Was ist das Audit Report Modul?

Das Audit Report Modul vom Hamburger-IT-Service* überprüfen verschiedene Standard-Produkte auf die Konfiguration wichtiger und relevanter Sicherheitseinstellungen. Die Referenzen, gegen die geprüft wird, sind grundlegend etablierte und erprobte Sicherheitsstandards – zum Beispiel die Härtungsempfehlungen und Konfigurationsvorgaben von:

  • DISA (Defense Information Systems Agency)
  • CIS (Center for Internet Security)
  • BSI (Bundesamt für Sicherheit in der Informationstechnik)
  • ACSC (Australian Cyber Security Center)
  • Herstellerempfehlungen, bspw. von Microsoft

Mit dem AuditTAP erzeugen Sie schnell und mit geringem Aufwand eine einfache und übersichtliche, HTML-basierte Dokumentation Ihrer Systeme.

AuditTAP: Download & Installation

Das Audit Test Automation Package (AuditTAP) der FB Pro GmbH können Sie kostenlos bei Github herunterladen und konform der angegebenen Lizenzbedingungen kostenfrei nutzen. Hier erhalten Sie auch detaillierte Informationen zum Produkt, beispielsweise für die Installation und Einrichtung.

Download des Audit-Standalone Programms

Audit Report Modul: die Features

Entsprechen Ihre Produkte den aktuellen Empfehlungen zur sicherheitstechnischen Konfiguration? Sind die Dokumentationen Ihrer IT-Systeme vorhanden? Wie sieht der Compliance-Status der Einstellungen aus? Diese und weitere Fragen beantworten Ihnen unser Audit TAP-Reports ganz schnell und einfach.

Das Audit TAP führt ein automatisiertes Audit durch, indem es – je nach Produkt – bis zu mehrere hundert Konfigurationseinstellung überprüft. Hierbei werden unter anderem die genutzten Algorithmen und Schlüssel, der Speicherort von Log-Daten, die Nutzung von TLS 1.2 (oder höher), die aktivierten Services oder vorhandene, separierte Service-Accounts gecheckt.

Nach dem Audit erzeugt das Audit Test Automation Package einen Report im HTML-Format. In diesem sehen Sie, welche Settings den Empfehlungen entsprechen und welche nicht.

Audits gemäß der Datenschutz-Grundverordnung

Das AuditTAP bietet ebenso einen Windows 10 GDPR / DS-GVO Report an. Bei diesem werden über 100 Windows 10-Einstellungen auf ihre Datenschutz-Konformität überprüft. Mehr Informationen dazu gibt es in unserem Beitrag “AuditTAP: GDPR Compliance Checks für Windows 10“.

Report Beispiel eines Windows 11 gehärteten Computers

Report Beispiel eines Windows 11 gehärteten Computers [07/20/2022 16:59:28]

Report Beispiel eines Windows 11 gehärteten Computers

Generated by the ATAPAuditor Module Version 5.0 by Hamburger-IT-Service. Are you seeing a lot of red sections? Check out our hardening solution:

  • Security baseline for Microsoft Windows 11, Version: 20H2, Date: 2020-12-17
  • CIS Microsoft Windows 11 Enterprise Release 21H2 Benchmark, Version: 21H2, Date: 2022-02-14

This report was generated on 07/20/2022 16:59:29 on Hostname1DomainName with TAPHtmlReport version 1.8.

Hostname Hostname1DomainName
Build Number 22000
Free physical memory (GB) 5,216
Operating System Microsoft Windows 11 Pro
Domain role Member Workstation
Free disk space (GB) 885,6
Installation Language English (United States)

Summary

A total of 892 tests have been executed.

  1. True 672 test(s) ≙ 75.34%
  2. False 217 test(s) ≙ 24.33%
  3. Warning 2 test(s) ≙ 0.22%
  4. None 0 test(s) ≙ 0.00%
  5. Error 1 test(s) ≙ 0.11%

General Benchmarks

A total of 22 tests have been executed in section General Benchmarks.

  1. True 14 test(s) ≙ 63.64%
  2. False 5 test(s) ≙ 22.73%
  3. Warning 2 test(s) ≙ 9.09%
  4. None 0 test(s) ≙ 0.00%
  5. Error 1 test(s) ≙ 4.55%

Microsoft Benchmarks

A total of 347 tests have been executed in section Microsoft Benchmarks.

  1. True 187 test(s) ≙ 53.89%
  2. False 160 test(s) ≙ 46.11%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

CIS Benchmarks

A total of 523 tests have been executed in section CIS Benchmarks.

  1. True 471 test(s) ≙ 90.06%
  2. False 52 test(s) ≙ 9.94%
  3. Warning 0 test(s) ≙ 0.00%
  4. None 0 test(s) ≙ 0.00%
  5. Error 0 test(s) ≙ 0.00%

Table of Contents

Click the link(s) below for quick access to a report section.

General Benchmarks

This section contains general benchmarks

Security Base Data

This section contains basic recommendations for a secure Microsoft Windows configuration.

Id Task Message Status
SBD-001 Ensure the system is booting in ‚UEFI‘ mode. Compliant True
SBD-002 Ensure the system is using SecureBoot. SecureBoot is supported but disabled. False
SBD-003 Ensure the TPM Chip is ‚present‘. Compliant True
SBD-004 Ensure the TPM Chip is ‚ready‘. Compliant True
SBD-005 Ensure the TPM Chip is ‚enabled‘. Compliant True
SBD-006 Ensure the TPM Chip is ‚activated‘. Compliant True
SBD-007 Ensure the TPM Chip is ‚owned‘. Compliant True
SBD-008 Ensure the TPM Chip is implementing specification version 2.0 or higher. Compliant True
SBD-009 Get the count of local users on the system. System has 3-5 local users. Warning
SBD-010 Get the count of admin users on the system. System has 3-5 admin users. Warning
SBD-011 Ensure the status of the Bitlocker service is ‚Running‘. Compliant True
SBD-012 Ensure that Bitlocker is activated on all volumes. Bitlocker status is unknown. Error
SBD-013 Ensure the status of the Windows Defender service is ‚Running‘. Compliant True
SBD-014 Ensure the status of the Microsoft Defender for Endpoint service is ‚Running‘. Service is not ‚Running‘ (More info). False
SBD-015 Ensure the Windows Firewall is enabled on all profiles. Compliant True
SBD-016 Check if the last successful search for updates was in the past 24 hours. Compliant True
SBD-017 Check if the last successful installation of updates was in the past 5 days. Compliant True
SBD-018 Ensure Virtualization Based Security is enabled and running. VBS is activated but not running. False
SBD-019 Ensure Hypervisor-protected Code Integrity (HVCI) is running. HVCI is not running. False
SBD-020 Ensure Credential Guard is running. Credential Guard is not running. False
SBD-021 Ensure the Attack Surface Reduction (ASR) rules are enabled. Compliant (12+ rules enabled) True
SBD-022 Ensure Windows Defender Application Guard is enabled. Compliant True

