search

Which component of Windows prompts the user for credentials or permissions to minimize the dangers of Unitended software installations?

1 anos atrás
Comentários: 0
Visualizações: 196

Show
  • Article
  • 160 minutes to read

This article details the configuration settings for Windows guests as applicable in the following implementations:

  • [Preview]: Windows machines should meet requirements for the Azure compute security baseline Azure Policy guest configuration definition
  • Vulnerabilities in security configuration on your machines should be remediated in Azure Security Center

For more information, see Azure Policy guest configuration and Overview of the Azure Security Benchmark (V2).

Account Policies-Password Policy

Name
(ID)		 Details Expected value
(Type)		 Severity
Account Lockout Duration
(AZ-WIN-73312)		 Description: This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, locked out accounts will remain locked out until an administrator manually unlocks them. Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer. The recommended state for this setting is: 15 or more minute(s). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
Key Path: [System Access]LockoutDuration
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 >= 15
(Policy)		 Warning

Administrative Template - Windows Defender

Name
(ID)		 Details Expected value
(Type)		 Severity
Configure detection for potentially unwanted applications
(AZ-WIN-202219)		 Description: This policy setting controls detection and action for Potentially Unwanted Applications (PUA), which are sneaky unwanted application bundlers or their bundled applications that can deliver adware or malware. The recommended state for this setting is: Enabled: Block. For more information, see this link: Block potentially unwanted applications with Microsoft Defender Antivirus | Microsoft Docs
Key Path: SOFTWARE\Policies\Microsoft\Windows Defender\PUAProtection
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Critical
Scan all downloaded files and attachments
(AZ-WIN-202221)		 Description: This policy setting configures scanning for all downloaded files and attachments. The recommended state for this setting is: Enabled.
Key Path: Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 0
(Registry)		 Warning
Turn off Microsoft Defender AntiVirus
(AZ-WIN-202220)		 Description: This policy setting turns off Microsoft Defender Antivirus. If the setting is configured to Disabled, Microsoft Defender Antivirus runs and computers are scanned for malware and other potentially unwanted software. The recommended state for this setting is: Disabled.
Key Path: Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 0
(Registry)		 Critical
Turn off real-time protection
(AZ-WIN-202222)		 Description: This policy setting configures real-time protection prompts for known malware detection. Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. The recommended state for this setting is: Disabled.
Key Path: Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 0
(Registry)		 Warning
Turn on e-mail scanning
(AZ-WIN-202218)		 Description: This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently supported, for example: pst (Outlook), dbx, mbx, mime (Outlook Express), binhex (Mac). The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows Defender\Scan\DisableEmailScanning
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(Registry)		 Warning
Turn on script scanning
(AZ-WIN-202223)		 Description: This policy setting allows script scanning to be turned on/off. Script scanning intercepts scripts then scans them before they are executed on the system. The recommended state for this setting is: Enabled.
Key Path: Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 0
(Registry)		 Warning

Administrative Templates - Control Panel

Name
(ID)		 Details Expected value
(Type)		 Severity
Allow Input Personalization
(AZ-WIN-00168)		 Description: This policy enables the automatic learning component of input personalization that includes speech, inking, and typing. Automatic learning enables the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana. Some of this collected information may be stored on the user's OneDrive, in the case of inking and typing; some of the information will be uploaded to Microsoft to personalize speech. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Policies\Microsoft\InputPersonalization\AllowInputPersonalization
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(Registry)		 Warning

Administrative Templates - MS Security Guide

Name
(ID)		 Details Expected value
(Type)		 Severity
Disable SMB v1 client (remove dependency on LanmanWorkstation)
(AZ-WIN-00122)		 Description: SMBv1 is a legacy protocol that uses the MD5 algorithm as part of SMB. MD5 is known to be vulnerable to a number of attacks such as collision and preimage attacks as well as not being FIPS compliant.
Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation\DependOnService
OS: WS2008, WS2008R2, WS2012
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = Bowser\0MRxSmb20\0NSI\0\0
(Registry)		 Critical
WDigest Authentication
(AZ-WIN-73497)		 Description: When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. If this setting is not configured, WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server. For more information about local accounts and credential theft, review the "Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques" documents. For more information about UseLogonCredential, see Microsoft Knowledge Base article 2871997: Microsoft Security Advisory Update to improve credentials protection and management May 13, 2014. The recommended state for this setting is: Disabled.
Key Path: SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential
OS: WS2016, WS2019
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(Registry)		 Important

Administrative Templates - MSS

Name
(ID)		 Details Expected value
(Type)		 Severity
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
(AZ-WIN-202213)		 Description: IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should follow through the network. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled.
Key Path: System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 2
(Registry)		 Informational
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
(AZ-WIN-202244)		 Description: IP source routing is a mechanism that allows the sender to determine the IP route that a datagram should take through the network. It is recommended to configure this setting to Not Defined for enterprise environments and to Highest Protection for high security environments to completely disable source routing. The recommended state for this setting is: Enabled: Highest protection, source routing is completely disabled.
Key Path: System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 2
(Registry)		 Informational
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
(AZ-WIN-202214)		 Description: NetBIOS over TCP/IP is a network protocol that among other things provides a way to easily resolve NetBIOS names that are registered on Windows-based systems to the IP addresses that are configured on those systems. This setting determines whether the computer releases its NetBIOS name when it receives a name-release request. The recommended state for this setting is: Enabled.
Key Path: System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Informational
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
(AZ-WIN-202215)		 Description: The DLL search order can be configured to search for DLLs that are requested by running processes in one of two ways: - Search folders specified in the system path first, and then search the current working folder. - Search current working folder first, and then search the folders specified in the system path. When enabled, the registry value is set to 1. With a setting of 1, the system first searches the folders that are specified in the system path and then searches the current working folder. When disabled the registry value is set to 0 and the system first searches the current working folder and then searches the folders that are specified in the system path. Applications will be forced to search for DLLs in the system path first. For applications that require unique versions of these DLLs that are included with the application, this entry could cause performance or stability problems. The recommended state for this setting is: Enabled. Note: More information on how Safe DLL search mode works is available at this link: Dynamic-Link Library Search Order - Windows applications | Microsoft Docs
Key Path: SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Warning
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
(AZ-WIN-202212)		 Description: This setting can generate a security audit in the Security event log when the log reaches a user-defined threshold. The recommended state for this setting is: Enabled: 90% or less. Note: If log settings are configured to Overwrite events as needed or Overwrite events older than x days, this event will not be generated.
Key Path: SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 90
(Registry)		 Informational
Windows Server must be configured to prevent Internet Control Message Protocol (ICMP) redirects from overriding Open Shortest Path First (OSPF)-generated routes.
(AZ-WIN-73503)		 Description: Internet Control Message Protocol (ICMP) redirects cause the IPv4 stack to plumb host routes. These routes override the Open Shortest Path First (OSPF) generated routes. The recommended state for this setting is: Disabled.
Key Path: SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(Registry)		 Informational

Administrative Templates - Network

Name
(ID)		 Details Expected value
(Type)		 Severity
Enable insecure guest logons
(AZ-WIN-00171)		 Description: This policy setting determines if the SMB client will allow insecure guest logons to an SMB server. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation\AllowInsecureGuestAuth
OS: WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 = 0
(Registry)		 Critical
Hardened UNC Paths - NETLOGON
(AZ_WIN_202250)		 Description: This policy setting configures secure access to UNC paths. This policy setting configures secure access to UNC paths
Key Path: SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths?ValueName=\*\NETLOGON
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = RequireMutualAuthentication=1, RequireIntegrity=1
(Registry)		 Warning
Hardened UNC Paths - SYSVOL
(AZ_WIN_202251)
Key Path: SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths?ValueName=\*\SYSVOL
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = RequireMutualAuthentication=1, RequireIntegrity=1
(Registry)		 Warning
Minimize the number of simultaneous connections to the Internet or a Windows Domain
(CCE-38338-0)		 Description: This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\fMinimizeConnections
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 1
(Registry)		 Warning
Prohibit installation and configuration of Network Bridge on your DNS domain network
(CCE-38002-2)		 Description: You can use this procedure to control user's ability to install and configure a network bridge. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(Registry)		 Warning
Prohibit use of Internet Connection Sharing on your DNS domain network
(AZ-WIN-00172)		 Description: Although this "legacy" setting traditionally applied to the use of Internet Connection Sharing (ICS) in Windows 2000, Windows XP & Server 2003, this setting now freshly applies to the Mobile Hotspot feature in Windows 10 & Server 2016. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_ShowSharedAccessUI
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(Registry)		 Warning
Turn off multicast name resolution
(AZ-WIN-00145)		 Description: LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast
OS: WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 = 0
(Registry)		 Warning

Administrative Templates - Security Guide

Name
(ID)		 Details Expected value
(Type)		 Severity
Enable Structured Exception Handling Overwrite Protection (SEHOP)
(AZ-WIN-202210)		 Description: Windows includes support for Structured Exception Handling Overwrite Protection (SEHOP). We recommend enabling this feature to improve the security profile of the computer. The recommended state for this setting is: Enabled.
Key Path: SYSTEM\CurrentControlSet\Control\Session Manager\kernel\DisableExceptionChainValidation
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 0
(Registry)		 Critical
NetBT NodeType configuration
(AZ-WIN-202211)		 Description: This setting determines which method NetBIOS over TCP/IP (NetBT) uses to register and resolve names. The available methods are: - The B-node (broadcast) method only uses broadcasts. - The P-node (point-to-point) method only uses name queries to a name server (WINS). - The M-node (mixed) method broadcasts first, then queries a name server (WINS) if broadcast failed. - The H-node (hybrid) method queries a name server (WINS) first, then broadcasts if the query failed. The recommended state for this setting is: Enabled: P-node (recommended) (point-to-point). Note: Resolution through LMHOSTS or DNS follows these methods. If the NodeType registry value is present, it overrides any DhcpNodeType registry value. If neither NodeType nor DhcpNodeType is present, the computer uses B-node (broadcast) if there are no WINS servers configured for the network, or H-node (hybrid) if there is at least one WINS server configured.
Key Path: SYSTEM\CurrentControlSet\Services\NetBT\Parameters\NodeType
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 2
(Registry)		 Warning

Administrative Templates - System

Name
(ID)		 Details Expected value
(Type)		 Severity
Block user from showing account details on sign-in
(AZ-WIN-00138)		 Description: This policy prevents the user from showing account details (email address or user name) on the sign-in screen. If you enable this policy setting, the user cannot choose to show account details on the sign-in screen. If you disable or do not configure this policy setting, the user may choose to show account details on the sign-in screen.
Key Path: Software\Policies\Microsoft\Windows\System\BlockUserFromShowingAccountDetailsOnSignin
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Warning
Boot-Start Driver Initialization Policy
(CCE-37912-3)		 Description: This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - Good: The driver has been signed and has not been tampered with. - Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. - Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. - Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.
Key Path: SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 3
(Registry)		 Warning
Configure Offer Remote Assistance
(CCE-36388-7)		 Description: This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. Help desk and support personnel will not be able to proactively offer assistance, although they can still respond to user assistance requests. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Warning
Configure Solicited Remote Assistance
(CCE-37281-3)		 Description: This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(Registry)		 Critical
Do not display network selection UI
(CCE-38353-9)		 Description: This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
Key Path: SOFTWARE\Policies\Microsoft\Windows\System\DontDisplayNetworkSelectionUI
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Warning
Do not enumerate connected users on domain-joined computers
(AZ-WIN-202216)		 Description: This policy setting prevents connected users from being enumerated on domain-joined computers. The recommended state for this setting is: Enabled.
Key Path: Software\Policies\Microsoft\Windows\System\DontEnumerateConnectedUsers
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Warning
Enable RPC Endpoint Mapper Client Authentication
(CCE-37346-4)		 Description: This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service. If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service. Note: This policy will not be applied until the system is rebooted.
Key Path: SOFTWARE\Policies\Microsoft\Windows NT\Rpc\EnableAuthEpResolution
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Enable Windows NTP Client
(CCE-37843-0)		 Description: This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. The recommended state for this setting is: Enabled.
Key Path: SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\Enabled
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Workgroup Member		 = 1
(Registry)		 Critical
Encryption Oracle Remediation for CredSSP protocol
(AZ-WIN-201910)		 Description: Some versions of the CredSSP protocol that is used by some applications (such as Remote Desktop Connection) are vulnerable to an encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers and allows you to set the level of protection desired for the encryption oracle vulnerability. The recommended state for this setting is: Enabled: Force Updated Clients.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters\AllowEncryptionOracle
OS: WS2016, WS2019
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(Registry)		 Critical
Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'
(CCE-36169-1)		 Description: The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The recommended state for this setting is: Enabled: FALSE (unchecked).
Key Path: SOFTWARE\Policies\Microsoft\Windows\Group Policy{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 0
(Registry)		 Critical
Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'
(CCE-36169-1a)		 Description: The "Process even if the Group Policy objects have not changed" option updates and reapplies policies even if the policies have not changed. The recommended state for this setting is: Enabled: TRUE (checked).
Key Path: SOFTWARE\Policies\Microsoft\Windows\Group Policy{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 0
(Registry)		 Critical
Ensure 'Continue experiences on this device' is set to 'Disabled'
(AZ-WIN-00170)		 Description: This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences). The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\System\EnableCdp
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Warning
Enumerate local users on domain-joined computers
(AZ_WIN_202204)		 Description: This policy setting allows local users to be enumerated on domain-joined computers. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\System\EnumerateLocalUsers
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Member		 Doesn't exist or = 0
(Registry)		 Warning
Include command line in process creation events
(CCE-36925-6)		 Description: This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events. Default: Not configured Note: When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information such as passwords or user data.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled
OS: WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Prevent device metadata retrieval from the Internet
(AZ-WIN-202251)		 Description: This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. The recommended state for this setting is: Enabled. Note: This will not prevent the installation of basic hardware drivers, but does prevent associated 3rd-party utility software from automatically being installed under the context of the SYSTEM account.
Key Path: SOFTWARE\Policies\Microsoft\Windows\Device Metadata\PreventDeviceMetadataFromNetwork
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Informational
Remote host allows delegation of non-exportable credentials
(AZ-WIN-20199)		 Description: Remote host allows delegation of non-exportable credentials. When you use credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. The Restricted Admin Mode and Windows Defender Remote Credential Guard features are two options to help protect against this risk. The recommended state for this setting is: Enabled. Note: More detailed information on Windows Defender Remote Credential Guard and how it compares to Restricted Admin Mode can be found at this link: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10) | Microsoft Docs
Key Path: SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowProtectedCreds
OS: WS2016, WS2019
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Turn off app notifications on the lock screen
(CCE-35893-7)		 Description: This policy setting allows you to prevent app notifications from appearing on the lock screen. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\System\DisableLockScreenAppNotifications
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Warning
Turn off background refresh of Group Policy
(CCE-14437-8)		 Description: This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users and Domain Controllers. The recommended state for this setting is: Disabled.
Key Path: Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableBkGndGroupPolicy
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 0
(Registry)		 Warning
Turn off downloading of print drivers over HTTP
(CCE-36625-2)		 Description: This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows NT\Printers\DisableWebPnPDownload
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Warning
Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com
(CCE-37163-3)		 Description: This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\Internet Connection Wizard\ExitOnMSICW
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Warning
Turn on convenience PIN sign-in
(CCE-37528-7)		 Description: This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Passport, which has stronger security properties. To configure Passport for domain users, use the policies under Computer configuration\Administrative Templates\Windows Components\Microsoft Passport for Work. Note: The user's domain password will be cached in the system vault when using this feature. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\System\AllowDomainPINLogon
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Warning

