Das Audit Report Modul vom Hamburger-IT-Service* überprüfen verschiedene Standard-Produkte auf die Konfiguration wichtiger und relevanter Sicherheitseinstellungen. Die Referenzen, gegen die geprüft wird, sind grundlegend etablierte und erprobte Sicherheitsstandards – zum Beispiel die Härtungsempfehlungen und Konfigurationsvorgaben von:
- DISA (Defense Information Systems Agency)
- CIS (Center for Internet Security)
- BSI (Bundesamt für Sicherheit in der Informationstechnik)
- ACSC (Australian Cyber Security Center)
- Herstellerempfehlungen, bspw. von Microsoft
Mit dem AuditTAP erzeugen Sie schnell und mit geringem Aufwand eine einfache und übersichtliche, HTML-basierte Dokumentation Ihrer Systeme.
AuditTAP: Download & Installation
Das Audit Test Automation Package (AuditTAP) können Sie kostenlos bei Github herunterladen und konform der angegebenen Lizenzbedingungen kostenfrei nutzen. Hier erhalten Sie auch detaillierte Informationen zum Produkt, beispielsweise für die Installation und Einrichtung.
Audit Report Modul: die Features
Entsprechen Ihre Produkte den aktuellen Empfehlungen zur sicherheitstechnischen Konfiguration? Sind die Dokumentationen Ihrer IT-Systeme vorhanden? Wie sieht der Compliance-Status der Einstellungen aus? Diese und weitere Fragen beantworten Ihnen unser Audit TAP-Reports ganz schnell und einfach.
Das Audit TAP führt ein automatisiertes Audit durch, indem es – je nach Produkt – bis zu mehrere hundert Konfigurationseinstellung überprüft. Hierbei werden unter anderem die genutzten Algorithmen und Schlüssel, der Speicherort von Log-Daten, die Nutzung von TLS 1.2 (oder höher), die aktivierten Services oder vorhandene, separierte Service-Accounts gecheckt.
Nach dem Audit erzeugt das Audit Test Automation Package einen Report im HTML-Format. In diesem sehen Sie, welche Settings den Empfehlungen entsprechen und welche nicht.
Audits gemäß der Datenschutz-Grundverordnung
Das AuditTAP bietet ebenso einen Windows 10 GDPR / DS-GVO Report an. Bei diesem werden über 100 Windows 10-Einstellungen auf ihre Datenschutz-Konformität überprüft. Mehr Informationen dazu gibt es in unserem Beitrag “AuditTAP: GDPR Compliance Checks für Windows 10“.
Report Beispiel eines Windows 11 gehärteten Computers
Report Beispiel eines Windows 11 gehärteten Computers
Generated by the ATAPAuditor Module Version 5.0 by Hamburger-IT-Service. Are you seeing a lot of red sections? Check out our hardening solution:
- Security baseline for Microsoft Windows 11, Version: 20H2, Date: 2020-12-17
- CIS Microsoft Windows 11 Enterprise Release 21H2 Benchmark, Version: 21H2, Date: 2022-02-14
This report was generated on 07/20/2022 16:59:29 on Hostname1DomainName with TAPHtmlReport version 1.8.
Hostname | Hostname1DomainName |
---|---|
Build Number | 22000 |
Free physical memory (GB) | 5,216 |
Operating System | Microsoft Windows 11 Pro |
Domain role | Member Workstation |
Free disk space (GB) | 885,6 |
Installation Language | English (United States) |
Summary
A total of 892 tests have been executed.
- True 672 test(s) ≙ 75.34%
- False 217 test(s) ≙ 24.33%
- Warning 2 test(s) ≙ 0.22%
- None 0 test(s) ≙ 0.00%
- Error 1 test(s) ≙ 0.11%
General Benchmarks
A total of 22 tests have been executed in section General Benchmarks.
- True 14 test(s) ≙ 63.64%
- False 5 test(s) ≙ 22.73%
- Warning 2 test(s) ≙ 9.09%
- None 0 test(s) ≙ 0.00%
- Error 1 test(s) ≙ 4.55%
Microsoft Benchmarks
A total of 347 tests have been executed in section Microsoft Benchmarks.
- True 187 test(s) ≙ 53.89%
- False 160 test(s) ≙ 46.11%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
CIS Benchmarks
A total of 523 tests have been executed in section CIS Benchmarks.
- True 471 test(s) ≙ 90.06%
- False 52 test(s) ≙ 9.94%
- Warning 0 test(s) ≙ 0.00%
- None 0 test(s) ≙ 0.00%
- Error 0 test(s) ≙ 0.00%
Table of Contents
Click the link(s) below for quick access to a report section.
General Benchmarks–↑
This section contains general benchmarks
Security Base Data–↑
This section contains basic recommendations for a secure Microsoft Windows configuration.
Id | Task | Message | Status |
---|---|---|---|
SBD-001 | Ensure the system is booting in ‚UEFI‘ mode. | Compliant | True |
SBD-002 | Ensure the system is using SecureBoot. | SecureBoot is supported but disabled. | False |
SBD-003 | Ensure the TPM Chip is ‚present‘. | Compliant | True |
SBD-004 | Ensure the TPM Chip is ‚ready‘. | Compliant | True |
SBD-005 | Ensure the TPM Chip is ‚enabled‘. | Compliant | True |
SBD-006 | Ensure the TPM Chip is ‚activated‘. | Compliant | True |
SBD-007 | Ensure the TPM Chip is ‚owned‘. | Compliant | True |
SBD-008 | Ensure the TPM Chip is implementing specification version 2.0 or higher. | Compliant | True |
SBD-009 | Get the count of local users on the system. | System has 3-5 local users. | Warning |
SBD-010 | Get the count of admin users on the system. | System has 3-5 admin users. | Warning |
SBD-011 | Ensure the status of the Bitlocker service is ‚Running‘. | Compliant | True |
SBD-012 | Ensure that Bitlocker is activated on all volumes. | Bitlocker status is unknown. | Error |
SBD-013 | Ensure the status of the Windows Defender service is ‚Running‘. | Compliant | True |
SBD-014 | Ensure the status of the Microsoft Defender for Endpoint service is ‚Running‘. | Service is not ‚Running‘ (More info). | False |
SBD-015 | Ensure the Windows Firewall is enabled on all profiles. | Compliant | True |
SBD-016 | Check if the last successful search for updates was in the past 24 hours. | Compliant | True |
SBD-017 | Check if the last successful installation of updates was in the past 5 days. | Compliant | True |
SBD-018 | Ensure Virtualization Based Security is enabled and running. | VBS is activated but not running. | False |
SBD-019 | Ensure Hypervisor-protected Code Integrity (HVCI) is running. | HVCI is not running. | False |
SBD-020 | Ensure Credential Guard is running. | Credential Guard is not running. | False |
SBD-021 | Ensure the Attack Surface Reduction (ASR) rules are enabled. | Compliant (12+ rules enabled) | True |
SBD-022 | Ensure Windows Defender Application Guard is enabled. | Compliant | True |
Microsoft Benchmarks–↑
This section contains all benchmarks from Microsoft
Registry Settings/Group Policies–↑
Id | Task | Message | Status |
---|---|---|---|
Registry-009 | Set registry value ‚UseEnhancedPin‘ to 1. | Compliant | True |
Registry-010 | Set registry value ‚RDVDenyCrossOrg‘ to 0. | Compliant | True |
Registry-011 | Set registry value ‚DisableExternalDMAUnderLock‘ to 1. | Compliant | True |
Registry-012 | Set registry value ‚DCSettingIndex‘ to 0. | Compliant | True |
Registry-013 | Set registry value ‚ACSettingIndex‘ to 0. | Compliant | True |
Registry-014 | Set registry value ‚DenyDeviceClasses‘ to 1. | Compliant | True |
Registry-015 | Set registry value ‚DenyDeviceClassesRetroactive‘ to 1. | Compliant | True |
Registry-016 | Set registry value ‚1‘ to ‚Prevent installation of drivers matching these device setup classes‘. | Compliant | True |
Registry-017 | Ensure ‚Deny write access to removable drives not protected by BitLocker‘ is set to ‚Enabled‘. | Compliant | True |
Registry-018 | Set registry value ‚PUAProtection‘ to 1. | Compliant | True |
Registry-019 | Set registry value ‚MpCloudBlockLevel‘ to 2. | Registry value not found. | False |
Registry-020 | Ensure ‚Scan all downloaded files and attachments‘ is set to ‚Enabled‘. | Compliant | True |
Registry-021 | Ensure ‚Turn off real-time protection‘ is set to ‚Disabled‘. | Compliant | True |
Registry-022 | Set registry value ‚DisableScriptScanning‘ to 0. | Compliant | True |
Registry-023 | Ensure ‚Scan removable drives‘ is set to ‚Enabled‘. | Compliant | True |
Registry-024 | Ensure ‚Send file samples when further analysis is required‘ is set to ‚Send safe samples‘. | Registry value is ‚2‘. Expected: 1 | False |
Registry-025 | Ensure ‚Join Microsoft MAPS‘ is set to ‚Advanced MAPS‘. | Registry value is ‚0‘. Expected: 2 | False |
Registry-026 | Ensure ‚Configure the ‚Block at First Sight‘ feature‘ is set to ‚Enabled‘. | Registry value not found. | False |
Registry-027 | Set registry value ‚ExploitGuard_ASR_Rules‘ to 1. | Compliant | True |
Registry-028 | (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured | Compliant | True |
Registry-029 | (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured | Compliant | True |
Registry-030 | (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured | Compliant | True |
Registry-031 | (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured | Compliant | True |
Registry-032 | (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured | Compliant | True |
Registry-033 | (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured | Compliant | True |
Registry-034 | (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured | Compliant | True |
Registry-035 | (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured | Compliant | True |
Registry-036 | (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured | Compliant | True |
Registry-037 | (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured | Compliant | True |
Registry-038 | (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured | Compliant | True |
Registry-039 | Use advanced protection against ransomware | Registry value not found. | False |
Registry-040 | (L1) Ensure ‚Configure Attack Surface Reduction rules: Set the state for each ASR rule‘ is configured | Compliant | True |
Registry-041 | Set registry value ‚EnableNetworkProtection‘ to 1. | Compliant | True |
Registry-042 | Ensure ‚Turn On Virtualization Based Security‘ is set to ‚Enabled‘. | Compliant | True |
Registry-043 | Ensure ‚Turn On Virtualization Based Security‘ is set to ‚Secure Boot‘. | Registry value is ‚3‘. Expected: 1 | False |
Registry-044 | Ensure ‚Turn On Virtualization Based Security‘ is set to ‚Enabled with UEFI lock‘. | Compliant | True |
Registry-045 | Set registry value ‚HVCIMATRequired‘ to 1. | Compliant | True |
Registry-046 | Ensure ‚Turn On Virtualization Based Security‘ is set to ‚Enabled with UEFI lock‘. | Compliant | True |
Registry-047 | Set registry value ‚ConfigureSystemGuardLaunch‘ to 1. | Compliant | True |
Registry-048 | Ensure ‚Do not suggest third-party content in Windows spotlight‘ is set to ‚Enabled‘. | Registry key not found. | False |
Registry-049 | Set registry value ‚NoToastApplicationNotificationOnLockScreen‘ to 1. | Registry key not found. | False |
Registry-050 | Set registry value ‚AutoConnectAllowedOEM‘ to 0. | Compliant | True |
Registry-051 | Ensure ‚Enumerate administrator accounts on elevation‘ is set to ‚Disabled‘. | Compliant | True |
Registry-052 | Ensure ‚Turn off Autoplay‘ is set to ‚All drives‘. | Compliant | True |
Registry-053 | Set registry value ‚NoWebServices‘ to 1. | Compliant | True |
Registry-054 | Ensure ‚Set the default behavior for AutoRun‘ is set to ‚Do not execute any autorun commands‘. | Compliant | True |
Registry-055 | Ensure ‚Allow Microsoft accounts to be optional‘ is set to ‚Enabled‘. | Compliant | True |
Registry-056 | Ensure ‚Sign-in last interactive user automatically after a system-initiated restart‘ is set to ‚Disabled‘. | Compliant | True |
Registry-057 | Set registry value ‚LocalAccountTokenFilterPolicy‘ to 0. | Compliant | True |
Registry-058 | Set registry value ‚AllowEncryptionOracle‘ to 0. | Compliant | True |
Registry-059 | Set registry value ‚EnhancedAntiSpoofing‘ to 1. | Compliant | True |
Registry-060 | Ensure ‚Prevent downloading of enclosures‘ is set to ‚Enabled‘. | Registry key not found. | False |
Registry-061 | Ensure ‚Require a password when a computer wakes (on battery)‘ is set to ‚Enabled‘. | Compliant | True |
Registry-062 | Ensure ‚Require a password when a computer wakes (plugged in)‘ is set to ‚Enabled‘. | Compliant | True |
Registry-063 | Set registry value ‚LetAppsActivateWithVoiceAboveLock‘ to 2. | Compliant | True |
Registry-064 | Ensure ‚Turn off Microsoft consumer experiences‘ is set to ‚Enabled‘. | Compliant | True |
Registry-065 | Set registry value ‚AllowProtectedCreds‘ to 1. | Compliant | True |
Registry-066 | Ensure ‚Specify the maximum log file size (KB)‘ is set to ‚32768‘. | Compliant | True |
Registry-067 | Ensure ‚Specify the maximum log file size (KB)‘ is set to ‚196608‘. | Compliant | True |
Registry-068 | Ensure ‚Specify the maximum log file size (KB)‘ is set to ‚32768‘. | Compliant | True |
Registry-069 | Ensure ‚Disallow Autoplay for non-volume devices‘ is set to ‚Enabled‘. | Compliant | True |
Registry-070 | Set registry value ‚AllowGameDVR‘ to 0. | Compliant | True |
Registry-071 | Ensure ‚Configure registry policy processing‘ is set to ‚0‘. | Compliant | True |
Registry-072 | Ensure ‚Configure registry policy processing‘ is set to ‚0‘. | Compliant | True |
Registry-073 | Set registry value ‚AlwaysInstallElevated‘ to 0. | Compliant | True |
Registry-074 | Ensure ‚Allow user control over installs‘ is set to ‚Disabled‘. | Compliant | True |
Registry-075 | Set registry value ‚DeviceEnumerationPolicy‘ to 0. | Compliant | True |
Registry-076 | Ensure ‚Enable insecure guest logons‘ is set to ‚Disabled‘. | Compliant | True |
Registry-077 | Ensure ‚Prohibit use of Internet Connection Sharing on your DNS domain network‘ is set to ‚Enabled‘. | Compliant | True |
Registry-078 | Set registry value ‚\\*\SYSVOL‘ to RequireMutualAuthentication=1,RequireIntegrity=1. | Registry value is “. Expected: RequireMutualAuthentication=1,RequireIntegrity=1 | False |
Registry-079 | Set registry value ‚\\*\NETLOGON‘ to RequireMutualAuthentication=1,RequireIntegrity=1. | Registry value is ‚RequireMutualAuthentication=1, RequireIntegrity=1‘. Expected: RequireMutualAuthentication=1,RequireIntegrity=1 | False |
Registry-080 | Set registry value ‚NoLockScreenCamera‘ to 1. | Compliant | True |
Registry-081 | Set registry value ‚NoLockScreenSlideshow‘ to 1. | Compliant | True |