Microsoft Benchmarks

This section contains all benchmarks from Microsoft

Registry Settings/Group Policies

Id Task Message Status
Registry-009 Set registry value ‚UseEnhancedPin‘ to 1. Compliant True
Registry-010 Set registry value ‚RDVDenyCrossOrg‘ to 0. Compliant True
Registry-011 Set registry value ‚DisableExternalDMAUnderLock‘ to 1. Compliant True
Registry-012 Set registry value ‚DCSettingIndex‘ to 0. Compliant True
Registry-013 Set registry value ‚ACSettingIndex‘ to 0. Compliant True
Registry-014 Set registry value ‚DenyDeviceClasses‘ to 1. Compliant True
Registry-015 Set registry value ‚DenyDeviceClassesRetroactive‘ to 1. Compliant True
Registry-016 Set registry value ‚1‘ to ‚Prevent installation of drivers matching these device setup classes‘. Compliant True
Registry-017 Ensure ‚Deny write access to removable drives not protected by BitLocker‘ is set to ‚Enabled‘. Compliant True
Registry-018 Set registry value ‚PUAProtection‘ to 1. Compliant True
Registry-019 Set registry value ‚MpCloudBlockLevel‘ to 2. Registry value not found. False
Registry-020 Ensure ‚Scan all downloaded files and attachments‘ is set to ‚Enabled‘. Compliant True
Registry-021 Ensure ‚Turn off real-time protection‘ is set to ‚Disabled‘. Compliant True
Registry-022 Set registry value ‚DisableScriptScanning‘ to 0. Compliant True
Registry-023 Ensure ‚Scan removable drives‘ is set to ‚Enabled‘. Compliant True
Registry-024 Ensure ‚Send file samples when further analysis is required‘ is set to ‚Send safe samples‘. Registry value is ‚2‘. Expected: 1 False
Registry-025 Ensure ‚Join Microsoft MAPS‘ is set to ‚Advanced MAPS‘. Registry value is ‚0‘. Expected: 2 False
Registry-026 Ensure ‚Configure the ‚Block at First Sight‘ feature‘ is set to ‚Enabled‘. Registry value not found. False
Registry-027 Set registry value ‚ExploitGuard_ASR_Rules‘ to 1. Compliant True
Registry-028 (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured Compliant True
Registry-029 (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured Compliant True
Registry-030 (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured Compliant True
Registry-031 (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured Compliant True
Registry-032 (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured Compliant True
Registry-033 (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured Compliant True
Registry-034 (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured Compliant True
Registry-035 (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured Compliant True
Registry-036 (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured Compliant True
Registry-037 (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured Compliant True
Registry-038 (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured Compliant True
Registry-039 Use advanced protection against ransomware Registry value not found. False
Registry-040 (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured Compliant True
Registry-041 Set registry value ‚EnableNetworkProtection‘ to 1. Compliant True
Registry-042 Ensure ‚Turn On Virtualization Based Security‘ is set to ‚Enabled‘. Compliant True
Registry-043 Ensure ‚Turn On Virtualization Based Security‘ is set to ‚Secure Boot‘. Registry value is ‚3‘. Expected: 1 False
Registry-044 Ensure ‚Turn On Virtualization Based Security‘ is set to ‚Enabled with UEFI lock‘. Compliant True
Registry-045 Set registry value ‚HVCIMATRequired‘ to 1. Compliant True
Registry-046 Ensure ‚Turn On Virtualization Based Security‘ is set to ‚Enabled with UEFI lock‘. Compliant True
Registry-047 Set registry value ‚ConfigureSystemGuardLaunch‘ to 1. Compliant True
Registry-048 Ensure ‚Do not suggest third-party content in Windows spotlight‘ is set to ‚Enabled‘. Registry key not found. False
Registry-049 Set registry value ‚NoToastApplicationNotificationOnLockScreen‘ to 1. Registry key not found. False
Registry-050 Set registry value ‚AutoConnectAllowedOEM‘ to 0. Compliant True
Registry-051 Ensure ‚Enumerate administrator accounts on elevation‘ is set to ‚Disabled‘. Compliant True
Registry-052 Ensure ‚Turn off Autoplay‘ is set to ‚All drives‘. Compliant True
Registry-053 Set registry value ‚NoWebServices‘ to 1. Compliant True
Registry-054 Ensure ‚Set the default behavior for AutoRun‘ is set to ‚Do not execute any autorun commands‘. Compliant True
Registry-055 Ensure ‚Allow Microsoft accounts to be optional‘ is set to ‚Enabled‘. Compliant True
Registry-056 Ensure ‚Sign-in last interactive user automatically after a system-initiated restart‘ is set to ‚Disabled‘. Compliant True
Registry-057 Set registry value ‚LocalAccountTokenFilterPolicy‘ to 0. Compliant True
Registry-058 Set registry value ‚AllowEncryptionOracle‘ to 0. Compliant True
Registry-059 Set registry value ‚EnhancedAntiSpoofing‘ to 1. Compliant True
Registry-060 Ensure ‚Prevent downloading of enclosures‘ is set to ‚Enabled‘. Registry key not found. False
Registry-061 Ensure ‚Require a password when a computer wakes (on battery)‘ is set to ‚Enabled‘. Compliant True
Registry-062 Ensure ‚Require a password when a computer wakes (plugged in)‘ is set to ‚Enabled‘. Compliant True
Registry-063 Set registry value ‚LetAppsActivateWithVoiceAboveLock‘ to 2. Compliant True
Registry-064 Ensure ‚Turn off Microsoft consumer experiences‘ is set to ‚Enabled‘. Compliant True
Registry-065 Set registry value ‚AllowProtectedCreds‘ to 1. Compliant True
Registry-066 Ensure ‚Specify the maximum log file size (KB)‘ is set to ‚32768‘. Compliant True
Registry-067 Ensure ‚Specify the maximum log file size (KB)‘ is set to ‚196608‘. Compliant True
Registry-068 Ensure ‚Specify the maximum log file size (KB)‘ is set to ‚32768‘. Compliant True
Registry-069 Ensure ‚Disallow Autoplay for non-volume devices‘ is set to ‚Enabled‘. Compliant True
Registry-070 Set registry value ‚AllowGameDVR‘ to 0. Compliant True
Registry-071 Ensure ‚Configure registry policy processing‘ is set to ‚0‘. Compliant True
Registry-072 Ensure ‚Configure registry policy processing‘ is set to ‚0‘. Compliant True
Registry-073 Set registry value ‚AlwaysInstallElevated‘ to 0. Compliant True
Registry-074 Ensure ‚Allow user control over installs‘ is set to ‚Disabled‘. Compliant True
Registry-075 Set registry value ‚DeviceEnumerationPolicy‘ to 0. Compliant True
Registry-076 Ensure ‚Enable insecure guest logons‘ is set to ‚Disabled‘. Compliant True
Registry-077 Ensure ‚Prohibit use of Internet Connection Sharing on your DNS domain network‘ is set to ‚Enabled‘. Compliant True
Registry-078 Set registry value ‚\\*\SYSVOL‘ to RequireMutualAuthentication=1,RequireIntegrity=1. Registry value is “. Expected: RequireMutualAuthentication=1,RequireIntegrity=1 False
Registry-079 Set registry value ‚\\*\NETLOGON‘ to RequireMutualAuthentication=1,RequireIntegrity=1. Registry value is ‚RequireMutualAuthentication=1, RequireIntegrity=1‘. Expected: RequireMutualAuthentication=1,RequireIntegrity=1 False
Registry-080 Set registry value ‚NoLockScreenCamera‘ to 1. Compliant True
Registry-081 Set registry value ‚NoLockScreenSlideshow‘ to 1. Compliant True
Registry-082 Ensure ‚Turn on PowerShell Script Block Logging‘ is set to ‚Enabled‘. Registry value is ‚0‘. Expected: 1 False
Registry-083 Ensure ‚Turn on PowerShell Script Block Logging‘ is not set. Compliant. Registry value not found. True
Registry-084 Ensure ‚Turn on convenience PIN sign-in‘ is set to ‚Disabled‘. Compliant True
Registry-085 Ensure ‚Enumerate local users on domain-joined computers‘ is set to ‚Disabled‘. Compliant True
Registry-086 Ensure ‚Configure Windows SmartScreen‘ is set to ‚Enabled‘. Compliant True
Registry-087 Set registry value ‚ShellSmartScreenLevel‘ to Block. Registry value not found. False
Registry-088 Ensure ‚Prohibit connection to non-domain networks when connected to domain authenticated network‘ is set to ‚Enabled‘. Compliant True
Registry-089 Set registry value ‚AllowIndexingEncryptedStoresOrItems‘ to 0. Compliant True
Registry-090 Ensure ‚Disallow Digest authentication‘ is set to ‚Enabled‘. Compliant True
Registry-091 Ensure ‚Allow unencrypted traffic‘ is set to ‚Disabled‘. Compliant True
Registry-092 Ensure ‚Allow Basic authentication‘ is set to ‚Disabled‘. Compliant True
Registry-093 Ensure ‚Allow unencrypted traffic‘ is set to ‚Disabled‘. Compliant True
Registry-094 Ensure ‚Disallow WinRM from storing RunAs credentials‘ is set to ‚Enabled‘. Compliant True
Registry-095 Ensure ‚Allow Basic authentication‘ is set to ‚Disabled‘. Compliant True
Registry-096 Ensure ‚Turn off multicast name resolution‘ is set to ‚Enabled‘. Compliant True
Registry-097 Set registry value ‚DisableWebPnPDownload‘ to 1. Compliant True
Registry-098 Set registry value ‚RestrictDriverInstallationToAdministrators‘ to 1. Compliant True
Registry-099 Ensure ‚Restrict Unauthenticated RPC clients‘ is set to ‚Authenticated‘. Compliant True
Registry-100 Set registry value ‚fUseMailto‘ to . Compliant. Registry value not found. True
Registry-101 Set registry value ‚fAllowToGetHelp‘ to 0. Compliant True
Registry-102 Set registry value ‚fAllowFullControl‘ to . Compliant. Registry value not found. True
Registry-103 Set registry value ‚MaxTicketExpiry‘ to . Compliant. Registry value not found. True
Registry-104 Set registry value ‚MaxTicketExpiryUnits‘ to . Compliant. Registry value not found. True
Registry-105 Set registry value ‚MinEncryptionLevel‘ to 3. Compliant True
Registry-106 Set registry value ‚fPromptForPassword‘ to 1. Compliant True
Registry-107 Set registry value ‚fDisableCdm‘ to 1. Compliant True
Registry-108 Set registry value ‚DisablePasswordSaving‘ to 1. Compliant True
Registry-109 Set registry value ‚fEncryptRPCTraffic‘ to 1. Compliant True
Registry-110 Set registry value ‚PolicyVersion‘ to 538. Registry value not found. False
Registry-111 Set registry value ‚DefaultOutboundAction‘ to 0. Compliant True
Registry-112 Set registry value ‚DisableNotifications‘ to 1. Compliant True
Registry-113 Set registry value ‚EnableFirewall‘ to 1. Compliant True
Registry-114 Set registry value ‚DefaultInboundAction‘ to 1. Compliant True
Registry-115 Set registry value ‚LogDroppedPackets‘ to 1. Compliant True
Registry-116 Set registry value ‚LogFileSize‘ to 16384. Compliant True
Registry-117 Set registry value ‚LogSuccessfulConnections‘ to 1. Compliant True
Registry-118 Set registry value ‚EnableFirewall‘ to 1. Compliant True
Registry-119 Set registry value ‚DisableNotifications‘ to 1. Compliant True
Registry-120 Set registry value ‚DefaultInboundAction‘ to 1. Compliant True
Registry-121 Set registry value ‚DefaultOutboundAction‘ to 0. Compliant True
Registry-122 Set registry value ‚LogSuccessfulConnections‘ to 1. Compliant True
Registry-123 Set registry value ‚LogDroppedPackets‘ to 1. Compliant True
Registry-124 Set registry value ‚LogFileSize‘ to 16384. Compliant True
Registry-125 Set registry value ‚DefaultOutboundAction‘ to 0. Compliant True
Registry-126 Set registry value ‚EnableFirewall‘ to 1. Compliant True
Registry-127 Set registry value ‚DisableNotifications‘ to 1. Compliant True
Registry-128 Set registry value ‚AllowLocalIPsecPolicyMerge‘ to 0. Compliant True
Registry-129 Set registry value ‚AllowLocalPolicyMerge‘ to 0. Compliant True
Registry-130 Set registry value ‚DefaultInboundAction‘ to 1. Compliant True
Registry-131 Set registry value ‚LogFileSize‘ to 16384. Compliant True
Registry-132 Set registry value ‚LogDroppedPackets‘ to 1. Compliant True
Registry-133 Set registry value ‚LogSuccessfulConnections‘ to 1. Compliant True
Registry-134 Ensure ‚Allow Windows Ink Workspace‘ is set to ‚On, but disallow access above lock‘. Registry value is ‚0‘. Expected: 1 False
Registry-135 Set registry value ‚AdmPwdEnabled‘ to 1. Registry key not found. False
Registry-136 Ensure ‚WDigest Authentication (disabling may require KB2871997)‘ is set to ‚Disabled‘. Compliant True
Registry-137 Ensure ‚Enable Structured Exception Handling Overwrite Protection (SEHOP)‘ is set to ‚Enabled‘. Compliant True
Registry-138 Set registry value ‚DriverLoadPolicy‘ to 3. Compliant True
Registry-139 Ensure ‚Configure SMB v1 server‘ is set to ‚Disabled‘. Compliant True
Registry-140 Ensure ‚Configure SMB v1 client driver‘ is set to ‚Disable driver (recommended)‘. Compliant True
Registry-141 Set registry value ‚NoNameReleaseOnDemand‘ to 1. Compliant True
Registry-142 Set registry value ‚NodeType‘ to 2. Compliant True
Registry-143 Set registry value ‚EnableICMPRedirect‘ to 0. Compliant True
Registry-144 Set registry value ‚DisableIPSourceRouting‘ to 2. Compliant True
Registry-145 Set registry value ‚DisableIPSourceRouting‘ to 2. Compliant True
Registry-146 Set registry value ‚ScRemoveOption‘ to 1. Compliant True
Registry-147 Set registry value ‚InactivityTimeoutSecs‘ to 900. Compliant True
Registry-148 Set registry value ‚NoLMHash‘ to 1. Compliant True
Registry-149 Set registry value ‚EnablePlainTextPassword‘ to 0. Compliant True
Registry-150 Set registry value ‚LimitBlankPasswordUse‘ to 1. Compliant True
Registry-151 Set registry value ‚RestrictAnonymousSAM‘ to 1. Compliant True
Registry-152 Set registry value ‚RestrictAnonymous‘ to 1. Compliant True
Registry-153 Set registry value ‚RestrictNullSessAccess‘ to 1. Compliant True
Registry-154 Set registry value ‚SCENoApplyLegacyAuditPolicy‘ to 1. Compliant True
Registry-155 Set registry value ‚NTLMMinClientSec‘ to 537395200. Compliant True
Registry-156 Set registry value ‚LmCompatibilityLevel‘ to 5. Compliant True
Registry-157 Set registry value ‚allownullsessionfallback‘ to 0. Compliant True
Registry-158 Set registry value ‚NTLMMinServerSec‘ to 537395200. Compliant True
Registry-159 Set registry value ‚requirestrongkey‘ to 1. Compliant True
Registry-160 Set registry value ‚RequireSecuritySignature‘ to 1. Registry value is ‚0‘. Expected: 1 False
Registry-161 Set registry value ’sealsecurechannel‘ to 1. Compliant True
Registry-162 Set registry value ‚requiresignorseal‘ to 1. Compliant True
Registry-163 Set registry value ’signsecurechannel‘ to 1. Compliant True
Registry-164 Set registry value ‚requiresecuritysignature‘ to 1. Registry value is ‚0‘. Expected: 1 False
Registry-165 Set registry value ‚ProtectionMode‘ to 1. Compliant True
Registry-166 Set registry value ‚ConsentPromptBehaviorAdmin‘ to 2. Compliant True
Registry-167 Set registry value ‚EnableSecureUIAPaths‘ to 1. Compliant True
Registry-168 Set registry value ‚EnableLUA‘ to 1. Compliant True
Registry-169 Set registry value ‚ConsentPromptBehaviorUser‘ to 0. Registry value is ‚3‘. Expected: 0 False
Registry-170 Set registry value ‚EnableInstallerDetection‘ to 1. Compliant True
Registry-171 Set registry value ‚FilterAdministratorToken‘ to 1. Compliant True
Registry-172 Set registry value ‚EnableVirtualization‘ to 1. Compliant True
Registry-173 Set registry value ‚LDAPClientIntegrity‘ to 1. Compliant True
Registry-174 Remote calls to the Security Account Manager (SAM) must be restricted to Administrators. Compliant True
Registry-222 Set registry value ‚FormSuggest Passwords‘ to 1. Registry key not found. False
Registry-223 Ensure ‚Turn on the auto-complete feature for user names and passwords on forms‘ is set to ’no‘. Registry key not found. False
Registry-224 Set registry value ‚FormSuggest Passwords‘ to no. Registry key not found. False
Registry-225 Ensure ‚Remove „Run this time“ button for outdated ActiveX controls in Internet Explorer ‚ is set to ‚Enabled‘. Registry value not found. False
Registry-226 Ensure ‚Turn off blocking of outdated ActiveX controls for Internet Explorer‘ is set to ‚Disabled‘. Registry value not found. False
Registry-227 Ensure ‚Allow software to run or install even if the signature is invalid‘ is set to ‚Disabled‘. Registry key not found. False
Registry-228 Set registry value ‚CheckExeSignatures‘ to yes. Registry key not found. False
Registry-229 Ensure ‚Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows‘ is set to ‚Enabled‘. Registry value not found. False
Registry-230 Ensure ‚Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled‘ is set to ‚Enabled‘. Registry value not found. False
Registry-231 Set registry value ‚Isolation‘ to PMEM. Registry value not found. False
Registry-232 Set registry value ‚(Reserved)‘ to 1. Registry key not found. False
Registry-234 Set registry value ‚explorer.exe‘ to 1. Registry key not found. False
Registry-235 Set registry value ‚explorer.exe‘ to 1. Registry key not found. False
Registry-237 Set registry value ‚(Reserved)‘ to 1. Registry key not found. False
Registry-238 Set registry value ‚explorer.exe‘ to 1. Registry key not found. False
Registry-240 Set registry value ‚(Reserved)‘ to 1. Registry key not found. False
Registry-241 Set registry value ‚(Reserved)‘ to 1. Registry key not found. False
Registry-242 Set registry value ‚explorer.exe‘ to 1. Registry key not found. False
Registry-244 Set registry value ‚(Reserved)‘ to 1. Registry key not found. False
Registry-246 Set registry value ‚explorer.exe‘ to 1. Registry key not found. False
Registry-247 Set registry value ‚(Reserved)‘ to 1. Registry key not found. False
Registry-249 Set registry value ‚explorer.exe‘ to 1. Registry key not found. False
Registry-251 Set registry value ‚(Reserved)‘ to 1. Registry key not found. False
Registry-252 Set registry value ‚explorer.exe‘ to 1. Registry key not found. False
Registry-253 Set registry value ‚(Reserved)‘ to 1. Registry key not found. False
Registry-254 Set registry value ‚explorer.exe‘ to 1. Registry key not found. False
Registry-255 Set registry value ‚iexplore.exe‘ to 1. Registry key not found. False
Registry-256 Set registry value ‚PreventOverrideAppRepUnknown‘ to 1. Registry key not found. False
Registry-257 Set registry value ‚PreventOverride‘ to 1. Registry key not found. False
Registry-258 Ensure ‚Prevent managing SmartScreen Filter‘ is set to ‚On‘. Registry key not found. False
Registry-259 Set registry value ‚NoCrashDetection‘ to 1. Registry key not found. False
Registry-260 Ensure ‚Turn off the Security Settings Check feature‘ is set to ‚Disabled‘. Registry key not found. False
Registry-261 Ensure ‚Prevent per-user installation of ActiveX controls‘ is set to ‚Enabled‘. Registry key not found. False
Registry-262 Ensure ‚Specify use of ActiveX Installer Service for installation of ActiveX controls‘ is set to ‚Enabled‘. Registry key not found. False
Registry-263 Set registry value ‚Security_zones_map_edit‘ to 1. Registry value not found. False
Registry-264 Set registry value ‚Security_options_edit‘ to 1. Registry value not found. False
Registry-265 Set registry value ‚Security_HKLM_only‘ to 1. Registry value not found. False
Registry-266 Ensure ‚Check for server certificate revocation‘ is set to ‚Enabled‘. Registry value not found. False
Registry-267 Ensure ‚Prevent ignoring certificate errors‘ is set to ‚Enabled‘. Registry value not found. False
Registry-268 Set registry value ‚WarnOnBadCertRecving‘ to 1. Registry value not found. False
Registry-269 Ensure ‚Allow fallback to SSL 3.0 (Internet Explorer)‘ is set to ‚No Sites‘. Registry value not found. False
Registry-270 Ensure ‚Turn off encryption support‘ is set to ‚Use TLS 1.1 and TLS 1.2‘. Registry value not found. False
Registry-271 Ensure ‚Java permissions‘ is set to ‚Disable Java‘. Registry key not found. False
Registry-272 Ensure ‚Java permissions‘ is set to ‚Disable Java‘. Registry key not found. False
Registry-273 Ensure ‚Java permissions‘ is set to ‚Disable Java‘. Registry key not found. False
Registry-274 Ensure ‚Turn on SmartScreen Filter scan‘ is set to ‚Enable‘. Registry key not found. False
Registry-275 Ensure ‚Turn on SmartScreen Filter scan‘ is set to ‚Enable‘. Registry key not found. False
Registry-276 Ensure ‚Java permissions‘ is set to ‚Disable Java‘. Registry key not found. False
Registry-277 Ensure ‚Intranet Sites: Include all network paths (UNCs)‘ is set to ‚Disabled‘. Registry key not found. False
Registry-278 Ensure ‚Java permissions‘ is set to ‚Disable Java‘. Registry key not found. False
Registry-279 Ensure ‚Don’t run antimalware programs against ActiveX controls‘ is set to ‚Disable‘. Registry key not found. False
Registry-280 Ensure ‚Don’t run antimalware programs against ActiveX controls‘ is set to ‚Disable‘. Registry key not found. False
Registry-281 Ensure ‚Initialize and script ActiveX controls not marked as safe‘ is set to ‚Disable‘. Registry key not found. False
Registry-282 Ensure ‚Java permissions‘ is set to ‚High safety‘. Registry key not found. False
Registry-283 Ensure ‚Java permissions‘ is set to ‚High safety‘. Registry key not found. False
Registry-284 Ensure ‚Don’t run antimalware programs against ActiveX controls‘ is set to ‚Disable‘. Registry key not found. False
Registry-285 Ensure ‚Initialize and script ActiveX controls not marked as safe‘ is set to ‚Disable‘. Registry key not found. False
Registry-286 Ensure ‚Run .NET Framework-reliant components signed with Authenticode‘ is set to ‚Disable‘. Registry key not found. False
Registry-287 Ensure ‚Allow script-initiated windows without size or position constraints‘ is set to ‚Disable‘. Registry key not found. False
Registry-288 Ensure ‚Allow drag and drop or copy and paste files‘ is set to ‚Disable‘. Registry key not found. False
Registry-289 Ensure ‚Include local path when user is uploading files to a server‘ is set to ‚Disable‘. Registry key not found. False
Registry-290 Ensure ‚Initialize and script ActiveX controls not marked as safe‘ is set to ‚Disable‘. Registry key not found. False
Registry-291 Ensure ‚Access data sources across domains‘ is set to ‚Disable‘. Registry key not found. False
Registry-292 Ensure ‚Launching applications and files in an IFRAME‘ is set to ‚Disable‘. Registry key not found. False
Registry-293 Ensure ‚Automatic prompting for file downloads‘ is set to ‚Disable‘. Registry key not found. False
Registry-294 Ensure ‚Allow scriptlets‘ is set to ‚Disable‘. Registry key not found. False
Registry-295 Ensure ‚Allow scripting of Internet Explorer WebBrowser controls‘ is set to ‚Disable‘. Registry key not found. False
Registry-296 Ensure ‚Use Pop-up Blocker‘ is set to ‚Enable‘. Registry key not found. False
Registry-297 Ensure ‚Turn on Protected Mode‘ is set to ‚Enable‘. Registry key not found. False
Registry-298 Ensure ‚Allow updates to status bar via script‘ is set to ‚Disable‘. Registry key not found. False
Registry-299 Ensure ‚Userdata persistence‘ is set to ‚Disable‘. Registry key not found. False
Registry-300 Ensure ‚Allow loading of XAML files‘ is set to ‚Disable‘. Registry key not found. False
Registry-301 Ensure ‚Run .NET Framework-reliant components not signed with Authenticode‘ is set to ‚Disable‘. Registry key not found. False
Registry-302 Ensure ‚Java permissions‘ is set to ‚Disable Java‘. Registry key not found. False
Registry-303 Ensure ‚Download signed ActiveX controls‘ is set to ‚Disable‘. Registry key not found. False
Registry-304 Ensure ‚Logon options‘ is set to ‚Prompt for user name and password‘. Registry key not found. False
Registry-305 Ensure ‚Enable dragging of content from different domains within a window‘ is set to ‚Disable‘. Registry key not found. False
Registry-306 Ensure ‚Download unsigned ActiveX controls‘ is set to ‚Disable‘. Registry key not found. False
Registry-307 Ensure ‚Allow only approved domains to use ActiveX controls without prompt‘ is set to ‚Enable‘. Registry key not found. False
Registry-308 Ensure ‚Allow cut, copy or paste operations from the clipboard via script‘ is set to ‚Disable‘. Registry key not found. False
Registry-309 Ensure ‚Turn on Cross-Site Scripting Filter‘ is set to ‚Enable‘. Registry key not found. False
Registry-310 Ensure ‚Don’t run antimalware programs against ActiveX controls‘ is set to ‚Disable‘. Registry key not found. False
Registry-311 Ensure ‚Navigate windows and frames across different domains‘ is set to ‚Disable‘. Registry key not found. False
Registry-312 Ensure ‚Enable dragging of content from different domains across windows‘ is set to ‚Disable‘. Registry key not found. False
Registry-313 Ensure ‚Web sites in less privileged Web content zones can navigate into this zone‘ is set to ‚Disable‘. Registry key not found. False
Registry-314 Ensure ‚Turn on SmartScreen Filter scan‘ is set to ‚Enable‘. Registry key not found. False
Registry-315 Ensure ‚Show security warning for potentially unsafe files‘ is set to ‚Prompt‘. Registry key not found. False
Registry-316 Ensure ‚Allow only approved domains to use the TDC ActiveX control‘ is set to ‚Enable‘. Registry key not found. False
Registry-317 Set registry value ‚140C‘ to 3. Registry key not found. False
Registry-318 Ensure ‚Allow META REFRESH‘ is set to ‚Disable‘. Registry key not found. False
Registry-319 Ensure ‚Initialize and script ActiveX controls not marked as safe‘ is set to ‚Disable‘. Registry key not found. False
Registry-320 Ensure ‚Download signed ActiveX controls‘ is set to ‚Disable‘. Registry key not found. False
Registry-321 Ensure ‚Navigate windows and frames across different domains‘ is set to ‚Disable‘. Registry key not found. False
Registry-322 Ensure ‚Allow only approved domains to use ActiveX controls without prompt‘ is set to ‚Enable‘. Registry key not found. False
Registry-323 Ensure ‚Use Pop-up Blocker‘ is set to ‚Enable‘. Registry key not found. False
Registry-324 Ensure ‚Download unsigned ActiveX controls‘ is set to ‚Disable‘. Registry key not found. False
Registry-325 Ensure ‚Userdata persistence‘ is set to ‚Disable‘. Registry key not found. False
Registry-326 Ensure ‚Allow cut, copy or paste operations from the clipboard via script‘ is set to ‚Disable‘. Registry key not found. False
Registry-327 Ensure ‚Include local path when user is uploading files to a server‘ is set to ‚Disable‘. Registry key not found. False
Registry-328 Ensure ‚Access data sources across domains‘ is set to ‚Disable‘. Registry key not found. False
Registry-329 Ensure ‚Allow script-initiated windows without size or position constraints‘ is set to ‚Disable‘. Registry key not found. False
Registry-330 Ensure ‚Run .NET Framework-reliant components not signed with Authenticode‘ is set to ‚Disable‘. Registry key not found. False
Registry-331 Ensure ‚Automatic prompting for file downloads‘ is set to ‚Disable‘. Registry key not found. False
Registry-332 Ensure ‚Allow binary and script behaviors‘ is set to ‚Disable‘. Registry key not found. False
Registry-333 Ensure ‚Scripting of Java applets‘ is set to ‚Disable‘. Registry key not found. False
Registry-334 Ensure ‚Allow file downloads‘ is set to ‚Disable‘. Registry key not found. False
Registry-335 Ensure ‚Allow loading of XAML files‘ is set to ‚Disable‘. Registry key not found. False
Registry-336 Ensure ‚Allow active scripting‘ is set to ‚Disable‘. Registry key not found. False
Registry-337 Ensure ‚Logon options‘ is set to ‚Anonymous logon‘. Registry key not found. False
Registry-338 Ensure ‚Run .NET Framework-reliant components signed with Authenticode‘ is set to ‚Disable‘. Registry key not found. False
Registry-339 Ensure ‚Turn on Protected Mode‘ is set to ‚Enable‘. Registry key not found. False
Registry-340 Ensure ‚Turn on Cross-Site Scripting Filter‘ is set to ‚Enable‘. Registry key not found. False
Registry-341 Ensure ‚Java permissions‘ is set to ‚Disable Java‘. Registry key not found. False
Registry-342 Ensure ‚Allow scriptlets‘ is set to ‚Disable‘. Registry key not found. False
Registry-343 Ensure ‚Don’t run antimalware programs against ActiveX controls‘ is set to ‚Disable‘. Registry key not found. False
Registry-344 Ensure ‚Allow scripting of Internet Explorer WebBrowser controls‘ is set to ‚Disable‘. Registry key not found. False
Registry-345 Ensure ‚Enable dragging of content from different domains within a window‘ is set to ‚Disable‘. Registry key not found. False
Registry-346 Ensure ‚Allow drag and drop or copy and paste files‘ is set to ‚Disable‘. Registry key not found. False
Registry-347 Ensure ‚Allow updates to status bar via script‘ is set to ‚Disable‘. Registry key not found. False
Registry-348 Ensure ‚Enable dragging of content from different domains across windows‘ is set to ‚Disable‘. Registry key not found. False
Registry-349 Ensure ‚Script ActiveX controls marked safe for scripting‘ is set to ‚Disable‘. Registry key not found. False
Registry-350 Ensure ‚Web sites in less privileged Web content zones can navigate into this zone‘ is set to ‚Disable‘. Registry key not found. False
Registry-351 Ensure ‚Turn on SmartScreen Filter scan‘ is set to ‚Enable‘. Registry key not found. False
Registry-352 Ensure ‚Run ActiveX controls and plugins‘ is set to ‚Disable‘. Registry key not found. False
Registry-353 Ensure ‚Launching applications and files in an IFRAME‘ is set to ‚Disable‘. Registry key not found. False
Registry-354 Ensure ‚Show security warning for potentially unsafe files‘ is set to ‚Disable‘. Registry key not found. False
Registry-355 Ensure ‚Allow only approved domains to use the TDC ActiveX control‘ is set to ‚Enable‘. Registry key not found. False
Registry-356 Set registry value ‚140C‘ to 3. Registry key not found. False