Administrative Templates - Windows Component

Name
(ID)		 Details Expected value
(Type)		 Severity
Turn off cloud consumer account state content
(AZ-WIN-202217)		 Description: This policy setting determines whether cloud consumer account state content is allowed in all Windows experiences. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\CloudContent\DisableConsumerAccountStateContent
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Warning

Administrative Templates - Windows Components

Name
(ID)		 Details Expected value
(Type)		 Severity
Do not allow drive redirection
(AZ-WIN-73569)		 Description: This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\TSClient\<driveletter>$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Warning
Turn on PowerShell Transcription
(AZ-WIN-202208)		 Description: This Policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 0
(Registry)		 Warning

Administrative Templates - Windows Security

Name
(ID)		 Details Expected value
(Type)		 Severity
Prevent users from modifying settings
(AZ-WIN-202209)		 Description: This policy setting prevent users from making changes to the Exploit protection settings area in the Windows Security settings. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection\DisallowExploitProtectionOverride
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Warning

Administrative Templates - Windows Defender

Name
(ID)		 Details Expected value
(Type)		 Severity
Configure Attack Surface Reduction rules
(AZ_WIN_202205)		 Description: This policy setting controls the state for the Attack Surface Reduction (ASR) rules. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\ExploitGuard_ASR_Rules
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Warning
Prevent users and apps from accessing dangerous websites
(AZ_WIN_202207)		 Description: This policy setting controls Microsoft Defender Exploit Guard network protection. The recommended state for this setting is: Enabled: Block.
Key Path: SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection\EnableNetworkProtection
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Warning

Audit Computer Account Management

Name
(ID)		 Details Expected value
(Type)		 Severity
Audit Computer Account Management
(CCE-38004-8)		 Description: This subcategory reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled. Events for this subcategory include: - 4741: A computer account was created. - 4742: A computer account was changed. - 4743: A computer account was deleted. The recommended state for this setting is to include: Success.
Key Path: {0CCE9236-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller		 = Success
(Audit)		 Critical

Secured Core

Name
(ID)		 Details Expected value
(Type)		 Severity
Enable boot DMA protection
(AZ-WIN-202250)		 Description: Secured-core capable servers support system firmware which provides protection against malicious and unintended Direct Memory Access (DMA) attacks for all DMA-capable devices during the boot process.
Key Path: BootDMAProtection
OS: Ex= [WSASHCI22H2
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(OsConfig)		 Critical
Enable hypervisor enforced code integrity
(AZ-WIN-202246)		 Description: HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. HVCI is a critical component that protects and hardens the isolated virtual environment created by VBS by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.
Key Path: HypervisorEnforcedCodeIntegrityStatus
OS: Ex= [WSASHCI22H2
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(OsConfig)		 Critical
Enable secure boot
(AZ-WIN-202248)		 Description: Secure boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM).
Key Path: SecureBootState
OS: Ex= [WSASHCI22H2
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(OsConfig)		 Critical
Enable system guard
(AZ-WIN-202247)		 Description: Using processor support for Dynamic Root of Trust of Measurement (DRTM) technology, System Guard puts firmware in a hardware-based sandbox helping to limit the impact of vulnerabilities in millions of lines of highly privileged firmware code.
Key Path: SystemGuardStatus
OS: Ex= [WSASHCI22H2
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(OsConfig)		 Critical
Enable virtualization based security
(AZ-WIN-202245)		 Description: Virtualization-based security, or VBS, uses hardware virtualization features to create and isolate a secure region of memory from the normal operating system. This helps to ensure that servers remain devoted to running critical workloads and helps protect related applications and data from attack and exfiltration. VBS is enabled and locked by default on Azure Stack HCI.
Key Path: VirtualizationBasedSecurityStatus
OS: Ex= [WSASHCI22H2
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(OsConfig)		 Critical
Set TPM version
(AZ-WIN-202249)		 Description: Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. TPM2.0 is required for the Secured-core features.
Key Path: TPMVersion
OS: Ex= [WSASHCI22H2
Server Type: Domain Controller, Domain Member, Workgroup Member		 2.0
(OsConfig)		 Critical

Security Options - Accounts

Name
(ID)		 Details Expected value
(Type)		 Severity
Accounts: Block Microsoft accounts
(AZ-WIN-202201)		 Description: This policy setting prevents users from adding new Microsoft accounts on this computer. The recommended state for this setting is: Users can't add or log on with Microsoft accounts.
Key Path: Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 3
(Registry)		 Warning
Accounts: Guest account status
(CCE-37432-2)		 Description: This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. The recommended state for this setting is: Disabled. Note: This setting will have no impact when applied to the domain controller organizational unit via group policy because domain controllers have no local account database. It can be configured at the domain level via group policy, similar to account lockout and password policy settings.
Key Path: [System Access]EnableGuestAccount
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(Policy)		 Critical
Accounts: Limit local account use of blank passwords to console logon only
(CCE-37615-2)		 Description: This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have blank passwords will not be able to log on to the network from remote client computers. Such accounts will only be able to log on at the keyboard of the computer. The recommended state for this setting is: Enabled.
Key Path: SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 1
(Registry)		 Critical
Accounts: Rename guest account
(AZ-WIN-202255)		 Description: The built-in local guest account is another well-known name to attackers. It is recommended to rename this account to something that does not indicate its purpose. Even if you disable this account, which is recommended, ensure that you rename it for added security. On Domain Controllers, since they do not have their own local accounts, this rule refers to the built-in Guest account that was established when the domain was first created.
Key Path: [System Access]NewGuestName
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Guest
(Policy)		 Warning
Network access: Allow anonymous SID/Name translation
(CCE-10024-8)		 Description: This policy setting determines whether an anonymous user can request security identifier (SID) attributes for another user, or use a SID to obtain its corresponding user name. The recommended state for this setting is: Disabled.
Key Path: [System Access]LSAAnonymousNameLookup
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 0
(Policy)		 Warning

Security Options - Audit

Name
(ID)		 Details Expected value
(Type)		 Severity
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
(CCE-37850-5)		 Description: This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active Directory do not yet contain settings for managing the new auditing subcategories. To properly apply the auditing policies prescribed in this baseline, the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings setting needs to be configured to Enabled.
Key Path: SYSTEM\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 1
(Registry)		 Critical
Audit: Shut down system immediately if unable to log security audits
(CCE-35907-5)		 Description: This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them. Microsoft has chosen to meet this requirement by halting the system and displaying a stop message if the auditing system experiences a failure. When this policy setting is enabled, the system will be shut down if a security audit cannot be logged for any reason. If the Audit: Shut down system immediately if unable to log security audits setting is enabled, unplanned system failures can occur. The administrative burden can be significant, especially if you also configure the Retention method for the Security log to Do not overwrite events (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability, because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the Security log. Also, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system guarantees its integrity when an ungraceful computer shutdown occurs, it cannot guarantee that every data file for every application will still be in a usable form when the computer restarts. The recommended state for this setting is: Disabled.
Key Path: SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical

Security Options - Devices

Name
(ID)		 Details Expected value
(Type)		 Severity
Devices: Allowed to format and eject removable media
(CCE-37701-0)		 Description: This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administrator privileges.
Key Path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Warning
Devices: Prevent users from installing printer drivers
(CCE-37942-0)		 Description: For a computer to print to a shared printer, the driver for that shared printer must be installed on the local computer. This security setting determines who is allowed to install a printer driver as part of connecting to a shared printer. The recommended state for this setting is: Enabled. Note: This setting does not affect the ability to add a local printer. This setting does not affect Administrators.
Key Path: SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 1
(Registry)		 Warning
Limits print driver installation to Administrators
(AZ_WIN_202202)		 Description: This policy setting controls whether users that aren't Administrators can install print drivers on the system. The recommended state for this setting is: Enabled. Note: On August 10, 2021, Microsoft announced a Point and Print Default Behavior Change which modifies the default Point and Print driver installation and update behavior to require Administrator privileges. This is documented in KB5005652-Manage new Point and Print default driver installation behavior (CVE-2021-34481).
Key Path: Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Warning

Security Options - Domain member

Name
(ID)		 Details Expected value
(Type)		 Severity
Ensure 'Domain member: Digitally encrypt or sign secure channel data (always)' is set to 'Enabled'
(CCE-36142-8)		 Description: This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. The recommended state for this setting is: Enabled.
Key Path: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 Doesn't exist or = 1
(Registry)		 Critical
Ensure 'Domain member: Digitally encrypt secure channel data (when possible)' is set to 'Enabled'
(CCE-37130-2)		 Description: This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. The recommended state for this setting is: Enabled.
Key Path: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 Doesn't exist or = 1
(Registry)		 Critical
Ensure 'Domain member: Digitally sign secure channel data (when possible)' is set to 'Enabled'
(CCE-37222-7)		 Description:

This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone who captures the data as it traverses the network. The recommended state for this setting is: 'Enabled'.


Key Path: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 Doesn't exist or = 1
(Registry)		 Critical
Ensure 'Domain member: Disable machine account password changes' is set to 'Disabled'
(CCE-37508-9)		 Description:

This policy setting determines whether a domain member can periodically change its computer account password. Computers that cannot automatically change their account passwords are potentially vulnerable, because an attacker might be able to determine the password for the system's domain account. The recommended state for this setting is: 'Disabled'.


Key Path: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 Doesn't exist or = 0
(Registry)		 Critical
Ensure 'Domain member: Maximum machine account password age' is set to '30 or fewer days, but not 0'
(CCE-37431-4)		 Description: This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly so that the computers no longer change their passwords, an attacker would have more time to undertake a brute force attack against one of the computer accounts. The recommended state for this setting is: 30 or fewer days, but not 0. Note: A value of 0 does not conform to the benchmark as it disables maximum password age.
Key Path: System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 In 1-30
(Registry)		 Critical
Ensure 'Domain member: Require strong (Windows 2000 or later) session key' is set to 'Enabled'
(CCE-37614-5)		 Description: When this policy setting is enabled, a secure channel can only be established with Domain Controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all Domain Controllers in the domain must be able to encrypt secure channel data with a strong key, which means all Domain Controllers must be running Microsoft Windows 2000 or newer. The recommended state for this setting is: Enabled.
Key Path: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 Doesn't exist or = 1
(Registry)		 Critical

Security Options - Interactive Logon

Name
(ID)		 Details Expected value
(Type)		 Severity
Caching of logon credentials must be limited
(AZ-WIN-73651)		 Description: This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even if a Domain Controller cannot be contacted. This policy setting determines the number of unique users for whom logon information is cached locally. If this value is set to 0, the logon cache feature is disabled. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to determine user passwords. The recommended state for this setting is: 4 or fewer logon(s).
Key Path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 In 1-4
(Registry)		 Informational
Interactive logon: Do not display last user name
(CCE-36056-0)		 Description: This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from collecting account names visually from the screens of desktop or laptop computers in your organization. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Interactive logon: Do not require CTRL+ALT+DEL
(CCE-37637-6)		 Description: This policy setting determines whether users must press CTRL+ALT+DEL before they log on. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical
Interactive logon: Machine inactivity limit
(AZ-WIN-73645)		 Description: Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session. The recommended state for this setting is: 900 or fewer second(s), but not 0. Note: A value of 0 does not conform to the benchmark as it disables the machine inactivity limit.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 In 1-900
(Registry)		 Important
Interactive logon: Message text for users attempting to log on
(AZ-WIN-202253)		 Description: This policy setting specifies a text message that displays to users when they log on. Configure this setting in a manner that is consistent with the security and operational requirements of your organization.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member
(Registry)		 Warning
Interactive logon: Message title for users attempting to log on
(AZ-WIN-202254)		 Description: This policy setting specifies the text displayed in the title bar of the window that users see when they log on to the system. Configure this setting in a manner that is consistent with the security and operational requirements of your organization.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member
(Registry)		 Warning
Interactive logon: Prompt user to change password before expiration
(CCE-10930-6)		 Description: This policy setting determines how far in advance users are warned that their password will expire. It is recommended that you configure this policy setting to at least 5 days but no more than 14 days to sufficiently warn users when their passwords will expire. The recommended state for this setting is: between 5 and 14 days.
Key Path: Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 In 5-14
(Registry)		 Informational

Security Options - Microsoft Network Client

Name
(ID)		 Details Expected value
(Type)		 Severity
Microsoft network client: Digitally sign communications (always)
(CCE-36325-9)		 Description:

This policy setting determines whether packet signing is required by the SMB client component. Note: When Windows Vista-based computers have this policy setting enabled and they connect to file or print shares on remote servers, it is important that the setting is synchronized with its companion setting, Microsoft network server: Digitally sign communications (always), on those servers. For more information about these settings, see the "Microsoft network client and server: Digitally sign communications (four related settings)" section in Chapter 5 of the Threats and Countermeasures guide. The recommended state for this setting is: 'Enabled'.


Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Microsoft network client: Digitally sign communications (if server agrees)
(CCE-36269-9)		 Description: This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. Note: Enabling this policy setting on SMB clients on your network makes them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled.
Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 1
(Registry)		 Critical
Microsoft network client: Send unencrypted password to third-party SMB servers
(CCE-37863-8)		 Description:

This policy setting determines whether the SMB redirector will send plaintext passwords during authentication to third-party SMB servers that do not support password encryption. It is recommended that you disable this policy setting unless there is a strong business case to enable it. If this policy setting is enabled, unencrypted passwords will be allowed across the network. The recommended state for this setting is: 'Disabled'.