Registry-082 | Ensure ‚Turn on PowerShell Script Block Logging‘ is set to ‚Enabled‘. | Registry value is ‚0‘. Expected: 1 | False |
Registry-083 | Ensure ‚Turn on PowerShell Script Block Logging‘ is not set. | Compliant. Registry value not found. | True |
Registry-084 | Ensure ‚Turn on convenience PIN sign-in‘ is set to ‚Disabled‘. | Compliant | True |
Registry-085 | Ensure ‚Enumerate local users on domain-joined computers‘ is set to ‚Disabled‘. | Compliant | True |
Registry-086 | Ensure ‚Configure Windows SmartScreen‘ is set to ‚Enabled‘. | Compliant | True |
Registry-087 | Set registry value ‚ShellSmartScreenLevel‘ to Block. | Registry value not found. | False |
Registry-088 | Ensure ‚Prohibit connection to non-domain networks when connected to domain authenticated network‘ is set to ‚Enabled‘. | Compliant | True |
Registry-089 | Set registry value ‚AllowIndexingEncryptedStoresOrItems‘ to 0. | Compliant | True |
Registry-090 | Ensure ‚Disallow Digest authentication‘ is set to ‚Enabled‘. | Compliant | True |
Registry-091 | Ensure ‚Allow unencrypted traffic‘ is set to ‚Disabled‘. | Compliant | True |
Registry-092 | Ensure ‚Allow Basic authentication‘ is set to ‚Disabled‘. | Compliant | True |
Registry-093 | Ensure ‚Allow unencrypted traffic‘ is set to ‚Disabled‘. | Compliant | True |
Registry-094 | Ensure ‚Disallow WinRM from storing RunAs credentials‘ is set to ‚Enabled‘. | Compliant | True |
Registry-095 | Ensure ‚Allow Basic authentication‘ is set to ‚Disabled‘. | Compliant | True |
Registry-096 | Ensure ‚Turn off multicast name resolution‘ is set to ‚Enabled‘. | Compliant | True |
Registry-097 | Set registry value ‚DisableWebPnPDownload‘ to 1. | Compliant | True |
Registry-098 | Set registry value ‚RestrictDriverInstallationToAdministrators‘ to 1. | Compliant | True |
Registry-099 | Ensure ‚Restrict Unauthenticated RPC clients‘ is set to ‚Authenticated‘. | Compliant | True |
Registry-100 | Set registry value ‚fUseMailto‘ to . | Compliant. Registry value not found. | True |
Registry-101 | Set registry value ‚fAllowToGetHelp‘ to 0. | Compliant | True |
Registry-102 | Set registry value ‚fAllowFullControl‘ to . | Compliant. Registry value not found. | True |
Registry-103 | Set registry value ‚MaxTicketExpiry‘ to . | Compliant. Registry value not found. | True |
Registry-104 | Set registry value ‚MaxTicketExpiryUnits‘ to . | Compliant. Registry value not found. | True |
Registry-105 | Set registry value ‚MinEncryptionLevel‘ to 3. | Compliant | True |
Registry-106 | Set registry value ‚fPromptForPassword‘ to 1. | Compliant | True |
Registry-107 | Set registry value ‚fDisableCdm‘ to 1. | Compliant | True |
Registry-108 | Set registry value ‚DisablePasswordSaving‘ to 1. | Compliant | True |
Registry-109 | Set registry value ‚fEncryptRPCTraffic‘ to 1. | Compliant | True |
Registry-110 | Set registry value ‚PolicyVersion‘ to 538. | Registry value not found. | False |
Registry-111 | Set registry value ‚DefaultOutboundAction‘ to 0. | Compliant | True |
Registry-112 | Set registry value ‚DisableNotifications‘ to 1. | Compliant | True |
Registry-113 | Set registry value ‚EnableFirewall‘ to 1. | Compliant | True |
Registry-114 | Set registry value ‚DefaultInboundAction‘ to 1. | Compliant | True |
Registry-115 | Set registry value ‚LogDroppedPackets‘ to 1. | Compliant | True |
Registry-116 | Set registry value ‚LogFileSize‘ to 16384. | Compliant | True |
Registry-117 | Set registry value ‚LogSuccessfulConnections‘ to 1. | Compliant | True |
Registry-118 | Set registry value ‚EnableFirewall‘ to 1. | Compliant | True |
Registry-119 | Set registry value ‚DisableNotifications‘ to 1. | Compliant | True |
Registry-120 | Set registry value ‚DefaultInboundAction‘ to 1. | Compliant | True |
Registry-121 | Set registry value ‚DefaultOutboundAction‘ to 0. | Compliant | True |
Registry-122 | Set registry value ‚LogSuccessfulConnections‘ to 1. | Compliant | True |
Registry-123 | Set registry value ‚LogDroppedPackets‘ to 1. | Compliant | True |
Registry-124 | Set registry value ‚LogFileSize‘ to 16384. | Compliant | True |
Registry-125 | Set registry value ‚DefaultOutboundAction‘ to 0. | Compliant | True |
Registry-126 | Set registry value ‚EnableFirewall‘ to 1. | Compliant | True |
Registry-127 | Set registry value ‚DisableNotifications‘ to 1. | Compliant | True |
Registry-128 | Set registry value ‚AllowLocalIPsecPolicyMerge‘ to 0. | Compliant | True |
Registry-129 | Set registry value ‚AllowLocalPolicyMerge‘ to 0. | Compliant | True |
Registry-130 | Set registry value ‚DefaultInboundAction‘ to 1. | Compliant | True |
Registry-131 | Set registry value ‚LogFileSize‘ to 16384. | Compliant | True |
Registry-132 | Set registry value ‚LogDroppedPackets‘ to 1. | Compliant | True |
Registry-133 | Set registry value ‚LogSuccessfulConnections‘ to 1. | Compliant | True |
Registry-134 | Ensure ‚Allow Windows Ink Workspace‘ is set to ‚On, but disallow access above lock‘. | Registry value is ‚0‘. Expected: 1 | False |
Registry-135 | Set registry value ‚AdmPwdEnabled‘ to 1. | Registry key not found. | False |
Registry-136 | Ensure ‚WDigest Authentication (disabling may require KB2871997)‘ is set to ‚Disabled‘. | Compliant | True |
Registry-137 | Ensure ‚Enable Structured Exception Handling Overwrite Protection (SEHOP)‘ is set to ‚Enabled‘. | Compliant | True |
Registry-138 | Set registry value ‚DriverLoadPolicy‘ to 3. | Compliant | True |
Registry-139 | Ensure ‚Configure SMB v1 server‘ is set to ‚Disabled‘. | Compliant | True |
Registry-140 | Ensure ‚Configure SMB v1 client driver‘ is set to ‚Disable driver (recommended)‘. | Compliant | True |
Registry-141 | Set registry value ‚NoNameReleaseOnDemand‘ to 1. | Compliant | True |
Registry-142 | Set registry value ‚NodeType‘ to 2. | Compliant | True |
Registry-143 | Set registry value ‚EnableICMPRedirect‘ to 0. | Compliant | True |
Registry-144 | Set registry value ‚DisableIPSourceRouting‘ to 2. | Compliant | True |
Registry-145 | Set registry value ‚DisableIPSourceRouting‘ to 2. | Compliant | True |
Registry-146 | Set registry value ‚ScRemoveOption‘ to 1. | Compliant | True |
Registry-147 | Set registry value ‚InactivityTimeoutSecs‘ to 900. | Compliant | True |
Registry-148 | Set registry value ‚NoLMHash‘ to 1. | Compliant | True |
Registry-149 | Set registry value ‚EnablePlainTextPassword‘ to 0. | Compliant | True |
Registry-150 | Set registry value ‚LimitBlankPasswordUse‘ to 1. | Compliant | True |
Registry-151 | Set registry value ‚RestrictAnonymousSAM‘ to 1. | Compliant | True |
Registry-152 | Set registry value ‚RestrictAnonymous‘ to 1. | Compliant | True |
Registry-153 | Set registry value ‚RestrictNullSessAccess‘ to 1. | Compliant | True |
Registry-154 | Set registry value ‚SCENoApplyLegacyAuditPolicy‘ to 1. | Compliant | True |
Registry-155 | Set registry value ‚NTLMMinClientSec‘ to 537395200. | Compliant | True |
Registry-156 | Set registry value ‚LmCompatibilityLevel‘ to 5. | Compliant | True |
Registry-157 | Set registry value ‚allownullsessionfallback‘ to 0. | Compliant | True |
Registry-158 | Set registry value ‚NTLMMinServerSec‘ to 537395200. | Compliant | True |
Registry-159 | Set registry value ‚requirestrongkey‘ to 1. | Compliant | True |
Registry-160 | Set registry value ‚RequireSecuritySignature‘ to 1. | Registry value is ‚0‘. Expected: 1 | False |
Registry-161 | Set registry value ’sealsecurechannel‘ to 1. | Compliant | True |
Registry-162 | Set registry value ‚requiresignorseal‘ to 1. | Compliant | True |
Registry-163 | Set registry value ’signsecurechannel‘ to 1. | Compliant | True |
Registry-164 | Set registry value ‚requiresecuritysignature‘ to 1. | Registry value is ‚0‘. Expected: 1 | False |
Registry-165 | Set registry value ‚ProtectionMode‘ to 1. | Compliant | True |
Registry-166 | Set registry value ‚ConsentPromptBehaviorAdmin‘ to 2. | Compliant | True |
Registry-167 | Set registry value ‚EnableSecureUIAPaths‘ to 1. | Compliant | True |
Registry-168 | Set registry value ‚EnableLUA‘ to 1. | Compliant | True |
Registry-169 | Set registry value ‚ConsentPromptBehaviorUser‘ to 0. | Registry value is ‚3‘. Expected: 0 | False |
Registry-170 | Set registry value ‚EnableInstallerDetection‘ to 1. | Compliant | True |
Registry-171 | Set registry value ‚FilterAdministratorToken‘ to 1. | Compliant | True |
Registry-172 | Set registry value ‚EnableVirtualization‘ to 1. | Compliant | True |
Registry-173 | Set registry value ‚LDAPClientIntegrity‘ to 1. | Compliant | True |
Registry-174 | Remote calls to the Security Account Manager (SAM) must be restricted to Administrators. | Compliant | True |
Registry-222 | Set registry value ‚FormSuggest Passwords‘ to 1. | Registry key not found. | False |
Registry-223 | Ensure ‚Turn on the auto-complete feature for user names and passwords on forms‘ is set to ’no‘. | Registry key not found. | False |
Registry-224 | Set registry value ‚FormSuggest Passwords‘ to no. | Registry key not found. | False |
Registry-225 | Ensure ‚Remove „Run this time“ button for outdated ActiveX controls in Internet Explorer ‚ is set to ‚Enabled‘. | Registry value not found. | False |
Registry-226 | Ensure ‚Turn off blocking of outdated ActiveX controls for Internet Explorer‘ is set to ‚Disabled‘. | Registry value not found. | False |
Registry-227 | Ensure ‚Allow software to run or install even if the signature is invalid‘ is set to ‚Disabled‘. | Registry key not found. | False |
Registry-228 | Set registry value ‚CheckExeSignatures‘ to yes. | Registry key not found. | False |
Registry-229 | Ensure ‚Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows‘ is set to ‚Enabled‘. | Registry value not found. | False |
Registry-230 | Ensure ‚Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled‘ is set to ‚Enabled‘. | Registry value not found. | False |
Registry-231 | Set registry value ‚Isolation‘ to PMEM. | Registry value not found. | False |
Registry-232 | Set registry value ‚(Reserved)‘ to 1. | Registry key not found. | False |
Registry-234 | Set registry value ‚explorer.exe‘ to 1. | Registry key not found. | False |
Registry-235 | Set registry value ‚explorer.exe‘ to 1. | Registry key not found. | False |
Registry-237 | Set registry value ‚(Reserved)‘ to 1. | Registry key not found. | False |
Registry-238 | Set registry value ‚explorer.exe‘ to 1. | Registry key not found. | False |
Registry-240 | Set registry value ‚(Reserved)‘ to 1. | Registry key not found. | False |
Registry-241 | Set registry value ‚(Reserved)‘ to 1. | Registry key not found. | False |
Registry-242 | Set registry value ‚explorer.exe‘ to 1. | Registry key not found. | False |
Registry-244 | Set registry value ‚(Reserved)‘ to 1. | Registry key not found. | False |
Registry-246 | Set registry value ‚explorer.exe‘ to 1. | Registry key not found. | False |
Registry-247 | Set registry value ‚(Reserved)‘ to 1. | Registry key not found. | False |
Registry-249 | Set registry value ‚explorer.exe‘ to 1. | Registry key not found. | False |
Registry-251 | Set registry value ‚(Reserved)‘ to 1. | Registry key not found. | False |
Registry-252 | Set registry value ‚explorer.exe‘ to 1. | Registry key not found. | False |
Registry-253 | Set registry value ‚(Reserved)‘ to 1. | Registry key not found. | False |
Registry-254 | Set registry value ‚explorer.exe‘ to 1. | Registry key not found. | False |
Registry-255 | Set registry value ‚iexplore.exe‘ to 1. | Registry key not found. | False |
Registry-256 | Set registry value ‚PreventOverrideAppRepUnknown‘ to 1. | Registry key not found. | False |
Registry-257 | Set registry value ‚PreventOverride‘ to 1. | Registry key not found. | False |
Registry-258 | Ensure ‚Prevent managing SmartScreen Filter‘ is set to ‚On‘. | Registry key not found. | False |
Registry-259 | Set registry value ‚NoCrashDetection‘ to 1. | Registry key not found. | False |
Registry-260 | Ensure ‚Turn off the Security Settings Check feature‘ is set to ‚Disabled‘. | Registry key not found. | False |
Registry-261 | Ensure ‚Prevent per-user installation of ActiveX controls‘ is set to ‚Enabled‘. | Registry key not found. | False |
Registry-262 | Ensure ‚Specify use of ActiveX Installer Service for installation of ActiveX controls‘ is set to ‚Enabled‘. | Registry key not found. | False |
Registry-263 | Set registry value ‚Security_zones_map_edit‘ to 1. | Registry value not found. | False |
Registry-264 | Set registry value ‚Security_options_edit‘ to 1. | Registry value not found. | False |
Registry-265 | Set registry value ‚Security_HKLM_only‘ to 1. | Registry value not found. | False |
Registry-266 | Ensure ‚Check for server certificate revocation‘ is set to ‚Enabled‘. | Registry value not found. | False |
Registry-267 | Ensure ‚Prevent ignoring certificate errors‘ is set to ‚Enabled‘. | Registry value not found. | False |
Registry-268 | Set registry value ‚WarnOnBadCertRecving‘ to 1. | Registry value not found. | False |
Registry-269 | Ensure ‚Allow fallback to SSL 3.0 (Internet Explorer)‘ is set to ‚No Sites‘. | Registry value not found. | False |
Registry-270 | Ensure ‚Turn off encryption support‘ is set to ‚Use TLS 1.1 and TLS 1.2‘. | Registry value not found. | False |
Registry-271 | Ensure ‚Java permissions‘ is set to ‚Disable Java‘. | Registry key not found. | False |
Registry-272 | Ensure ‚Java permissions‘ is set to ‚Disable Java‘. | Registry key not found. | False |
Registry-273 | Ensure ‚Java permissions‘ is set to ‚Disable Java‘. | Registry key not found. | False |
Registry-274 | Ensure ‚Turn on SmartScreen Filter scan‘ is set to ‚Enable‘. | Registry key not found. | False |
Registry-275 | Ensure ‚Turn on SmartScreen Filter scan‘ is set to ‚Enable‘. | Registry key not found. | False |
Registry-276 | Ensure ‚Java permissions‘ is set to ‚Disable Java‘. | Registry key not found. | False |
Registry-277 | Ensure ‚Intranet Sites: Include all network paths (UNCs)‘ is set to ‚Disabled‘. | Registry key not found. | False |
Registry-278 | Ensure ‚Java permissions‘ is set to ‚Disable Java‘. | Registry key not found. | False |