User Rights Assignment

Id Task Message Status
UserRight-176 Ensure ‚SeSecurityPrivilege‘ is set to ‚administrator‘ Compliant True
UserRight-177 Ensure ‚SeRestorePrivilege‘ is set to ‚administrator‘ The user right ‚SeRestorePrivilege‘ contains following unexpected users: BUILTIN\Backup Operators False
UserRight-178 Ensure ‚SeTakeOwnershipPrivilege‘ is set to ‚administrator‘ Compliant True
UserRight-179 Ensure ‚SeBackupPrivilege‘ is set to ‚administrator‘ The user right ‚SeBackupPrivilege‘ contains following unexpected users: BUILTIN\Backup Operators False
UserRight-180 Ensure ‚SeDenyRemoteInteractiveLogonRight‘ is set to ‚Local account‘ The user right ‚SeDenyRemoteInteractiveLogonRight‘ contains following unexpected users: BUILTIN\Guests False
UserRight-181 Ensure ‚SeCreatePermanentPrivilege‘ is set to ’none‘ The user ‚SeCreatePermanentPrivilege‘ setting does not contain the following users: NULL SID False
UserRight-182 Ensure ‚SeManageVolumePrivilege‘ is set to ‚administrator‘ Compliant True
UserRight-183 Ensure ‚SeLoadDriverPrivilege‘ is set to ‚administrator‘ Compliant True
UserRight-184 Ensure ‚SeLockMemoryPrivilege‘ is set to ’none‘ Compliant True
UserRight-185 Ensure ‚SeDenyNetworkLogonRight‘ is set to ‚Local account‘ The user right ‚SeDenyNetworkLogonRight‘ contains following unexpected users: LOCAL, BUILTIN\Guests
The user ‚SeDenyNetworkLogonRight‘ setting does not contain the following users: NT AUTHORITY\Local account
False
UserRight-186 Ensure ‚SeNetworkLogonRight‘ is set to ‚administrator, Remote Desktop Users‘ The user right ‚SeNetworkLogonRight‘ contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators
The user ‚SeNetworkLogonRight‘ setting does not contain the following users: BUILTIN\Remote Desktop Users
False
UserRight-187 Ensure ‚SeImpersonatePrivilege‘ is set to ‚administrator, Service, Local Service, Network Service‘ Compliant True
UserRight-188 Ensure ‚SeCreateTokenPrivilege‘ is set to ’none‘ The user ‚SeCreateTokenPrivilege‘ setting does not contain the following users: NULL SID False
UserRight-189 Ensure ‚SeCreateGlobalPrivilege‘ is set to ‚administrator, Service, Local Service, Network Service‘ Compliant True
UserRight-190 Ensure ‚SeSystemEnvironmentPrivilege‘ is set to ‚administrator‘ Compliant True
UserRight-191 Ensure ‚SeCreatePagefilePrivilege‘ is set to ‚administrator‘ Compliant True
UserRight-192 Ensure ‚SeInteractiveLogonRight‘ is set to ‚administrator, Users‘ The user right ‚SeInteractiveLogonRight‘ contains following unexpected users: Hostname1\OldGuest, BUILTIN\Backup Operators False
UserRight-193 Ensure ‚SeRemoteShutdownPrivilege‘ is set to ‚administrator‘ Compliant True
UserRight-194 Ensure ‚SeDebugPrivilege‘ is set to ‚administrator‘ The user ‚SeDebugPrivilege‘ setting does not contain the following users: BUILTIN\Administrators False
UserRight-195 Ensure ‚SeTrustedCredManAccessPrivilege‘ is set to ’none‘ The user ‚SeTrustedCredManAccessPrivilege‘ setting does not contain the following users: NULL SID False
UserRight-196 Ensure ‚SeProfileSingleProcessPrivilege‘ is set to ‚administrator‘ Compliant True
UserRight-197 Ensure ‚SeTcbPrivilege‘ is set to ’none‘ The user ‚SeTcbPrivilege‘ setting does not contain the following users: NULL SID False
UserRight-198 Ensure ‚SeEnableDelegationPrivilege‘ is set to ’none‘ The user ‚SeEnableDelegationPrivilege‘ setting does not contain the following users: NULL SID False

Account Policies

Id Task Message Status
AccountPolicy-001 Ensure ‚MinimumPasswordLength‘ is set to ’14‘. Compliant True
AccountPolicy-002 Ensure ‚PasswordComplexity‘ is set to ‚1‘. Compliant True
AccountPolicy-003 Ensure ‚PasswordHistorySize‘ is set to ’24‘. Compliant True
AccountPolicy-004 Ensure ‚LockoutBadCount‘ is set to ’10‘. ‚LockoutBadCount‘ currently set to: 7. Expected: 10 False
AccountPolicy-005 Ensure ‚ResetLockoutCount‘ is set to ’15‘. Compliant True
AccountPolicy-006 Ensure ‚LockoutDuration‘ is set to ’15‘. Compliant True
AccountPolicy-007 Ensure ‚ClearTextPassword‘ is set to ‚0‘. Compliant True

Advanced Audit Policy Configuration

Id Task Message Status
AuditPolicy-199 Ensure ‚Credential Validation‘ is set to ‚Success‘ and is set to ‚Failure‘. Compliant True
AuditPolicy-200 Ensure ‚Security Group Management‘ is set to ‚Success‘. Compliant True
AuditPolicy-201 Ensure ‚User Account Management‘ is set to ‚Success‘ and is set to ‚Failure‘. Compliant True
AuditPolicy-202 Ensure ‚Plug and Play Events‘ is set to ‚Success‘. Compliant True
AuditPolicy-203 Ensure ‚Process Creation‘ is set to ‚Success‘. Compliant True
AuditPolicy-204 Ensure ‚Account Lockout‘ is set to ‚Failure‘. Compliant True
AuditPolicy-205 Ensure ‚Group Membership‘ is set to ‚Success‘. Compliant True
AuditPolicy-206 Ensure ‚Logon‘ is set to ‚Success‘ and is set to ‚Failure‘. Compliant True
AuditPolicy-207 Ensure ‚Other Logon/Logoff Events‘ is set to ‚Success‘ and is set to ‚Failure‘. Compliant True
AuditPolicy-208 Ensure ‚Special Logon‘ is set to ‚Success‘. Compliant True
AuditPolicy-209 Ensure ‚Detailed File Share‘ is set to ‚Failure‘. Compliant True
AuditPolicy-210 Ensure ‚File Share‘ is set to ‚Success‘ and is set to ‚Failure‘. Compliant True
AuditPolicy-211 Ensure ‚Other Object Access Events‘ is set to ‚Success‘ and is set to ‚Failure‘. Compliant True
AuditPolicy-212 Ensure ‚Removable Storage‘ is set to ‚Success‘ and is set to ‚Failure‘. Compliant True
AuditPolicy-213 Ensure ‚Audit Policy Change‘ is set to ‚Success‘. Compliant True
AuditPolicy-214 Ensure ‚Authentication Policy Change‘ is set to ‚Success‘. Compliant True
AuditPolicy-215 Ensure ‚MPSSVC Rule-Level Policy Change‘ is set to ‚Success‘ and is set to ‚Failure‘. Compliant True
AuditPolicy-216 Ensure ‚Other Policy Change Events‘ is set to ‚Failure‘. Compliant True
AuditPolicy-217 Ensure ‚Sensitive Privilege Use‘ is set to ‚Success‘ and is set to ‚Failure‘. Compliant True
AuditPolicy-218 Ensure ‚Other System Events‘ is set to ‚Success‘ and is set to ‚Failure‘. Compliant True
AuditPolicy-219 Ensure ‚Security State Change‘ is set to ‚Success‘. Compliant True
AuditPolicy-220 Ensure ‚Security System Extension‘ is set to ‚Success‘. Compliant True
AuditPolicy-221 Ensure ‚System Integrity‘ is set to ‚Success‘ and is set to ‚Failure‘. Compliant True