Key Path: SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical
Microsoft network server: Amount of idle time required before suspending session
(CCE-38046-9)		 Description: This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished. A value of 0 appears to allow sessions to persist indefinitely. The maximum value is 99999, which is over 69 days; in effect, this value disables the setting. The recommended state for this setting is: 15 or fewer minute(s), but not 0.
Key Path: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 In 1-15
(Registry)		 Critical
Microsoft network server: Digitally sign communications (always)
(CCE-37864-6)		 Description: This policy setting determines whether packet signing is required by the SMB server component. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server. The recommended state for this setting is: Enabled.
Key Path: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Microsoft network server: Digitally sign communications (if client agrees)
(CCE-35988-5)		 Description: This policy setting determines whether the SMB server will negotiate SMB packet signing with clients that request it. If no signing request comes from the client, a connection will be allowed without a signature if the Microsoft network server: Digitally sign communications (always) setting is not enabled. Note: Enable this policy setting on SMB clients on your network to make them fully effective for packet signing with all clients and servers in your environment. The recommended state for this setting is: Enabled.
Key Path: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Microsoft network server: Disconnect clients when logon hours expire
(CCE-37972-7)		 Description: This security setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. This setting affects the Server Message Block (SMB) component. If you enable this policy setting you should also enable Network security: Force logoff when logon hours expire (Rule 2.3.11.6). If your organization configures logon hours for users, this policy setting is necessary to ensure they are effective. The recommended state for this setting is: Enabled.
Key Path: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogoff
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 1
(Registry)		 Critical
Microsoft network server: Server SPN target name validation level
(CCE-10617-9)		 Description: This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the server message block (SMB) protocol. The server message block (SMB) protocol provides the basis for file and print sharing and other networking operations, such as remote Windows administration. The SMB protocol supports validating the SMB server service principal name (SPN) within the authentication blob provided by a SMB client; this behavior prevents SMB relay attacks. This setting will affect both SMB1 and SMB2. The recommended state for this setting is: Accept if provided by client. Configuring this setting to Required from client also conforms to the benchmark. Note: Since the release of the MS KB3161561 security patch, this setting can cause significant issues (such as replication problems, group policy editing issues and blue screen crashes) on Domain Controllers when used simultaneously with UNC path hardening (i.e. Rule 18.5.14.1). CIS therefore recommends against deploying this setting on Domain Controllers.
Key Path: System\CurrentControlSet\Services\LanManServer\Parameters\SMBServerNameHardeningLevel
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Member		 = 1
(Registry)		 Warning

Security Options - Microsoft Network Server

Name
(ID)		 Details Expected value
(Type)		 Severity
Disable SMB v1 server
(AZ-WIN-00175)		 Description: Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended.) Enabling this setting enables server-side processing of the SMBv1 protocol. (Default.) Changes to this setting require a reboot to take effect. For more information, see https://support.microsoft.com/kb/2696547
Key Path: SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical

Security Options - Network Access

Name
(ID)		 Details Expected value
(Type)		 Severity
Accounts: Rename administrator account
(CCE-10976-9)		 Description: The built-in local administrator account is a well-known account name that attackers will target. It is recommended to choose another name for this account, and to avoid names that denote administrative or elevated access accounts. Be sure to also change the default description for the local administrator (through the Computer Management console). On Domain Controllers, since they do not have their own local accounts, this rule refers to the built-in Administrator account that was established when the domain was first created.
Key Path: [System Access]NewAdministratorName
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 Administrator
(Policy)		 Warning
Network access: Do not allow anonymous enumeration of SAM accounts
(CCE-36316-8)		 Description: This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections will not be able to enumerate domain account user names on the systems in your environment. This policy setting also allows additional restrictions on anonymous connections. The recommended state for this setting is: Enabled. Note: This policy has no effect on domain controllers.
Key Path: SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 Doesn't exist or = 1
(Registry)		 Critical
Network access: Do not allow anonymous enumeration of SAM accounts and shares
(CCE-36077-6)		 Description: This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and network share names on the systems in your environment. The recommended state for this setting is: Enabled. Note: This policy has no effect on domain controllers.
Key Path: SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Network access: Let Everyone permissions apply to anonymous users
(CCE-36148-5)		 Description: This policy setting determines what additional permissions are assigned for anonymous connections to the computer. The recommended state for this setting is: Disabled.
Key Path: SYSTEM\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical
Network access: Remotely accessible registry paths
(CCE-37194-8)		 Description: This policy setting determines which registry paths will be accessible after referencing the WinReg key to determine access permissions to the paths. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, but it is called "Network access: Remotely accessible registry paths and subpaths" in Windows Server 2003, Windows Vista, and Windows Server 2008. Note: When you configure this setting, you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value.
Key Path: SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = System\CurrentControlSet\Control\ProductOptions\0System\CurrentControlSet\Control\Server Applications\0Software\Microsoft\Windows NT\CurrentVersion\0\0
(Registry)		 Critical
Network access: Remotely accessible registry paths and sub-paths
(CCE-36347-3)		 Description: This policy setting determines which registry paths and sub-paths will be accessible when an application or process references the WinReg key to determine access permissions. Note: In Windows XP this setting is called "Network access: Remotely accessible registry paths," the setting with that same name in Windows Vista, Windows Server 2008, and Windows Server 2003 does not exist in Windows XP. Note: When you configure this setting, you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value.
Key Path: SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 Doesn't exist or = System\CurrentControlSet\Control\Print\Printers\0System\CurrentControlSet\Services\Eventlog\0Software\Microsoft\OLAP Server\0Software\Microsoft\Windows NT\CurrentVersion\Print\0Software\Microsoft\Windows NT\CurrentVersion\Windows\0System\CurrentControlSet\Control\ContentIndex\0System\CurrentControlSet\Control\Terminal Server\0System\CurrentControlSet\Control\Terminal Server\UserConfig\0System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration\0Software\Microsoft\Windows NT\CurrentVersion\Perflib\0System\CurrentControlSet\Services\SysmonLog\0\0
(Registry)		 Critical
Network access: Restrict anonymous access to Named Pipes and Shares
(CCE-36021-4)		 Description: When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymously settings. This policy setting controls null session access to shares on your computers by adding RestrictNullSessAccess with the value 1 in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters registry key. This registry value toggles null session shares on or off to control whether the server service restricts unauthenticated clients' access to named resources. The recommended state for this setting is: Enabled.
Key Path: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 1
(Registry)		 Critical
Network access: Restrict clients allowed to make remote calls to SAM
(AZ-WIN-00142)		 Description: This policy setting allows you to restrict remote RPC connections to SAM. If not selected, the default security descriptor will be used. This policy is supported on at least Windows Server 2016.
Key Path: SYSTEM\CurrentControlSet\Control\Lsa\RestrictRemoteSAM
OS: WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 Doesn't exist or = O:BAG:BAD:(A;;RC;;;BA)
(Registry)		 Critical
Network access: Shares that can be accessed anonymously
(CCE-38095-6)		 Description: This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on the server. Note: It can be very dangerous to add other shares to this Group Policy setting. Any network user can access any shares that are listed, which could exposure or corrupt sensitive data. Note: When you configure this setting, you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, that is, type the first object on the list, press the Enter button, type the next object, press Enter again, etc. The setting value is stored as a comma-delimited list in group policy security templates. It is also rendered as a comma-delimited list in Group Policy Editor's display pane and the Resultant Set of Policy console. It is recorded in the registry as a line-feed delimited list in a REG_MULTI_SZ value.
Key Path: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or =
(Registry)		 Critical
Network access: Sharing and security model for local accounts
(CCE-37623-6)		 Description: This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users for the same resource. The Guest only option allows you to treat all users equally. In this context, all users authenticate as Guest only to receive the same access level to a given resource. The recommended state for this setting is: Classic - local users authenticate as themselves. Note: This setting does not affect interactive logons that are performed remotely by using such services as Telnet or Remote Desktop Services (formerly called Terminal Services).
Key Path: SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical

Security Options - Network Security

Name
(ID)		 Details Expected value
(Type)		 Severity
Network security: Allow Local System to use computer identity for NTLM
(CCE-38341-4)		 Description: When enabled, this policy setting causes Local System services that use Negotiate to use the computer identity when NTLM authentication is selected by the negotiation. This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Key Path: SYSTEM\CurrentControlSet\Control\Lsa\UseMachineId
OS: WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Network security: Allow LocalSystem NULL session fallback
(CCE-37035-3)		 Description: This policy setting determines whether NTLM is allowed to fall back to a NULL session when used with LocalSystem. The recommended state for this setting is: Disabled.
Key Path: SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\AllowNullSessionFallback
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical
Network Security: Allow PKU2U authentication requests to this computer to use online identities
(CCE-38047-7)		 Description: This setting determines if online identities are able to authenticate to this computer. The Public Key Cryptography Based User-to-User (PKU2U) protocol introduced in Windows 7 and Windows Server 2008 R2 is implemented as a security support provider (SSP). The SSP enables peer-to-peer authentication, particularly through the Windows 7 media and file sharing feature called Homegroup, which permits sharing between computers that are not members of a domain. With PKU2U, a new extension was introduced to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decided whether to use Kerberos or NTLM for authentication. The extension SSP for Negotiate, Negoexts.dll, which is treated as an authentication protocol by Windows, supports Microsoft SSPs including PKU2U. When computers are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation and associates the user's certificate to a security token and the logon process completes. The recommended state for this setting is: Disabled.
Key Path: SYSTEM\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Warning
Network Security: Configure encryption types allowed for Kerberos
(CCE-37755-6)		 Description: This policy setting allows you to set the encryption types that Kerberos is allowed to use. This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes
OS: WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 2147483640
(Registry)		 Critical
Network security: Do not store LAN Manager hash value on next password change
(CCE-36326-7)		 Description: This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stronger Microsoft Windows NT hash. Since LM hashes are stored on the local computer in the security database, passwords can then be easily compromised if the database is attacked. Note: Older operating systems and some third-party applications may fail when this policy setting is enabled. Also, note that the password will need to be changed on all accounts after you enable this setting to gain the proper benefit. The recommended state for this setting is: Enabled.
Key Path: SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 1
(Registry)		 Critical
Network security: LAN Manager authentication level
(CCE-36173-3)		 Description: LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network administration tools. In Active Directory domains, the Kerberos protocol is the default authentication protocol. However, if the Kerberos protocol is not negotiated for some reason, Active Directory will use LM, NTLM, or NTLMv2. LAN Manager authentication includes the LM, NTLM, and NTLM version 2 (NTLMv2) variants, and is the protocol that is used to authenticate all Windows clients when they perform the following operations: - Join a domain - Authenticate between Active Directory forests - Authenticate to down-level domains - Authenticate to computers that do not run Windows 2000, Windows Server 2003, or Windows XP) - Authenticate to computers that are not in the domain The possible values for the Network security: LAN Manager authentication level settings are: - Send LM & NTLM responses - Send LM & NTLM — use NTLMv2 session security if negotiated - Send NTLM responses only - Send NTLMv2 responses only - Send NTLMv2 responses only\refuse LM - Send NTLMv2 responses only\refuse LM & NTLM - Not Defined The Network security: LAN Manager authentication level setting determines which challenge/response authentication protocol is used for network logons. This choice affects the authentication protocol level that clients use, the session security level that the computers negotiate, and the authentication level that servers accept as follows: - Send LM & NTLM responses. Clients use LM and NTLM authentication and never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication. - Send LM & NTLM — use NTLMv2 session security if negotiated. Clients use LM and NTLM authentication and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. - Send NTLM response only. Clients use NTLM authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. - Send NTLMv2 response only. Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. - Send NTLMv2 response only\refuse LM. Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM (accept only NTLM and NTLMv2 authentication). - Send NTLMv2 response only\refuse LM & NTLM. Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it. Domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). These settings correspond to the levels discussed in other Microsoft documents as follows: - Level 0 — Send LM and NTLM response; never use NTLMv2 session security. Clients use LM and NTLM authentication, and never use NTLMv2 session security. Domain controllers accept LM, NTLM, and NTLMv2 authentication. - Level 1 — Use NTLMv2 session security if negotiated. Clients use LM and NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. - Level 2 — Send NTLM response only. Clients use only NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. - Level 3 — Send NTLMv2 response only. Clients use NTLMv2 authentication, and use NTLMv2 session security if the server supports it. Domain controllers accept LM, NTLM, and NTLMv2 authentication. - Level 4 — Domain controllers refuse LM responses. Clients use NTLM authentication, and use NTLMv2 session security if the server supports it. Domain controllers refuse LM authentication, that is, they accept NTLM and NTLMv2. - Level 5 — Domain controllers refuse LM and NTLM responses (accept only NTLMv2). Clients use NTLMv2 authentication, use and NTLMv2 session security if the server supports it. Domain controllers refuse NTLM and LM authentication (they accept only NTLMv2).
Key Path: SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 5
(Registry)		 Critical
Network security: LDAP client signing requirements
(CCE-36858-9)		 Description: This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests. Note: This policy setting does not have any impact on LDAP simple bind (ldap_simple_bind) or LDAP simple bind through SSL (ldap_simple_bind_s). No Microsoft LDAP clients that are included with Windows XP Professional use ldap_simple_bind or ldap_simple_bind_s to communicate with a domain controller. The recommended state for this setting is: Negotiate signing. Configuring this setting to Require signing also conforms with the benchmark.
Key Path: SYSTEM\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 1
(Registry)		 Critical
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
(CCE-37553-5)		 Description: This policy setting determines which behaviors are allowed by clients for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level security setting value.
Key Path: SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 537395200
(Registry)		 Critical
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers
(CCE-37835-6)		 Description: This policy setting determines which behaviors are allowed by servers for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services. The setting does not modify how the authentication sequence works but instead require certain behaviors in applications that use the SSPI. The recommended state for this setting is: Require NTLMv2 session security, Require 128-bit encryption. Note: These values are dependent on the Network security: LAN Manager Authentication Level security setting value.
Key Path: SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 537395200
(Registry)		 Critical

Security Options - Shutdown

Name
(ID)		 Details Expected value
(Type)		 Severity
Shutdown: Allow system to be shut down without having to log on
(CCE-36788-8)		 Description: This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. It is recommended to disable this policy setting to restrict the ability to shut down the computer to users with credentials on the system. The recommended state for this setting is: Disabled. Note: In Server 2008 R2 and older versions, this setting had no impact on Remote Desktop (RDP) / Terminal Services sessions - it only affected the local console. However, Microsoft changed the behavior in Windows Server 2012 (non-R2) and above, where if set to Enabled, RDP sessions are also allowed to shut down or restart the server.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Warning
Shutdown: Clear virtual memory pagefile
(AZ-WIN-00181)		 Description: This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down properly. If you enable this security setting, the hibernation file (Hiberfil.sys) is zeroed out when hibernation is disabled on a portable computer system. It will take longer to shut down and restart the computer, and will be especially noticeable on computers with large paging files.
Key Path: System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical

Security Options - System cryptography

Name
(ID)		 Details Expected value
(Type)		 Severity
Users must be required to enter a password to access private keys stored on the computer.
(AZ-WIN-73699)		 Description: If the private key is discovered, an attacker can use the key to authenticate as an authorized user and gain access to the network infrastructure. The cornerstone of the PKI is the private key used to encrypt or digitally sign information. If the private key is stolen, this will lead to the compromise of the authentication and non-repudiation gained through PKI because the attacker can use the private key to digitally sign documents and pretend to be the authorized user. Both the holders of a digital certificate and the issuing authority must protect the computers, storage devices, or whatever they use to keep the private keys.
Key Path: SOFTWARE\Policies\Microsoft\Cryptography\ForceKeyProtection
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 2
(Registry)		 Important
Windows Server must be configured to use FIPS-compliant algorithms for encryption, hashing, and signing.
(AZ-WIN-73701)		 Description: This setting ensures the system uses algorithms that are FIPS-compliant for encryption, hashing, and signing. FIPS-compliant algorithms meet specific standards established by the U.S. Government and must be the algorithms used for all OS encryption functions.
Key Path: SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled
OS: WS2016, WS2019, WS2022
Server Type: Domain Member		 = 1
(Registry)		 Important