Registry-279 | Ensure ‚Don’t run antimalware programs against ActiveX controls‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-280 | Ensure ‚Don’t run antimalware programs against ActiveX controls‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-281 | Ensure ‚Initialize and script ActiveX controls not marked as safe‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-282 | Ensure ‚Java permissions‘ is set to ‚High safety‘. | Registry key not found. | False |
Registry-283 | Ensure ‚Java permissions‘ is set to ‚High safety‘. | Registry key not found. | False |
Registry-284 | Ensure ‚Don’t run antimalware programs against ActiveX controls‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-285 | Ensure ‚Initialize and script ActiveX controls not marked as safe‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-286 | Ensure ‚Run .NET Framework-reliant components signed with Authenticode‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-287 | Ensure ‚Allow script-initiated windows without size or position constraints‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-288 | Ensure ‚Allow drag and drop or copy and paste files‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-289 | Ensure ‚Include local path when user is uploading files to a server‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-290 | Ensure ‚Initialize and script ActiveX controls not marked as safe‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-291 | Ensure ‚Access data sources across domains‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-292 | Ensure ‚Launching applications and files in an IFRAME‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-293 | Ensure ‚Automatic prompting for file downloads‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-294 | Ensure ‚Allow scriptlets‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-295 | Ensure ‚Allow scripting of Internet Explorer WebBrowser controls‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-296 | Ensure ‚Use Pop-up Blocker‘ is set to ‚Enable‘. | Registry key not found. | False |
Registry-297 | Ensure ‚Turn on Protected Mode‘ is set to ‚Enable‘. | Registry key not found. | False |
Registry-298 | Ensure ‚Allow updates to status bar via script‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-299 | Ensure ‚Userdata persistence‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-300 | Ensure ‚Allow loading of XAML files‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-301 | Ensure ‚Run .NET Framework-reliant components not signed with Authenticode‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-302 | Ensure ‚Java permissions‘ is set to ‚Disable Java‘. | Registry key not found. | False |
Registry-303 | Ensure ‚Download signed ActiveX controls‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-304 | Ensure ‚Logon options‘ is set to ‚Prompt for user name and password‘. | Registry key not found. | False |
Registry-305 | Ensure ‚Enable dragging of content from different domains within a window‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-306 | Ensure ‚Download unsigned ActiveX controls‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-307 | Ensure ‚Allow only approved domains to use ActiveX controls without prompt‘ is set to ‚Enable‘. | Registry key not found. | False |
Registry-308 | Ensure ‚Allow cut, copy or paste operations from the clipboard via script‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-309 | Ensure ‚Turn on Cross-Site Scripting Filter‘ is set to ‚Enable‘. | Registry key not found. | False |
Registry-310 | Ensure ‚Don’t run antimalware programs against ActiveX controls‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-311 | Ensure ‚Navigate windows and frames across different domains‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-312 | Ensure ‚Enable dragging of content from different domains across windows‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-313 | Ensure ‚Web sites in less privileged Web content zones can navigate into this zone‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-314 | Ensure ‚Turn on SmartScreen Filter scan‘ is set to ‚Enable‘. | Registry key not found. | False |
Registry-315 | Ensure ‚Show security warning for potentially unsafe files‘ is set to ‚Prompt‘. | Registry key not found. | False |
Registry-316 | Ensure ‚Allow only approved domains to use the TDC ActiveX control‘ is set to ‚Enable‘. | Registry key not found. | False |
Registry-317 | Set registry value ‚140C‘ to 3. | Registry key not found. | False |
Registry-318 | Ensure ‚Allow META REFRESH‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-319 | Ensure ‚Initialize and script ActiveX controls not marked as safe‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-320 | Ensure ‚Download signed ActiveX controls‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-321 | Ensure ‚Navigate windows and frames across different domains‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-322 | Ensure ‚Allow only approved domains to use ActiveX controls without prompt‘ is set to ‚Enable‘. | Registry key not found. | False |
Registry-323 | Ensure ‚Use Pop-up Blocker‘ is set to ‚Enable‘. | Registry key not found. | False |
Registry-324 | Ensure ‚Download unsigned ActiveX controls‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-325 | Ensure ‚Userdata persistence‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-326 | Ensure ‚Allow cut, copy or paste operations from the clipboard via script‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-327 | Ensure ‚Include local path when user is uploading files to a server‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-328 | Ensure ‚Access data sources across domains‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-329 | Ensure ‚Allow script-initiated windows without size or position constraints‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-330 | Ensure ‚Run .NET Framework-reliant components not signed with Authenticode‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-331 | Ensure ‚Automatic prompting for file downloads‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-332 | Ensure ‚Allow binary and script behaviors‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-333 | Ensure ‚Scripting of Java applets‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-334 | Ensure ‚Allow file downloads‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-335 | Ensure ‚Allow loading of XAML files‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-336 | Ensure ‚Allow active scripting‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-337 | Ensure ‚Logon options‘ is set to ‚Anonymous logon‘. | Registry key not found. | False |
Registry-338 | Ensure ‚Run .NET Framework-reliant components signed with Authenticode‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-339 | Ensure ‚Turn on Protected Mode‘ is set to ‚Enable‘. | Registry key not found. | False |
Registry-340 | Ensure ‚Turn on Cross-Site Scripting Filter‘ is set to ‚Enable‘. | Registry key not found. | False |
Registry-341 | Ensure ‚Java permissions‘ is set to ‚Disable Java‘. | Registry key not found. | False |
Registry-342 | Ensure ‚Allow scriptlets‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-343 | Ensure ‚Don’t run antimalware programs against ActiveX controls‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-344 | Ensure ‚Allow scripting of Internet Explorer WebBrowser controls‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-345 | Ensure ‚Enable dragging of content from different domains within a window‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-346 | Ensure ‚Allow drag and drop or copy and paste files‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-347 | Ensure ‚Allow updates to status bar via script‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-348 | Ensure ‚Enable dragging of content from different domains across windows‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-349 | Ensure ‚Script ActiveX controls marked safe for scripting‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-350 | Ensure ‚Web sites in less privileged Web content zones can navigate into this zone‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-351 | Ensure ‚Turn on SmartScreen Filter scan‘ is set to ‚Enable‘. | Registry key not found. | False |
Registry-352 | Ensure ‚Run ActiveX controls and plugins‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-353 | Ensure ‚Launching applications and files in an IFRAME‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-354 | Ensure ‚Show security warning for potentially unsafe files‘ is set to ‚Disable‘. | Registry key not found. | False |
Registry-355 | Ensure ‚Allow only approved domains to use the TDC ActiveX control‘ is set to ‚Enable‘. | Registry key not found. | False |
Registry-356 | Set registry value ‚140C‘ to 3. | Registry key not found. | False |
User Rights Assignment–↑
Id | Task | Message | Status |
---|---|---|---|
UserRight-176 | Ensure ‚SeSecurityPrivilege‘ is set to ‚administrator‘ | Compliant | True |
UserRight-177 | Ensure ‚SeRestorePrivilege‘ is set to ‚administrator‘ | The user right ‚SeRestorePrivilege‘ contains following unexpected users: BUILTIN\Backup Operators | False |
UserRight-178 | Ensure ‚SeTakeOwnershipPrivilege‘ is set to ‚administrator‘ | Compliant | True |
UserRight-179 | Ensure ‚SeBackupPrivilege‘ is set to ‚administrator‘ | The user right ‚SeBackupPrivilege‘ contains following unexpected users: BUILTIN\Backup Operators | False |
UserRight-180 | Ensure ‚SeDenyRemoteInteractiveLogonRight‘ is set to ‚Local account‘ | The user right ‚SeDenyRemoteInteractiveLogonRight‘ contains following unexpected users: BUILTIN\Guests | False |
UserRight-181 | Ensure ‚SeCreatePermanentPrivilege‘ is set to ’none‘ | The user ‚SeCreatePermanentPrivilege‘ setting does not contain the following users: NULL SID | False |
UserRight-182 | Ensure ‚SeManageVolumePrivilege‘ is set to ‚administrator‘ | Compliant | True |
UserRight-183 | Ensure ‚SeLoadDriverPrivilege‘ is set to ‚administrator‘ | Compliant | True |
UserRight-184 | Ensure ‚SeLockMemoryPrivilege‘ is set to ’none‘ | Compliant | True |
UserRight-185 | Ensure ‚SeDenyNetworkLogonRight‘ is set to ‚Local account‘ | The user right ‚SeDenyNetworkLogonRight‘ contains following unexpected users: LOCAL, BUILTIN\Guests The user ‚SeDenyNetworkLogonRight‘ setting does not contain the following users: NT AUTHORITY\Local account |
False |
UserRight-186 | Ensure ‚SeNetworkLogonRight‘ is set to ‚administrator, Remote Desktop Users‘ | The user right ‚SeNetworkLogonRight‘ contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user ‚SeNetworkLogonRight‘ setting does not contain the following users: BUILTIN\Remote Desktop Users |
False |
UserRight-187 | Ensure ‚SeImpersonatePrivilege‘ is set to ‚administrator, Service, Local Service, Network Service‘ | Compliant | True |
UserRight-188 | Ensure ‚SeCreateTokenPrivilege‘ is set to ’none‘ | The user ‚SeCreateTokenPrivilege‘ setting does not contain the following users: NULL SID | False |
UserRight-189 | Ensure ‚SeCreateGlobalPrivilege‘ is set to ‚administrator, Service, Local Service, Network Service‘ | Compliant | True |
UserRight-190 | Ensure ‚SeSystemEnvironmentPrivilege‘ is set to ‚administrator‘ | Compliant | True |
UserRight-191 | Ensure ‚SeCreatePagefilePrivilege‘ is set to ‚administrator‘ | Compliant | True |
UserRight-192 | Ensure ‚SeInteractiveLogonRight‘ is set to ‚administrator, Users‘ | The user right ‚SeInteractiveLogonRight‘ contains following unexpected users: Hostname1\OldGuest, BUILTIN\Backup Operators | False |
UserRight-193 | Ensure ‚SeRemoteShutdownPrivilege‘ is set to ‚administrator‘ | Compliant | True |
UserRight-194 | Ensure ‚SeDebugPrivilege‘ is set to ‚administrator‘ | The user ‚SeDebugPrivilege‘ setting does not contain the following users: BUILTIN\Administrators | False |
UserRight-195 | Ensure ‚SeTrustedCredManAccessPrivilege‘ is set to ’none‘ | The user ‚SeTrustedCredManAccessPrivilege‘ setting does not contain the following users: NULL SID | False |
UserRight-196 | Ensure ‚SeProfileSingleProcessPrivilege‘ is set to ‚administrator‘ | Compliant | True |
UserRight-197 | Ensure ‚SeTcbPrivilege‘ is set to ’none‘ | The user ‚SeTcbPrivilege‘ setting does not contain the following users: NULL SID | False |
UserRight-198 | Ensure ‚SeEnableDelegationPrivilege‘ is set to ’none‘ | The user ‚SeEnableDelegationPrivilege‘ setting does not contain the following users: NULL SID | False |
Account Policies–↑
Id | Task | Message | Status |
---|---|---|---|
AccountPolicy-001 | Ensure ‚MinimumPasswordLength‘ is set to ’14‘. | Compliant | True |
AccountPolicy-002 | Ensure ‚PasswordComplexity‘ is set to ‚1‘. | Compliant | True |
AccountPolicy-003 | Ensure ‚PasswordHistorySize‘ is set to ’24‘. | Compliant | True |
AccountPolicy-004 | Ensure ‚LockoutBadCount‘ is set to ’10‘. | ‚LockoutBadCount‘ currently set to: 7. Expected: 10 | False |
AccountPolicy-005 | Ensure ‚ResetLockoutCount‘ is set to ’15‘. | Compliant | True |
AccountPolicy-006 | Ensure ‚LockoutDuration‘ is set to ’15‘. | Compliant | True |
AccountPolicy-007 | Ensure ‚ClearTextPassword‘ is set to ‚0‘. | Compliant | True |
Advanced Audit Policy Configuration–↑
Id | Task | Message | Status |
---|---|---|---|
AuditPolicy-199 | Ensure ‚Credential Validation‘ is set to ‚Success‘ and is set to ‚Failure‘. | Compliant | True |
AuditPolicy-200 | Ensure ‚Security Group Management‘ is set to ‚Success‘. | Compliant | True |
AuditPolicy-201 | Ensure ‚User Account Management‘ is set to ‚Success‘ and is set to ‚Failure‘. | Compliant | True |
AuditPolicy-202 | Ensure ‚Plug and Play Events‘ is set to ‚Success‘. | Compliant | True |
AuditPolicy-203 | Ensure ‚Process Creation‘ is set to ‚Success‘. | Compliant | True |