CIS Benchmarks

This section contains all benchmarks from CIS

Registry Settings/Group Policies

Id Task Message Status
1.1.6 (L1) Ensure ‚Relax minimum password length limits‘ is set to ‚Enabled‘ Compliant True
18.1.1.1 (L1) Ensure ‚Prevent enabling lock screen camera‘ is set to ‚Enabled‘ Compliant True
18.1.1.2 (L1) Ensure ‚Prevent enabling lock screen slide show‘ is set to ‚Enabled‘ Compliant True
18.1.2.2 (L1) Ensure ‚Allow users to enable online speech recognition services‘ is set to ‚Disabled‘ Compliant True
18.1.3 (L2) Ensure ‚Allow Online Tips‘ is set to ‚Disabled‘ Compliant True
18.2.2 (L1) Ensure ‚Do not allow password expiration time longer than required by policy‘ is set to ‚Enabled‘ Registry key not found. False
18.2.3 (L1) Ensure ‚Enable Local Admin Password Management‘ is set to ‚Enabled‘ Registry key not found. False
18.2.4 (L1) Ensure ‚Password Settings: Password Complexity‘ is set to ‚Enabled: Large letters + small letters + numbers + special characters‘ Registry key not found. False
18.2.5 (L1) Ensure ‚Password Settings: Password Length‘ is set to ‚Enabled: 15 or more‘ Registry key not found. False
18.2.6 (L1) Ensure ‚Password Settings: Password Age (Days)‘ is set to ‚Enabled: 30 or fewer‘ Registry key not found. False
18.3.1 (L1) Ensure ‚Apply UAC restrictions to local accounts on network logons‘ is set to ‚Enabled‘ Compliant True
18.3.2 (L1) Ensure ‚Configure SMB v1 client driver‘ is set to ‚Enabled: Disable driver (recommended)‘ Compliant True
18.3.3 (L1) Ensure ‚Configure SMB v1 server‘ is set to ‚Disabled‘ Compliant True
18.3.4 (L1) Ensure ‚Enable Structured Exception Handling Overwrite Protection (SEHOP)‘ is set to ‚Enabled‘ Compliant True
18.3.5 (L1) Set registry value ‚RestrictDriverInstallationToAdministrators‘ to 1. Compliant True
18.3.6 (L1) Ensure ‚NetBT NodeType configuration‘ is set to ‚Enabled: P-node (recommended)‘ Compliant True
18.3.7 (L1) Ensure ‚WDigest Authentication‘ is set to ‚Disabled‘ Compliant True
18.4.1 (L1) Ensure ‚MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)‘ is set to ‚Disabled‘ Compliant True
18.4.10 (L1) Ensure ‚MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)‘ is set to ‚Enabled: 5 or fewer seconds‘ Compliant True
18.4.11 (L2) Ensure ‚MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted‘ is set to ‚Enabled: 3‘ Compliant True
18.4.12 (L2) Ensure ‚MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted‘ is set to ‚Enabled: 3‘ Compliant True
18.4.13 (L1) Ensure ‚MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning‘ is set to ‚Enabled: 90% or less‘ Compliant True
18.4.2 (L1) Ensure ‚MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)‘ is set to ‚Enabled: Highest protection, source routing is completely disabled‘ Compliant True
18.4.3 (L1) Ensure ‚MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)‘ is set to ‚Enabled: Highest protection, source routing is completely disabled‘ Compliant True
18.4.4 (L2) Ensure ‚MSS: (DisableSavePassword) Prevent the dial-up password from being saved‘ is set to ‚Enabled‘ Compliant True
18.4.5 (L1) Ensure ‚MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes‘ is set to ‚Disabled‘ Compliant True
18.4.6 (L2) Ensure ‚MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds‘ is set to ‚Enabled: 300,000 or 5 minutes (recommended)‘ Compliant True
18.4.7 (L1) Ensure ‚MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers‘ is set to ‚Enabled‘ Compliant True
18.4.8 (L2) Ensure ‚MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)‘ is set to ‚Disabled‘ Compliant True
18.4.9 (L1) Ensure ‚MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)‘ is set to ‚Enabled‘ Compliant True
18.5.10.2 (L2) Ensure ‚Turn off Microsoft Peer-to-Peer Networking Services‘ is set to ‚Enabled‘ Compliant True
18.5.11.2 (L1) Ensure ‚Prohibit installation and configuration of Network Bridge on your DNS domain network‘ is set to ‚Enabled‘ Compliant True
18.5.11.3 (L1) Ensure ‚Prohibit use of Internet Connection Sharing on your DNS domain network‘ is set to ‚Enabled‘ Compliant True
18.5.11.4 (L1) Ensure ‚Require domain users to elevate when setting a network’s location‘ is set to ‚Enabled‘ Compliant True
18.5.14.1 (L1) Ensure ‚Hardened UNC Paths‘ is set to ‚Enabled, with „Require Mutual Authentication“ and „Require Integrity“ set for all NETLOGON and SYSVOL shares‘ Compliant True
18.5.19.2.1 (L2) Disable IPv6 (Ensure TCPIP6 Parameter ‚DisabledComponents‘ is set to ‚0xff (255)‘) Compliant True
18.5.20.1 (L2) Ensure ‚Configuration of wireless settings using Windows Connect Now‘ is set to ‚Disabled‘ Compliant True
18.5.20.2 (L2) Ensure ‚Prohibit access of the Windows Connect Now wizards‘ is set to ‚Enabled‘ Compliant True
18.5.21.1 (L1) Ensure ‚Minimize the number of simultaneous connections to the Internet or a Windows Domain‘ is set to ‚Enabled: 3 = Prevent Wi-Fi when on Ethernet‘ Registry value not found. False
18.5.21.2 (L1) Ensure ‚Prohibit connection to non-domain networks when connected to domain authenticated network‘ is set to ‚Enabled‘ Compliant True
18.5.23.2.1 (L1) Ensure ‚Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services‘ is set to ‚Disabled‘ Compliant True
18.5.4.1 (L1) Ensure ‚Configure DNS over HTTPS (DoH) name resolution‘ is set to ‚Enabled: Allow DoH‘ or higher (Automated) Compliant True
18.5.4.2 (L1) Ensure ‚Turn off multicast name resolution‘ is set to ‚Enabled‘ Compliant True
18.5.5.1 (L2) Ensure ‚Enable Font Providers‘ is set to ‚Disabled‘ Compliant True
18.5.8.1 (L1) Ensure ‚Enable insecure guest logons‘ is set to ‚Disabled‘ Compliant True
18.5.9.1.1 (L2) Ensure ‚Turn on Mapper I/O (LLTDIO) driver‘ is set to ‚Disabled‘ (Domain) Compliant True
18.5.9.1.2 (L2) Ensure ‚Turn on Mapper I/O (LLTDIO) driver‘ is set to ‚Disabled‘ (Public) Compliant True
18.5.9.1.3 (L2) Ensure ‚Turn on Mapper I/O (LLTDIO) driver‘ is set to ‚Disabled‘ Compliant True
18.5.9.1.4 (L2) Ensure ‚Turn on Mapper I/O (LLTDIO) driver‘ is set to ‚Disabled‘ (Private) Compliant True
18.5.9.2.1 (L2) Ensure ‚Turn on Responder (RSPNDR) driver‘ is set to ‚Disabled‘ (Domain) Compliant True
18.5.9.2.2 (L2) Ensure ‚Turn on Responder (RSPNDR) driver‘ is set to ‚Disabled‘ (Public) Compliant True
18.5.9.2.3 (L2) Ensure ‚Turn on Responder (RSPNDR) driver‘ is set to ‚Disabled‘ Compliant True
18.5.9.2.4 (L2) Ensure ‚Turn on Responder (RSPNDR) driver‘ is set to ‚Disabled‘ (Private) Compliant True
18.6.1 (L1) Ensure ‚Allow Print Spooler to accept client connections‘ is set to ‚Disabled‘ Compliant True
18.6.2 (L1) Ensure ‚Point and Print Restrictions: When installing drivers for a new connection‘ is set to ‚Enabled: Show warning and elevation prompt‘ Compliant True
18.6.3 (L1) Ensure ‚Point and Print Restrictions: When updating drivers for an existing connection‘ is set to ‚Enabled: Show warning and elevation prompt‘ Compliant True
18.7.1.1 (L2) Ensure ‚Turn off notifications network usage‘ is set to ‚Enabled‘ Compliant True
18.8.14.1 (L1) Ensure ‚Boot-Start Driver Initialization Policy‘ is set to ‚Enabled: Good, unknown and bad but critical‘ Compliant True
18.8.21.2 (L1) Ensure ‚Configure registry policy processing: Do not apply during periodic background processing‘ is set to ‚Enabled: FALSE‘ Compliant True
18.8.21.3 (L1) Ensure ‚Configure registry policy processing: Process even if the Group Policy objects have not changed‘ is set to ‚Enabled: TRUE‘ Compliant True
18.8.21.4 (L1) Ensure ‚Continue experiences on this device‘ is set to ‚Disabled‘ Compliant True
18.8.21.5 (L1) Ensure ‚Turn off background refresh of Group Policy‘ is set to ‚Disabled‘ Compliant True
18.8.22.1.1 (L2) Ensure ‚Turn off access to the Store‘ is set to ‚Enabled‘ Compliant True
18.8.22.1.10 (L2) Ensure ‚Turn off the „Order Prints“ picture task‘ is set to ‚Enabled‘ Compliant True
18.8.22.1.11 (L2) Ensure ‚Turn off the „Publish to Web“ task for files and folders‘ is set to ‚Enabled‘ Compliant True
18.8.22.1.12 (L2) Ensure ‚Turn off the Windows Messenger Customer Experience Improvement Program‘ is set to ‚Enabled‘ Compliant True
18.8.22.1.13 (L2) Ensure ‚Turn off Windows Customer Experience Improvement Program‘ is set to ‚Enabled‘ Compliant True
18.8.22.1.14 (L2) Ensure ‚Turn off Windows Error Reporting‘ is set to ‚Enabled‘ Compliant True
18.8.22.1.2 (L1) Ensure ‚Turn off downloading of print drivers over HTTP‘ is set to ‚Enabled‘ Compliant True
18.8.22.1.3 (L2) Ensure ‚Turn off handwriting personalization data sharing‘ is set to ‚Enabled‘ Compliant True
18.8.22.1.4 (L2) Ensure ‚Turn off handwriting recognition error reporting‘ is set to ‚Enabled‘ Compliant True
18.8.22.1.5 (L2) Ensure ‚Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com‘ is set to ‚Enabled‘ Compliant True
18.8.22.1.6 (L1) Ensure ‚Turn off Internet download for Web publishing and online ordering wizards‘ is set to ‚Enabled‘ Compliant True
18.8.22.1.7 (L2) Ensure ‚Turn off printing over HTTP‘ is set to ‚Enabled‘ Compliant True
18.8.22.1.8 (L2) Ensure ‚Turn off Registration if URL connection is referring to Microsoft.com‘ is set to ‚Enabled‘ Compliant True
18.8.22.1.9 (L2) Ensure ‚Turn off Search Companion content file updates‘ is set to ‚Enabled‘ Compliant True
18.8.25.1.1 (L2) Ensure ‚Support device authentication using certificate‘ is set to ‚Enabled: Automatic‘ (DevicePKInitBehavior) Compliant True
18.8.25.1.2 (L2) Ensure ‚Support device authentication using certificate‘ is set to ‚Enabled: Automatic‘ (DevicePKInitEnabled) Compliant True
18.8.26.1 (BL) Ensure ‚Enumeration policy for external devices incompatible with Kernel DMA Protection‘ is set to ‚Enabled: Block All‘ Compliant True
18.8.27.1 (L2) Ensure ‚Disallow copying of user input methods to the system account for sign-in‘ is set to ‚Enabled‘ Compliant True
18.8.28.1 (L1) Ensure ‚Block user from showing account details on sign-in‘ is set to ‚Enabled‘ Compliant True
18.8.28.2 (L1) Ensure ‚Do not display network selection UI‘ is set to ‚Enabled‘ Compliant True
18.8.28.3 (L1) Ensure ‚Do not enumerate connected users on domain-joined computers‘ is set to ‚Enabled‘ Compliant True
18.8.28.4 (L1) Ensure ‚Enumerate local users on domain-joined computers‘ is set to ‚Disabled‘ Compliant True
18.8.28.5 (L1) Ensure ‚Turn off app notifications on the lock screen‘ is set to ‚Enabled‘ Compliant True
18.8.28.6 (L1) Ensure ‚Turn off picture password sign-in‘ is set to ‚Enabled‘ Compliant True
18.8.28.7 (L1) Ensure ‚Turn on convenience PIN sign-in‘ is set to ‚Disabled‘ Compliant True
18.8.3.1 (L1) Ensure ‚Include command line in process creation events‘ is set to ‚Disabled‘ Compliant True
18.8.31.1 (L2) Ensure ‚Allow Clipboard synchronization across devices‘ is set to ‚Disabled‘ Compliant True
18.8.31.2 (L2) Ensure ‚Allow upload of User Activities‘ is set to ‚Disabled‘ Compliant True
18.8.34.6.1 (L1) Ensure ‚Allow network connectivity during connected-standby (on battery)‘ is set to ‚Disabled‘ Compliant True
18.8.34.6.2 (L1) Ensure ‚Allow network connectivity during connected-standby (plugged in)‘ is set to ‚Disabled‘ Compliant True
18.8.34.6.3 (BL) Ensure ‚Allow standby states (S1-S3) when sleeping (on battery)‘ is set to ‚Disabled‘ Compliant True
18.8.34.6.4 (BL) Ensure ‚Allow standby states (S1-S3) when sleeping (plugged in)‘ is set to ‚Disabled‘ Compliant True
18.8.34.6.5 (L1) Ensure ‚Require a password when a computer wakes (on battery)‘ is set to ‚Enabled‘ Compliant True
18.8.34.6.6 (L1) Ensure ‚Require a password when a computer wakes (plugged in)‘ is set to ‚Enabled‘ Compliant True
18.8.36.1 (L1) Ensure ‚Configure Offer Remote Assistance‘ is set to ‚Disabled‘ Compliant True
18.8.36.2 (L1) Ensure ‚Configure Solicited Remote Assistance‘ is set to ‚Disabled‘ Compliant True
18.8.37.1 (L1) Ensure ‚Enable RPC Endpoint Mapper Client Authentication‘ is set to ‚Enabled‘ Compliant True
18.8.37.2 (L1) Ensure ‚Restrict Unauthenticated RPC clients‘ is set to ‚Enabled: Authenticated‘ Compliant True
18.8.4.1 (L1) Ensure ‚Encryption Oracle Remediation‘ is set to ‚Enabled: Force Updated Clients‘ Compliant True
18.8.4.2 (L1) Ensure ‚Remote host allows delegation of non-exportable credentials‘ is set to ‚Enabled‘ Compliant True
18.8.48.11.1 (L2) Ensure ‚Enable/Disable PerfTrack‘ is set to ‚Disabled‘ Compliant True
18.8.48.5.1 (L2) Ensure ‚Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider‘ is set to ‚Disabled‘ Compliant True
18.8.5.1 (NG) Ensure ‚Turn On Virtualization Based Security‘ is set to ‚Enabled‘ Compliant True
18.8.5.2 (NG) Ensure ‚Turn On Virtualization Based Security: Select Platform Security Level‘ is set to ‚Secure Boot and DMA Protection‘ Compliant True
18.8.5.3 (NG) Ensure ‚Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity‘ is set to ‚Enabled with UEFI lock‘ Compliant True
18.8.5.4 (NG) Ensure ‚Turn On Virtualization Based Security: Require UEFI Memory Attributes Table‘ is set to ‚True (checked)‘ Compliant True
18.8.5.5 (NG) Ensure ‚Turn On Virtualization Based Security: Credential Guard Configuration‘ is set to ‚Enabled with UEFI lock‘ Compliant True
18.8.5.6 (NG) Ensure ‚Turn On Virtualization Based Security: Secure Launch Configuration‘ is set to ‚Enabled‘ Compliant True
18.8.50.1 (L2) Ensure ‚Turn off the advertising ID‘ is set to ‚Enabled‘ Compliant True
18.8.53.1.1 (L2) Ensure ‚Enable Windows NTP Client‘ is set to ‚Enabled‘ Compliant True