Security Options - System objects

Name
(ID)		 Details Expected value
(Type)		 Severity
System objects: Require case insensitivity for non-Windows subsystems
(CCE-37885-1)		 Description: This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portable Operating System Interface for UNIX (POSIX). Because Windows is case insensitive (but the POSIX subsystem will support case sensitivity), failure to enforce this policy setting makes it possible for a user of the POSIX subsystem to create a file with the same name as another file by using mixed case to label it. Such a situation can block access to these files by another user who uses typical Win32 tools, because only one of the files will be available. The recommended state for this setting is: Enabled.
Key Path: System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 1
(Registry)		 Warning
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)
(CCE-37644-2)		 Description: This policy setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. The recommended state for this setting is: Enabled.
Key Path: SYSTEM\CurrentControlSet\Control\Session Manager\ProtectionMode
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical

Security Options - System settings

Name
(ID)		 Details Expected value
(Type)		 Severity
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
(AZ-WIN-00155)		 Description: This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. It enables or disables certificate rules (a type of software restriction policies rule). With software restriction policies, you can create a certificate rule that will allow or disallow the execution of Authenticode ®-signed software, based on the digital certificate that is associated with the software. For certificate rules to take effect in software restriction policies, you must enable this policy setting.
Key Path: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 = 1
(Registry)		 Warning

Security Options - User Account Control

Name
(ID)		 Details Expected value
(Type)		 Severity
User Account Control: Admin Approval Mode for the Built-in Administrator account
(CCE-36494-3)		 Description: This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
(CCE-36863-9)		 Description: This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(Registry)		 Critical
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
(CCE-37029-6)		 Description: This policy setting controls the behavior of the elevation prompt for administrators. The recommended state for this setting is: Prompt for consent on the secure desktop.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 2
(Registry)		 Critical
User Account Control: Behavior of the elevation prompt for standard users
(CCE-36864-7)		 Description: This policy setting controls the behavior of the elevation prompt for standard users. The recommended state for this setting is: Automatically deny elevation requests.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(Registry)		 Critical
User Account Control: Detect application installations and prompt for elevation
(CCE-36533-8)		 Description: This policy setting controls the behavior of application installation detection for the computer. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
User Account Control: Only elevate UIAccess applications that are installed in secure locations
(CCE-37057-7)		 Description: This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\Program Files\, including subfolders - …\Windows\system32\ - …\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
User Account Control: Run all administrators in Admin Approval Mode
(CCE-36869-6)		 Description: This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The recommended state for this setting is: Enabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
User Account Control: Switch to the secure desktop when prompting for elevation
(CCE-36866-2)		 Description: This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
User Account Control: Virtualize file and registry write failures to per-user locations
(CCE-37064-3)		 Description: This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to: - %ProgramFiles%, - %Windir%, - %Windir%\system32, or - HKEY_LOCAL_MACHINE\Software. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical

Security Settings - Account Policies

Name
(ID)		 Details Expected value
(Type)		 Severity
Account lockout threshold
(AZ-WIN-73311)		 Description: This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to 0 does not conform to the benchmark as doing so disables the account lockout threshold. The recommended state for this setting is: 5 or fewer invalid logon attempt(s), but not 0. Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
Key Path: [System Access]LockoutBadCount
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 In 1-3
(Policy)		 Important
Enforce password history
(CCE-37166-6)		 Description:

This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password. The recommended state for this setting is: '24 or more password(s)'.


Key Path: [System Access]PasswordHistorySize
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= 24
(Policy)		 Critical
Maximum password age
(CCE-37167-4)		 Description: This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current. The recommended state for this setting is 60 or fewer days, but not 0.
Key Path: [System Access]MaximumPasswordAge
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 In 1-70
(Policy)		 Critical
Minimum password age
(CCE-37073-4)		 Description: This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days. The recommended state for this setting is: 1 or more day(s).
Key Path: [System Access]MinimumPasswordAge
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= 1
(Policy)		 Critical
Minimum password length
(CCE-36534-6)		 Description: This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps "pass phrase" is a better term than "password." In Microsoft Windows 2000 or later, pass phrases can be quite long and can include spaces. Therefore, a phrase such as "I want to drink a $5 milkshake" is a valid pass phrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Users must be educated about the proper selection and maintenance of passwords, especially with regard to password length. In enterprise environments, the ideal value for the Minimum password length setting is 14 characters, however you should adjust this value to meet your organization's business requirements. The recommended state for this setting is: 14 or more character(s).
Key Path: [System Access]MinimumPasswordLength
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= 14
(Policy)		 Critical
Password must meet complexity requirements
(CCE-37063-5)		 Description: This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Does not contain the user's account name or parts of the user's full name that exceed two consecutive characters - Be at least six characters in length - Contain characters from three of the following four categories: - English uppercase characters (A through Z) - English lowercase characters (a through z) - Base 10 digits (0 through 9) - Non-alphabetic characters (for example, !, $, #, %) - A catch-all category of any Unicode character that does not fall under the previous four categories. This fifth category can be regionally specific. Each additional character in a password increases its complexity exponentially. For instance, a seven-character, all lower-case alphabetic password would have 267 (approximately 8 x 109 or 8 billion) possible combinations. At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack. A seven-character alphabetic password with case sensitivity has 527 combinations. A seven-character case-sensitive alphanumeric password without punctuation has 627 combinations. An eight-character password has 268 (or 2 x 1011) possible combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords. Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as "!" or "@". Proper use of the password settings can help make it difficult to mount a brute force attack. The recommended state for this setting is: Enabled.
Key Path: [System Access]PasswordComplexity
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Policy)		 Critical
Reset account lockout counter after
(AZ-WIN-73309)		 Description: This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setting. If you leave this policy setting at its default value or configure the value to an interval that is too long, your environment could be vulnerable to a DoS attack. An attacker could maliciously perform a number of failed logon attempts on all users in the organization, which will lock out their accounts. If no policy were determined to reset the account lockout, it would be a manual task for administrators. Conversely, if a reasonable time value is configured for this policy setting, users would be locked out for a set period until all of the accounts are unlocked automatically. The recommended state for this setting is: 15 or more minute(s). Note: Password Policy settings (section 1.1) and Account Lockout Policy settings (section 1.2) must be applied via the Default Domain Policy GPO in order to be globally in effect on domain user accounts as their default behavior. If these settings are configured in another GPO, they will only affect local user accounts on the computers that receive the GPO. However, custom exceptions to the default password policy and account lockout policy rules for specific domain users and/or groups can be defined using Password Settings Objects (PSOs), which are completely separate from Group Policy and most easily configured using Active Directory Administrative Center.
Key Path: [System Access]ResetLockoutCount
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 >= 15
(Policy)		 Important
Store passwords using reversible encryption
(CCE-36286-3)		 Description: This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user's password for authentication purposes. Passwords that are stored with reversible encryption are essentially the same as plaintext versions of the passwords. The recommended state for this setting is: Disabled.
Key Path: [System Access]ClearTextPassword
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(Policy)		 Critical

Security Settings - Windows Firewall

Name
(ID)		 Details Expected value
(Type)		 Severity
Windows Firewall: Domain: Allow unicast response
(AZ-WIN-00088)		 Description:

This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages.  

We recommend this setting to ‘Yes’ for Private and Domain profiles, this will set the registry value to 0.


Key Path: Software\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableUnicastResponsesToMulticastBroadcast
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 0
(Registry)		 Warning
Windows Firewall: Domain: Firewall state
(CCE-36062-8)		 Description: Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile.
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Windows Firewall: Domain: Inbound connections
(AZ-WIN-202252)		 Description: This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default).
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultInboundAction
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Critical
Windows Firewall: Domain: Logging: Log dropped packets
(AZ-WIN-202226)		 Description: Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes.
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogDroppedPackets
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Informational
Windows Firewall: Domain: Logging: Log successful connections
(AZ-WIN-202227)		 Description: Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes.
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogSuccessfulConnections
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Warning
Windows Firewall: Domain: Logging: Name
(AZ-WIN-202224)		 Description: Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SystemRoot%\System32\logfiles\firewall\domainfw.log.
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogFilePath
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = %SystemRoot%\System32\logfiles\firewall\domainfw.log
(Registry)		 Informational
Windows Firewall: Domain: Logging: Size limit (KB)
(AZ-WIN-202225)		 Description: Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater.
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging\LogFileSize
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 >= 16384
(Registry)		 Warning
Windows Firewall: Domain: Outbound connections
(CCE-36146-9)		 Description: This setting determines the behavior for outbound connections that do not match an outbound firewall rule. In Windows Vista, the default behavior is to allow connections unless there are firewall rules that block the connection.
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DefaultOutboundAction
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 0
(Registry)		 Critical
Windows Firewall: Domain: Settings: Apply local connection security rules
(CCE-38040-2)		 Description:

This setting controls whether local administrators are allowed to create local connection rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is ‘Yes’, this will set the registry value to 1.


Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalIPsecPolicyMerge
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 0
(Registry)		 Critical
Windows Firewall: Domain: Settings: Apply local firewall rules
(CCE-37860-4)		 Description:

This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy.

The recommended state for this setting is Yes, this will set the registry value to 1.


Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AllowLocalPolicyMerge
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 Doesn't exist or = 0
(Registry)		 Critical
Windows Firewall: Domain: Settings: Display a notification
(CCE-38041-0)		 Description:

When this option is selected, no notification is displayed to the user when a program is blocked from receiving inbound connections. In a server environment, the popups are not useful as the users is not logged in, popups are not necessary and can add confusion for the administrator.  

Configure this policy setting to ‘No’, this will set the registry value to 1.  Windows Firewall will not display a notification when a program is blocked from receiving inbound connections.


Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\DisableNotifications
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Warning
Windows Firewall: Private: Allow unicast response
(AZ-WIN-00089)		 Description:

This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages.  

We recommend this setting to ‘Yes’ for Private and Domain profiles, this will set the registry value to 0.


Key Path: Software\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableUnicastResponsesToMulticastBroadcast
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(Registry)		 Warning
Windows Firewall: Private: Firewall state
(CCE-38239-0)		 Description: Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile.
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\EnableFirewall
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Windows Firewall: Private: Inbound connections
(AZ-WIN-202228)		 Description: This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default).
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultInboundAction
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Critical
Windows Firewall: Private: Logging: Log dropped packets
(AZ-WIN-202231)		 Description: Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes.
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\LogDroppedPackets
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Informational
Windows Firewall: Private: Logging: Log successful connections
(AZ-WIN-202232)		 Description: Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes.
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\LogSuccessfulConnections
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Warning
Windows Firewall: Private: Logging: Name
(AZ-WIN-202229)		 Description: Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SystemRoot%\System32\logfiles\firewall\privatefw.log.
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\LogFilePath
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = %SystemRoot%\System32\logfiles\firewall\privatefw.log
(Registry)		 Informational
Windows Firewall: Private: Logging: Size limit (KB)
(AZ-WIN-202230)		 Description: Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater.
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\Logging\LogFileSize
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 >= 16384
(Registry)		 Warning
Windows Firewall: Private: Outbound connections
(CCE-38332-3)		 Description: This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. Important If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying.
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DefaultOutboundAction
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(Registry)		 Critical
Windows Firewall: Private: Settings: Apply local connection security rules
(CCE-36063-6)		 Description:

This setting controls whether local administrators are allowed to create local connection rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is ‘Yes’, this will set the registry value to 1.


Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalIPsecPolicyMerge
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(Registry)		 Critical
Windows Firewall: Private: Settings: Apply local firewall rules
(CCE-37438-9)		 Description:

This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy.

The recommended state for this setting is Yes, this will set the registry value to 1.


Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\AllowLocalPolicyMerge
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical
Windows Firewall: Private: Settings: Display a notification
(CCE-37621-0)		 Description:

When this option is selected, no notification is displayed to the user when a program is blocked from receiving inbound connections. In a server environment, the popups are not useful as the users is not logged in, popups are not necessary and can add confusion for the administrator.  

 Configure this policy setting to ‘No’, this will set the registry value to 1.  Windows Firewall will not display a notification when a program is blocked from receiving inbound connections.


Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile\DisableNotifications
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Warning
Windows Firewall: Public: Allow unicast response
(AZ-WIN-00090)		 Description:

This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. This can be done by changing the state for this setting to ‘No’, this will set the registry value to 1.


Key Path: Software\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableUnicastResponsesToMulticastBroadcast
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Warning
Windows Firewall: Public: Firewall state
(CCE-37862-0)		 Description: Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rules for this profile.
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\EnableFirewall
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Windows Firewall: Public: Inbound connections
(AZ-WIN-202234)		 Description: This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The recommended state for this setting is: Block (default).
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultInboundAction
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Critical
Windows Firewall: Public: Logging: Log dropped packets
(AZ-WIN-202237)		 Description: Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log. The recommended state for this setting is: Yes.
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\LogDroppedPackets
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 1
(Registry)		 Informational
Windows Firewall: Public: Logging: Log successful connections
(AZ-WIN-202233)		 Description: Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log. The recommended state for this setting is: Yes.
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\LogSuccessfulConnections
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Warning
Windows Firewall: Public: Logging: Name
(AZ-WIN-202235)		 Description: Use this option to specify the path and name of the file in which Windows Firewall will write its log information. The recommended state for this setting is: %SystemRoot%\System32\logfiles\firewall\publicfw.log.
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\LogFilePath
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = %SystemRoot%\System32\logfiles\firewall\publicfw.log
(Registry)		 Informational
Windows Firewall: Public: Logging: Size limit (KB)
(AZ-WIN-202236)		 Description: Use this option to specify the size limit of the file in which Windows Firewall will write its log information. The recommended state for this setting is: 16,384 KB or greater.
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\Logging\LogFileSize
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= 16384
(Registry)		 Informational
Windows Firewall: Public: Outbound connections
(CCE-37434-8)		 Description: This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. Important If you set Outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive the GPO settings cannot receive subsequent Group Policy updates unless you create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying.
Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DefaultOutboundAction
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(Registry)		 Critical
Windows Firewall: Public: Settings: Apply local connection security rules
(CCE-36268-1)		 Description:

This setting controls whether local administrators are allowed to create local connection rules that apply together with firewall rules configured by Group Policy. The recommended state for this setting is ‘Yes’, this will set the registry value to 1.


Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalIPsecPolicyMerge
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 = 0
(Registry)		 Critical
Windows Firewall: Public: Settings: Apply local firewall rules
(CCE-37861-2)		 Description:

This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy.

The recommended state for this setting is Yes, this will set the registry value to 1.


Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\AllowLocalPolicyMerge
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical
Windows Firewall: Public: Settings: Display a notification
(CCE-38043-6)		 Description:

By selecting this option, no notification is displayed to the user when a program is blocked from receiving inbound connections. In a server environment, the popups are not useful as the users is not logged in, popups are not necessary and can add confusion for the administrator.  

Configure this policy setting to ‘No’, this will set the registry value to 1.  Windows Firewall will not display a notification when a program is blocked from receiving inbound connections.


Key Path: SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile\DisableNotifications
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Warning

System Audit Policies - Account Logon

Name
(ID)		 Details Expected value
(Type)		 Severity
Audit Credential Validation
(CCE-37741-6)		 Description:

This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the domain controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on. Events for this subcategory include: - 4774: An account was mapped for logon. - 4775: An account could not be mapped for logon. - 4776: The domain controller attempted to validate the credentials for an account. - 4777: The domain controller failed to validate the credentials for an account. The recommended state for this setting is: 'Success and Failure'.


Key Path: {0CCE923F-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 = Success and Failure
(Audit)		 Critical
Audit Kerberos Authentication Service
(AZ-WIN-00004)		 Description: This subcategory reports the results of events generated after a Kerberos authentication TGT request. Kerberos is a distributed authentication service that allows a client running on behalf of a user to prove its identity to a server without sending data across the network. This helps mitigate an attacker or server from impersonating a user. - 4768: A Kerberos authentication ticket (TGT) was requested. - 4771: Kerberos pre-authentication failed. - 4772: A Kerberos authentication ticket request failed. The recommended state for this setting is: Success and Failure.
Key Path: {0CCE9242-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller		 >= Success and Failure
(Audit)		 Critical

System Audit Policies - Account Management

Name
(ID)		 Details Expected value
(Type)		 Severity
Audit Distribution Group Management
(CCE-36265-7)		 Description: This subcategory reports each event of distribution group management, such as when a distribution group is created, changed, or deleted or when a member is added to or removed from a distribution group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of group accounts. Events for this subcategory include: - 4744: A security-disabled local group was created. - 4745: A security-disabled local group was changed. - 4746: A member was added to a security-disabled local group. - 4747: A member was removed from a security-disabled local group. - 4748: A security-disabled local group was deleted. - 4749: A security-disabled global group was created. - 4750: A security-disabled global group was changed. - 4751: A member was added to a security-disabled global group. - 4752: A member was removed from a security-disabled global group. - 4753: A security-disabled global group was deleted. - 4759: A security-disabled universal group was created. - 4760: A security-disabled universal group was changed. - 4761: A member was added to a security-disabled universal group. - 4762: A member was removed from a security-disabled universal group. - 4763: A security-disabled universal group was deleted. The recommended state for this setting is to include: Success.
Key Path: {0CCE9238-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller		 >= Success
(Audit)		 Critical
Audit Other Account Management Events
(CCE-37855-4)		 Description: This subcategory reports other account management events. Events for this subcategory include: — 4782: The password hash an account was accessed. — 4793: The Password Policy Checking API was called. Refer to the Microsoft Knowledgebase article "Description of security events in Windows Vista and in Windows Server 2008" for the most recent information about this setting: https://support.microsoft.com/topic/ms16-014-description-of-the-security-update-for-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2-windows-server-2012-windows-8-1-and-windows-server-2012-r2-february-9-2016-1ff344d3-cd1c-cdbd-15b4-9344c7a7e6bd.
Key Path: {0CCE923A-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller		 >= Success
(Audit)		 Critical
Audit Security Group Management
(CCE-38034-5)		 Description: This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of security group accounts. Events for this subcategory include: - 4727: A security-enabled global group was created. - 4728: A member was added to a security-enabled global group. - 4729: A member was removed from a security-enabled global group. - 4730: A security-enabled global group was deleted. - 4731: A security-enabled local group was created. - 4732: A member was added to a security-enabled local group. - 4733: A member was removed from a security-enabled local group. - 4734: A security-enabled local group was deleted. - 4735: A security-enabled local group was changed. - 4737: A security-enabled global group was changed. - 4754: A security-enabled universal group was created. - 4755: A security-enabled universal group was changed. - 4756: A member was added to a security-enabled universal group. - 4757: A member was removed from a security-enabled universal group. - 4758: A security-enabled universal group was deleted. - 4764: A group's type was changed. The recommended state for this setting is: Success and Failure.
Key Path: {0CCE9237-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Success
(Audit)		 Critical
Audit User Account Management
(CCE-37856-2)		 Description: This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user accounts. Events for this subcategory include: - 4720: A user account was created. - 4722: A user account was enabled. - 4723: An attempt was made to change an account's password. - 4724: An attempt was made to reset an account's password. - 4725: A user account was disabled. - 4726: A user account was deleted. - 4738: A user account was changed. - 4740: A user account was locked out. - 4765: SID History was added to an account. - 4766: An attempt to add SID History to an account failed. - 4767: A user account was unlocked. - 4780: The ACL was set on accounts which are members of administrators groups. - 4781: The name of an account was changed: - 4794: An attempt was made to set the Directory Services Restore Mode. - 5376: Credential Manager credentials were backed up. - 5377: Credential Manager credentials were restored from a backup. The recommended state for this setting is: Success and Failure.
Key Path: {0CCE9235-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Success and Failure
(Audit)		 Critical

System Audit Policies - Detailed Tracking

Name
(ID)		 Details Expected value
(Type)		 Severity
Audit PNP Activity
(AZ-WIN-00182)		 Description: This policy setting allows you to audit when plug and play detects an external device. The recommended state for this setting is: Success. Note: A Windows 10, Server 2016 or higher OS is required to access and set this value in Group Policy.
Key Path: {0CCE9248-69AE-11D9-BED3-505054503030}
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Success
(Audit)		 Critical
Audit Process Creation
(CCE-36059-4)		 Description: This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include: - 4688: A new process has been created. - 4696: A primary token was assigned to process. Refer to Microsoft Knowledge Base article 947226: Description of security events in Windows Vista and in Windows Server 2008 for the most recent information about this setting. The recommended state for this setting is: Success.
Key Path: {0CCE922B-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Success
(Audit)		 Critical

System Audit Policies - DS Access

Name
(ID)		 Details Expected value
(Type)		 Severity
Audit Directory Service Access
(CCE-37433-0)		 Description: This subcategory reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. These events are similar to the directory service access events in previous versions of Windows Server. This subcategory applies only to Domain Controllers. Events for this subcategory include: - 4662 : An operation was performed on an object. The recommended state for this setting is to include: Failure.
Key Path: {0CCE923B-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller		 >= Failure
(Audit)		 Critical
Audit Directory Service Changes
(CCE-37616-0)		 Description: This subcategory reports changes to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are create, modify, move, and undelete operations that are performed on an object. DS Change auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. This subcategory applies only to Domain Controllers. Events for this subcategory include: - 5136 : A directory service object was modified. - 5137 : A directory service object was created. - 5138 : A directory service object was undeleted. - 5139 : A directory service object was moved. The recommended state for this setting is to include: Success.
Key Path: {0CCE923C-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller		 >= Success
(Audit)		 Critical
Audit Directory Service Replication
(AZ-WIN-00093)		 Description: This subcategory reports when replication between two domain controllers begins and ends. Events for this subcategory include: - 4932: Synchronization of a replica of an Active Directory naming context has begun. – 4933: Synchronization of a replica of an Active Directory naming context has ended. Refer to the Microsoft Knowledgebase article “Description of security events in Windows Vista and in Windows Server 2008” for the most recent information about this setting: http:--support.microsoft.com-default.aspx-kb-947226
Key Path: {0CCE923D-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller		 >= No Auditing
(Audit)		 Critical

System Audit Policies - Logon-Logoff

Name
(ID)		 Details Expected value
(Type)		 Severity
Audit Account Lockout
(CCE-37133-6)		 Description: This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include: — 4625: An account failed to log on. Refer to the Microsoft Knowledgebase article 'Description of security events in Windows Vista and in Windows Server 2008' for the most recent information about this setting: https://support.microsoft.com/topic/ms16-014-description-of-the-security-update-for-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2-windows-server-2012-windows-8-1-and-windows-server-2012-r2-february-9-2016-1ff344d3-cd1c-cdbd-15b4-9344c7a7e6bd.
Key Path: {0CCE9217-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Failure
(Audit)		 Critical
Audit Group Membership
(AZ-WIN-00026)		 Description: Audit Group Membership enables you to audit group memberships when they are enumerated on the client computer. This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. You must also enable the Audit Logon subcategory. Multiple events are generated if the group membership information cannot fit in a single security audit event. The events that are audited include the following: - 4627(S): Group membership information.
Key Path: {0CCE9249-69AE-11D9-BED3-505054503030}
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Success
(Audit)		 Critical
Audit Logoff
(CCE-38237-4)		 Description:

This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - 4634: An account was logged off. - 4647: User initiated logoff. The recommended state for this setting is: 'Success'.


Key Path: {0CCE9216-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Success
(Audit)		 Critical
Audit Logon
(CCE-38036-0)		 Description:

This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - 4624: An account was successfully logged on. - 4625: An account failed to log on. - 4648: A logon was attempted using explicit credentials. - 4675: SIDs were filtered. The recommended state for this setting is: 'Success and Failure'.


Key Path: {0CCE9215-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Success and Failure
(Audit)		 Critical
Audit Other Logon/Logoff Events
(CCE-36322-6)		 Description: This subcategory reports other logon/logoff-related events, such as Terminal Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategory include: — 4649: A replay attack was detected. — 4778: A session was reconnected to a Window Station. — 4779: A session was disconnected from a Window Station. — 4800: The workstation was locked. — 4801: The workstation was unlocked. — 4802: The screen saver was invoked. — 4803: The screen saver was dismissed. — 5378: The requested credentials delegation was disallowed by policy. — 5632: A request was made to authenticate to a wireless network. — 5633: A request was made to authenticate to a wired network. Refer to the Microsoft Knowledgebase article "Description of security events in Windows Vista and in Windows Server 2008" for the most recent information about this setting: https://support.microsoft.com/topic/ms16-014-description-of-the-security-update-for-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2-windows-server-2012-windows-8-1-and-windows-server-2012-r2-february-9-2016-1ff344d3-cd1c-cdbd-15b4-9344c7a7e6bd.
Key Path: {0CCE921C-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Success and Failure
(Audit)		 Critical
Audit Special Logon
(CCE-36266-5)		 Description: This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: - 4964 : Special groups have been assigned to a new logon. The recommended state for this setting is: Success.
Key Path: {0CCE921B-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Success
(Audit)		 Critical

System Audit Policies - Object Access

Name
(ID)		 Details Expected value
(Type)		 Severity
Audit Detailed File Share
(AZ-WIN-00100)		 Description: This subcategory allows you to audit attempts to access files and folders on a shared folder. Events for this subcategory include: - 5145: network share object was checked to see whether client can be granted desired access. The recommended state for this setting is to include: Failure
Key Path: {0CCE9244-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Failure
(Audit)		 Critical
Audit File Share
(AZ-WIN-00102)		 Description: This policy setting allows you to audit attempts to access a shared folder. The recommended state for this setting is: Success and Failure. Note: There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared folders on the system is audited.
Key Path: {0CCE9224-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Success and Failure
(Audit)		 Critical
Audit Other Object Access Events
(AZ-WIN-00113)		 Description: This subcategory reports other object access-related events such as Task Scheduler jobs and COM+ objects. Events for this subcategory include: — 4671: An application attempted to access a blocked ordinal through the TBS. — 4691: Indirect access to an object was requested. — 4698: A scheduled task was created. — 4699: A scheduled task was deleted. — 4700: A scheduled task was enabled. — 4701: A scheduled task was disabled. — 4702: A scheduled task was updated. — 5888: An object in the COM+ Catalog was modified. — 5889: An object was deleted from the COM+ Catalog. — 5890: An object was added to the COM+ Catalog. Refer to the Microsoft Knowledgebase article "Description of security events in Windows Vista and in Windows Server 2008" for the most recent information about this setting: https://support.microsoft.com/topic/ms16-014-description-of-the-security-update-for-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2-windows-server-2012-windows-8-1-and-windows-server-2012-r2-february-9-2016-1ff344d3-cd1c-cdbd-15b4-9344c7a7e6bd.
Key Path: {0CCE9227-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Success and Failure
(Audit)		 Critical
Audit Removable Storage
(CCE-37617-8)		 Description: This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audit event is generated each time an account accesses a file system object on a removable storage. Success audits record successful attempts and Failure audits record unsuccessful attempts. If you do not configure this policy setting, no audit event is generated when an account accesses a file system object on a removable storage. The recommended state for this setting is: Success and Failure. Note: A Windows 8, Server 2012 (non-R2) or higher OS is required to access and set this value in Group Policy.
Key Path: {0CCE9245-69AE-11D9-BED3-505054503030}
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Success and Failure
(Audit)		 Critical