AuditPolicy-204 | Ensure ‚Account Lockout‘ is set to ‚Failure‘. | Compliant | True |
AuditPolicy-205 | Ensure ‚Group Membership‘ is set to ‚Success‘. | Compliant | True |
AuditPolicy-206 | Ensure ‚Logon‘ is set to ‚Success‘ and is set to ‚Failure‘. | Compliant | True |
AuditPolicy-207 | Ensure ‚Other Logon/Logoff Events‘ is set to ‚Success‘ and is set to ‚Failure‘. | Compliant | True |
AuditPolicy-208 | Ensure ‚Special Logon‘ is set to ‚Success‘. | Compliant | True |
AuditPolicy-209 | Ensure ‚Detailed File Share‘ is set to ‚Failure‘. | Compliant | True |
AuditPolicy-210 | Ensure ‚File Share‘ is set to ‚Success‘ and is set to ‚Failure‘. | Compliant | True |
AuditPolicy-211 | Ensure ‚Other Object Access Events‘ is set to ‚Success‘ and is set to ‚Failure‘. | Compliant | True |
AuditPolicy-212 | Ensure ‚Removable Storage‘ is set to ‚Success‘ and is set to ‚Failure‘. | Compliant | True |
AuditPolicy-213 | Ensure ‚Audit Policy Change‘ is set to ‚Success‘. | Compliant | True |
AuditPolicy-214 | Ensure ‚Authentication Policy Change‘ is set to ‚Success‘. | Compliant | True |
AuditPolicy-215 | Ensure ‚MPSSVC Rule-Level Policy Change‘ is set to ‚Success‘ and is set to ‚Failure‘. | Compliant | True |
AuditPolicy-216 | Ensure ‚Other Policy Change Events‘ is set to ‚Failure‘. | Compliant | True |
AuditPolicy-217 | Ensure ‚Sensitive Privilege Use‘ is set to ‚Success‘ and is set to ‚Failure‘. | Compliant | True |
AuditPolicy-218 | Ensure ‚Other System Events‘ is set to ‚Success‘ and is set to ‚Failure‘. | Compliant | True |
AuditPolicy-219 | Ensure ‚Security State Change‘ is set to ‚Success‘. | Compliant | True |
AuditPolicy-220 | Ensure ‚Security System Extension‘ is set to ‚Success‘. | Compliant | True |
AuditPolicy-221 | Ensure ‚System Integrity‘ is set to ‚Success‘ and is set to ‚Failure‘. | Compliant | True |
CIS Benchmarks–↑
This section contains all benchmarks from CIS
Registry Settings/Group Policies–↑
Id | Task | Message | Status |
---|---|---|---|
1.1.6 | (L1) Ensure ‚Relax minimum password length limits‘ is set to ‚Enabled‘ | Compliant | True |
18.1.1.1 | (L1) Ensure ‚Prevent enabling lock screen camera‘ is set to ‚Enabled‘ | Compliant | True |
18.1.1.2 | (L1) Ensure ‚Prevent enabling lock screen slide show‘ is set to ‚Enabled‘ | Compliant | True |
18.1.2.2 | (L1) Ensure ‚Allow users to enable online speech recognition services‘ is set to ‚Disabled‘ | Compliant | True |
18.1.3 | (L2) Ensure ‚Allow Online Tips‘ is set to ‚Disabled‘ | Compliant | True |
18.2.2 | (L1) Ensure ‚Do not allow password expiration time longer than required by policy‘ is set to ‚Enabled‘ | Registry key not found. | False |
18.2.3 | (L1) Ensure ‚Enable Local Admin Password Management‘ is set to ‚Enabled‘ | Registry key not found. | False |
18.2.4 | (L1) Ensure ‚Password Settings: Password Complexity‘ is set to ‚Enabled: Large letters + small letters + numbers + special characters‘ | Registry key not found. | False |
18.2.5 | (L1) Ensure ‚Password Settings: Password Length‘ is set to ‚Enabled: 15 or more‘ | Registry key not found. | False |
18.2.6 | (L1) Ensure ‚Password Settings: Password Age (Days)‘ is set to ‚Enabled: 30 or fewer‘ | Registry key not found. | False |
18.3.1 | (L1) Ensure ‚Apply UAC restrictions to local accounts on network logons‘ is set to ‚Enabled‘ | Compliant | True |
18.3.2 | (L1) Ensure ‚Configure SMB v1 client driver‘ is set to ‚Enabled: Disable driver (recommended)‘ | Compliant | True |
18.3.3 | (L1) Ensure ‚Configure SMB v1 server‘ is set to ‚Disabled‘ | Compliant | True |
18.3.4 | (L1) Ensure ‚Enable Structured Exception Handling Overwrite Protection (SEHOP)‘ is set to ‚Enabled‘ | Compliant | True |
18.3.5 | (L1) Set registry value ‚RestrictDriverInstallationToAdministrators‘ to 1. | Compliant | True |
18.3.6 | (L1) Ensure ‚NetBT NodeType configuration‘ is set to ‚Enabled: P-node (recommended)‘ | Compliant | True |
18.3.7 | (L1) Ensure ‚WDigest Authentication‘ is set to ‚Disabled‘ | Compliant | True |
18.4.1 | (L1) Ensure ‚MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)‘ is set to ‚Disabled‘ | Compliant | True |
18.4.10 | (L1) Ensure ‚MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)‘ is set to ‚Enabled: 5 or fewer seconds‘ | Compliant | True |
18.4.11 | (L2) Ensure ‚MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted‘ is set to ‚Enabled: 3‘ | Compliant | True |
18.4.12 | (L2) Ensure ‚MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted‘ is set to ‚Enabled: 3‘ | Compliant | True |
18.4.13 | (L1) Ensure ‚MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning‘ is set to ‚Enabled: 90% or less‘ | Compliant | True |
18.4.2 | (L1) Ensure ‚MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)‘ is set to ‚Enabled: Highest protection, source routing is completely disabled‘ | Compliant | True |
18.4.3 | (L1) Ensure ‚MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)‘ is set to ‚Enabled: Highest protection, source routing is completely disabled‘ | Compliant | True |
18.4.4 | (L2) Ensure ‚MSS: (DisableSavePassword) Prevent the dial-up password from being saved‘ is set to ‚Enabled‘ | Compliant | True |
18.4.5 | (L1) Ensure ‚MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes‘ is set to ‚Disabled‘ | Compliant | True |
18.4.6 | (L2) Ensure ‚MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds‘ is set to ‚Enabled: 300,000 or 5 minutes (recommended)‘ | Compliant | True |
18.4.7 | (L1) Ensure ‚MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers‘ is set to ‚Enabled‘ | Compliant | True |
18.4.8 | (L2) Ensure ‚MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)‘ is set to ‚Disabled‘ | Compliant | True |
18.4.9 | (L1) Ensure ‚MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)‘ is set to ‚Enabled‘ | Compliant | True |
18.5.10.2 | (L2) Ensure ‚Turn off Microsoft Peer-to-Peer Networking Services‘ is set to ‚Enabled‘ | Compliant | True |
18.5.11.2 | (L1) Ensure ‚Prohibit installation and configuration of Network Bridge on your DNS domain network‘ is set to ‚Enabled‘ | Compliant | True |
18.5.11.3 | (L1) Ensure ‚Prohibit use of Internet Connection Sharing on your DNS domain network‘ is set to ‚Enabled‘ | Compliant | True |
18.5.11.4 | (L1) Ensure ‚Require domain users to elevate when setting a network’s location‘ is set to ‚Enabled‘ | Compliant | True |
18.5.14.1 | (L1) Ensure ‚Hardened UNC Paths‘ is set to ‚Enabled, with „Require Mutual Authentication“ and „Require Integrity“ set for all NETLOGON and SYSVOL shares‘ | Compliant | True |
18.5.19.2.1 | (L2) Disable IPv6 (Ensure TCPIP6 Parameter ‚DisabledComponents‘ is set to ‚0xff (255)‘) | Compliant | True |
18.5.20.1 | (L2) Ensure ‚Configuration of wireless settings using Windows Connect Now‘ is set to ‚Disabled‘ | Compliant | True |
18.5.20.2 | (L2) Ensure ‚Prohibit access of the Windows Connect Now wizards‘ is set to ‚Enabled‘ | Compliant | True |
18.5.21.1 | (L1) Ensure ‚Minimize the number of simultaneous connections to the Internet or a Windows Domain‘ is set to ‚Enabled: 3 = Prevent Wi-Fi when on Ethernet‘ | Registry value not found. | False |
18.5.21.2 | (L1) Ensure ‚Prohibit connection to non-domain networks when connected to domain authenticated network‘ is set to ‚Enabled‘ | Compliant | True |
18.5.23.2.1 | (L1) Ensure ‚Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services‘ is set to ‚Disabled‘ | Compliant | True |
18.5.4.1 | (L1) Ensure ‚Configure DNS over HTTPS (DoH) name resolution‘ is set to ‚Enabled: Allow DoH‘ or higher (Automated) | Compliant | True |
18.5.4.2 | (L1) Ensure ‚Turn off multicast name resolution‘ is set to ‚Enabled‘ | Compliant | True |
18.5.5.1 | (L2) Ensure ‚Enable Font Providers‘ is set to ‚Disabled‘ | Compliant | True |
18.5.8.1 | (L1) Ensure ‚Enable insecure guest logons‘ is set to ‚Disabled‘ | Compliant | True |
18.5.9.1.1 | (L2) Ensure ‚Turn on Mapper I/O (LLTDIO) driver‘ is set to ‚Disabled‘ (Domain) | Compliant | True |
18.5.9.1.2 | (L2) Ensure ‚Turn on Mapper I/O (LLTDIO) driver‘ is set to ‚Disabled‘ (Public) | Compliant | True |
18.5.9.1.3 | (L2) Ensure ‚Turn on Mapper I/O (LLTDIO) driver‘ is set to ‚Disabled‘ | Compliant | True |
18.5.9.1.4 | (L2) Ensure ‚Turn on Mapper I/O (LLTDIO) driver‘ is set to ‚Disabled‘ (Private) | Compliant | True |
18.5.9.2.1 | (L2) Ensure ‚Turn on Responder (RSPNDR) driver‘ is set to ‚Disabled‘ (Domain) | Compliant | True |
18.5.9.2.2 | (L2) Ensure ‚Turn on Responder (RSPNDR) driver‘ is set to ‚Disabled‘ (Public) | Compliant | True |
18.5.9.2.3 | (L2) Ensure ‚Turn on Responder (RSPNDR) driver‘ is set to ‚Disabled‘ | Compliant | True |
18.5.9.2.4 | (L2) Ensure ‚Turn on Responder (RSPNDR) driver‘ is set to ‚Disabled‘ (Private) | Compliant | True |
18.6.1 | (L1) Ensure ‚Allow Print Spooler to accept client connections‘ is set to ‚Disabled‘ | Compliant | True |
18.6.2 | (L1) Ensure ‚Point and Print Restrictions: When installing drivers for a new connection‘ is set to ‚Enabled: Show warning and elevation prompt‘ | Compliant | True |
18.6.3 | (L1) Ensure ‚Point and Print Restrictions: When updating drivers for an existing connection‘ is set to ‚Enabled: Show warning and elevation prompt‘ | Compliant | True |
18.7.1.1 | (L2) Ensure ‚Turn off notifications network usage‘ is set to ‚Enabled‘ | Compliant | True |
18.8.14.1 | (L1) Ensure ‚Boot-Start Driver Initialization Policy‘ is set to ‚Enabled: Good, unknown and bad but critical‘ | Compliant | True |
18.8.21.2 | (L1) Ensure ‚Configure registry policy processing: Do not apply during periodic background processing‘ is set to ‚Enabled: FALSE‘ | Compliant | True |
18.8.21.3 | (L1) Ensure ‚Configure registry policy processing: Process even if the Group Policy objects have not changed‘ is set to ‚Enabled: TRUE‘ | Compliant | True |
18.8.21.4 | (L1) Ensure ‚Continue experiences on this device‘ is set to ‚Disabled‘ | Compliant | True |
18.8.21.5 | (L1) Ensure ‚Turn off background refresh of Group Policy‘ is set to ‚Disabled‘ | Compliant | True |
18.8.22.1.1 | (L2) Ensure ‚Turn off access to the Store‘ is set to ‚Enabled‘ | Compliant | True |
18.8.22.1.10 | (L2) Ensure ‚Turn off the „Order Prints“ picture task‘ is set to ‚Enabled‘ | Compliant | True |
18.8.22.1.11 | (L2) Ensure ‚Turn off the „Publish to Web“ task for files and folders‘ is set to ‚Enabled‘ | Compliant | True |
18.8.22.1.12 | (L2) Ensure ‚Turn off the Windows Messenger Customer Experience Improvement Program‘ is set to ‚Enabled‘ | Compliant | True |
18.8.22.1.13 | (L2) Ensure ‚Turn off Windows Customer Experience Improvement Program‘ is set to ‚Enabled‘ | Compliant | True |
18.8.22.1.14 | (L2) Ensure ‚Turn off Windows Error Reporting‘ is set to ‚Enabled‘ | Compliant | True |
18.8.22.1.2 | (L1) Ensure ‚Turn off downloading of print drivers over HTTP‘ is set to ‚Enabled‘ | Compliant | True |
18.8.22.1.3 | (L2) Ensure ‚Turn off handwriting personalization data sharing‘ is set to ‚Enabled‘ | Compliant | True |
18.8.22.1.4 | (L2) Ensure ‚Turn off handwriting recognition error reporting‘ is set to ‚Enabled‘ | Compliant | True |
18.8.22.1.5 | (L2) Ensure ‚Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com‘ is set to ‚Enabled‘ | Compliant | True |
18.8.22.1.6 | (L1) Ensure ‚Turn off Internet download for Web publishing and online ordering wizards‘ is set to ‚Enabled‘ | Compliant | True |
18.8.22.1.7 | (L2) Ensure ‚Turn off printing over HTTP‘ is set to ‚Enabled‘ | Compliant | True |
18.8.22.1.8 | (L2) Ensure ‚Turn off Registration if URL connection is referring to Microsoft.com‘ is set to ‚Enabled‘ | Compliant | True |
18.8.22.1.9 | (L2) Ensure ‚Turn off Search Companion content file updates‘ is set to ‚Enabled‘ | Compliant | True |
18.8.25.1.1 | (L2) Ensure ‚Support device authentication using certificate‘ is set to ‚Enabled: Automatic‘ (DevicePKInitBehavior) | Compliant | True |
18.8.25.1.2 | (L2) Ensure ‚Support device authentication using certificate‘ is set to ‚Enabled: Automatic‘ (DevicePKInitEnabled) | Compliant | True |
18.8.26.1 | (BL) Ensure ‚Enumeration policy for external devices incompatible with Kernel DMA Protection‘ is set to ‚Enabled: Block All‘ | Compliant | True |
18.8.27.1 | (L2) Ensure ‚Disallow copying of user input methods to the system account for sign-in‘ is set to ‚Enabled‘ | Compliant | True |
18.8.28.1 | (L1) Ensure ‚Block user from showing account details on sign-in‘ is set to ‚Enabled‘ | Compliant | True |
18.8.28.2 | (L1) Ensure ‚Do not display network selection UI‘ is set to ‚Enabled‘ | Compliant | True |
18.8.28.3 | (L1) Ensure ‚Do not enumerate connected users on domain-joined computers‘ is set to ‚Enabled‘ | Compliant | True |
18.8.28.4 | (L1) Ensure ‚Enumerate local users on domain-joined computers‘ is set to ‚Disabled‘ | Compliant | True |
18.8.28.5 | (L1) Ensure ‚Turn off app notifications on the lock screen‘ is set to ‚Enabled‘ | Compliant | True |
18.8.28.6 | (L1) Ensure ‚Turn off picture password sign-in‘ is set to ‚Enabled‘ | Compliant | True |
18.8.28.7 | (L1) Ensure ‚Turn on convenience PIN sign-in‘ is set to ‚Disabled‘ | Compliant | True |
18.8.3.1 | (L1) Ensure ‚Include command line in process creation events‘ is set to ‚Disabled‘ | Compliant | True |
18.8.31.1 | (L2) Ensure ‚Allow Clipboard synchronization across devices‘ is set to ‚Disabled‘ | Compliant | True |
18.8.31.2 | (L2) Ensure ‚Allow upload of User Activities‘ is set to ‚Disabled‘ | Compliant | True |
18.8.34.6.1 | (L1) Ensure ‚Allow network connectivity during connected-standby (on battery)‘ is set to ‚Disabled‘ | Compliant | True |
18.8.34.6.2 | (L1) Ensure ‚Allow network connectivity during connected-standby (plugged in)‘ is set to ‚Disabled‘ | Compliant | True |
18.8.34.6.3 | (BL) Ensure ‚Allow standby states (S1-S3) when sleeping (on battery)‘ is set to ‚Disabled‘ | Compliant | True |
18.8.34.6.4 | (BL) Ensure ‚Allow standby states (S1-S3) when sleeping (plugged in)‘ is set to ‚Disabled‘ | Compliant | True |
18.8.34.6.5 | (L1) Ensure ‚Require a password when a computer wakes (on battery)‘ is set to ‚Enabled‘ | Compliant | True |