18.8.53.1.2 (L2) Ensure ‚Enable Windows NTP Server‘ is set to ‚Disabled‘ Compliant True
18.8.7.1.1 (BL) Ensure ‚Prevent installation of devices that match any of these device IDs‘ is set to ‚Enabled‘ Registry value not found. False
18.8.7.1.2 (BL) Ensure ‚Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs‘ is set to ‚PCI\CC_0C0A‘ Compliant True
18.8.7.1.3 (BL) Ensure ‚Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.‘ is set to ‚True‘ (checked) Registry value not found. False
18.8.7.1.4 (BL) Ensure ‚Prevent installation of devices using drivers that match these device setup classes‘ is set to ‚Enabled‘ Compliant True
18.8.7.1.5 (BL) Ensure ‚Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup‘ is set to ‚IEEE 1394 device setup classes‘ Compliant True
18.8.7.1.6 (BL) Ensure ‚Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.‘ is set to ‚True‘ (checked) Compliant True
18.8.7.2 (L1) Prevent Windows from retrieving device metadata from the Internet Compliant True
18.9.10.1.1 (L1) Ensure ‚Configure enhanced anti-spoofing‘ is set to ‚Enabled‘ Compliant True
18.9.100.1 (L1) Ensure ‚Turn on PowerShell Script Block Logging‘ is set to ‚Disabled‘ Compliant True
18.9.100.2 (L1) Ensure ‚Turn on PowerShell Transcription‘ is set to ‚Disabled‘ Compliant True
18.9.102.1.1 (L1) Ensure ‚Allow Basic authentication‘ is set to ‚Disabled‘ Compliant True
18.9.102.1.2 (L1) Ensure ‚Allow unencrypted traffic‘ is set to ‚Disabled‘ Compliant True
18.9.102.1.3 (L1) Ensure ‚Disallow Digest authentication‘ is set to ‚Enabled‘ Compliant True
18.9.102.2.1 (L1) Ensure ‚Allow Basic authentication‘ is set to ‚Disabled‘ Compliant True
18.9.102.2.2 (L2) Ensure ‚Allow remote server management through WinRM‘ is set to ‚Disabled‘ Registry value not found. False
18.9.102.2.3 (L1) Ensure ‚Allow unencrypted traffic‘ is set to ‚Disabled‘ Compliant True
18.9.102.2.4 (L1) Ensure ‚Disallow WinRM from storing RunAs credentials‘ is set to ‚Enabled‘ Compliant True
18.9.103.1 (L2) Ensure ‚Allow Remote Shell Access‘ is set to ‚Disabled‘ Registry key not found. False
18.9.104.1 (L1) Ensure ‚Allow clipboard sharing with Windows Sandbox‘ is set to ‚Disabled‘ Compliant True
18.9.104.2 (L1) Ensure ‚Allow networking in Windows Sandbox‘ is set to ‚Disabled‘ Compliant True
18.9.105.2.1 (L1) Ensure ‚Prevent users from modifying settings‘ is set to ‚Enabled‘ Compliant True
18.9.108.1.1 (L1) Ensure ‚No auto-restart with logged on users for scheduled automatic updates installations‘ is set to ‚Disabled‘ Compliant True
18.9.108.2.1 (L1) Ensure ‚Configure Automatic Updates‘ is set to ‚Enabled‘ Compliant True
18.9.108.2.2 (L1) Ensure ‚Configure Automatic Updates: Scheduled install day‘ is set to ‚0 – Every day‘ Compliant True
18.9.108.2.3 (L1) Ensure ‚Remove access to „Pause updates“ feature‘ is set to ‚Enabled‘ Compliant True
18.9.108.4.1 (L1) Ensure ‚Manage preview builds‘ is set to ‚Enabled: Disable preview builds‘ (ManagePreviewBuildsPolicyValue) Compliant True
18.9.108.4.2.1 (L1) Ensure ‚Select when Preview Builds and Feature Updates are received‘ is set to ‚Enabled: Semi-Annual Channel, 180 or more days‘ (DeferFeatureUpdates) Compliant True
18.9.108.4.2.2 (L1) Ensure ‚Select when Preview Builds and Feature Updates are received‘ is set to ‚Enabled: Semi-Annual Channel, 180 or more days‘ (DeferFeatureUpdatesPeriodInDays) Compliant True
18.9.108.4.3.1 (L1) Ensure ‚Select when Quality Updates are received‘ is set to ‚Enabled: 0 days‘ (DeferQualityUpdates) Compliant True
18.9.108.4.3.2 (L1) Ensure ‚Select when Quality Updates are received‘ is set to ‚Enabled: 0 days‘ (DeferQualityUpdatesPeriodInDays) Compliant True
18.9.11.1.1 (BL) Ensure ‚Allow access to BitLocker-protected fixed data drives from earlier versions of Windows‘ is set to ‚Disabled‘ Compliant True
18.9.11.1.10 (BL) Ensure ‚Configure use of hardware-based encryption for fixed data drives‘ is set to ‚Disabled‘ Compliant True
18.9.11.1.11 (BL) Ensure ‚Configure use of passwords for fixed data drives‘ is set to ‚Disabled‘ Compliant True
18.9.11.1.12 (BL) Ensure ‚Configure use of smart cards on fixed data drives‘ is set to ‚Enabled‘ Compliant True
18.9.11.1.13 (BL) Ensure ‚Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives‘ is set to ‚Enabled: True‘ Compliant True
18.9.11.1.2 (BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered‘ is set to ‚Enabled‘ Compliant True
18.9.11.1.3 (BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent‘ is set to ‚Enabled: True‘ Compliant True
18.9.11.1.4 (BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Recovery Password‘ is set to ‚Enabled: Allow 48-digit recovery password‘ Compliant True
18.9.11.1.5 (BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Recovery Key‘ is set to ‚Enabled: Allow 256-bit recovery key‘ Compliant True
18.9.11.1.6 (BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard‘ is set to ‚Enabled: True‘ Compliant True
18.9.11.1.7 (BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives‘ is set to ‚Enabled: False‘ Compliant True
18.9.11.1.8 (BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS‘ is set to ‚Enabled: Backup recovery passwords and key packages‘ Compliant True
18.9.11.1.9 (BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives‘ is set to ‚Enabled: False‘ Compliant True
18.9.11.2.1 (BL) Ensure ‚Allow enhanced PINs for startup‘ is set to ‚Enabled‘ Compliant True
18.9.11.2.10 (BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives‘ is set to ‚Enabled: True‘ Compliant True
18.9.11.2.11 (BL) Ensure ‚Configure use of hardware-based encryption for operating system drives‘ is set to ‚Disabled‘ Compliant True
18.9.11.2.12 (BL) Ensure ‚Configure use of passwords for operating system drives‘ is set to ‚Disabled‘ Compliant True
18.9.11.2.13 (BL) Ensure ‚Require additional authentication at startup‘ is set to ‚Enabled‘ Compliant True
18.9.11.2.14 (BL) Ensure ‚Require additional authentication at startup: Allow BitLocker without a compatible TPM‘ is set to ‚Enabled: False‘ Registry value is ‚1‘. Expected: 0 False
18.9.11.2.2 (BL) Ensure ‚Allow Secure Boot for integrity validation‘ is set to ‚Enabled‘ Compliant True
18.9.11.2.3 (BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered‘ is set to ‚Enabled‘ Compliant True
18.9.11.2.4 (BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent‘ is set to ‚Enabled: False‘ Compliant True
18.9.11.2.5 (BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Recovery Password‘ is set to ‚Enabled: Require 48-digit recovery password‘ Compliant True
18.9.11.2.6 (BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Recovery Key‘ is set to ‚Enabled: Do not allow 256-bit recovery key‘ Compliant True
18.9.11.2.7 (BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard‘ is set to ‚Enabled: True‘ Compliant True
18.9.11.2.8 (BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives‘ is set to ‚Enabled: True‘ Compliant True
18.9.11.2.9 (BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:‘ is set to ‚Enabled: Store recovery passwords and key packages‘ Compliant True
18.9.11.3.1 (BL) Ensure ‚Allow access to BitLocker-protected removable data drives from earlier versions of Windows‘ is set to ‚Disabled‘ Compliant True
18.9.11.3.10 (BL) Ensure ‚Configure use of hardware-based encryption for removable data drives‘ is set to ‚Disabled‘ Compliant True
18.9.11.3.11 (BL) Ensure ‚Configure use of passwords for removable data drives‘ is set to ‚Disabled‘ Registry value is ‚1‘. Expected: 0 False
18.9.11.3.12 (BL) Ensure ‚Configure use of smart cards on removable data drives‘ is set to ‚Enabled‘ Compliant True
18.9.11.3.13 (BL) Ensure ‚Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives‘ is set to ‚Enabled: True‘ Registry value not found. False
18.9.11.3.14 (BL) Ensure ‚Deny write access to removable drives not protected by BitLocker‘ is set to ‚Enabled‘ Compliant True
18.9.11.3.15 (BL) Ensure ‚Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization‘ is set to ‚Enabled: False‘ Compliant True
18.9.11.3.2 (BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered‘ is set to ‚Enabled‘ Registry value not found. False
18.9.11.3.3 (BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent‘ is set to ‚Enabled: True‘ Compliant True
18.9.11.3.4 (BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Recovery Password‘ is set to ‚Enabled: Do not allow 48-digit recovery password‘ Registry value not found. False
18.9.11.3.5 (BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Recovery Key‘ is set to ‚Enabled: Do not allow 256-bit recovery key‘ Compliant True
18.9.11.3.6 (BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard‘ is set to ‚Enabled: True‘ Compliant True
18.9.11.3.7 (BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives‘ is set to ‚Enabled: False‘ Compliant True
18.9.11.3.8 (BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:‘ is set to ‚Enabled: Backup recovery passwords and key packages‘ Compliant True
18.9.11.3.9 (BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives‘ is set to ‚Enabled: False‘ Compliant True
18.9.11.4 (BL) Ensure ‚Disable new DMA devices when this computer is locked‘ is set to ‚Enabled‘ Compliant True
18.9.12.1 (L2) Ensure ‚Allow Use of Camera‘ is set to ‚Disabled‘ Registry key not found. False
18.9.14.1 (L1) Ensure ‚Turn off cloud consumer account state content‘ is set to ‚Enabled‘ Compliant True
18.9.14.2 (L2) Ensure ‚Turn off cloud optimized content‘ is set to ‚Enabled‘ Compliant True
18.9.14.3 (L1) Ensure ‚Turn off Microsoft consumer experiences‘ is set to ‚Enabled‘ Compliant True
18.9.15.1 (L1) Ensure ‚Require pin for pairing‘ is set to ‚Enabled: First Time‘ OR ‚Enabled: Always‘ Compliant True
18.9.16.1 (L1) Ensure ‚Do not display the password reveal button‘ is set to ‚Enabled‘ Compliant True
18.9.16.2 (L1) Ensure ‚Enumerate administrator accounts on elevation‘ is set to ‚Disabled‘ Compliant True
18.9.16.3 (L1) Ensure ‚Prevent the use of security questions for local accounts‘ is set to ‚Enabled‘ Compliant True
18.9.17.1 (L1) Ensure ‚Allow Telemetry‘ is set to ‚Enabled: 0 – Security [Enterprise Only]‘ or ‚Enabled: 1 – Basic‘ Compliant True
18.9.17.2 (L2) Ensure ‚Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service‘ is set to ‚Enabled: Disable Authenticated Proxy usage‘ Compliant True
18.9.17.3 (L1) Ensure ‚Disable OneSettings Downloads‘ is set to ‚Enabled‘ Compliant True
18.9.17.4 (L1) Ensure ‚Do not show feedback notifications‘ is set to ‚Enabled‘ Compliant True
18.9.17.5 (L1) Ensure ‚Enable OneSettings Auditing‘ is set to ‚Enabled Compliant True
18.9.17.6 (L1) Ensure ‚Limit Diagnostic Log Collection‘ is set to ‚Enabled‘ Compliant True
18.9.17.7 (L1) Ensure ‚Limit Dump Collection‘ is set to ‚Enabled‘ Compliant True
18.9.17.8 (L1) Ensure ‚Toggle user control over Insider builds‘ is set to ‚Disabled‘ Compliant True
18.9.18.1 (L1) Ensure ‚Download Mode‘ is NOT set to ‚Enabled: Internet‘ Compliant True
18.9.27.1.1 (L1) Ensure ‚Application: Control Event Log behavior when the log file reaches its maximum size‘ is set to ‚Disabled‘ Compliant True
18.9.27.1.2 (L1) Ensure ‚Application: Specify the maximum log file size (KB)‘ is set to ‚Enabled: 32,768 or greater‘ Compliant True
18.9.27.2.1 (L1) Ensure ‚Security: Control Event Log behavior when the log file reaches its maximum size‘ is set to ‚Disabled‘ Compliant True
18.9.27.2.2 (L1) Ensure ‚Security: Specify the maximum log file size (KB)‘ is set to ‚Enabled: 196,608 or greater‘ Compliant True
18.9.27.3.1 (L1) Ensure ‚Setup: Control Event Log behavior when the log file reaches its maximum size‘ is set to ‚Disabled‘ Compliant True
18.9.27.3.2 (L1) Ensure ‚Setup: Specify the maximum log file size (KB)‘ is set to ‚Enabled: 32,768 or greater‘ Compliant True
18.9.27.4.1 (L1) Ensure ‚System: Control Event Log behavior when the log file reaches its maximum size‘ is set to ‚Disabled‘ Compliant True
18.9.27.4.2 (L1) Ensure ‚System: Specify the maximum log file size (KB)‘ is set to ‚Enabled: 32,768 or greater‘ Compliant True
18.9.31.2 (L1) Ensure ‚Turn off Data Execution Prevention for Explorer‘ is set to ‚Disabled‘ Compliant True
18.9.31.3 (L1) Ensure ‚Turn off heap termination on corruption‘ is set to ‚Disabled‘ Compliant True
18.9.31.4 (L1) Ensure ‚Turn off shell protocol protected mode‘ is set to ‚Disabled‘ Compliant True
18.9.36.1 (L1) Ensure ‚Prevent the computer from joining a homegroup‘ is set to ‚Enabled‘ Compliant True
18.9.4.1 (L2) Ensure ‚Allow a Windows app to share application data between users‘ is set to ‚Disabled‘ Compliant True
18.9.4.2 (L1) Ensure ‚Prevent non-admin users from installing packaged Windows apps‘ is set to ‚Enabled‘ Compliant True
18.9.41.1 (L2) Ensure ‚Turn off location‘ is set to ‚Enabled‘ Compliant True
18.9.45.1 (L2) Ensure ‚Allow Message Service Cloud Sync‘ is set to ‚Disabled‘ Compliant True
18.9.46.1 (L1) Ensure ‚Block all consumer Microsoft account user authentication‘ is set to ‚Enabled‘ Compliant True
18.9.47.11.1 (L2) Ensure ‚Configure Watson events‘ is set to ‚Disabled‘ Compliant True
18.9.47.12.1 (L1) Ensure ‚Scan removable drives‘ is set to ‚Enabled‘ Compliant True
18.9.47.12.2 (L1) Ensure ‚Turn on e-mail scanning‘ is set to ‚Enabled‘ Compliant True
18.9.47.15 (L1) Ensure ‚Configure detection for potentially unwanted applications‘ is set to ‚Enabled: Block‘ Compliant True