System Audit Policies - Policy Change

Name
(ID)		 Details Expected value
(Type)		 Severity
Audit Authentication Policy Change
(CCE-38327-3)		 Description: This subcategory reports changes in authentication policy. Events for this subcategory include: — 4706: A new trust was created to a domain. — 4707: A trust to a domain was removed. — 4713: Kerberos policy was changed. — 4716: Trusted domain information was modified. — 4717: System security access was granted to an account. — 4718: System security access was removed from an account. — 4739: Domain Policy was changed. — 4864: A namespace collision was detected. — 4865: A trusted forest information entry was added. — 4866: A trusted forest information entry was removed. — 4867: A trusted forest information entry was modified. Refer to the Microsoft Knowledgebase article "Description of security events in Windows Vista and in Windows Server 2008" for the most recent information about this setting: https://support.microsoft.com/topic/ms16-014-description-of-the-security-update-for-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2-windows-server-2012-windows-8-1-and-windows-server-2012-r2-february-9-2016-1ff344d3-cd1c-cdbd-15b4-9344c7a7e6bd.
Key Path: {0CCE9230-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Success
(Audit)		 Critical
Audit Authorization Policy Change
(CCE-36320-0)		 Description: This subcategory reports changes in authorization policy. Events for this subcategory include: - 4704: A user right was assigned. - 4705: A user right was removed. - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4714: Encrypted data recovery policy was changed. The recommended state for this setting is to include: Success.
Key Path: {0CCE9231-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Success
(Audit)		 Critical
Audit MPSSVC Rule-Level Policy Change
(AZ-WIN-00111)		 Description: This subcategory reports changes in policy rules used by the Microsoft Protection Service (MPSSVC.exe). This service is used by Windows Firewall and by Microsoft OneCare. Events for this subcategory include: — 4944: The following policy was active when the Windows Firewall started. — 4945: A rule was listed when the Windows Firewall started. — 4946: A change has been made to Windows Firewall exception list. A rule was added. — 4947: A change has been made to Windows Firewall exception list. A rule was modified. — 4948: A change has been made to Windows Firewall exception list. A rule was deleted. — 4949: Windows Firewall settings were restored to the default values. — 4950: A Windows Firewall setting has changed. — 4951: A rule has been ignored because its major version number was not recognized by Windows Firewall. — 4952: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. — 4953: A rule has been ignored by Windows Firewall because it could not parse the rule. — 4954: Windows Firewall Group Policy settings have changed. The new settings have been applied. — 4956: Windows Firewall has changed the active profile. — 4957: Windows Firewall did not apply the following rule: — 4958: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: Refer to the Microsoft Knowledgebase article "Description of security events in Windows Vista and in Windows Server 2008" for the most recent information about this setting: https://support.microsoft.com/topic/ms16-014-description-of-the-security-update-for-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2-windows-server-2012-windows-8-1-and-windows-server-2012-r2-february-9-2016-1ff344d3-cd1c-cdbd-15b4-9344c7a7e6bd.
Key Path: {0CCE9232-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Success and Failure
(Audit)		 Critical
Audit Other Policy Change Events
(AZ-WIN-00114)		 Description: This subcategory contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations. - 5063: A cryptographic provider operation was attempted. - 5064: A cryptographic context operation was attempted. - 5065: A cryptographic context modification was attempted. - 5066: A cryptographic function operation was attempted. - 5067: A cryptographic function modification was attempted. - 5068: A cryptographic function provider operation was attempted. - 5069: A cryptographic function property operation was attempted. - 5070: A cryptographic function property modification was attempted. - 6145: One or more errors occurred while processing security policy in the group policy objects. The recommended state for this setting is to include: Failure.
Key Path: {0CCE9234-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Failure
(Audit)		 Critical
Audit Policy Change
(CCE-38028-7)		 Description: This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: — 4715: The audit policy (SACL) on an object was changed. — 4719: System audit policy was changed. — 4902: The Per-user audit policy table was created. — 4904: An attempt was made to register a security event source. — 4905: An attempt was made to unregister a security event source. — 4906: The CrashOnAuditFail value has changed. — 4907: Auditing settings on object were changed. — 4908: Special Groups Logon table modified. — 4912: Per User Audit Policy was changed. Refer to the Microsoft Knowledgebase article "Description of security events in Windows Vista and in Windows Server 2008" for the most recent information about this setting: https://support.microsoft.com/topic/ms16-014-description-of-the-security-update-for-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2-windows-server-2012-windows-8-1-and-windows-server-2012-r2-february-9-2016-1ff344d3-cd1c-cdbd-15b4-9344c7a7e6bd.
Key Path: {0CCE922F-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Success
(Audit)		 Critical

System Audit Policies - Privilege Use

Name
(ID)		 Details Expected value
(Type)		 Severity
Audit Sensitive Privilege Use
(CCE-36267-3)		 Description: This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: Act as part of the operating system, Back up files and directories, Create a token object, Debug programs, Enable computer and user accounts to be trusted for delegation, Generate security audits, Impersonate a client after authentication, Load and unload device drivers, Manage auditing and security log, Modify firmware environment values, Replace a process-level token, Restore files and directories, and Take ownership of files or other objects. Auditing this subcategory will create a high volume of events. Events for this subcategory include: — 4672: Special privileges assigned to new logon. — 4673: A privileged service was called. — 4674: An operation was attempted on a privileged object. Refer to the Microsoft Knowledgebase article 'Description of security events in Windows Vista and in Windows Server 2008' for the most recent information about this setting: https://support.microsoft.com/topic/ms16-014-description-of-the-security-update-for-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2-windows-server-2012-windows-8-1-and-windows-server-2012-r2-february-9-2016-1ff344d3-cd1c-cdbd-15b4-9344c7a7e6bd.
Key Path: {0CCE9228-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Success and Failure
(Audit)		 Critical

System Audit Policies - System

Name
(ID)		 Details Expected value
(Type)		 Severity
Audit IPsec Driver
(CCE-37853-9)		 Description: This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include: - 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. - 4961: IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. - 4962: IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. - 4963: IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. - 4965: IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. - 5478: IPsec Services has started successfully. - 5479: IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. - 5480: IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. - 5483: IPsec Services failed to initialize RPC server. IPsec Services could not be started. - 5484: IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. - 5485: IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. The recommended state for this setting is: Success and Failure.
Key Path: {0CCE9213-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Success and Failure
(Audit)		 Critical
Audit Other System Events
(CCE-38030-3)		 Description: This subcategory reports on other system events. Events for this subcategory include: - 5024 : The Windows Firewall Service has started successfully. - 5025 : The Windows Firewall Service has been stopped. - 5027 : The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. - 5028 : The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. - 5029: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. - 5030: The Windows Firewall Service failed to start. - 5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network. - 5033 : The Windows Firewall Driver has started successfully. - 5034 : The Windows Firewall Driver has been stopped. - 5035 : The Windows Firewall Driver failed to start. - 5037 : The Windows Firewall Driver detected critical runtime error. Terminating. - 5058: Key file operation. - 5059: Key migration operation. The recommended state for this setting is: Success and Failure.
Key Path: {0CCE9214-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Success and Failure
(Audit)		 Critical
Audit Security State Change
(CCE-38114-5)		 Description: This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include: — 4608: Windows is starting up. — 4609: Windows is shutting down. — 4616: The system time was changed. — 4621: Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded. Refer to the Microsoft Knowledgebase article 'Description of security events in Windows Vista and in Windows Server 2008' for the most recent information about this setting: https://support.microsoft.com/topic/ms16-014-description-of-the-security-update-for-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2-windows-server-2012-windows-8-1-and-windows-server-2012-r2-february-9-2016-1ff344d3-cd1c-cdbd-15b4-9344c7a7e6bd.
Key Path: {0CCE9210-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Success
(Audit)		 Critical
Audit Security System Extension
(CCE-36144-4)		 Description: This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include: — 4610: An authentication package has been loaded by the Local Security Authority. — 4611: A trusted logon process has been registered with the Local Security Authority. — 4614: A notification package has been loaded by the Security Account Manager. — 4622: A security package has been loaded by the Local Security Authority. — 4697: A service was installed in the system. Refer to the Microsoft Knowledgebase article "Description of security events in Windows Vista and in Windows Server 2008" for the most recent information about this setting: https://support.microsoft.com/topic/ms16-014-description-of-the-security-update-for-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2-windows-server-2012-windows-8-1-and-windows-server-2012-r2-february-9-2016-1ff344d3-cd1c-cdbd-15b4-9344c7a7e6bd.
Key Path: {0CCE9211-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Success
(Audit)		 Critical
Audit System Integrity
(CCE-37132-8)		 Description: This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include: — 4612: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. — 4615: Invalid use of LPC port. — 4618: A monitored security event pattern has occurred. — 4816 : RPC detected an integrity violation while decrypting an incoming message. — 5038: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. — 5056: A cryptographic self-test was performed. — 5057: A cryptographic primitive operation failed. — 5060: Verification operation failed. — 5061: Cryptographic operation. — 5062: A kernel-mode cryptographic self-test was performed. Refer to the Microsoft Knowledgebase article 'Description of security events in Windows Vista and in Windows Server 2008' for the most recent information about this setting: https://support.microsoft.com/topic/ms16-014-description-of-the-security-update-for-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2-windows-server-2012-windows-8-1-and-windows-server-2012-r2-february-9-2016-1ff344d3-cd1c-cdbd-15b4-9344c7a7e6bd.
Key Path: {0CCE9212-69AE-11D9-BED3-505054503030}
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Success and Failure
(Audit)		 Critical

User Rights Assignment

Name
(ID)		 Details Expected value
(Type)		 Severity
Access Credential Manager as a trusted caller
(CCE-37056-9)		 Description: This security setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, as it is only assigned to the Winlogon process. Users' saved credentials might be compromised if this user right is assigned to other entities. The recommended state for this setting is: No One.
Key Path: [Privilege Rights]SeTrustedCredManAccessPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = No One
(Policy)		 Warning
Access this computer from the network
(CCE-35818-4)		 Description:

This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server Message Block (SMB) based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). - Level 1 - Domain Controller. The recommended state for this setting is: 'Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS'. - Level 1 - Member Server. The recommended state for this setting is: 'Administrators, Authenticated Users'.


Key Path: [Privilege Rights]SeNetworkLogonRight
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 Administrators, Authenticated Users
(Policy)		 Critical
Act as part of the operating system
(CCE-36876-1)		 Description: This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. The recommended state for this setting is: No One.
Key Path: [Privilege Rights]SeTcbPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = No One
(Policy)		 Critical
Allow log on locally
(CCE-37659-0)		 Description: This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Services or IIS also require this user right. The Guest account is assigned this user right by default. Although this account is disabled by default, Microsoft recommends that you enable this setting through Group Policy. However, this user right should generally be restricted to the Administrators and Users groups. Assign this user right to the Backup Operators group if your organization requires that they have this capability. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Key Path: [Privilege Rights]SeInteractiveLogonRight
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 = Administrators
(Policy)		 Critical
Allow log on through Remote Desktop Services
(CCE-37072-6)		 Description:

This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and assign it this user right through Group Policy. If the help desk in your organization does not use Remote Assistance, assign this user right only to the Administrators group or use the restricted groups feature to ensure that no user accounts are part of the Remote Desktop Users group. Restrict this user right to the Administrators group, and possibly the Remote Desktop Users group, to prevent unwanted users from gaining access to computers on your network by means of the Remote Assistance feature. - Level 1 - Domain Controller. The recommended state for this setting is: 'Administrators'. - Level 1 - Member Server. The recommended state for this setting is: 'Administrators, Remote Desktop Users'. Note: A Member Server that holds the Remote Desktop Services Role with Remote Desktop Connection Broker Role Service will require a special exception to this recommendation, to allow the 'Authenticated Users' group to be granted this user right. Note 2: The above lists are to be treated as allowlists, which implies that the above principals need not be present for assessment of this recommendation to pass.


Key Path: [Privilege Rights]SeRemoteInteractiveLogonRight
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Administrators, Remote Desktop Users
(Policy)		 Critical
Back up files and directories
(CCE-35912-5)		 Description: This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programming interface (API). Otherwise, the assigned file and directory permissions apply. The recommended state for this setting is: Administrators.
Key Path: [Privilege Rights]SeBackupPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 Administrators, Backup Operators, Server Operators
(Policy)		 Critical
Bypass traverse checking
(AZ-WIN-00184)		 Description: This policy setting allows users who do not have the Traverse Folder access permission to pass through folders when they browse an object path in the NTFS file system or the registry. This user right does not allow users to list the contents of a folder. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Key Path: [Privilege Rights]SeChangeNotifyPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 Administrators, Authenticated Users, Backup Operators, Local Service, Network Service
(Policy)		 Critical
Change the system time
(CCE-37452-0)		 Description: This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment. Users who are assigned this user right can affect the appearance of event logs. When a computer's time setting is changed, logged events reflect the new time, not the actual time that the events occurred. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers. Note: Discrepancies between the time on the local computer and on the domain controllers in your environment may cause problems for the Kerberos authentication protocol, which could make it impossible for users to log on to the domain or obtain authorization to access domain resources after they are logged on. Also, problems will occur when Group Policy is applied to client computers if the system time is not synchronized with the domain controllers. The recommended state for this setting is: Administrators, LOCAL SERVICE.
Key Path: [Privilege Rights]SeSystemtimePrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 Administrators, Server Operators, LOCAL SERVICE
(Policy)		 Critical
Change the time zone
(CCE-37700-2)		 Description: This setting determines which users can change the time zone of the computer. This ability holds no great danger for the computer and may be useful for mobile workers. The recommended state for this setting is: Administrators, LOCAL SERVICE.
Key Path: [Privilege Rights]SeTimeZonePrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Administrators, LOCAL SERVICE
(Policy)		 Critical
Create a pagefile
(CCE-35821-8)		 Description: This policy setting allows users to change the size of the pagefile. By configuring the pagefile to be either extremely large or extremely small, an attacker could easily affect the performance of a compromised computer. The recommended state for this setting is: Administrators.
Key Path: [Privilege Rights]SeCreatePagefilePrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Administrators
(Policy)		 Critical
Create a token object
(CCE-36861-3)		 Description: This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. The recommended state for this setting is: No One.
Key Path: [Privilege Rights]SeCreateTokenPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = No One
(Policy)		 Warning
Create global objects
(CCE-37453-8)		 Description: This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions. This capability could lead to a variety of problems, such as application failure or data corruption. The recommended state for this setting is: Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE. Note: A Member Server with Microsoft SQL Server and its optional "Integration Services" component installed will require a special exception to this recommendation for additional SQL-generated entries to be granted this user right.
Key Path: [Privilege Rights]SeCreateGlobalPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Administrators, SERVICE, LOCAL SERVICE, NETWORK SERVICE
(Policy)		 Warning
Create permanent shared objects
(CCE-36532-0)		 Description: This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right. The recommended state for this setting is: No One.
Key Path: [Privilege Rights]SeCreatePermanentPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = No One
(Policy)		 Warning
Create symbolic links
(CCE-35823-4)		 Description:

This policy setting determines which users can create symbolic links. In Windows Vista, existing NTFS file system objects, such as files and folders, can be accessed by referring to a new kind of file system object called a symbolic link. A symbolic link is a pointer (much like a shortcut or .lnk file) to another file system object, which can be a file, folder, shortcut or another symbolic link. The difference between a shortcut and a symbolic link is that a shortcut only works from within the Windows shell. To other programs and applications, shortcuts are just another file, whereas with symbolic links, the concept of a shortcut is implemented as a feature of the NTFS file system. Symbolic links can potentially expose security vulnerabilities in applications that are not designed to use them. For this reason, the privilege for creating symbolic links should only be assigned to trusted users. By default, only Administrators can create symbolic links. - Level 1 - Domain Controller. The recommended state for this setting is: 'Administrators'. - Level 1 - Member Server. The recommended state for this setting is: 'Administrators' and (when the Hyper-V Role is installed) 'NT VIRTUAL MACHINE\Virtual Machines'.


Key Path: [Privilege Rights]SeCreateSymbolicLinkPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Administrators, NT VIRTUAL MACHINE\Virtual Machines
(Policy)		 Critical
Debug programs
(AZ-WIN-73755)		 Description: This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be assigned this user right; however, developers who are debugging new system components will need it. The recommended state for this setting is: Administrators. Note: This user right is considered a "sensitive privilege" for the purposes of auditing.
Key Path: [Privilege Rights]SeDebugPrivilege
OS: WS2016, WS2019
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Administrators
(Policy)		 Critical
Deny access to this computer from the network
(CCE-37954-5)		 Description:

This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environments, there should be no need for remote users to access data on a computer. Instead, file sharing should be accomplished through the use of network servers. - Level 1 - Domain Controller. The recommended state for this setting is to include: 'Guests, Local account'. - Level 1 - Member Server. The recommended state for this setting is to include: 'Guests, Local account and member of Administrators group'. Caution: Configuring a standalone (non-domain-joined) server as described above may result in an inability to remotely administer the server. Note: Configuring a member server or standalone server as described above may adversely affect applications that create a local service account and place it in the Administrators group - in which case you must either convert the application to use a domain-hosted service account, or remove Local account and member of Administrators group from this User Right Assignment. Using a domain-hosted service account is strongly preferred over making an exception to this rule, where possible.