18.8.34.6.6 | (L1) Ensure ‚Require a password when a computer wakes (plugged in)‘ is set to ‚Enabled‘ | Compliant | True |
18.8.36.1 | (L1) Ensure ‚Configure Offer Remote Assistance‘ is set to ‚Disabled‘ | Compliant | True |
18.8.36.2 | (L1) Ensure ‚Configure Solicited Remote Assistance‘ is set to ‚Disabled‘ | Compliant | True |
18.8.37.1 | (L1) Ensure ‚Enable RPC Endpoint Mapper Client Authentication‘ is set to ‚Enabled‘ | Compliant | True |
18.8.37.2 | (L1) Ensure ‚Restrict Unauthenticated RPC clients‘ is set to ‚Enabled: Authenticated‘ | Compliant | True |
18.8.4.1 | (L1) Ensure ‚Encryption Oracle Remediation‘ is set to ‚Enabled: Force Updated Clients‘ | Compliant | True |
18.8.4.2 | (L1) Ensure ‚Remote host allows delegation of non-exportable credentials‘ is set to ‚Enabled‘ | Compliant | True |
18.8.48.11.1 | (L2) Ensure ‚Enable/Disable PerfTrack‘ is set to ‚Disabled‘ | Compliant | True |
18.8.48.5.1 | (L2) Ensure ‚Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider‘ is set to ‚Disabled‘ | Compliant | True |
18.8.5.1 | (NG) Ensure ‚Turn On Virtualization Based Security‘ is set to ‚Enabled‘ | Compliant | True |
18.8.5.2 | (NG) Ensure ‚Turn On Virtualization Based Security: Select Platform Security Level‘ is set to ‚Secure Boot and DMA Protection‘ | Compliant | True |
18.8.5.3 | (NG) Ensure ‚Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity‘ is set to ‚Enabled with UEFI lock‘ | Compliant | True |
18.8.5.4 | (NG) Ensure ‚Turn On Virtualization Based Security: Require UEFI Memory Attributes Table‘ is set to ‚True (checked)‘ | Compliant | True |
18.8.5.5 | (NG) Ensure ‚Turn On Virtualization Based Security: Credential Guard Configuration‘ is set to ‚Enabled with UEFI lock‘ | Compliant | True |
18.8.5.6 | (NG) Ensure ‚Turn On Virtualization Based Security: Secure Launch Configuration‘ is set to ‚Enabled‘ | Compliant | True |
18.8.50.1 | (L2) Ensure ‚Turn off the advertising ID‘ is set to ‚Enabled‘ | Compliant | True |
18.8.53.1.1 | (L2) Ensure ‚Enable Windows NTP Client‘ is set to ‚Enabled‘ | Compliant | True |
18.8.53.1.2 | (L2) Ensure ‚Enable Windows NTP Server‘ is set to ‚Disabled‘ | Compliant | True |
18.8.7.1.1 | (BL) Ensure ‚Prevent installation of devices that match any of these device IDs‘ is set to ‚Enabled‘ | Registry value not found. | False |
18.8.7.1.2 | (BL) Ensure ‚Prevent installation of devices that match any of these device IDs: Prevent installation of devices that match any of these device IDs‘ is set to ‚PCI\CC_0C0A‘ | Compliant | True |
18.8.7.1.3 | (BL) Ensure ‚Prevent installation of devices that match any of these device IDs: Also apply to matching devices that are already installed.‘ is set to ‚True‘ (checked) | Registry value not found. | False |
18.8.7.1.4 | (BL) Ensure ‚Prevent installation of devices using drivers that match these device setup classes‘ is set to ‚Enabled‘ | Compliant | True |
18.8.7.1.5 | (BL) Ensure ‚Prevent installation of devices using drivers that match these device setup classes: Prevent installation of devices using drivers for these device setup‘ is set to ‚IEEE 1394 device setup classes‘ | Compliant | True |
18.8.7.1.6 | (BL) Ensure ‚Prevent installation of devices using drivers that match these device setup classes: Also apply to matching devices that are already installed.‘ is set to ‚True‘ (checked) | Compliant | True |
18.8.7.2 | (L1) Prevent Windows from retrieving device metadata from the Internet | Compliant | True |
18.9.10.1.1 | (L1) Ensure ‚Configure enhanced anti-spoofing‘ is set to ‚Enabled‘ | Compliant | True |
18.9.100.1 | (L1) Ensure ‚Turn on PowerShell Script Block Logging‘ is set to ‚Disabled‘ | Compliant | True |
18.9.100.2 | (L1) Ensure ‚Turn on PowerShell Transcription‘ is set to ‚Disabled‘ | Compliant | True |
18.9.102.1.1 | (L1) Ensure ‚Allow Basic authentication‘ is set to ‚Disabled‘ | Compliant | True |
18.9.102.1.2 | (L1) Ensure ‚Allow unencrypted traffic‘ is set to ‚Disabled‘ | Compliant | True |
18.9.102.1.3 | (L1) Ensure ‚Disallow Digest authentication‘ is set to ‚Enabled‘ | Compliant | True |
18.9.102.2.1 | (L1) Ensure ‚Allow Basic authentication‘ is set to ‚Disabled‘ | Compliant | True |
18.9.102.2.2 | (L2) Ensure ‚Allow remote server management through WinRM‘ is set to ‚Disabled‘ | Registry value not found. | False |
18.9.102.2.3 | (L1) Ensure ‚Allow unencrypted traffic‘ is set to ‚Disabled‘ | Compliant | True |
18.9.102.2.4 | (L1) Ensure ‚Disallow WinRM from storing RunAs credentials‘ is set to ‚Enabled‘ | Compliant | True |
18.9.103.1 | (L2) Ensure ‚Allow Remote Shell Access‘ is set to ‚Disabled‘ | Registry key not found. | False |
18.9.104.1 | (L1) Ensure ‚Allow clipboard sharing with Windows Sandbox‘ is set to ‚Disabled‘ | Compliant | True |
18.9.104.2 | (L1) Ensure ‚Allow networking in Windows Sandbox‘ is set to ‚Disabled‘ | Compliant | True |
18.9.105.2.1 | (L1) Ensure ‚Prevent users from modifying settings‘ is set to ‚Enabled‘ | Compliant | True |
18.9.108.1.1 | (L1) Ensure ‚No auto-restart with logged on users for scheduled automatic updates installations‘ is set to ‚Disabled‘ | Compliant | True |
18.9.108.2.1 | (L1) Ensure ‚Configure Automatic Updates‘ is set to ‚Enabled‘ | Compliant | True |
18.9.108.2.2 | (L1) Ensure ‚Configure Automatic Updates: Scheduled install day‘ is set to ‚0 – Every day‘ | Compliant | True |
18.9.108.2.3 | (L1) Ensure ‚Remove access to „Pause updates“ feature‘ is set to ‚Enabled‘ | Compliant | True |
18.9.108.4.1 | (L1) Ensure ‚Manage preview builds‘ is set to ‚Enabled: Disable preview builds‘ (ManagePreviewBuildsPolicyValue) | Compliant | True |
18.9.108.4.2.1 | (L1) Ensure ‚Select when Preview Builds and Feature Updates are received‘ is set to ‚Enabled: Semi-Annual Channel, 180 or more days‘ (DeferFeatureUpdates) | Compliant | True |
18.9.108.4.2.2 | (L1) Ensure ‚Select when Preview Builds and Feature Updates are received‘ is set to ‚Enabled: Semi-Annual Channel, 180 or more days‘ (DeferFeatureUpdatesPeriodInDays) | Compliant | True |
18.9.108.4.3.1 | (L1) Ensure ‚Select when Quality Updates are received‘ is set to ‚Enabled: 0 days‘ (DeferQualityUpdates) | Compliant | True |
18.9.108.4.3.2 | (L1) Ensure ‚Select when Quality Updates are received‘ is set to ‚Enabled: 0 days‘ (DeferQualityUpdatesPeriodInDays) | Compliant | True |
18.9.11.1.1 | (BL) Ensure ‚Allow access to BitLocker-protected fixed data drives from earlier versions of Windows‘ is set to ‚Disabled‘ | Compliant | True |
18.9.11.1.10 | (BL) Ensure ‚Configure use of hardware-based encryption for fixed data drives‘ is set to ‚Disabled‘ | Compliant | True |
18.9.11.1.11 | (BL) Ensure ‚Configure use of passwords for fixed data drives‘ is set to ‚Disabled‘ | Compliant | True |
18.9.11.1.12 | (BL) Ensure ‚Configure use of smart cards on fixed data drives‘ is set to ‚Enabled‘ | Compliant | True |
18.9.11.1.13 | (BL) Ensure ‚Configure use of smart cards on fixed data drives: Require use of smart cards on fixed data drives‘ is set to ‚Enabled: True‘ | Compliant | True |
18.9.11.1.2 | (BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered‘ is set to ‚Enabled‘ | Compliant | True |
18.9.11.1.3 | (BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Allow data recovery agent‘ is set to ‚Enabled: True‘ | Compliant | True |
18.9.11.1.4 | (BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Recovery Password‘ is set to ‚Enabled: Allow 48-digit recovery password‘ | Compliant | True |
18.9.11.1.5 | (BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Recovery Key‘ is set to ‚Enabled: Allow 256-bit recovery key‘ | Compliant | True |
18.9.11.1.6 | (BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Omit recovery options from the BitLocker setup wizard‘ is set to ‚Enabled: True‘ | Compliant | True |
18.9.11.1.7 | (BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Save BitLocker recovery information to AD DS for fixed data drives‘ is set to ‚Enabled: False‘ | Compliant | True |
18.9.11.1.8 | (BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Configure storage of BitLocker recovery information to AD DS‘ is set to ‚Enabled: Backup recovery passwords and key packages‘ | Compliant | True |
18.9.11.1.9 | (BL) Ensure ‚Choose how BitLocker-protected fixed drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives‘ is set to ‚Enabled: False‘ | Compliant | True |
18.9.11.2.1 | (BL) Ensure ‚Allow enhanced PINs for startup‘ is set to ‚Enabled‘ | Compliant | True |
18.9.11.2.10 | (BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for operating system drives‘ is set to ‚Enabled: True‘ | Compliant | True |
18.9.11.2.11 | (BL) Ensure ‚Configure use of hardware-based encryption for operating system drives‘ is set to ‚Disabled‘ | Compliant | True |
18.9.11.2.12 | (BL) Ensure ‚Configure use of passwords for operating system drives‘ is set to ‚Disabled‘ | Compliant | True |
18.9.11.2.13 | (BL) Ensure ‚Require additional authentication at startup‘ is set to ‚Enabled‘ | Compliant | True |
18.9.11.2.14 | (BL) Ensure ‚Require additional authentication at startup: Allow BitLocker without a compatible TPM‘ is set to ‚Enabled: False‘ | Registry value is ‚1‘. Expected: 0 | False |
18.9.11.2.2 | (BL) Ensure ‚Allow Secure Boot for integrity validation‘ is set to ‚Enabled‘ | Compliant | True |
18.9.11.2.3 | (BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered‘ is set to ‚Enabled‘ | Compliant | True |
18.9.11.2.4 | (BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Allow data recovery agent‘ is set to ‚Enabled: False‘ | Compliant | True |
18.9.11.2.5 | (BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Recovery Password‘ is set to ‚Enabled: Require 48-digit recovery password‘ | Compliant | True |
18.9.11.2.6 | (BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Recovery Key‘ is set to ‚Enabled: Do not allow 256-bit recovery key‘ | Compliant | True |
18.9.11.2.7 | (BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Omit recovery options from the BitLocker setup wizard‘ is set to ‚Enabled: True‘ | Compliant | True |
18.9.11.2.8 | (BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Save BitLocker recovery information to AD DS for operating system drives‘ is set to ‚Enabled: True‘ | Compliant | True |
18.9.11.2.9 | (BL) Ensure ‚Choose how BitLocker-protected operating system drives can be recovered: Configure storage of BitLocker recovery information to AD DS:‘ is set to ‚Enabled: Store recovery passwords and key packages‘ | Compliant | True |
18.9.11.3.1 | (BL) Ensure ‚Allow access to BitLocker-protected removable data drives from earlier versions of Windows‘ is set to ‚Disabled‘ | Compliant | True |
18.9.11.3.10 | (BL) Ensure ‚Configure use of hardware-based encryption for removable data drives‘ is set to ‚Disabled‘ | Compliant | True |
18.9.11.3.11 | (BL) Ensure ‚Configure use of passwords for removable data drives‘ is set to ‚Disabled‘ | Registry value is ‚1‘. Expected: 0 | False |
18.9.11.3.12 | (BL) Ensure ‚Configure use of smart cards on removable data drives‘ is set to ‚Enabled‘ | Compliant | True |
18.9.11.3.13 | (BL) Ensure ‚Configure use of smart cards on removable data drives: Require use of smart cards on removable data drives‘ is set to ‚Enabled: True‘ | Registry value not found. | False |
18.9.11.3.14 | (BL) Ensure ‚Deny write access to removable drives not protected by BitLocker‘ is set to ‚Enabled‘ | Compliant | True |
18.9.11.3.15 | (BL) Ensure ‚Deny write access to removable drives not protected by BitLocker: Do not allow write access to devices configured in another organization‘ is set to ‚Enabled: False‘ | Compliant | True |
18.9.11.3.2 | (BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered‘ is set to ‚Enabled‘ | Registry value not found. | False |
18.9.11.3.3 | (BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Allow data recovery agent‘ is set to ‚Enabled: True‘ | Compliant | True |
18.9.11.3.4 | (BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Recovery Password‘ is set to ‚Enabled: Do not allow 48-digit recovery password‘ | Registry value not found. | False |
18.9.11.3.5 | (BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Recovery Key‘ is set to ‚Enabled: Do not allow 256-bit recovery key‘ | Compliant | True |
18.9.11.3.6 | (BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Omit recovery options from the BitLocker setup wizard‘ is set to ‚Enabled: True‘ | Compliant | True |
18.9.11.3.7 | (BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Save BitLocker recovery information to AD DS for removable data drives‘ is set to ‚Enabled: False‘ | Compliant | True |
18.9.11.3.8 | (BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Configure storage of BitLocker recovery information to AD DS:‘ is set to ‚Enabled: Backup recovery passwords and key packages‘ | Compliant | True |
18.9.11.3.9 | (BL) Ensure ‚Choose how BitLocker-protected removable drives can be recovered: Do not enable BitLocker until recovery information is stored to AD DS for removable data drives‘ is set to ‚Enabled: False‘ | Compliant | True |
18.9.11.4 | (BL) Ensure ‚Disable new DMA devices when this computer is locked‘ is set to ‚Enabled‘ | Compliant | True |
18.9.12.1 | (L2) Ensure ‚Allow Use of Camera‘ is set to ‚Disabled‘ | Registry key not found. | False |
18.9.14.1 | (L1) Ensure ‚Turn off cloud consumer account state content‘ is set to ‚Enabled‘ | Compliant | True |
18.9.14.2 | (L2) Ensure ‚Turn off cloud optimized content‘ is set to ‚Enabled‘ | Compliant | True |
18.9.14.3 | (L1) Ensure ‚Turn off Microsoft consumer experiences‘ is set to ‚Enabled‘ | Compliant | True |
18.9.15.1 | (L1) Ensure ‚Require pin for pairing‘ is set to ‚Enabled: First Time‘ OR ‚Enabled: Always‘ | Compliant | True |
18.9.16.1 | (L1) Ensure ‚Do not display the password reveal button‘ is set to ‚Enabled‘ | Compliant | True |
18.9.16.2 | (L1) Ensure ‚Enumerate administrator accounts on elevation‘ is set to ‚Disabled‘ | Compliant | True |