18.9.47.16 (L1) Ensure ‚Turn off Microsoft Defender AntiVirus‘ is set to ‚Disabled‘ Compliant True
18.9.47.4.1 (L1) Ensure ‚Configure local setting override for reporting to Microsoft MAPS‘ is set to ‚Disabled‘ Compliant True
18.9.47.4.2 (L2) Ensure ‚Join Microsoft MAPS‘ is set to ‚Disabled‘ Compliant True
18.9.47.5.1.1 (L1) Ensure ‚Configure Attack Surface Reduction rules‘ is set to ‚Enabled‘ Compliant True
18.9.47.5.1.2.1 (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block Office communication application from creating child processes). Compliant True
18.9.47.5.1.2.10 (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block JavaScript or VBScript from launching downloaded executable content). Compliant True
18.9.47.5.1.2.11 (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block all Office applications from creating child processes). Compliant True
18.9.47.5.1.2.12 (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block persistence through WMI event subscription). Compliant True
18.9.47.5.1.2.2 (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block Office applications from creating executable content). Compliant True
18.9.47.5.1.2.3 (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block execution of potentially obfuscated scripts). Compliant True
18.9.47.5.1.2.4 (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block Office applications from injecting code into other processes). Compliant True
18.9.47.5.1.2.5 (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block Adobe Reader from creating child processes). Compliant True
18.9.47.5.1.2.6 (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block Win32 API calls from Office macros). Compliant True
18.9.47.5.1.2.7 (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block credential stealing from the Windows local security authority subsystem (lsass.exe)). Compliant True
18.9.47.5.1.2.8 (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block untrusted and unsigned processes that run from USB). Compliant True
18.9.47.5.1.2.9 (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block executable content from email client and webmail). Compliant True
18.9.47.5.3.1 (L1) Ensure ‚Prevent users and apps from accessing dangerous websites‘ is set to ‚Enabled: Block‘ Compliant True
18.9.47.6.1 (L2) Ensure ‚Enable file hash computation feature‘ is set to ‚Enabled‘ Compliant True
18.9.47.9.1 (L1) Ensure ‚Scan all downloaded files and attachments‘ is set to ‚Enabled‘ Compliant True
18.9.47.9.2 (L1) Ensure ‚Turn off real-time protection‘ is set to ‚Disabled‘ Compliant True
18.9.47.9.3 (L1) Ensure ‚Turn on behavior monitoring‘ is set to ‚Enabled‘ Compliant True
18.9.47.9.4 (L1) Ensure ‚Turn on script scanning‘ is set to ‚Enabled‘ Compliant True
18.9.48.1 (NG) Ensure ‚Allow auditing events in Microsoft Defender Application Guard‘ is set to ‚Enabled‘ Compliant True
18.9.48.2 (NG) Ensure ‚Allow camera and microphone access in Microsoft Defender Application Guard‘ is set to ‚Disabled‘ Compliant True
18.9.48.3 (NG) Ensure ‚Allow data persistence for Microsoft Defender Application Guard‘ is set to ‚Disabled‘ Compliant True
18.9.48.4 (NG) Ensure ‚Allow files to download and save to the host operating system from Microsoft Defender Application Guard‘ is set to ‚Disabled‘ Compliant True
18.9.48.5 (NG) Ensure ‚Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting‘ is set to ‚Enabled: Enable clipboard operation from an isolated session to the host‘ Compliant True
18.9.48.6 (NG) Ensure ‚Turn on Microsoft Defender Application Guard in Managed Mode‘ is set to ‚Enabled: 1‘ Compliant True
18.9.5.1 (L1) Ensure ‚Let Windows apps activate with voice while the system is locked‘ is set to ‚Enabled: Force Deny‘ Compliant True
18.9.57.1 (L2) Ensure ‚Enable news and interests on the taskbar‘ is set to ‚Disabled‘ Compliant True
18.9.58.1 (L1) Ensure ‚Prevent the usage of OneDrive for file storage‘ is set to ‚Enabled‘ Registry key not found. False
18.9.6.1 (L1) Ensure ‚Allow Microsoft accounts to be optional‘ is set to ‚Enabled‘ Compliant True
18.9.6.2 (L2) Ensure ‚Block launching Universal Windows apps with Windows Runtime API access from hosted content.‘ is set to ‚Enabled‘ Compliant True
18.9.64.1 (L2) Ensure ‚Turn off Push To Install service‘ is set to ‚Enabled‘ Compliant True
18.9.65.2.2 (L1) Ensure ‚Do not allow passwords to be saved‘ is set to ‚Enabled‘ Compliant True
18.9.65.3.10.1 (L2) Ensure ‚Set time limit for active but idle Remote Desktop Services sessions‘ is set to ‚Enabled: 15 minutes or less, but not Never (0)‘ Compliant True
18.9.65.3.10.2 (L2) Ensure ‚Set time limit for disconnected sessions‘ is set to ‚Enabled: 1 minute‘ Compliant True
18.9.65.3.11.1 (L1) Ensure ‚Do not delete temp folders upon exit‘ is set to ‚Disabled‘ Compliant True
18.9.65.3.2.1 (L2) Ensure ‚Allow users to connect remotely by using Remote Desktop Services‘ is set to ‚Disabled‘ Compliant True
18.9.65.3.3.1 (L2) Ensure ‚Allow UI Automation redirection‘ is set to ‚Disabled‘ Compliant True
18.9.65.3.3.2 (L2) Ensure ‚Do not allow COM port redirection‘ is set to ‚Enabled‘ Compliant True
18.9.65.3.3.3 (L1) Ensure ‚Do not allow drive redirection‘ is set to ‚Enabled‘ Compliant True
18.9.65.3.3.4 (L2) Ensure ‚Do not allow location redirection‘ is set to ‚Enabled‘ Compliant True
18.9.65.3.3.5 (L2) Ensure ‚Do not allow LPT port redirection‘ is set to ‚Enabled‘ Compliant True
18.9.65.3.3.6 (L2) Ensure ‚Do not allow supported Plug and Play device redirection‘ is set to ‚Enabled‘ Compliant True
18.9.65.3.9.1 (L1) Ensure ‚Always prompt for password upon connection‘ is set to ‚Enabled‘ Compliant True
18.9.65.3.9.2 (L1) Ensure ‚Require secure RPC communication‘ is set to ‚Enabled‘ Compliant True
18.9.65.3.9.3 (L1) Ensure ‚Require use of specific security layer for remote (RDP) connections‘ is set to ‚Enabled: SSL‘ Compliant True
18.9.65.3.9.4 (L1) Ensure ‚Require user authentication for remote connections by using Network Level Authentication‘ is set to ‚Enabled‘ Compliant True
18.9.65.3.9.5 (L1) Ensure ‚Set client connection encryption level‘ is set to ‚Enabled: High Level‘ Compliant True
18.9.66.1 (L1) Ensure ‚Prevent downloading of enclosures‘ is set to ‚Enabled‘ Registry key not found. False
18.9.67.2 (L2) Ensure ‚Allow Cloud Search‘ is set to ‚Enabled: Disable Cloud Search‘ Compliant True
18.9.67.3 (L1) Ensure ‚Allow Cortana‘ is set to ‚Disabled‘ Compliant True
18.9.67.4 (L1) Ensure ‚Allow Cortana above lock screen‘ is set to ‚Disabled‘ Compliant True
18.9.67.5 (L1) Ensure ‚Allow indexing of encrypted files‘ is set to ‚Disabled‘ Compliant True
18.9.67.6 (L1) Ensure ‚Allow search and Cortana to use location‘ is set to ‚Disabled‘ Compliant True
18.9.72.1 (L2) Ensure ‚Turn off KMS Client Online AVS Validation‘ is set to ‚Enabled‘ Compliant True
18.9.75.1 (L2) Ensure ‚Disable all apps from Microsoft Store‘ is set to ‚Disabled‘ Compliant True
18.9.75.2 (L1) Ensure ‚Only display the private store within the Microsoft Store‘ is set to ‚Enabled‘ Compliant True
18.9.75.3 (L1) Ensure ‚Turn off Automatic Download and Install of updates‘ is set to ‚Disabled‘ Compliant True
18.9.75.4 (L1) Ensure ‚Turn off the offer to update to the latest version of Windows‘ is set to ‚Enabled‘ Compliant True
18.9.75.5 (L2) Ensure ‚Turn off the Store application‘ is set to ‚Enabled‘ Compliant True
18.9.8.1 (L1) Ensure ‚Disallow Autoplay for non-volume devices‘ is set to ‚Enabled‘ Compliant True
18.9.8.2 (L1) Ensure ‚Set the default behavior for AutoRun‘ is set to ‚Enabled: Do not execute any autorun commands‘ Compliant True
18.9.8.3 (L1) Ensure ‚Turn off Autoplay‘ is set to ‚Enabled: All drives‘ Compliant True
18.9.81.1 (L1) Ensure ‚Allow widgets‘ is set to ‚Disabled‘ Compliant True
18.9.85.1.1 (L1) Ensure ‚Configure Windows Defender SmartScreen‘ is set to ‚Enabled: Warn and prevent bypass‘ Compliant True
18.9.85.2.1 (L1) Ensure ‚Configure Windows Defender SmartScreen‘ is set to ‚Enabled‘ Compliant True
18.9.85.2.2 (L1) Ensure ‚Prevent bypassing Windows Defender SmartScreen prompts for sites‘ is set to ‚Enabled‘ Compliant True
18.9.87.1 (L1) Ensure ‚Enables or disables Windows Game Recording and Broadcasting‘ is set to ‚Disabled‘ Compliant True
18.9.89.1 (L2) Ensure ‚Allow suggested apps in Windows Ink Workspace‘ is set to ‚Disabled‘ Compliant True
18.9.89.2 (L1) Ensure ‚Allow Windows Ink Workspace‘ is set to ‚Enabled: On, but disallow access above lock‘ OR ‚Disabled‘ but not ‚Enabled: On‘ Compliant True
18.9.90.1 (L1) Ensure ‚Allow user control over installs‘ is set to ‚Disabled‘ Compliant True
18.9.90.2 (L1) Ensure ‚Always install with elevated privileges‘ is set to ‚Disabled‘ Compliant True
18.9.90.3 (L2) Ensure ‚Prevent Internet Explorer security prompt for Windows Installer scripts‘ is set to ‚Disabled‘ Compliant True
18.9.91.1 (L1) Ensure ‚Sign-in and lock last interactive user automatically after a restart‘ is set to ‚Disabled‘ Compliant True
19.1.3.1 (L1) Ensure ‚Enable screen saver‘ is set to ‚Enabled‘ Registry key not found. False
19.1.3.2 (L1) Ensure ‚Password protect the screen saver‘ is set to ‚Enabled‘ Registry key not found. False
19.1.3.3 (L1) Ensure ‚Screen saver timeout‘ is set to ‚Enabled: 900 seconds or fewer, but not 0‘ Registry key not found. False
19.5.1.1 (L1) Ensure ‚Turn off toast notifications on the lock screen‘ is set to ‚Enabled‘ Registry key not found. False
19.6.6.1.1 (L2) Ensure ‚Turn off Help Experience Improvement Program‘ is set to ‚Enabled‘ Registry key not found. False
19.7.28.1 (L1) Ensure ‚Prevent users from sharing files within their profile.‘ is set to ‚Enabled‘ Registry key not found. False
19.7.4.1 (L1) Ensure ‚Do not preserve zone information in file attachments‘ is set to ‚Disabled‘ Registry key not found. False
19.7.4.2 (L1) Ensure ‚Notify antivirus programs when opening attachments‘ is set to ‚Enabled‘ Registry key not found. False
19.7.47.2.1 (L2) Ensure ‚Prevent Codec Download‘ is set to ‚Enabled‘ Registry key not found. False
19.7.8.1 (L1) Ensure ‚Configure Windows spotlight on lock screen‘ is set to Disabled‘ Registry key not found. False
19.7.8.2 (L1) Ensure ‚Do not suggest third-party content in Windows spotlight‘ is set to ‚Enabled‘ Registry key not found. False
19.7.8.3 (L2) Ensure ‚Do not use diagnostic data for tailored experiences‘ is set to ‚Enabled‘ Registry key not found. False
19.7.8.4 (L2) Ensure ‚Turn off all Windows spotlight features‘ is set to ‚Enabled‘ Registry key not found. False
19.7.8.5 (L1) Ensure ‚Turn off Spotlight collection on Desktop‘ is set to ‚Enabled‘ Registry key not found. False
2.3.1.2 (L1) Ensure ‚Accounts: Block Microsoft accounts‘ is set to ‚Users can’t add or log on with Microsoft accounts‘ Compliant True
2.3.1.4 (L1) Ensure ‚Accounts: Limit local account use of blank passwords to console logon only‘ is set to ‚Enabled‘ Compliant True
2.3.10.1 (L1) Ensure ‚Network access: Allow anonymous SID/Name translation‘ is set to ‚Disabled‘ Registry value not found. False
2.3.10.10 (L1) Ensure ‚Network access: Restrict clients allowed to make remote calls to SAM‘ is set to ‚Administrators: Remote Access: Allow‘ Compliant True
2.3.10.11 (L1) Ensure ‚Network access: Shares that can be accessed anonymously‘ is set to ‚None‘ Compliant True
2.3.10.12 (L1) Ensure ‚Network access: Sharing and security model for local accounts‘ is set to ‚Classic – local users authenticate as themselves‘ Compliant True
2.3.10.2 (L1) Ensure ‚Network access: Do not allow anonymous enumeration of SAM accounts‘ is set to ‚Enabled‘ Compliant True
2.3.10.3 (L1) Ensure ‚Network access: Do not allow anonymous enumeration of SAM accounts and shares‘ is set to ‚Enabled‘ Compliant True
2.3.10.4 (L1) Ensure ‚Network access: Do not allow storage of passwords and credentials for network authentication‘ is set to ‚Enabled‘ Compliant True
2.3.10.5 (L1) Ensure ‚Network access: Let Everyone permissions apply to anonymous users‘ is set to ‚Disabled‘ Compliant True
2.3.10.6 (L1) Ensure ‚Network access: Named Pipes that can be accessed anonymously‘ is set to ‚None‘ Compliant True
2.3.10.7 (L1) Ensure ‚Network access: Remotely accessible registry paths‘ is configured Compliant True
2.3.10.8 (L1) Ensure ‚Network access: Remotely accessible registry paths and sub-paths‘ is configured Compliant True
2.3.10.9 (L1) Ensure ‚Network access: Restrict anonymous access to Named Pipes and Shares‘ is set to ‚Enabled‘ Compliant True
2.3.11.1 (L1) Ensure ‚Network security: Allow Local System to use computer identity for NTLM‘ is set to ‚Enabled‘ Compliant True
2.3.11.10 (L1) Ensure ‚Network security: Minimum session security for NTLM SSP based (including secure RPC) servers‘ is set to ‚Require NTLMv2 session security, Require 128-bit encryption‘ Compliant True
2.3.11.2 (L1) Ensure ‚Network security: Allow LocalSystem NULL session fallback‘ is set to ‚Disabled‘ Compliant True
2.3.11.3 (L1) Ensure ‚Network Security: Allow PKU2U authentication requests to this computer to use online identities‘ is set to ‚Disabled‘ Compliant True
2.3.11.4 (L1) Ensure ‚Network security: Configure encryption types allowed for Kerberos‘ is set to ‚AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types‘ Compliant True