Key Path: [Privilege Rights]SeDenyNetworkLogonRight
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Guests
(Policy)		 Critical
Deny log on as a batch job
(CCE-36923-1)		 Description: This policy setting determines which accounts will not be able to log on to the computer as a batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. Accounts that use the Task Scheduler to schedule jobs need this user right. The Deny log on as a batch job user right overrides the Log on as a batch job user right, which could be used to allow accounts to schedule jobs that consume excessive system resources. Such an occurrence could cause a DoS condition. Failure to assign this user right to the recommended accounts can be a security risk. The recommended state for this setting is to include: Guests.
Key Path: [Privilege Rights]SeDenyBatchLogonRight
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Guests
(Policy)		 Critical
Deny log on as a service
(CCE-36877-9)		 Description: This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. The recommended state for this setting is to include: Guests. Note: This security setting does not apply to the System, Local Service, or Network Service accounts.
Key Path: [Privilege Rights]SeDenyServiceLogonRight
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Guests
(Policy)		 Critical
Deny log on locally
(CCE-37146-8)		 Description: This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. Important: If you apply this security policy to the Everyone group, no one will be able to log on locally. The recommended state for this setting is to include: Guests.
Key Path: [Privilege Rights]SeDenyInteractiveLogonRight
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= Guests
(Policy)		 Critical
Deny log on through Remote Desktop Services
(CCE-36867-0)		 Description: This policy setting determines whether users can log on as Terminal Services clients. After the baseline member server is joined to a domain environment, there is no need to use local accounts to access the server from the network. Domain accounts can access the server for administration and end-user processing. The recommended state for this setting is to include: Guests, Local account. Caution: Configuring a standalone (non-domain-joined) server as described above may result in an inability to remotely administer the server.
Key Path: [Privilege Rights]SeDenyRemoteInteractiveLogonRight
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Workgroup Member		 >= Guests
(Policy)		 Critical
Enable computer and user accounts to be trusted for delegation
(CCE-36860-5)		 Description:

This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network. - Level 1 - Domain Controller. The recommended state for this setting is: 'Administrators' - Level 1 - Member Server. The recommended state for this setting is: 'No One'.


Key Path: [Privilege Rights]SeEnableDelegationPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 = No One
(Policy)		 Critical
Force shutdown from a remote system
(CCE-37877-8)		 Description: This policy setting allows users to shut down Windows Vista-based computers from remote locations on the network. Anyone who has been assigned this user right can cause a denial of service (DoS) condition, which would make the computer unavailable to service user requests. Therefore, it is recommended that only highly trusted administrators be assigned this user right. The recommended state for this setting is: Administrators.
Key Path: [Privilege Rights]SeRemoteShutdownPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Administrators
(Policy)		 Critical
Generate security audits
(CCE-37639-2)		 Description: This policy setting determines which users or processes can generate audit records in the Security log. The recommended state for this setting is: LOCAL SERVICE, NETWORK SERVICE. Note: A Member Server that holds the Web Server (IIS) Role with Web Server Role Service will require a special exception to this recommendation, to allow IIS application pool(s) to be granted this user right. Note #2: A Member Server that holds the Active Directory Federation Services Role will require a special exception to this recommendation, to allow the NT SERVICE\ADFSSrv and NT SERVICE\DRS services, as well as the associated Active Directory Federation Services service account, to be granted this user right.
Key Path: [Privilege Rights]SeAuditPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Local Service, Network Service, IIS APPPOOL\DefaultAppPool
(Policy)		 Critical
Increase a process working set
(AZ-WIN-00185)		 Description: This privilege determines which user accounts can increase or decrease the size of a process’s working set. The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, users, or computers.
Key Path: [Privilege Rights]SeIncreaseWorkingSetPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 Administrators, Local Service
(Policy)		 Warning
Increase scheduling priority
(CCE-38326-5)		 Description: This policy setting determines whether users can increase the base priority class of a process. (It is not a privileged operation to increase relative priority within a priority class.) This user right is not required by administrative tools that are supplied with the operating system but might be required by software development tools. The recommended state for this setting is: Administrators.
Key Path: [Privilege Rights]SeIncreaseBasePriorityPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Administrators
(Policy)		 Warning
Load and unload device drivers
(CCE-36318-4)		 Description: This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. This user right is required for users to add local printers or printer drivers in Windows Vista. The recommended state for this setting is: Administrators.
Key Path: [Privilege Rights]SeLoadDriverPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Administrators, Print Operators
(Policy)		 Warning
Lock pages in memory
(CCE-36495-0)		 Description: This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned, significant degradation of system performance can occur. The recommended state for this setting is: No One.
Key Path: [Privilege Rights]SeLockMemoryPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = No One
(Policy)		 Warning
Manage auditing and security log
(CCE-35906-7)		 Description:

This policy setting determines which users can change the auditing options for files and directories and clear the Security log. For environments running Microsoft Exchange Server, the 'Exchange Servers' group must possess this privilege on Domain Controllers to properly function. Given this, DCs granting the 'Exchange Servers' group this privilege do conform with this benchmark. If the environment does not use Microsoft Exchange Server, then this privilege should be limited to only 'Administrators' on DCs. - Level 1 - Domain Controller. The recommended state for this setting is: 'Administrators and (when Exchange is running in the environment) 'Exchange Servers'. - Level 1 - Member Server. The recommended state for this setting is: 'Administrators'


Key Path: [Privilege Rights]SeSecurityPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Administrators
(Policy)		 Critical
Modify an object label
(CCE-36054-5)		 Description: This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this privilege. The recommended state for this setting is: No One.
Key Path: [Privilege Rights]SeRelabelPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = No One
(Policy)		 Warning
Modify firmware environment values
(CCE-38113-7)		 Description: This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values and could lead to a hardware failure that would result in a denial of service condition. The recommended state for this setting is: Administrators.
Key Path: [Privilege Rights]SeSystemEnvironmentPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Administrators
(Policy)		 Warning
Perform volume maintenance tasks
(CCE-36143-6)		 Description: This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-of-service condition. The recommended state for this setting is: Administrators.
Key Path: [Privilege Rights]SeManageVolumePrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Administrators
(Policy)		 Warning
Profile single process
(CCE-37131-0)		 Description: This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if System Monitor is configured to collect data using Windows Management Instrumentation (WMI). Restricting the Profile single process user right prevents intruders from gaining additional information that could be used to mount an attack on the system. The recommended state for this setting is: Administrators.
Key Path: [Privilege Rights]SeProfileSingleProcessPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Administrators
(Policy)		 Warning
Profile system performance
(CCE-36052-9)		 Description: This policy setting allows users to use tools to view the performance of different system processes, which could be abused to allow attackers to determine a system's active processes and provide insight into the potential attack surface of the computer. The recommended state for this setting is: Administrators, NT SERVICE\WdiServiceHost.
Key Path: [Privilege Rights]SeSystemProfilePrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Administrators, NT SERVICE\WdiServiceHost
(Policy)		 Warning
Replace a process level token
(CCE-37430-6)		 Description: This policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges. The recommended state for this setting is: LOCAL SERVICE, NETWORK SERVICE. Note: A Member Server that holds the Web Server (IIS) Role with Web Server Role Service will require a special exception to this recommendation, to allow IIS application pool(s) to be granted this user right. Note #2: A Member Server with Microsoft SQL Server installed will require a special exception to this recommendation for additional SQL-generated entries to be granted this user right.
Key Path: [Privilege Rights]SeAssignPrimaryTokenPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 LOCAL SERVICE, NETWORK SERVICE
(Policy)		 Warning
Restore files and directories
(CCE-37613-7)		 Description: This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows Vista in your environment. This user right also determines which users can set valid security principals as object owners; it is similar to the Backup files and directories user right. The recommended state for this setting is: Administrators.
Key Path: [Privilege Rights]SeRestorePrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 Administrators, Backup Operators
(Policy)		 Warning
Shut down the system
(CCE-38328-1)		 Description: This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition. The recommended state for this setting is: Administrators.
Key Path: [Privilege Rights]SeShutdownPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Administrators, Backup Operators
(Policy)		 Warning
Take ownership of files or other objects
(CCE-38325-7)		 Description: This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user. The recommended state for this setting is: Administrators.
Key Path: [Privilege Rights]SeTakeOwnershipPrivilege
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = Administrators
(Policy)		 Critical
Impersonate a client after authentication
(AZ-WIN-73785)		 Description: The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user. If this user right is required for this kind of impersonation, an unauthorized user will not be able to convince a client to connect-for example, by remote procedure call (RPC) or named pipes-to a service that they have created to impersonate that client, which could elevate the unauthorized user's permissions to administrative or system levels. Services that are started by the Service Control Manager have the built-in Service group added by default to their access tokens. COM servers that are started by the COM infrastructure and configured to run under a specific account also have the Service group added to their access tokens. As a result, these processes are assigned this user right when they are started. Also, a user can impersonate an access token if any of the following conditions exist: - The access token that is being impersonated is for this user. - The user, in this logon session, logged on to the network with explicit credentials to create the access token. - The requested level is less than Impersonate, such as Anonymous or Identify. An attacker with the Impersonate a client after authentication user right could create a service, trick a client to make them connect to the service, and then impersonate that client to elevate the attacker's level of access to that of the client. The recommended state for this setting is: Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE. Note: This user right is considered a "sensitive privilege" for the purposes of auditing. Note #2: A Member Server with Microsoft SQL Server and its optional "Integration Services" component installed will require a special exception to this recommendation for additional SQL-generated entries to be granted this user right.
Key Path: [Privilege Rights]SeImpersonatePrivilege
OS: WS2016, WS2019
Server Type: Domain Controller, Domain Member, Workgroup Member		 Administrators, Service, Local Service, Network Service
(Policy)		 Important