18.9.16.3 | (L1) Ensure ‚Prevent the use of security questions for local accounts‘ is set to ‚Enabled‘ | Compliant | True |
18.9.17.1 | (L1) Ensure ‚Allow Telemetry‘ is set to ‚Enabled: 0 – Security [Enterprise Only]‘ or ‚Enabled: 1 – Basic‘ | Compliant | True |
18.9.17.2 | (L2) Ensure ‚Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service‘ is set to ‚Enabled: Disable Authenticated Proxy usage‘ | Compliant | True |
18.9.17.3 | (L1) Ensure ‚Disable OneSettings Downloads‘ is set to ‚Enabled‘ | Compliant | True |
18.9.17.4 | (L1) Ensure ‚Do not show feedback notifications‘ is set to ‚Enabled‘ | Compliant | True |
18.9.17.5 | (L1) Ensure ‚Enable OneSettings Auditing‘ is set to ‚Enabled | Compliant | True |
18.9.17.6 | (L1) Ensure ‚Limit Diagnostic Log Collection‘ is set to ‚Enabled‘ | Compliant | True |
18.9.17.7 | (L1) Ensure ‚Limit Dump Collection‘ is set to ‚Enabled‘ | Compliant | True |
18.9.17.8 | (L1) Ensure ‚Toggle user control over Insider builds‘ is set to ‚Disabled‘ | Compliant | True |
18.9.18.1 | (L1) Ensure ‚Download Mode‘ is NOT set to ‚Enabled: Internet‘ | Compliant | True |
18.9.27.1.1 | (L1) Ensure ‚Application: Control Event Log behavior when the log file reaches its maximum size‘ is set to ‚Disabled‘ | Compliant | True |
18.9.27.1.2 | (L1) Ensure ‚Application: Specify the maximum log file size (KB)‘ is set to ‚Enabled: 32,768 or greater‘ | Compliant | True |
18.9.27.2.1 | (L1) Ensure ‚Security: Control Event Log behavior when the log file reaches its maximum size‘ is set to ‚Disabled‘ | Compliant | True |
18.9.27.2.2 | (L1) Ensure ‚Security: Specify the maximum log file size (KB)‘ is set to ‚Enabled: 196,608 or greater‘ | Compliant | True |
18.9.27.3.1 | (L1) Ensure ‚Setup: Control Event Log behavior when the log file reaches its maximum size‘ is set to ‚Disabled‘ | Compliant | True |
18.9.27.3.2 | (L1) Ensure ‚Setup: Specify the maximum log file size (KB)‘ is set to ‚Enabled: 32,768 or greater‘ | Compliant | True |
18.9.27.4.1 | (L1) Ensure ‚System: Control Event Log behavior when the log file reaches its maximum size‘ is set to ‚Disabled‘ | Compliant | True |
18.9.27.4.2 | (L1) Ensure ‚System: Specify the maximum log file size (KB)‘ is set to ‚Enabled: 32,768 or greater‘ | Compliant | True |
18.9.31.2 | (L1) Ensure ‚Turn off Data Execution Prevention for Explorer‘ is set to ‚Disabled‘ | Compliant | True |
18.9.31.3 | (L1) Ensure ‚Turn off heap termination on corruption‘ is set to ‚Disabled‘ | Compliant | True |
18.9.31.4 | (L1) Ensure ‚Turn off shell protocol protected mode‘ is set to ‚Disabled‘ | Compliant | True |
18.9.36.1 | (L1) Ensure ‚Prevent the computer from joining a homegroup‘ is set to ‚Enabled‘ | Compliant | True |
18.9.4.1 | (L2) Ensure ‚Allow a Windows app to share application data between users‘ is set to ‚Disabled‘ | Compliant | True |
18.9.4.2 | (L1) Ensure ‚Prevent non-admin users from installing packaged Windows apps‘ is set to ‚Enabled‘ | Compliant | True |
18.9.41.1 | (L2) Ensure ‚Turn off location‘ is set to ‚Enabled‘ | Compliant | True |
18.9.45.1 | (L2) Ensure ‚Allow Message Service Cloud Sync‘ is set to ‚Disabled‘ | Compliant | True |
18.9.46.1 | (L1) Ensure ‚Block all consumer Microsoft account user authentication‘ is set to ‚Enabled‘ | Compliant | True |
18.9.47.11.1 | (L2) Ensure ‚Configure Watson events‘ is set to ‚Disabled‘ | Compliant | True |
18.9.47.12.1 | (L1) Ensure ‚Scan removable drives‘ is set to ‚Enabled‘ | Compliant | True |
18.9.47.12.2 | (L1) Ensure ‚Turn on e-mail scanning‘ is set to ‚Enabled‘ | Compliant | True |
18.9.47.15 | (L1) Ensure ‚Configure detection for potentially unwanted applications‘ is set to ‚Enabled: Block‘ | Compliant | True |
18.9.47.16 | (L1) Ensure ‚Turn off Microsoft Defender AntiVirus‘ is set to ‚Disabled‘ | Compliant | True |
18.9.47.4.1 | (L1) Ensure ‚Configure local setting override for reporting to Microsoft MAPS‘ is set to ‚Disabled‘ | Compliant | True |
18.9.47.4.2 | (L2) Ensure ‚Join Microsoft MAPS‘ is set to ‚Disabled‘ | Compliant | True |
18.9.47.5.1.1 | (L1) Ensure ‚Configure Attack Surface Reduction rules‘ is set to ‚Enabled‘ | Compliant | True |
18.9.47.5.1.2.1 | (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block Office communication application from creating child processes). | Compliant | True |
18.9.47.5.1.2.10 | (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block JavaScript or VBScript from launching downloaded executable content). | Compliant | True |
18.9.47.5.1.2.11 | (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block all Office applications from creating child processes). | Compliant | True |
18.9.47.5.1.2.12 | (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block persistence through WMI event subscription). | Compliant | True |
18.9.47.5.1.2.2 | (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block Office applications from creating executable content). | Compliant | True |
18.9.47.5.1.2.3 | (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block execution of potentially obfuscated scripts). | Compliant | True |
18.9.47.5.1.2.4 | (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block Office applications from injecting code into other processes). | Compliant | True |
18.9.47.5.1.2.5 | (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block Adobe Reader from creating child processes). | Compliant | True |
18.9.47.5.1.2.6 | (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block Win32 API calls from Office macros). | Compliant | True |
18.9.47.5.1.2.7 | (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block credential stealing from the Windows local security authority subsystem (lsass.exe)). | Compliant | True |
18.9.47.5.1.2.8 | (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block untrusted and unsigned processes that run from USB). | Compliant | True |
18.9.47.5.1.2.9 | (L1) Set the state for each Attack Surface Reduction (ASR) rule (Block executable content from email client and webmail). | Compliant | True |
18.9.47.5.3.1 | (L1) Ensure ‚Prevent users and apps from accessing dangerous websites‘ is set to ‚Enabled: Block‘ | Compliant | True |
18.9.47.6.1 | (L2) Ensure ‚Enable file hash computation feature‘ is set to ‚Enabled‘ | Compliant | True |
18.9.47.9.1 | (L1) Ensure ‚Scan all downloaded files and attachments‘ is set to ‚Enabled‘ | Compliant | True |
18.9.47.9.2 | (L1) Ensure ‚Turn off real-time protection‘ is set to ‚Disabled‘ | Compliant | True |
18.9.47.9.3 | (L1) Ensure ‚Turn on behavior monitoring‘ is set to ‚Enabled‘ | Compliant | True |
18.9.47.9.4 | (L1) Ensure ‚Turn on script scanning‘ is set to ‚Enabled‘ | Compliant | True |
18.9.48.1 | (NG) Ensure ‚Allow auditing events in Microsoft Defender Application Guard‘ is set to ‚Enabled‘ | Compliant | True |
18.9.48.2 | (NG) Ensure ‚Allow camera and microphone access in Microsoft Defender Application Guard‘ is set to ‚Disabled‘ | Compliant | True |
18.9.48.3 | (NG) Ensure ‚Allow data persistence for Microsoft Defender Application Guard‘ is set to ‚Disabled‘ | Compliant | True |
18.9.48.4 | (NG) Ensure ‚Allow files to download and save to the host operating system from Microsoft Defender Application Guard‘ is set to ‚Disabled‘ | Compliant | True |
18.9.48.5 | (NG) Ensure ‚Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting‘ is set to ‚Enabled: Enable clipboard operation from an isolated session to the host‘ | Compliant | True |
18.9.48.6 | (NG) Ensure ‚Turn on Microsoft Defender Application Guard in Managed Mode‘ is set to ‚Enabled: 1‘ | Compliant | True |
18.9.5.1 | (L1) Ensure ‚Let Windows apps activate with voice while the system is locked‘ is set to ‚Enabled: Force Deny‘ | Compliant | True |
18.9.57.1 | (L2) Ensure ‚Enable news and interests on the taskbar‘ is set to ‚Disabled‘ | Compliant | True |
18.9.58.1 | (L1) Ensure ‚Prevent the usage of OneDrive for file storage‘ is set to ‚Enabled‘ | Registry key not found. | False |
18.9.6.1 | (L1) Ensure ‚Allow Microsoft accounts to be optional‘ is set to ‚Enabled‘ | Compliant | True |
18.9.6.2 | (L2) Ensure ‚Block launching Universal Windows apps with Windows Runtime API access from hosted content.‘ is set to ‚Enabled‘ | Compliant | True |
18.9.64.1 | (L2) Ensure ‚Turn off Push To Install service‘ is set to ‚Enabled‘ | Compliant | True |
18.9.65.2.2 | (L1) Ensure ‚Do not allow passwords to be saved‘ is set to ‚Enabled‘ | Compliant | True |
18.9.65.3.10.1 | (L2) Ensure ‚Set time limit for active but idle Remote Desktop Services sessions‘ is set to ‚Enabled: 15 minutes or less, but not Never (0)‘ | Compliant | True |
18.9.65.3.10.2 | (L2) Ensure ‚Set time limit for disconnected sessions‘ is set to ‚Enabled: 1 minute‘ | Compliant | True |
18.9.65.3.11.1 | (L1) Ensure ‚Do not delete temp folders upon exit‘ is set to ‚Disabled‘ | Compliant | True |
18.9.65.3.2.1 | (L2) Ensure ‚Allow users to connect remotely by using Remote Desktop Services‘ is set to ‚Disabled‘ | Compliant | True |
18.9.65.3.3.1 | (L2) Ensure ‚Allow UI Automation redirection‘ is set to ‚Disabled‘ | Compliant | True |
18.9.65.3.3.2 | (L2) Ensure ‚Do not allow COM port redirection‘ is set to ‚Enabled‘ | Compliant | True |
18.9.65.3.3.3 | (L1) Ensure ‚Do not allow drive redirection‘ is set to ‚Enabled‘ | Compliant | True |
18.9.65.3.3.4 | (L2) Ensure ‚Do not allow location redirection‘ is set to ‚Enabled‘ | Compliant | True |
18.9.65.3.3.5 | (L2) Ensure ‚Do not allow LPT port redirection‘ is set to ‚Enabled‘ | Compliant | True |
18.9.65.3.3.6 | (L2) Ensure ‚Do not allow supported Plug and Play device redirection‘ is set to ‚Enabled‘ | Compliant | True |
18.9.65.3.9.1 | (L1) Ensure ‚Always prompt for password upon connection‘ is set to ‚Enabled‘ | Compliant | True |
18.9.65.3.9.2 | (L1) Ensure ‚Require secure RPC communication‘ is set to ‚Enabled‘ | Compliant | True |
18.9.65.3.9.3 | (L1) Ensure ‚Require use of specific security layer for remote (RDP) connections‘ is set to ‚Enabled: SSL‘ | Compliant | True |
18.9.65.3.9.4 | (L1) Ensure ‚Require user authentication for remote connections by using Network Level Authentication‘ is set to ‚Enabled‘ | Compliant | True |
18.9.65.3.9.5 | (L1) Ensure ‚Set client connection encryption level‘ is set to ‚Enabled: High Level‘ | Compliant | True |
18.9.66.1 | (L1) Ensure ‚Prevent downloading of enclosures‘ is set to ‚Enabled‘ | Registry key not found. | False |
18.9.67.2 | (L2) Ensure ‚Allow Cloud Search‘ is set to ‚Enabled: Disable Cloud Search‘ | Compliant | True |
18.9.67.3 | (L1) Ensure ‚Allow Cortana‘ is set to ‚Disabled‘ | Compliant | True |
18.9.67.4 | (L1) Ensure ‚Allow Cortana above lock screen‘ is set to ‚Disabled‘ | Compliant | True |
18.9.67.5 | (L1) Ensure ‚Allow indexing of encrypted files‘ is set to ‚Disabled‘ | Compliant | True |
18.9.67.6 | (L1) Ensure ‚Allow search and Cortana to use location‘ is set to ‚Disabled‘ | Compliant | True |
18.9.72.1 | (L2) Ensure ‚Turn off KMS Client Online AVS Validation‘ is set to ‚Enabled‘ | Compliant | True |
18.9.75.1 | (L2) Ensure ‚Disable all apps from Microsoft Store‘ is set to ‚Disabled‘ | Compliant | True |
18.9.75.2 | (L1) Ensure ‚Only display the private store within the Microsoft Store‘ is set to ‚Enabled‘ | Compliant | True |
18.9.75.3 | (L1) Ensure ‚Turn off Automatic Download and Install of updates‘ is set to ‚Disabled‘ | Compliant | True |
18.9.75.4 | (L1) Ensure ‚Turn off the offer to update to the latest version of Windows‘ is set to ‚Enabled‘ | Compliant | True |
18.9.75.5 | (L2) Ensure ‚Turn off the Store application‘ is set to ‚Enabled‘ | Compliant | True |
18.9.8.1 | (L1) Ensure ‚Disallow Autoplay for non-volume devices‘ is set to ‚Enabled‘ | Compliant | True |
18.9.8.2 | (L1) Ensure ‚Set the default behavior for AutoRun‘ is set to ‚Enabled: Do not execute any autorun commands‘ | Compliant | True |
18.9.8.3 | (L1) Ensure ‚Turn off Autoplay‘ is set to ‚Enabled: All drives‘ | Compliant | True |
18.9.81.1 | (L1) Ensure ‚Allow widgets‘ is set to ‚Disabled‘ | Compliant | True |
18.9.85.1.1 | (L1) Ensure ‚Configure Windows Defender SmartScreen‘ is set to ‚Enabled: Warn and prevent bypass‘ | Compliant | True |
18.9.85.2.1 | (L1) Ensure ‚Configure Windows Defender SmartScreen‘ is set to ‚Enabled‘ | Compliant | True |
18.9.85.2.2 | (L1) Ensure ‚Prevent bypassing Windows Defender SmartScreen prompts for sites‘ is set to ‚Enabled‘ | Compliant | True |
18.9.87.1 | (L1) Ensure ‚Enables or disables Windows Game Recording and Broadcasting‘ is set to ‚Disabled‘ | Compliant | True |
18.9.89.1 | (L2) Ensure ‚Allow suggested apps in Windows Ink Workspace‘ is set to ‚Disabled‘ | Compliant | True |
18.9.89.2 | (L1) Ensure ‚Allow Windows Ink Workspace‘ is set to ‚Enabled: On, but disallow access above lock‘ OR ‚Disabled‘ but not ‚Enabled: On‘ | Compliant | True |
18.9.90.1 | (L1) Ensure ‚Allow user control over installs‘ is set to ‚Disabled‘ | Compliant | True |
18.9.90.2 | (L1) Ensure ‚Always install with elevated privileges‘ is set to ‚Disabled‘ | Compliant | True |
18.9.90.3 | (L2) Ensure ‚Prevent Internet Explorer security prompt for Windows Installer scripts‘ is set to ‚Disabled‘ | Compliant | True |
18.9.91.1 | (L1) Ensure ‚Sign-in and lock last interactive user automatically after a restart‘ is set to ‚Disabled‘ | Compliant | True |
19.1.3.1 | (L1) Ensure ‚Enable screen saver‘ is set to ‚Enabled‘ | Registry key not found. | False |
19.1.3.2 | (L1) Ensure ‚Password protect the screen saver‘ is set to ‚Enabled‘ | Registry key not found. | False |
19.1.3.3 | (L1) Ensure ‚Screen saver timeout‘ is set to ‚Enabled: 900 seconds or fewer, but not 0‘ | Registry key not found. | False |
19.5.1.1 | (L1) Ensure ‚Turn off toast notifications on the lock screen‘ is set to ‚Enabled‘ | Registry key not found. | False |
19.6.6.1.1 | (L2) Ensure ‚Turn off Help Experience Improvement Program‘ is set to ‚Enabled‘ | Registry key not found. | False |
19.7.28.1 | (L1) Ensure ‚Prevent users from sharing files within their profile.‘ is set to ‚Enabled‘ | Registry key not found. | False |