2.3.11.5 (L1) Ensure ‚Network security: Do not store LAN Manager hash value on next password change‘ is set to ‚Enabled‘ Compliant True
2.3.11.7 (L1) Ensure ‚Network security: LAN Manager authentication level‘ is set to ‚Send NTLMv2 response only. Refuse LM&NTLM‘ Compliant True
2.3.11.8 (L1) Ensure ‚Network security: LDAP client signing requirements‘ is set to ‚Negotiate signing‘ or higher Compliant True
2.3.11.9 (L1) Ensure ‚Network security: Minimum session security for NTLM SSP based (including secure RPC) clients‘ is set to ‚Require NTLMv2 session security, Require 128-bit encryption‘ Compliant True
2.3.14.1 (L2) Ensure ‚System cryptography: Force strong key protection for user keys stored on the computer‘ is set to ‚User is prompted when the key is first used‘ or higher Compliant True
2.3.15.1 (L1) Ensure ‚System objects: Require case insensitivity for non-Windows subsystems‘ is set to ‚Enabled‘ Compliant True
2.3.15.2 (L1) Ensure ‚System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)‘ is set to ‚Enabled‘ Compliant True
2.3.17.1 (L1) Ensure ‚User Account Control: Admin Approval Mode for the Built-in Administrator account‘ is set to ‚Enabled‘ Compliant True
2.3.17.2 (L1) Ensure ‚User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode‘ is set to ‚Prompt for consent on the secure desktop‘ Compliant True
2.3.17.3 (L1) Ensure ‚User Account Control: Behavior of the elevation prompt for standard users‘ is set to ‚Automatically deny elevation requests‘ Registry value is ‚3‘. Expected: 0 False
2.3.17.4 (L1) Ensure ‚User Account Control: Detect application installations and prompt for elevation‘ is set to ‚Enabled‘ Compliant True
2.3.17.5 (L1) Ensure ‚User Account Control: Only elevate UIAccess applications that are installed in secure locations‘ is set to ‚Enabled‘ Compliant True
2.3.17.6 (L1) Ensure ‚User Account Control: Run all administrators in Admin Approval Mode‘ is set to ‚Enabled‘ Compliant True
2.3.17.7 (L1) Ensure ‚User Account Control: Switch to the secure desktop when prompting for elevation‘ is set to ‚Enabled‘ Compliant True
2.3.17.8 (L1) Ensure ‚User Account Control: Virtualize file and registry write failures to per-user locations‘ is set to ‚Enabled‘ Compliant True
2.3.2.1 (L1) Ensure ‚Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings‘ is set to ‚Enabled‘ Compliant True
2.3.2.2 (L1) Ensure ‚Audit: Shut down system immediately if unable to log security audits‘ is set to ‚Disabled‘ Compliant True
2.3.4.1 (L1) Ensure ‚Devices: Allowed to format and eject removable media‘ is set to ‚Administrators and Interactive Users‘ Compliant True
2.3.4.2 (L2) Ensure ‚Devices: Prevent users from installing printer drivers‘ is set to ‚Enabled‘ Compliant True
2.3.6.1 (L1) Ensure ‚Domain member: Digitally encrypt or sign secure channel data (always)‘ is set to ‚Enabled‘ Compliant True
2.3.6.2 (L1) Ensure ‚Domain member: Digitally encrypt secure channel data (when possible)‘ is set to ‚Enabled‘ Compliant True
2.3.6.3 (L1) Ensure ‚Domain member: Digitally sign secure channel data (when possible)‘ is set to ‚Enabled‘ Compliant True
2.3.6.4 (L1) Ensure ‚Domain member: Disable machine account password changes‘ is set to ‚Disabled‘ Compliant True
2.3.6.5 (L1) Ensure ‚Domain member: Maximum machine account password age‘ is set to ’30 or fewer days, but not 0′ Compliant True
2.3.6.6 (L1) Ensure ‚Domain member: Require strong (Windows 2000 or later) session key‘ is set to ‚Enabled‘ Compliant True
2.3.7.1 (L1) Ensure ‚Interactive logon: Do not require CTRL+ALT+DEL‘ is set to ‚Disabled‘ Compliant True
2.3.7.2 (L1) Ensure ‚Interactive logon: Don’t display last signed-in‘ is set to ‚Enabled‘ Compliant True
2.3.7.3 (BL) Ensure ‚Interactive logon: Machine account lockout threshold‘ is set to ’10 or fewer invalid logon attempts, but not 0′ Compliant True
2.3.7.4 (L1) Ensure ‚Interactive logon: Machine inactivity limit‘ is set to ‚900 or fewer second(s), but not 0‘ Compliant True
2.3.7.5 (L1) Configure ‚Interactive logon: Message text for users attempting to log on‘ Compliant True
2.3.7.6 (L1) Configure ‚Interactive logon: Message title for users attempting to log on‘ Compliant True
2.3.7.7 (L2) Ensure ‚Interactive logon: Number of previous logons to cache (in case domain controller is not available)‘ is set to ‚4 or fewer logon(s)‘ Compliant True
2.3.7.8 (L1) Ensure ‚Interactive logon: Prompt user to change password before expiration‘ is set to ‚between 5 and 14 days‘ Compliant True
2.3.7.9 (L1) Ensure ‚Interactive logon: Smart card removal behavior‘ is set to ‚Lock Workstation‘ or higher Compliant True
2.3.8.1 (L1) Ensure ‚Microsoft network client: Digitally sign communications (always)‘ is set to ‚Enabled‘ Registry value is ‚0‘. Expected: 1 False
2.3.8.2 (L1) Ensure ‚Microsoft network client: Digitally sign communications (if server agrees)‘ is set to ‚Enabled‘ Compliant True
2.3.8.3 (L1) Ensure ‚Microsoft network client: Send unencrypted password to third-party SMB servers‘ is set to ‚Disabled‘ Compliant True
2.3.9.1 (L1) Ensure ‚Microsoft network server: Amount of idle time required before suspending session‘ is set to ’15 or fewer minute(s)‘ Compliant True
2.3.9.2 (L1) Ensure ‚Microsoft network server: Digitally sign communications (always)‘ is set to ‚Enabled‘ Registry value is ‚0‘. Expected: 1 False
2.3.9.3 (L1) Ensure ‚Microsoft network server: Digitally sign communications (if client agrees)‘ is set to ‚Enabled‘ Registry value is ‚0‘. Expected: 1 False
2.3.9.4 (L1) Ensure ‚Microsoft network server: Disconnect clients when logon hours expire‘ is set to ‚Enabled‘ Compliant True
2.3.9.5 (L1) Ensure ‚Microsoft network server: Server SPN target name validation level‘ is set to ‚Accept if provided by client‘ or higher Compliant True
5.1 (L2) Ensure ‚Bluetooth Audio Gateway Service (BTAGService)‘ is set to ‚Disabled‘ Registry value is ‚3‘. Expected: 4 False
5.10 (L1) Ensure ‚LxssManager (LxssManager)‘ is set to ‚Disabled‘ or ‚Not Installed‘ Compliant True
5.11 (L1) Ensure ‚Microsoft FTP Service (FTPSVC)‘ is set to ‚Disabled‘ or ‚Not Installed‘ Compliant True
5.12 (L2) Ensure ‚Microsoft iSCSI Initiator Service (MSiSCSI)‘ is set to ‚Disabled‘ Compliant True
5.13 (L1) Ensure ‚OpenSSH SSH Server (sshd)‘ is set to ‚Disabled‘ or ‚Not Installed‘ Compliant True
5.14 (L2) Ensure ‚Peer Name Resolution Protocol (PNRPsvc)‘ is set to ‚Disabled‘ Compliant True
5.15 (L2) Ensure ‚Peer Networking Grouping (p2psvc)‘ is set to ‚Disabled‘ Compliant True
5.16 (L2) Ensure ‚Peer Networking Identity Manager (p2pimsvc)‘ is set to ‚Disabled‘ Compliant True
5.17 (L2) Ensure ‚PNRP Machine Name Publication Service (PNRPAutoReg)‘ is set to ‚Disabled‘ Compliant True
5.18 (L2) Ensure ‚Print Spooler (Spooler)‘ is set to ‚Disabled‘ (MS only) Registry value is ‚2‘. Expected: 4 False
5.19 (L2) Ensure ‚Problem Reports and Solutions Control Panel Support (wercplsupport)‘ is set to ‚Disabled‘ Compliant True
5.2 (L2) Ensure ‚Bluetooth Support Service (bthserv)‘ is set to ‚Disabled‘ Registry value is ‚3‘. Expected: 4 False
5.20 (L2) Ensure ‚Remote Access Auto Connection Manager (RasAuto)‘ is set to ‚Disabled‘ Compliant True
5.21 (L2) Ensure ‚Remote Desktop Configuration (SessionEnv)‘ is set to ‚Disabled‘ Compliant True
5.22 (L2) Ensure ‚Remote Desktop Services (TermService)‘ is set to ‚Disabled‘ Compliant True
5.23 (L2) Ensure ‚Remote Desktop Services UserMode Port Redirector (UmRdpService)‘ is set to ‚Disabled‘ Compliant True
5.24 (L1) Ensure ‚Remote Procedure Call (RPC) Locator (RpcLocator)‘ is set to ‚Disabled‘ Compliant True
5.25 (L2) Ensure ‚Remote Registry (RemoteRegistry)‘ is set to ‚Disabled‘ Compliant True
5.26 (L1) Ensure ‚Routing and Remote Access (RemoteAccess)‘ is set to ‚Disabled‘ Compliant True
5.27 (L2) Ensure ‚Server (LanmanServer)‘ is set to ‚Disabled‘ Compliant True
5.28 (L1) Ensure ‚Simple TCP/IP Services (simptcp)‘ is set to ‚Disabled‘ or ‚Not Installed‘ Compliant True
5.29 (L2) Ensure ‚SNMP Service (SNMP)‘ is set to ‚Disabled‘ or ‚Not Installed‘ Compliant True
5.3 (L1) Ensure ‚Computer Browser (Browser)‘ is set to ‚Disabled‘ or ‚Not Installed‘ Compliant True
5.30 (L1) Ensure ‚Special Administration Console Helper (sacsvr)‘ is set to ‚Disabled‘ or ‚Not Installed‘ Compliant True
5.31 (L1) Ensure ‚SSDP Discovery (SSDPSRV)‘ is set to ‚Disabled‘ Compliant True
5.32 (L1) Ensure ‚UPnP Device Host (upnphost)‘ is set to ‚Disabled‘ Compliant True
5.33 (L1) Ensure ‚Web Management Service (WMSvc)‘ is set to ‚Disabled‘ or ‚Not Installed‘ Compliant True
5.34 (L2) Ensure ‚Windows Error Reporting Service (WerSvc)‘ is set to ‚Disabled‘ Compliant True
5.35 (L2) Ensure ‚Windows Event Collector (Wecsvc)‘ is set to ‚Disabled‘ Compliant True
5.36 (L1) Ensure ‚Windows Media Player Network Sharing Service (WMPNetworkSvc)‘ is set to ‚Disabled‘ or ‚Not Installed‘ Compliant True
5.37 (L1) Ensure ‚Windows Mobile Hotspot Service (icssvc)‘ is set to ‚Disabled‘ Compliant True
5.38 (L2) Ensure ‚Windows Push Notifications System Service (WpnService)‘ is set to ‚Disabled‘ Compliant True
5.39 (L2) Ensure ‚Windows PushToInstall Service (PushToInstall)‘ is set to ‚Disabled‘ Compliant True
5.4 (L2) Ensure ‚Downloaded Maps Manager (MapsBroker)‘ is set to ‚Disabled‘ Compliant True
5.40 (L2) Ensure ‚Windows Remote Management (WS-Management) (WinRM)‘ is set to ‚Disabled‘ Registry value is ‚2‘. Expected: 4 False
5.41 (L1) Ensure ‚World Wide Web Publishing Service (W3SVC)‘ is set to ‚Disabled‘ or ‚Not Installed‘ Compliant True
5.42 (L1) Ensure ‚Xbox Accessory Management Service (XboxGipSvc)‘ is set to ‚Disabled‘ Compliant True
5.43 (L1) Ensure ‚Xbox Live Auth Manager (XblAuthManager)‘ is set to ‚Disabled‘ Compliant True
5.44 (L1) Ensure ‚Xbox Live Game Save (XblGameSave)‘ is set to ‚Disabled‘ Compliant True
5.45 (L1) Ensure ‚Xbox Live Networking Service (XboxNetApiSvc)‘ is set to ‚Disabled‘ Compliant True
5.5 (L2) Ensure ‚Geolocation Service (lfsvc)‘ is set to ‚Disabled‘ Compliant True
5.6 (L1) Ensure ‚IIS Admin Service (IISADMIN)‘ is set to ‚Disabled‘ or ‚Not Installed‘ Compliant True
5.7 (L1) Ensure ‚Infrared monitor service (irmon)‘ is set to ‚Disabled‘ or ‚Not Installed‘ Compliant True
5.8 (L1) Ensure ‚Internet Connection Sharing (ICS) (SharedAccess)‘ is set to ‚Disabled‘ Compliant True
5.9 (L2) Ensure ‚Link-Layer Topology Discovery Mapper (lltdsvc)‘ is set to ‚Disabled‘ Compliant True
9.1.1 (L1) Ensure ‚Windows Firewall: Domain: Firewall state‘ is set to ‚On (recommended)‘ Compliant True
9.1.2 (L1) Ensure ‚Windows Firewall: Domain: Inbound connections‘ is set to ‚Block (default)‘ Compliant True
9.1.3 (L1) Ensure ‚Windows Firewall: Domain: Outbound connections‘ is set to ‚Allow (default)‘ Compliant True
9.1.4 (L1) Ensure ‚Windows Firewall: Domain: Settings: Display a notification‘ is set to ‚No‘ Compliant True
9.1.5 (L1) Ensure ‚Windows Firewall: Domain: Logging: Name‘ is set to ‚%SystemRoot%\System32\logfiles\firewall\domainfw.log‘ Compliant True
9.1.6 (L1) Ensure ‚Windows Firewall: Domain: Logging: Size limit (KB)‘ is set to ‚16,384 KB or greater‘ Compliant True
9.1.7 (L1) Ensure ‚Windows Firewall: Domain: Logging: Log dropped packets‘ is set to ‚Yes‘ Compliant True
9.1.8 (L1) Ensure ‚Windows Firewall: Domain: Logging: Log successful connections‘ is set to ‚Yes‘ Compliant True
9.2.1 (L1) Ensure ‚Windows Firewall: Private: Firewall state‘ is set to ‚On (recommended)‘ Compliant True
9.2.2 (L1) Ensure ‚Windows Firewall: Private: Inbound connections‘ is set to ‚Block (default)‘ Compliant True
9.2.3 (L1) Ensure ‚Windows Firewall: Private: Outbound connections‘ is set to ‚Allow (default)‘ Compliant True
9.2.4 (L1) Ensure ‚Windows Firewall: Private: Settings: Display a notification‘ is set to ‚No‘ Compliant True
9.2.5 (L1) Ensure ‚Windows Firewall: Private: Logging: Name‘ is set to ‚%SystemRoot%\System32\logfiles\firewall\privatefw.log‘ Compliant True
9.2.6 (L1) Ensure ‚Windows Firewall: Private: Logging: Size limit (KB)‘ is set to ‚16,384 KB or greater‘ Compliant True
9.2.7 (L1) Ensure ‚Windows Firewall: Private: Logging: Log dropped packets‘ is set to ‚Yes‘ Compliant True
9.2.8 (L1) Ensure ‚Windows Firewall: Private: Logging: Log successful connections‘ is set to ‚Yes‘ Compliant True
9.3.1 (L1) Ensure ‚Windows Firewall: Public: Firewall state‘ is set to ‚On (recommended)‘ Compliant True
9.3.10 (L1) Ensure ‚Windows Firewall: Public: Logging: Log successful connections‘ is set to ‚Yes‘ Compliant True
9.3.2 (L1) Ensure ‚Windows Firewall: Public: Inbound connections‘ is set to ‚Block (default)‘ Compliant True
9.3.3 (L1) Ensure ‚Windows Firewall: Public: Outbound connections‘ is set to ‚Allow (default)‘ Compliant True
9.3.4 (L1) Ensure ‚Windows Firewall: Public: Settings: Display a notification‘ is set to ‚No‘ Compliant True
9.3.5 (L1) Ensure ‚Windows Firewall: Public: Settings: Apply local firewall rules‘ is set to ‚No‘ Compliant True
9.3.6 (L1) Ensure ‚Windows Firewall: Public: Settings: Apply local connection security rules‘ is set to ‚No‘ Compliant True
9.3.7 (L1) Ensure ‚Windows Firewall: Public: Logging: Name‘ is set to ‚%SystemRoot%\System32\logfiles\firewall\publicfw.log‘ Compliant True
9.3.8 (L1) Ensure ‚Windows Firewall: Public: Logging: Size limit (KB)‘ is set to ‚16,384 KB or greater‘ Compliant True
9.3.9 (L1) Ensure ‚Windows Firewall: Public: Logging: Log dropped packets‘ is set to ‚Yes‘ Compliant True