Windows Components

Name
(ID)		 Details Expected value
(Type)		 Severity
Allow Basic authentication
(CCE-36254-1)		 Description: This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\AllowBasic
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical
Allow Diagnostic Data
(AZ-WIN-00169)		 Description: This policy setting determines the amount of diagnostic and usage data reported to Microsoft. A value of 0 will send minimal data to Microsoft. This data includes Malicious Software Removal Tool (MSRT) & Windows Defender data, if enabled, and telemetry client settings. Setting a value of 0 applies to enterprise, EDU, IoT and server devices only. Setting a value of 0 for other devices is equivalent to choosing a value of 1. A value of 1 sends only a basic amount of diagnostic and usage data. Note that setting values of 0 or 1 will degrade certain experiences on the device. A value of 2 sends enhanced diagnostic and usage data. A value of 3 sends the same data as a value of 2, plus additional diagnostics data, including the files and content that may have caused the problem. Windows 10 telemetry settings apply to the Windows operating system and some first party apps. This setting does not apply to third party apps running on Windows 10. The recommended state for this setting is: Enabled: 0 - Security [Enterprise Only]. Note: If the "Allow Telemetry" setting is configured to "0 - Security [Enterprise Only]", then the options in Windows Update to defer upgrades and updates will have no effect.
Key Path: SOFTWARE\Policies\Microsoft\Windows\DataCollection\AllowTelemetry
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= 1
(Registry)		 Warning
Allow indexing of encrypted files
(CCE-38277-0)		 Description: This policy setting controls whether encrypted items are allowed to be indexed. When this setting is changed, the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Warning
Allow Microsoft accounts to be optional
(CCE-38354-7)		 Description: This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. If you enable this policy setting, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead. If you disable or do not configure this policy setting, users will need to sign in with a Microsoft account.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\MSAOptional
OS: WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Warning
Allow unencrypted traffic
(CCE-38223-4)		 Description: This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical
Allow user control over installs
(CCE-36400-0)		 Description: Permits users to change installation options that typically are available only to system administrators. The security features of Windows Installer prevent users from changing installation options typically reserved for system administrators, such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\Installer\EnableUserControl
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical
Always install with elevated privileges
(CCE-37490-0)		 Description: This setting controls whether or not Windows Installer should use system permissions when it installs any program on the system. Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders. Caution: If enabled, skilled users can take advantage of the permissions this setting grants to change their privileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this setting is not guaranteed to be secure. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Warning
Always prompt for password upon connection
(CCE-37929-7)		 Description: This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they already provided the password in the Remote Desktop Connection client. By default, Terminal Services allows users to automatically log on if they enter a password in the Remote Desktop Connection client. Note If you do not configure this policy setting, the local computer administrator can use the Terminal Services Configuration tool to either allow or prevent passwords from being automatically sent.
Key Path: SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Application: Control Event Log behavior when the log file reaches its maximum size
(CCE-37775-4)		 Description: This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
Key Path: SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\Retention
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical
Application: Specify the maximum log file size (KB)
(CCE-37948-7)		 Description: This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
Key Path: SOFTWARE\Policies\Microsoft\Windows\EventLog\Application\MaxSize
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= 32768
(Registry)		 Critical
Block all consumer Microsoft account user authentication
(AZ-WIN-20198)		 Description: This setting determines whether applications and services on the device can utilize new consumer Microsoft account authentication via the Windows OnlineID and WebAccountManager APIs. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Policies\Microsoft\MicrosoftAccount\DisableUserAuth
OS: WS2016, WS2019
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Configure local setting override for reporting to Microsoft MAPS
(AZ-WIN-00173)		 Description: This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority over Group Policy. If you disable or do not configure this setting Group Policy will take priority over the local preference setting.
Key Path: SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\LocalSettingOverrideSpynetReporting
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Warning
Configure Windows SmartScreen
(CCE-35859-8)		 Description: This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. If you enable this policy setting, Windows SmartScreen behavior may be controlled by setting one of the following options: • Give user a warning before running downloaded unknown software • Turn off SmartScreen. If you disable or do not configure this policy setting, Windows SmartScreen behavior is managed by administrators on the PC by using Windows SmartScreen Settings in Security and Maintenance. Options: • Give user a warning before running downloaded unknown software • Turn off SmartScreen
Key Path: SOFTWARE\Policies\Microsoft\Windows\System\EnableSmartScreen
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Warning
Detect change from default RDP port
(AZ-WIN-00156)		 Description: This setting determines whether the network port that listens for Remote Desktop Connections has been changed from the default 3389
Key Path: System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 3389
(Registry)		 Critical
Disable Windows Search Service
(AZ-WIN-00176)		 Description: This registry setting disables the Windows Search Service
Key Path: System\CurrentControlSet\Services\Wsearch\Start
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 4
(Registry)		 Critical
Disallow Autoplay for non-volume devices
(CCE-37636-8)		 Description: This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices.
Key Path: SOFTWARE\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume
OS: WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Disallow Digest authentication
(CCE-38318-2)		 Description: This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\WinRM\Client\AllowDigest
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(Registry)		 Critical
Disallow WinRM from storing RunAs credentials
(CCE-36000-8)		 Description: This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser and RunAsPassword configuration values, the RunAsPassword configuration value will be erased from the credential store on this computer. If you disable or do not configure this policy setting, the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword value will be stored securely. If you enable and then disable this policy setting, any values that were previously configured for RunAsPassword will need to be reset.
Key Path: SOFTWARE\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Do not allow passwords to be saved
(CCE-36223-6)		 Description: This policy setting helps prevent Terminal Services clients from saving passwords on a computer. Note If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Terminal Services client disconnects from any server.
Key Path: SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Do not delete temp folders upon exit
(CCE-37946-1)		 Description: This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\DeleteTempDirsOnExit
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 1
(Registry)		 Warning
Do not display the password reveal button
(CCE-37534-5)		 Description: This policy setting allows you to configure the display of the password reveal button in password entry user experiences. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\CredUI\DisablePasswordReveal
OS: WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Warning
Do not show feedback notifications
(AZ-WIN-00140)		 Description: This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft. If you enable this policy setting, users will no longer see feedback notifications through the Windows Feedback app. If you disable or do not configure this policy setting, users may see notifications through the Windows Feedback app asking users for feedback. Note: If you disable or do not configure this policy setting, users can control how often they receive feedback questions.
Key Path: SOFTWARE\Policies\Microsoft\Windows\DataCollection\DoNotShowFeedbackNotifications
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Do not use temporary folders per session
(CCE-38180-6)		 Description: By default, Remote Desktop Services creates a separate temporary folder on the RD Session Host server for each active session that a user maintains on the RD Session Host server. The temporary folder is created on the RD Session Host server in a Temp folder under the user's profile folder and is named with the session ID. This temporary folder is used to store individual temporary files. To reclaim disk space, the temporary folder is deleted when the user logs off from a session. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 1
(Registry)		 Critical
Enumerate administrator accounts on elevation
(CCE-36512-2)		 Description: This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Warning
Prevent downloading of enclosures
(CCE-37126-0)		 Description: This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. The recommended state for this setting is: Enabled.
Key Path: SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Warning
Require secure RPC communication
(CCE-37567-5)		 Description: Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients. If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request. If the status is set to Not Configured, unsecured communication is allowed. Note: The RPC interface is used for administering and configuring Remote Desktop Services.
Key Path: SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fEncryptRPCTraffic
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Require user authentication for remote connections by using Network Level Authentication
(AZ-WIN-00149)		 Description: Require user authentication for remote connections by using Network Level Authentication
Key Path: SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\UserAuthentication
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 1
(Registry)		 Critical
Scan removable drives
(AZ-WIN-00177)		 Description: This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives such as USB flash drives when running a full scan. If you enable this setting removable drives will be scanned during any type of scan. If you disable or do not configure this setting removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan.
Key Path: SOFTWARE\Policies\Microsoft\Windows Defender\Scan\DisableRemovableDriveScanning
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 0
(Registry)		 Critical
Security: Control Event Log behavior when the log file reaches its maximum size
(CCE-37145-0)		 Description: This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
Key Path: SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\Retention
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical
Security: Specify the maximum log file size (KB)
(CCE-37695-4)		 Description: This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments. If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
Key Path: SOFTWARE\Policies\Microsoft\Windows\EventLog\Security\MaxSize
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= 196608
(Registry)		 Critical
Send file samples when further analysis is required
(AZ-WIN-00126)		 Description: This policy setting configures behavior of samples submission when opt-in for MAPS telemetry is set. Possible options are: (0x0) Always prompt (0x1) Send safe samples automatically (0x2) Never send (0x3) Send all samples automatically
Key Path: SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Warning
Set client connection encryption level
(CCE-36627-8)		 Description: This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session.
Key Path: SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 3
(Registry)		 Critical
Set the default behavior for AutoRun
(CCE-38217-6)		 Description: This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to: a) Completely disable autorun commands, or b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command. If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Setup: Control Event Log behavior when the log file reaches its maximum size
(CCE-38276-2)		 Description: This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
Key Path: SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup\Retention
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical
Setup: Specify the maximum log file size (KB)
(CCE-37526-1)		 Description: This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments. If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
Key Path: SOFTWARE\Policies\Microsoft\Windows\EventLog\Setup\MaxSize
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= 32768
(Registry)		 Critical
Sign-in last interactive user automatically after a system-initiated restart
(CCE-36977-7)		 Description: This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableAutomaticRestartSignOn
OS: WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Critical
Specify the interval to check for definition updates
(AZ-WIN-00152)		 Description: This policy setting allows you to specify an interval at which to check for definition updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day). If you enable this setting, checking for definition updates will occur at the interval specified. If you disable or do not configure this setting, checking for definition updates will occur at the default interval.
Key Path: SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates\SignatureUpdateInterval
OS: WS2008, WS2008R2, WS2012, WS2012R2
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 8
(Registry)		 Critical
System: Control Event Log behavior when the log file reaches its maximum size
(CCE-36160-0)		 Description: This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
Key Path: SOFTWARE\Policies\Microsoft\Windows\EventLog\System\Retention
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical
System: Specify the maximum log file size (KB)
(CCE-36092-5)		 Description: This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2,147,483,647 kilobytes) in kilobyte increments. If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.
Key Path: SOFTWARE\Policies\Microsoft\Windows\EventLog\System\MaxSize
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 >= 32768
(Registry)		 Critical
The Application Compatibility Program Inventory must be prevented from collecting data and sending the information to Microsoft.
(AZ-WIN-73543)		 Description: Some features may communicate with the vendor, sending system information or downloading data or components for the feature. Turning off this capability will prevent potentially sensitive information from being sent outside the enterprise and will prevent uncontrolled updates to the system. This setting will prevent the Program Inventory from collecting data about a system and sending the information to Microsoft.
Key Path: SOFTWARE\Policies\Microsoft\Windows\AppCompat\DisableInventory
OS: WS2016, WS2019, WS2022
Server Type: Domain Member		 = 1
(Registry)		 Informational
Turn off Autoplay
(CCE-36875-3)		 Description: Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. You can enable the Turn off Autoplay setting to disable the Autoplay feature. Autoplay is disabled by default on some removable drive types, such as floppy disk and network drives, but not on CD-ROM drives. Note You cannot use this policy setting to enable Autoplay on computer drives in which it is disabled by default, such as floppy disk and network drives.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 255
(Registry)		 Critical
Turn off Data Execution Prevention for Explorer
(CCE-37809-1)		 Description: Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer. The recommended state for this setting is: Disabled. Note: Some legacy plug-in applications and other software may not function with Data Execution Prevention and will require an exception to be defined for that specific plug-in/software.
Key Path: SOFTWARE\Policies\Microsoft\Windows\Explorer\NoDataExecutionPrevention
OS: WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical
Turn off heap termination on corruption
(CCE-36660-9)		 Description: Without heap termination on corruption, legacy plug-in applications may continue to function when a File Explorer session has become corrupt. Ensuring that heap termination on corruption is active will prevent this. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Critical
Turn off Microsoft consumer experiences
(AZ-WIN-00144)		 Description: This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account. If you enable this policy setting, users will no longer see personalized recommendations from Microsoft and notifications about their Microsoft account. If you disable or do not configure this policy setting, users may see suggestions from Microsoft and notifications about their Microsoft account. Note: This setting only applies to Enterprise and Education SKUs.
Key Path: SOFTWARE\Policies\Microsoft\Windows\CloudContent\DisableWindowsConsumerFeatures
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 1
(Registry)		 Warning
Turn off shell protocol protected mode
(CCE-36809-2)		 Description: This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the protected mode to increase the security of Windows. The recommended state for this setting is: Disabled.
Key Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior
OS: WS2008, WS2008R2, WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Warning
Turn on behavior monitoring
(AZ-WIN-00178)		 Description: This policy setting allows you to configure behavior monitoring. If you enable or do not configure this setting behavior monitoring will be enabled. If you disable this setting behavior monitoring will be disabled.
Key Path: SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 Doesn't exist or = 0
(Registry)		 Warning
Turn on PowerShell Script Block Logging
(AZ-WIN-73591)		 Description: This policy setting enables logging of all PowerShell script input to the Applications and Services Logs\Microsoft\Windows\PowerShell\Operational Event Log channel. The recommended state for this setting is: Enabled. Note: If logging of Script Block Invocation Start/Stop Events is enabled (option box checked), PowerShell will log additional events when invocation of a command, script block, function, or script starts or stops. Enabling this option generates a high volume of event logs. CIS has intentionally chosen not to make a recommendation for this option, since it generates a large volume of events. If an organization chooses to enable the optional setting (checked), this also conforms to the benchmark.
Key Path: SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging
OS: WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member, Workgroup Member		 = 1
(Registry)		 Important

Windows Settings - Security Settings

Name
(ID)		 Details Expected value
(Type)		 Severity
Adjust memory quotas for a process
(CCE-10849-8)		 Description: This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) attack. The recommended state for this setting is: Administrators, LOCAL SERVICE, NETWORK SERVICE. Note: A Member Server that holds the Web Server (IIS) Role with Web Server Role Service will require a special exception to this recommendation, to allow IIS application pool(s) to be granted this user right. Note #2: A Member Server with Microsoft SQL Server installed will require a special exception to this recommendation for additional SQL-generated entries to be granted this user right.
Key Path: [Privilege Rights]SeIncreaseQuotaPrivilege
OS: WS2012, WS2012R2, WS2016, WS2019, WS2022
Server Type: Domain Controller, Domain Member		 Administrators, Local Service, Network Service
(Policy)		 Warning

Note

Availability of specific Azure Policy guest configuration settings may vary in Azure Government and other national clouds.

Next steps

Additional articles about Azure Policy and guest configuration:

Postagens relacionadas

If 5 men can make 5 flags in 5 minutes how many men are required to make 50 flags in 50 minutes
If 5 men can make 5 flags in 5 minutes how many men are required to make 50 flags in 50 minutes

50 workers can build 50 walls in 25 days how many days will it take for 25 workers to build 25 walls
50 workers can build 50 walls in 25 days how many days will it take for 25 workers to build 25 walls

20 workers need 6 hours to build a wall how many hours will 15 workers need to build the same wall
20 workers need 6 hours to build a wall how many hours will 15 workers need to build the same wall

Which group would be most likely to oppose government intervention to improve the tenements
Which group would be most likely to oppose government intervention to improve the tenements

What is the name of the process in which one company studies the processes of another firm?
What is the name of the process in which one company studies the processes of another firm?

Which one of these represents a firm that seeks to match the benefits of a successful competitor while maintaining its competitive position?
Which one of these represents a firm that seeks to match the benefits of a successful competitor while maintaining its competitive position?

Ferrous sulfate life threatening Considerations
Ferrous sulfate life threatening Considerations

How many liters of water must be added to 21 liters of milk and water contains 20% water to make it 40% water in it?
How many liters of water must be added to 21 liters of milk and water contains 20% water to make it 40% water in it?

Which of the following programs can copy itself and spread from one file to another such as in word processing or spreadsheet programs?
Which of the following programs can copy itself and spread from one file to another such as in word processing or spreadsheet programs?

What is the test for intravascular coagulation?
What is the test for intravascular coagulation?

Jogo do corinthians hoje ao vivo gratis
Jogo do corinthians hoje ao vivo gratis

Qual o pigmento responsável pela fotossíntese?
Qual o pigmento responsável pela fotossíntese?

Qual cidade do estado de São Paulo passa o Trópico de Capricórnio?
Qual cidade do estado de São Paulo passa o Trópico de Capricórnio?

Qual é a principal consequência da automação para a produtividade?
Qual é a principal consequência da automação para a produtividade?

Tem como duas pessoas assistir Netflix ao mesmo tempo no mesmo perfil?
Tem como duas pessoas assistir Netflix ao mesmo tempo no mesmo perfil?

O balanço patrimonial evidencia a situação financeira patrimonial das entidades
O balanço patrimonial evidencia a situação financeira patrimonial das entidades

Quais foram as principais alterações no balanço patrimonial trazidas pela Lei 11638 07 e a Lei das sociedades Anônimas?
Quais foram as principais alterações no balanço patrimonial trazidas pela Lei 11638 07 e a Lei das sociedades Anônimas?

Quantas vacinas O cachorro tem que tomar ao longo da vida?
Quantas vacinas O cachorro tem que tomar ao longo da vida?

Como dividir todos os valores de uma coluna no Excel
Como dividir todos os valores de uma coluna no Excel

Quais eram as condições de trabalho dos imigrantes que vieram para região Sul do Brasil?
Quais eram as condições de trabalho dos imigrantes que vieram para região Sul do Brasil?

Publicidade

ÚLTIMAS NOTÍCIAS

Is defined as two or more interacting and interdependent individuals who come together to achieve specific goals?
1 anos atrás . por InflatedHumility
If 5 men can make 5 flags in 5 minutes how many men are required to make 50 flags in 50 minutes
1 anos atrás . por TropicalPhrasing
50 workers can build 50 walls in 25 days how many days will it take for 25 workers to build 25 walls
1 anos atrás . por DamagedShoplifting
20 workers need 6 hours to build a wall how many hours will 15 workers need to build the same wall
1 anos atrás . por IncredibleLitigation
Which group would be most likely to oppose government intervention to improve the tenements
1 anos atrás . por EscapingAdvice
What is the name of the process in which one company studies the processes of another firm?
1 anos atrás . por PerverseSiding
Which one of these represents a firm that seeks to match the benefits of a successful competitor while maintaining its competitive position?
1 anos atrás . por SatiricalCrossroads
Ferrous sulfate life threatening Considerations
1 anos atrás . por DarkStandpoint
How many liters of water must be added to 21 liters of milk and water contains 20% water to make it 40% water in it?
1 anos atrás . por NostalgicTuesday
Which of the following programs can copy itself and spread from one file to another such as in word processing or spreadsheet programs?
1 anos atrás . por PlanetaryWomanhood

Toplistas

#1
Top 7 remédio para dor de ouvido infantil 6 anos 2022
1 anos atrás
#2
Top 7 folder programa para fazer 2022
1 anos atrás
#3
Top 7 o que é bom para reduzir o colesterol ruim 2022
1 anos atrás
#4
Top 8 o que é cidade local 2022
1 anos atrás
#5
Top 8 distancia entre cidades americanas e canadenses 2022
1 anos atrás
#6
Top 9 o texto apresenta uma relação entre atividade econômica e organização social marcada pelo 2022
1 anos atrás
#7
Top 5 blusas de croche verão 2022
1 anos atrás
#8
Top 6 cha de cordão de frade para que serve 2022
1 anos atrás
#9
Top 8 se a cada hora o planeta percorre 15° de longitude quantos graus ele realiza a cada rotação 2022
1 anos atrás
#10
Top 5 crie um algoritmo que calcule o valor do fatorial de um número fornecido pelo usuário 2022
1 anos atrás

Publicidade

Populer

Publicidade

Sobre

Jurídica

Ajuda

Social

direito autoral © 2024 comojogaruno Inc.