19.7.4.1 | (L1) Ensure ‚Do not preserve zone information in file attachments‘ is set to ‚Disabled‘ | Registry key not found. | False |
19.7.4.2 | (L1) Ensure ‚Notify antivirus programs when opening attachments‘ is set to ‚Enabled‘ | Registry key not found. | False |
19.7.47.2.1 | (L2) Ensure ‚Prevent Codec Download‘ is set to ‚Enabled‘ | Registry key not found. | False |
19.7.8.1 | (L1) Ensure ‚Configure Windows spotlight on lock screen‘ is set to Disabled‘ | Registry key not found. | False |
19.7.8.2 | (L1) Ensure ‚Do not suggest third-party content in Windows spotlight‘ is set to ‚Enabled‘ | Registry key not found. | False |
19.7.8.3 | (L2) Ensure ‚Do not use diagnostic data for tailored experiences‘ is set to ‚Enabled‘ | Registry key not found. | False |
19.7.8.4 | (L2) Ensure ‚Turn off all Windows spotlight features‘ is set to ‚Enabled‘ | Registry key not found. | False |
19.7.8.5 | (L1) Ensure ‚Turn off Spotlight collection on Desktop‘ is set to ‚Enabled‘ | Registry key not found. | False |
2.3.1.2 | (L1) Ensure ‚Accounts: Block Microsoft accounts‘ is set to ‚Users can’t add or log on with Microsoft accounts‘ | Compliant | True |
2.3.1.4 | (L1) Ensure ‚Accounts: Limit local account use of blank passwords to console logon only‘ is set to ‚Enabled‘ | Compliant | True |
2.3.10.1 | (L1) Ensure ‚Network access: Allow anonymous SID/Name translation‘ is set to ‚Disabled‘ | Registry value not found. | False |
2.3.10.10 | (L1) Ensure ‚Network access: Restrict clients allowed to make remote calls to SAM‘ is set to ‚Administrators: Remote Access: Allow‘ | Compliant | True |
2.3.10.11 | (L1) Ensure ‚Network access: Shares that can be accessed anonymously‘ is set to ‚None‘ | Compliant | True |
2.3.10.12 | (L1) Ensure ‚Network access: Sharing and security model for local accounts‘ is set to ‚Classic – local users authenticate as themselves‘ | Compliant | True |
2.3.10.2 | (L1) Ensure ‚Network access: Do not allow anonymous enumeration of SAM accounts‘ is set to ‚Enabled‘ | Compliant | True |
2.3.10.3 | (L1) Ensure ‚Network access: Do not allow anonymous enumeration of SAM accounts and shares‘ is set to ‚Enabled‘ | Compliant | True |
2.3.10.4 | (L1) Ensure ‚Network access: Do not allow storage of passwords and credentials for network authentication‘ is set to ‚Enabled‘ | Compliant | True |
2.3.10.5 | (L1) Ensure ‚Network access: Let Everyone permissions apply to anonymous users‘ is set to ‚Disabled‘ | Compliant | True |
2.3.10.6 | (L1) Ensure ‚Network access: Named Pipes that can be accessed anonymously‘ is set to ‚None‘ | Compliant | True |
2.3.10.7 | (L1) Ensure ‚Network access: Remotely accessible registry paths‘ is configured | Compliant | True |
2.3.10.8 | (L1) Ensure ‚Network access: Remotely accessible registry paths and sub-paths‘ is configured | Compliant | True |
2.3.10.9 | (L1) Ensure ‚Network access: Restrict anonymous access to Named Pipes and Shares‘ is set to ‚Enabled‘ | Compliant | True |
2.3.11.1 | (L1) Ensure ‚Network security: Allow Local System to use computer identity for NTLM‘ is set to ‚Enabled‘ | Compliant | True |
2.3.11.10 | (L1) Ensure ‚Network security: Minimum session security for NTLM SSP based (including secure RPC) servers‘ is set to ‚Require NTLMv2 session security, Require 128-bit encryption‘ | Compliant | True |
2.3.11.2 | (L1) Ensure ‚Network security: Allow LocalSystem NULL session fallback‘ is set to ‚Disabled‘ | Compliant | True |
2.3.11.3 | (L1) Ensure ‚Network Security: Allow PKU2U authentication requests to this computer to use online identities‘ is set to ‚Disabled‘ | Compliant | True |
2.3.11.4 | (L1) Ensure ‚Network security: Configure encryption types allowed for Kerberos‘ is set to ‚AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types‘ | Compliant | True |
2.3.11.5 | (L1) Ensure ‚Network security: Do not store LAN Manager hash value on next password change‘ is set to ‚Enabled‘ | Compliant | True |
2.3.11.7 | (L1) Ensure ‚Network security: LAN Manager authentication level‘ is set to ‚Send NTLMv2 response only. Refuse LM&NTLM‘ | Compliant | True |
2.3.11.8 | (L1) Ensure ‚Network security: LDAP client signing requirements‘ is set to ‚Negotiate signing‘ or higher | Compliant | True |
2.3.11.9 | (L1) Ensure ‚Network security: Minimum session security for NTLM SSP based (including secure RPC) clients‘ is set to ‚Require NTLMv2 session security, Require 128-bit encryption‘ | Compliant | True |
2.3.14.1 | (L2) Ensure ‚System cryptography: Force strong key protection for user keys stored on the computer‘ is set to ‚User is prompted when the key is first used‘ or higher | Compliant | True |
2.3.15.1 | (L1) Ensure ‚System objects: Require case insensitivity for non-Windows subsystems‘ is set to ‚Enabled‘ | Compliant | True |
2.3.15.2 | (L1) Ensure ‚System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)‘ is set to ‚Enabled‘ | Compliant | True |
2.3.17.1 | (L1) Ensure ‚User Account Control: Admin Approval Mode for the Built-in Administrator account‘ is set to ‚Enabled‘ | Compliant | True |
2.3.17.2 | (L1) Ensure ‚User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode‘ is set to ‚Prompt for consent on the secure desktop‘ | Compliant | True |
2.3.17.3 | (L1) Ensure ‚User Account Control: Behavior of the elevation prompt for standard users‘ is set to ‚Automatically deny elevation requests‘ | Registry value is ‚3‘. Expected: 0 | False |
2.3.17.4 | (L1) Ensure ‚User Account Control: Detect application installations and prompt for elevation‘ is set to ‚Enabled‘ | Compliant | True |
2.3.17.5 | (L1) Ensure ‚User Account Control: Only elevate UIAccess applications that are installed in secure locations‘ is set to ‚Enabled‘ | Compliant | True |
2.3.17.6 | (L1) Ensure ‚User Account Control: Run all administrators in Admin Approval Mode‘ is set to ‚Enabled‘ | Compliant | True |
2.3.17.7 | (L1) Ensure ‚User Account Control: Switch to the secure desktop when prompting for elevation‘ is set to ‚Enabled‘ | Compliant | True |
2.3.17.8 | (L1) Ensure ‚User Account Control: Virtualize file and registry write failures to per-user locations‘ is set to ‚Enabled‘ | Compliant | True |
2.3.2.1 | (L1) Ensure ‚Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings‘ is set to ‚Enabled‘ | Compliant | True |
2.3.2.2 | (L1) Ensure ‚Audit: Shut down system immediately if unable to log security audits‘ is set to ‚Disabled‘ | Compliant | True |
2.3.4.1 | (L1) Ensure ‚Devices: Allowed to format and eject removable media‘ is set to ‚Administrators and Interactive Users‘ | Compliant | True |
2.3.4.2 | (L2) Ensure ‚Devices: Prevent users from installing printer drivers‘ is set to ‚Enabled‘ | Compliant | True |
2.3.6.1 | (L1) Ensure ‚Domain member: Digitally encrypt or sign secure channel data (always)‘ is set to ‚Enabled‘ | Compliant | True |
2.3.6.2 | (L1) Ensure ‚Domain member: Digitally encrypt secure channel data (when possible)‘ is set to ‚Enabled‘ | Compliant | True |
2.3.6.3 | (L1) Ensure ‚Domain member: Digitally sign secure channel data (when possible)‘ is set to ‚Enabled‘ | Compliant | True |
2.3.6.4 | (L1) Ensure ‚Domain member: Disable machine account password changes‘ is set to ‚Disabled‘ | Compliant | True |
2.3.6.5 | (L1) Ensure ‚Domain member: Maximum machine account password age‘ is set to ’30 or fewer days, but not 0′ | Compliant | True |
2.3.6.6 | (L1) Ensure ‚Domain member: Require strong (Windows 2000 or later) session key‘ is set to ‚Enabled‘ | Compliant | True |
2.3.7.1 | (L1) Ensure ‚Interactive logon: Do not require CTRL+ALT+DEL‘ is set to ‚Disabled‘ | Compliant | True |
2.3.7.2 | (L1) Ensure ‚Interactive logon: Don’t display last signed-in‘ is set to ‚Enabled‘ | Compliant | True |
2.3.7.3 | (BL) Ensure ‚Interactive logon: Machine account lockout threshold‘ is set to ’10 or fewer invalid logon attempts, but not 0′ | Compliant | True |
2.3.7.4 | (L1) Ensure ‚Interactive logon: Machine inactivity limit‘ is set to ‚900 or fewer second(s), but not 0‘ | Compliant | True |
2.3.7.5 | (L1) Configure ‚Interactive logon: Message text for users attempting to log on‘ | Compliant | True |
2.3.7.6 | (L1) Configure ‚Interactive logon: Message title for users attempting to log on‘ | Compliant | True |
2.3.7.7 | (L2) Ensure ‚Interactive logon: Number of previous logons to cache (in case domain controller is not available)‘ is set to ‚4 or fewer logon(s)‘ | Compliant | True |
2.3.7.8 | (L1) Ensure ‚Interactive logon: Prompt user to change password before expiration‘ is set to ‚between 5 and 14 days‘ | Compliant | True |
2.3.7.9 | (L1) Ensure ‚Interactive logon: Smart card removal behavior‘ is set to ‚Lock Workstation‘ or higher | Compliant | True |
2.3.8.1 | (L1) Ensure ‚Microsoft network client: Digitally sign communications (always)‘ is set to ‚Enabled‘ | Registry value is ‚0‘. Expected: 1 | False |
2.3.8.2 | (L1) Ensure ‚Microsoft network client: Digitally sign communications (if server agrees)‘ is set to ‚Enabled‘ | Compliant | True |
2.3.8.3 | (L1) Ensure ‚Microsoft network client: Send unencrypted password to third-party SMB servers‘ is set to ‚Disabled‘ | Compliant | True |
2.3.9.1 | (L1) Ensure ‚Microsoft network server: Amount of idle time required before suspending session‘ is set to ’15 or fewer minute(s)‘ | Compliant | True |
2.3.9.2 | (L1) Ensure ‚Microsoft network server: Digitally sign communications (always)‘ is set to ‚Enabled‘ | Registry value is ‚0‘. Expected: 1 | False |
2.3.9.3 | (L1) Ensure ‚Microsoft network server: Digitally sign communications (if client agrees)‘ is set to ‚Enabled‘ | Registry value is ‚0‘. Expected: 1 | False |
2.3.9.4 | (L1) Ensure ‚Microsoft network server: Disconnect clients when logon hours expire‘ is set to ‚Enabled‘ | Compliant | True |
2.3.9.5 | (L1) Ensure ‚Microsoft network server: Server SPN target name validation level‘ is set to ‚Accept if provided by client‘ or higher | Compliant | True |
5.1 | (L2) Ensure ‚Bluetooth Audio Gateway Service (BTAGService)‘ is set to ‚Disabled‘ | Registry value is ‚3‘. Expected: 4 | False |
5.10 | (L1) Ensure ‚LxssManager (LxssManager)‘ is set to ‚Disabled‘ or ‚Not Installed‘ | Compliant | True |
5.11 | (L1) Ensure ‚Microsoft FTP Service (FTPSVC)‘ is set to ‚Disabled‘ or ‚Not Installed‘ | Compliant | True |
5.12 | (L2) Ensure ‚Microsoft iSCSI Initiator Service (MSiSCSI)‘ is set to ‚Disabled‘ | Compliant | True |
5.13 | (L1) Ensure ‚OpenSSH SSH Server (sshd)‘ is set to ‚Disabled‘ or ‚Not Installed‘ | Compliant | True |
5.14 | (L2) Ensure ‚Peer Name Resolution Protocol (PNRPsvc)‘ is set to ‚Disabled‘ | Compliant | True |
5.15 | (L2) Ensure ‚Peer Networking Grouping (p2psvc)‘ is set to ‚Disabled‘ | Compliant | True |
5.16 | (L2) Ensure ‚Peer Networking Identity Manager (p2pimsvc)‘ is set to ‚Disabled‘ | Compliant | True |
5.17 | (L2) Ensure ‚PNRP Machine Name Publication Service (PNRPAutoReg)‘ is set to ‚Disabled‘ | Compliant | True |
5.18 | (L2) Ensure ‚Print Spooler (Spooler)‘ is set to ‚Disabled‘ (MS only) | Registry value is ‚2‘. Expected: 4 | False |
5.19 | (L2) Ensure ‚Problem Reports and Solutions Control Panel Support (wercplsupport)‘ is set to ‚Disabled‘ | Compliant | True |
5.2 | (L2) Ensure ‚Bluetooth Support Service (bthserv)‘ is set to ‚Disabled‘ | Registry value is ‚3‘. Expected: 4 | False |
5.20 | (L2) Ensure ‚Remote Access Auto Connection Manager (RasAuto)‘ is set to ‚Disabled‘ | Compliant | True |
5.21 | (L2) Ensure ‚Remote Desktop Configuration (SessionEnv)‘ is set to ‚Disabled‘ | Compliant | True |
5.22 | (L2) Ensure ‚Remote Desktop Services (TermService)‘ is set to ‚Disabled‘ | Compliant | True |
5.23 | (L2) Ensure ‚Remote Desktop Services UserMode Port Redirector (UmRdpService)‘ is set to ‚Disabled‘ | Compliant | True |
5.24 | (L1) Ensure ‚Remote Procedure Call (RPC) Locator (RpcLocator)‘ is set to ‚Disabled‘ | Compliant | True |
5.25 | (L2) Ensure ‚Remote Registry (RemoteRegistry)‘ is set to ‚Disabled‘ | Compliant | True |
5.26 | (L1) Ensure ‚Routing and Remote Access (RemoteAccess)‘ is set to ‚Disabled‘ | Compliant | True |
5.27 | (L2) Ensure ‚Server (LanmanServer)‘ is set to ‚Disabled‘ | Compliant | True |
5.28 | (L1) Ensure ‚Simple TCP/IP Services (simptcp)‘ is set to ‚Disabled‘ or ‚Not Installed‘ | Compliant | True |
5.29 | (L2) Ensure ‚SNMP Service (SNMP)‘ is set to ‚Disabled‘ or ‚Not Installed‘ | Compliant | True |
5.3 | (L1) Ensure ‚Computer Browser (Browser)‘ is set to ‚Disabled‘ or ‚Not Installed‘ | Compliant | True |
5.30 | (L1) Ensure ‚Special Administration Console Helper (sacsvr)‘ is set to ‚Disabled‘ or ‚Not Installed‘ | Compliant | True |
5.31 | (L1) Ensure ‚SSDP Discovery (SSDPSRV)‘ is set to ‚Disabled‘ | Compliant | True |
5.32 | (L1) Ensure ‚UPnP Device Host (upnphost)‘ is set to ‚Disabled‘ | Compliant | True |
5.33 | (L1) Ensure ‚Web Management Service (WMSvc)‘ is set to ‚Disabled‘ or ‚Not Installed‘ | Compliant | True |
5.34 | (L2) Ensure ‚Windows Error Reporting Service (WerSvc)‘ is set to ‚Disabled‘ | Compliant | True |
5.35 | (L2) Ensure ‚Windows Event Collector (Wecsvc)‘ is set to ‚Disabled‘ | Compliant | True |
5.36 | (L1) Ensure ‚Windows Media Player Network Sharing Service (WMPNetworkSvc)‘ is set to ‚Disabled‘ or ‚Not Installed‘ | Compliant | True |
5.37 | (L1) Ensure ‚Windows Mobile Hotspot Service (icssvc)‘ is set to ‚Disabled‘ | Compliant | True |
5.38 | (L2) Ensure ‚Windows Push Notifications System Service (WpnService)‘ is set to ‚Disabled‘ | Compliant | True |
5.39 | (L2) Ensure ‚Windows PushToInstall Service (PushToInstall)‘ is set to ‚Disabled‘ | Compliant | True |
5.4 | (L2) Ensure ‚Downloaded Maps Manager (MapsBroker)‘ is set to ‚Disabled‘ | Compliant | True |
5.40 | (L2) Ensure ‚Windows Remote Management (WS-Management) (WinRM)‘ is set to ‚Disabled‘ | Registry value is ‚2‘. Expected: 4 | False |
5.41 | (L1) Ensure ‚World Wide Web Publishing Service (W3SVC)‘ is set to ‚Disabled‘ or ‚Not Installed‘ | Compliant | True |