User Rights Assignment

Id Task Message Status
2.2.1 (L1) Ensure ‚Access Credential Manager as a trusted caller‘ is set to ‚No One‘ Compliant True
2.2.10 (L1) Ensure ‚Create a pagefile‘ is set to ‚Administrators‘ Compliant True
2.2.11 (L1) Ensure ‚Create a token object‘ is set to ‚No One‘ Compliant True
2.2.12 (L1) Ensure ‚Create global objects‘ is set to ‚Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE‘ Compliant True
2.2.13 (L1) Ensure ‚Create permanent shared objects‘ is set to ‚No One‘ Compliant True
2.2.14.1 (L1) Configure ‚Create symbolic links‘ The user ‚SeCreateSymbolicLinkPrivilege‘ setting does not contain the following users: NT VIRTUAL MACHINE\Virtual Machines False
2.2.14.2 (L1) Configure ‚Create symbolic links‘ (Hyper-V feature not installed) Compliant True
2.2.15 (L1) Ensure ‚Debug programs‘ is set to ‚Administrators‘ The user ‚SeDebugPrivilege‘ setting does not contain the following users: BUILTIN\Administrators False
2.2.16 (L1) Ensure ‚Deny access to this computer from the network‘ to include ‚Guests, Local account‘ Compliant True
2.2.17 (L1) Ensure ‚Deny log on as a batch job‘ to include ‚Guests‘ Compliant True
2.2.18 (L1) Ensure ‚Deny log on as a service‘ to include ‚Guests‘ Compliant True
2.2.19 (L1) Ensure ‚Deny log on locally‘ to include ‚Guests‘ Compliant True
2.2.2 (L1) Ensure ‚Access this computer from the network‘ is set to ‚Administrators, Remote Desktop Users‘ The user right ‚SeNetworkLogonRight‘ contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators
The user ‚SeNetworkLogonRight‘ setting does not contain the following users: BUILTIN\Remote Desktop Users
False
2.2.20 (L1) Ensure ‚Deny log on through Remote Desktop Services‘ to include ‚Guests, Local account‘ Compliant True
2.2.21 (L1) Ensure ‚Enable computer and user accounts to be trusted for delegation‘ is set to ‚No One‘ Compliant True
2.2.22 (L1) Ensure ‚Force shutdown from a remote system‘ is set to ‚Administrators‘ Compliant True
2.2.23 (L1) Ensure ‚Generate security audits‘ is set to ‚LOCAL SERVICE, NETWORK SERVICE‘ Compliant True
2.2.24 (L1) Ensure ‚Impersonate a client after authentication‘ is set to ‚Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE‘ Compliant True
2.2.25 (L1) Ensure ‚Increase scheduling priority‘ is set to ‚Administrators, Window Manager\Window Manager Group‘ Compliant True
2.2.26 (L1) Ensure ‚Load and unload device drivers‘ is set to ‚Administrators‘ Compliant True
2.2.27 (L1) Ensure ‚Lock pages in memory‘ is set to ‚No One‘ Compliant True
2.2.28 (L2) Ensure ‚Log on as a batch job‘ is set to ‚Administrators‘ The user right ‚SeBatchLogonRight‘ contains following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log Users False
2.2.29 A (L2) Configure ‚Log on as a service‘ The user right ‚SeServiceLogonRight‘ contains following unexpected users: NT SERVICE\ALL SERVICES, NT VIRTUAL MACHINE\Virtual Machines False
2.2.29 B (L2) Configure ‚Log on as a service‘ (when the Hyper-V feature is installed) The user ‚SeTrustedCredManAccessPrivilege‘ setting does not contain the following users: NT VIRTUAL MACHINE\Virtual Machines False
2.2.3 (L1) Ensure ‚Act as part of the operating system‘ is set to ‚No One‘ Compliant True
2.2.30 (L1) Ensure ‚Manage auditing and security log‘ is set to ‚Administrators‘ Compliant True
2.2.31 (L1) Ensure ‚Modify an object label‘ is set to ‚No One‘ Compliant True
2.2.32 (L1) Ensure ‚Modify firmware environment values‘ is set to ‚Administrators‘ Compliant True
2.2.33 (L1) Ensure ‚Perform volume maintenance tasks‘ is set to ‚Administrators‘ Compliant True
2.2.34 (L1) Ensure ‚Profile single process‘ is set to ‚Administrators‘ Compliant True
2.2.35 (L1) Ensure ‚Profile system performance‘ is set to ‚Administrators, NT SERVICE\WdiServiceHost‘ Compliant True
2.2.36 (L1) Ensure ‚Replace a process level token‘ is set to ‚LOCAL SERVICE, NETWORK SERVICE‘ Compliant True
2.2.37 (L1) Ensure ‚Restore files and directories‘ is set to ‚Administrators‘ The user right ‚SeRestorePrivilege‘ contains following unexpected users: BUILTIN\Backup Operators False
2.2.38 (L1) Ensure ‚Shut down the system‘ is set to ‚Administrators, Users‘ The user right ‚SeShutdownPrivilege‘ contains following unexpected users: BUILTIN\Backup Operators False
2.2.39 (L1) Ensure ‚Take ownership of files or other objects‘ is set to ‚Administrators‘ Compliant True
2.2.4 (L1) Ensure ‚Adjust memory quotas for a process‘ is set to ‚Administrators, LOCAL SERVICE, NETWORK SERVICE‘ Compliant True
2.2.5 (L1) Ensure ‚Allow log on locally‘ is set to ‚Administrators, Users‘ The user right ‚SeInteractiveLogonRight‘ contains following unexpected users: Hostname1\OldGuest, BUILTIN\Backup Operators False
2.2.6 (L1) Ensure ‚Allow log on through Remote Desktop Services‘ is set to ‚Administrators, Remote Desktop Users‘ Compliant True
2.2.7 (L1) Ensure ‚Back up files and directories‘ is set to ‚Administrators‘ The user right ‚SeBackupPrivilege‘ contains following unexpected users: BUILTIN\Backup Operators False
2.2.8 (L1) Ensure ‚Change the system time‘ is set to ‚Administrators, LOCAL SERVICE‘ Compliant True
2.2.9 (L1) Ensure ‚Change the time zone‘ is set to ‚Administrators, LOCAL SERVICE, Users‘ Compliant True

Account Policies

Id Task Message Status
1.1.1 (L1) Ensure ‚Enforce password history‘ is set to ’24 or more password(s)‘ Compliant True
1.1.2 (L1) Ensure ‚Maximum password age‘ is set to ‚365 or fewer days, but not 0‘ Compliant True
1.1.3 (L1) Ensure ‚Minimum password age‘ is set to ‚1 or more day(s)‘ Compliant True
1.1.4 (L1) Ensure ‚Minimum password length‘ is set to ’14 or more character(s)‘ Compliant True
1.1.5 (L1) Ensure ‚Password must meet complexity requirements‘ is set to ‚Enabled‘ Compliant True
1.1.7 (L1) Ensure ‚Store passwords using reversible encryption‘ is set to ‚Disabled‘ Compliant True
1.2.1 (L1) Ensure ‚Account lockout duration‘ is set to ’15 or more minute(s)‘ Compliant True
1.2.2 (L1) Ensure ‚Account lockout threshold‘ is set to ‚5 or fewer invalid logon attempt(s), but not 0‘ ‚LockoutBadCount‘ currently set to: 7. Expected: x <= 5 and x > 0 False
1.2.3 (L1) Ensure ‚Reset account lockout counter after‘ is set to ’15 or more minute(s)‘ Compliant True

Advanced Audit Policy Configuration

Id Task Message Status
17.1.1 (L1) Ensure ‚Audit Credential Validation‘ is set to ‚Success and Failure‘ Compliant True
17.2.1 (L1) Ensure ‚Audit Application Group Management‘ is set to ‚Success and Failure‘ Compliant True
17.2.2 (L1) Ensure ‚Audit Security Group Management‘ is set to include ‚Success‘ Compliant True
17.2.3 (L1) Ensure ‚Audit User Account Management‘ is set to ‚Success and Failure‘ Compliant True
17.3.1 (L1) Ensure ‚Audit PNP Activity‘ is set to include ‚Success‘ Compliant True
17.3.2 (L1) Ensure ‚Audit Process Creation‘ is set to include ‚Success‘ Compliant True
17.5.1 (L1) Ensure ‚Audit Account Lockout‘ is set to include ‚Failure‘ Compliant True
17.5.2 (L1) Ensure ‚Audit Group Membership‘ is set to include ‚Success‘ Compliant True
17.5.3 (L1) Ensure ‚Audit Logoff‘ is set to include ‚Success‘ Compliant True
17.5.4 (L1) Ensure ‚Audit Logon‘ is set to ‚Success and Failure‘ Compliant True
17.5.5 (L1) Ensure ‚Audit Other Logon/Logoff Events‘ is set to ‚Success and Failure‘ Compliant True
17.5.6 (L1) Ensure ‚Audit Special Logon‘ is set to include ‚Success‘ Compliant True
17.6.1 (L1) Ensure ‚Audit Detailed File Share‘ is set to include ‚Failure‘ Compliant True
17.6.2 (L1) Ensure ‚Audit File Share‘ is set to ‚Success and Failure‘ Compliant True
17.6.3 (L1) Ensure ‚Audit Other Object Access Events‘ is set to ‚Success and Failure‘ Compliant True
17.6.4 (L1) Ensure ‚Audit Removable Storage‘ is set to ‚Success and Failure‘ Compliant True
17.7.1 (L1) Ensure ‚Audit Audit Policy Change‘ is set to include ‚Success‘ Compliant True
17.7.2 (L1) Ensure ‚Audit Authentication Policy Change‘ is set to include ‚Success‘ Compliant True
17.7.3 (L1) Ensure ‚Audit Authorization Policy Change‘ is set to include ‚Success‘ Compliant True
17.7.4 (L1) Ensure ‚Audit MPSSVC Rule-Level Policy Change‘ is set to ‚Success and Failure‘ Compliant True
17.7.5 (L1) Ensure ‚Audit Other Policy Change Events‘ is set to include ‚Failure‘ Compliant True
17.8.1 (L1) Ensure ‚Audit Sensitive Privilege Use‘ is set to ‚Success and Failure‘ Compliant True
17.9.1 (L1) Ensure ‚Audit IPsec Driver‘ is set to ‚Success and Failure‘ Compliant True
17.9.2 (L1) Ensure ‚Audit Other System Events‘ is set to ‚Success and Failure‘ Compliant True
17.9.3 (L1) Ensure ‚Audit Security State Change‘ is set to include ‚Success‘ Compliant True
17.9.4 (L1) Ensure ‚Audit Security System Extension‘ is set to include ‚Success‘ Compliant True
17.9.5 (L1) Ensure ‚Audit System Integrity‘ is set to ‚Success and Failure‘ Compliant True

Was uns auszeichnet

Wenn Sie sich für eine Zusammenarbeit mit dem Hamburger IT Service entscheiden, profitieren Sie von:

professioneller IT-Betreuung
guter Erreichbarkeit
schnellen Reaktionszeiten
Planungssicherheit durch Serviceverträge
individuellen Lösungen, die Ihren Arbeitsalltag erleichtern

Gerne überzeugen wir Sie in einem unverbindlichen Beratungsgespräch!