsoft Windows 7 Disable IE security prompt for Windows Installer scripts Enable user control over installs Microsoft Windows 7 Permits users to change installation options that typically are available only to system administrators. This setting bypasses some of the security features of Windows Installer. 
Prohibit non-administrators from applying vendor signed updates Microsoft Windows 7 This setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. Prohibit non-administrators from applying vendor signed updates Microsoft Windows 7 This setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. Prevent Windows Media DRM Internet Access Microsoft Windows 7 Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades. Do Not Show First Use Dialog Boxes Microsoft Windows 7 Do Not Show First Use Dialog Boxes This policy prevents the Privacy Options and Installation Options dialog boxes from being displayed the first time a user starts Windows Media Player. This policy prevents the dialog boxes which allow users to select privacy, file types, and other desktop options from being displayed when the Player is first started. Some of the options can be configured by using other Windows Media Player group policies. When this policy is not configured or disabled, the dialog boxes are displayed when the user starts the Player for the first time. Prevent Automatic Updates Microsoft Windows 7 Prevents users from being prompted to update Windows Media Player. This policy prevents the Player from being updated and prevents users with administrator rights from being prompted to update the Player if an updated version is available. The Check for Player Updates command on the Help menu in the Player is not available. In addition, none of the time intervals in the Check for updates section on the Player tab are selected or available. 
When this policy is not configured or disabled, Check for Player Updates is available only to users with administrator rights and they may be prompted to update the Player if an updated version is available. By default, users with administrator rights can select how frequently updates are checked for. Users without administrator rights do not see Check for Player Updates and are never prompted to update the Player even without this policy. configure automatic updates Microsoft Windows 7 configure automatic updates Games are not installed Microsoft Windows 7 Games are not installed Internet Information Services Microsoft Windows 7 Internet Information Services is not installed Simple TCPIP Services Microsoft Windows 7 Simple TCPIP Services is not installed Telnet Client Microsoft Windows 7 Telnet Client is not installed Telnet Server Microsoft Windows 7 Telnet Server is not installed TFTP Client Microsoft Windows 7 TFTP Client is not installed Windows Media Center Microsoft Windows 7 Windows Media Center is not installed Administrator Account Status Microsoft Windows 7 This definition verifies that the Administrator account is enabled/disabled based on the policy defined by the user. Microsoft network server: Server SPN target name validation level Microsoft Windows 7 This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Microsoft Windows 7 Allowing source routed network traffic allows attackers to obscure their identity and location. 
MSS: (Hidden) Hide computer from the browse list (Not Recommended except for highly secure environments Microsoft Windows 7 Hiding the computer from the Browse List removes one method attackers might use to gether information about computers on the network. MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default). Microsoft Windows 7 MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default). Network security: Allow Local System to use computer identity for NTLM Microsoft Windows 7 This policy setting allows services running as Local System to use the computer identity when negotiating NTLM authentication. Network security: Allow LocalSystem NULL session fallback Microsoft Windows 7 This policy setting allows the system to fall back no a NULL session. Network Security: Allow PKU2U authentication requests to this computer to use online identities Microsoft Windows 7 Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decides whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. Network Security: Configure encryption types allowed for Kerberos Microsoft Windows 7 This policy setting allows you to specify tdhe allowed encryption types for Kerberos authentication. User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop Microsoft Windows 7 This setting was added to Windows Vista SP1 specifically to enable Remote Assistance. It allows certain applications stored in secure folders, such as system32, to bypass the secure desktop so that they can function as designed. Enabling this setting will lower security slightly but enable Remote Assistance. 
For more information see http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx. Allow users to connect remotely using Remote Desktop Services Microsoft Windows 7 This policy setting determines whether or not users can connect to the computer using Remote Desktop Services. Do not run digital locker Microsoft Windows 7 Do not run digital locker disable remote desktop Microsoft Windows 7 disable remote desktop disable communities Microsoft Windows 7 disable communities turn off windows mail Microsoft Windows 7 turn off windows mail do not process the run once list Microsoft Windows 7 do not process the run once list do not display install updates and shut down Microsoft Windows 7 do not display install updates and shut down no auto restart with logged on users Microsoft Windows 7 no auto restart with logged on users reschedule automatic updates Microsoft Windows 7 reschedule automatic updates configure windows time provider Microsoft Windows 7 configure windows time provider File System Microsoft Windows 7 File System registry Microsoft Windows 7 registry Credential Validation Microsoft Windows 7 This audit policy reports the results of validation tests on credentials submitted for a user account logon request. 
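The rows above that end in "Registry test", the MSS entries and the "Maximum ... Log Size" checks all reduce to reading one registry value and comparing it with a baseline. The following PowerShell script is an added example written for this report; it is not part of the USGCB definitions and not code from the original. It reads a subset of those values and reports PASS, FAIL or MISSING. The expected values are the usual hardened values for these settings and are an assumption here, as is the 81920 KB minimum for the security log; substitute the values adopted in the team's own baseline.

```powershell
# Added example, not part of the USGCB content or the original report.
# Compares registry-backed settings from the appendix table with expected
# values. Expected values below are ASSUMED (common hardened values); replace
# them with the team's adopted baseline. Needs PowerShell 3.0 or later; run
# from an elevated prompt to avoid access-denied errors on some keys.

$checks = @(
    # Mode 'Equals': exact match. Mode 'AtLeast': numeric minimum, which is
    # how the "Maximum ... Log Size" definitions above are specified.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'NoLMHash';                  Expected = 1;     Mode = 'Equals'  },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel';      Expected = 5;     Mode = 'Equals'  },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous';         Expected = 1;     Mode = 'Equals'  },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymousSAM';      Expected = 1;     Mode = 'Equals'  },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'EveryoneIncludesAnonymous'; Expected = 0;     Mode = 'Equals'  },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LimitBlankPasswordUse';     Expected = 1;     Mode = 'Equals'  },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature'; Expected = 1; Mode = 'Equals' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'EnablePlainTextPassword';  Expected = 0; Mode = 'Equals' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'RequireSecuritySignature'; Expected = 1; Mode = 'Equals' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'DisableIPSourceRouting'; Expected = 2; Mode = 'Equals' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'EnableICMPRedirect';     Expected = 0; Mode = 'Equals' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';  Name = 'SafeDllSearchMode';      Expected = 1; Mode = 'Equals' },
    # AutoAdminLogon is a REG_SZ value, so the expected value is the string "0".
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'AutoAdminLogon'; Expected = '0'; Mode = 'Equals' },
    # Security log size in KB; the minimum shown is an assumption.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security'; Name = 'MaxSize'; Expected = 81920; Mode = 'AtLeast' }
)

function Test-BaselineSetting {
    param([Parameter(Mandatory)][hashtable]$Check)

    # Get-ItemProperty returns nothing (no exception) when the key or value is absent.
    $actual = $null
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $actual = $item.($Check.Name) }

    if ($null -eq $actual) {
        # Absent value: the OS default applies instead of the baseline value.
        # Report it so the policy gets set explicitly rather than assumed.
        $status = 'MISSING'
    }
    elseif ($Check.Mode -eq 'AtLeast') {
        $status = if ([int64]$actual -ge [int64]$Check.Expected) { 'PASS' } else { 'FAIL' }
    }
    else {
        # Compare as strings so REG_SZ ("0"/"1") and REG_DWORD values are handled alike.
        $status = if ("$actual" -eq "$($Check.Expected)") { 'PASS' } else { 'FAIL' }
    }

    [pscustomobject]@{
        Setting  = "$($Check.Path)\$($Check.Name)"
        Mode     = $Check.Mode
        Expected = $Check.Expected
        Actual   = $actual
        Status   = $status
    }
}

$results  = foreach ($c in $checks) { Test-BaselineSetting -Check $c }
$results | Format-Table Setting, Mode, Expected, Actual, Status -AutoSize
$findings = @($results | Where-Object { $_.Status -ne 'PASS' })
Write-Host ("{0} of {1} settings need attention" -f $findings.Count, $results.Count)
```

Two caveats when using it. The values read this way are whatever is currently in the registry, which on a domain-joined machine is what Group Policy last applied; run gpupdate /force before checking a newly deployed GPO. The audit-policy rows in the table (Process Creation, Logon, Special Logon and so on) and the account-rename checks are not plain registry values: query the former with auditpol /get /category:* and verify the latter by listing local accounts and checking the names behind the RIDs 500 and 501 rather than trusting the name "Administrator".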
Automatic updates are not enabled
IPv6 Network Protocol is not enabled
Windows Error Reporting is not enabled
Remote Assistance is not enabled
Remote Desktop Services is not enabled
Bluetooth is not enabled
Microsoft Windows 7 is installed | The operating system installed on the system is Microsoft Windows 7

Registry values referenced by the checks above (key | value name):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | SystemRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion | ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | ProductName (pattern .*)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Application | MaxSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Security | MaxSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\System | MaxSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup | MaxSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections | NC_AllowNetBridge_NLA
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\DW | DWAllowHeadless
oval:gov.nist.usgcb.windowsseven:var:23
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa | LimitBlankPasswordUse
Account names: Administrator, Guest
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa | AuditBaseObjects
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa | FullPrivilegeAuditing
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa | SCENoApplyLegacyAuditPolicy
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers | AddPrinterDrivers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | AllocateCDRoms
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | AllocateFloppies
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters | SealSecureChannel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters | RequireSignOrSeal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters | SignSecureChannel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters | DisablePasswordChange
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters | MaximumPasswordAge
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters | RequireStrongKey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | DontDisplayLastUserName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | DisableCAD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | LegalNoticeText
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | LegalNoticeCaption
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | CachedLogonsCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | PasswordExpiryWarning
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | ForceUnlockLogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | ScRemoveOption
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters | RequireSecuritySignature
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters | EnableSecuritySignature
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters | EnablePlainTextPassword
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | AutoDisconnect
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | RequireSecuritySignature
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | EnableSecuritySignature
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | EnableForcedLogOff
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | AutoAdminLogon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | DisableIPSourceRouting
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | EnableICMPRedirect
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | KeepAliveTime
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters | NoNameReleaseOnDemand
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | PerformRouterDiscovery
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager | SafeDllSearchMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | ScreenSaverGracePeriod
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters | TcpMaxDataRetransmissions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security | WarningLevel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa | RestrictAnonymousSAM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa | RestrictAnonymous
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa | DisableDomainCreds
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa | EveryoneIncludesAnonymous
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters | NullSessionPipes
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths | Machine
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths | Machine
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters | RestrictNullSessAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters | NullSessionShares
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa | ForceGuest
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa | NoLMHash
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa | LmCompatibilityLevel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LDAP | LDAPClientIntegrity
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 | NTLMMinClientSec
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 | NTLMMinServerSec
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole | SecurityLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole | SetCommand
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ShutdownWithoutLogon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management | ClearPageFileAtShutdown
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy | Enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel | ObCaseInsensitive
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager | ProtectionMode
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | LoggingDisabled
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting | DontSendAdditionalData
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Explorer | NoHeapTerminationOnCorruption
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | PreXPSP2ShellProtocolBehavior
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer | SafeForScripting
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer | EnableUserControl
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer | DisableLUAPatching
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer | GroupPrivacyAcceptance
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsMediaPlayer | DisableAutoUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | ReportControllerMissing
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WMDRM | DisableOnline
HKEY_LOCAL_MACHINE
Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar TurnOffUnsignedGadgets HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar OverrideMoreGadgetsLink HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar TurnOffUserInstalledGadgets HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services fAllowUnsolicited HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services fAllowToGetHelp HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows NT\Rpc RestrictRemoteClients HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows NT\Rpc EnableAuthEpResolution HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer NoPublishingWizard HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer NoWebServices HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\SearchCompanion DisableContentFileUpdates HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows NT\Printers DisableHTTPPrinting HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows NT\Printers DisableWebPnPDownload HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI EnumerateAdministrators HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services DisablePasswordSaving HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services fPromptForPassword HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services MinEncryptionLevel .* Administrators Administrators oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:170 Users Users oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:170 oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:173 LOCAL SERVICE NETWORK SERVICE oval:gov.nist.usgcb.windowsseven:obj:168 
oval:gov.nist.usgcb.windowsseven:obj:170 oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:175 oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:176 Remote Desktop Users Remote Desktop Users oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:170 oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:179 oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:170 oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:173 oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:176 oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:175 oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:170 oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:175 oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:170 oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:173 oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:175 Guests Guests oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:175 oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:176 SERVICE oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:170 oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:187 oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:175 oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:176 HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\LLTD EnableLLTDIO HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\LLTD AllowLLTDIOOnDomain HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\LLTD AllowLLTDIOOnPublicNet HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\LLTD ProhibitLLTDIOOnPrivateNet 
HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\LLTD EnableRspndr HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\LLTD AllowRspndrOnDomain HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\LLTD AllowRspndrOnPublicNet HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\LLTD ProhibitRspndrOnPrivateNet HKEY_LOCAL_MACHINE Software\policies\Microsoft\Peernet Disabled HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\WCN\Registrars EnableRegistrars HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\WCN\UI DisableWcnUi HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\DeviceInstall\Settings AllowRemoteRPC HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\DeviceInstall\Settings DisableSystemRestore HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\DeviceInstall\Settings DisableSendGenericDriverNotFoundToWER HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} NoBackgroundPolicy HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} NoGPOListChanges oval:gov.nist.usgcb.windowsseven:var:145 HKEY_LOCAL_MACHINE Software\Policies\Microsoft\EventViewer MicrosoftEventVwrDisableLinks HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\HandwritingErrorReports PreventHandwritingErrorReports HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\Internet Connection Wizard ExitOnMSICW HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoInternetOpenWith HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\Registration Wizard Control NoRegistration HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoOnlinePrintsWizard HKEY_LOCAL_MACHINE Software\Policies\Microsoft\PCHealth\ErrorReporting DoReport HKEY_LOCAL_MACHINE 
Software\Microsoft\Windows\CurrentVersion\Policies\System LogonType HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 DCSettingIndex HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51 ACSettingIndex HKEY_LOCAL_MACHINE Software\policies\Microsoft\Windows NT\Terminal Services LoggingEnabled HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\GameUX DownloadGameInfo HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows\Windows Search AllowIndexingEncryptedStoresOrItems HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows\Windows Search PreventIndexingUncachedExchangeFolders HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services MaxIdleTime HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services MaxDisconnectionTime HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows Defender\SpyNet HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows Defender\SpyNet SpyNetReporting HKEY_LOCAL_MACHINE System\CurrentControlSet\Services\IPSEC NoDefaultExempt oval:gov.nist.usgcb.windowsseven:obj:3 oval:gov.nist.usgcb.windowsseven:obj:3 oval:gov.nist.usgcb.windowsseven:ste:3 root\rsop\computer SELECT Setting FROM RSOP_SecuritySettingBoolean WHERE KeyName='LSAAnonymousNameLookup' HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Policies\System FilterAdministratorToken HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Policies\System ConsentPromptBehaviorAdmin HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Policies\System ConsentPromptBehaviorUser HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Policies\System EnableInstallerDetection HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Policies\System ValidateAdminCodeSignatures 
HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Policies\System EnableSecureUIAPaths HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Policies\System PromptOnSecureDesktop HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Policies\System EnableVirtualization NT Service\WdiServiceHost oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:170 oval:gov.nist.usgcb.windowsseven:obj:168 oval:gov.nist.usgcb.windowsseven:obj:3471 HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Services\bthserv Start HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Services\HomeGroupListener Start HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Services\HomeGroupProvider Start HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Services\Mcx2Svc Start HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Services\WPCSvc Start HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Services\Fax Start HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\GameUX\Games HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Services\W3Svc DisplayName HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Services\simptcp DisplayName telnet.exe HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\Services\tlntsvr tftp.exe ehshell.exe HKEY_LOCAL_MACHINE System\CurrentControlSet\Services\LanManServer\Parameters SMBServerNameHardeningLevel HKEY_LOCAL_MACHINE System\CurrentControlSet\Services\Tcpip6\Parameters DisableIPSourceRouting HKEY_LOCAL_MACHINE System\CurrentControlSet\Services\Lanmanserver\Parameters Hidden HKEY_LOCAL_MACHINE System\CurrentControlSet\Services\Tcpip6\Parameters TcpMaxDataRetransmissions HKEY_LOCAL_MACHINE System\CurrentControlSet\Control\Lsa UseMachineId HKEY_LOCAL_MACHINE System\CurrentControlSet\Control\Lsa\MSV1_0 allownullsessionfallback HKEY_LOCAL_MACHINE System\CurrentControlSet\Control\Lsa\pku2u AllowOnlineID HKEY_LOCAL_MACHINE 
Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters SupportedEncryptionTypes HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableUIADesktopToggle HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services fDenyTSConnections HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\Network Connections NC_StdDomainUserSetLocation HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\TCPIP\v6Transition 6to4_State HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\TCPIP\v6Transition ISATAP_State HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows\Device Metadata PreventDeviceMetadataFromNetwork HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy EnableQueryRemoteServer HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\AppCompat DisableInventory HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\Explorer NoAutoplayfornonVolume HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\GameUX GameUpdateOptions HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\HomeGroup DisableHomeGroup HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services DeleteTempDirsOnExit HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services PerSessionTempDir HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Internet Explorer\Feeds DisableEnclosureDownload HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU Disabled HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\Explorer NoDataExecutionPrevention HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy DisableQueryRemoteServer HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows NT\Printers DoNotInstallCompatibleDriverFromWindowsUpdate HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\TCPIP\v6Transition Force_Tunneling HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\TCPIP\v6Transition Teredo_State 
HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface IPHTTPS_ClientUrl HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface IPHTTPS_ClientState HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoAutorun HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\TabletPC PreventHandwritingDataSharing HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d} ScenarioExecutionEnabled HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\DriverSearching SearchOrderConfig HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Messenger\Client CEIP HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows\Digital Locker DoNotRunDigitalLocker HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Conferencing NoRDS HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows Mail DisableCommunities HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows Mail ManualLaunchAllowed HKEY_LOCAL_MACHINE Software\Microsoft\Windows\CurrentVersion\Policies\Explorer DisableLocalMachineRunOnce HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\WindowsUpdate\AU NoAutoUpdate HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\WindowsUpdate\AU NoAUShutdownOption HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\WindowsUpdate\AU NoAutoRebootWithLoggedOnUsers HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\WindowsUpdate\AU RescheduleWaitTimeEnabled HKEY_LOCAL_MACHINE Software\Policies\Microsoft\W32time\Parameters NtpServer oval:gov.nist.usgcb.windowsseven:obj:200102 oval:gov.nist.usgcb.windowsseven:obj:200102 oval:gov.nist.usgcb.windowsseven:ste:200101 .* HKEY_LOCAL_MACHINE Software\Policies\Microsoft\Windows\WindowsUpdate\AU NoAutoUpdate HKEY_LOCAL_MACHINE SYSTEM\CurrentControlSet\services\TCPIP6\Parameters DisabledComponents HKEY_LOCAL_MACHINE SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting CorporateWerServer 
[Tail of the same OVAL file: state values, definition metadata and the XML digital signature. The extraction separated most expected values and types from their keys, so they are not reproduced; the pairings that survive are listed.]

Platform check (definition "Microsoft Windows 7 is installed", National Institute of Standards and Technology, version 5.4, 2015-04-07; CPE reference oval:gov.nist.cpe.oval:def:1): HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductName must match ^[a-zA-Z0-9\(\)\s]*[Ww][Ii][Nn][Dd][Oo][Ww][Ss] 7[a-zA-Z0-9\(\)\s]*$
Patch check (definition "Use the Windows Update Agent (WUA) to check for installed updates", National Institute of Standards and Technology, version 5.6, 2015-04-07; platforms Windows XP, Server 2003, Vista, Server 2008, 7 and Server 2008 R2): WUA search criteria (IsInstalled=0 and IsHidden=0 and CategoryIDs contains '0FA1201D-4330-4FA8-8AE9-B877473B6441'), the GUID of the Security Updates classification, so any hit is a missing security update.
Built-in account checks match the Administrator and Guest account SIDs with ^S-1-5-[0-9-]+500$ and ^S-1-5-[0-9-]+501$.
Winreg AllowedExactPaths\Machine expected entries: System\CurrentControlSet\Control\ProductOptions; System\CurrentControlSet\Control\Server Applications; Software\Microsoft\Windows NT\CurrentVersion
Winreg AllowedPaths\Machine expected entries: System\CurrentControlSet\Control\Print\Printers; System\CurrentControlSet\Services\Eventlog; Software\Microsoft\OLAP Server; Software\Microsoft\Windows NT\CurrentVersion\Print; Software\Microsoft\Windows NT\CurrentVersion\Windows; System\CurrentControlSet\Control\ContentIndex; System\CurrentControlSet\Control\Terminal Server; System\CurrentControlSet\Control\Terminal Server\UserConfig; System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration; Software\Microsoft\Windows NT\CurrentVersion\Perflib; System\CurrentControlSet\Services\SysmonLog
File-existence checks reference the \System32 and \ehome directories.
Audit policy states take the values AUDIT_NONE, AUDIT_SUCCESS, AUDIT_FAILURE and AUDIT_SUCCESS_FAILURE.

The file carries an XML signature dated 2015-04-22T12:22:41-0400 from CN=SECURITY AUTOMATION PROGRAM MANAGER, OU=Devices, OU=National Institute of Standards and Technology, OU=Department of Commerce, O=U.S. Government, C=US, issued by Entrust Managed Services SSP CA and chaining through Entrust Managed Services Root CA to CN=Federal Common Policy CA, OU=FPKI, O=U.S. Government, C=US. The base64 digest and certificate blobs are omitted here; a consumer should validate the signature against the Federal Common Policy CA before trusting the content.
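The registry values above only say what the baseline inspects; the OVAL tests that pair them with expected values did not survive extraction. The following PowerShell script is an added example, not part of the report or of the NIST content, that audits a Windows 7 host against a subset of those values the way an SCAP scanner would. The expected numbers are assumptions drawn from the published USGCB Windows 7 settings and must be verified against the tailoring file before being relied on; the AllowedExactPaths list is the one carried in the OVAL content shown above. It is written for PowerShell 2.0, the version Windows 7 shipped with, and should be run from an elevated prompt because the SecurePipeServers keys are ACL-restricted.

```powershell
# Added example (not the report's or NIST's code): audit a Windows 7 host against
# a subset of the USGCB registry checks listed above. Expected values are
# assumptions taken from the published USGCB Windows 7 settings; verify them
# against the tailoring file. PowerShell 2.0 compatible; run elevated.

$Checks = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';          Name = 'RequireSignOrSeal';         Expected = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';          Name = 'RequireStrongKey';          Expected = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'NoLMHash';                  Expected = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'LmCompatibilityLevel';      Expected = 5 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'RestrictAnonymous';         Expected = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'RestrictAnonymousSAM';      Expected = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                           Name = 'EveryoneIncludesAnonymous'; Expected = 0 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';                    Name = 'NTLMMinClientSec';          Expected = 537395200 },  # 0x20080000: NTLMv2 + 128-bit
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0';                    Name = 'NTLMMinServerSec';          Expected = 537395200 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'EnablePlainTextPassword';   Expected = 0 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature';  Expected = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'RequireSecuritySignature';  Expected = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';             Name = 'DisableIPSourceRouting';    Expected = 2 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';             Name = 'EnableICMPRedirect';        Expected = 0 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';          Name = 'AutoAdminLogon';            Expected = '0' },        # REG_SZ, not DWORD
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'EnableLUA';                 Expected = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'PromptOnSecureDesktop';     Expected = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';    Name = 'NoDriveTypeAutoRun';        Expected = 255 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';       Name = 'MinEncryptionLevel';        Expected = 3 },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';           Name = 'NoAutoUpdate';              Expected = 0 },
    # REG_MULTI_SZ from the OVAL content above; compared as a set because entry order is not significant
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths'; Name = 'Machine';
       Expected = @('System\CurrentControlSet\Control\ProductOptions',
                    'System\CurrentControlSet\Control\Server Applications',
                    'Software\Microsoft\Windows NT\CurrentVersion') }
)

function Test-BaselineValue {
    param([hashtable]$Check)

    $status = 'PASS'
    $actual = $null
    try {
        # -ErrorAction Stop turns a missing key or value name into a catchable error
        $item   = Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction Stop
        $actual = $item.($Check.Name)
    } catch {
        # Value absent: the policy was never applied, so the OS default is in force.
        # Reported separately from FAIL because the default may or may not be compliant.
        $status = 'MISSING'
    }

    if ($status -eq 'PASS') {
        if ($Check.Expected -is [array]) {
            $want = (@($Check.Expected) | Sort-Object) -join '|'
            $have = (@($actual)         | Sort-Object) -join '|'
            if ($want -ne $have) { $status = 'FAIL' }
        } elseif ("$actual" -ne "$($Check.Expected)") {
            # String comparison so a REG_SZ "0" and a REG_DWORD 0 are handled alike
            $status = 'FAIL'
        }
    }

    New-Object PSObject -Property @{
        Status   = $status
        Name     = $Check.Name
        Key      = $Check.Key
        Expected = (@($Check.Expected) -join ';')
        Actual   = (@($actual) -join ';')
    }
}

$results = $Checks | ForEach-Object { Test-BaselineValue -Check $_ }
$results | Select-Object Status, Name, Expected, Actual, Key | Format-Table -AutoSize

$notPassed = @($results | Where-Object { $_.Status -ne 'PASS' }).Count
Write-Host ("{0} of {1} checks did not pass" -f $notPassed, $Checks.Count)
exit $notPassed   # non-zero exit lets a scheduler or SIEM collector flag drift
```

MISSING is kept distinct from FAIL on purpose: for most of these values an absent setting means the unhardened default (for example, no LmCompatibilityLevel means LM and NTLMv1 are still accepted), but a scanner that reports only pass/fail hides whether the policy was ever pushed. Extending the table to the rest of the keys listed above is a matter of adding rows; the user rights and service start checks need Get-Service and secedit /export rather than Get-ItemProperty.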

[Embedded image: image6.emf]

[Embedded attachment tailoring-xccdf.xml: XCCDF tailoring profile "United States Government Configuration Baseline 2.0.5.1 [CUSTOMIZED]". This profile represents guidance outlined in the United States Government Configuration Baseline for desktop systems with Microsoft Windows 7 installed. Two tailored values, 1800 and 172800, survive extraction without the names of the variables they set.]

[Embedded image: image1.jpeg]

[Embedded image: image2.jpeg]