5.42 | (L1) Ensure ‚Xbox Accessory Management Service (XboxGipSvc)‘ is set to ‚Disabled‘ | Compliant | True |
5.43 | (L1) Ensure ‚Xbox Live Auth Manager (XblAuthManager)‘ is set to ‚Disabled‘ | Compliant | True |
5.44 | (L1) Ensure ‚Xbox Live Game Save (XblGameSave)‘ is set to ‚Disabled‘ | Compliant | True |
5.45 | (L1) Ensure ‚Xbox Live Networking Service (XboxNetApiSvc)‘ is set to ‚Disabled‘ | Compliant | True |
5.5 | (L2) Ensure ‚Geolocation Service (lfsvc)‘ is set to ‚Disabled‘ | Compliant | True |
5.6 | (L1) Ensure ‚IIS Admin Service (IISADMIN)‘ is set to ‚Disabled‘ or ‚Not Installed‘ | Compliant | True |
5.7 | (L1) Ensure ‚Infrared monitor service (irmon)‘ is set to ‚Disabled‘ or ‚Not Installed‘ | Compliant | True |
5.8 | (L1) Ensure ‚Internet Connection Sharing (ICS) (SharedAccess)‘ is set to ‚Disabled‘ | Compliant | True |
5.9 | (L2) Ensure ‚Link-Layer Topology Discovery Mapper (lltdsvc)‘ is set to ‚Disabled‘ | Compliant | True |
9.1.1 | (L1) Ensure ‚Windows Firewall: Domain: Firewall state‘ is set to ‚On (recommended)‘ | Compliant | True |
9.1.2 | (L1) Ensure ‚Windows Firewall: Domain: Inbound connections‘ is set to ‚Block (default)‘ | Compliant | True |
9.1.3 | (L1) Ensure ‚Windows Firewall: Domain: Outbound connections‘ is set to ‚Allow (default)‘ | Compliant | True |
9.1.4 | (L1) Ensure ‚Windows Firewall: Domain: Settings: Display a notification‘ is set to ‚No‘ | Compliant | True |
9.1.5 | (L1) Ensure ‚Windows Firewall: Domain: Logging: Name‘ is set to ‚%SystemRoot%\System32\logfiles\firewall\domainfw.log‘ | Compliant | True |
9.1.6 | (L1) Ensure ‚Windows Firewall: Domain: Logging: Size limit (KB)‘ is set to ‚16,384 KB or greater‘ | Compliant | True |
9.1.7 | (L1) Ensure ‚Windows Firewall: Domain: Logging: Log dropped packets‘ is set to ‚Yes‘ | Compliant | True |
9.1.8 | (L1) Ensure ‚Windows Firewall: Domain: Logging: Log successful connections‘ is set to ‚Yes‘ | Compliant | True |
9.2.1 | (L1) Ensure ‚Windows Firewall: Private: Firewall state‘ is set to ‚On (recommended)‘ | Compliant | True |
9.2.2 | (L1) Ensure ‚Windows Firewall: Private: Inbound connections‘ is set to ‚Block (default)‘ | Compliant | True |
9.2.3 | (L1) Ensure ‚Windows Firewall: Private: Outbound connections‘ is set to ‚Allow (default)‘ | Compliant | True |
9.2.4 | (L1) Ensure ‚Windows Firewall: Private: Settings: Display a notification‘ is set to ‚No‘ | Compliant | True |
9.2.5 | (L1) Ensure ‚Windows Firewall: Private: Logging: Name‘ is set to ‚%SystemRoot%\System32\logfiles\firewall\privatefw.log‘ | Compliant | True |
9.2.6 | (L1) Ensure ‚Windows Firewall: Private: Logging: Size limit (KB)‘ is set to ‚16,384 KB or greater‘ | Compliant | True |
9.2.7 | (L1) Ensure ‚Windows Firewall: Private: Logging: Log dropped packets‘ is set to ‚Yes‘ | Compliant | True |
9.2.8 | (L1) Ensure ‚Windows Firewall: Private: Logging: Log successful connections‘ is set to ‚Yes‘ | Compliant | True |
9.3.1 | (L1) Ensure ‚Windows Firewall: Public: Firewall state‘ is set to ‚On (recommended)‘ | Compliant | True |
9.3.10 | (L1) Ensure ‚Windows Firewall: Public: Logging: Log successful connections‘ is set to ‚Yes‘ | Compliant | True |
9.3.2 | (L1) Ensure ‚Windows Firewall: Public: Inbound connections‘ is set to ‚Block (default)‘ | Compliant | True |
9.3.3 | (L1) Ensure ‚Windows Firewall: Public: Outbound connections‘ is set to ‚Allow (default)‘ | Compliant | True |
9.3.4 | (L1) Ensure ‚Windows Firewall: Public: Settings: Display a notification‘ is set to ‚No‘ | Compliant | True |
9.3.5 | (L1) Ensure ‚Windows Firewall: Public: Settings: Apply local firewall rules‘ is set to ‚No‘ | Compliant | True |
9.3.6 | (L1) Ensure ‚Windows Firewall: Public: Settings: Apply local connection security rules‘ is set to ‚No‘ | Compliant | True |
9.3.7 | (L1) Ensure ‚Windows Firewall: Public: Logging: Name‘ is set to ‚%SystemRoot%\System32\logfiles\firewall\publicfw.log‘ | Compliant | True |
9.3.8 | (L1) Ensure ‚Windows Firewall: Public: Logging: Size limit (KB)‘ is set to ‚16,384 KB or greater‘ | Compliant | True |
9.3.9 | (L1) Ensure ‚Windows Firewall: Public: Logging: Log dropped packets‘ is set to ‚Yes‘ | Compliant | True |
User Rights Assignment–↑
Id | Task | Message | Status |
---|---|---|---|
2.2.1 | (L1) Ensure ‚Access Credential Manager as a trusted caller‘ is set to ‚No One‘ | Compliant | True |
2.2.10 | (L1) Ensure ‚Create a pagefile‘ is set to ‚Administrators‘ | Compliant | True |
2.2.11 | (L1) Ensure ‚Create a token object‘ is set to ‚No One‘ | Compliant | True |
2.2.12 | (L1) Ensure ‚Create global objects‘ is set to ‚Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE‘ | Compliant | True |
2.2.13 | (L1) Ensure ‚Create permanent shared objects‘ is set to ‚No One‘ | Compliant | True |
2.2.14.1 | (L1) Configure ‚Create symbolic links‘ | The user ‚SeCreateSymbolicLinkPrivilege‘ setting does not contain the following users: NT VIRTUAL MACHINE\Virtual Machines | False |
2.2.14.2 | (L1) Configure ‚Create symbolic links‘ (Hyper-V feature not installed) | Compliant | True |
2.2.15 | (L1) Ensure ‚Debug programs‘ is set to ‚Administrators‘ | The user ‚SeDebugPrivilege‘ setting does not contain the following users: BUILTIN\Administrators | False |
2.2.16 | (L1) Ensure ‚Deny access to this computer from the network‘ to include ‚Guests, Local account‘ | Compliant | True |
2.2.17 | (L1) Ensure ‚Deny log on as a batch job‘ to include ‚Guests‘ | Compliant | True |
2.2.18 | (L1) Ensure ‚Deny log on as a service‘ to include ‚Guests‘ | Compliant | True |
2.2.19 | (L1) Ensure ‚Deny log on locally‘ to include ‚Guests‘ | Compliant | True |
2.2.2 | (L1) Ensure ‚Access this computer from the network‘ is set to ‚Administrators, Remote Desktop Users‘ | The user right ‚SeNetworkLogonRight‘ contains following unexpected users: Everyone, BUILTIN\Users, BUILTIN\Backup Operators The user ‚SeNetworkLogonRight‘ setting does not contain the following users: BUILTIN\Remote Desktop Users |
False |
2.2.20 | (L1) Ensure ‚Deny log on through Remote Desktop Services‘ to include ‚Guests, Local account‘ | Compliant | True |
2.2.21 | (L1) Ensure ‚Enable computer and user accounts to be trusted for delegation‘ is set to ‚No One‘ | Compliant | True |
2.2.22 | (L1) Ensure ‚Force shutdown from a remote system‘ is set to ‚Administrators‘ | Compliant | True |
2.2.23 | (L1) Ensure ‚Generate security audits‘ is set to ‚LOCAL SERVICE, NETWORK SERVICE‘ | Compliant | True |
2.2.24 | (L1) Ensure ‚Impersonate a client after authentication‘ is set to ‚Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE‘ | Compliant | True |
2.2.25 | (L1) Ensure ‚Increase scheduling priority‘ is set to ‚Administrators, Window Manager\Window Manager Group‘ | Compliant | True |
2.2.26 | (L1) Ensure ‚Load and unload device drivers‘ is set to ‚Administrators‘ | Compliant | True |
2.2.27 | (L1) Ensure ‚Lock pages in memory‘ is set to ‚No One‘ | Compliant | True |
2.2.28 | (L2) Ensure ‚Log on as a batch job‘ is set to ‚Administrators‘ | The user right ‚SeBatchLogonRight‘ contains following unexpected users: BUILTIN\Backup Operators, BUILTIN\Performance Log Users | False |
2.2.29 A | (L2) Configure ‚Log on as a service‘ | The user right ‚SeServiceLogonRight‘ contains following unexpected users: NT SERVICE\ALL SERVICES, NT VIRTUAL MACHINE\Virtual Machines | False |
2.2.29 B | (L2) Configure ‚Log on as a service‘ (when the Hyper-V feature is installed) | The user ‚SeTrustedCredManAccessPrivilege‘ setting does not contain the following users: NT VIRTUAL MACHINE\Virtual Machines | False |
2.2.3 | (L1) Ensure ‚Act as part of the operating system‘ is set to ‚No One‘ | Compliant | True |
2.2.30 | (L1) Ensure ‚Manage auditing and security log‘ is set to ‚Administrators‘ | Compliant | True |
2.2.31 | (L1) Ensure ‚Modify an object label‘ is set to ‚No One‘ | Compliant | True |
2.2.32 | (L1) Ensure ‚Modify firmware environment values‘ is set to ‚Administrators‘ | Compliant | True |
2.2.33 | (L1) Ensure ‚Perform volume maintenance tasks‘ is set to ‚Administrators‘ | Compliant | True |
2.2.34 | (L1) Ensure ‚Profile single process‘ is set to ‚Administrators‘ | Compliant | True |
2.2.35 | (L1) Ensure ‚Profile system performance‘ is set to ‚Administrators, NT SERVICE\WdiServiceHost‘ | Compliant | True |
2.2.36 | (L1) Ensure ‚Replace a process level token‘ is set to ‚LOCAL SERVICE, NETWORK SERVICE‘ | Compliant | True |
2.2.37 | (L1) Ensure ‚Restore files and directories‘ is set to ‚Administrators‘ | The user right ‚SeRestorePrivilege‘ contains following unexpected users: BUILTIN\Backup Operators | False |
2.2.38 | (L1) Ensure ‚Shut down the system‘ is set to ‚Administrators, Users‘ | The user right ‚SeShutdownPrivilege‘ contains following unexpected users: BUILTIN\Backup Operators | False |
2.2.39 | (L1) Ensure ‚Take ownership of files or other objects‘ is set to ‚Administrators‘ | Compliant | True |
2.2.4 | (L1) Ensure ‚Adjust memory quotas for a process‘ is set to ‚Administrators, LOCAL SERVICE, NETWORK SERVICE‘ | Compliant | True |
2.2.5 | (L1) Ensure ‚Allow log on locally‘ is set to ‚Administrators, Users‘ | The user right ‚SeInteractiveLogonRight‘ contains following unexpected users: Hostname1\OldGuest, BUILTIN\Backup Operators | False |
2.2.6 | (L1) Ensure ‚Allow log on through Remote Desktop Services‘ is set to ‚Administrators, Remote Desktop Users‘ | Compliant | True |
2.2.7 | (L1) Ensure ‚Back up files and directories‘ is set to ‚Administrators‘ | The user right ‚SeBackupPrivilege‘ contains following unexpected users: BUILTIN\Backup Operators | False |
2.2.8 | (L1) Ensure ‚Change the system time‘ is set to ‚Administrators, LOCAL SERVICE‘ | Compliant | True |
2.2.9 | (L1) Ensure ‚Change the time zone‘ is set to ‚Administrators, LOCAL SERVICE, Users‘ | Compliant | True |
Account Policies–↑
Id | Task | Message | Status |
---|---|---|---|
1.1.1 | (L1) Ensure ‚Enforce password history‘ is set to ’24 or more password(s)‘ | Compliant | True |
1.1.2 | (L1) Ensure ‚Maximum password age‘ is set to ‚365 or fewer days, but not 0‘ | Compliant | True |
1.1.3 | (L1) Ensure ‚Minimum password age‘ is set to ‚1 or more day(s)‘ | Compliant | True |
1.1.4 | (L1) Ensure ‚Minimum password length‘ is set to ’14 or more character(s)‘ | Compliant | True |
1.1.5 | (L1) Ensure ‚Password must meet complexity requirements‘ is set to ‚Enabled‘ | Compliant | True |
1.1.7 | (L1) Ensure ‚Store passwords using reversible encryption‘ is set to ‚Disabled‘ | Compliant | True |
1.2.1 | (L1) Ensure ‚Account lockout duration‘ is set to ’15 or more minute(s)‘ | Compliant | True |
1.2.2 | (L1) Ensure ‚Account lockout threshold‘ is set to ‚5 or fewer invalid logon attempt(s), but not 0‘ | ‚LockoutBadCount‘ currently set to: 7. Expected: x <= 5 and x > 0 | False |
1.2.3 | (L1) Ensure ‚Reset account lockout counter after‘ is set to ’15 or more minute(s)‘ | Compliant | True |
Advanced Audit Policy Configuration–↑
Id | Task | Message | Status |
---|---|---|---|
17.1.1 | (L1) Ensure ‚Audit Credential Validation‘ is set to ‚Success and Failure‘ | Compliant | True |
17.2.1 | (L1) Ensure ‚Audit Application Group Management‘ is set to ‚Success and Failure‘ | Compliant | True |
17.2.2 | (L1) Ensure ‚Audit Security Group Management‘ is set to include ‚Success‘ | Compliant | True |
17.2.3 | (L1) Ensure ‚Audit User Account Management‘ is set to ‚Success and Failure‘ | Compliant | True |
17.3.1 | (L1) Ensure ‚Audit PNP Activity‘ is set to include ‚Success‘ | Compliant | True |
17.3.2 | (L1) Ensure ‚Audit Process Creation‘ is set to include ‚Success‘ | Compliant | True |
17.5.1 | (L1) Ensure ‚Audit Account Lockout‘ is set to include ‚Failure‘ | Compliant | True |
17.5.2 | (L1) Ensure ‚Audit Group Membership‘ is set to include ‚Success‘ | Compliant | True |
17.5.3 | (L1) Ensure ‚Audit Logoff‘ is set to include ‚Success‘ | Compliant | True |
17.5.4 | (L1) Ensure ‚Audit Logon‘ is set to ‚Success and Failure‘ | Compliant | True |
17.5.5 | (L1) Ensure ‚Audit Other Logon/Logoff Events‘ is set to ‚Success and Failure‘ | Compliant | True |
17.5.6 | (L1) Ensure ‚Audit Special Logon‘ is set to include ‚Success‘ | Compliant | True |
17.6.1 | (L1) Ensure ‚Audit Detailed File Share‘ is set to include ‚Failure‘ | Compliant | True |
17.6.2 | (L1) Ensure ‚Audit File Share‘ is set to ‚Success and Failure‘ | Compliant | True |
17.6.3 | (L1) Ensure ‚Audit Other Object Access Events‘ is set to ‚Success and Failure‘ | Compliant | True |
17.6.4 | (L1) Ensure ‚Audit Removable Storage‘ is set to ‚Success and Failure‘ | Compliant | True |
17.7.1 | (L1) Ensure ‚Audit Audit Policy Change‘ is set to include ‚Success‘ | Compliant | True |
17.7.2 | (L1) Ensure ‚Audit Authentication Policy Change‘ is set to include ‚Success‘ | Compliant | True |
17.7.3 | (L1) Ensure ‚Audit Authorization Policy Change‘ is set to include ‚Success‘ | Compliant | True |
17.7.4 | (L1) Ensure ‚Audit MPSSVC Rule-Level Policy Change‘ is set to ‚Success and Failure‘ | Compliant | True |
17.7.5 | (L1) Ensure ‚Audit Other Policy Change Events‘ is set to include ‚Failure‘ | Compliant | True |
17.8.1 | (L1) Ensure ‚Audit Sensitive Privilege Use‘ is set to ‚Success and Failure‘ | Compliant | True |
17.9.1 | (L1) Ensure ‚Audit IPsec Driver‘ is set to ‚Success and Failure‘ | Compliant | True |
17.9.2 | (L1) Ensure ‚Audit Other System Events‘ is set to ‚Success and Failure‘ | Compliant | True |
17.9.3 | (L1) Ensure ‚Audit Security State Change‘ is set to include ‚Success‘ | Compliant | True |
17.9.4 | (L1) Ensure ‚Audit Security System Extension‘ is set to include ‚Success‘ | Compliant | True |
17.9.5 | (L1) Ensure ‚Audit System Integrity‘ is set to ‚Success and Failure‘ | Compliant | True |
Was uns auszeichnet
Wenn Sie sich für eine Zusammenarbeit mit dem Hamburger IT Service entscheiden, profitieren Sie von:
professioneller IT-Betreuung
guter Erreichbarkeit
schnellen Reaktionszeiten
Planungssicherheit durch Serviceverträge
individuellen Lösungen, die Ihren Arbeitsalltag erleichtern
Gerne überzeugen wir Sie in einem unverbindlichen Beratungsgespräch!