USGCB-Windows-Settings

Document Sample
USGCB-Windows-Settings Powered By Docstoc
USGCB Settings

This spreadsheet captures the USGCB defined configuration settings.

Tab Name                    Tab Description
Revision History            Tab capturing information relating to the revisions of this spreadsheet.
Windows Settings            Tab capturing the USGCB settings for Windows 7, Windows Vista, and Windows XP. These settings are the same for both x86 and x64 architectures.
Internet Explorer Settings  Tab capturing the USGCB settings for Internet Explorer 8 and Internet Explorer 7.
2010.04.23   alpha release
             All Tabs          Initial release of USGCB Content.
2010.05.19   Win7 and Win7 Firewall settings and IE8 Settings tabs, enabled text wrapping, resized columns, resorted by Polic
             Win7 and Win7 Firewall settings, capitalized 's' in 'settings'
             NOTE: 800-53 mappings added to setting tabs, these will be removed once XML versions of mappings are availab
2010.08.27   Beta release
             All Tabs          Corrected minor typographical errors.
             All Tabs          Added a 'Category' column where
                               some settings are specified as being
                               'pending' or 'conditional.' Pending
                               settings are settings that are currently
                               optional but will become mandatory in
                               the future. Conditional settings are
                               settings that are mandatory in most
                               situations, however under specific
                               conditions agencies may adjust those
                               settings. For example, the IPv6
                               transitional technologies are disabled
                               in the USGCB, but agencies that are
                               using IPv6 may enable one or more of
                               these transitional technologies if
                               necessary. The current SCAP 1.0
                               content does not support conditional
                               logic therefor agencies must manually
                               track these as deviations, in the future
                               SCP 1.1 content will support
                               conditional logic.



             All Tabs           Formatted content as a table to
                                facilitate sorting by columns.
             CCE                Path                                   Name
                                Computer Configuration\Windows         Core Networking -
                                Settings\Security Settings\Windows     Dynamic Host
                                Firewall with Advanced                 Configuration
                                Security\Windows Firewall with         Protocol (DHCP-In)
                                Advanced Security\Inbound Rules

                                Computer Configuration\Windows         Core Networking -
                                Settings\Security Settings\Windows     Dynamic Host
                                Firewall with Advanced                 Configuration
                                Security\Windows Firewall with         Protocol (DHCPV6-
                                Advanced Security\Inbound Rules        In)
CCE-8583-7    Computer Configuration\Windows        Interactive Logon:
              Settings\Security Settings\Local      message text for
              Policies\Security Options             users attempting to
                                                    log on




CCE-8583-7    Computer Configuration\Windows        Debug programs
              Settings\Security Settings\Local
              Policies\User Rights Assignment
CCE-10658-3   User Configuration\Administrative     Turn off handwriting
              Templates\System\Internet             personalization data
              Communication Management\Internet     sharing
              Communication Settings

CCE-10645-0   Computer Configuration\Administrative Turn off handwriting
              Templates\System\Internet             personalization data
              Communication Management\Internet sharing
              Communication Settings


CCE-8813-8    Computer Configuration\Windows        User Account
              Settings\Security Settings\Local      Control: Behavior of
              Policies\Security Options             the elevation prompt
                                                    for standard users

CCE-10266-5   Computer Configuration\Administrative 6to4 State
              Templates\Network\TCPIP
              Settings\IPv6 Transition Technologies


CCE-10764-9   Computer Configuration\Administrative IP-HTTPS State
              Templates\Network\TCPIP
              Settings\IPv6 Transition Technologies
CCE-10130-3   Computer Configuration\Administrative ISATAP State
              Templates\Network\TCPIP
              Settings\IPv6 Transition Technologies


CCE-10011-5   Computer Configuration\Administrative Teredo State
              Templates\Network\TCPIP
              Settings\IPv6 Transition Technologies


CCE-10441-4   Computer Configuration\Administrative Turn off Windows
              Templates\System\Internet             Error Reporting
              Communication Management\Internet
              Communication settings


CCE-9960-6    Computer Configuration\Administrative Offer Remote
              Templates\System\Remote               Assistance
              Assistance

CCE-9506-7    Computer Configuration\Administrative Solicited Remote
              Templates\System\Remote               Assistance
              Assistance

CCE-9985-3    Computer Configuration\Administrative   Allow users to
              Templates\Windows                       connect remotely
              Components\Remote Desktop               using Remote
              Services\Remote Desktop Session         Desktop Services
              Host\Connections

CCE-10608-8   Computer Configuration\Administrative   Set time limit for
              Templates\Windows                       active but idle
              Components\Remote Desktop               Remote Desktop
              Services\Remote Desktop Session         Services sessions
              Host\Session Time Limits

CCE-9403-7    Computer Configuration\Administrative Configure Automatic
              Templates\Windows                     Updates
              Components\Windows Update

CCE-9464-9    Computer Configuration\Administrative Do not display
              Templates\Windows                     'Install Updates and
              Components\Windows Update             Shut Down' option in
                                                    Shut Down
                                                    Windows dialog box


CCE-9672-7    Computer Configuration\Administrative No auto-restart with
              Templates\Windows                     logged on users for
              Components\Windows Update             scheduled automatic
                                                    updates installations
CCE-10205-3   Computer Configuration\Administrative Reschedule
              Templates\Windows                     Automatic Updates
              Components\Windows Update             scheduled
                                                    installations



CCE-9301-3    Computer Configuration\Windows          User Account
              Settings\Security Settings\Local        Control: Allow
              Policies\Security Options               UIAccess
                                                      applications to
                                                      prompt for elevation
                                                      without using the
                                                      secure desktop




CCE-9253-6    Computer Configuration\Windows          Access this
              Settings\Security Settings\Local        computer from the
              Policies\User Rights Assignment         network




CCE-10661-7   Computer Configuration\Windows          Bluetooth Support
              Settings\Security Settings\System       Service
              Services
CCE-9419-3    Computer Configuration\Windows          Profile system
              Settings\Security Settings\Local        performance
              Policies\User Rights Assignment
              Computer Configuration\Administrative   Specify the System
              Templates\System\Power                  Hibernate Timeout
              Management\Sleep Settings               (On Battery)




              Computer Configuration\Administrative Specify the System
              Templates\System\Power                Hibernate Timeout
              Management\Sleep Settings             (Plugged In)
              Computer Configuration\Administrative Turn off the Display
              Templates\System\Power                (On Battery)
              Management\Video and Display
              Settings

              Computer Configuration\Administrative Turn off the Display
              Templates\System\Power                (Plugged In)
              Management\Video and Display
              Settings

CCE-10092-5   Computer Configuration\Administrative Require trusted path
              
              Templates\Windows                     for credential entry
              Components\Credential User Interface




CCE-10694-8   Computer Configuration\Administrative Turn off Windows
              Templates\System\Driver Installation Update device driver
                                                    search prompt

CCE-10681-5   Computer Configuration\Administrative Turn off Automatic
              Templates\System\Internet             Root Certificates
              Communication Management\Internet Update
              Communication settings


CCE-10093-3   Computer Configuration\Administrative Turn off Windows
              Templates\System\Internet             Update device driver
              Communication Management\Internet searching
              Communication settings


CCE-9983-8    Computer Configuration\Administrative Do not process the
              Templates\System\Logon                legacy run list


CCE-10540-3   Computer Configuration\Administrative Turn off Managing
              Templates\Windows                     Phishing filter
              Components\Internet Explorer

CCE-9987-9    Computer Configuration\Administrative Disable Automatic
              Templates\Windows                     Install of Internet
              Components\Internet Explorer\         Explorer
                                                    components
CCE-10634-4   Computer Configuration\Administrative Disable Periodic
              Templates\Windows                     Check for Internet
              Components\Internet Explorer\         Explorer software
                                                    updates
CCE-10632-8   Computer Configuration\Administrative Disable showing the
              Templates\Windows                     splash screen
              Components\Internet Explorer\
              Computer Configuration\Administrative Allow status bar
              Templates\Windows                     updates via script
              Components\Internet Explorer\Internet
              Control Panel\Security Page\Locked-
              Down Trusted Sites Zone


CCE-10007-3   Computer Configuration\Administrative Turn on Basic feed
              Templates\Windows                     authentication over
              Components\RSS Feeds                  HTTP

CCE-8868-2    Computer Configuration\Windows          Devices: Allowed to
              Settings\Security Settings\Local        format and eject
              Policies\Security Options               removable media
CCE-8784-1    Computer Configuration\Windows          MSS:
              Settings\Security Settings\Local        (NtfsDisable8dot3N
              Policies\Security Options               ameCreation)
                                                      Enable the
                                                      computer to stop
                                                      generating 8.3 style
                                                      filenames
                                                      (recommended)
CCE-10844-9   Computer Configuration\Windows          WLAN AutoConfig
              Settings\Security Settings\System
              Services
CCE-10207-9   Computer Configuration\Windows          IPv6 Block of
              Settings\Security Settings\Windows      Protocols 41
              Firewall with Advanced
              Security\Windows Firewall with
              Advanced Security\Outbound Rules




CCE-10488-5   Computer Configuration\Windows          IPv6 Block of UDP
              Settings\Security Settings\Windows      3544
              Firewall with Advanced
              Security\Windows Firewall with
              Advanced Security\Outbound Rules




              HKEY_LOCAL_MACHINE\SYSTEM\C             Disable ISATAP,
              urrentControlSet\Services\tcpip6\Para   Teredo, and 6to4
              meters\DisableComponents                tunneling protocols
              User Configuration\Administrative       Configure Outlook
              Templates\Windows                       Express
              Components\Internet Explorer
                                User Configuration\Administrative        Disable the Reset
                                Templates\Windows                        Web Settings
                                Components\Internet Explorer             feature
                                User Configuration\Administrative        Turn on the Internet
                                Templates\Windows                        Connection Wizard
                                Components\Internet Explorer             Auto Detect

                                Computer Configuration\Administrative Prohibit use of
                                Templates\Network\Network             Internet Connection
                                Connections                           Firewall on your
                                                                      DNS domain
                                                                      network

             CCE-9797-2         Computer Configuration\Administrative Prohibit use of
                                Templates\Network\Network             Internet Connection
                                Connections                           Sharing on your
                                                                      DNS domain
                                                                      network

                                User Configuration\Administrative        Prompt for
                                Templates\System\Power                   password on
                                Management                               resume from
                                                                         hibernate / suspend

2010.09.27   1.0 Release
                                Corrected policy path for features that should not be installed, since these are not controlled t
                                                                         Internet Information Services
                                Control Panel\Programs and Features\Turn Windows features on or off
                                                                         Simple TCP Services
                                Control Panel\Programs and Features\Turn Windows features on or off
                                                                         Specify the System Hibernate Timeout (On Battery)
                                Computer Configuration\Administrative Templates\System\Power Management\Sleep Setting
                                                                         Specify the System Hibernate Timeout (Plugged In)
                                Computer Configuration\Administrative Templates\System\Power Management\Sleep Setting
                                                                         Turn off the Display (On Battery)
                                Computer Configuration\Administrative Templates\System\Power Management\Video and Dis
                                                                         Turn off the Display (Plugged In)
                                Computer Configuration\Administrative Templates\System\Power Management\Video and Dis
2010.11.16   1.0 Release
                               Corrected minor
             Win7 and Win7 Firewall settings tab typographical errors.
2011.1.31    1.1 Release
             IE8 settings tab  Corrected minor typographical errors and updated the following CCE IDs.
                                Computer Configuration\Administrative Templates\Windows Components\Internet Explore
                                Computer Configuration\Administrative Templates\Windows Components\Internet Explore
                                Computer Configuration\Administrative Templates\Windows Components\Internet Explore
                                Computer Configuration\Administrative Templates\Windows Components\Internet Explore
                                Computer Configuration\Administrative Templates\Windows Components\Internet Explore
                                Computer Configuration\Administrative Templates\Windows Components\Internet Explore
                                Computer Configuration\Administrative Templates\Windows Components\Internet Explore
                                                                    Make proxy settings per-machine (rather than per-us
                                Computer Configuration\Administrative Templates\Windows Components\Internet Explore
                               Corrected minor
             Win7 and Win7 Firewall settings tab typographical errors and updated the following CCE IDs.
                                                                   Audit File System
                                Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configu
                                                                   Audit Registry
                                Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configu
                                                                   Audit IPsec Main Mode
                                Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configu
             CCE-10658-3                                              Turn off handwriting personalization data sharing
                                Computer Configuration\Administrative Templates\System\Internet Communication Managem
2011.6.21    1.2 Beta Release
             IE settings tab    FDCC settings that have not been carried forward to the USGCB baselines.
                                                                       Configure Outlook Express
                                User Configuration\Administrative Templates\Windows Components\Internet Explorer
                                                                       Disable the Reset Web Settings feature
                                User Configuration\Administrative Templates\Windows Components\Internet Explorer
                                                                        Turn on the Internet Connection Wizard Auto Detect
                                User Configuration\Administrative Templates\Windows Components\Internet Explorer\Interne
                                                                        Disable Automatic Install of Internet Explorer compon
                                Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
                                                                        Disable Periodic Check for Internet Explorer software
                                Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
                                                                        Disable showing the Components\Internet Explorer
                                Computer Configuration\Administrative Templates\Windows splash screen
                                                                        Disable software update shell notifications Explorer
                                Computer Configuration\Administrative Templates\Windows Components\Internet on program
                                Added columns to document the Internet Explorer setting values and CCE-IDs.
                                Added a comment column to provide information about changes made in order to better align
                                F
             Windows settings tab DCC settings that have not been carried forward to the USGCB baselines.
                                                                        Prevent IIS installation
                                Computer Configuration\Administrative Templates\Windows Components\Internet Information
                                                                        Turn off Untrusted Content
                                Computer Configuration\Administrative Templates\Windows Components\Online Assistance
                                                                        Do not allow drive redirection
                                Computer Configuration\Administrative Templates\Windows Components\Terminal Services\
                                                                        Turn off Windows Meeting Space
                                Computer Configuration\Administrative Templates\Windows Components\Windows Meeting S
                                                                        Do not allow Windows Messenger to be run
                                Computer Configuration\Administrative Templates\Windows Components\Windows Messeng
                                                                        Do not automatically start Windows Messenger initiall
                                Computer Configuration\Administrative Templates\Windows Components\Windows Messeng
                                                                        Audit: Shut Settings\Local Policies\Security Options
                                Computer Configuration\Windows Settings\Securitydown system immediately if unable to log
                                                                        Devices: Allowed to format and eject removable medi
                                Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
                                                                        MSS: (NtfsDisable8dot3NameCreation) Enable the co
                                Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
                                                                        Synchronize directory service data
                                Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assig
                                                                        WLAN AutoConfig
                                Computer Configuration\Windows Settings\Security Settings\System Services
                                                                        Turn off Help Experience Improvement Program
                                User Configuration\Administrative Templates\System\Internet Communication Management\I
                                                                        Turn off Help Ratings
                                User Configuration\Administrative Templates\System\Internet Communication Management\I
                                                                        Prompt for password on resume from hibernate / susp
                                User Configuration\Administrative Templates\System\Power Management
                                                                        Turn off Windows
                                Computer Configuration\Administrative Templates\SystemUpdate device driver search promp
                                                                        Display Error Notification
                                Computer Configuration\Administrative Templates\System\Error Reporting
                                                                        Turn off Automatic Root Certificates Update
                                Computer Configuration\Administrative Templates\System\Internet Communication Managem
                                                                        Turn off Windows Movie Maker automatic codec dow
                                Computer Configuration\Administrative Templates\System\Internet Communication Managem
                                                                        Turn off Windows Movie Maker online Web links
                                Computer Configuration\Administrative Templates\System\Internet Communication Managem
                                                                        Turn off Windows Movie Maker saving to online video
                                Computer Configuration\Administrative Templates\System\Internet Communication Managem
                                                                        Turn off Windows Update device driver searching
                                Computer Configuration\Administrative Templates\System\Internet Communication Managem
                                                                        Don't display the Getting
                                Computer Configuration\Administrative Templates\System\LogonStarted welcome screen at lo
                                Added columns to document the Windows XP and Windows Vista setting values and CCE-ID
                                Added a comment column to provide information about changes made in order to better align
2011.8.26    1.2 Beta 2 release
                                A
             Windows settings tab dded CCE IDs for several settings
                                                                        Games
                                Control Panel\Programs and Features\Turn Windows features on or off
                                                                        Internet Information Services
                                Control Panel\Programs and Features\Turn Windows features on or off
                                                                        SimpleTCP Services
                                Control Panel\Programs and Features\Turn Windows features on or off
                                                                        Telnet Client
                                Control Panel\Programs and Features\Turn Windows features on or off
                                                                        Telnet Server
                                Control Panel\Programs and Features\Turn Windows features on or off
                                                                        TFTP Client
                                Control Panel\Programs and Features\Turn Windows features on or off
                                                                        Windows Media Center
                                Control Panel\Programs and Features\Turn Windows features on or off

2011.10.17   1.2 Release
                                A
             Windows settings tab dded details under the comments column about how the conditional logic has been impleme
wrapping, resized columns, resorted by Policy Path column

d once XML versions of mappings are available.




            USGCB Alpha Value         USGCB Beta Value      Comments
                                      Enabled - yes         To allow the client to receive DHCP responses that
                                                            would otherwise be blocked by CCE-9069-6.




                                      Enabled - yes         To allow the client to receive DHCP responses that
                                                            would otherwise be blocked by CCE-9069-6.
This system is for the use    This system is for the use Fix mis-spelling in spreadsheet.
of authorized users only.     of authorized users only.
Individuals using this        Individuals using this      Add language to the spreadsheet to allow flexibility for
computer system without       computer system without settings such as this.
authority or in excess of     authority or in excess of
their authority are subject   their authority are subject
to having all their           to having all their
activities on this system     activities on this system
monitored and recorded        monitored and recorded
by system personnel.          by system personnel.
Anyone using this system      Anyone using this system
expressly consents to         expressly consents to
such monitoring and is        such monitoring and is
advised that if such          advised that if such
monitoring reveals            monitoring reveals
possible evidence of          possible evidence of
criminal activity system      criminal activity system
personal may provide the      personal may provide the
evidence of such              evidence of such
monitoring to law             monitoring to law
enforcement officials.        enforcement officials.


(None) | Administrators | Add 'Administrators' group in order to allow the use of legitimate management tools.
Enabled | Not Configured | Change to the machine setting, CCE-10645-0.
Not Configured | Enabled |
Prompt for credentials | Prompt for credentials on the secure desktop | To reduce the risk of malware tricking an administrator into entering their credentials at a false UAC prompt.
Enabled: Disabled State | Conditional | If they use IPv6 and require this transitional technology.
Enabled: Disabled State | Conditional | If they use IPv6 and require this transitional technology.
Enabled: Disabled State | Conditional | If they use IPv6 and require this transitional technology.
Enabled: Disabled State | Conditional | If they use IPv6 and require this transitional technology.
Enabled | Conditional | Allow for internal error collection. Deny for Microsoft error collection.
Disabled | Conditional | If RDS is used by the help desk, then allow. The end user shouldn't be able to do this.
Disabled | Conditional | If RDS is used by the help desk, then allow. The end user shouldn't be able to do this.
Disabled | Conditional | Applicable to those using RDS.
Enabled: 15 minutes | Conditional | This setting is mandated by SP 800-53 requirements for network timeouts. Agencies should only adjust it on systems that require a longer timeout.
Enabled: 3 - Auto download and notify for install | Conditional | Add language to the spreadsheet to allow flexibility for settings such as this when agencies are using an enterprise solution for patch management.
Disabled | Conditional | Software distribution should be centrally managed; only administrators and enterprise management tools should be able to install updates. However, add language to the spreadsheet to allow flexibility for settings such as this when agencies are using an enterprise solution for patch management.
Disabled | Conditional | Add language to the spreadsheet to allow flexibility for settings such as this when agencies are using an enterprise solution for patch management.
Enabled | Conditional | Software distribution should be centrally managed; only administrators and enterprise management tools should be able to determine when updates are installed. However, add language to the spreadsheet to allow flexibility for settings such as this when agencies are using an enterprise solution for patch management.
Disabled | Conditional | If agencies use Remote Assistance, then they can reconfigure this setting. This setting was added to Windows Vista SP1 specifically to enable Remote Assistance. It allows certain applications stored in secure folders, such as system32, to bypass the secure desktop so that they can function as designed. Enabling this setting will lower security slightly but enable Remote Assistance. For more information see http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx.
Administrators | Conditional | Add information to the settings spreadsheet explaining how IPsec, including many VPN solutions, is impacted, and that agencies can grant this user right to the built-in 'Users' group or implement a more precise solution by creating a group for IPsec and adding the affected accounts to it. DoD: won't change.
Disabled | Conditional | Organizations can enable this service if they want to allow the use of Bluetooth devices.
Administrators, NT SERVICE\WdiServiceHost | Administrators, NT SERVICE\WdiServiceHost | Added a reference to KB article KB974639 to the spreadsheet; this includes a patch for Win7 to address the problem raised by some agencies.
Not specified | Pending, 3600 seconds | In support of administration efforts to reduce the use of electricity by inactive computers. This setting may impact the ability of enterprise management tools to push patches and configuration changes to managed computers; therefore organizations should research the power management features of Windows and the capabilities of their management tools to leverage Wake-on-LAN and other features to remotely administer computers.
Not specified | Pending, 3600 seconds | In support of administration efforts to reduce the use of electricity by inactive computers. This setting may impact the ability of enterprise management tools to push patches and configuration changes to managed computers; therefore organizations should research the power management features of Windows and the capabilities of their management tools to leverage Wake-on-LAN and other features to remotely administer computers.
Not specified | Pending, 1200 seconds | In support of administration efforts to reduce the use of electricity by inactive computers.
Not specified | Pending, 1200 seconds | In support of administration efforts to reduce the use of electricity by inactive computers.
Enabled | Remove | This adds two additional steps for each elevation prompt. The threats related to this setting are mitigated by the value now required for "User Account Control: Behavior of the elevation prompt for standard users": the USGCB will prompt for credentials on the secure desktop for standard users but not for administrators.
Enabled | Remove | Allow organizations to define this policy setting.
Enabled | Remove | Allow organizations to define this policy setting.
Enabled | Remove | Allow organizations to define this policy setting.
Enabled | Remove | This setting will be added in the future; application developers are encouraged to find alternative methods for automatically launching components during the boot and logon processes.
Enabled:Off | Remove | Not applicable to IE8.
Enabled | Remove | Not applicable to IE8.
Enabled | Remove | Not applicable to IE8.
Enabled | Remove | Not applicable to IE8.
Disabled | Remove | Allow organizations to define this policy setting.
Enabled | Remove | Required setting is less secure than the default.
Administrators, Interactive Users | Remove | The current requires the weakest configuration, so there's no reason to include it.
Enabled | Remove | Removed due to application compatibility issues.
Disabled | Remove | Allow organizations to define this policy setting.
General: Enabled and Block the connections; Programs and Services: All programs that meet the specified conditions; Protocols and Ports: Protocols type IPv6; Scope: Any IP addresses; Advanced: All profiles | Remove | Redundant.
General: Enabled and Block the connections; Programs and Services: All programs that meet the specified conditions; Protocols and Ports: Protocols type UDP, Local port 3544, Remote port All Ports; Scope: Any IP addresses; Advanced: All profiles | Remove | Redundant.
Enabled | Remove | Not applicable.
Not defined | Remove | Not applicable to IE8.
Not defined | Remove | Not applicable to IE8.
Disabled | Remove | Not applicable to IE8.
Enabled | Remove | Not applicable.
Enabled | Remove | Not applicable.
Enabled | Remove | Not applicable.
be installed, since these are not controlled through group policy the path now points to the location within Control Panel.
             Not installed              Updated registry info to HKLM\SYSTEM\CurrentControlSet\Services\W3Svc\DisplayName
             Not installed              Updated registry info to HKLM\SYSTEM\CurrentControlSet\Services\SimpTCP\DisplayName
             Enabled:3600               Removed pending category
             Enabled:3600               Removed pending category
             Enabled:1200               Removed pending category
             Enabled:1200               Removed pending category



d the following CCE IDs.
            CCE-10138-6
            CCE-10635-1
            CCE-10265-7
            CCE-10574-2
            CCE-10405-9
            CCE-10578-3
            CCE-10604-7
            CCE-9870-7
d the following CCE IDs.
            CCE-9811-1_CCE-9217-1.
            CCE-10078-4_CCE-9737-8.
            CCE-9715-4_CCE-8956-5
            Enabled                   Added this setting that was mistakenly deleted during the Beta review period

d to the USGCB baselines.
            CCE-3275-5                CCE-3275-5                Not applicable to IE7 or later.
            CCE-4226-7                CCE-4226-7                Not applicable to IE7 or later.
              CCE-4036-0               CCE-4036-0                  Not applicable to IE, nor Windows Vista or later.
              CCE-3518-8               CCE-3518-8                  Not applicable to IE7 or later.
              CCE-3576-6               CCE-3576-6                  Not applicable to IE7 or later.
              CCE-3706-9               CCE-3706-9                  Not applicable to IE7 or later.
              CCE-4118-6               CCE-4118-6                  Not applicable to IE7 or later.
r setting values and CCE-IDs.
 about changes made in order to better align the settings across each version of Internet Explorer.
d to the USGCB baselines.
CCE-3288-8 | CCE-4262-2 | Only applicable to Windows Server 2003.
CCE-3046-0 | (Not Applicable) | It's not present in the Windows 7 baseline and it is not applicable to XP.
CCE-2874-6 | (Not Applicable) | It's not present in the Windows 7 baseline.
CCE-2557-7 | (Not Applicable) | It's not present in the Windows 7 baseline.
(Not Applicable) | CCE-2684-9 | It's not present in the Windows 7 baseline.
CCE-4797-7 | CCE-2455-4 | It's not present in the Windows 7 baseline.
CCE-3001-5 | CCE-2851-4 | It's not present in the Windows 7 baseline.
CCE-3225-0 | CCE-3111-2 | It's not present in the Windows 7 baseline.
CCE-3244-1 | CCE-2683-1 | It's not present in the Windows 7 baseline.
CCE-4970-0 | CCE-2810-0 | It's not applicable to any of the client operating systems, only domain controllers. It's not present in the Windows 7 baseline.
CCE-5239-9 | (Not Applicable) | It's not present in the Windows 7 baseline.
CCE-4851-2 | (Not Applicable) | It's not present in the Windows 7 baseline.
CCE-3169-0 | CCE-4390-1 | Only applicable to Windows XP.
CCE-3278-9 | CCE-5014-6 | It's not present in the Win7 baseline or the Microsoft baselines for either Win7 or Vista.
(Not Applicable) | CCE-5136-7 | It was removed from Windows in Vista. Also, the USGCB settings were changed to allow agencies to use Error Reporting internally.
CCE-3454-6 | CCE-5054-2 | Previously removed from the USGCB.
CCE-3403-3 | CCE-4242-4 | This was never included in the USGCB, and it appears that it was removed from Windows 7.
CCE-3297-9 | CCE-4732-4 | This was never included in the USGCB, and it appears that it was removed from Windows 7.
CCE-3385-2 | CCE-4997-3 | This was never included in the USGCB, and it appears that it was removed from Windows 7.
CCE-3278-9 | CCE-5014-6 | Previously removed from the USGCB.
CCE-2781-3 | CCE-5160-7 | This only applied to Windows 2000.
d Windows Vista setting values and CCE-IDs.
about changes made in order to better align the settings across each version of Windows.

Vista CCE ID | XP CCE ID
CCE-18891-2 | CCE-18796-3
CCE-18279-0 | CCE-18870-6
CCE-18624-7 | CCE-18307-9
CCE-18129-7 | (Not Applicable)
CCE-18284-0 | (Not Applicable)
CCE-18700-5 | (Not Applicable)
CCE-18689-0 | (Not Applicable)

how the conditional logic has been implemented in the SCAP 1.2 content
CCE ID v5 Win7 | CCE ID v5 Win Vista | CCE ID v5 Win XP | CCE ID v4 | Policy Path
CCE-9783-2 | CCE-4992-4 | (Not Applicable) | CCE-947 | Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery
CCE-10059-4 | CCE-4077-4 | (Not Applicable) | CCE-1134 | Computer Configuration\Administrative Templates\Network\Link-Layer Topology Discovery
CCE-10438-0 | CCE-3270-6 | CCE-5194-6 | CCE-86 | Computer Configuration\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services
CCE-9953-1 | CCE-4152-5 | CCE-2173-3 | CCE-896 | Computer Configuration\Administrative Templates\Network\Network Connections
(Not Applicable) | CCE-5020-3 | CCE-5022-9 | CCE-241 | Computer Configuration\Administrative Templates\Network\Network Connections
(Not Applicable) | CCE-4078-2 | CCE-3026-2 | CCE-672 | Computer Configuration\Administrative Templates\Network\Network Connections
CCE-10359-8 | (Not Applicable) | (Not Applicable) | (Not Applicable) | Computer Configuration\Administrative Templates\Network\Network Connections
CCE-10509-8 | (Not Applicable) | (Not Applicable) | (Not Applicable) | Computer Configuration\Administrative Templates\Network\Network Connections
(Not Applicable) | CCE-3431-4 | CCE-3247-4 | CCE-555 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
(Not Applicable) | (Not Applicable) | CCE-3141-9 | CCE-277 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
(Not Applicable) | CCE-3180-7 | CCE-3258-1 | CCE-370 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
(Not Applicable) | CCE-3405-8 | CCE-2828-2 | CCE-502 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
(Not Applicable) | (Not Applicable) | CCE-2965-2, CCE-3090-8, CCE-2923-1, CCE-2958-7 | CCE-251, CCE-617, CCE-793, CCE-57 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
(Not Applicable) | CCE-3158-3 | CCE-2476-0 | CCE-771 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
(Not Applicable) | CCE-3458-7 | CCE-3304-3 | CCE-832 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
(Not Applicable) | CCE-2964-5 | CCE-3176-5 | CCE-590 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
(Not Applicable) | CCE-3365-4 | CCE-3198-9 | CCE-762 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
(Not Applicable) | CCE-3436-3 | CCE-2972-8 | CCE-696 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
(Not Applicable) | CCE-3054-4 | CCE-3154-2 | CCE-806 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
(Not Applicable) | CCE-3369-6 | CCE-3262-3 | CCE-626 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
(Not Applicable) | (Not Applicable) | CCE-3081-7 | CCE-797 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
(Not Applicable) | CCE-3356-3 | CCE-2989-2 | CCE-77 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
(Not Applicable) | CCE-3334-0 | CCE-3183-1 | CCE-352 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
(Not Applicable) | CCE-3352-2 | CCE-2954-6 | CCE-467 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
(Not Applicable) | CCE-3387-8 | CCE-3213-6 | CCE-354 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
(Not Applicable) | CCE-3268-0 | CCE-3235-9 | CCE-266 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
(Not Applicable) | CCE-3347-2 | CCE-3179-9 | CCE-440 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
(Not Applicable) | CCE-3409-0 | CCE-3134-4 | CCE-901 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
(Not Applicable) | CCE-3440-5 | CCE-3103-9 | CCE-632 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
(Not Applicable) | CCE-3329-0 | CCE-3284-7 | CCE-273 | Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
CCE-10266-5 | (Not Applicable) | (Not Applicable) | (Not Applicable) | Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies
CCE-10764-9 | (Not Applicable) | (Not Applicable) | (Not Applicable) | Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies
CCE-10130-3 | (Not Applicable) | (Not Applicable) | (Not Applicable) | Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies
CCE-10011-5 | (Not Applicable) | (Not Applicable) | (Not Applicable) | Computer Configuration\Administrative Templates\Network\TCPIP Settings\IPv6 Transition Technologies
CCE-9879-8 | CCE-5061-7 | (Not Applicable) | CCE-734 | Computer Configuration\Administrative Templates\Network\Windows Connect Now
CCE-10778-9 | CCE-3045-2 | (Not Applicable) | CCE-629 | Computer Configuration\Administrative Templates\Network\Windows Connect Now
CCE-10782-1 | CCE-18881-3 | (Not Applicable) | (Not Applicable) | Computer Configuration\Administrative Templates\Printers
CCE-10769-8 | CCE-3331-6 | (Not Applicable) | CCE-593 | Computer Configuration\Administrative Templates\System\Device Installation
CCE-9901-0 | CCE-3468-6 | (Not Applicable) | CCE-571 | Computer Configuration\Administrative Templates\System\Device Installation
CCE-10553-6 | CCE-3464-5 | (Not Applicable) | CCE-849 | Computer Configuration\Administrative Templates\System\Device Installation
CCE-10165-9 | (Not Applicable) | (Not Applicable) | (Not Applicable) | Computer Configuration\Administrative Templates\System\Device Installation
CCE-9919-2 | (Not Applicable) | (Not Applicable) | (Not Applicable) | Computer Configuration\Administrative Templates\System\Device Installation
CCE-9361-7 | CCE-3452-0 | CCE-5053-4 | CCE-584 | Computer Configuration\Administrative Templates\System\Group Policy
CCE-9195-9 | CCE-2754-0 | CCE-5200-1 | CCE-887 | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-9819-4 | CCE-3348-0 | CCE-4953-6 | CCE-263 | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-10658-3 | (Not Applicable) | (Not Applicable) | (Not Applicable) | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-10645-0 | CCE-2868-8 | (Not Applicable) | CCE-430 | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-10649-2 | CCE-3432-2 | CCE-4707-6 | CCE-1055 | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-9674-3 | CCE-3364-7 | CCE-5099-7 | CCE-691 | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-10795-3 | CCE-2697-1 | CCE-5121-9 | CCE-1064 | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-10061-0 | CCE-3421-5 | CCE-4513-8 | CCE-852 | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-10160-0 | CCE-3093-2 | CCE-4641-7 | CCE-88 | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-10140-2 | CCE-2778-9 | CCE-5055-9 | CCE-818 | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-9823-6 | CCE-3115-3 | CCE-5072-4 | CCE-375 | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-9643-8 | CCE-2477-8 | CCE-4887-6 | CCE-1009 | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-9559-6 | CCE-3259-9 | CCE-4224-2 | CCE-722 | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-10441-4 | CCE-4694-6 | CCE-3038-7 | CCE-592 | Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings
CCE-10591-6 | CCE-4813-2 | CCE-3100-5 | CCE-231 | Computer Configuration\Administrative Templates\System\Logon
CCE-10154-3 | CCE-3086-6 | CCE-5032-8 | CCE-583 | Computer Configuration\Administrative Templates\System\Logon
CCE-9829-3 | CCE-2821-7 | (Not Applicable) | CCE-346 | Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings
CCE-9670-1 | CCE-3469-4 | (Not Applicable) | CCE-1011 | Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings
CCE-13091-4 | CCE-18938-1 | (Not Applicable) | (Not Applicable) | Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings
CCE-13668-9 | CCE-18358-2 | (Not Applicable) | (Not Applicable) | Computer Configuration\Administrative Templates\System\Power Management\Sleep Settings
CCE-12924-7 | CCE-18686-6 | (Not Applicable) | (Not Applicable) | Computer Configuration\Administrative Templates\System\Power Management\Video and Display Settings
CCE-12393-5 | CCE-18303-8 | (Not Applicable) | (Not Applicable) | Computer Configuration\Administrative Templates\System\Power Management\Video and Display Settings
CCE-9960-6 | CCE-3217-7 | CCE-3012-2 | CCE-434 | Computer Configuration\Administrative Templates\System\Remote Assistance
CCE-9506-7 | CCE-3323-3 | CCE-3007-2 | CCE-859 | Computer Configuration\Administrative Templates\System\Remote Assistance
CCE-10344-0 | CCE-3271-4 | (Not Applicable) | CCE-835 | Computer Configuration\Administrative Templates\System\Remote Assistance
CCE-9396-3 | CCE-3160-9 | CCE-3273-0 | CCE-423 | Computer Configuration\Administrative Templates\System\Remote Procedure Call
CCE-10181-6 | CCE-3394-4 | CCE-2956-1 | CCE-145 | Computer Configuration\Administrative Templates\System\Remote Procedure Call
CCE-9842-6 | (Not Applicable) | (Not Applicable) | (Not Applicable) | Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool
CCE-10606-2 | (Not Applicable) | (Not Applicable) | (Not Applicable) | Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Scripted Diagnostics
CCE-10219-4 | CCE-18388-9 | (Not Applicable) | (Not Applicable) | Computer Configuration\Administrative Templates\System\Troubleshooting and Diagnostics\Windows Performance PerfTrack
Multiple CCE IDs, 7 in total, see subsequent rows | CCE-18220-4 | CCE-18099-2 | (Not Applicable) | Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers
CCE-9892-1 | CCE-18356-6 | CCE-18173-5 | (Not Applicable) | Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers
CCE-10408-3 | CCE-18589-2 | CCE-18559-5 | (Not Applicable) | Computer Configuration\Administrative Templates\System\Windows Time Service\Time Providers
CCE-10500-7 CCE-18626-2 CCE-18149-5 (Not              Computer Configuration\Administrative
                                    Applicable)       Templates\System\Windows Time
                                                      Service\Time Providers
CCE-10531-2 CCE-18386-3 CCE-18962-1 (Not              Computer Configuration\Administrative
                                    Applicable)       Templates\System\Windows Time
                                                      Service\Time Providers

CCE-10756-5 CCE-18324-4 CCE-18306-1 (Not              Computer Configuration\Administrative
                                    Applicable)       Templates\System\Windows Time
                                                      Service\Time Providers

CCE-10774-8 CCE-18594-2 CCE-18692-4 (Not              Computer Configuration\Administrative
                                    Applicable)       Templates\System\Windows Time
                                                      Service\Time Providers

CCE-10368-9 CCE-18115-6 CCE-18634-6 (Not              Computer Configuration\Administrative
                                    Applicable)       Templates\System\Windows Time
                                                      Service\Time Providers
CCE-10787-0 (Not          (Not          (Not          Computer Configuration\Administrative
            Applicable)   Applicable)   Applicable)   Templates\Windows Components\Application
                                                      Compatibility

CCE-10527-0 CCE-8404-6    (Not          (Not          Computer Configuration\Administrative
                          Applicable)   Applicable)   Templates\Windows Components\AutoPlay
                                                      Policies




CCE-9528-1   CCE-2719-3   CCE-2710-2    CCE-44        Computer Configuration\Administrative
                                                      Templates\Windows Components\AutoPlay
                                                      Policies



CCE-10655-9 (Not          (Not          (Not          Computer Configuration\Administrative
            Applicable)   Applicable)   Applicable)   Templates\Windows Components\AutoPlay
                                                      Policies


CCE-9938-2   CCE-2471-1   (Not          CCE-935       Computer Configuration\Administrative
                          Applicable)                 Templates\Windows Components\Credential
                                                      User Interface
CCE-9857-4   CCE-3214-4   (Not          CCE-702       Computer Configuration\Administrative
                          Applicable)                 Templates\Windows Components\Desktop
                                                      Gadgets

CCE-10811-8 CCE-3456-1    (Not          CCE-297       Computer Configuration\Administrative
                          Applicable)                 Templates\Windows Components\Desktop
                                                      Gadgets

CCE-10586-6 CCE-3500-6    (Not          CCE-644       Computer Configuration\Administrative
                          Applicable)                 Templates\Windows Components\Desktop
                                                      Gadgets



CCE-10759-9 CCE-2471-1    (Not          CCE-935       Computer Configuration\Administrative
                          Applicable)                 Templates\Windows Components\Digital
                                                      Locker

CCE-9603-2   CCE-3015-5   CCE-2904-1    CCE-185       Computer Configuration\Administrative
                                                      Templates\Windows Components\Event Log
                                                      Service\Application


CCE-9967-1   CCE-3302-7   CCE-2693-0    CCE-757       Computer Configuration\Administrative
                                                      Templates\Windows Components\Event Log
                                                      Service\Security


CCE-10714-4 CCE-4086-5    (Not          CCE-262       Computer Configuration\Administrative
                          Applicable)                 Templates\Windows Components\Event Log
                                                      Service\Setup


CCE-10156-8 CCE-3165-8    CCE-3006-4    CCE-735       Computer Configuration\Administrative
                                                      Templates\Windows Components\Event Log
                                                      Service\System


CCE-10828-2 CCE-2471-1    (Not          CCE-935       Computer Configuration\Administrative
                          Applicable)                 Templates\Windows Components\Game
                                                      Explorer

CCE-10850-6 CCE-18987-8 (Not            (Not          Computer Configuration\Administrative
                        Applicable)     Applicable)   Templates\Windows Components\Game
                                                      Explorer
CCE-10183-2 (Not           (Not          (Not          Computer Configuration\Administrative
            Applicable)    Applicable)   Applicable)   Templates\Windows
                                                       Components\HomeGroup




(Not          CCE-4036-0   CCE-4036-0    CCE-258       User Configuration\Administrative
Applicable)                                            Templates\Windows Components\Internet
                                                       Explorer\Internet Settings\Advanced
                                                       Settings\Internet Connection Wizard Settings




CCE-10763-1 CCE-3082-5     CCE-2896-9    CCE-232       Computer Configuration\Administrative
                                                       Templates\Windows Components\NetMeeting


CCE-10090-9 CCE-2975-1     CCE-4849-6    CCE-976       Computer Configuration\Administrative
                                                       Templates\Windows Components\Remote
                                                       Desktop Services\Remote Desktop
                                                       Connection Client
CCE-9985-3   CCE-18715-3 CCE-18782-3 (Not          Computer Configuration\Administrative
                                     Applicable)   Templates\Windows Components\Remote
                                                   Desktop Services\Remote Desktop Session
                                                   Host\Connections




CCE-10103-0 CCE-3429-8    CCE-2949-6   CCE-855     Computer Configuration\Administrative
                                                   Templates\Windows Components\Remote
                                                   Desktop Services\Remote Desktop Session
                                                   Host\Security

CCE-9764-2   CCE-4866-0   CCE-3116-1   CCE-397     Computer Configuration\Administrative
                                                   Templates\Windows Components\Remote
                                                   Desktop Services\Remote Desktop Session
                                                   Host\Security
CCE-10608-8 CCE-4267-1    CCE-3124-5    CCE-123       Computer Configuration\Administrative
                                                      Templates\Windows Components\Remote
                                                      Desktop Services\Remote Desktop Session
                                                      Host\Session Time Limits




CCE-9858-2   CCE-5007-0   CCE-2961-1    CCE-920       Computer Configuration\Administrative
                                                      Templates\Windows Components\Remote
                                                      Desktop Services\Remote Desktop Session
                                                      Host\Session Time Limits


CCE-10856-3 CCE-18414-3 (Not            (Not          Computer Configuration\Administrative
                        Applicable)     Applicable)   Templates\Windows Components\Remote
                                                      Desktop Services\Remote Desktop Session
                                                      Host\Temporary Folders

CCE-9864-0   CCE-18913-4 (Not           (Not          Computer Configuration\Administrative
                         Applicable)    Applicable)   Templates\Windows Components\Remote
                                                      Desktop Services\Remote Desktop Session
                                                      Host\Temporary Folders

CCE-10730-0 CCE-3477-7    CCE-4581-5    CCE-767       Computer Configuration\Administrative
                                                      Templates\Windows Components\RSS Feeds


CCE-10496-8 CCE-3376-1    (Not          CCE-1049      Computer Configuration\Administrative
                          Applicable)                 Templates\Windows Components\Search
CCE-9866-5   CCE-3143-5    (Not          CCE-1058      Computer Configuration\Administrative
                           Applicable)                 Templates\Windows Components\Search



CCE-10137-8 (Not           (Not          (Not          Computer Configuration\Administrative
            Applicable)    Applicable)   Applicable)   Templates\Windows Components\Windows
                                                       Anytime Upgrade
CCE-9868-1   CCE-4761-3    (Not          CCE-312       Computer Configuration\Administrative
                           Applicable)                 Templates\Windows Components\Windows
                                                       Defender
CCE-10157-6 CCE-4915-5     (Not          CCE-959       Computer Configuration\Administrative
                           Applicable)                 Templates\Windows Components\Windows
                                                       Error Reporting

CCE-9914-3   CCE-5034-4    (Not          CCE-803       Computer Configuration\Administrative
                           Applicable)                 Templates\Windows Components\Windows
                                                       Error Reporting
CCE-10709-4 CCE-5136-7     (Not          CCE-259       Computer Configuration\Administrative
                           Applicable)                 Templates\Windows Components\Windows
                                                       Error Reporting


CCE-10824-1 CCE-4089-9     (Not          CCE-798       Computer Configuration\Administrative
                           Applicable)                 Templates\Windows Components\Windows
                                                       Error Reporting



CCE-9918-4   (Not          (Not          (Not          Computer Configuration\Administrative
             Applicable)   Applicable)   Applicable)   Templates\Windows Components\Windows
                                                       Explorer


CCE-9874-9   CCE-2962-9    (Not          CCE-384       Computer Configuration\Administrative
                           Applicable)                 Templates\Windows Components\Windows
                                                       Explorer



CCE-10623-7 CCE-3125-2     CCE-4270-5    CCE-480       Computer Configuration\Administrative
                                                       Templates\Windows Components\Windows
                                                       Explorer
CCE-9875-6   CCE-4991-6   CCE-2830-8    CCE-261    Computer Configuration\Administrative
                                                   Templates\Windows Components\Windows
                                                   Installer




CCE-9876-4   CCE-4629-2   CCE-3094-0    CCE-415    Computer Configuration\Administrative
                                                   Templates\Windows Components\Windows
                                                   Installer
CCE-9888-9   CCE-3398-5   CCE-5025-2    CCE-612    Computer Configuration\Administrative
                                                   Templates\Windows Components\Windows
                                                   Installer

CCE-9907-7   CCE-3341-5   (Not          CCE-392    Computer Configuration\Administrative
                          Applicable)              Templates\Windows Components\Windows
                                                   Logon Options


CCE-11252-4 CCE-2521-3    (Not          CCE-96     Computer Configuration\Administrative
                          Applicable)              Templates\Windows Components\Windows
                                                   Mail

CCE-10882-9 CCE-2525-4    (Not          CCE-331    Computer Configuration\Administrative
                          Applicable)              Templates\Windows Components\Windows
                                                   Mail
CCE-9908-5   CCE-3486-8   (Not          CCE-1089   Computer Configuration\Administrative
                          Applicable)              Templates\Windows Components\Windows
                                                   Media Digital Rights Management

CCE-10692-2 CCE-4405-7    CCE-4791-0    CCE-1140   Computer Configuration\Administrative
                                                   Templates\Windows Components\Windows
                                                   Media Player



CCE-10602-1 CCE-4898-3    CCE-2826-6    CCE-455    Computer Configuration\Administrative
                                                   Templates\Windows Components\Windows
                                                   Media Player
CCE-9403-7   CCE-3358-9   CCE-7528-3   CCE-306   Computer Configuration\Administrative
                                                 Templates\Windows Components\Windows
                                                 Update




CCE-9464-9   CCE-3363-9   CCE-8400-4   CCE-1     Computer Configuration\Administrative
                                                 Templates\Windows Components\Windows
                                                 Update
CCE-9672-7   CCE-2462-0   CCE-8375-8   CCE-641   Computer Configuration\Administrative
                                                 Templates\Windows Components\Windows
                                                 Update




CCE-10205-3 CCE-2852-2    CCE-8406-1   CCE-804   Computer Configuration\Administrative
                                                 Templates\Windows Components\Windows
                                                 Update
CCE-9308-8   CCE-2363-0   CCE-2928-0   CCE-980   Computer Configuration\Windows
                                                 Settings\Security Settings\Account
                                                 Policies\Account Lockout Policy




CCE-9136-3   CCE-3177-3   CCE-2986-8   CCE-658   Computer Configuration\Windows
                                                 Settings\Security Settings\Account
                                                 Policies\Account Lockout Policy




CCE-9400-3   CCE-2715-1   CCE-2466-1   CCE-733   Computer Configuration\Windows
                                                 Settings\Security Settings\Account
                                                 Policies\Account Lockout Policy




CCE-8912-8   CCE-2323-4   CCE-2994-2   CCE-60    Computer Configuration\Windows
                                                 Settings\Security Settings\Account
                                                 Policies\Password Policy



CCE-9193-4   CCE-2967-8   CCE-2920-7   CCE-871   Computer Configuration\Windows
                                                 Settings\Security Settings\Account
                                                 Policies\Password Policy




CCE-9330-2   CCE-3240-9   CCE-2439-8   CCE-324   Computer Configuration\Windows
                                                 Settings\Security Settings\Account
                                                 Policies\Password Policy
CCE-9357-5   CCE-2883-7   CCE-2981-9   CCE-100       Computer Configuration\Windows
                                                     Settings\Security Settings\Account
                                                     Policies\Password Policy




CCE-9370-8   CCE-3033-8   CCE-2735-9   CCE-633       Computer Configuration\Windows
                                                     Settings\Security Settings\Account
                                                     Policies\Password Policy



CCE-9260-1   CCE-3311-8   CCE-2889-4   CCE-479       Computer Configuration\Windows
                                                     Settings\Security Settings\Account
                                                     Policies\Password Policy




CCE-9725-   CCE-18588-4 (Not           (Not          Computer Configuration\Windows
3_CCE-9718-             Applicable)    Applicable)   Settings\Security Settings\Advanced Audit
8                                                    Policy Configuration\System Audit
                                                     Policies\Account Logon
CCE-9258-     (Not          (Not          Computer Configuration\Windows
5_CCE-9502-   Applicable)   Applicable)   Settings\Security Settings\Advanced Audit
6                                         Policy Configuration\System Audit
                                          Policies\Account Logon




CCE-9148-     (Not          (Not          Computer Configuration\Windows
8_CCE-9269-   Applicable)   Applicable)   Settings\Security Settings\Advanced Audit
2                                         Policy Configuration\System Audit
                                          Policies\Account Logon
CCE-9808-                (Not          (Not          Computer Configuration\Windows
7_CCE-9445-              Applicable)   Applicable)   Settings\Security Settings\Advanced Audit
8                                                    Policy Configuration\System Audit
                                                     Policies\Account Logon




CCE-8822-   CCE-4938-   (Not           CCE-          Computer Configuration\Windows
9_CCE-9591- 7_CCE-4700- Applicable)    801_CCE-      Settings\Security Settings\Advanced Audit
9           1                          1016          Policy Configuration\System Audit
                                                     Policies\Account Management
CCE-9498-   CCE-4093-   (Not          CCE-        Computer Configuration\Windows
7_CCE-9608- 1_CCE-4228- Applicable)   1070_CCE-   Settings\Security Settings\Advanced Audit
1           3                         840         Policy Configuration\System Audit
                                                  Policies\Account Management




CCE-9644-   CCE-4115-   (Not          CCE-        Computer Configuration\Windows
6_CCE-8829- 2_CCE-4140- Applicable)   515_CCE-    Settings\Security Settings\Advanced Audit
4           0                         1048        Policy Configuration\System Audit
                                                  Policies\Account Management
CCE-9657-   CCE-4916-   (Not          CCE-        Computer Configuration\Windows
8_CCE-9668- 3_CCE-4783- Applicable)   206_CCE-    Settings\Security Settings\Advanced Audit
5           7                         1202        Policy Configuration\System Audit
                                                  Policies\Account Management




CCE-9692-   CCE-5048-   (Not          CCE-        Computer Configuration\Windows
5_CCE-9056- 4_CCE-4142- Applicable)   1118_CCE-   Settings\Security Settings\Advanced Audit
3           6                         369         Policy Configuration\System Audit
                                                  Policies\Account Management
CCE-9542-   CCE-4833-   (Not          CCE-        Computer Configuration\Windows
2_CCE-9800- 0_CCE-5097- Applicable)   1043_CCE-   Settings\Security Settings\Advanced Audit
4           1                         924         Policy Configuration\System Audit
                                                  Policies\Account Management




CCE-9735-   CCE-5000-   (Not          CCE-        Computer Configuration\Windows
2_CCE-9412- 5_CCE-4493- Applicable)   1413_CCE-   Settings\Security Settings\Advanced Audit
8           3                         699         Policy Configuration\System Audit
                                                  Policies\Detailed Tracking
CCE-9562-   CCE-4166-   (Not          CCE-       Computer Configuration\Windows
0_CCE-9805- 5_CCE-5094- Applicable)   913_CCE-   Settings\Security Settings\Advanced Audit
3           8                         1079       Policy Configuration\System Audit
                                                 Policies\Detailed Tracking




CCE-9227-   CCE-4869-   (Not          CCE-       Computer Configuration\Windows
0_CCE-9818- 4_CCE-4363- Applicable)   416_CCE-   Settings\Security Settings\Advanced Audit
6           8                         1250       Policy Configuration\System Audit
                                                 Policies\Detailed Tracking
CCE-9492-   CCE-4891-   (Not          CCE-        Computer Configuration\Windows
0_CCE-9364- 8_CCE-4759- Applicable)   1219_CCE-   Settings\Security Settings\Advanced Audit
1           7                         1365        Policy Configuration\System Audit
                                                  Policies\Detailed Tracking




CCE-9628-   CCE-5023-   (Not          CCE-        Computer Configuration\Windows
9_CCE-9526- 7_CCE-4658- Applicable)   207_CCE-    Settings\Security Settings\Advanced Audit
5           1                         1186        Policy Configuration\System Audit Policies\DS
                                                  Access
CCE-9765-   CCE-5028-   (Not          CCE-        Computer Configuration\Windows
9_CCE-9791- 6_CCE-4931- Applicable)   1199_CCE-   Settings\Security Settings\Advanced Audit
5           2                         459         Policy Configuration\System Audit Policies\DS
                                                  Access




CCE-9734-   CCE-5067-   (Not          CCE-        Computer Configuration\Windows
5_CCE-8850- 4_CCE-4808- Applicable)   317_CCE-    Settings\Security Settings\Advanced Audit
0           2                         982         Policy Configuration\System Audit Policies\DS
                                                  Access
CCE-9637-   CCE-5089-   (Not            CCE-          Computer Configuration\Windows
0_CCE-9755- 8_CCE-4176- Applicable)     881_CCE-      Settings\Security Settings\Advanced Audit
0           4                           247           Policy Configuration\System Audit Policies\DS
                                                      Access




CCE-9811-   (Not          (Not          (Not          Computer Configuration\Windows
1_CCE-9217- Applicable)   Applicable)   Applicable)   Settings\Security Settings\Advanced Audit
1                                                     Policy Configuration\System Audit
                                                      Policies\Global Object Access Auditing
CCE-10078- (Not           (Not          (Not          Computer Configuration\Windows
4_CCE-9737- Applicable)   Applicable)   Applicable)   Settings\Security Settings\Advanced Audit
8                                                     Policy Configuration\System Audit
                                                      Policies\Global Object Access Auditing




CCE-8853-   CCE-2363-0    (Not          CCE-980       Computer Configuration\Windows
4_CCE-9023-               Applicable)                 Settings\Security Settings\Advanced Audit
3                                                     Policy Configuration\System Audit
                                                      Policies\Logon/Logoff
CCE-9661-   CCE-5011-   (Not          CCE-        Computer Configuration\Windows
0_CCE-8857- 2_CCE-4505- Applicable)   1028_CCE-   Settings\Security Settings\Advanced Audit
5           4                         362         Policy Configuration\System Audit
                                                  Policies\Logon/Logoff




CCE-9715-   CCE-5016-   (Not          CCE-        Computer Configuration\Windows
4_CCE-8956- 1_CCE-4650- Applicable)   1207_CCE-   Settings\Security Settings\Advanced Audit
5           8                         351         Policy Configuration\System Audit
                                                  Policies\Logon/Logoff
CCE-9632-   CCE-5038-   (Not          CCE-        Computer Configuration\Windows
1_CCE-9671- 5_CCE-4928- Applicable)   1257_CCE-   Settings\Security Settings\Advanced Audit
9           8                         1274        Policy Configuration\System Audit
                                                  Policies\Logon/Logoff




CCE-8856-   CCE-4703-   (Not          CCE-        Computer Configuration\Windows
7_CCE-9058- 5_CCE-4183- Applicable)   493_CCE-    Settings\Security Settings\Advanced Audit
9           0                         996         Policy Configuration\System Audit
                                                  Policies\Logon/Logoff
CCE-9683-   CCE-5018-   (Not            CCE-          Computer Configuration\Windows
4_CCE-9213- 7_CCE-4423- Applicable)     1284_CCE-     Settings\Security Settings\Advanced Audit
0           0                           1097          Policy Configuration\System Audit
                                                      Policies\Logon/Logoff




CCE-9076-   (Not          (Not          (Not          Computer Configuration\Windows
1_CCE-9741- Applicable)   Applicable)   Applicable)   Settings\Security Settings\Advanced Audit
0                                                     Policy Configuration\System Audit
                                                      Policies\Logon/Logoff
CCE-9622-   CCE-5163-   (Not          CCE-       Computer Configuration\Windows
2_CCE-9631- 1_CCE-5066- Applicable)   378_CCE-   Settings\Security Settings\Advanced Audit
3           6                         1208       Policy Configuration\System Audit
                                                 Policies\Logon/Logoff




CCE-9763-   CCE-4956-   (Not          CCE-       Computer Configuration\Windows
4_CCE-9521- 9_CCE-4824- Applicable)   371_CCE-   Settings\Security Settings\Advanced Audit
6           9                         1038       Policy Configuration\System Audit
                                                 Policies\Logon/Logoff
CCE-9816-   CCE-5084-   (Not          CCE-        Computer Configuration\Windows
0_CCE-8860- 9_CCE-4829- Applicable)   1322_CCE-   Settings\Security Settings\Advanced Audit
9           8                         379         Policy Configuration\System Audit
                                                  Policies\Object Access




CCE-9460-   CCE-4714-   (Not          CCE-        Computer Configuration\Windows
7_CCE-9488- 2_CCE-4868- Applicable)   1345_CCE-   Settings\Security Settings\Advanced Audit
8           6                         1261        Policy Configuration\System Audit
                                                  Policies\Object Access
CCE-9720-   (Not          (Not          (Not          Computer Configuration\Windows
4_CCE-8861- Applicable)   Applicable)   Applicable)   Settings\Security Settings\Advanced Audit
7                                                     Policy Configuration\System Audit
                                                      Policies\Object Access




CCE-9376-   CCE-4200-   (Not            CCE-          Computer Configuration\Windows
5_CCE-9405- 2_CCE-5145- Applicable)     1372_CCE-     Settings\Security Settings\Advanced Audit
2           8                           1033          Policy Configuration\System Audit
                                                      Policies\Object Access
CCE-9217-   CCE-4921-   (Not          CCE-        Computer Configuration\Windows
1_CCE-9811- 3_CCE-5039- Applicable)   1085_CCE-   Settings\Security Settings\Advanced Audit
1           3                         1340        Policy Configuration\System Audit
                                                  Policies\Object Access




CCE-9728-   CCE-4568-   (Not          CCE-        Computer Configuration\Windows
7_CCE-9569- 2_CCE-5079- Applicable)   717_CCE-    Settings\Security Settings\Advanced Audit
5           9                         744         Policy Configuration\System Audit
                                                  Policies\Object Access
CCE-9133-0   CCE-4947-   (Not          CCE-        Computer Configuration\Windows
             8_CCE-4335- Applicable)   385_CCE-    Settings\Security Settings\Advanced Audit
             6                         589         Policy Configuration\System Audit
                                                   Policies\Object Access




CCE-9789-    CCE-4828-   (Not          CCE-        Computer Configuration\Windows
9_CCE-       0_CCE-4965- Applicable)   1363_CCE-   Settings\Security Settings\Advanced Audit
10098-2      0                         1244        Policy Configuration\System Audit
                                                   Policies\Object Access
CCE-9803-   CCE-4996-   (Not          CCE-        Computer Configuration\Windows
8_CCE-9137- 5_CCE-4885- Applicable)   1288_CCE-   Settings\Security Settings\Advanced Audit
1           0                         1305        Policy Configuration\System Audit
                                                  Policies\Object Access




CCE-9455-   CCE-5132-   (Not          CCE-        Computer Configuration\Windows
7_CCE-9545- 6_CCE-4691- Applicable)   642_CCE-    Settings\Security Settings\Advanced Audit
5           2                         1026        Policy Configuration\System Audit
                                                  Policies\Object Access
CCE-9737-   CCE-4594-   (Not          CCE-        Computer Configuration\Windows
8_CCE-      8_CCE-5087- Applicable)   1138_CCE-   Settings\Security Settings\Advanced Audit
10078-4     2                         1283        Policy Configuration\System Audit
                                                  Policies\Object Access




CCE-9856-   CCE-4616-   (Not          CCE-        Computer Configuration\Windows
6_CCE-9845- 9_CCE-4982- Applicable)   446_CCE-    Settings\Security Settings\Advanced Audit
9           5                         451         Policy Configuration\System Audit
                                                  Policies\Object Access
CCE-10021- CCE-4201-    (Not          CCE-        Computer Configuration\Windows
4_CCE-9235- 0_CCE-5137- Applicable)   1110_CCE-   Settings\Security Settings\Advanced Audit
3           5                         991         Policy Configuration\System Audit
                                                  Policies\Policy Change




CCE-9976-   CCE-4877-   (Not          CCE-        Computer Configuration\Windows
2_CCE-      7_CCE-4516- Applicable)   388_CCE-    Settings\Security Settings\Advanced Audit
10014-9     1                         180         Policy Configuration\System Audit
                                                  Policies\Policy Change
CCE-9633-   CCE-5172-   (Not          CCE-        Computer Configuration\Windows
9_CCE-      2_CCE-5058- Applicable)   187_CCE-    Settings\Security Settings\Advanced Audit
10050-3     3                         448         Policy Configuration\System Audit
                                                  Policies\Policy Change




CCE-9902-   CCE-5177-   (Not          CCE-        Computer Configuration\Windows
8_CCE-      1_CCE-4939- Applicable)   1042_CCE-   Settings\Security Settings\Advanced Audit
10081-8     5                         1112        Policy Configuration\System Audit
                                                  Policies\Policy Change
CCE-9153-   CCE-5181-   (Not          CCE-       Computer Configuration\Windows
8_CCE-9913- 3_CCE-4204- Applicable)   203_CCE-   Settings\Security Settings\Advanced Audit
5           4                         879        Policy Configuration\System Audit
                                                 Policies\Policy Change




CCE-9596-   CCE-4479-   (Not          CCE-       Computer Configuration\Windows
8_CCE-      2_CCE-4995- Applicable)   205_CCE-   Settings\Security Settings\Advanced Audit
10049-5     7                         787        Policy Configuration\System Audit
                                                 Policies\Policy Change
CCE-9190-   CCE-5114-   (Not          CCE-        Computer Configuration\Windows
0_CCE-9159- 4_CCE-4990- Applicable)   391_CCE-    Settings\Security Settings\Advanced Audit
5           8                         404         Policy Configuration\System Audit
                                                  Policies\Privilege Use




CCE-9988-   CCE-5131-   (Not          CCE-        Computer Configuration\Windows
7_CCE-9314- 8_CCE-4205- Applicable)   1203_CCE-   Settings\Security Settings\Advanced Audit
6           1                         406         Policy Configuration\System Audit
                                                  Policies\Privilege Use
CCE-9878-   CCE-4300-   (Not          CCE-        Computer Configuration\Windows
0_CCE-9172- 0_CCE-4734- Applicable)   488_CCE-    Settings\Security Settings\Advanced Audit
8           0                         1258        Policy Configuration\System Audit
                                                  Policies\Privilege Use




CCE-9925-   CCE-4976-   (Not          CCE-        Computer Configuration\Windows
9_CCE-9802- 7_CCE-4879- Applicable)   1177_CCE-   Settings\Security Settings\Advanced Audit
0           3                         1314        Policy Configuration\System Audit
                                                  Policies\System
CCE-9586-   CCE-4998-   (Not          CCE-        Computer Configuration\Windows
9_CCE-      1_CCE-4883- Applicable)   1332_CCE-   Settings\Security Settings\Advanced Audit
10088-3     5                         337         Policy Configuration\System Audit
                                                  Policies\System




CCE-9850-   CCE-4535-   (Not          CCE-        Computer Configuration\Windows
9_CCE-9179- 1_CCE-5157- Applicable)   1121_CCE-   Settings\Security Settings\Advanced Audit
3           3                         1139        Policy Configuration\System Audit
                                                  Policies\System
CCE-9863-   CCE-5170-   (Not            CCE-        Computer Configuration\Windows
2_CCE-9998- 6_CCE-4910- Applicable)     1270_CCE-   Settings\Security Settings\Advanced Audit
6           6                           1102        Policy Configuration\System Audit
                                                    Policies\System




CCE-9520-   CCE-5047-   (Not            CCE-        Computer Configuration\Windows
8_CCE-9194- 6_CCE-4822- Applicable)     856_CCE-    Settings\Security Settings\Advanced Audit
2           3                           336         Policy Configuration\System Audit
                                                    Policies\System




(Not          CCE-3015-5   CCE-2904-1   CCE-185     Computer Configuration\Windows
Applicable)                                         Settings\Security Settings\Event Log



(Not          CCE-3302-7   CCE-2693-0   CCE-757     Computer Configuration\Windows
Applicable)                                         Settings\Security Settings\Event Log
(Not          CCE-3165-8    CCE-3006-4   CCE-735   Computer Configuration\Windows
Applicable)                                        Settings\Security Settings\Event Log



(Not          (Not          CCE-2784-7   CCE-997   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2220-2   CCE-547   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2833-2   CCE-865   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2175-8   CCE-795   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2052-9   CCE-600   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2184-0   CCE-393   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2312-7   CCE-166   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2726-8   CCE-977   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2699-7   CCE-201   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-1909-1   CCE-20   Computer Configuration\Windows
Applicable)   Applicable)                         Settings\Security Settings\File System
(Not          (Not          CCE-2145-1   CCE-489   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2436-4   CCE-917   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-4952-8   CCE-1225   Computer Configuration\Windows
Applicable)   Applicable)                           Settings\Security Settings\File System
(Not          (Not          CCE-2178-2   CCE-731   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2672-4   CCE-607   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-1916-6   CCE-158   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2855-5   CCE-543   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2894-4   CCE-657   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2899-3   CCE-274   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2546-0   CCE-168   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2674-0   CCE-353   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2176-6   CCE-516   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2198-0   CCE-922   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2788-8   CCE-921   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2797-9   CCE-225   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-2731-8   CCE-348   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System
(Not          (Not          CCE-1937-2   CCE-718   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\File System




CCE-9321-1, CCE-2820-9, CCE-2867-0, CCE-2628,      Computer Configuration\Windows
CCE-9887-1 CCE-3089-0 CCE-3008-0 CCE-2543          Settings\Security Settings\Local Policies\Audit
                                                   Policy
CCE-9339-3, CCE-3234-2, CCE-2902-5, CCE-2000,   Computer Configuration\Windows
CCE-10169-1 CCE-3287-0 CCE-2906-6 CCE-1646      Settings\Security Settings\Local Policies\Audit
                                                Policy




CCE-9224-7, CCE-3041-1, CCE-2933-0, CCE-2118,   Computer Configuration\Windows
CCE-9214-8 CCE-3309-2 CCE-2206-1 CCE-2390       Settings\Security Settings\Local Policies\Audit
                                                Policy
CCE-9365-8, CCE-3076-7, CCE-2100-6, CCE-1686,   Computer Configuration\Windows
CCE-10118-8 CCE-2970-2 CCE-2343-2 CCE-1744      Settings\Security Settings\Local Policies\Audit
                                                Policy




CCE-9162-9, CCE-2724-3, CCE-2259-0, CCE-2640,   Computer Configuration\Windows
CCE-9629-7 CCE-3243-3 CCE-2766-4 CCE-1991       Settings\Security Settings\Local Policies\Audit
                                                Policy
CCE-9180-1, CCE-2746-6, CCE-2971-0, CCE-2412,   Computer Configuration\Windows
CCE-10144-4 CCE-2653-4 CCE-2759-9 CCE-2347      Settings\Security Settings\Local Policies\Audit
                                                Policy




CCE-9066-2, CCE-2322-6, CCE-2913-2, CCE-2431,   Computer Configuration\Windows
CCE-10175-8 CCE-3257-3 CCE-2918-1 CCE-2584      Settings\Security Settings\Local Policies\Audit
                                                Policy
CCE-9347-6, CCE-3024-7, CCE-2816-7, CCE-2529,   Computer Configuration\Windows
CCE-10082-6 CCE-2927-2 CCE-2939-7 CCE-2617      Settings\Security Settings\Local Policies\Audit
                                                Policy




CCE-8407-9, CCE-2953-8, CCE-2878-7, CCE-2420,   Computer Configuration\Windows
CCE-9990-3 CCE-3222-7 CCE-2843-1 CCE-1680       Settings\Security Settings\Local Policies\Audit
                                                Policy
CCE-9199-1   CCE-3032-0   CCE-2943-9   CCE-499   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options




CCE-8714-8   CCE-3248-2   CCE-3040-3   CCE-332   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options



CCE-9418-5   CCE-2398-6   CCE-2344-0   CCE-533   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options
CCE-8484-8   CCE-2714-4   CCE-3135-1    CCE-438   Computer Configuration\Windows
                                                  Settings\Security Settings\Local
                                                  Policies\Security Options




CCE-9229-6   CCE-2359-8   CCE-3025-4    CCE-834   Computer Configuration\Windows
                                                  Settings\Security Settings\Local
                                                  Policies\Security Options



CCE-9150-4   CCE-3285-4   CCE-3162-5    CCE-2     Computer Configuration\Windows
                                                  Settings\Security Settings\Local
                                                  Policies\Security Options


CCE-8789-0   CCE-3303-5   CCE-2955-3    CCE-905   Computer Configuration\Windows
                                                  Settings\Security Settings\Local
                                                  Policies\Security Options


CCE-9432-6   CCE-3450-4   (Not          CCE-111   Computer Configuration\Windows
                          Applicable)             Settings\Security Settings\Local
                                                  Policies\Security Options



CCE-9026-6   CCE-3325-8   CCE-2789-6    CCE-402   Computer Configuration\Windows
                                                  Settings\Security Settings\Local
                                                  Policies\Security Options
CCE-9304-7    CCE-2858-9    CCE-2974-4   CCE-565   Computer Configuration\Windows
                                                   Settings\Security Settings\Local
                                                   Policies\Security Options




CCE-9440-9    CCE-3168-2    CCE-2873-8   CCE-463   Computer Configuration\Windows
                                                   Settings\Security Settings\Local
                                                   Policies\Security Options




(Not          (Not          CCE-3085-8   CCE-413   Computer Configuration\Windows
Applicable)   Applicable)                          Settings\Security Settings\Local
                                                   Policies\Security Options




CCE-8974-8    CCE-3330-8    CCE-3097-3   CCE-549   Computer Configuration\Windows
                                                   Settings\Security Settings\Local
                                                   Policies\Security Options
CCE-9251-0   CCE-2467-9   CCE-2996-7   CCE-161   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options




CCE-9375-7   CCE-3233-4   CCE-3000-7   CCE-918   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options




CCE-9295-7   CCE-3255-7   CCE-2313-5   CCE-831   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options




CCE-9123-1   CCE-3075-9   CCE-3018-9   CCE-194   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options




CCE-9387-2   CCE-3212-8   CCE-3151-8   CCE-417   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options
CCE-9449-0   CCE-3173-2   CCE-2930-6   CCE-65    Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options




CCE-9317-9   CCE-3307-6   CCE-2891-0   CCE-133   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options




CCE-8973-0   CCE-3336-5   CCE-2472-9   CCE-829   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options
CCE-8740-3   CCE-3314-2   CCE-2573-4   CCE-23    Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options




CCE-8487-1   CCE-2376-2   CCE-3106-2   CCE-773   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options




CCE-9307-0   CCE-3230-0   CCE-2701-1   CCE-814   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options



CCE-8818-7   CCE-3220-1   CCE-3172-4   CCE-374   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options




CCE-9067-0   CCE-3251-6   CCE-3133-6   CCE-443   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options
CCE-9327-8   CCE-3252-4   CCE-3027-0   CCE-576   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options


CCE-9344-3   CCE-2380-4   CCE-2802-7   CCE-519   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options


CCE-9265-0   CCE-2838-1   CCE-3049-4   CCE-228   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options




CCE-9406-0   CCE-2519-7   CCE-3157-5   CCE-222   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options




CCE-9040-7   CCE-3023-9   CCE-3053-6   CCE-171   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options


CCE-8825-2   CCE-3164-1   CCE-2688-0   CCE-104   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options


CCE-9358-3   CCE-3361-3   CCE-2692-2   CCE-278   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options
CCE-8503-5    (Not          (Not          (Not          Computer Configuration\Windows
              Applicable)   Applicable)   Applicable)   Settings\Security Settings\Local
                                                        Policies\Security Options




CCE-9342-7    CCE-3072-6    CCE-2776-3    CCE-283       Computer Configuration\Windows
                                                        Settings\Security Settings\Local
                                                        Policies\Security Options


CCE-8655-3    CCE-5101-1    (Not          (Not          Computer Configuration\Windows
                            Applicable)   Applicable)   Settings\Security Settings\Local
                                                        Policies\Security Options



CCE-9496-1    CCE-3261-5    CCE-3132-8    CCE-564       Computer Configuration\Windows
                                                        Settings\Security Settings\Local
                                                        Policies\Security Options



(Not          CCE-3120-3    CCE-2718-5    CCE-897       Computer Configuration\Windows
Applicable)                                             Settings\Security Settings\Local
                                                        Policies\Security Options



CCE-8513-4    CCE-3239-1    CCE-2824-1    CCE-150       Computer Configuration\Windows
                                                        Settings\Security Settings\Local
                                                        Policies\Security Options




CCE-8560-5    CCE-3067-6    CCE-2952-0    CCE-139       Computer Configuration\Windows
                                                        Settings\Security Settings\Local
                                                        Policies\Security Options



CCE-9426-8    CCE-3142-7    CCE-2559-3    CCE-188       Computer Configuration\Windows
                                                        Settings\Security Settings\Local
                                                        Policies\Security Options
CCE-9439-1    CCE-4904-9   CCE-3044-5   CCE-501   Computer Configuration\Windows
                                                  Settings\Security Settings\Local
                                                  Policies\Security Options




(Not          CCE-2719-3   CCE-2710-2   CCE-44    Computer Configuration\Windows
Applicable)                                       Settings\Security Settings\Local
                                                  Policies\Security Options




CCE-8562-1    CCE-2785-4   CCE-3118-7   CCE-817   Computer Configuration\Windows
                                                  Settings\Security Settings\Local
                                                  Policies\Security Options




CCE-9458-1    CCE-3279-7   CCE-2652-6   CCE-952   Computer Configuration\Windows
                                                  Settings\Security Settings\Local
                                                  Policies\Security Options




CCE-9348-4    CCE-3199-7   CCE-2841-5   CCE-271   Computer Configuration\Windows
                                                  Settings\Security Settings\Local
                                                  Policies\Security Options


CCE-8591-0    CCE-7716-4   CCE-2980-1   CCE-830   Computer Configuration\Windows
                                                  Settings\Security Settings\Local
                                                  Policies\Security Options
(Not          CCE-2679-9   CCE-2916-5    CCE-284       Computer Configuration\Windows
Applicable)                                            Settings\Security Settings\Local
                                                       Policies\Security Options




(Not          CCE-3459-5   CCE-2213-7    CCE-577       Computer Configuration\Windows
Applicable)                                            Settings\Security Settings\Local
                                                       Policies\Security Options




CCE-9487-0    CCE-4271-3   (Not          (Not          Computer Configuration\Windows
                           Applicable)   Applicable)   Settings\Security Settings\Local
                                                       Policies\Security Options




CCE-9456-5    CCE-3460-3   CCE-2239-2    CCE-872       Computer Configuration\Windows
                                                       Settings\Security Settings\Local
                                                       Policies\Security Options




CCE-9501-8    CCE-3181-5   CCE-3061-9    CCE-125       Computer Configuration\Windows
                                                       Settings\Security Settings\Local
                                                       Policies\Security Options
CCE-9531-5   CCE-2339-0   CCE-2973-6    CCE-953   Computer Configuration\Windows
                                                  Settings\Security Settings\Local
                                                  Policies\Security Options


CCE-9249-4   CCE-3272-2   CCE-2147-7    CCE-318   Computer Configuration\Windows
                                                  Settings\Security Settings\Local
                                                  Policies\Security Options

CCE-9156-1   CCE-3232-6   CCE-2804-3    CCE-195   Computer Configuration\Windows
                                                  Settings\Security Settings\Local
                                                  Policies\Security Options




CCE-8654-6   CCE-3379-5   CCE-3088-2    CCE-542   Computer Configuration\Windows
                                                  Settings\Security Settings\Local
                                                  Policies\Security Options




CCE-8936-7   CCE-2457-0   CCE-3110-4    CCE-18    Computer Configuration\Windows
                                                  Settings\Security Settings\Local
                                                  Policies\Security Options

CCE-9218-9   CCE-3380-3   CCE-3150-0    CCE-136   Computer Configuration\Windows
                                                  Settings\Security Settings\Local
                                                  Policies\Security Options




CCE-9121-5   CCE-2825-8   (Not          CCE-189   Computer Configuration\Windows
                          Applicable)             Settings\Security Settings\Local
                                                  Policies\Security Options
CCE-9386-4   CCE-4781-1   CCE-3155-9   CCE-1185     Computer Configuration\Windows
                                       (CCE-189 for Settings\Security Settings\Local
                                       Windows XP) Policies\Security Options




CCE-9540-6   CCE-3292-0   CCE-2834-0   CCE-638      Computer Configuration\Windows
                                                    Settings\Security Settings\Local
                                                    Policies\Security Options

CCE-9196-7   CCE-3349-8   CCE-3036-1   CCE-942      Computer Configuration\Windows
                                                    Settings\Security Settings\Local
                                                    Policies\Security Options



CCE-9503-4   CCE-3367-0   CCE-3058-5   CCE-343      Computer Configuration\Windows
                                                    Settings\Security Settings\Local
                                                    Policies\Security Options
CCE-9096-9   (Not          (Not          (Not          Computer Configuration\Windows
             Applicable)   Applicable)   Applicable)   Settings\Security Settings\Local
                                                       Policies\Security Options




CCE-8804-7   (Not          (Not          (Not          Computer Configuration\Windows
             Applicable)   Applicable)   Applicable)   Settings\Security Settings\Local
                                                       Policies\Security Options



CCE-9770-9   (Not          (Not          (Not          Computer Configuration\Windows
             Applicable)   Applicable)   Applicable)   Settings\Security Settings\Local
                                                       Policies\Security Options



CCE-9532-3   (Not          (Not          (Not          Computer Configuration\Windows
             Applicable)   Applicable)   Applicable)   Settings\Security Settings\Local
                                                       Policies\Security Options




CCE-8937-5   CCE-3138-5    CCE-2993-4    CCE-233       Computer Configuration\Windows
                                                       Settings\Security Settings\Local
                                                       Policies\Security Options




CCE-9704-8   CCE-3283-9    CCE-3139-3    CCE-775       Computer Configuration\Windows
                                                       Settings\Security Settings\Local
                                                       Policies\Security Options




CCE-8806-2   CCE-4922-1    CCE-2926-4    CCE-719       Computer Configuration\Windows
                                                       Settings\Security Settings\Local
                                                       Policies\Security Options
CCE-9768-3   CCE-4940-3   CCE-2991-8   CCE-732   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options


CCE-9534-9   CCE-4583-1   CCE-3156-7   CCE-674   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options
CCE-9736-0   CCE-4213-5   CCE-2799-5   CCE-766   Computer Configuration\Windows
                                                 Settings\Security Settings\Local
                                                 Policies\Security Options




CCE-8807-0        CCE-4107-9        CCE-2935-5        CCE-410           Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8945-8        CCE-3953-7        CCE-2957-9        CCE-76            Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9707-1        CCE-3954-5        CCE-2983-5        CCE-224           Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9222-1        CCE-3969-3        CCE-3128-6        CCE-422           Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9266-8        CCE-4774-6        CCE-3084-1        CCE-55            Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
(Not Applicable)  (Not Applicable)  CCE-2842-3        CCE-575           Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9319-5        CCE-4841-3        CCE-2987-6        CCE-300           Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9191-8        CCE-4011-3        CCE-3005-6        CCE-508           Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8811-2        CCE-4955-1        (Not Applicable)  CCE-1078          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9301-3        CCE-4467-7        (Not Applicable)  (Not Applicable)  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8958-1        CCE-4016-2        (Not Applicable)  CCE-1063          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8813-8        CCE-4969-2        (Not Applicable)  CCE-1067          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9616-4        CCE-4612-8        (Not Applicable)  CCE-1128          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9021-7        CCE-5004-7        (Not Applicable)  CCE-1104          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9801-2        CCE-4020-4        (Not Applicable)  CCE-986           Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9189-2        CCE-4907-2        (Not Applicable)  CCE-1050          Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9395-5        CCE-4925-4        (Not Applicable)  CCE-230           Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-8817-9        CCE-4194-7        (Not Applicable)  CCE-673           Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
CCE-9253-6        CCE-4334-9        CCE-2379-6        CCE-532           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9407-8        CCE-4088-1        CCE-2167-5        CCE-162           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9068-8        CCE-4854-6        CCE-2547-8        CCE-807           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9345-0        CCE-4872-8        CCE-2829-0        CCE-965           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9107-4        CCE-4264-8        CCE-3004-9        CCE-883           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9389-8        CCE-4827-2        CCE-2299-6        CCE-931           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8414-5        CCE-4973-4        CCE-2806-8        CCE-376           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8612-4        CCE-4863-7        CCE-2846-4        CCE-799           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8423-6        CCE-5008-8        (Not Applicable)  CCE-470           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9185-0        CCE-4757-1        CCE-2786-2        CCE-895           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9215-5        CCE-4902-3        CCE-2791-2        CCE-926           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8431-9        CCE-4792-8        CCE-3107-0        CCE-383           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9254-4        CCE-4184-8        CCE-1969-5        CCE-335           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8460-8        CCE-4294-5        (Not Applicable)  CCE-1176          Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8583-7        CCE-4687-0        CCE-2864-7        CCE-842           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9244-5        CCE-4704-3        CCE-1978-6        CCE-898           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9212-2        CCE-4722-5        CCE-2898-5        CCE-165           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9098-5        CCE-4867-8        CCE-2792-0        CCE-597           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9239-5        CCE-4889-2        CCE-2700-3        CCE-64            Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9274-2        CCE-4656-5        CCE-2814-2        CCE-108           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9336-9        CCE-4673-0        CCE-2886-0        CCE-754           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9226-2        CCE-4488-3        CCE-2767-2        CCE-939           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8467-3        CCE-4382-8        CCE-2737-5        CCE-304           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9048-0        CCE-4651-6        (Not Applicable)  CCE-1027          Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8999-5        CCE-4796-9        CCE-2944-7        CCE-349           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9135-5        CCE-4034-5        CCE-2446-3        CCE-860           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9289-0        CCE-4317-4        CCE-2609-6        CCE-749           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9320-3        CCE-4083-2        CCE-2882-9        CCE-177           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9461-5        CCE-4038-6        CCE-2948-8        CCE-216           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9223-9        CCE-4046-9        CCE-2247-5        CCE-850           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9149-6        CCE-4285-3        (Not Applicable)  CCE-1023          Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9417-7        CCE-4048-5        CCE-2657-5        CCE-17            Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8475-6        CCE-4071-7        CCE-2960-3        CCE-314           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9388-0        CCE-4962-7        CCE-2807-6        CCE-260           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9419-3        CCE-4618-5        CCE-2675-7        CCE-599           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9326-0        CCE-4861-1        CCE-2335-8        CCE-656           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-8732-0        CCE-4372-9        CCE-2860-5        CCE-667           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9124-9        CCE-4948-6        CCE-2847-2        CCE-553           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9014-2        CCE-4569-0        CCE-2366-3        CCE-839           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
CCE-9309-6        CCE-4988-2        CCE-2021-4        CCE-492           Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

(Not Applicable)  (Not Applicable)  CCE-3034-6        CCE-487           Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  (Not Applicable)  CCE-2818-3        CCE-148           Computer Configuration\Windows Settings\Security Settings\System Services
CCE-10661-7       (Not Applicable)  (Not Applicable)  (Not Applicable)  Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  (Not Applicable)  CCE-2713-6        CCE-954           Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  (Not Applicable)  CCE-2880-3        CCE-294           Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  (Not Applicable)  CCE-3236-7        CCE-774           Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  (Not Applicable)  CCE-2950-4        CCE-800           Computer Configuration\Windows Settings\Security Settings\System Services
CCE-10150-1       (Not Applicable)  CCE-2849-8        CCE-78            Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  (Not Applicable)  CCE-2888-6        CCE-712           Computer Configuration\Windows Settings\Security Settings\System Services
CCE-10543-7       (Not Applicable)  (Not Applicable)  (Not Applicable)  Computer Configuration\Windows Settings\Security Settings\System Services
CCE-9910-1        (Not Applicable)  (Not Applicable)  (Not Applicable)  Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  (Not Applicable)  CCE-2910-8        CCE-738           Computer Configuration\Windows Settings\Security Settings\System Services
CCE-10699-7       (Not Applicable)  (Not Applicable)  (Not Applicable)  Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  CCE-3316-7        CCE-2915-7        CCE-729           Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  CCE-3082-5        CCE-2896-9        CCE-232           Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  (Not Applicable)  CCE-3131-0        CCE-217           Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  (Not Applicable)  CCE-3122-9        CCE-768           Computer Configuration\Windows Settings\Security Settings\System Services
CCE-10311-9       (Not Applicable)  (Not Applicable)  (Not Applicable)  Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  (Not Applicable)  CCE-3035-3        CCE-223           Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  (Not Applicable)  CCE-2661-7        CCE-940           Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  (Not Applicable)  CCE-2326-7        CCE-75            Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  (Not Applicable)  CCE-3043-7        CCE-974           Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  (Not Applicable)  CCE-3048-6        CCE-608           Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  (Not Applicable)  CCE-3291-2        CCE-305           Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  (Not Applicable)  CCE-2494-3        CCE-604           Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  (Not Applicable)  CCE-3265-6        CCE-745           Computer Configuration\Windows Settings\Security Settings\System Services
(Not Applicable)  (Not Applicable)  CCE-2942-1        CCE-758           Computer Configuration\Windows Settings\Security Settings\System Services
CCE-14986-4       CCE-18320-2       (Not Applicable)  (Not Applicable)  Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules
CCE-14854-4       (Not Applicable)  (Not Applicable)  (Not Applicable)  Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules
(Not Applicable)  CCE-2865-4        (Not Applicable)  CCE-1795          Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules
(Not Applicable)  CCE-3508-9        (Not Applicable)  CCE-1293          Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Outbound Rules
CCE-10502-3       CCE-3260-7        CCE-2965-2        CCE-251           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging
CCE-10268-1       CCE-3414-0        CCE-3090-8        CCE-617           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging
CCE-10022-2       CCE-2533-8        CCE-2923-1        CCE-793           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging
CCE-9747-7        CCE-3299-5        CCE-2958-7        CCE-57            Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Logging
CCE-9774-1        CCE-4941-1        (Not Applicable)  CCE-1047          Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Settings\Firewall settings
CCE-9329-4        CCE-2977-7        (Not Applicable)  CCE-584           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Settings\Rule merging
CCE-9686-7        CCE-3457-9        (Not Applicable)  CCE-400           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Settings\Rule merging
CCE-9069-6        CCE-3436-3        CCE-2972-8        CCE-696           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\Settings\Unicast response
CCE-9465-6        CCE-3054-4        CCE-3154-2        CCE-806           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\State
CCE-9620-6        CCE-2999-1        (Not Applicable)  CCE-249           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\State
CCE-9509-1        CCE-3439-7        (Not Applicable)  CCE-485           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile Tab\State
CCE-10215-2       CCE-4597-1        (Not Applicable)  CCE-325           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging
CCE-10611-2       CCE-4963-5        (Not Applicable)  CCE-327           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging
CCE-10386-1       CCE-4206-9        (Not Applicable)  CCE-999           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging
CCE-10250-9       CCE-4207-7        (Not Applicable)  CCE-1091          Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Logging
CCE-8884-9        CCE-3417-3        (Not Applicable)  CCE-38            Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Settings\Firewall settings
CCE-9712-1        CCE-2854-8        (Not Applicable)  CCE-199           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Settings\Rule merging
CCE-9663-6        CCE-3360-5        (Not Applicable)  CCE-117           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Settings\Rule merging
CCE-9522-4        CCE-2924-9        (Not Applicable)  CCE-70            Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\Settings\Unicast response
CCE-9739-4        CCE-3373-8        (Not Applicable)  CCE-7             Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\State
CCE-9694-1        CCE-3395-1        (Not Applicable)  CCE-29            Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\State
CCE-8870-8        CCE-3166-6        (Not Applicable)  CCE-32            Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Private Profile Tab\State
CCE-9749-3        CCE-4507-0        (Not Applicable)  CCE-1165          Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging
CCE-9753-5        CCE-5128-4        (Not Applicable)  CCE-534           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging
CCE-9926-7        CCE-4639-1        (Not Applicable)  CCE-1263          Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging
CCE-10373-9       CCE-4278-8        (Not Applicable)  CCE-1313          Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Logging
CCE-9742-8        CCE-2998-3        (Not Applicable)  CCE-390           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Settings\Firewall settings
CCE-9817-8        CCE-3426-4        (Not Applicable)  CCE-437           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Settings\Rule merging
CCE-9786-5        CCE-2650-0        (Not Applicable)  CCE-421           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Settings\Rule merging
CCE-9773-3        CCE-2641-9        (Not Applicable)  CCE-414           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\Settings\Unicast response
CCE-9593-5        CCE-3246-6        (Not Applicable)  CCE-295           Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile Tab\State
CCE-9007-6   CCE-3263-1   (Not          CCE-338   Computer Configuration\Windows
                          Applicable)             Settings\Security Settings\Windows Firewall
                                                  with Advanced Security\Windows Firewall with
                                                  Advanced Security\Windows Firewall
                                                  Properties\Public Profile Tab\State

CCE-9588-5   CCE-3351-4   (Not          CCE-342   Computer Configuration\Windows
                          Applicable)             Settings\Security Settings\Windows Firewall
                                                  with Advanced Security\Windows Firewall with
                                                  Advanced Security\Windows Firewall
                                                  Properties\Public Profile Tab\State

CCE-18880-5 CCE-18891-2 CCE-18796-3               Control Panel\Programs and Features\Turn
                                                  Windows features on or off



CCE-18249-3 CCE-18279-0 CCE-18870-6               Control Panel\Programs and Features\Turn
                                                  Windows features on or off



CCE-18629-6 CCE-18624-7 CCE-18307-9               Control Panel\Programs and Features\Turn
                                                  Windows features on or off



CCE-18659-3 CCE-18129-7 (Not                      Control Panel\Programs and Features\Turn
                        Applicable)               Windows features on or off



CCE-18739-3 CCE-18284-0 (Not                      Control Panel\Programs and Features\Turn
                        Applicable)               Windows features on or off
CCE-18190-9 CCE-18700-5 (Not                           Control Panel\Programs and Features\Turn
                        Applicable)                    Windows features on or off



CCE-18300-4 CCE-18689-0 (Not                           Control Panel\Programs and Features\Turn
                        Applicable)                    Windows features on or off



(Not          CCE-5146-6, (Not           CCE-1227,     HKEY_LOCAL_MACHINE\SYSTEM\CurrentC
Applicable)   CCE-5036-9, Applicable)    CCE-1036,     ontrolSet\Services\tcpip6\Parameters\Disable
              CCE-4811-6                 CCE-1148      Components




CCE-10051-1 CCE-5043-5     CCE-2901-7    CCE-103       User Configuration\Administrative
                                                       Templates\Control Panel\Personalization



CCE-9958-0    CCE-5264-7   CCE-3170-8    CCE-54        User Configuration\Administrative
                                                       Templates\Control Panel\Personalization

CCE-9730-3    CCE-4290-3   CCE-4500-5    CCE-949       User Configuration\Administrative
                                                       Templates\Control Panel\Personalization


CCE-10148-5 CCE-3050-2     CCE-2980-1    CCE-830       User Configuration\Administrative
                                                       Templates\Control Panel\Personalization


CCE-10295-4 CCE-4851-2     (Not          (Not          User Configuration\Administrative
                           Applicable)   Applicable)   Templates\System\Internet Communication
                                                       Management\Internet Communication
                                                       Settings
CCE-10166-7 CCE-3437-1     CCE-4412-3    CCE-12        User Configuration\Administrative
                                                       Templates\Windows Components\Attachment
                                                       Manager

CCE-9684-2    CCE-2979-3   CCE-5042-7    CCE-58        User Configuration\Administrative
                                                       Templates\Windows Components\Attachment
                                                       Manager

CCE-10076-8 CCE-3300-1     CCE-5059-1    CCE-372       User Configuration\Administrative
                                                       Templates\Windows Components\Attachment
                                                       Manager
CCE-10644-3 CCE-5070-8   (Not          CCE-1144   User Configuration\Administrative
                         Applicable)              Templates\Windows Components\Network
                                                  Sharing
Policy Setting Name | Windows 7 (USGCB 1.2) | Windows Vista (USGCB 2.0) | Windows XP (USGCB 2.0)
Turn on Mapper I/O (LLTDIO) driver | Disabled | Disabled | (Not Applicable)
Turn on Responder (RSPNDR) driver | Disabled | Disabled | (Not Applicable)
Turn Off Microsoft Peer-to-Peer Networking Services | Enabled | Enabled | Enabled
Prohibit installation and configuration of Network Bridge on your DNS domain network | Enabled | Enabled | Enabled
Prohibit use of Internet Connection Firewall on your DNS domain network | (Not Applicable) | (Not Applicable) | Enabled
Prohibit use of Internet Connection Sharing on your DNS domain network | (Not Applicable) | (Not Applicable) | Enabled
Require domain users to elevate when setting a network's location | Enabled | (Not Applicable) | (Not Applicable)
Route all traffic through the internal network | Enabled: Enabled State | (Not Applicable) | (Not Applicable)
(Windows XP firewall, Domain Profile)
Windows Firewall: Allow file and printer sharing exception | (Not Applicable) | (Not Applicable) | Disabled
Windows Firewall: Allow ICMP exceptions | (Not Applicable) | (Not Applicable) | Enabled: Allow inbound echo requests
Windows Firewall: Allow local port exceptions | (Not Applicable) | (Not Applicable) | Disabled
Windows Firewall: Allow local program exceptions | (Not Applicable) | (Not Applicable) | Disabled
Windows Firewall: Allow logging | (Not Applicable) | (Not Applicable) | Enabled: Log dropped packets; Log successful connections; Log file path and name: %systemroot%\domainfw.log; Size limit: 16384
Windows Firewall: Allow remote administration exception | (Not Applicable) | (Not Applicable) | Enabled
Windows Firewall: Allow Remote Desktop exception | (Not Applicable) | (Not Applicable) | Enabled
Windows Firewall: Allow UPnP framework exception | (Not Applicable) | (Not Applicable) | Disabled
Windows Firewall: Prohibit notifications | (Not Applicable) | (Not Applicable) | Disabled
Windows Firewall: Prohibit unicast response to multicast or broadcast requests | (Not Applicable) | (Not Applicable) | Enabled
Windows Firewall: Protect all network connections | (Not Applicable) | (Not Applicable) | Enabled
(Windows XP firewall, Standard Profile)
Windows Firewall: Allow file and printer sharing exception | (Not Applicable) | (Not Applicable) | Disabled
Windows Firewall: Allow ICMP exceptions | (Not Applicable) | (Not Applicable) | Disabled
Windows Firewall: Allow local port exceptions | (Not Applicable) | (Not Applicable) | Disabled
Windows Firewall: Allow local program exceptions | (Not Applicable) | (Not Applicable) | Disabled
Windows Firewall: Allow remote administration exception | (Not Applicable) | (Not Applicable) | Disabled
Windows Firewall: Allow Remote Desktop exception | (Not Applicable) | (Not Applicable) | Disabled
Windows Firewall: Allow UPnP framework exception | (Not Applicable) | (Not Applicable) | Disabled
Windows Firewall: Do not allow exceptions | (Not Applicable) | (Not Applicable) | Enabled
Windows Firewall: Prohibit notifications | (Not Applicable) | (Not Applicable) | Disabled
Windows Firewall: Prohibit unicast response to multicast or broadcast requests | (Not Applicable) | (Not Applicable) | Enabled
Windows Firewall: Protect all network connections | (Not Applicable) | (Not Applicable) | Enabled
6to4 State | Enabled: Disabled State | (Not Applicable) | (Not Applicable)
IP-HTTPS State | Enabled: Disabled State | (Not Applicable) | (Not Applicable)
ISATAP State | Enabled: Disabled State | (Not Applicable) | (Not Applicable)
Teredo State | Enabled: Disabled State | (Not Applicable) | (Not Applicable)
Configuration of wireless settings using Windows Connect Now | Disabled | Disabled | (Not Applicable)
Prohibit Access of the Windows Connect Now wizards | Enabled | Enabled | (Not Applicable)
Extend Point and Print connection to search Windows Update | Disabled | (Not Applicable) | (Not Applicable)
Allow remote access to the Plug and Play interface | Disabled | Disabled | (Not Applicable)
Do not send a Windows Error Report when a generic driver is installed on a device | Enabled | Enabled | (Not Applicable)
Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point | Disabled | Disabled | (Not Applicable)
Prevent device metadata retrieval from the Internet | Enabled | (Not Applicable) | (Not Applicable)
Specify Search Order for device driver source locations | Enabled: Do not search Windows Update | (Not Applicable) | (Not Applicable)
Registry policy processing | Enabled: Process even if the Group Policy objects have not changed | Enabled: Process even if the Group Policy objects have not changed | Enabled: Process even if the Group Policy objects have not changed
Turn off downloading of print drivers over HTTP | Enabled | Enabled | Enabled
Turn off Event Viewer "Events.asp" links | Disabled | Disabled | Disabled
Turn off handwriting personalization data sharing | Enabled | (Not Applicable) | (Not Applicable)
Turn off handwriting recognition error reporting | Enabled | Enabled | (Not Applicable)
Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com | Enabled | Enabled | Enabled
Turn off Internet download for Web publishing and online ordering wizards | Enabled | Enabled | Enabled
Turn off Internet File Association service | Enabled | Enabled | Enabled
Turn off printing over HTTP | Enabled | Enabled | Enabled
Turn off Registration if URL connection is referring to Microsoft.com | Enabled | Enabled | Enabled
Turn off Search Companion content file updates | Enabled | Enabled | Enabled
Turn off the "Order Prints" picture task | Enabled | Enabled | Enabled
Turn off the "Publish to Web" task for files and folders | Enabled | Enabled | Enabled
Turn off the Windows Messenger Customer Experience Improvement Program | Enabled | Enabled | Enabled
Turn off Windows Error Reporting | Enabled | Enabled | Enabled
Always use classic logon | Enabled | Enabled | Enabled
Do not process the run once list | Enabled | Enabled | Enabled
Require a Password When a Computer Wakes (On Battery) | Enabled | Enabled | (Not Applicable)
Require a Password When a Computer Wakes (Plugged In) | Enabled | Enabled | (Not Applicable)
Specify the System Hibernate Timeout (On Battery) | Enabled: 3600 seconds | Enabled: 3600 seconds | (Not Applicable)
Specify the System Hibernate Timeout (Plugged In) | Enabled: 3600 seconds | Enabled: 3600 seconds | (Not Applicable)
Turn off the Display (On Battery) | Enabled: 1200 seconds | Enabled: 1200 seconds | (Not Applicable)
Turn off the Display (Plugged In) | Enabled: 1200 seconds | Enabled: 1200 seconds | (Not Applicable)
Offer Remote Assistance | Disabled | Disabled | Disabled
Solicited Remote Assistance | Disabled | Disabled | Disabled
Turn on session logging | Enabled | Enabled | (Not Applicable)
Restrictions for Unauthenticated RPC clients | Enabled: Authenticated | Enabled: Authenticated | Enabled: Authenticated
RPC Endpoint Mapper Client Authentication | Enabled | Enabled | Enabled
Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider | Disabled | (Not Applicable) | (Not Applicable)
Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS) | Disabled | (Not Applicable) | (Not Applicable)
Enable/Disable PerfTrack | Disabled | Disabled | (Not Applicable)
Configure Windows NTP Client | Local approved server, not "time.windows.com" | Local approved server, not "time.windows.com" | Local approved server, not "time.windows.com"
Configure Windows NTP Client\CrossSiteSyncFlags |  |  | 
Configure Windows NTP Client\EventLogFlags |  |  | 
Configure Windows NTP Client\NtpServer |  |  | 
Configure Windows NTP Client\ResolvePeerBackoffMaxTimes |  |  | 
Configure Windows NTP Client\ResolvePeerBackoffMinutes |  |  | 
Configure Windows NTP Client\SpecialPollInterval |  |  | 
Configure Windows NTP Client\Type |  |  | 
Turn off Program Inventory | Enabled | (Not Applicable) | (Not Applicable)
Default behavior for AutoRun | Enabled: Do not execute any autorun commands | Enabled: Do not execute any autorun commands | (Not Applicable)
Turn off Autoplay | Enabled: All drives | Enabled: All drives | (Not Applicable)
Turn off Autoplay for non-volume devices | Enabled | (Not Applicable) | (Not Applicable)
Enumerate administrator accounts on elevation | Disabled | Disabled | (Not Applicable)
Override the More Gadgets link | Enabled: about:blank | Enabled: about:blank | (Not Applicable)
Restrict unpacking and installation of gadgets that are not digitally signed | Enabled | Enabled | (Not Applicable)
Turn Off user-installed desktop gadgets | Enabled | Enabled | (Not Applicable)
Do not allow Digital Locker to run | Enabled | Enabled | (Not Applicable)
Maximum Log Size (KB) [Event Log Service\Application] | Enabled: 32768 | Enabled: 32768 | (Not Applicable)
Maximum Log Size (KB) [Event Log Service\Security] | Enabled: 81920 | Enabled: 81920 | (Not Applicable)
Maximum Log Size (KB) [Event Log Service\Setup] | Enabled: 32768 | Enabled: 32768 | (Not Applicable)
Maximum Log Size (KB) [Event Log Service\System] | Enabled: 32768 | Enabled: 32768 | (Not Applicable)
Turn off downloading of game information | Enabled | Enabled | (Not Applicable)
Turn off game updates | Enabled | Enabled | (Not Applicable)
Prevent the computer from joining a homegroup | Enabled | (Not Applicable) | (Not Applicable)
Turn on the Internet Connection Wizard Auto Detect | (Not Applicable) | (Not Applicable) | Disabled
Disable remote Desktop Sharing | Enabled | Enabled | Enabled
Do not allow passwords to be saved | Enabled | Enabled | Enabled
Allow users to connect remotely using Remote Desktop Services | Disabled | Disabled | Disabled
Always prompt for password upon connection | Enabled | Enabled | (Not Applicable)
Set client connection encryption level | Enabled: High Level | Enabled: High Level | Enabled: High Level
Set time limit for active but idle Remote Desktop Services sessions | Enabled: 15 minutes | Enabled: 15 minutes | Enabled: 15 minutes
Set time limit for disconnected sessions | Enabled: 1 minute | Enabled: 1 minute | Enabled: 1 minute
Do not delete temp folder upon exit | Disabled | Disabled | Disabled
Do not use temporary folders per session | Disabled | Disabled | Disabled
Turn off downloading of enclosures | Enabled | Enabled | Enabled
Allow indexing of encrypted files | Disabled | Disabled | (Not Applicable)
Enable indexing uncached Exchange folders | Disabled | Disabled | (Not Applicable)
Prevent Windows Anytime Upgrade from running | Enabled | (Not Applicable) | (Not Applicable)
Configure Microsoft Spynet Reporting | Disabled | Disabled | (Not Applicable)
Disable Logging | Disabled | Disabled | (Not Applicable)
Disable Windows Error Reporting | Enabled | Enabled | (Not Applicable)
Display Error Notification | Disabled | Disabled | (Not Applicable)
Do not send additional data | Enabled | Enabled | (Not Applicable)
Turn off Data Execution Prevention for Explorer | Disabled | (Not Applicable) | (Not Applicable)
Turn off heap termination on corruption | Disabled | Disabled | (Not Applicable)
Turn off shell protocol protected mode | Disabled | Disabled | Disabled
Disable IE security prompt for Windows Installer scripts | Disabled | Disabled | Disabled
Enable user control over installs | Disabled | Disabled | Disabled
Prohibit non-administrators from applying vendor signed updates | Enabled | Enabled | Enabled
Report when logon server was not available during user logon | Enabled | Enabled | (Not Applicable)
Turn off the communities features | Enabled | Enabled | (Not Applicable)
Turn off Windows Mail application | Enabled | Enabled | (Not Applicable)
Prevent Windows Media DRM Internet Access | Enabled | Enabled | (Not Applicable)
Do Not Show First Use Dialog Boxes | Enabled | Enabled | Enabled
Prevent Automatic Updates | Enabled | Enabled | Enabled
Configure Automatic Updates | Enabled: 3 - Auto download and notify for install | Enabled: 3 - Auto download and notify for install | Enabled: 3 - Auto download and notify for install
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box | Disabled | Disabled | Disabled
No auto-restart with logged on users for scheduled automatic updates installations | Disabled | Disabled | Disabled
Reschedule Automatic Updates scheduled installations | Enabled | Enabled | Enabled
Account lockout duration | 15 minutes | 15 minutes | 15 minutes
Account lockout threshold | 5 invalid logon attempts | 5 invalid logon attempts | 5 invalid logon attempts
Reset lockout counter after | 15 minutes | 15 minutes | 15 minutes
Enforce password history | 24 passwords remembered | 24 passwords remembered | 24 passwords remembered
Maximum password age | 60 days | 60 days | 60 days
Minimum password age | 1 day | 1 day | 1 day
Minimum password length | 12 characters | 12 characters | 12 characters
Password must meet complexity requirements | Enabled | Enabled | Enabled
Store passwords using reversible encryption | Disabled | Disabled | Disabled
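The password and lockout rows above are the same for all three platforms, and they are the values a reviewer most often has to confirm on a machine that claims to be USGCB-configured. The checker below is an added example, not part of the USGCB spreadsheet or NIST content: it parses the [System Access] section of a `secedit /export /cfg` file and reports every value that falls short of the baseline. The key names are the ones secedit writes; the sample INF is constructed for this example. The treatment of stricter-than-baseline values as passing (a longer lockout, a longer minimum length, `LockoutDuration = -1` meaning "until an administrator unlocks") is the example's own choice, as is accepting any renamed administrator or guest account rather than the literal `Renamed_Admin` / `Renamed_Guest` placeholders in the table.

```python
"""Check a secedit export against the USGCB password and account-lockout
values (identical for Windows 7, Vista and XP in the table above).

Added example, not part of the USGCB spreadsheet. Input is the
[System Access] section of the file written by
    secedit /export /cfg C:\\secpol.inf
Key names are the ones secedit writes; the sample INF below is constructed
for this example. Ages are in days, lockout timers in minutes.
"""

# Constructed sample: a workstation that misses most of the baseline.
SAMPLE_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
NewAdministratorName = "Administrator"
NewGuestName = "Renamed_Guest"
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
EnableAdminAccount = 0
EnableGuestAccount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""


def load_inf(path):
    """secedit writes UTF-16LE with a BOM; fall back to a single-byte code page."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")


def parse_inf(text):
    """Return {section: {key: value}}; quotes around string values are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


# The predicates encode the edge cases a plain "equals" check gets wrong:
# LockoutBadCount 0 means lockout is off, MaximumPasswordAge -1 means passwords
# never expire, LockoutDuration -1 means locked until an administrator unlocks
# (stricter than 15 minutes). A missing key fails: secedit omits
# LockoutDuration and ResetLockoutCount when lockout is off.
CHECKS = [
    ("LockoutBadCount",       lambda v: v is not None and 1 <= v <= 5,          "1-5 invalid attempts"),
    ("LockoutDuration",       lambda v: v is not None and (v == -1 or v >= 15), "15 minutes or more"),
    ("ResetLockoutCount",     lambda v: v is not None and v >= 15,              "15 minutes or more"),
    ("PasswordHistorySize",   lambda v: v is not None and v >= 24,              "24 passwords or more"),
    ("MaximumPasswordAge",    lambda v: v is not None and 1 <= v <= 60,         "1-60 days"),
    ("MinimumPasswordAge",    lambda v: v is not None and v >= 1,               "1 day or more"),
    ("MinimumPasswordLength", lambda v: v is not None and v >= 12,              "12 characters or more"),
    ("PasswordComplexity",    lambda v: v == 1,                                 "1 (complexity enabled)"),
    ("ClearTextPassword",     lambda v: v == 0,                                 "0 (no reversible encryption)"),
]
DEFAULT_NAMES = {"NewAdministratorName": "Administrator", "NewGuestName": "Guest"}


def check_system_access(system_access):
    """Return [(key, actual, expected)] for every baseline value not met."""
    findings = []
    for key, ok, expected in CHECKS:
        raw = system_access.get(key)
        actual = int(raw) if raw is not None else None
        if not ok(actual):
            findings.append((key, actual, expected))
    # Renamed_Admin / Renamed_Guest in the table are placeholders; this check
    # only requires that the built-in names have been changed.
    for key, default in DEFAULT_NAMES.items():
        actual = system_access.get(key, default)
        if actual == default:
            findings.append((key, actual, "renamed from the built-in default"))
    return findings


if __name__ == "__main__":
    policy = parse_inf(SAMPLE_INF)  # or parse_inf(load_inf(r"C:\secpol.inf"))
    for key, actual, expected in check_system_access(policy["System Access"]):
        print(f"FAIL {key}: {actual!r}, USGCB expects {expected}")
```

On the constructed sample this reports seven findings: lockout is off (and therefore duration and reset counter are absent), passwords never expire, the minimum age and length are too low, and the administrator account still carries its default name. The same `parse_inf` output also carries the [Event Audit] and [Registry Values] sections, so the legacy XP audit categories and several of the "Security Options" rows further down can be checked from the one export.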




Audit Credential Validation | Success and Failure | Success and Failure | (Not Applicable)
Audit Kerberos Authentication Service | No Auditing | No Auditing | (Not Applicable)
Audit Kerberos Service Ticket Operations | No Auditing | No Auditing | (Not Applicable)
Audit Other Account Logon Events | No Auditing | No Auditing | (Not Applicable)
Audit Application Group Management | No Auditing | No Auditing | (Not Applicable)
Audit Computer Account Management | Success and Failure | Success and Failure | (Not Applicable)
Audit Distribution Group Management | No Auditing | No Auditing | (Not Applicable)
Audit Other Account Management Events | Success and Failure | Success and Failure | (Not Applicable)
Audit Security Group Management | Success and Failure | Success and Failure | (Not Applicable)
Audit User Account Management | Success and Failure | Success and Failure | (Not Applicable)
Audit DPAPI Activity | No Auditing | No Auditing | (Not Applicable)
Audit Process Creation | Success | Success | (Not Applicable)
Audit Process Termination | No Auditing | No Auditing | (Not Applicable)
Audit RPC Events | No Auditing | No Auditing | (Not Applicable)
Audit Detailed Directory Service Replication | No Auditing | No Auditing | (Not Applicable)
Audit Directory Service Access | No Auditing | No Auditing | (Not Applicable)
Audit Directory Service Changes | No Auditing | No Auditing | (Not Applicable)
Audit Directory Service Replication | No Auditing | No Auditing | (Not Applicable)
Audit File System [Global Object Access Auditing] | No Auditing | No Auditing | (Not Applicable)
Audit Registry [Global Object Access Auditing] | No Auditing | No Auditing | (Not Applicable)
Audit Account Lockout | No Auditing | No Auditing | (Not Applicable)
Audit IPsec Extended Mode | No Auditing | No Auditing | (Not Applicable)
Audit IPsec Main Mode | No Auditing | No Auditing | (Not Applicable)
Audit IPsec Quick Mode | No Auditing | No Auditing | (Not Applicable)
Audit Logoff | Success | Success | (Not Applicable)
Audit Logon | Success and Failure | Success and Failure | (Not Applicable)
Audit Network Policy Server | No Auditing | No Auditing | (Not Applicable)
Audit Other Logon/Logoff Events | No Auditing | No Auditing | (Not Applicable)
Audit Special Logon | Success | Success | (Not Applicable)
Audit Application Generated | No Auditing | No Auditing | (Not Applicable)
Audit Certification Services | No Auditing | No Auditing | (Not Applicable)
Audit Detailed File Share | No Auditing | (Not Applicable) | (Not Applicable)
Audit File Share | No Auditing | No Auditing | (Not Applicable)
Audit File System | Failure | Failure | (Not Applicable)
Audit Filtering Platform Connection | No Auditing | No Auditing | (Not Applicable)
Audit Filtering Platform Packet Drop | No Auditing | No Auditing | (Not Applicable)
Audit Handle Manipulation | No Auditing | No Auditing | (Not Applicable)
Audit Kernel Object | No Auditing | No Auditing | (Not Applicable)
Audit Other Object Access Events | No Auditing | No Auditing | (Not Applicable)
Audit Registry | Failure | Failure | (Not Applicable)
Audit SAM | No Auditing | No Auditing | (Not Applicable)
Audit Audit Policy Change | Success and Failure | Success and Failure | (Not Applicable)
Audit Authentication Policy Change | Success | Success | (Not Applicable)
Audit Authorization Policy Change | No Auditing | No Auditing | (Not Applicable)
Audit Filtering Platform Policy Change | No Auditing | No Auditing | (Not Applicable)
Audit MPSSVC Rule-Level Policy Change | No Auditing | No Auditing | (Not Applicable)
Audit Other Policy Change Events | No Auditing | No Auditing | (Not Applicable)
Audit Non Sensitive Privilege Use | No Auditing | No Auditing | (Not Applicable)
Audit Other Privilege Use Events | No Auditing | No Auditing | (Not Applicable)
Audit Sensitive Privilege Use | Success and Failure | Success and Failure | (Not Applicable)
Audit IPsec Driver | Success and Failure | Success and Failure | (Not Applicable)
Audit Other System Events | No Auditing | No Auditing | (Not Applicable)
Audit Security State Change | Success and Failure | Success and Failure | (Not Applicable)
Audit Security System Extension | Success and Failure | Success and Failure | (Not Applicable)
Audit System Integrity | Success and Failure | Success and Failure | (Not Applicable)
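The subcategory values above only take effect when "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is Enabled, as the baseline requires; with that in place the effective policy on a host can be compared against the table from the CSV that `auditpol /get /category:* /r` produces. The checker below is an added example, not part of the USGCB spreadsheet or NIST content. It lists only the subcategories the Windows 7 column audits and expects "No Auditing" for every other subcategory, which is what the table specifies. Matching is by the English subcategory name; the GUIDs in the constructed sample are informational. Reporting extra auditing separately from missing auditing, rather than demanding an exact match, is the example's own choice.

```python
"""Compare `auditpol /get /category:* /r` output with the USGCB 1.2 (Windows 7)
advanced audit policy listed above.

Added example, not part of the USGCB spreadsheet. Only subcategories the
baseline audits are listed; every other subcategory is expected to be
"No Auditing", as in the table. Subcategories are matched by their English
display name, so export from an English system or map the names first.
The CSV sample below is constructed for this example.
"""
import csv
import io

SUCCESS, FAILURE = "Success", "Failure"

# USGCB 1.2 (Windows 7) values from the table; anything absent here: No Auditing.
USGCB_WIN7_AUDIT = {
    "Credential Validation": "Success and Failure",
    "Computer Account Management": "Success and Failure",
    "Other Account Management Events": "Success and Failure",
    "Security Group Management": "Success and Failure",
    "User Account Management": "Success and Failure",
    "Process Creation": "Success",
    "Logoff": "Success",
    "Logon": "Success and Failure",
    "Special Logon": "Success",
    "File System": "Failure",
    "Registry": "Failure",
    "Audit Policy Change": "Success and Failure",
    "Authentication Policy Change": "Success",
    "Sensitive Privilege Use": "Success and Failure",
    "IPsec Driver": "Success and Failure",
    "Security State Change": "Success and Failure",
    "Security System Extension": "Success and Failure",
    "System Integrity": "Success and Failure",
}

# Constructed sample of the /r CSV. Three rows deviate from the baseline:
# Logon lacks Failure, Process Creation is off, Account Lockout is on.
SAMPLE_AUDITPOL_CSV = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WIN7-LAB,System,Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030},Success and Failure,
WIN7-LAB,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},Success and Failure,
WIN7-LAB,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},Success and Failure,
WIN7-LAB,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},Success and Failure,
WIN7-LAB,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success,
WIN7-LAB,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},Success,
WIN7-LAB,System,Account Lockout,{0CCE9217-69AE-11D9-BED3-505054503030},Success,
WIN7-LAB,System,Special Logon,{0CCE921B-69AE-11D9-BED3-505054503030},Success,
WIN7-LAB,System,File System,{0CCE921D-69AE-11D9-BED3-505054503030},Failure,
WIN7-LAB,System,Registry,{0CCE921E-69AE-11D9-BED3-505054503030},Failure,
WIN7-LAB,System,Sensitive Privilege Use,{0CCE9228-69AE-11D9-BED3-505054503030},Success and Failure,
WIN7-LAB,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},No Auditing,
WIN7-LAB,System,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030},Success and Failure,
WIN7-LAB,System,Authentication Policy Change,{0CCE9230-69AE-11D9-BED3-505054503030},Success,
WIN7-LAB,System,User Account Management,{0CCE9235-69AE-11D9-BED3-505054503030},Success and Failure,
WIN7-LAB,System,Computer Account Management,{0CCE9236-69AE-11D9-BED3-505054503030},Success and Failure,
WIN7-LAB,System,Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030},Success and Failure,
WIN7-LAB,System,Other Account Management Events,{0CCE923A-69AE-11D9-BED3-505054503030},Success and Failure,
WIN7-LAB,System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},Success and Failure,
"""


def parse_setting(text):
    """'Success and Failure' -> {Success, Failure}; 'No Auditing' -> empty set."""
    return {part for part in (SUCCESS, FAILURE) if part in (text or "")}


def check_auditpol(csv_text):
    """Return (missing, extra). missing maps subcategory -> (expected, actual)
    where the host audits less than the baseline; extra maps subcategory ->
    the additional event types audited beyond it."""
    actual = {}
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        if row.get("Policy Target") == "System":  # skip per-user audit rows
            actual[row["Subcategory"].strip()] = parse_setting(row["Inclusion Setting"])
    missing, extra = {}, {}
    for name in sorted(set(actual) | set(USGCB_WIN7_AUDIT)):
        expected = parse_setting(USGCB_WIN7_AUDIT.get(name, "No Auditing"))
        got = actual.get(name, set())  # absent from the export: treated as No Auditing
        if not expected <= got:
            missing[name] = (expected, got)
        elif got - expected:
            extra[name] = got - expected
    return missing, extra


if __name__ == "__main__":
    # On a host: auditpol /get /category:* /r > audit.csv, then read that file.
    missing, extra = check_auditpol(SAMPLE_AUDITPOL_CSV)
    for name, (want, got) in missing.items():
        print(f"FAIL {name}: expected {sorted(want)}, got {sorted(got) or 'No Auditing'}")
    for name, more in extra.items():
        print(f"INFO {name}: audits {sorted(more)} beyond the baseline")
```

On the sample this flags Logon (Failure missing) and Process Creation (off) as failures and lists Account Lockout as auditing beyond the baseline. Missing Failure on Logon is the finding worth acting on first: without it, failed logons (event 4625) are not recorded and the account-lockout threshold above cannot be correlated with the attempts that triggered it.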




Maximum application log size | Not Defined | Not Defined | 16384 kilobytes
Maximum security log size | Not Defined | Not Defined | 81920 kilobytes
Maximum system log size | Not Defined | Not Defined | 16384 kilobytes
%SystemRoot%\System32\rcp.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\reg.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\regedt32.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\regedit.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\arp.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\at.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\attrib.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\cacls.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\debug.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\edlin.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\eventcreate.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\eventtriggers.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\mshta.exe | Not Configured | Not Configured | Administrators: Full; System: Full; Users: Read & Execute
%SystemRoot%\System32\net.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\net1.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\netsh.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\regini.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\regsvr32.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\rexec.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\route.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\rsh.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\sc.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\secedit.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\subst.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\systeminfo.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\tftp.exe | Not Configured | Not Configured | Administrators: Full; System: Full
%SystemRoot%\System32\tlntsvr.exe | Not Configured | Not Configured | Administrators: Full; System: Full
Audit account logon events | Not Defined | Not Defined | Success, Failure
Audit account management | Not Defined | Not Defined | Success, Failure
Audit directory service access | Not Defined | Not Defined | Failure
Audit logon events | Not Defined | Not Defined | Success, Failure
Audit object access | Not Defined | Not Defined | Failure
Audit policy change | Not Defined | Not Defined | Success
Audit privilege use | Not Defined | Not Defined | Failure
Audit process tracking | Not Defined | Not Defined | No Auditing
Audit system events | Not Defined | Not Defined | Success

Setting | Windows 7 | Windows Vista | Windows XP
Accounts: Administrator account status | Disabled | Disabled | Enabled
Accounts: Guest account status | Disabled | Disabled | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled | Enabled | Enabled
Accounts: Rename administrator account | Renamed_Admin | Renamed_Admin | Renamed_Admin
Accounts: Rename guest account | Renamed_Guest | Renamed_Guest | Renamed_Guest
Audit: Audit the access of global system objects | Disabled | Disabled | Disabled
Audit: Audit the use of Backup and Restore privilege | Disabled | Disabled | Disabled
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled | Enabled | (Not Applicable)
Devices: Prevent users from installing printer drivers | Disabled | Disabled | Disabled
Devices: Restrict CD-ROM access to locally logged-on user only | Disabled | Disabled | Disabled
Devices: Restrict floppy access to locally logged-on user only | Disabled | Disabled | Disabled
Devices: Unsigned driver installation behavior | (Not Applicable) | (Not Applicable) | Do not allow installation
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled | Enabled | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled | Enabled | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled | Enabled | Enabled
Domain member: Disable machine account password changes | Disabled | Disabled | Disabled
Domain member: Maximum machine account password age | 30 Days | 30 Days | 30 Days
Domain member: Require strong (Windows 2000 or later) session key | Enabled | Enabled | Enabled
Interactive logon: Do not display last user name | Enabled | Enabled | Enabled
Interactive logon: Do not require CTRL+ALT+DELETE | Disabled | Disabled | Disabled
Interactive logon: Message text for users attempting to logon | "This system is for the use of authorized users only. Individuals using this computer system without authority or in excess of their authority are subject to having all their activities on this system monitored and recorded by system personnel. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity system personnel may provide the evidence of such monitoring to law enforcement officials." | (same text) | (same text)
Interactive logon: Message title for users attempting to logon | -- WARNING -- | -- WARNING -- | -- WARNING --
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 2 | 2 | 2
Interactive logon: Prompt user to change password before expiration | 14 days | 14 days | 14 days
Interactive logon: Require Domain Controller authentication to unlock workstation | Disabled | Disabled | Disabled
Interactive logon: Smart card removal behavior | Lock Workstation | Lock Workstation | Lock Workstation
Microsoft network client: Digitally sign communications (always) | Enabled | Enabled | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled | Enabled | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled | Disabled | Disabled
Microsoft network server: Amount of idle time required before suspending session | 15 minutes | 15 minutes | 15 minutes
Microsoft network server: Digitally sign communications (always) | Enabled | Enabled | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled | Enabled | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled | Enabled | Enabled
Microsoft network server: Server SPN target name validation level | Accept if provided by client | (Not Applicable) | (Not Applicable)
MSS: (AutoAdminLogon) Enable Automatic Logon (Not Recommended) | Disabled | Disabled | Disabled
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) | Highest protection, source routing is completely disabled | Highest protection, source routing is completely disabled | (Not Applicable)
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | Highest Protection, source routing is automatically disabled. | Highest Protection, source routing is automatically disabled. | Highest Protection, source routing is automatically disabled.
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS) | (Not Applicable) | (Not Applicable) | Disabled
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled | Disabled | Disabled
MSS: (Hidden) Hide computer from the browse list (Not Recommended except for highly secure environments) | Enabled | Enabled | Not defined
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds | 300000 or 5 minutes (recommended) | 300000 or 5 minutes (recommended) | 300000 or 5 minutes (recommended)
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic | Multicast, Broadcast, and ISAKMP are exempt (Best for Windows XP) | Multicast, Broadcast, and ISAKMP are exempt (Best for Windows XP) | Multicast, Broadcast, and ISAKMP are exempt (Best for Windows XP)
MSS: (NoDriveTypeAutoRun) Disable Autorun for all drives (recommended) | Not Defined | Not Defined | 255, disable autorun for all drives
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled | Enabled | Enabled
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure DefaultGateway addresses (could lead to DoS) | Disabled | Disabled | Disabled
MSS: (SafeDLLSearchMode) Enable safe DLL search mode (Recommended) | Enabled | Enabled | Enabled
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 Recommended) | 5 | 5 | 5
MSS: (SynAttackProtect) Syn attack protection level (protects against DoS) | (Not Applicable) | (Not Applicable) | Enabled: Connections timeout sooner if a SYN attack is detected
MSS: (TCPMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged | (Not Applicable) | (Not Applicable) | Enabled: 3 & 6 seconds, half-open connections dropped after 21 seconds
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) | 3 | 3 | (Not Applicable)
MSS: (TCPMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 Recommended, 5 is Default) | Enabled: 3 | Enabled: 3 | Enabled: 3
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning | 90% | 90% | 90%
Network access: Allow anonymous SID/Name translation | Disabled | Disabled | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled | Enabled | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled | Enabled | Enabled
Network access: Do not allow storage of passwords and credentials for network authentication | Enabled | Enabled | Enabled
Network access: Let Everyone permissions apply to anonymous users | Disabled | Disabled | Disabled
Network access: Named Pipes that can be accessed anonymously | (None) | netlogon, lsarpc, samr, browser | COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, browser
Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion | System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion | (Not Applicable)
Network access: Remotely accessible registry paths and subpaths | System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows | System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows | System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Control\Server Applications, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled | Enabled | (Not Applicable)
Network access: Shares that can be accessed anonymously | (None) | (None) | COMCFG, DFS$
Network access: Sharing and security model for local accounts | Classic - Local users authenticate as themselves | Classic - Local users authenticate as themselves | Classic - Local users authenticate as themselves
Network security: Allow Local System to use computer identity for NTLM | Enabled | (Not Applicable) | (Not Applicable)
Network security: Allow LocalSystem NULL session fallback | Disabled | (Not Applicable) | (Not Applicable)
Network Security: Allow PKU2U authentication requests to the computer to use online identities | Disabled | (Not Applicable) | (Not Applicable)
Network Security: Configure encryption types allowed for Kerberos | Enabled: RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future Encryption Types | (Not Applicable) | (Not Applicable)
Network security: Do not store LAN Manager hash value on next password change | Enabled | Enabled | Enabled
Network security: Force logoff when logon hours expire | Enabled | Enabled | Enabled
Network security: LAN Manager authentication level | Send NTLMv2 Response only. Refuse LM and NTLM | Send NTLMv2 Response only. Refuse LM and NTLM | Send NTLMv2 Response only. Refuse LM and NTLM
Network security: LDAP client signing requirements | Negotiate Signing | Negotiate Signing | Negotiate Signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Require NTLMv2 session security, Require 128 bit encryption | Require NTLMv2 session security, Require 128 bit encryption | Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Require NTLMv2 session security, Require 128 bit encryption | Require NTLMv2 session security, Require 128 bit encryption | Require message integrity, Require message confidentiality, Require NTLMv2 session security, Require 128-bit encryption
Recovery console: Allow automatic administrative logon | Disabled | Disabled | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Disabled | Disabled | Disabled
Shutdown: Allow system to be shut down without having to log on | Enabled | Enabled | Enabled
Shutdown: Clear virtual memory pagefile | Disabled | Disabled | Disabled
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Enabled | Enabled | Enabled
System objects: Default owner for objects created by members of the Administrators group | (Not Applicable) | Not Defined | Object Creator
System objects: Require case insensitivity for non-Windows subsystems | Enabled | Enabled | Enabled
System objects: Strengthen default permissions of internal system objects (e.g., Symbolic Links) | Enabled | Enabled | Enabled
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled | Enabled | (Not Applicable)
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled | Disabled | (Not Applicable)
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent | Prompt for consent | (Not Applicable)
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials on the secure desktop | Prompt for credentials | (Not Applicable)
User Account Control: Detect application installations and prompt for elevation | Enabled | Enabled | (Not Applicable)
User Account Control: Only elevate executables that are signed and validated | Disabled | Disabled | (Not Applicable)
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled | Enabled | (Not Applicable)
User Account Control: Run all administrators in Admin Approval Mode | Enabled | Enabled | (Not Applicable)
User Account Control: Switch to the secure desktop when prompting for elevation | Enabled | Enabled | (Not Applicable)
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled | Enabled | (Not Applicable)

Setting | Windows 7 | Windows Vista | Windows XP
Access this computer from the network | Administrators | Administrators | Administrators
Act as part of the operating system | (None) | (None) | (None)
Adjust memory quotas for a process | Administrators, Local Service, Network Service | Administrators, Local Service, Network Service | Administrators, Local Service, Network Service
Allow log on locally | Administrators, Users | Administrators, Users | Administrators, Users
Allow log on through Remote Desktop Services | Administrators, Remote Desktop Users | Administrators, Remote Desktop Users | Administrators, Remote Desktop Users
Backup files and directories | Administrators | Administrators | Administrators
Bypass traverse checking | Administrators, Users, Local Service, Network Service | Administrators, Users, Local Service, Network Service | Administrators, Users
Change the system time | LOCAL SERVICE, Administrators | LOCAL SERVICE, Administrators | Administrators
Change the time zone | Local Service, Administrators, Users | Local Service, Administrators, Users | (Not Applicable)
Create a pagefile | Administrators | Administrators | Administrators
Create a token object | (None) | (None) | (None)
Create global objects | Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE | Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE | Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE
Create permanent shared objects | (None) | (None) | (None)
Create Symbolic Links | Administrators | Administrators | (Not Applicable)
Debug programs | Administrators | Administrators | Administrators
Deny access to this computer from the network | Guests | Guests | Guests, Support_388945a0
Deny log on as a batch job | Guests | Guests | Guests, Support_388945a0
Deny log on as a service | (None) | (None) | (None)
Deny log on locally | Guests | Guests | Guests, Support_388945a0
Deny log on through Remote Desktop Services | Guests | Guests | Guests
Force shutdown from a remote system | Administrators | Administrators | Administrators
Generate security audits | Network Service, Local Service | Network Service, Local Service | Network Service, Local Service
Impersonate a client after authentication | Administrators, SERVICE, Local Service, Network Service | Administrators, SERVICE, Local Service, Network Service | SERVICE, Administrators
Increase a process working set | Administrators, Local Service | Administrators, Local Service | (Not Applicable)
Increase scheduling priority | Administrators | Administrators | Administrators
Load and unload device drivers | Administrators | Administrators | Administrators
Lock pages in memory | (None) | (None) | (None)
Log on as a batch job | (None) | (None) | (None)
Log on as a service | (None) | (None) | NETWORK SERVICE, LOCAL SERVICE
Manage auditing and security log | Administrators | Administrators | Administrators
Modify an object label | (None) | (None) | (Not Applicable)
Modify firmware environment values | Administrators | Administrators | Administrators
Perform volume maintenance tasks | Administrators | Administrators | Administrators
Profile single process | Administrators | Administrators | Administrators
Profile system performance | Administrators, NT SERVICE\WdiServiceHost | Administrators | Administrators
Remove computer from docking station | Administrators, Users | Administrators, Users | Administrators, Users
Replace a process level token | Network Service, Local Service | Network Service, Local Service | Network Service, Local Service
Restore files and directories | Administrators | Administrators | Administrators
Shut down the system | Administrators, Users | Administrators, Users | Administrators, Users
Take ownership of files or other objects | Administrators | Administrators | Administrators

Setting | Windows 7 | Windows Vista | Windows XP
Alerter | (Not Applicable) | (Not Applicable) | Disabled
Background Intelligent Transfer Service | Not Defined | Not Defined | Manual
Bluetooth Support Service | Disabled | (Not Applicable) | (Not Applicable)
ClipBook | (Not Applicable) | (Not Applicable) | Disabled
Computer Browser | Not Defined | Not Defined | Disabled
Error Reporting Service | Not Defined | Not Defined | Disabled
Fast User Switching Compatibility | (Not Applicable) | (Not Applicable) | Disabled
Fax | Disabled | Disabled | Disabled
FTP Publishing Service | Not Defined | Not Defined | Disabled
HomeGroup Listener | Disabled | (Not Applicable) | (Not Applicable)
HomeGroup Provider | Disabled | (Not Applicable) | (Not Applicable)
Indexing Service | (Not Applicable) | (Not Applicable) | Disabled
Media Center Extender Service | Disabled | (Not Applicable) | (Not Applicable)
Messenger | (Not Applicable) | (Not Applicable) | Disabled
NetMeeting Remote Desktop Sharing | (Not Applicable) | (Not Applicable) | Disabled
Network DDE | (Not Applicable) | (Not Applicable) | Disabled
Network DDE DSDM | (Not Applicable) | (Not Applicable) | Disabled
Parental Controls | Disabled | (Not Applicable) | (Not Applicable)
Routing and Remote Access | Not Defined | Not Defined | Disabled
SSDP Discovery Service | Not Defined | Not Defined | Disabled
Telnet | Not Defined | Not Defined | Disabled
Terminal Services | Not Defined | Not Defined | Manual
Universal Plug and Play Device Host | Not Defined | Not Defined | Disabled
WebClient | Not Defined | Not Defined | Disabled
Wireless Zero Configuration | Not Defined | Not Defined | Disabled
WMI Performance Adapter | Not Defined | Not Defined | Manual
World Wide Web Publishing Service | Not Defined | Not Defined | Disabled

Setting | Windows 7 | Windows Vista | Windows XP
Core Networking - Dynamic Host Configuration Protocol (DHCP-In) | Enabled - yes | Enabled - yes | (Not Applicable)
Core Networking - Dynamic Host Configuration Protocol (DHCPV6-In) | Enabled - yes | (Not Applicable) | (Not Applicable)
IPv6 Block of Protocols 41 | (Not Applicable) | General: Enabled and Block the connections; Programs and Services: All programs that meet the specified conditions; Protocols and Ports: Protocols type IPv6; Scope: Any IP addresses; Advanced: All profiles | (Not Applicable)
IPv6 Block of UDP 3544 | (Not Applicable) | General: Enabled and Block the connections; Programs and Services: All programs that meet the specified conditions; Protocols and Ports: Protocols type UDP, Local port 3544, Remote port All Ports; Scope: Any IP addresses; Advanced: All profiles | (Not Applicable)
Log dropped packets | Yes | Yes | (Not Applicable)
Logged successful connections | Yes | Yes | (Not Applicable)
Name | %windir%\system32\logfiles\firewall\domainfirewall.log | %windir%\system32\logfiles\firewall\domainfirewall | (Not Applicable)
Size limit (KB) | 16,384 | 16,384 | (Not Applicable)
Display a notification | Yes (default) | Yes (default) | (Not Applicable)
Apply local connection security rules | No | No | (Not Applicable)
Apply local firewall rules | No | No | (Not Applicable)
Allow unicast response | No | No | (Not Applicable)
Firewall State | On (recommended) | On (recommended) | (Not Applicable)
Inbound connections | Block (default) | Block (default) | (Not Applicable)
Outbound connections | Allow (default) | Allow (default) | (Not Applicable)
Log dropped packets | Yes | Yes | (Not Applicable)
Logged successful connections | Yes | Yes | (Not Applicable)
Name | %windir%\system32\logfiles\firewall\privatefirewall.log | %windir%\system32\logfiles\firewall\privatefirewall | (Not Applicable)
Size limit (KB) | 16,384 | 16,384 | (Not Applicable)
Display a notification | Yes (default) | Yes (default) | (Not Applicable)
Apply local connection security rules | No | No | (Not Applicable)
Apply local firewall rules | No | No | (Not Applicable)
Allow unicast response | No | No | (Not Applicable)
Firewall State | On (recommended) | On (recommended) | (Not Applicable)
Inbound connections | Block (default) | Block (default) | (Not Applicable)
Outbound connections | Allow (default) | Allow (default) | (Not Applicable)
Log dropped packets | Yes | Yes | (Not Applicable)
Logged successful connections | Yes | Yes | (Not Applicable)
Name | %windir%\system32\logfiles\firewall\publicfirewall.log | %windir%\system32\logfiles\firewall\publicfirewall | (Not Applicable)
Size limit (KB) | 16,384 | 16,384 | (Not Applicable)
Display a notification | Yes (default) | Yes (default) | (Not Applicable)
Apply local connection security rules | No | No | (Not Applicable)
Apply local firewall rules | No | No | (Not Applicable)
Allow unicast response | No | No | (Not Applicable)
Firewall State | On (recommended) | On (recommended) | (Not Applicable)
Inbound connections | Block (default) | Block (default) | (Not Applicable)
Outbound connections | Allow (default) | Allow (default) | (Not Applicable)
Games                    Not Installed     Not Installed     Not Installed




Internet Information     Not Installed     Not Installed     Not Installed
Services



SimpleTCP Services       Not Installed     Not Installed     Not Installed




Telnet Client            Not Installed     Not Installed     (Not Applicable)




Telnet Server            Not Installed     Not Installed     (Not Applicable)
TFTP Client              Not Installed     Not Installed   (Not Applicable)




Windows Media Center     Not Installed     Not Installed   (Not Applicable)




Disable ISATAP, Teredo, (Not Applicable)   0x1             (Not Applicable)
and 6to4 tunneling
protocols




Enable screen saver      Enabled           Enabled         Enabled




Force specific screen    Not Defined       Not Defined     Not Defined
saver

Password protect the     Enabled           Enabled         Enabled
screen saver


Screen Saver timeout     Enabled:900       Enabled:900     Enabled:900
                         seconds           seconds         seconds


Turn off Help Ratings    Enabled           Enabled         (Not Applicable)



Do not preserve zone     Disabled          Disabled        Disabled
information in file
attachments

Hide mechanisms to      Enabled            Enabled         Enabled
remove zone information


Notify antivirus programs Enabled          Enabled         Enabled
when opening
attachments
Prevent users from           Enabled   Enabled   (Not Applicable)
sharing files within their
profile.
Rationale | Impact | Category | 800-53 Mapping
To prevent network traffic driven by the Link-Layer Topology Discovery feature. | The computer will not be able to discover the network topology or make Quality-of-Service requests. | | CM-6 CM-7
To prevent the computer from responding to Link-Layer Topology Discovery requests. | The computer will not be able to support Link-Layer Topology Discovery requests. | | CM-6 CM-7
To prevent users from utilizing the P2P features included with Windows. | Users will not be able to join P2P networks based on the P2P services available in Windows. | | CM-3 CM-7
To prevent the computer from forwarding internal traffic to other networks. | The computer will not be able to act as a layer 2 network bridge while connected to the corporate network. | | SC-7 SC-22
Prohibits use of Internet Connection Firewall on your DNS domain network. Determines whether users can enable the Internet Connection Firewall feature on a connection, and if the Internet Connection Firewall service can run on a computer. Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. | If you enable this setting, Internet Connection Firewall cannot be enabled or configured by users (including administrators), and the Internet Connection Firewall service cannot run on the computer. The option to enable the Internet Connection Firewall through the Advanced tab is removed. In addition, the Internet Connection Firewall is not enabled for remote access connections created through the Make New Connection Wizard. The Network Setup Wizard is disabled. | |
Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer. Important: This setting is location aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed, this setting does not apply. | If you enable this setting, ICS cannot be enabled or configured by administrators, and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New Connection Wizard. The Network Setup Wizard is disabled. | |
To minimize the risk of users specifying the work location when connected to public networks, because the public network is associated with the public firewall profile, which has more restrictive settings than the domain firewall profile. | Unprivileged users will not be able to change the network location. | | AC-2
To force all traffic from computers connected to the corporate network via a VPN to traverse the corporate network. This will ensure that the traffic can be managed and monitored. | Remote users will have slower response times and possibly less available bandwidth when connecting to servers located on the Internet. This setting will also increase the burden on VPN servers. | | AC-4
To minimize the risk of an attacker using any of the affected protocols to exploit the computer. | The ports for file and printer sharing are not opened. The shared files and printers on the computer will not be available from other computers. | |
The Windows Firewall: Allow ICMP exceptions setting allows you to configure specific types of ICMP messages as excepted traffic. | When Enabled, the specified unsolicited incoming ICMP traffic is allowed. When you select Enabled, you must also specify the specific types of ICMP messages that are allowed. Selecting Enabled overrides the local ICMP settings of Windows Firewall. | |
To prevent users with administrative privileges from creating local rules that may lower the security of the firewall. | Local administrators cannot add port exceptions. | |
To prevent users with administrative privileges from creating local rules that may lower the security of the firewall. | Local administrators cannot add program exceptions. | |
To facilitate determination of the root cause of system problems or to detect unauthorized activities. | Logging is enabled with the specified log file settings. | |
To allow remote administration when the computer is connected to the corporate network. | Windows Firewall allows the computer to receive the unsolicited incoming messages associated with remote administration. In Allow unsolicited incoming messages from, type * to specify traffic originating from any source IPv4 address or a comma-separated list of sources. The sources can be LocalSubnet to specify traffic originating from a directly reachable IPv4 address, or one or more IPv4 addresses or IPv4 address ranges separated by commas. | |
To allow RDP when the computer is connected to the corporate network. | Remote Desktop connections are allowed. TCP port 3389 is opened. In Allow unsolicited incoming messages from, type * to specify Remote Desktop traffic originating from any source IPv4 address or a comma-separated list of sources. | |
To minimize the risk of an attacker using UPnP traffic to deliver malicious payloads. | The ports for UPnP traffic are not opened, which prevents the computer from receiving unsolicited incoming UPnP messages. Local administrators cannot configure the pre-defined UPnP Framework exception. | |
To alert the user of applications that attempt to open inbound network ports. | Users will see a notification when a program is blocked from receiving inbound connections in this firewall profile. | |
To minimize the risk of an attacker using broadcast or multicast traffic to deliver malicious payloads. | The unicast response to a multicast or broadcast packet sent by the computer is dropped. This setting has no effect if the unicast message is a response to a DHCP broadcast message sent by the computer. Windows Firewall always permits DHCP unicast responses. | |
To ensure that the firewall is actively protecting the computer from network attacks. | Windows Firewall is enabled to protect all network connections and local administrators cannot enable or disable Windows Firewall locally. The Prohibit use of Internet Connection Firewall on your DNS domain network Group Policy setting is ignored. | |
To minimize the risk of an attacker using any of the affected protocols to exploit the computer. | The ports for file and printer sharing are not opened. The shared files and printers on the computer will not be available from other computers. | |
To minimize the risk of an attacker using the ICMP protocol to exploit the computer. | No unsolicited incoming ICMP traffic is allowed. Local administrators cannot define ICMP exceptions. | |
To prevent users with administrative privileges from creating local rules that may lower the security of the firewall. | Local administrators cannot add port exceptions. | |
To prevent users with administrative privileges from creating local rules that may lower the security of the firewall. | Local administrators cannot add program exceptions. | |
To minimize the risk of an attacker using any of the affected protocols to exploit the computer. | The Windows Firewall: Allow remote administration exception setting allows you to specify whether computers running Windows XP with SP2 can be remotely administered by applications that use TCP ports 135 and 445 (such as MMC and WMI). Services that use these ports to communicate are using remote procedure calls (RPC) and Distributed Component Object Model (DCOM) to access remote hosts. In effect, Windows Firewall adds Svchost.exe and Lsass.exe to the program exceptions list and allows those services to open additional, dynamically assigned ports, typically in the range of 1024 to 1034. Windows Firewall also allows incoming ICMP Echo messages (also known as ICMP Echo Request messages). | |
To minimize the risk of an attacker using RDP to exploit the computer. | Remote Desktop connections are not allowed. Local administrators cannot configure the pre-defined Remote Desktop exception. | |
To minimize the risk of an attacker using UPnP traffic to deliver malicious payloads. | The ports for UPnP traffic are not opened, which prevents the computer from receiving unsolicited incoming UPnP messages. Local administrators cannot configure the pre-defined UPnP Framework exception. | |
To prevent users with administrative privileges from creating local rules that may lower the security of the firewall. | Local administrators cannot add exceptions. | |
To alert the user of applications that attempt to open inbound network ports. | Users will see a notification when a program is blocked from receiving inbound connections in this firewall profile. | |
To minimize the risk of an attacker using broadcast or multicast traffic to deliver malicious payloads. | The unicast response to a multicast or broadcast packet sent by the computer is dropped. This setting has no effect if the unicast message is a response to a DHCP broadcast message sent by the computer. Windows Firewall always permits DHCP unicast responses. | |
To ensure that the firewall is actively protecting the computer from network attacks. | Windows Firewall is enabled to protect all network connections and local administrators cannot enable or disable Windows Firewall locally. The Prohibit use of Internet Connection Firewall on your DNS domain network Group Policy setting is ignored. | |
To lower the risk of exposing computers to other networks. The IPv6 transitional technologies open network tunnels that agencies may not be able to fully monitor. | The IPv6 transitional technology 6to4 will be blocked. Agencies that are using IPv6 and require this technology may change the value of this setting; since the current SCAP content does not support this sort of conditional logic, agencies will have to track this setting as a deviation. | Conditional | SC-7
To lower the risk of exposing computers to other networks. The IPv6 transitional technologies open network tunnels that agencies may not be able to fully monitor. | IP-HTTPS interfaces will be disabled. Agencies that are using IPv6 and require this technology may change the value of this setting; since the current SCAP content does not support this sort of conditional logic, agencies will have to track this setting as a deviation. | Conditional | CM-6
To lower the risk of exposing computers to other networks. The IPv6 transitional technologies open network tunnels that agencies may not be able to fully monitor. | The ISATAP transitional technology Teredo will be blocked. Agencies that are using IPv6 and require this technology may change the value of this setting; since the current SCAP content does not support this sort of conditional logic, agencies will have to track this setting as a deviation. | Conditional | CM-6 CM-7 SI-4 SC-9
To lower the risk of exposing computers to other networks. The IPv6 transitional technologies open network tunnels that agencies may not be able to fully monitor. | The IPv6 transitional technology Teredo will be blocked. Agencies that are using IPv6 and require this technology may change the value of this setting; since the current SCAP content does not support this sort of conditional logic, agencies will have to track this setting as a deviation. | Conditional | SC-8
To prevent the computer from automatically allowing Universal Plug 'n Play network devices to connect to the computer. | Universal Plug 'n Play over 802.11 Wi-Fi will be disabled. | | AC-17
To prevent the computer from automatically allowing Universal Plug and Play network devices to connect to the computer. | Windows Connect Now wizards will not appear. | | CM-6 CM-7
To prevent the computer from connecting to Windows Update when searching for device drivers. | The computer will not search Windows Update for Point and Print printer drivers. | | SI-2
To prevent the computer from allowing remote connections to the Plug and Play interface. | Remote connections to the Plug and Play interface will be blocked. | | AC-3 CM-6 AC-17
To lower the risk of a user unknowingly exposing sensitive data. | Windows error reports will not be sent to Microsoft when a generic driver is installed. | | SI-2 SI-11
To increase the reliability of the computer; restore points make it easier to revert Windows to a previous state if a new device driver fails to operate as expected. | Windows will create a system restore point during certain driver activity, such as when installing an unsigned driver. | | CM-6
To lower the risk of a user unknowingly exposing sensitive data and to facilitate centralized management of the computer. | Windows will not retrieve device metadata for installed devices from the Internet. | | CM-6
To lower the risk of an administrator unknowingly installing a device driver from Windows Update. | Windows will not include Windows Update when searching for device drivers. | | CM-6
To ensure that any unauthorized configuration changes made locally are overwritten by the centrally managed group policies. | Group Policies will be reapplied every time they are refreshed, which could have a slight impact on performance. | | CM-2
To minimize the risk of users downloading drivers that include malicious code. | The computer will not be able to download drivers from printers via HTTP; however, this policy setting does not prevent the computer from sending print jobs via HTTP. | | CM-3
To enable authorized users to view additional information about events in the event logs. | Event description URL links will be active and the "More Information" text will be displayed in the description. | | CM-3
To prevent the computer from sharing handwriting samples with Microsoft. | Handwriting samples will not be sent to Microsoft. | | SI-2 SI-11
To lower the risk of a user unknowingly exposing sensitive data. | Windows error reports about handwriting recognition will not be sent to Microsoft. | | SI-2 SI-11
To lower the risk of a user unknowingly exposing sensitive data. | Users will not be able to retrieve the list of Internet Service Providers located on Microsoft servers. | | CM-3
To lower the risk of a user downloading malicious code. | Windows will not download the list of providers from Microsoft servers; only the service providers cached in the local registry will be displayed. | | CM-3
To lower the risk of a user unknowingly exposing sensitive data. | Windows will not display the link and dialog box for using the Web service for resolving unhandled file associations. | | CM-3
To lower the risk of a user unknowingly exposing sensitive data, since information transmitted via HTTP is not encrypted. | The computer will not be able to print to Internet printers via HTTP. This setting does not prevent the computer from acting as a print server and making its shared printers available over HTTP. | | CM-3
To lower the risk of a user unknowingly exposing sensitive data. | Users will not be able to connect to Microsoft.com for online registration. | | CM-6
There is a low risk that users will unknowingly expose sensitive data; users can still use Internet search engines to submit searches. | Search Companion will not download content updates during searches. | | CM-6 CM-5
To lower the risk of a user unknowingly exposing sensitive data. | The "Order Prints Online" task will no longer appear in the list of tasks associated with pictures in Windows Explorer. | | CM-6
To lower the risk of a user unknowingly exposing sensitive data. | The Web publishing tasks will no longer appear in the list of tasks in Windows Explorer. | | CM-6
To lower the risk of a user unknowingly exposing sensitive data. | This data, which Microsoft uses to identify software flaws, will not be sent to Microsoft. | | SC-7
To lower the risk of a user unknowingly exposing sensitive data. | Windows error reports will not be sent to Microsoft. Agencies that use an internal error reporting server may configure this setting differently; since the current SCAP content does not support this sort of conditional logic, agencies will have to track this setting as a deviation. | Conditional | SI-2 SI-11
To prevent the display of the account names of users that can log onto the computer. | Windows will not display the simple logon screen. | | AC-11 CM-6 CM-7
To prevent malicious software or users from using the run once list to install software. | Installation programs that rely on the run once list will not install correctly. | | AC-2 CM-6
To ensure that anyone who wakes an unattended computer will have to enter their credentials before they can access it. | Users will be prompted to enter their logon credentials when the computer resumes from sleep. | | IA-5
To ensure that anyone who wakes an unattended computer will have to enter their credentials before they can access it. | Users will be prompted to enter their logon credentials when the computer resumes from sleep. | | IA-5
In support of administration efforts to reduce the use of electricity by inactive computers. | The computer will sleep after 60 minutes of inactivity. This setting may impact the ability of enterprise management tools to push patches and configuration changes to managed computers; therefore organizations should research the power management features of Windows and the capabilities of their management tools to leverage Wake-on-LAN and other features to remotely administer computers. | | CM-6
In support of administration efforts to reduce the use of electricity by inactive computers. | The computer will sleep after 60 minutes of inactivity. This setting may impact the ability of enterprise management tools to push patches and configuration changes to managed computers; therefore organizations should research the power management features of Windows and the capabilities of their management tools to leverage Wake-on-LAN and other features to remotely administer computers. | | CM-6
In support of administration efforts to reduce the use of electricity by inactive computers. | The display will turn off after 20 minutes of inactivity. | | CM-6
In support of administration efforts to reduce the use of electricity by inactive computers. | The display will turn off after 20 minutes of inactivity. | | CM-6
To prevent users from accepting unsolicited Remote Assistance offers from malicious users. | Support staff will be unable to offer remote assistance to help users resolve issues. Agencies that wish to use Remote Assistance to support users may change the value of this setting; since the current SCAP content does not support this sort of conditional logic, agencies will have to track this setting as a deviation. | Conditional | AC-17
To lower the risk of a malicious user accessing another user's session. This risk is low since the user will be prompted to accept or deny the assistance before the connection is completed. | Users will not be able to use email, instant messaging, or file transfers to ask for help via Remote Assistance. Agencies that wish to use Remote Assistance to support users may change the value of this setting; since the current SCAP content does not support this sort of conditional logic, agencies will have to track this setting as a deviation. | Conditional | CM-6
To ensure that any Remote Assistance sessions are logged. | Log files will be recorded for Remote Assistance. | | AU-2
To prevent unauthenticated RPC communications. | RPC applications that require unauthenticated inbound connection requests will fail. | | CM-6
To lower the risk of a user unknowingly exposing sensitive data. | RPC clients will have to authenticate in order to connect to RPC services on the computer; RPC clients that require unauthenticated inbound connection requests will fail. | | CM-6
To lower the risk of a user unknowingly exposing sensitive data. | MSDT will not collect or send data to the support provider. | | SC-7
To lower the risk of a user unknowingly exposing sensitive data. | Only locally stored troubleshooting content will be available on the computer. | | CM-6 SC-28
To lower the risk of the system exposing sensitive data. | Responsiveness events will not be processed. | | CM-6 CM-7
To ensure that the system clock is synchronized with the organization's designated time server. | The system will synchronize its clock with the specified time server. Agencies that use a different method to synchronize time on their network may configure a different value for this policy; since the current SCAP content does not support this sort of conditional logic, agencies will have to track this setting as a deviation. | |


| | | CM-6 CM-7 AU-8
| | | CM-6 CM-7 AU-8
| | | CM-6 CM-7 AU-8
| | | CM-6 CM-7 AU-8
| | | CM-6 CM-7 AU-8
| | | CM-6 CM-7 AU-8
| | | CM-6 CM-7 AU-8

Rationale: To lower the risk of the system exposing sensitive data.
Impact: Inventory collection will be turned off and no data will be sent to Microsoft.
800-53: CM-6

Rationale: To prevent malicious software from launching automatically when removable media is attached to the system.
Impact: Autorun will be completely disabled and users will have to manually launch installation programs stored on removable media such as CDs and DVDs.
800-53: CM-7 AC-19

Rationale: To prevent malicious software from launching automatically when removable media is attached to the system.
Impact: Users will have to manually launch installation programs stored on removable media such as CDs and DVDs.
800-53: CM-6 CM-7

Rationale: To prevent malicious software from launching automatically when a non-volume device is attached to the system.
Impact: Autoplay will be disabled on non-volume devices such as Media Transfer Protocol devices.
800-53: CM-6 CM-7

Rationale: To prevent the display of the account names of users with administrative privileges on the computer.
Impact: Administrators will always have to enter their account name as well as their password when responding to User Account Control elevation prompts.
800-53: AC-2 AC-3

Rationale: To prevent users from viewing Microsoft's Gadget Gallery online.
Impact: The Gadget Gallery will direct users to the local About:Blank web page.
800-53: CM-3 CM-6

Rationale: To lower the risk of users installing unauthorized software or malicious software.
Impact: Gadgets that have not been digitally signed will not be unpacked or installed.
800-53: CM-6

Rationale: To lower the risk of users installing unauthorized software or malicious software.
Impact: No user-installed Gadgets will run. Agencies are free to use Gadgets; however, their installation should be centrally managed.
800-53: CM-3

Rationale: To lower the risk of users installing unauthorized software or malicious software.
Impact: Digital Locker will not run.
800-53: CM-6 CM-7

Rationale: To ensure that events are recorded to facilitate troubleshooting system problems and tracking unauthorized activities.
Impact: The log size will be set to 32,768 kilobytes (32 megabytes).
800-53: AU-2

Rationale: To ensure that events are recorded to facilitate troubleshooting system problems and tracking unauthorized activities.
Impact: The log size will be set to 81,920 kilobytes (80 megabytes).
800-53: CM-6 AU-4 AU-5

Rationale: To ensure that events are recorded to facilitate troubleshooting system problems and tracking unauthorized activities.
Impact: The log size will be set to 32,768 kilobytes (32 megabytes).
800-53: CM-6 AU-4 AU-5

Rationale: To ensure that events are recorded to facilitate troubleshooting system problems and tracking unauthorized activities.
Impact: The log size will be set to 32,768 kilobytes (32 megabytes).
800-53: AU-2

Rationale: To lower the risk of users running unauthorized software programs.
Impact: Game information such as ratings will not be downloaded.
800-53: CM-3

Rationale: To lower the risk of users installing unauthorized software or malicious software.
Impact: Update information about games will not be downloaded.
800-53: CM-3

Rationale: To lower the risk of users copying sensitive data from their business computer to their own personal computers or exposing information to unauthorized users.
Impact: Users will not be able to add their computers to a homegroup.
800-53: CM-6 CM-7

Impact: This policy setting determines if the Internet Connection Wizard was completed. If it was not completed, it launches the Internet Connection Wizard. If you disable this policy setting, the Internet Connection Wizard is not launched automatically. The user can launch the wizard manually.


Rationale: To reduce the risk of remote compromise by not enabling this network service.
Impact: The desktop sharing feature of NetMeeting will not be available.
800-53: CM-7 AC-17

Rationale: To prevent the caching of user credentials.
Impact: Remote Desktop Services will not save passwords; users will have to enter their credentials each time that they connect.
800-53: IA-5

Rationale: To reduce the risk of remote compromise by not enabling this network service.
Impact: Terminal Services and Remote Desktop Services will not be available. Agencies that wish to use Remote Desktop Services may change the value of this setting; since the current SCAP content does not support this sort of conditional logic, agencies will have to track this setting as a deviation.
Category: Conditional
800-53: AC-3 CM-6 AC-17

Rationale: To prevent the caching of user credentials.
Impact: Users will have to enter their credentials when they connect to Remote Desktop Services.
800-53: AC-11 CM-6 CM-7

Rationale: To lower the risk of an attacker intercepting and decrypting Remote Desktop Services network traffic.
Impact: Clients that do not support 128-bit encryption will not be able to connect.
800-53: SC-9

Rationale: To reduce the risk of computing resources being consumed by large numbers of inactive remote sessions.
Impact: Remote sessions will be forcibly disconnected after 15 minutes; users will have to log on again to establish a new desktop session. Agencies that have users who require a longer timeout because their systems process long-running batch jobs or other functions may change the value of this setting; since the current SCAP content does not support this sort of conditional logic, agencies will have to track this setting as a deviation. Note that this type of network timeout is required by FISMA due to network behavior described in SP800-53 and SP800-53a.
Category: Conditional
800-53: AC-17

Rationale: To reduce the risk of computing resources being consumed by large numbers of inactive remote sessions.
Impact: Remote sessions will be forcibly closed 1 minute after disconnection; users will have to log on again to establish a new desktop session.
800-53: AC-11

Rationale: To reduce the risk of an unauthorized user viewing cached data stored in another user's temporary folders.
Impact: Remote Desktop Services will delete user-specific temporary folders when sessions are closed.
800-53: AU-9

Rationale: To reduce the risk of an unauthorized user viewing data stored in another user's temporary folders.
Impact: Per-session temporary folders will always be used.
800-53: CM-6

Rationale: To reduce the risk of a user unknowingly downloading malicious content.
Impact: Enclosures will not be downloaded in RSS feeds.
800-53: CM-3

Rationale: To reduce the risk of the exposure of sensitive data in the search index.
Impact: Search service components are expected not to index encrypted files. Changing this setting will cause the index to be rebuilt from scratch.
800-53: CM-6

Rationale: To enable indexing of mail on a Microsoft Exchange server when Microsoft Outlook is not running in cached mode.
Impact: The Exchange servers will have additional client requests.
800-53: CM-6

Rationale: To prevent users from seeing Windows Anytime Upgrade.
Impact: Windows Anytime Upgrade will not be available.
800-53: SI-2

Rationale: To lower the risk of a user unknowingly exposing sensitive data.
Impact: Spynet reports will not be sent to Microsoft.
800-53: CM-6

Rationale: To ensure that Windows Error Reporting information is recorded locally.
Impact: Windows Error Reporting events will be recorded in the system event log.
800-53: AU-2

Rationale: To lower the risk of a user unknowingly exposing sensitive data.
Impact: Windows error reports will not be sent to Microsoft.
800-53: SI-2 SI-11

Rationale: To avoid confusing users with messages from Windows Error Reporting.
Impact: Windows Error Reporting messages will not be displayed.
800-53: SI-2 SI-11

Rationale: To lower the risk of a user unknowingly exposing sensitive data.
Impact: Requests from Microsoft for additional data in response to a Windows Error Reporting submission will be ignored.
800-53: SI-2 SI-11

Rationale: To ensure that data execution prevention is able to block certain techniques used by malicious software.
Impact: Some Windows Explorer plug-ins may fail.
800-53: CM-3

Rationale: To prevent legacy plug-ins from continuing to function when the Windows Explorer session has become corrupted.
Impact: Legacy plug-ins and Windows Explorer will immediately terminate when corrupted.
800-53: CM-3

Rationale: To ensure that applications which use the shell protocol will not be able to open files.
Impact: The shell protocol will be limited to a subset of folders.
800-53: CM-6

Rationale: To avoid confusing users with security warnings from Windows Installer scripts. Since users are not allowed to install applications through Internet Explorer, the security risk of this setting is small.
Impact: Security warnings from Internet Explorer about program installations will not be displayed.
800-53: SI-3

Rationale: To ensure that users do not alter installation options.
Impact: Users will not be able to change installation options.
800-53: CM-3

Rationale: To lower the risk of users installing unauthorized software or malicious software.
Impact: Unprivileged users will not be able to install signed updates.
800-53: SI-3

Rationale: To ensure the user is notified when they log on with cached credentials because the logon server is unavailable.
Impact: When no authentication server is available, users will be notified.
800-53: AC-2

Rationale: To lower the risk of a user unknowingly exposing sensitive data.
Impact: Windows Mail will not check newsgroup servers for Communities support.
800-53: CM-6

Rationale: To prevent users from using an unauthorized email client.
Impact: Windows Mail will be disabled.
800-53: CM-6

Rationale: To prevent users from accessing DRM-protected media.
Impact: Windows Media DRM will not access the network for licenses or security upgrades.
800-53: CM-6 CM-7

Rationale: To prevent the user from changing configuration settings.
Impact: The Privacy Options and Installation Options dialog boxes will not be displayed the first time a user runs Windows Media Player.
800-53: CM-6

Rationale: To lower the risk of the installation of unauthorized software or malicious software.
Impact: Automatic updating of Windows Media Player will be disabled and the Check for Player Updates command will not be displayed on the Help menu.
800-53: CM-6 SI-2 CM-2
Rationale: To ensure the latest security updates for Windows are installed.
Impact: Updates will be downloaded automatically and a notification will be displayed when they are ready to be installed. The mandated value of this setting presupposes that agencies are using Windows Update or Microsoft Update for update management. Agencies that use another enterprise patch management solution may change the value of this setting as appropriate; however, since the current SCAP content does not support this sort of conditional logic, agencies will have to track this setting as a deviation.
Category: Conditional
800-53: CM-3 SI-2

Rationale: To ensure that users are aware of pending updates.
Impact: Users will be prompted to allow any available Windows updates to install when they attempt to shut down, reboot, or log off the computer. The mandated value of this setting presupposes that agencies are using Windows Update or Microsoft Update for update management. Agencies that use another enterprise patch management solution may change the value of this setting as appropriate; however, since the current SCAP content does not support this sort of conditional logic, agencies will have to track this setting as a deviation.
Category: Conditional
800-53: CM-6 SI-2

Rationale: To ensure that the computer restarts if required after updates have been installed.
Impact: The computer will automatically reboot after installing updates that require a reboot. The mandated value of this setting presupposes that agencies are using Windows Update or Microsoft Update for update management. Agencies that use another enterprise patch management solution may change the value of this setting as appropriate; however, since the current SCAP content does not support this sort of conditional logic, agencies will have to track this setting as a deviation.
Category: Conditional
800-53: IA-2

Rationale: To ensure that users have enough time to save their data and close their applications before updates are installed.
Impact: Users will be able to postpone scheduled updates. The mandated value of this setting presupposes that agencies are using Windows Update or Microsoft Update for update management. Agencies that use another enterprise patch management solution may change the value of this setting as appropriate.
Category: Conditional
800-53: SI-2
Rationale: To mitigate the impact of the account lockout threshold, i.e., this setting lowers the risk of an attacker causing a denial of service (DoS) by deliberately causing failed logons for numerous accounts.
Impact: Accounts that have been locked out will automatically be unlocked after 15 minutes.
800-53: AC-7

Rationale: To render password guessing attacks infeasible.
Impact: Locked-out accounts will continue to be locked out until they are reset by an administrator or until the 15 minute account lockout duration expires. It is probable that this setting will increase help desk calls.
800-53: AC-11

Rationale: To mitigate the impact of the account lockout threshold, i.e., this setting lowers the risk of an attacker causing a denial of service (DoS) by deliberately causing failed logons for numerous accounts.
Impact: Failed logon attempts will be dropped from the list of limited attempts after 15 minutes.
800-53: AC-7

Rationale: To make it difficult for users to reuse old passwords; reused passwords increase the risk of account compromise.
Impact: Users will have to think of new passwords each time their current one is about to expire.
800-53: CM-6 IA-5

Rationale: A user's account is at greater risk of compromise through brute force attacks when the same password is used for an extended period of time.
Impact: Users will have to specify a new password every 60 days. Configuring this to a lower number of days may actually lower security because it increases the risk that users will write down their passwords in order to be able to remember them.
800-53: AC-3 CM-6 CM-7 SC-5 IA-5

Rationale: To make it difficult for users to reuse old passwords; reused passwords increase the risk of account compromise.
Impact: Users will not be able to quickly cycle through 24 new passwords so that they can reuse the password they prefer.
800-53: IA-5

Rationale: To make brute force password guessing attacks more difficult.
Impact: Requiring long passwords increases the risk that users will write down their passwords in order to remember them. It is recommended that agencies provide users with advice on password creation using ideas such as passphrases.
800-53: IA-5

Rationale: To make brute force password guessing attacks more difficult.
Impact: Requiring complex passwords increases the risk that users will write down their passwords in order to remember them.
800-53: IA-5

Rationale: Storing passwords using reversible encryption is much weaker than storing password hashes.
Impact: Certain types of authentication will be unavailable. For example, Routing and Remote Access Services can use CHAP authentication and Internet Information Services can use Digest Authentication; both of these will fail if this setting is disabled.
800-53: IA-5 AU-9

Audit data provide              Enabling audit policies will      AU-2
information that may be         cause more events to be
needed in order to              recorded in the Security
determine the root cause        Event Log, enabling
of a security incident. Audit   certain audit policies can
data can also help to           result in so many events
resolve various types of        being recorded that the log
system and application          is unusable. On a very
configuration issues such       busy server enabling too
as incorrect permissions in     many audit policies will
the registry.                   degrade system
                                performance. The USGCB
                                audit policies strike a
                                balance between
                                recording useful
                                information while
                                minimizing impact on
                                system performance.
For the audit policies         Enabling audit policies will   AU-2
settings the value of "No      cause more events to be
auditing" is equivalent to     recorded in the Security
"not configured" and           Event Log, enabling
agencies are free to           certain audit policies can
configure policies with that   result in so many events
USGCB value however            being recorded that the log
they see fit.                  is unusable. On a very
                               busy server enabling too
                               many audit policies will
                               degrade system
                               performance. The USGCB
                               audit policies strike a
                               balance between
                               recording useful
                               information while
                               minimizing impact on
                               system performance.

For the audit policies         Enabling audit policies will   AU-2
settings the value of "No      cause more events to be
auditing" is equivalent to     recorded in the Security
"not configured" and           Event Log, enabling
agencies are free to           certain audit policies can
configure policies with that   result in so many events
USGCB value however            being recorded that the log
they see fit.                  is unusable. On a very
                               busy server enabling too
                               many audit policies will
                               degrade system
                               performance. The USGCB
                               audit policies strike a
                               balance between
                               recording useful
                               information while
                               minimizing impact on
                               system performance.
For the audit policies         Enabling audit policies will   AU-2
settings the value of "No      cause more events to be
auditing" is equivalent to     recorded in the Security
"not configured" and           Event Log, enabling
agencies are free to           certain audit policies can
configure policies with that   result in so many events
USGCB value however            being recorded that the log
they see fit.                  is unusable. On a very
                               busy server enabling too
                               many audit policies will
                               degrade system
                               performance. The USGCB
                               audit policies strike a
                               balance between
                               recording useful
                               information while
                               minimizing impact on
                               system performance.

For the audit policies         Enabling audit policies will   AU-2
settings the value of "No      cause more events to be
auditing" is equivalent to     recorded in the Security
"not configured" and           Event Log, enabling
agencies are free to           certain audit policies can
configure policies with that   result in so many events
USGCB value however            being recorded that the log
they see fit.                  is unusable. On a very
                               busy server enabling too
                               many audit policies will
                               degrade system
                               performance. The USGCB
                               audit policies strike a
                               balance between
                               recording useful
                               information while
                               minimizing impact on
                               system performance.
Audit data provide              Enabling audit policies will   AU-2
information that may be         cause more events to be
needed in order to              recorded in the Security
determine the root cause        Event Log, enabling
of a security incident. Audit   certain audit policies can
data can also help to           result in so many events
resolve various types of        being recorded that the log
system and application          is unusable. On a very
configuration issues such       busy server enabling too
as incorrect permissions in     many audit policies will
the registry.                   degrade system
                                performance. The USGCB
                                audit policies strike a
                                balance between
                                recording useful
                                information while
                                minimizing impact on
                                system performance.

For the audit policies          Enabling audit policies will   AU-2
settings the value of "No       cause more events to be
auditing" is equivalent to      recorded in the Security
"not configured" and            Event Log, enabling
agencies are free to            certain audit policies can
configure policies with that    result in so many events
USGCB value however             being recorded that the log
they see fit.                   is unusable. On a very
                                busy server enabling too
                                many audit policies will
                                degrade system
                                performance. The USGCB
                                audit policies strike a
                                balance between
                                recording useful
                                information while
                                minimizing impact on
                                system performance.
Audit data provide              Enabling audit policies will   AU-2
information that may be         cause more events to be
needed in order to              recorded in the Security
determine the root cause        Event Log, enabling
of a security incident. Audit   certain audit policies can
data can also help to           result in so many events
resolve various types of        being recorded that the log
system and application          is unusable. On a very
configuration issues such       busy server enabling too
as incorrect permissions in     many audit policies will
the registry.                   degrade system
                                performance. The USGCB
                                audit policies strike a
                                balance between
                                recording useful
                                information while
                                minimizing impact on
                                system performance.

Audit data provide              Enabling audit policies will   AU-2
information that may be         cause more events to be
needed in order to              recorded in the Security
determine the root cause        Event Log, enabling
of a security incident. Audit   certain audit policies can
data can also help to           result in so many events
resolve various types of        being recorded that the log
system and application          is unusable. On a very
configuration issues such       busy server enabling too
as incorrect permissions in     many audit policies will
the registry.                   degrade system
                                performance. The USGCB
                                audit policies strike a
                                balance between
                                recording useful
                                information while
                                minimizing impact on
                                system performance.
Audit data provide              Enabling audit policies will   AU-2
information that may be         cause more events to be
needed in order to              recorded in the Security
determine the root cause        Event Log, enabling
of a security incident. Audit   certain audit policies can
data can also help to           result in so many events
resolve various types of        being recorded that the log
system and application          is unusable. On a very
configuration issues such       busy server enabling too
as incorrect permissions in     many audit policies will
the registry.                   degrade system
                                performance. The USGCB
                                audit policies strike a
                                balance between
                                recording useful
                                information while
                                minimizing impact on
                                system performance.

For the audit policies          Enabling audit policies will   AU-2
settings the value of "No       cause more events to be
auditing" is equivalent to      recorded in the Security
"not configured" and            Event Log, enabling
agencies are free to            certain audit policies can
configure policies with that    result in so many events
USGCB value however             being recorded that the log
they see fit.                   is unusable. On a very
                                busy server enabling too
                                many audit policies will
                                degrade system
                                performance. The USGCB
                                audit policies strike a
                                balance between
                                recording useful
                                information while
                                minimizing impact on
                                system performance.
Audit data provide information that may be needed in order to determine the root cause of a security incident. Audit data can also help to resolve various types of system and application configuration issues, such as incorrect permissions in the registry.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2

For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2
For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2

For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2
For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2

For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2
For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2

For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2
For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2

For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2
For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2

For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2
For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2

Audit data provide information that may be needed in order to determine the root cause of a security incident. Audit data can also help to resolve various types of system and application configuration issues, such as incorrect permissions in the registry.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2
Audit data provide information that may be needed in order to determine the root cause of a security incident. Audit data can also help to resolve various types of system and application configuration issues, such as incorrect permissions in the registry.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2

For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2
For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2

Audit data provide information that may be needed in order to determine the root cause of a security incident. Audit data can also help to resolve various types of system and application configuration issues, such as incorrect permissions in the registry.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2
For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2

For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2
For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2

For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2
Audit data provide information that may be needed in order to determine the root cause of a security incident. Audit data can also help to resolve various types of system and application configuration issues, such as incorrect permissions in the registry.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2

For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2
For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2

For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2
For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2

For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2
Audit data provide information that may be needed in order to determine the root cause of a security incident. Audit data can also help to resolve various types of system and application configuration issues, such as incorrect permissions in the registry.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2

For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2
Audit data provide information that may be needed in order to determine the root cause of a security incident. Audit data can also help to resolve various types of system and application configuration issues, such as incorrect permissions in the registry.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2

Audit data provide information that may be needed in order to determine the root cause of a security incident. Audit data can also help to resolve various types of system and application configuration issues, such as incorrect permissions in the registry.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2
For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2

For the audit policy settings, the value "No auditing" is equivalent to "not configured", and agencies are free to configure policies that carry that USGCB value however they see fit.
Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information and minimizing impact on system performance.
800-53: AU-2
For the audit policies         Enabling audit policies will   AU-2
settings the value of "No      cause more events to be
auditing" is equivalent to     recorded in the Security
"not configured" and           Event Log, enabling
agencies are free to           certain audit policies can
configure policies with that   result in so many events
USGCB value however            being recorded that the log
they see fit.                  is unusable. On a very
                               busy server enabling too
                               many audit policies will
                               degrade system
                               performance. The USGCB
                               audit policies strike a
                               balance between
                               recording useful
                               information while
                               minimizing impact on
                               system performance.

For the audit policies         Enabling audit policies will   AU-2
settings the value of "No      cause more events to be
auditing" is equivalent to     recorded in the Security
"not configured" and           Event Log, enabling
agencies are free to           certain audit policies can
configure policies with that   result in so many events
USGCB value however            being recorded that the log
they see fit.                  is unusable. On a very
                               busy server enabling too
                               many audit policies will
                               degrade system
                               performance. The USGCB
                               audit policies strike a
                               balance between
                               recording useful
                               information while
                               minimizing impact on
                               system performance.
For the audit policies         Enabling audit policies will   AU-2
settings the value of "No      cause more events to be
auditing" is equivalent to     recorded in the Security
"not configured" and           Event Log, enabling
agencies are free to           certain audit policies can
configure policies with that   result in so many events
USGCB value however            being recorded that the log
they see fit.                  is unusable. On a very
                               busy server enabling too
                               many audit policies will
                               degrade system
                               performance. The USGCB
                               audit policies strike a
                               balance between
                               recording useful
                               information while
                               minimizing impact on
                               system performance.

For the audit policies         Enabling audit policies will   AU-2
settings the value of "No      cause more events to be
auditing" is equivalent to     recorded in the Security
"not configured" and           Event Log, enabling
agencies are free to           certain audit policies can
configure policies with that   result in so many events
USGCB value however            being recorded that the log
they see fit.                  is unusable. On a very
                               busy server enabling too
                               many audit policies will
                               degrade system
                               performance. The USGCB
                               audit policies strike a
                               balance between
                               recording useful
                               information while
                               minimizing impact on
                               system performance.
Rationale: Audit data provide information that may be needed in order to determine the root cause of a security incident. Audit data can also help to resolve various types of system and application configuration issues, such as incorrect permissions in the registry.
Impact: Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information while minimizing impact on system performance.
800-53 mapping: AU-2

Rationale: For the audit policy settings, the value of "No auditing" is equivalent to "not configured", and agencies are free to configure policies with that USGCB value however they see fit.
Impact: Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information while minimizing impact on system performance.
800-53 mapping: AU-2

Rationale: Audit data provide information that may be needed in order to determine the root cause of a security incident. Audit data can also help to resolve various types of system and application configuration issues, such as incorrect permissions in the registry.
Impact: Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information while minimizing impact on system performance.
800-53 mapping: AU-2

Rationale: Specifies the maximum size of the application event log, which has a maximum of 4 GB.
Impact: The log size will be set to 16384 kilobytes.

Rationale: Specifies the maximum size of the security event log, which has a minimum size of 4 GB.
Impact: The log size will be set to 81920 kilobytes.
Rationale: Specifies the maximum size of the system event log, which has a maximum size of 4 GB.
Impact: The log size will be set to 16384 kilobytes.

Rationale: To prevent users from accessing the file.
Impact: Permission to execute and read removed from Users.
Rationale: To prevent users from accessing the file.
Impact: Permission to execute and read given to Users.
Rationale: To prevent users from accessing the file.
Impact: Permission to execute and read removed from Users.
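The file permission rows above remove read and execute access from the Users group on specific files whose names are not shown in this section. The following PowerShell is an added example, not content from the USGCB spreadsheet, that reports whether BUILTIN\Users still holds read or execute rights on a list of files; the two paths in the list are placeholders and must be replaced with the files from the spreadsheet.

```powershell
# Added example, not part of the USGCB spreadsheet.
# Reports whether the Users group (well-known SID S-1-5-32-545) is still granted
# read or execute access on each file in $paths.

$paths = @(
    "$env:SystemRoot\System32\PLACEHOLDER-FILE-1.exe",   # placeholder, not a USGCB file name
    "$env:SystemRoot\System32\PLACEHOLDER-FILE-2.exe"    # placeholder, not a USGCB file name
)

# Rights that would let a standard user read or run the file.
$readExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$usersSid = 'S-1-5-32-545'   # BUILTIN\Users, locale-independent

function Test-UsersReadExecute {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; UsersReadExecute = 'file not found' }
    }
    $acl = Get-Acl -LiteralPath $Path
    # Allow entries for the Users group that include any Read or Execute bit.
    # Matching on the SID rather than the display name avoids localized group names.
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $usersSid -and
        (($_.FileSystemRights -band $readExec) -ne 0)
    }
    [pscustomobject]@{ Path = $Path; UsersReadExecute = [bool]$hit }
}

$paths | ForEach-Object { Test-UsersReadExecute -Path $_ } | Format-Table -AutoSize
```

A file that is correctly restricted reports UsersReadExecute as False; inherited Allow entries are included deliberately, because an inherited grant from the parent directory gives Users access just as an explicit one does.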




Rationale: Audit data provide information that may be needed in order to determine the root cause of a security incident. Audit data can also help to resolve various types of system and application configuration issues, such as incorrect permissions in the registry.
Impact: Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information while minimizing impact on system performance.
Rationale: For the audit policy settings, the value of "No auditing" is equivalent to "not configured", and agencies are free to configure policies with that USGCB value however they see fit.
Impact: Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information while minimizing impact on system performance.

Rationale: Audit data provide information that may be needed in order to determine the root cause of a security incident. Audit data can also help to resolve various types of system and application configuration issues, such as incorrect permissions in the registry.
Impact: Enabling audit policies will cause more events to be recorded in the Security Event Log; enabling certain audit policies can result in so many events being recorded that the log is unusable. On a very busy server, enabling too many audit policies will degrade system performance. The USGCB audit policies strike a balance between recording useful information while minimizing impact on system performance.
Rationale: Account lockout policies do not apply to the built-in local administrator account; therefore it is often a target of brute force password guessing attacks. For many organizations it is also very difficult to regularly change the passwords of local accounts, which makes this account more vulnerable to password guessing.
Impact: Resolving certain types of issues will be more difficult; however, if you boot the computer into Safe Mode the local administrator account will be available regardless of how this policy setting is configured.
800-53 mapping: AC-6 AC-3

Rationale: The built-in local guest account allows unauthenticated users to connect to shared resources via the network.
Impact: Anonymous network access will not be available.
800-53 mapping: AC-3 CM-6 CM-7 SC-5

Rationale: Blank passwords are perilous because malicious users can log on with them so easily. Although the domain password policies prohibit blank passwords, determined users could bypass them by installing Windows on a computer, creating accounts with blank passwords, and then joining the computer to the domain. This policy setting ensures that in that situation the local accounts would not be able to access the computer via the network.
Impact: Any account with a blank password will only be able to log onto the computer at the console.
800-53 mapping: AC-3 CM-6 CM-7 SC-5
Rationale: Renaming this account makes it slightly more difficult for a malicious user to attempt a brute force password guessing attack. The value of this setting is diminished by the fact that the account has a well known security identifier (SID), and attackers can use the SID rather than the account name when attempting to log on via the network.
Impact: The account will be renamed.
800-53 mapping: AC-7 CM-6


Rationale: Renaming this account makes it slightly more difficult for a malicious user to attempt a brute force password guessing attack.
Impact: The account will be renamed.
800-53 mapping: AC-7 CM-6
Rationale: Enabling this setting could cause a very large number of audit events to be recorded to the security event log.
Impact: Access to global system objects will not be audited.
800-53 mapping: AU-2
Rationale: Enabling this setting could cause a very large number of audit events to be recorded to the security event log.
Impact: Backup and restore operations will not be audited.
800-53 mapping: AU-2
Rationale: The audit subcategories facilitate granular control over what classes of security events are logged.
Impact: Configuration of the original audit policies will be ignored.
800-53 mapping: AU-2


Rationale: Although it is more secure to restrict this privilege to administrators, for most organizations the impact on usability is too great.
Impact: Users will be able to install printer drivers. Note that even if you enable this setting, users can add printers if the drivers are already installed.
800-53 mapping: AC-3 CM-6 CM-7 SC-5
Rationale: Although it is more secure to restrict this to local users, for most organizations the impact on usability is too great. For example, enabling this setting will cause the Volume Shadow Copy service and Windows backup to fail.
Impact: Users logged on via the network will be able to access the CD-ROM drive if it is shared.
800-53 mapping: MP-2
Rationale: Although it is more secure to restrict this to local users, for most organizations the impact on usability is too great. For example, enabling this setting will cause the Volume Shadow Copy service and Windows backup to fail.
Impact: Users logged on via the network will be able to access the floppy drive if it is shared.
800-53 mapping: MP-2
Rationale: Determines what happens when an attempt is made to install a device driver (by means of the Setup API) that has not been certified by the Windows Hardware Quality Lab (WHQL). The options are:
- Silently succeed
- Warn but allow installation
- Do not allow installation
Default: Warn but allow installation.
Impact: When set to Do Not Allow, if certificates are not updated on desktops regularly, a customer can get trapped in a situation where key driver updates will not be allowed to install since the certificates installed locally have expired. Without a healthy Certificate Server structure and regular communications between administrators and package builders, blocking unsigned driver installations can be a serious problem.


Rationale: Encrypting the secure channel protects it against eavesdropping attacks; digitally signing the data protects it against being altered in transit.
Impact: Only Windows NT 4.0 with Service Pack 6a (SP6a) and later versions of Windows support digital encryption and signing of the secure channel, so the computer will not be able to connect to domain controllers running earlier versions of Windows.
800-53 mapping: SC-9
Rationale: Encrypting the secure channel protects it against eavesdropping attacks; digitally signing the data protects it against being altered in transit.
Impact: The computer will attempt to encrypt secure channel data; if it fails, it will fall back to less secure behavior.
800-53 mapping: SC-9

Rationale: Encrypting the secure channel protects it against eavesdropping attacks; digitally signing the data protects it against being altered in transit.
Impact: The computer will attempt to sign secure channel data; if it fails, it will fall back to less secure behavior.
800-53 mapping: CM-6 SC-28

Rationale: Allowing the computer to automatically change its domain account password helps protect the account against brute force password guessing attacks. The value of this setting is moderate due to the fact that machine account passwords are extremely long and random.
Impact: None. This is the default configuration.
800-53 mapping: IA-5

Rationale: Requiring the computer to automatically change its domain account password helps protect the account against brute force password guessing attacks. The value of this setting is moderate due to the fact that machine account passwords are extremely long and random.
Impact: None. This is the default configuration.
800-53 mapping: AC-3 CM-6 CM-7 SC-5 IA-5

Rationale: Domain controllers and client computers use session keys to establish and maintain a secure channel for communications between the two computers. Session keys in Windows 2000 are much stronger than they were in earlier versions of Windows.
Impact: The computer will not be able to join domains with domain controllers running versions of Windows prior to Windows 2000.
800-53 mapping: CM-6 SC-28
Rationale: If this setting is not enabled, a malicious user who has access to the console can leverage the username as part of a password guessing attack.
Impact: Users will have to enter their usernames when logging onto the console.
800-53 mapping: AC-2

Rationale: Enabling this setting makes it easier for people with certain types of physical impairments to log onto the console; however, it also makes it easier for malicious software to intercept the user's credentials during logon.
Impact: Users will either have to insert a smartcard or simultaneously press the Control, Alternate, and Delete keys.
800-53 mapping: AC-3 CM-6 CM-7 SC-5
Rationale: Although it is not likely to dissuade a serious attacker, the warning message helps reinforce organizational policy during the logon process. Agencies should replace the text suggested here with text that meets their business requirements.
Impact: Users will see a message dialog box before they can complete the logon process. Organizations are free to use the text provided in this document; however, they should implement text that meets their organization's business and policy requirements.
800-53 mapping: AC-8 CM-6 CM-7 SC-5
Rationale: Although it is not likely to dissuade a serious attacker, the warning message helps reinforce organizational policy during the logon process. Agencies should replace the text suggested here with text that meets their business requirements.
Impact: Users will see a message dialog box before they can complete the logon process. Organizations are free to use the text provided in this document; however, they should implement text that meets their organization's business and policy requirements.
800-53 mapping: AC-8 CM-6 CM-7 SC-5

Rationale: Configuring this policy setting to two ensures that the primary user of the computer can log on even if no domain controller is available. Two is specified so that even if an administrator logs on to the computer to perform maintenance, the primary user's credentials will still be cached.
Impact: Users who log on with a domain account will have their credentials cached; the computer will allow users with cached credentials to log on if it is unable to communicate with a domain controller.
800-53 mapping: AC-3 CM-6 CM-7 SC-5

Rationale: Warning users when their passwords are about to expire ensures that they have sufficient time to change them before they actually expire.
Impact: Users will see a dialog box each time they log onto the console if their password is going to expire within 14 days.
800-53 mapping: IA-5
Rationale: Disabling this policy setting ensures that mobile users can log onto the computer with their cached credentials when they are not connected to the agency network.
Impact: The computer will allow users with cached credentials to log on if it is unable to communicate with a domain controller.
800-53 mapping: AC-3 CM-6 CM-7 SC-5

Configuring this policy         Users will have to enter        AC-3 CM-6
setting to Lock                 their smart card and PIN        CM-7 SC-5
Workstation ensures that        when they return to their
an users will not be able to    computer.
access the desktop
session of other users.
This configuration also
ensures that user sessions
will not be forcibly logged
off.
Rationale: To minimize the risk of session hijacking attacks between the computer and SMB or CIFS servers.
Impact: The computer will only be able to connect to SMB and CIFS shares on servers running Windows 2000 or later.
800-53: SC-8

Rationale: To minimize the risk of session hijacking attacks between the computer and SMB or CIFS servers.
Impact: None; this policy setting only causes the computer to request digital signing.
800-53: AC-3 CM-6 CM-7 SC-8

Rationale: To minimize the risk of the password being intercepted while traversing the network.
Impact: The computer will not be able to connect to shared resources on servers running very old versions of Windows and certain third-party implementations of SMB.
800-53: SC-8

Rationale: SMB and CIFS connections consume system resources; by disconnecting idle sessions the risk of server performance degrading is minimized.
Impact: The impact is minimal because clients will automatically re-establish disconnected sessions when the user resumes activity involving the shared resource.
800-53: AC-3 CM-6 CM-7 AC-11

Rationale: To minimize the risk of session eavesdropping attacks between the computer and SMB or CIFS clients.
Impact: The computer will only be able to accept connections from SMB and CIFS clients running Windows 2000 or later.
800-53: CM-6 SC-8 SC-9

Rationale: To minimize the risk of session eavesdropping attacks between the computer and SMB or CIFS clients.
Impact: None; this policy setting only causes the computer to request digital signing.
800-53: AC-3 CM-6 CM-7 SC-5

Rationale: If the agency uses logon hours then using this policy setting is logical; otherwise users could maintain connections to shared resources even after the logon hours have expired.
Impact: If logon hours are not used then this setting will have no impact; accounts that do have logon hours configured will be forcibly disconnected from shared resources on the computer when the hours expire.
800-53: AC-3 CM-6 CM-7 SC-5 SC-10

Rationale: To lower the risk of a computer name being spoofed on the network.
Impact: This setting affects the SMB server component, so it will only affect attempts to access shared resources on the computer, not when the computer attempts to connect to other servers.
800-53: SC-9

Rationale: To prevent anyone with physical access to the console from gaining administrative privileges.
Impact: None. This is the default configuration.
800-53: AC-3 CM-6 CM-7 IA-2 SC-5

Rationale: To prevent attackers from obscuring the location and address of their computer via source routing.
Impact: All incoming source-routed IPv6 packets will be ignored.
800-53: AC-3 CM-6 CM-7 SC-5

Rationale: To prevent attackers from obscuring the location and address of their computer via source routing.
Impact: All incoming source-routed IPv4 packets will be ignored.
800-53: AC-3 CM-6 CM-7 SC-5

Rationale: To prevent the computer from attempting to route network traffic through an unauthorized gateway.
Impact: The computer will not automatically search for another router should the default become unavailable for some reason.

Rationale: To minimize the risk of network routing problems for the computer.
Impact: ICMP redirects will not override OSPF-generated routes; this should have little impact since the computer is not supposed to be providing routing and remote access services.
800-53: AC-3 CM-6 CM-7 SC-5

Rationale: To make it harder for a malicious user to gain information about the computer over the network.
Impact: The computer will not appear on the browse list or in the Network Neighborhood of other computers on the network.
800-53: AC-4 SC-5

Rationale: To minimize the risk of a denial-of-service attack succeeding.
Impact: While Windows does not use keep-alive packets, applications running on the computer might.
800-53: AC-4 SC-5

Rationale: To prevent attackers from exploiting the default exemptions in IPsec for the IKE, RSVP, or Kerberos protocols.
Impact: IPsec policies may have to be modified; see the Microsoft Knowledge Base article "IPsec Default Exemptions Can Be Used to Bypass IPsec Protection in Some Scenarios" at http://support.microsoft.com/default.aspx?kbid=811832.
800-53: AC-4 AC-17

Rationale: To prevent malicious software from launching automatically when removable media is attached to the system.
Impact: Autorun will be completely disabled and users will have to manually launch installation programs stored on removable media such as CDs and DVDs.

Rationale: To minimize the risk of spoofing attacks against the NetBIOS protocol.
Impact: Problems may arise if 2 or more computers on the network share the same NetBIOS name.
800-53: AC-4 SC-5

Rationale: To minimize the risk of an attacker tricking the computer into routing its traffic to a router on the local network segment controlled by the attacker.
Impact: The computer will not be able to use IRDP to detect its default gateway; the impact should be minimal since most client computers learn about their default gateway via DHCP.
800-53: AC-3 CM-6 CM-7 SC-5

Rationale: To block certain kinds of attacks that trick applications into loading DLLs that contain malicious code.
Impact: Applications will be forced to search in the system path first when looking for a DLL.
800-53: AC-4 SC-5

Rationale: To lower the risk of an unauthorized user gaining access to the logon session of another user.
Impact: When the screensaver activates the user will only have 5 seconds to move the mouse or strike a key before the desktop session will be locked.
800-53: AC-3 AC-11 CM-6 CM-7

Rationale: This registry value causes TCP to adjust retransmission of SYN-ACKs. When you configure this value, the connection responses time out more quickly in the event of a connect request (SYN) attack.
Impact: Connections time out more quickly if a SYN attack is detected.

Rationale: This parameter determines the number of times that TCP retransmits a SYN before aborting the attempt. The retransmission time-out is doubled with each successive retransmission in a given connect attempt. The initial time-out value is three seconds.
Impact: Half-open connections will be dropped after 21 seconds.

Rationale: To minimize the risk of a denial-of-service attack succeeding.
Impact: A retransmission timer starts when each outbound segment passes from the TCP layer to the IP layer of the network stack; if no acknowledgement is received the computer will retransmit the segment up to 3 times.
800-53: AC-3 CM-6 CM-7 SC-5

Rationale: To minimize the risk of a denial-of-service attack succeeding.
Impact: A retransmission timer starts when each outbound segment passes from the TCP layer to the IP layer of the network stack; if no acknowledgement is received the computer will retransmit the segment up to 3 times.
800-53: AC-3 CM-6 CM-7 SC-5

Rationale: To lower the risk of the security event log completely filling without the user's knowledge.
Impact: An audit event will be generated when the security event log reaches 90% capacity, unless the log is configured to overwrite entries as needed.
800-53: AC-4 SC-5 AU-9
Rationale: To prevent a malicious user from using the SID to determine the account name of a renamed account.
Impact: None. This is the default configuration for Windows client computers.
800-53: CM-6 CM-7 AC-3

Rationale: To prevent a malicious user from gathering account names via the network.
Impact: It will not be possible to establish trust with NT 4.0-based domains.
800-53: CM-6 CM-7 AC-3 IA-4

Rationale: To prevent a malicious user from gathering account and share names via the network.
Impact: It will not be possible to grant access to users of other domains via one-way trusts because administrators in the trusting domain will not be able to enumerate lists of accounts from the other domain.
800-53: CM-6 CM-7 AC-3

Rationale: To minimize the risk of malicious software gaining access to cached passwords.
Impact: Users will always have to enter their username and password when accessing network resources not accessible to their domain account.
800-53: IA-4

Rationale: To prevent attacks that exploit anonymous network access.
Impact: None. This is the default configuration.
800-53: AC-2 IA-2

Rationale: To prevent attacks that exploit anonymous network access.
Impact: Applications that rely on anonymous access to named pipes will fail.
800-53: AC-2 IA-2

Rationale: To minimize the amount of information in the system registry that can be accessed via the network.
Impact: This is the default configuration, so the impact on Windows should be minimal; however, applications that attempt to add additional paths to this list may not function as expected.
800-53: AC-3 CM-6

Rationale: To minimize the amount of information in the system registry that can be accessed via the network.
Impact: This is the default configuration, so the impact on Windows should be minimal; however, applications that attempt to add additional paths to this list may not function as expected.
800-53: CM-7

Rationale: To prevent attacks that exploit anonymous network access.
Impact: Applications that rely on anonymous access to named pipes and shares will fail.
800-53: CM-7

Rationale: To prevent attacks that exploit anonymous network access.
Impact: Applications that rely on anonymous access to shares will fail.
800-53: IA-2 CM-7

Rationale: Although this is a less restrictive value than Guest only, it's the value that will allow write access to shared resources for authorized users.
Impact: None. This is the default configuration.
800-53: IA-2 CM-7

Rationale: To ensure that the computer authenticates with its own identity when accessing network resources.
Impact: Services running as local system that negotiate the NTLM authentication method will use the computer identity; this might cause some authentication requests to fail.
800-53: IA-2 CM-7

Rationale: To prevent the computer from using NULL sessions.
Impact: Applications that require NULL sessions for LocalSystem will fail.
800-53: IA-2 CM-7

Rationale: To block the use of the PKU2U peer-to-peer protocol.
Impact: Online identities will not be able to authenticate to the domain-joined machine.
800-53: IA-2 CM-7

Rationale: To ensure that less robust encryption protocols are not used.
Impact: Computers that do not support the specified encryption types will not be able to authenticate with the computer using Kerberos.
800-53: SC-9
Rationale: To prevent malicious users who gain physical access to the computer from being able to harvest passwords from the SAM database using LAN Manager hash tables.
Impact: Certain early versions of Windows, such as those in the Windows 9x and Windows 3.x families, will fail to authenticate with the computer.
800-53: AC-3 CM-6 CM-7 SC-5

Rationale: To prevent users from remaining connected after their logon hours have expired.
Impact: If logon hours are not used then this setting will have no impact; SMB sessions for accounts that do have logon hours configured will be forcibly disconnected when the hours expire.
800-53: AC-11

Rationale: To prevent the use of less secure authentication protocols.
Impact: The computer will not be able to authenticate to or share resources with computers that do not support NTLMv2 authentication.
800-53: AC-3 CM-6

Rationale: To reduce the risk of man-in-the-middle network attacks.
Impact: The impact is minimal because the computer will negotiate rather than require digital signatures.
800-53: CM-7

Rationale: To reduce the risk of man-in-the-middle network and eavesdropping attacks.
Impact: The computer will not be able to authenticate with servers that do not support these security settings. This setting could impact Windows Clustering; see "How to apply more restrictive security settings on a Windows Server 2003-based cluster server" at http://support.microsoft.com/default.aspx?scid=kb;en-us;891597 and "You receive an "Error 0x8007042b" error message when you add or join a node to a cluster if you use NTLM version 2 in Windows Server 2003" at http://support.microsoft.com/kb/890761/ for more information.
800-53: AC-3 CM-6

Rationale: To reduce the risk of man-in-the-middle network and eavesdropping attacks.
Impact: Clients that do not support these security settings will not be able to authenticate to the computer. This setting could impact Windows Clustering; see "How to apply more restrictive security settings on a Windows Server 2003-based cluster server" at http://support.microsoft.com/default.aspx?scid=kb;en-us;891597 and "You receive an "Error 0x8007042b" error message when you add or join a node to a cluster if you use NTLM version 2 in Windows Server 2003" at http://support.microsoft.com/kb/890761/ for more information.
800-53: CM-7

Rationale: To prevent anyone with physical access to the console from gaining administrative privileges.
Impact: A valid username and password will be required to access the Recovery Console.
800-53: IA-2 AC-14

Rationale: To prevent an attacker with physical access to the console from using the Recovery Console to copy sensitive data to floppy disks.
Impact: Legitimate users of the Recovery Console will not be able to use floppy drives.
800-53: CM-2 CM-7 AC-19

Rationale: While it is more secure to require that the user log on in order to shut down the system, many agencies find that configuration to have a large impact on usability.
Impact: Users can shut down Windows without having to enter their credentials.
800-53: CM-7

Rationale: While it is more secure to clear the pagefile during shutdown, many agencies find that configuration to have a large impact on usability.
Impact: The shutdown process will take less time.
800-53: CM-7

Rationale: To ensure that the computer uses strong cryptographic algorithms and to comply with the requirements of FIPS 140.
Impact: The computer will not be able to exchange encrypted data with computers that do not support the same protocols. This includes web servers that use SSL but refuse TLS, Remote Desktop Protocol clients that are not configured to support High Encryption, and servers running old Terminal Services.
800-53: SC-9

Rationale: Determines whether the Administrators group or an object creator is the default owner of any system objects that are created. This supports determining accountability for system changes.
Impact: The object creator will be the owner of newly created system objects.

Rationale: Windows is case-insensitive but the optional POSIX subsystem is case sensitive. Without this setting enabled it would be possible for a user working within the POSIX subsystem to create a file with the same name as an existing file but with a different mix of upper and lower case letters. This could confuse users.
Impact: POSIX-based applications may fail.
800-53: CM-6

Rationale: To improve the default ACL for system objects.
Impact: None. This is the default configuration.
800-53: CM-6
Rationale: To prevent someone logged in with the built-in Administrator account from running all applications with full administrative privilege.
Impact: Users who log on with the local administrator account will see elevation prompts on the secure desktop when opening programs that require administrator privileges.
800-53: AC-2 IA-2

Rationale: To prevent UIA programs such as Remote Assistance from disabling the secure desktop.
Impact: This setting was added to Windows Vista SP1 specifically to enable Remote Assistance. It allows certain applications stored in secure folders, such as system32, to bypass the secure desktop so that they can function as designed. Enabling this setting will lower security slightly but enable Remote Assistance. For more information see http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx. Agencies that use Remote Assistance may reconfigure this setting; since the current SCAP content does not support this sort of conditional logic, agencies will have to track this setting as a deviation.
Category: Conditional
800-53: AC-3 AC-6

Rationale: To lessen the burden UAC has on administrators by not requiring them to enter their credentials.
Impact: Users who log on with administrator privileges will always see elevation prompts on the secure desktop when opening programs that require administrator privileges.
800-53: AC-2 IA-2

Rationale: To lower the risk of a user installing malicious or unauthorized software.
Impact: Users who log on without administrator privileges will be prompted to enter credentials when opening programs that require administrator privileges.
800-53: AC-2 IA-2

Rationale: To lower the risk of a user installing malicious or unauthorized software.
Impact: Users will be prompted to elevate when installing software.
800-53: AC-3 AC-6

Rationale: To lessen the burden UAC has on administrators.
Impact: Unsigned executables can be elevated.
800-53: AC-3 AC-6

Rationale: To lower the risk of a user installing malicious or unauthorized software.
Impact: Only UIA applications that are installed in the specified folders will be able to escalate.
800-53: AC-3 AC-6

Rationale: To lower the risk of a user installing malicious or unauthorized software.
Impact: Administrators will always have to enter their account name as well as their password when responding to User Account Control elevation prompts.
800-53: AC-3 AC-6

Rationale: To lower the risk of a user installing malicious or unauthorized software.
Impact: None. This is the default configuration.
800-53: AC-3 AC-6

Rationale: To lower the risk of a user installing malicious or unauthorized software.
Impact: None. This is the default configuration.
800-53: AC-3 AC-6
Rationale: To limit who is able to connect to shared resources via the network.
Impact: Only administrators will be able to connect to shared resources such as the registry, folders, and printers. This setting also impacts IPsec, including many VPN products. Agencies that use IPsec may change the value of this setting to support their requirements; however, the current SCAP content does not support this sort of conditional logic, so agencies will have to track this setting as a deviation. The simplest workaround to enable affected VPN products is to grant this user right to the built-in Users group; agencies could implement a more restrictive workaround by creating a new group and only adding the accounts required by the VPN software.
Category: Conditional
800-53: AC-3 CM-6

Rationale: This is an extremely powerful user right that is rarely required to perform typical day-to-day actions or administrative tasks.
Impact: The impact should be small since the privilege is rarely required.
800-53: AC-14 IA-2

Rationale: To restrict which accounts are able to adjust memory quotas, because this ability can be used to cause applications to fail.
Impact: Some optional components may fail; for example, IIS requires that the IWAM_<ComputerName> account have this privilege.
800-53: AC-3 CM-6

Rationale: To limit who is able to log onto the local console.
Impact: Only members of the local Administrators and Users groups will be able to log onto the desktop.
800-53: AC-3

Rationale: To limit who is able to log on via Remote Desktop Services.
Impact: Only members of the local Administrators and Remote Desktop Users groups will be able to log on via Remote Desktop Services.
800-53: AC-17

Rationale: To restrict who is able to back up data. This privilege allows a user to bypass file permissions in order to back up all files on the computer, so it can be used maliciously by restoring the files to a different computer that the attacker controls.
Impact: Only administrators will be able to perform system backups. While users can manually back up files, the built-in tools will not work in Windows Vista and Windows 7 if the users do not have this user right. Microsoft has created a limited-release tool for this scenario that allows users to automatically back up and restore their own files even if they do not have this user right assigned to their account. Contact your Microsoft support representative for more information; refer them to the following Knowledge Base articles for Windows Vista: KB955637; and for Windows 7: KB974150.
800-53: CP-9
Rationale: To ensure that Windows and applications function as expected. Removing this user right from the Users group will cause serious problems.
Impact: The Everyone and Backup Operators groups will not have this privilege; the impact should be minimal since Users do have the privilege.
800-53: AC-3

Rationale: To prevent problems with Kerberos authentication and to ensure accurate timestamps on logged events, new objects, and modified objects.
Impact: Only members of the specified groups will be able to change the system time.
800-53: CM-7 AU-8

Rationale: To ensure that mobile users can change the time zone when they travel.
Impact: Only members of the specified groups will be able to change the time zone.
800-53: CM-7 AU-8

Rationale: To prevent system performance issues caused by incorrect pagefile settings.
Impact: Only members of the specified groups will be able to modify the pagefile settings.
800-53: AC-3 CM-6

Rationale: Only the operating system should have this privilege.
Impact: Only the operating system will be able to create token objects.
800-53: AC-3 CM-6

Rationale: To ensure that users cannot create global objects that could affect other user sessions.
Impact: Only members of the specified groups will be able to create global objects.
800-53: AC-3 CM-6

Rationale: Only the operating system should have this privilege.
Impact: Only the operating system will be able to create permanent shared objects.
800-53: AC-3 CM-6

Rationale: Symbolic links can expose security vulnerabilities in applications that are not designed to support them; therefore this user privilege should be restricted.
Impact: Only members of the specified groups will be able to create symbolic links.
800-53: CM-6 CM-7

Rationale: To minimize the risk of malicious software infecting the system.
Impact: None; this is the default configuration.
800-53: AC-3

Rationale: To prevent unauthenticated access to shared resources.
Impact: Members of the Guests group will not be able to access shared resources on the computer.
800-53: IA-2

Rationale: To prevent unauthorized creation of scheduled tasks.
Impact: Members of the Guests group will not be able to log on as batch jobs.
800-53: AC-3 CM-6

Rationale: To ensure that the computer operates smoothly.
Impact: None.
800-53: AC-3 CM-6 IA-5

Rationale: To prevent unauthenticated access to the local console.
Impact: Members of the Guests group will not be able to log on locally.
800-53: IA-2

Rationale: To prevent unauthenticated access to Remote Desktop Services and Remote Assistance.
Impact: Members of the Guests group will not be able to log on through Remote Desktop Services.
800-53: AC-17

Rationale: To prevent malicious users from causing a denial of service condition.
Impact: Only members of the specified groups will be able to shut down the computer remotely.
800-53: AC-17

Rationale: To lower the risk of the security event log being filled with useless data.
Impact: Only members of the specified groups will be able to generate security audits.
800-53: AU-2

Rationale: To ensure that only trusted accounts can impersonate other users.
Impact: Only members of the specified groups will be able to impersonate.
800-53: AC-2

Rationale: To prevent users from configuring memory usage incorrectly.
Impact: Only members of the specified groups will be able to increase working sets.
800-53: AC-3 CM-6

Rationale: To reduce the risk of an application having its priority raised so high that other applications fail.
Impact: Only members of the specified groups will be able to increase scheduling priority.
800-53: AC-3 CM-6

Rationale: To restrict which accounts are able to load code into the kernel.
Impact: Only members of the specified groups will be able to stop and start device drivers.
800-53: CM-5 CM-6

Rationale: Only the operating system should have this privilege.
Impact: Only the operating system will be able to lock pages in memory.
800-53: SI-3

Rationale: Only the operating system should have this privilege.
Impact: Only the operating system will be able to log on as a batch job.
800-53: IA-5

Rationale: Only the operating system should have this privilege.
Impact: Only the operating system will be able to log on as a service.
800-53: IA-5

Rationale: To reduce the risk of audit data being deleted by a malicious user or of audit policies being misconfigured.
Impact: Only members of the specified groups will be able to manage auditing and the security event log.
800-53: AU-2

Rationale: Only the operating system should have this privilege.
Impact: Only the operating system will be able to modify object labels.
800-53: AC-3 CM-6

Rationale: To restrict which accounts are able to upgrade Windows or make changes to firmware configuration.
Impact: Only members of the specified groups will be able to change firmware environment variables.
800-53: CM-3

Rationale: To restrict which accounts are able to defragment drives and perform other storage volume tasks.
Impact: Only members of the specified groups will be able to perform volume maintenance tasks.
800-53: AC-3 CP-9 CM-6

Rationale: To restrict which accounts are able to monitor application performance.
Impact: Only members of the specified groups will be able to monitor application performance.
800-53: CM-6

Rationale: To restrict which accounts are able to monitor system performance.
Impact: Only members of the specified groups will be able to monitor system performance.
800-53: CM-6

Rationale: To reduce the risk of unauthorized users undocking mobile computers, although the value of this setting is diminished because an attacker with physical access could steal both the computer and docking station together.
Impact: Only members of the specified groups will be able to remove the computer from a docking station.
800-53: PE-3

Rationale: To minimize the risk of a rogue administrator hiding unauthorized activity.
Impact: Only members of the specified groups will be able to replace a process level token.
800-53: CM-6 CM-7

Rationale: To reduce the risk of a user accidentally or maliciously overwriting critical files.
Impact: Only members of the specified groups will be able to restore files and directories. While users can manually restore files, the built-in tools will not work in Windows Vista and Windows 7 if the users do not have this user right. Microsoft has created a limited-release tool for this scenario that allows users to automatically back up and restore their own files even if they do not have this
800-53: CP-9
                           user right assigned to their
                           account. Contact your
                           Microsoft support
                           representative for more
                           information, refer them to
                           the following Knowledge
                           Base articles for Windows
                           Vista: KB955637; and for
                           Windows 7: KB974150.



To ensure that authorized Only members of the             AC-3 CM-6
users can shut down       specified groups will be        CM-7
Windows correctly.        able to shut down the
                          system
To restrict which accounts Only members of the                        CM-6
are able to take ownership specified groups will be
of objects.                able to take ownership of
                           files.
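The user-rights rows above can be verified on a host by exporting the effective assignment with secedit.exe and comparing it with the two patterns the spreadsheet uses ("only the operating system" and "only members of the specified groups"). The script below is an added example and is not part of the USGCB spreadsheet or its SCAP content. Everything not on this page is an assumption: the mapping of each row to its SeXxx constant, reading "only the operating system" as "no account holds the right" (secedit leaves such rights out of the export, or exports them empty), and the allow-list, which stands in for "the specified groups" and must be replaced with the groups your own policy names.

```powershell
# Added example, not part of the USGCB spreadsheet: export the effective
# user-rights assignment with secedit.exe and check it against the rows above.
# Assumptions not taken from this page: the SeXxx constant for each row, the
# reading of "only the operating system" rows as "no holders", and the
# allow-list below (Administrators only) standing in for "the specified groups".
# Requires an elevated prompt. Windows PowerShell 2.0 and later.

# Rights the spreadsheet reserves for the operating system: no holders expected.
$MustBeEmpty = 'SeLockMemoryPrivilege', 'SeBatchLogonRight', 'SeServiceLogonRight', 'SeRelabelPrivilege'

# Rights restricted to "the specified groups".
$Restricted = 'SeImpersonatePrivilege', 'SeIncreaseWorkingSetPrivilege',
              'SeIncreaseBasePriorityPrivilege', 'SeLoadDriverPrivilege',
              'SeSecurityPrivilege', 'SeSystemEnvironmentPrivilege',
              'SeManageVolumePrivilege', 'SeProfileSingleProcessPrivilege',
              'SeSystemProfilePrivilege', 'SeUndockPrivilege',
              'SeAssignPrimaryTokenPrivilege', 'SeRestorePrivilege',
              'SeShutdownPrivilege', 'SeTakeOwnershipPrivilege'

# Acceptable holders of a restricted right. secedit writes holders as SIDs
# prefixed with '*' (or as names it can resolve); S-1-5-32-544 is Administrators.
$AllowedHolders = @('*S-1-5-32-544')

function Get-UserRightsAssignment {
    # Returns a hashtable: right name -> array of holder strings.
    $tmp = Join-Path $env:TEMP ('usgcb-rights-{0}.inf' -f [guid]::NewGuid())
    try {
        $null = & secedit.exe /export /cfg $tmp /areas USER_RIGHTS
        if (-not (Test-Path $tmp)) { throw 'secedit export failed; run from an elevated prompt' }
        $rights = @{}
        $inSection = $false
        # The export is a Unicode INI file; the rights live under [Privilege Rights].
        foreach ($line in (Get-Content $tmp -Encoding Unicode)) {
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
            if (-not $inSection) { continue }
            if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
                $holders = @($Matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
                $rights[$Matches[1]] = $holders
            }
        }
        return $rights
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

function Test-UsgcbUserRights {
    $rights = Get-UserRightsAssignment
    $findings = @()
    foreach ($r in $MustBeEmpty) {
        $holders = @()
        if ($rights.ContainsKey($r)) { $holders = @($rights[$r]) }
        if ($holders.Count -eq 0) { $status = 'OK' } else { $status = 'FAIL: must be held by no account' }
        $findings += New-Object PSObject -Property @{ Right = $r; Holders = ($holders -join ','); Status = $status }
    }
    foreach ($r in $Restricted) {
        $holders = @()
        if ($rights.ContainsKey($r)) { $holders = @($rights[$r]) }
        $extra = @($holders | Where-Object { $AllowedHolders -notcontains $_ })
        if ($extra.Count -eq 0) { $status = 'OK' } else { $status = 'REVIEW: ' + ($extra -join ',') }
        $findings += New-Object PSObject -Property @{ Right = $r; Holders = ($holders -join ','); Status = $status }
    }
    $findings
}

Test-UsgcbUserRights | Format-Table Right, Status, Holders -AutoSize
```

Restricted rights are reported as REVIEW rather than FAIL because the spreadsheet does not name the groups; on a default Windows 7 build, for example, SeRestorePrivilege is also held by Backup Operators, which a site may well have approved. Only the "operating system only" rights are a hard failure when any account holds them.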
Services. The service-name column is not part of this extract. The spreadsheet repeats one rationale/impact pair for every service it disables and a second pair for every service it leaves enabled; the rows whose impact text is service-specific follow.

Rationale (each disabled service): Any service is a potential avenue of attack, especially services that provide network services.
Impact: The feature will not be available.

Rationale (each service left enabled): The service is needed for core operating system functions.
Impact: The service should start when needed and the affected features should be available.

Bluetooth
Rationale: Any service is a potential avenue of attack, especially services that provide network services.
Impact: Bluetooth devices will not function. Agencies that want to allow users to use Bluetooth devices may enable this service; because the current SCAP content does not support this kind of conditional logic, those agencies will have to track the setting as a deviation.
Category: Conditional
800-53: AC-6 CM-7 AC-17

Fax
Rationale: Any service is a potential avenue of attack, especially services that provide network services.
Impact: The built-in fax features will not be available.
800-53: CM-6

HomeGroup (group, print and file shares)
Rationale: Any service is a potential avenue of attack, especially services that provide network services.
Impact: Many aspects of HomeGroup networking will not function. This service is responsible for creating and managing the HomeUsers security group, print shares, and file shares.
800-53: CA-3

HomeGroup (networking)
Rationale: Any service is a potential avenue of attack, especially services that provide network services.
Impact: Many aspects of HomeGroup networking will not function. This service is responsible for networking tasks such as joining the homegroup, detecting homegroups, advertising the homegroup, and transmitting homegroup messages between the members of the homegroup.
800-53: CM-5 CM-6

Media Center Extender
Rationale: Any service is a potential avenue of attack, especially services that provide network services.
Impact: Media Center Extenders will not be able to connect to the computer.
800-53: CM-6

Windows Vista compatibility stub
Rationale: Any service is a potential avenue of attack, especially services that provide network services.
Impact: This service is a stub only, included for backward compatibility with Windows Vista.
800-53: CM-6 CM-7
Rationale: To allow the client to receive DHCP responses that would otherwise be blocked by CCE-9069-6.
Impact: Allows DHCP messages for stateful auto-configuration. This is a built-in rule available in the Windows Firewall with Advanced Security management console; rule details:
  Program: %SystemRoot%\system32\svchost.exe
  Action: Allow
  Security (Require authentication): not recorded
  Authorized computers: not recorded
  Authorized users: not recorded
  Protocol: 17 (UDP)
  Local port: 68
  Remote port: 67
  ICMP settings: Any
  Local scope: Any
  Remote scope: Any
  Profile: All
  Network interface type: All
  Service: dhcp
  Allow edge traversal: False
  Group: Core Networking
800-53: CM-6

Rationale: To allow the client to receive DHCP responses that would otherwise be blocked by CCE-9069-6.
Impact: Allows DHCPv6 messages for stateful auto-configuration. This is a built-in rule available in the Windows Firewall with Advanced Security management console; rule details:
  Program: %SystemRoot%\system32\svchost.exe
  Action: Allow
  Security (Require authentication): not recorded
  Authorized computers: not recorded
  Authorized users: not recorded
  Protocol: 17 (UDP)
  Local port: 546
  Remote port: 547
  ICMP settings: Any
  Local scope: Any
  Remote scope: Any
  Profile: All
  Network interface type: All
  Service: dhcp
  Allow edge traversal: False
  Group: Core Networking
800-53: CM-6

Rationale: Windows Firewall outbound rules to block the IPv6 transitional technologies.
Impact: The IPv6 transitional technologies will be blocked.
(The spreadsheet carries two such rows, one per outbound rule.)




Windows Firewall profile settings. The spreadsheet repeats the following eleven rows once for each of the three firewall profiles; the profile-name column is not part of this extract, and the rows are identical across profiles except for the one mapping noted.

Rationale: To facilitate determination of the root cause of system problems or to detect unauthorized activities.
Impact: The dropping of network packets will be recorded in the log for this firewall profile.
800-53: AU-2

Rationale: To facilitate determination of the root cause of system problems or to detect unauthorized activities.
Impact: The establishment of new network connections will be recorded in the log for this firewall profile.
800-53: AU-2

Rationale: To facilitate determination of the root cause of system problems or to detect unauthorized activities.
Impact: Logging will be enabled for this firewall profile.
800-53: CM-6

Rationale: To facilitate determination of the root cause of system problems or to detect unauthorized activities.
Impact: The firewall log size will be 16 megabytes for this firewall profile.
800-53: CM-6

Rationale: To alert the user of applications that attempt to open inbound network ports.
Impact: Users will see a notification when a program is blocked from receiving inbound connections in this firewall profile.
800-53: CM-3 CM-6

Rationale: To prevent users with administrative privileges from creating local rules that may lower the security of the firewall.
Impact: Local connection security rules (IPsec rules) will be ignored in this firewall profile.
800-53: CM-6 SC-7 (AC-4 for one of the three profiles)

Rationale: To prevent users with administrative privileges from creating local rules that may lower the security of the firewall.
Impact: Local firewall rules will be ignored in this firewall profile.
800-53: AC-4

Rationale: To minimize the risk of an attacker using broadcast or multicast traffic to deliver malicious payloads.
Impact: Unicast responses to multicast and broadcast traffic will be blocked in this profile; this will cause DHCP to fail with certain DHCP servers.
800-53: SC-5 SC-7

Rationale: To ensure that the firewall is actively protecting the computer from network attacks.
Impact: The firewall will be enabled for this firewall profile.
800-53: AC-4

Rationale: To minimize the risk of an attacker exploiting a vulnerable application that has opened an inbound network port.
Impact: Inbound connections will be blocked by default for this firewall profile.
800-53: SC-7 AC-4

Rationale: To minimize potential compatibility problems with authorized applications that access the network.
Impact: Outbound connections will be allowed by default for this firewall profile.
800-53: SC-7

Windows features. Each row carries the same rationale.

Rationale: Any feature is a potential avenue of attack, especially services that provide network services.
Impact: The games features will not be available.
800-53: CM-7

Impact: IIS will not be available.
800-53: CM-7

Impact: The Simple TCP/IP services features will not be available.
800-53: CM-7

Impact: The telnet client will not be available.
800-53: CM-7

Impact: The telnet server will not be available.
800-53: CM-7

Impact: The TFTP client will not be available.
800-53: CM-7

Impact: Windows Media Center and all features that require it will not be available.
800-53: CM-7

Rationale: Registry setting that controls the IPv6 transitional technologies ISATAP, Teredo and 6to4. There is currently no way to apply this setting via a GPO; it must be edited in the registry.
Impact: The IPv6 transitional technologies will be disabled.

Rationale: To ensure that the desktop automatically locks after 15 minutes of inactivity.
Impact: A screen saver will be enabled; the "Screen saver executable name" setting must also be configured.
800-53: AC-3 AC-11 CM-6 CM-7

(Row whose rationale and impact cells are blank in this extract.)
800-53: AC-11

Rationale: To ensure that the desktop automatically locks after 15 minutes of inactivity.
Impact: The desktop will lock after the screen saver timeout is reached.
800-53: AC-11 CM-6 IA-5

Rationale: To ensure that the desktop automatically locks after 15 minutes of inactivity.
Impact: The screen saver will time out after 15 minutes.
800-53: AC-11

Rationale: To prevent users from sending Microsoft feedback on Help and Support content.
Impact: Users will not be able to send Microsoft feedback on Help and Support content.
800-53: CM-6

Rationale: To ensure that Windows tracks the original security zone for files.
Impact: Windows uses the zone information to assess the level of risk of opening various files.
800-53: CM-6

Rationale: To ensure that Windows tracks the original security zone for files.
Impact: Windows uses the zone information to assess the level of risk of opening various files.
800-53: CM-6

Rationale: To minimize the risk of malicious software infecting the system.
Impact: Antivirus programs will scan attachments before users can open them.
800-53: SI-3

Rationale: To prevent users from sharing sensitive data with unauthorized users.
Impact: Users will not be able to share files over the network.
800-53: AC-6
Registry Info / Comments

Registry: HKLM\Software\Policies\Microsoft\Windows\LLTD!EnableLLTDIO, HKLM\Software\Policies\Microsoft\Windows\LLTD!AllowLLTDIOOnDomain, HKLM\Software\Policies\Microsoft\Windows\LLTD!AllowLLTDIOOnPublicNet, HKLM\Software\Policies\Microsoft\Windows\LLTD!ProhibitLLTDIOOnPrivateNet
Comment: Not applicable to XP.

Registry: HKLM\Software\Policies\Microsoft\Windows\LLTD!EnableRspndr, HKLM\Software\Policies\Microsoft\Windows\LLTD!AllowRspndrOnDomain, HKLM\Software\Policies\Microsoft\Windows\LLTD!AllowRspndrOnPublicNet, HKLM\Software\Policies\Microsoft\Windows\LLTD!ProhibitRspndrOnPrivateNet
Comment: Not applicable to XP.

Registry: HKLM\Software\policies\Microsoft\Peernet!Disabled

Registry: HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_AllowNetBridge_NLA

Registry: HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_PersonalFirewallConfig
Comment: Previously this was 'enabled' on Vista; however, the setting is not applicable to Vista.

Registry: HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_ShowSharedAccessUI
Comment: Previously this was 'enabled' on Vista; however, the setting is not applicable to Vista.

Registry: HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_StdDomainUserSetLocation
Comment: Not applicable to Vista or XP.

Registry: HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Force_Tunneling
Comment: Not applicable to Vista or XP.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint!RemoteAddresses
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowOutboundDestinationUnreachable, ...\DomainProfile\IcmpSettings!AllowOutboundSourceQuench, ...\DomainProfile\IcmpSettings!AllowRedirect, ...\DomainProfile\IcmpSettings!AllowInboundEchoRequest, ...\DomainProfile\IcmpSettings!AllowInboundRouterRequest, ...\DomainProfile\IcmpSettings!AllowOutboundTimeExceeded, ...\DomainProfile\IcmpSettings!AllowOutboundParameterProblem, ...\DomainProfile\IcmpSettings!AllowInboundTimestampRequest, ...\DomainProfile\IcmpSettings!AllowInboundMaskRequest (all under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall)
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts!AllowUserPrefMerge
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications!AllowUserPrefMerge
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging!LogDroppedPackets, ...\DomainProfile\Logging!LogSuccessfulConnections, ...\DomainProfile\Logging!LogFilePath, ...\DomainProfile\Logging!LogFileSize (all under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall)
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!RemoteAddresses
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop!RemoteAddresses
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework!RemoteAddresses
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!DisableNotifications
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!DisableUnicastResponsesToMulticastBroadcast
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!EnableFirewall
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint!RemoteAddresses
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowOutboundDestinationUnreachable, ...\StandardProfile\IcmpSettings!AllowOutboundSourceQuench, ...\StandardProfile\IcmpSettings!AllowRedirect, ...\StandardProfile\IcmpSettings!AllowInboundEchoRequest, ...\StandardProfile\IcmpSettings!AllowInboundRouterRequest, ...\StandardProfile\IcmpSettings!AllowOutboundTimeExceeded, ...\StandardProfile\IcmpSettings!AllowOutboundParameterProblem, ...\StandardProfile\IcmpSettings!AllowInboundTimestampRequest, ...\StandardProfile\IcmpSettings!AllowInboundMaskRequest (all under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall)
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts!AllowUserPrefMerge
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications!AllowUserPrefMerge
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings!RemoteAddresses
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop!RemoteAddresses
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework!Enabled, HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework!RemoteAddresses
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!DoNotAllowExceptions
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!DisableNotifications
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!DisableUnicastResponsesToMulticastBroadcast
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!EnableFirewall
Comment: Not applicable to Windows 7 or Vista.

Registry: HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!6to4_State
Comment: In the SCAP 1.2 content, conditional logic first checks whether the registry value HKLM\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters!DisabledComponents is not equal to 0xffffffff. If so, the setting is checked. If the value does equal 0xffffffff, the setting is ignored, because that value indicates that IPv6 is disabled on the computer.

Registry: HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface!IPHTTPS_ClientState, HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface!IPHTTPS_ClientUrl
Comment: Same SCAP 1.2 conditional logic on DisabledComponents as for 6to4_State above.

Registry: HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!ISATAP_State
Comment: Same SCAP 1.2 conditional logic on DisabledComponents as for 6to4_State above.

Registry: HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Teredo_State
Comment: Same SCAP 1.2 conditional logic on DisabledComponents as for 6to4_State above.
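The conditional logic in the four v6Transition comments above is easy to get wrong by hand, because DisabledComponents is a REG_DWORD that PowerShell reads back as a signed integer (0xffffffff appears as -1). The script below is an added example, not part of the USGCB spreadsheet or its SCAP content: it applies the same gate (skip the transition checks when IPv6 is disabled, otherwise evaluate each policy value) and reports the result. The expected "disabled" values are assumptions taken from the TCPIP.admx definitions as the author recalls them, not from this page: 6to4_State, ISATAP_State and Teredo_State as REG_SZ "Disabled", IPHTTPS_ClientState as REG_DWORD 3. Adjust them if your SCAP content or ADMX version differs.

```powershell
# Added example, not part of the USGCB spreadsheet: reproduce the SCAP 1.2
# conditional check from the comment column above. If DisabledComponents says
# IPv6 is switched off, the transition-technology policy values are not
# evaluated; otherwise each must hold its "disabled" value.
# Assumptions not taken from this page: the expected values below follow the
# TCPIP.admx definitions as recalled by the author (REG_SZ "Disabled" for
# 6to4/ISATAP/Teredo, REG_DWORD 3 for IPHTTPS_ClientState), and 0xffffffff is
# the "IPv6 disabled" value. Read-only. Windows PowerShell 2.0 and later.

$Ipv6ParametersKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters'
$V6TransitionKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TCPIP\v6Transition'
$AllComponents     = [int64]4294967295   # 0xffffffff as an unsigned value

$TransitionChecks = @(
    @{ Name = '6to4_State';          Key = $V6TransitionKey;                            Expected = 'Disabled' },
    @{ Name = 'ISATAP_State';        Key = $V6TransitionKey;                            Expected = 'Disabled' },
    @{ Name = 'Teredo_State';        Key = $V6TransitionKey;                            Expected = 'Disabled' },
    @{ Name = 'IPHTTPS_ClientState'; Key = "$V6TransitionKey\IPHTTPS\IPHTTPSInterface"; Expected = 3 }
)

function Get-RegistryValueOrNull {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-Ipv6Disabled {
    # REG_DWORD comes back as Int32, so 0xffffffff reads as -1; mask it back to unsigned.
    $raw = Get-RegistryValueOrNull $Ipv6ParametersKey 'DisabledComponents'
    if ($raw -eq $null) { return $false }
    $unsigned = [int64]$raw -band $AllComponents
    return ($unsigned -eq $AllComponents)
}

function Test-UsgcbIpv6Transition {
    if (Test-Ipv6Disabled) {
        return New-Object PSObject -Property @{
            Applicable = $false
            Reason     = 'DisabledComponents = 0xffffffff: IPv6 is disabled, transition settings not evaluated'
            Findings   = @()
        }
    }
    $findings = foreach ($check in $TransitionChecks) {
        $actual = Get-RegistryValueOrNull $check.Key $check.Name
        New-Object PSObject -Property @{
            Setting  = $check.Name
            Expected = $check.Expected
            Actual   = $actual
            # String comparison so a REG_DWORD 3 and the literal 3 compare equal.
            Pass     = ($actual -ne $null -and ("$actual" -eq "$($check.Expected)"))
        }
    }
    New-Object PSObject -Property @{
        Applicable = $true
        Reason     = 'IPv6 is enabled: each transition technology must be disabled by policy'
        Findings   = @($findings)
    }
}

$result = Test-UsgcbIpv6Transition
$result.Reason
$result.Findings | Format-Table Setting, Expected, Actual, Pass -AutoSize
```

A missing policy value is reported as a failure rather than skipped: when IPv6 is enabled and no policy has been applied, the transition interfaces fall back to their built-in defaults, which is exactly the state the outbound firewall rules earlier on this page exist to catch.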
HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars!EnableRegistrars,
HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars!DisableUPnPRegistrar,
HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars!DisableInBand802DOT11Registrar,
HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars!DisableFlashConfigRegistrar,
HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars!DisableWPDRegistrar,
HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars!MaxWCNDeviceNumber,
HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars!HigherPrecedenceRegistrar
    Not applicable to XP.

HKLM\Software\Policies\Microsoft\Windows\WCN\UI!DisableWcnUi
    Not applicable to XP.

HKLM\Software\Policies\Microsoft\Windows NT\Printers!DoNotInstallCompatibleDriverFromWindowsUpdate
    Not applicable to Vista or XP.

HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!AllowRemoteRPC
    Not applicable to XP.

HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!DisableSendGenericDriverNotFoundToWER
    Not applicable to XP.

HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!DisableSystemRestore
    Not applicable to XP.

HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata!PreventDeviceMetadataFromNetwork
    Not applicable to Vista or XP.

HKLM\Software\Policies\Microsoft\Windows\DriverSearching!SearchOrderConfig
    Not applicable to Vista or XP.

HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoBackgroundPolicy,
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}!NoGPOListChanges

HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload

HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftEventVwrDisableLinks

HKLM\Software\Policies\Microsoft\Windows\TabletPC!PreventHandwritingDataSharing
    Not applicable to Vista or XP.

HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports!PreventHandwritingErrorReports
    Not applicable to XP.

HKLM\Software\Policies\Microsoft\Windows\Internet Connection Wizard!ExitOnMSICW

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetOpenWith

HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting

HKLM\Software\Policies\Microsoft\Windows\Registration Wizard Control!NoRegistration

HKLM\Software\Policies\Microsoft\SearchCompanion!DisableContentFileUpdates

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoOnlinePrintsWizard

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPublishingWizard

HKLM\Software\Policies\Microsoft\Messenger\Client!CEIP

HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!DoReport,
HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting!Disabled
    In the SCAP 1.2 content, conditional logic checks whether Corporate Error
    Reporting (CER) is enabled. On Windows Vista and Windows 7 the group policy
    setting "Computer Configuration\Administrative Templates\Windows
    Components\Windows Error Reporting\Advanced Error Reporting
    Settings\Configure Corporate Error Reporting" is checked; on Windows XP the
    group policy setting "Computer Configuration\Administrative
    Templates\Application Error Reporting\Corporate Error Reporting\Local error
    reporting file path" is checked. If CER is configured, this setting is
    ignored; if CER is not configured, this setting is checked.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!LogonType

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableLocalMachineRunOnce
    New for XP and Vista.

HKLM\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51!DCSettingIndex
    Not applicable to XP.

HKLM\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51!ACSettingIndex
    Not applicable to XP.

HKLM\SOFTWARE\Policies\Microsoft\Power\PowerSettings\9D7815A6-7EE4-497E-8888-515A05F02364!DCSettingIndex (value data 3600)
    New for Vista.

HKLM\SOFTWARE\Policies\Microsoft\Power\PowerSettings\9D7815A6-7EE4-497E-8888-515A05F02364!ACSettingIndex (value data 3600)
    New for Vista.

HKLM\SOFTWARE\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7E!DCSettingIndex (value data 1200)
    New for Vista.

HKLM\SOFTWARE\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7E!ACSettingIndex (value data 1200)
    New for Vista.

HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowUnsolicited,
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowUnsolicitedFullControl,
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services\RAUnsolicit
    In the SCAP 1.2 content, conditional logic checks whether the two group
    policy settings "Solicited Remote Assistance" and "Offer Remote Assistance",
    located at "Computer Configuration\Administrative Templates\System\Remote
    Assistance", are enabled. If both are enabled, this setting is not checked;
    if either is not enabled, this setting is checked. NIST realizes this is
    circular logic; however, there is no other way of determining whether
    Remote Assistance is enabled, so this is the only known method of
    implementing the conditional logic. Agencies that want to ensure Remote
    Assistance is not enabled should implement another SCAP datastream for
    that purpose.

HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowToGetHelp,
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowFullControl,
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!MaxTicketExpiry,
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!MaxTicketExpiryUnits,
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fUseMailto
    In the SCAP 1.2 content, conditional logic checks whether the two group
    policy settings "Solicited Remote Assistance" and "Offer Remote Assistance",
    located at "Computer Configuration\Administrative Templates\System\Remote
    Assistance", are enabled. If both are enabled, this setting is not checked;
    if either is not enabled, this setting is checked. NIST realizes this is
    circular logic; however, there is no other way of determining whether
    Remote Assistance is enabled, so this is the only known method of
    implementing the conditional logic. Agencies that want to ensure Remote
    Assistance is not enabled should implement another SCAP datastream for
    that purpose.

HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!LoggingEnabled
    Not applicable to XP.

HKLM\Software\Policies\Microsoft\Windows NT\Rpc!RestrictRemoteClients

HKLM\Software\Policies\Microsoft\Windows NT\Rpc!EnableAuthEpResolution

HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy!DisableQueryRemoteServer
    Not applicable to Vista or XP.

HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy!EnableQueryRemoteServer
    Not applicable to Vista or XP.

HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{9c5a40da-b965-4fc3-8781-88dd50a6299d}!ScenarioExecutionEnabled
    New for Vista.

Multiple, see subsequent rows
    NTP settings are new for Vista and XP.

HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient!CrossSiteSyncFlags
HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient!EventLogFlags
HKLM\Software\Policies\Microsoft\W32time\Parameters!NtpServer
HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient!ResolvePeerBackoffMaxTimes
HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient!ResolvePeerBackoffMinutes
HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient!SpecialPollInterval
HKLM\Software\Policies\Microsoft\W32time\Parameters!Type

HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableInventory
    Not applicable to Vista or XP.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAutorun
    New for Vista.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDriveTypeAutoRun
    Not applicable to XP.

HKLM\Software\Policies\Microsoft\Windows\Explorer!NoAutoplayfornonVolume
    Not applicable to Vista or XP.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI!EnumerateAdministrators
    Not applicable to XP.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!OverrideMoreGadgetsLink

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffUnsignedGadgets
    Not applicable to XP.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffUserInstalledGadgets
    Not applicable to XP.

HKLM\SOFTWARE\Policies\Microsoft\Windows\Digital Locker!DoNotRunDigitalLocker
    Not applicable to XP.

HKLM\Software\Policies\Microsoft\Windows\EventLog\Application!MaxSize
    Not applicable to XP.

HKLM\Software\Policies\Microsoft\Windows\EventLog\Security!MaxSize
    Not applicable to XP.

HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!MaxSize
    Not applicable to XP.

HKLM\Software\Policies\Microsoft\Windows\EventLog\System!MaxSize
    Not applicable to XP.

HKLM\Software\Policies\Microsoft\Windows\GameUX!DownloadGameInfo
    Not applicable to XP.

HKLM\Software\Policies\Microsoft\Windows\GameUX!GameUpdateOptions
    New for Vista.

HKLM\Software\Policies\Microsoft\Windows\HomeGroup!DisableHomeGroup
    Not applicable to Vista or XP.

HKCU\Software\Policies\Microsoft\Internet Connection Wizard!DisableICW
    This setting was moved from the Internet Explorer 7 baseline to the
    Windows XP baseline because it applies neither to Internet Explorer nor to
    Windows Vista or later versions of Windows.

HKLM\Software\Policies\Microsoft\Conferencing!NoRDS

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!DisablePasswordSaving
    The feature is called "Remote Desktop Services" in Windows 7 and Windows
    Server 2008 R2, but "Terminal Services" in previous versions of Windows.

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDenyTSConnections
    The feature is called "Remote Desktop Services" in Windows 7 and Windows
    Server 2008 R2, but "Terminal Services" in previous versions of Windows.
    In the SCAP 1.2 content, conditional logic checks whether the group policy
    setting "Allow users to connect remotely using Remote Desktop Services",
    located at "Computer Configuration\Administrative Templates\Windows
    Components\Remote Desktop Services\Remote Desktop Session
    Host\Connections", is enabled. If it is, this setting is not checked; if it
    is not enabled, this setting is checked. NIST realizes this is circular
    logic; however, there is no other way of determining whether Remote
    Desktop Services is enabled, so this is the only known method of
    implementing the conditional logic. Agencies that want to ensure Remote
    Desktop Services is not enabled should implement another SCAP datastream
    for that purpose.

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fPromptForPassword
    Not applicable to XP. The feature is called "Remote Desktop Services" in
    Windows 7 and Windows Server 2008 R2, but "Terminal Services" in previous
    versions of Windows.

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MinEncryptionLevel
    The feature is called "Remote Desktop Services" in Windows 7 and Windows
    Server 2008 R2, but "Terminal Services" in previous versions of Windows.

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxIdleTime
    The feature is called "Remote Desktop Services" in Windows 7 and Windows
    Server 2008 R2, but "Terminal Services" in previous versions of Windows.
    Note that conditional logic is not possible for this setting, since there
    is no way to automatically determine how the workstation is being used.

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxDisconnectionTime
    The feature is called "Remote Desktop Services" in Windows 7 and Windows
    Server 2008 R2, but "Terminal Services" in previous versions of Windows.

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!DeleteTempDirsOnExit
    This is new for Vista. The feature is called "Remote Desktop Services" in
    Windows 7 and Windows Server 2008 R2, but "Terminal Services" in previous
    versions of Windows.

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!PerSessionTempDir
    This is new for Vista. The feature is called "Remote Desktop Services" in
    Windows 7 and Windows Server 2008 R2, but "Terminal Services" in previous
    versions of Windows.

HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableEnclosureDownload

HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowIndexingEncryptedStoresOrItems
    Not applicable to XP.

HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingUncachedExchangeFolders
    Not applicable to XP.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU!Disabled
    Not applicable to Vista or XP.

HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet!SpyNetReporting
    Not applicable to XP.

HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!LoggingDisabled
    Not applicable to XP.

HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!Disabled
    Not applicable to XP.

HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!ShowUI,
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\DW!DWAllowHeadless
    Not applicable to XP.

HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DontSendAdditionalData
    Not applicable to XP.

HKLM\Software\Policies\Microsoft\Windows\Explorer!NoDataExecutionPrevention
    Not applicable to Vista or XP.

HKLM\Software\Policies\Microsoft\Windows\Explorer!NoHeapTerminationOnCorruption
    Not applicable to XP.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!PreXPSP2ShellProtocolBehavior

HKLM\Software\Policies\Microsoft\Windows\Installer!SafeForScripting

HKLM\Software\Policies\Microsoft\Windows\Installer!EnableUserControl

HKLM\Software\Policies\Microsoft\Windows\Installer!DisableLUAPatching

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!ReportControllerMissing
    Not applicable to XP.

HKLM\SOFTWARE\Policies\Microsoft\Windows Mail!DisableCommunities
    Not applicable to XP.

HKLM\SOFTWARE\Policies\Microsoft\Windows Mail!ManualLaunchAllowed
    Not applicable to XP.

HKLM\Software\Policies\Microsoft\WMDRM!DisableOnline
    Not applicable to XP.

HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!GroupPrivacyAcceptance

HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!DisableAutoUpdate

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAutoUpdate,
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!AUOptions,
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!ScheduledInstallDay,
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!ScheduledInstallTime
    In the SCAP 1.2 content, conditional logic checks whether the group policy
    setting "Configure Automatic Updates", located at "Computer
    Configuration\Administrative Templates\Windows Components\Windows Update",
    is enabled. If it is, this setting is not checked; if it is not enabled,
    this setting is checked. NIST realizes this is circular logic; however,
    there is no other way of determining whether Windows Update is enabled, so
    this is the only known method of implementing the conditional logic.
    Agencies that want to ensure Windows Update is not enabled should implement
    another SCAP datastream for that purpose.

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUShutdownOption
    In the SCAP 1.2 content, conditional logic checks whether the group policy
    setting "Configure Automatic Updates", located at "Computer
    Configuration\Administrative Templates\Windows Components\Windows Update",
    is enabled. If it is, this setting is not checked; if it is not enabled,
    this setting is checked. NIST realizes this is circular logic; however,
    there is no other way of determining whether Windows Update is enabled, so
    this is the only known method of implementing the conditional logic.
    Agencies that want to ensure Windows Update is not enabled should implement
    another SCAP datastream for that purpose.

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAutoRebootWithLoggedOnUsers
    In the SCAP 1.2 content, conditional logic checks whether the group policy
    setting "Configure Automatic Updates", located at "Computer
    Configuration\Administrative Templates\Windows Components\Windows Update",
    is enabled. If it is, this setting is not checked; if it is not enabled,
    this setting is checked. NIST realizes this is circular logic; however,
    there is no other way of determining whether Windows Update is enabled, so
    this is the only known method of implementing the conditional logic.
    Agencies that want to ensure Windows Update is not enabled should implement
    another SCAP datastream for that purpose.

HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!RescheduleWaitTimeEnabled,
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!RescheduleWaitTime
    In the SCAP 1.2 content, conditional logic checks whether the group policy
    setting "Configure Automatic Updates", located at "Computer
    Configuration\Administrative Templates\Windows Components\Windows Update",
    is enabled. If it is, this setting is not checked; if it is not enabled,
    this setting is checked. NIST realizes this is circular logic; however,
    there is no other way of determining whether Windows Update is enabled, so
    this is the only known method of implementing the conditional logic.
    Agencies that want to ensure Windows Update is not enabled should implement
    another SCAP datastream for that purpose.
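The "gate on a Group Policy setting, then check" pattern that the Corporate Error Reporting, Remote Assistance, Remote Desktop Services and Windows Update rows above all describe, reproduced in PowerShell as an added example; this is not code from the USGCB spreadsheet or the NIST SCAP content. It also carries the separate "is the feature off?" check the notes tell agencies to ship as their own datastream, which is what makes the circularity visible. The registry values the gating policies write (including the CorporateWerServer marker), the expected data for each row, and all function names are assumptions taken from the Group Policy templates rather than from the page; substitute your own baseline's values.

```powershell
# Added example, not from the USGCB spreadsheet or the NIST SCAP content.
# Gating value names and expected data are assumptions from the GP templates.

$TS  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$AU  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$WER = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting'

function Get-RegValue {
    param([string] $Key, [string] $Name)
    # $null when the key or value is absent, i.e. the policy is Not Configured.
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-GatedRow {
    param(
        [string]      $Row,
        [scriptblock] $SkipWhen,   # $true => gating policy is enabled, row is ignored
        [string]      $Key,
        [hashtable]   $Expected    # value name -> data the baseline requires
    )
    if (& $SkipWhen) {
        return [pscustomobject]@{ Row = $Row; Result = 'notapplicable'; Detail = 'gating policy enabled' }
    }
    $failed = foreach ($name in $Expected.Keys) {
        $actual = Get-RegValue -Key $Key -Name $name
        if ($actual -ne $Expected[$name]) { "$name=[$actual] (want $($Expected[$name]))" }
    }
    [pscustomobject]@{
        Row    = $Row
        Result = $(if ($failed) { 'fail' } else { 'pass' })
        Detail = ($failed -join '; ')
    }
}

# The gated rows as the SCAP content evaluates them. Each gate reads the same
# value the row then checks, so a host with the feature turned on via policy
# is reported 'notapplicable', never 'fail'.
$gatedRows = @(
    @{ Row = 'Offer Remote Assistance (fAllowUnsolicited)'; Key = $TS
       SkipWhen = { (Get-RegValue $TS fAllowUnsolicited) -eq 1 -and (Get-RegValue $TS fAllowToGetHelp) -eq 1 }
       Expected = @{ fAllowUnsolicited = 0 } }
    @{ Row = 'Remote Desktop (fDenyTSConnections)'; Key = $TS
       SkipWhen = { (Get-RegValue $TS fDenyTSConnections) -eq 0 }   # "Allow users to connect remotely" enabled
       Expected = @{ fDenyTSConnections = 1 } }
    @{ Row = 'Automatic Updates (NoAutoUpdate/AUOptions)'; Key = $AU
       SkipWhen = { (Get-RegValue $AU NoAutoUpdate) -eq 0 }         # "Configure Automatic Updates" enabled
       Expected = @{ NoAutoUpdate = 0; AUOptions = 4 } }
    @{ Row = 'Error reporting, Vista/7 (WER Disabled)'; Key = $WER
       SkipWhen = { [bool](Get-RegValue $WER CorporateWerServer) }  # assumed CER marker value
       Expected = @{ Disabled = 1 } }
)

# The complementary check with no gate: the one that can actually fail.
function Test-FeatureOff {
    param([string] $Feature, [string] $Key, [string] $Name, $OffValue)
    $actual = Get-RegValue -Key $Key -Name $Name     # absent (Not Configured) counts as not enforced
    [pscustomobject]@{
        Row    = $Feature
        Result = $(if ($actual -eq $OffValue) { 'pass' } else { 'fail' })
        Detail = "$Name=[$actual] (off is $OffValue)"
    }
}

$report = foreach ($r in $gatedRows) { Test-GatedRow @r }
$report += @(
    Test-FeatureOff 'Offer Remote Assistance'     $TS fAllowUnsolicited   0
    Test-FeatureOff 'Solicited Remote Assistance' $TS fAllowToGetHelp     0
    Test-FeatureOff 'Remote Desktop Services'     $TS fDenyTSConnections  1
)
$report | Format-Table -AutoSize
```

Run it twice on a test host, once with the Remote Assistance policies set to Enabled and once with them set to Disabled: the gated rows report notapplicable in the first case and pass in the second, so they never fail, while the ungated Test-FeatureOff rows fail in the first case. That is the behaviour the notes above call circular, and the reason the second set of checks has to exist on its own.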
Account Lockout Policy security settings are not registry keys.

Account Lockout Policy security settings are not registry keys.

Account Lockout Policy security settings are not registry keys.

Password Policy security settings are not registry keys.

Password Policy security settings are not registry keys.

Password Policy security settings are not registry keys.

Password Policy security settings are not registry keys.

Password Policy security settings are not registry keys.

Password Policy security settings are not registry keys.

Audit Policy security settings are not registry keys.
    Not included in FDCC 1.2; this setting requires Vista SP2 or later. It
    cannot be implemented in OVAL 5.3 or OVAL 5.4; a CCE ID needs to be
    requested from MITRE for the 5.10 content.

Audit Policy security settings are not registry keys.
    Not included in FDCC 1.2; this setting requires Vista SP2 or later.

Audit Policy security settings are not registry keys.
    Not included in FDCC 1.2; this setting requires Vista SP2 or later.

Audit Policy security settings are not registry keys.
    Not included in FDCC 1.2; this setting requires Vista SP2 or later.

Audit Policy security settings are not registry keys.
    Not applicable to XP.
    (This note is carried by each of the 27 consecutive Audit Policy rows in
    this block.)

Audit Policy security settings are not registry keys.
    Requires Windows 7 or later.

Audit Policy security settings are not registry keys.
    Not applicable to XP.
    (This note is carried by each of the 23 consecutive Audit Policy rows in
    this block.)
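Because the Password Policy, Account Lockout Policy and Audit Policy rows above have no registry key, a scanner has to read them through the security-policy tooling instead. The following PowerShell is an added example of doing that, not code from the USGCB spreadsheet or the NIST SCAP content: secedit exports the [System Access] section and auditpol reports each audit subcategory. The expected values in the two tables are illustrative assumptions, not the USGCB numbers, and the function names are invented for the example.

```powershell
# Added example, not from the USGCB spreadsheet. Both tools need an elevated
# prompt; auditpol and per-subcategory audit settings exist on Vista and later only.

function Get-SystemAccessPolicy {
    # secedit exports an INI-style file; return its [System Access] section as a hashtable.
    $cfg = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
        $inSection = $false
        $result    = @{}
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $result[$Matches[1]] = $Matches[2] }
        }
        return $result
    }
    finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }
}

function Get-AuditSubcategorySetting {
    param([Parameter(Mandatory)] [string] $Subcategory)
    # /r prints CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = & auditpol.exe /get /subcategory:"$Subcategory" /r | ConvertFrom-Csv
    return ($rows | Select-Object -First 1).'Inclusion Setting'   # e.g. 'Success and Failure', 'No Auditing'
}

# Illustrative expectations, assumed for this example; not the USGCB values.
$SystemAccessExpected = @{ MinimumPasswordLength = 12; PasswordComplexity = 1; LockoutBadCount = 5 }
$AuditExpected        = @{ 'Credential Validation' = 'Success and Failure'; 'Logon' = 'Success and Failure' }

function Test-NonRegistryBaseline {
    $sa = Get-SystemAccessPolicy
    foreach ($name in $SystemAccessExpected.Keys) {
        $actual = [int]$sa[$name]                      # absent key reads as 0, which fails the comparison
        [pscustomobject]@{ Setting = $name; Actual = $actual; Expected = $SystemAccessExpected[$name]
                           Pass = ($actual -eq $SystemAccessExpected[$name]) }
    }
    foreach ($sub in $AuditExpected.Keys) {
        $actual = Get-AuditSubcategorySetting -Subcategory $sub
        [pscustomobject]@{ Setting = "Audit: $sub"; Actual = $actual; Expected = $AuditExpected[$sub]
                           Pass = ($actual -eq $AuditExpected[$sub]) }
    }
}

Test-NonRegistryBaseline | Format-Table -AutoSize
```

The [System Access] names (MinimumPasswordLength, PasswordComplexity, LockoutBadCount and the rest) are the ones secedit itself writes, so the same export can be diffed against a template .inf. On Windows XP, where auditpol is not available, only the secedit half applies, which matches the "Not applicable to XP" notes on the per-subcategory audit rows.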




New for USGCB, addressed by the corresponding setting at Computer
Configuration\Windows Settings\Security Settings\Event Log for Vista and
Windows 7.
(This note is carried by each of the three Event Log rows here.)

Not included in the Vista or Win7 baselines because the security design and
default configuration in those versions of Windows make the value of changing
the ACLs extremely low:
1. Microsoft applied its Security Development Lifecycle throughout the
   operating system, which led to many design changes and code fixes.
2. None of these binaries allows the user to bypass other security controls
   to make system-wide changes, e.g. reg.exe will not let users bypass the
   ACLs on the HKLM hive of the registry.
3. The default ACLs on the file system, registry, and other objects are more
   restrictive in Vista and later. Not every ACL was changed, but Microsoft
   locked things down as far as possible without making the OS unusable.
4. Some of the files do not exist in Vista or later; others are not installed
   by default (or allowed by the USGCB baseline), and unprivileged users
   cannot install them.

Not included in the Vista or Win7 baselines; see the four-point rationale
given for the preceding ACL row.

Not included in the Vista or Win7 baselines; see the four-point rationale
given for the preceding ACL row.

Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.
Not included in the Vista or Win7
baselines because the security design
and default configuration in those
versions of Windows make the value
of changing the ACLs extremely low:
1. Microsoft applied their Security
Development Lifecycle throughout the
operating system, that led to lots of
design changes and code fixes.
2. None of these binaries will allow the
user to bypass other security controls
to make system-wide changes, e.g.
reg.exe won’t allow users to bypass
the ACLs on the HKLM hive of the
registry.
3. The default ACLs on the entire file
system, registry, and other objects are
more restrictive in Vista and later. Not
every single ACL was changed, but
Microsoft tried to lock things down as
much as possible without making the
OS unusable.
4. Some of the files do not exist in
Vista or later, others are not installed
by default (or allowed by the USGCB
baseline) and unprivileged users will
not be able to install them.




For Vista and Windows 7 the USGCB uses the Advanced Audit Policy Settings instead of the legacy Audit Policy settings.
Not a registry key
    Due to design differences between Windows XP and later versions of Windows, the built-in Administrator account shouldn't be disabled until after a replacement administrator account has been created.




Not a registry key




HKLM\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
Not a registry key




Not a registry key




HKLM\System\CurrentControlSet\Control\Lsa\AuditBaseObjects

HKLM\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing

HKLM\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy
    Not applicable to XP.



HKLM\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms




HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies




MACHINE\Software\Microsoft\Driver Signing\Policy
    Not applicable to Windows 7 or Vista.




HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel




HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel




HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange




HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge




HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName




HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD




HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption




HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount




HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon




HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption
HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature


HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature

HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword




HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect




HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature

HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature

HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\SMBServerNameHardeningLevel
    Only applicable to win7 and win2k8 R2:
    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb&displaylang=en



HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon


HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting
    New for Vista.



HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting



MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect
    Not applicable to Windows 7 or Vista.



HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect




HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden
    Not defined for Windows XP due to impact on SMB and CIFS-based networking features.



HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime
HKLM\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt
    New for XP.




MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
    New for USGCB, but it is removed from Vista since the same vulnerability is addressed by CCE-10527-0.




HKLM\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand




HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery




HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect
    Not applicable to Windows 7 or Vista.




MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions
    Not applicable to Windows 7 or Vista.




HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\TcpMaxDataRetransmissions
    New for Vista.




HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions




HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel
Not a registry key




HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM

HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous




HKLM\System\CurrentControlSet\Control\Lsa\DisableDomainCreds




HKLM\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous

HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes
    These need to be different to enforce the default value for each version of Windows.




HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine
    These need to be different to enforce the default value for each version of Windows.
HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine
    These need to be different to enforce the default value for each version of Windows.




HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
    Not applicable to XP.

HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
    These need to be different to enforce the default value for each version of Windows. Configuring this policy setting to (None) on Windows XP will break some features.

HKLM\System\CurrentControlSet\Control\Lsa\ForceGuest
HKLM\System\CurrentControlSet\Control\Lsa\UseMachineId
    Only applicable to win7 and win2k8 R2:
    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb&displaylang=en



HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback
    Only applicable to win7 and win2k8 R2:
    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb&displaylang=en
HKLM\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID
    Only applicable to win7 and win2k8 R2:
    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb&displaylang=en
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes
    Only applicable to win7 and win2k8 R2:
    http://www.microsoft.com/downloads/en/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb&displaylang=en

HKLM\System\CurrentControlSet\Control\Lsa\NoLMHash




Not a registry key




HKLM\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
HKLM\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity



HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec    The "require message integrity" and "require message confidentiality" options were removed in Vista.
HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec    The "require message integrity" and "require message confidentiality" options were removed in Vista.




HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand



HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon




HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy




New for USGCB




HKLM\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive




HKLM\System\CurrentControlSet\Control\Session Manager\ProtectionMode
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken    Not applicable to XP.




HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle    In the SCAP 1.2 content, conditional logic checks whether the group policy setting "Allow users to connect remotely using Remote Desktop Services", located at "Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections", is enabled. If it is enabled, this setting is not checked; if it is not enabled, this setting will be checked.




HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin    Not applicable to XP.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser    Not applicable to XP.




HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection    Not applicable to XP.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures    Not applicable to XP.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths    Not applicable to XP.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA    Not applicable to XP.




HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop    Not applicable to XP.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization    Not applicable to XP.
User Rights security settings are not registry keys    NIST has been unable to determine an automated method for verifying whether or not IPsec is in use; therefore, conditional logic has not been implemented for this setting.




User Rights security settings are not registry keys




User Rights security settings are not registry keys




User Rights security settings are not registry keys    Called "Log on locally" in Windows XP.
User Rights security settings are not registry keys    Called "Allow log on through Terminal Services" in Windows XP and Windows Vista.



User Rights security settings are not registry keys




User Rights security settings are not registry keys    These need to be different to enforce the default value for each version of Windows.




User Rights security settings are not registry keys    These need to be different to enforce the default value for each version of Windows.




User Rights security settings are not registry keys    Not applicable to XP.
User Rights security settings are not registry keys


User Rights security settings are not registry keys

User Rights security settings are not registry keys



User Rights security settings are not registry keys


User Rights security settings are not registry keys    Not applicable to XP.




User Rights security settings are not registry keys    New value for Windows Vista that matches the Windows 7 baseline.

User Rights security settings are not registry keys    Support_388945a0 does not exist in Windows Vista or later, see http://support.microsoft.com/kb/947296 for details.

User Rights security settings are not registry keys    Support_388945a0 does not exist in Windows Vista or later, see http://support.microsoft.com/kb/947296 for details.
User Rights security settings are not registry keys

User Rights security settings are not registry keys    Support_388945a0 does not exist in Windows Vista or later, see http://support.microsoft.com/kb/947296 for details.
User Rights security settings are not registry keys



User Rights security settings are not registry keys
User Rights security settings are not registry keys


User Rights security settings are not registry keys    These need to be different to enforce the default value for each version of Windows.

User Rights security settings are not registry keys    Not applicable to XP.


User Rights security settings are not registry keys



User Rights security settings are not registry keys


User Rights security settings are not registry keys

User Rights security settings are not registry keys

User Rights security settings are not registry keys    These need to be different to enforce the default value for each version of Windows.
User Rights security settings are not registry keys



User Rights security settings are not registry keys    Not applicable to XP.

User Rights security settings are not registry keys



User Rights security settings are not registry keys



User Rights security settings are not registry keys
User Rights security settings are not registry keys    These need to be different to enforce the default value for each version of Windows.

User Rights security settings are not registry keys




User Rights security settings are not registry keys


User Rights security settings are not registry keys




User Rights security settings are not registry keys
User Rights security settings are not registry keys


Not applicable to Windows 7 or Vista.




The potential risks for the service are lower in Windows Vista and later due to security improvements such as outbound filtering for services by the Windows Firewall with Advanced Security and limited privileges for service accounts.
HKLM\SYSTEM\CurrentControlSet\Services\bthserv    In the SCAP 1.2 content, conditional logic checks whether the Bluetooth Support Service is enabled. If it is enabled, this setting is not checked; if it is not enabled, this setting will be checked. NIST realizes this is circular logic; however, there is no other way of determining whether or not Bluetooth is enabled, and therefore this is the only known method for implementing the conditional logic. Agencies that want to ensure Bluetooth is not enabled should implement another SCAP datastream for that purpose.

Not applicable to Windows 7 or Vista.




The potential risks for the service are lower in Windows Vista and later due to security improvements such as outbound filtering for services by the Windows Firewall with Advanced Security and limited privileges for service accounts.
The potential risks for the service are lower in Windows Vista and later due to security improvements such as outbound filtering for services by the Windows Firewall with Advanced Security and limited privileges for service accounts.
Not applicable to Windows 7 or Vista.




HKLM\SYSTEM\CurrentControlSet\Services\Fax    New for Vista.



Also blocked by feature not being installed.



HKLM\SYSTEM\CurrentControlSet\Services\HomeGroupListener    Not applicable to Vista or XP.




HKLM\SYSTEM\CurrentControlSet\Services\HomeGroupProvider    Not applicable to Vista or XP.




Not applicable to Windows 7 or Vista.




HKLM\SYSTEM\CurrentControlSet\Services\Mcx2Svc    Not applicable to Vista or XP.



Not applicable to Windows 7 or Vista.
Not applicable to Windows 7 or Vista.




Not applicable to Windows 7 or Vista.




Not applicable to Windows 7 or Vista.




HKLM\SYSTEM\CurrentControlSet\Services\WPCSvc    Not applicable to Vista or XP.



The potential risks for the service are lower in Windows Vista and later due to security improvements such as outbound filtering for services by the Windows Firewall with Advanced Security and limited privileges for service accounts.
The potential risks for the service are lower in Windows Vista and later due to security improvements such as outbound filtering for services by the Windows Firewall with Advanced Security and limited privileges for service accounts.
Also blocked by feature not being installed.



The potential risks for the service are lower in Windows Vista and later due to security improvements such as outbound filtering for services by the Windows Firewall with Advanced Security and limited privileges for service accounts.
The potential risks for the service are lower in Windows Vista and later due to security improvements such as outbound filtering for services by the Windows Firewall with Advanced Security and limited privileges for service accounts.
The potential risks for the service are lower in Windows Vista and later due to security improvements such as outbound filtering for services by the Windows Firewall with Advanced Security and limited privileges for service accounts.
The potential risks for the service are lower in Windows Vista and later due to security improvements such as outbound filtering for services by the Windows Firewall with Advanced Security and limited privileges for service accounts.
The potential risks for the service are lower in Windows Vista and later due to security improvements such as outbound filtering for services by the Windows Firewall with Advanced Security and limited privileges for service accounts.
Also blocked by feature not being installed.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules\CoreNet-DHCP-In!v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|LPort=68|RPort=67|App=%SystemRoot%\system32\svchost.exe|Svc=dhcp|Name=@FirewallAPI.dll,-25301|Desc=@FirewallAPI.dll,-25303|EmbedCtxt=@FirewallAPI.dll,-25000|    New for Vista.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules\CoreNet-DHCPV6-In!v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|LPort=546|RPort=547|App=%SystemRoot%\system32\svchost.exe|Svc=dhcp|Name=@FirewallAPI.dll,-25304|Desc=@FirewallAPI.dll,-25306|EmbedCtxt=@FirewallAPI.dll,-25000|    There's no comparable built-in rule on Vista.




New for USGCB
New for USGCB




HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile!LogDroppedPackets    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile!LogSuccessfulConnections    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile!LogFilePath    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile!LogFileSize    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile!DisableNotifications    Not applicable to XP.
HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile!AllowLocalIPsecPolicyMerge    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile!AllowLocalPolicyMerge    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile!DisableUnicastResponsesToMulticastBroadcast    Not applicable to XP.


HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile!EnableFirewall    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile!DefaultInboundAction    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile!DefaultOutboundAction    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile!LogDroppedPackets    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile!LogSuccessfulConnections    Not applicable to XP.
HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile!LogFilePath    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile!LogFileSize    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile!DisableNotifications    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile!AllowLocalIPsecPolicyMerge    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile!AllowLocalPolicyMerge    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile!DisableUnicastResponsesToMulticastBroadcast    Not applicable to XP.


HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile!EnableFirewall    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile!DefaultInboundAction    Not applicable to XP.
HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile!DefaultOutboundAction    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile!LogDroppedPackets    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile!LogSuccessfulConnections    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile!LogFilePath    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile!LogFileSize    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile!DisableNotifications    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile!AllowLocalIPsecPolicyMerge    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile!AllowLocalPolicyMerge    Not applicable to XP.
HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile!DisableUnicastResponsesToMulticastBroadcast    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile!EnableFirewall    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile!DefaultInboundAction    Not applicable to XP.



HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile!DefaultOutboundAction    Not applicable to XP.



%Program Files%\Microsoft Games      New for XP and Vista.




HKLM\SYSTEM\CurrentControlSet\Services\W3Svc\DisplayName    New for XP and Vista.



HKLM\SYSTEM\CurrentControlSet\Services\simptcp\DisplayName    New for XP and Vista.



%windir%\system32\telnet.exe         New for Vista.




HKLM\SYSTEM\CurrentControlSet\Services\tlntsvr    New for Vista.
%windir%\system32\tftp.exe    Covered by ACLs on XP; new for Vista.



%windir%\ehome\ehshell.exe              New for Vista.




HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisableComponents    In Windows 7 these countermeasures are replaced by CCE-10266-5, CCE-10764-9, CCE-10130-3, and CCE-10011-5.




HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaveActive    New for XP and Vista.


HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!SCRNSAVE.EXE
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaverIsSecure

HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaveTimeOut

HKCU\Software\Policies\Microsoft\Assistance\Client\1.0!NoExplicitFeedback    New for Vista.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!SaveZoneInformation

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!HideZoneInfoOnProperties

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!ScanWithAntiVirus
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInplaceSharing    Not applicable to XP.
CCE ID v5 (IE8)  CCE ID v5 (IE7)   CCE ID v4         Policy Path
CCE-10638-5      CCE-4147-5        CCE-471           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-10235-0      CCE-3744-0        CCE-708           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-9870-7       CCE-3201-1        CCE-693           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-10522-1      CCE-3993-3        CCE-495           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-10641-9      CCE-3207-8        CCE-1006          Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-10394-5      CCE-3929-7        CCE-146           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-10037-0      CCE-3933-9        CCE-833           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-10096-6      CCE-4017-0        CCE-5             Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-10594-0      CCE-3894-3        CCE-753           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-9973-9       CCE-3866-1        CCE-1032          Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-10607-0      CCE-3875-2        CCE-1054          Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
CCE-10603-9      (Not Applicable)  (Not Applicable)  Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Compatibility View
CCE-10590-8      (Not Applicable)  (Not Applicable)  Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History
CCE-10387-9      CCE-4001-4        CCE-66            Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History
CCE-10110-5      (Not Applicable)  (Not Applicable)  Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History
CCE-9885-5       (Not Applicable)  (Not Applicable)  Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\InPrivate
CCE-10293-9      CCE-4174-9        CCE-964           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
CCE-10052-9      CCE-3941-2        CCE-449           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
CCE-9905-1       CCE-4192-1        CCE-598           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
CCE-10581-7      CCE-3584-0        CCE-1008          Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
CCE-10074-3      CCE-3976-8        CCE-690           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
CCE-10055-2      CCE-4026-1        CCE-1025          Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
CCE-9660-2       CCE-4175-6        CCE-876           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page
CCE-10380-4      CCE-3853-9        CCE-47            Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10002-4      CCE-4109-5        CCE-49            Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10033-9      CCE-3998-2        CCE-685           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10403-4      CCE-3888-5        CCE-491           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-9790-7       CCE-3906-5        CCE-355           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-9779-0       CCE-18394-7       (Not Applicable)  Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-9882-2       CCE-4099-8        CCE-280           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10685-6      CCE-3601-2        CCE-439           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-9750-1       CCE-3249-0        CCE-914           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10389-5      CCE-4139-2        CCE-16            Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-9917-6       CCE-3927-1        CCE-1013          Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10433-1      CCE-3945-3        CCE-176           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10646-8      CCE-18552-0       (Not Applicable)  Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10561-9      CCE-4068-3        CCE-586           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10182-4      CCE-3963-6        CCE-132           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-9821-0       CCE-4104-6        CCE-689           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10650-0      CCE-18467-1       (Not Applicable)  Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10472-9      CCE-3623-6        CCE-720           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10672-4      CCE-3751-5        CCE-126           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-9865-7       CCE-4143-4        CCE-245           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-9599-2       (Not Applicable)  (Not Applicable)  Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10107-1      CCE-4161-6        CCE-910           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10515-5      CCE-18731-0       (Not Applicable)  Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10625-2      CCE-18230-3       (Not Applicable)  Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-9869-9       CCE-3553-5        CCE-359           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10434-9      CCE-3378-7        CCE-863           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10276-4      (Not Applicable)  (Not Applicable)  Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10676-5      CCE-4643-3        CCE-281           Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10486-9      CCE-3619-4        CCE-1002          Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
CCE-10200-4 CCE-3914-9    CCE-425       Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Internet Zone



CCE-10622-9 CCE-3570-9    CCE-724       Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Internet Zone


CCE-10566-8 CCE-4652-4    CCE-218       Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Intranet Zone
CCE-10319-2 CCE-3891-9    CCE-138       Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Local Machine Zone
CCE-10095-8 CCE-4793-6    CCE-308    Computer Configuration\Administrative
                                     Templates\Windows Components\Internet
                                     Explorer\Internet Control Panel\Security
                                     Page\Locked-Down Internet Zone
CCE-10597-3 CCE-4692-0    CCE-781    Computer Configuration\Administrative
                                     Templates\Windows Components\Internet
                                     Explorer\Internet Control Panel\Security
                                     Page\Locked-Down Internet Zone
CCE-10342-4 CCE-3754-9    CCE-320    Computer Configuration\Administrative
                                     Templates\Windows Components\Internet
                                     Explorer\Internet Control Panel\Security
                                     Page\Locked-Down Intranet Zone
CCE-10535-3 CCE-4160-8    CCE-1045   Computer Configuration\Administrative
                                     Templates\Windows Components\Internet
                                     Explorer\Internet Control Panel\Security
                                     Page\Locked-Down Local Machine Zone
CCE-10275-6 CCE-3902-4    CCE-1088   Computer Configuration\Administrative
                                     Templates\Windows Components\Internet
                                     Explorer\Internet Control Panel\Security
                                     Page\Locked-Down Restricted Sites Zone
CCE-10654-2 CCE-4564-1    CCE-140    Computer Configuration\Administrative
                                     Templates\Windows Components\Internet
                                     Explorer\Internet Control Panel\Security
                                     Page\Locked-Down Trusted Sites Zone
CCE-10525-4 CCE-3905-7    CCE-636    Computer Configuration\Administrative
                                     Templates\Windows Components\Internet
                                     Explorer\Internet Control Panel\Security
                                     Page\Restricted Sites Zone



CCE-10393-7 CCE-4050-1    CCE-292    Computer Configuration\Administrative
                                     Templates\Windows Components\Internet
                                     Explorer\Internet Control Panel\Security
                                     Page\Restricted Sites Zone
CCE-10547-8 CCE-4196-2    CCE-178    Computer Configuration\Administrative
                                     Templates\Windows Components\Internet
                                     Explorer\Internet Control Panel\Security
                                     Page\Restricted Sites Zone
CCE-10539-5 CCE-4013-9    CCE-1031   Computer Configuration\Administrative
                                     Templates\Windows Components\Internet
                                     Explorer\Internet Control Panel\Security
                                     Page\Restricted Sites Zone
CCE-9667-7   CCE-3337-3   CCE-41     Computer Configuration\Administrative
                                     Templates\Windows Components\Internet
                                     Explorer\Internet Control Panel\Security
                                     Page\Restricted Sites Zone

CCE-10466-1 CCE-4150-9    CCE-970    Computer Configuration\Administrative
                                     Templates\Windows Components\Internet
                                     Explorer\Internet Control Panel\Security
                                     Page\Restricted Sites Zone
CCE-9982-0   CCE-4062-6   CCE-882     Computer Configuration\Administrative
                                      Templates\Windows Components\Internet
                                      Explorer\Internet Control Panel\Security
                                      Page\Restricted Sites Zone
CCE-10475-2 CCE-4079-0    CCE-763     Computer Configuration\Administrative
                                      Templates\Windows Components\Internet
                                      Explorer\Internet Control Panel\Security
                                      Page\Restricted Sites Zone
CCE-10664-1 CCE-4084-0    CCE-680     Computer Configuration\Administrative
                                      Templates\Windows Components\Internet
                                      Explorer\Internet Control Panel\Security
                                      Page\Restricted Sites Zone


CCE-10725-0 CCE-18912-6 (Not          Computer Configuration\Administrative
                        Applicable)   Templates\Windows Components\Internet
                                      Explorer\Internet Control Panel\Security
                                      Page\Restricted Sites Zone
CCE-9814-5   CCE-4119-4   CCE-208     Computer Configuration\Administrative
                                      Templates\Windows Components\Internet
                                      Explorer\Internet Control Panel\Security
                                      Page\Restricted Sites Zone




CCE-10630-2 CCE-3639-2    CCE-838     Computer Configuration\Administrative
                                      Templates\Windows Components\Internet
                                      Explorer\Internet Control Panel\Security
                                      Page\Restricted Sites Zone
CCE-10431-5 CCE-4031-1    CCE-129     Computer Configuration\Administrative
                                      Templates\Windows Components\Internet
                                      Explorer\Internet Control Panel\Security
                                      Page\Restricted Sites Zone

CCE-9959-8   CCE-4053-5   CCE-175     Computer Configuration\Administrative
                                      Templates\Windows Components\Internet
                                      Explorer\Internet Control Panel\Security
                                      Page\Restricted Sites Zone




CCE-10470-3 CCE-4057-6    CCE-52      Computer Configuration\Administrative
                                      Templates\Windows Components\Internet
                                      Explorer\Internet Control Panel\Security
                                      Page\Restricted Sites Zone
CCE-10461-2 CCE-3564-2    CCE-1012    Computer Configuration\Administrative
                                      Templates\Windows Components\Internet
                                      Explorer\Internet Control Panel\Security
                                      Page\Restricted Sites Zone
CCE-9781-6   CCE-18738-5 (Not           Computer Configuration\Administrative
                         Applicable)    Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone

CCE-10347-3 CCE-4101-2    CCE-26        Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone
CCE-10620-3 CCE-3996-6    CCE-925       Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone
CCE-10360-6 CCE-4066-7    CCE-339       Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone




CCE-10744-1 CCE-18137-0 (Not            Computer Configuration\Administrative
                        Applicable)     Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone
CCE-10651-8 CCE-3696-2    CCE-128       Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone




CCE-10178-2 CCE-3590-7    CCE-639       Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone

CCE-10642-7 CCE-4110-3    CCE-995       Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone
CCE-10004-0 (Not          (Not          Computer Configuration\Administrative
            Applicable)   Applicable)   Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone
CCE-10277-2 CCE-4132-7    CCE-409       Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone
CCE-9898-8   CCE-3400-9   CCE-678       Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone
CCE-9673-5   CCE-4158-2   CCE-563       Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone
CCE-9792-3   CCE-4163-2   CCE-841       Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone
CCE-10554-4 CCE-4202-8    CCE-973       Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone
CCE-10083-4 CCE-3216-9    CCE-1000      Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone
CCE-9669-3   CCE-3855-4   CCE-520       Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone



CCE-10420-8 CCE-4153-3    CCE-200       Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone

CCE-10105-5 (Not          (Not          Computer Configuration\Administrative
            Applicable)   Applicable)   Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone
CCE-9945-7   CCE-3909-9   CCE-1211      Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone


CCE-10094-1 CCE-4018-8    CCE-660       Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone
CCE-9760-0   CCE-4040-2   CCE-28        Computer Configuration\Administrative
                                        Templates\Windows Components\Internet
                                        Explorer\Internet Control Panel\Security
                                        Page\Restricted Sites Zone
CCE-10609-6 CCE-4215-0    CCE-698   Computer Configuration\Administrative
                                    Templates\Windows Components\Internet
                                    Explorer\Internet Control Panel\Security
                                    Page\Restricted Sites Zone


CCE-10696-3 CCE-4845-4    CCE-675   Computer Configuration\Administrative
                                    Templates\Windows Components\Internet
                                    Explorer\Internet Control Panel\Security
                                    Page\Trusted Sites Zone
CCE-10595-7 CCE-3204-5    CCE-946   Computer Configuration\Administrative
                                    Templates\Windows Components\Internet
                                    Explorer\Internet Settings\Component
                                    Updates\Periodic check for updates to
                                    Internet Explorer and Internet Tools
CCE-9776-6   CCE-4098-0   CCE-237   Computer Configuration\Administrative
                                    Templates\Windows Components\Internet
                                    Explorer\Internet Settings\Component
                                    Updates\Periodic check for updates to
                                    Internet Explorer and Internet Tools
CCE-10138-6 CCE-4047-7    CCE-382   Computer Configuration\Administrative
                                    Templates\Windows Components\Internet
                                    Explorer\Security Features\Consistent Mime
                                    Handling




CCE-10635-1 CCE-4149-1    CCE-985   Computer Configuration\Administrative
                                    Templates\Windows Components\Internet
                                    Explorer\Security Features\Mime Sniffing
                                    Safety Feature
CCE-10265-7 CCE-3338-1   CCE-591   Computer Configuration\Administrative
                                   Templates\Windows Components\Internet
                                   Explorer\Security Features\MK Protocol
                                   Security Restriction




CCE-10574-2 CCE-4043-6   CCE-347   Computer Configuration\Administrative
                                   Templates\Windows Components\Internet
                                   Explorer\Security Features\Protection From
                                   Zone Elevation




CCE-10405-9 CCE-3924-8   CCE-119   Computer Configuration\Administrative
                                   Templates\Windows Components\Internet
                                   Explorer\Security Features\Restrict ActiveX
                                   Install
CCE-10578-3 CCE-4122-8   CCE-668    Computer Configuration\Administrative
                                    Templates\Windows Components\Internet
                                    Explorer\Security Features\Restrict File
                                    Download




CCE-10604-7 CCE-4162-4   CCE-827    Computer Configuration\Administrative
                                    Templates\Windows Components\Internet
                                    Explorer\Security Features\Scripted Window
                                    Security Restrictions




CCE-10388-7 CCE-4246-5   CCE-478    User Configuration\Administrative
                                    Templates\Windows Components\Internet
                                    Explorer



CCE-10829-0 CCE-4237-4   CCE-1051   User Configuration\Administrative
                                    Templates\Windows Components\Internet
                                    Explorer


CCE-10291-3 CCE-3647-5   CCE-721    User Configuration\Administrative
                                    Templates\Windows Components\Internet
                                    Explorer




CCE-10701-1 CCE-4056-8   CCE-71     User Configuration\Administrative
                                    Templates\Windows Components\Internet
                                    Explorer\Internet Control Panel\Advanced
                                    settings\Browsing
 Policy Setting Name       Internet Explorer 8 Internet Explorer 7 Rationale
                               USGCB 1.2           USGCB 2.0
Disable changing          Enabled              Enabled             To prevent machines from
Automatic Configuration                                            automatically acquiring
settings                                                           proxy server settings from
                                                                   malicious servers.

Do not allow users to     Enabled                Disabled               To prevent users from
enable or disable add-                                                  installing malware or
ons                                                                     unauthorized software.




Make proxy settings per- Disabled                Disabled               To allow users to
machine (rather than per-                                               configure their own proxy
user)                                                                   settings.
Prevent participation in  Enabled                Enabled                To prevent users from
the Customer Experience                                                 unknowingly sending
Improvement Program                                                     sensitive data to Microsoft.




Prevent performance of    Enabled: Go directly   Enabled: Go directly   When users open Internet
First Run Customize       to home page           to home page           Explorer for the first time
settings                                                                they will be directed to
                                                                        their homepage rather
                                                                        than the Customize
                                                                        Settings dialog box.

Security Zones: Do not    Enabled                Enabled                Prevent users from adding
allow users to add/delete                                               or removing sites from
sites                                                                   security zones.




Security Zones: Do not    Enabled                Enabled                To prevent users from
allow users to change                                                   changing the settings for
policies                                                                any security zone.
Security Zones: Use only Enabled             Enabled            To ensure the zone
machine settings                                                security settings are
                                                                applied uniformly to all
                                                                users.




Turn off Crash Detection Enabled             Enabled            To prevent the Crash
                                                                Detection feature from
                                                                operating.




Turn off Managing          Enabled:Off       Enabled:Off        To ensure that users
SmartScreen Filter                                              cannot change the state of
                                                                the SmartScreen filter.

Turn off the Security      Disabled          Disabled           To prevent users from
Settings Check feature                                          seeing messages that the
                                                                Internet Explorer security
                                                                settings have been
                                                                changed to a risky
                                                                configuration.
Include updated Web site Disabled            (Not Applicable)   To prevent users from
lists from Microsoft                                            seeing the list of
                                                                compatibility Web sites
                                                                available on Windows
                                                                Update.
Configure Delete           Disabled          (Not Applicable)   To retain browsing history
Browsing History on exit                                        data for forensics or
                                                                investigations.

Disable "Configuring       Enabled:40 days   Enabled:40 days    To retain browsing history
History"                                                        data for forensics or
                                                                investigations.



Prevent Deleting Web       Enabled           (Not Applicable)   To retain browsing history
sites that the User has                                         data for forensics or
Visited                                                         investigations.
Turn off InPrivate         Enabled           (Not Applicable)   To retain data about the
Browsing                                                        user's use of Internet
                                                                Explorer for forensics or
                                                                investigations.
Allow active content from Disabled           Disabled          To prevent users from
CDs to run on user                                             installing malware or
machines                                                       unauthorized software.



Allow software to run or   Disabled          Disabled          To prevent users from
install even if the                                            installing malware or
signature is invalid                                           unauthorized software.

Allow third-party browser Disabled           Disabled          To prevent users from
extensions                                                     installing malware or
                                                               unauthorized software.



Automatically check for Disabled             Disabled          Internet Explorer will not
Internet Explorer updates                                      check for new versions
                                                               online.

Check for server           Enabled           Enabled           To prevent browsing to
certificate revocation                                         secure websites which
                                                               have revoked certificates.

Check for signature on     Enabled           Enabled           To ensure that Internet
downloaded programs                                            Explorer confirms the
                                                               validity of signatures on
                                                               downloaded programs,
                                                               lowering the risk of
                                                               malware infecting the
                                                               computer.
Intranet Sites: Include all Disabled         Disabled          To lower the risk of an
network paths (UNCs)                                           unauthorized server being
                                                               mapped to the Intranet
                                                               Zone and therefor causing
                                                               the browser to download
                                                               content with less rigorous
                                                               security settings in force.


Access data sources        Enabled:Disable   Enabled:Disable   To lower the risk of a user
across domains                                                 unknowingly accessing
                                                               MSXML or ADO data from
                                                               a different server than the
                                                               one they believe they are
                                                               viewing.

Allow cut, copy or paste   Enabled:Disable   Enabled:Disable   To lower the risk of a user
operations from the                                            unknowingly exposing
clipboard via script                                           sensitive data.
Allow drag and drop or    Enabled:Disable     Enabled:Disable   Content in this zone is
copy and paste files                                            more likely to contain
                                                                malicious code.


Allow font downloads      Enabled:Disable     Enabled:Disable   To prevent users from
                                                                installing malware
                                                                embedded in downloaded
                                                                fonts.
Allow installation of     Enabled:Disable     Enabled:Disable   To prevent users from
desktop items                                                   installing malware or
                                                                unauthorized software.

Allow scripting of Internet Enabled:Disable   Enabled:Disable   To prevent malicious
Explorer web browser                                            scripts from accessing the
control                                                         WebBrowser Control.

Allow script-initiated    Enabled:Disable     Enabled:Disable   To prevent scripts from
windows without size or                                         opening and resizing
position constraints                                            additional browser
                                                                windows without and limits
                                                                on size or position,
                                                                attackers have used this
                                                                technique to trick users
                                                                into clicking on dangerous
                                                                links.
Allow Scriptlets          Enabled:Disable     Enabled:Disable   To prevent the execution
                                                                of potentially malicious
                                                                scriptlets.

Allow status bar updates Enabled:Disable      Enabled:Disable   To prevent scripts from
via script                                                      updating the status bar
                                                                with bogus information that
                                                                may confuse the user.

Automatic prompting for   Enabled:Enable      Enabled:Enable    To lower the risk of users
file downloads                                                  from unknowingly
                                                                downloading potentially
                                                                malicious files.




Download signed ActiveX Enabled:Disable       Enabled:Disable   To prevent users from
controls                                                        installing malware or
                                                                unauthorized software.

Download unsigned         Enabled:Disable     Enabled:Disable   To prevent users from
ActiveX controls                                                installing malware or
                                                                unauthorized software.
Include local directory   Enabled:Disable      Enabled:Disable      To prevent users from
path when uploading files                                           unknowingly revealing
to a server                                                         information about the
                                                                    directory structure of their
                                                                    local computer.
Initialize and script     Enabled:Disable      Enabled:Disable      To prevent users from
ActiveX controls not                                                installing malware or
marked as safe                                                      unauthorized software.

Java permissions          Enabled:Disable Java Enabled:Disable Java To prevent users from
                                                                    installing malware or
                                                                    unauthorized software.

Launching applications    Enabled:Disable      Enabled:Disable      To prevent users from
and files in an IFRAME                                              unknowingly loading
                                                                    malicious content, past
                                                                    exploits leveraged this
                                                                    feature to trick the browser
                                                                    into loading malicious
                                                                    code disguised as an
                                                                    embedded audio or video
                                                                    clip.

Launching programs and Enabled:Prompt          Enabled:Prompt       To lower the risk of users
unsafe files                                                        unknowingly installing
                                                                    malware.


Logon options             Enabled:Prompt for   Enabled:Prompt for   To prevent the local
                          Username/Password    Username/Password    caching of passwords for
                                                                    online accounts.




Loose XAML files          Enabled:Disable      Enabled:Disable      To lower the risk of
                                                                    malicious code being
                                                                    delivered to the user by
                                                                    disabling the loading of
                                                                    XAML files.
Navigate windows and      Enabled:Disable      Enabled:Disable      To lower the risk of users
frames across different                                             unknowingly viewing
domains                                                             content from other
                                                                    domains.
Only allow approved       Enabled:Enable       (Not Applicable)     To prevent users from
domains to use ActiveX                                              installing malware or
controls without prompt                                             unauthorized software.

Open files based on         Enabled:Disable    Enabled:Disable      To lower the risk of users
content, not file extension                                         running malicious code.
Run .NET Framework-      Enabled:Disable        Enabled:Disable       To prevent users from
reliant components not                                                installing malware or
signed with Authenticode                                              unauthorized software.

Run .NET Framework-      Enabled:Disable        Enabled:Disable       To prevent users from
reliant components                                                    installing malware or
signed with Authenticode                                              unauthorized software.

Software channel          Enabled:High Safety   Enabled:High Safety   To prevent users from
permissions                                                           installing malware or
                                                                      unauthorized software.




Turn Off First-Run Opt-In Enabled:Disable       Enabled:Disable       To reduce the risk of users
                                                                      unknowingly executing
                                                                      new controls.


Turn on Cross-Site        Enabled:Enable        (Not Applicable)      To reduce the risk of users
Scripting (XSS) Filter                                                being exploited by cross-
                                                                      site scripting attacks.

Turn on Protected Mode Enabled:Enable           Enabled:Enable        To reduce the risk of users
                                                                      being exploited by
                                                                      malicious content that
                                                                      attempts to write to certain
                                                                      locations in the registry or
                                                                      file system.
Use Pop-up Blocker        Enabled:Enable        Enabled:Enable        To reduce the number of
                                                                      unwanted pop-up
                                                                      windows.

Userdata persistence      Enabled:Disable       Enabled:Disable       To reduce the risk of users
                                                                      unknowingly storing or
                                                                      exposing sensitive data.




Web sites in less         Enabled:Disable       Enabled:Disable       To reduce the risk of
privileged Web content                                                malicious websites
zones can navigate into                                               navigating to other sites
this zone                                                             that may contain additional
                                                                      dangerous content.

Java permissions          Enabled:High Safety   Enabled:High Safety   To prevent users from
                                                                      installing malware or
                                                                      unauthorized software.

Java permissions          Enabled:Disable Java Enabled:Disable Java To prevent users from
                                                                    installing malware or
                                                                    unauthorized software.
Download signed ActiveX Enabled:Disable         Enabled:Disable      To prevent users from
controls                                                             installing malware or
                                                                     unauthorized software.

Java permissions           Enabled:Disable Java Enabled:Disable Java To prevent users from
                                                                     installing malware or
                                                                     unauthorized software.

Java permissions           Enabled:Disable Java Enabled:Disable Java To prevent users from
                                                                     installing malware or
                                                                     unauthorized software.

Java permissions           Enabled:Disable Java Enabled:Disable Java To prevent users from
                                                                     installing malware or
                                                                     unauthorized software.

Java permissions           Enabled:Disable Java Enabled:Disable Java To prevent users from
                                                                     installing malware or
                                                                     unauthorized software.

Java permissions           Enabled:Disable Java Enabled:Disable Java To prevent users from
                                                                     installing malware or
                                                                     unauthorized software.

Access data sources        Enabled:Disable      Enabled:Disable      To lower the risk of a user
across domains                                                       unknowingly accessing
                                                                     MSXML or ADO data from
                                                                     a different server than the
                                                                     one they believe they are
                                                                     viewing.

Allow active scripting     Enabled:Disable      Enabled:Disable      To lower the risk of the
                                                                     user being exploited by
                                                                     malicious content.

Allow binary and script    Enabled:Disable      Enabled:Disable      To lower the risk of the
behaviors                                                            user being exploited by
                                                                     malicious content.

Allow cut, copy or paste   Enabled:Disable      Enabled:Disable      To lower the risk of a user
operations from the                                                  unknowingly exposing
clipboard via script                                                 sensitive data.

Allow drag and drop or     Enabled:Disable      Enabled:Disable      Content in this zone is
copy and paste files                                                 more likely to contain
                                                                     malicious code.


Allow file downloads       Enabled:Disable      Enabled:Disable      To prevent users from
                                                                     installing malware or
                                                                     unauthorized software.
Allow font downloads      Enabled:Disable     Enabled:Disable   To prevent users from
                                                                installing malware
                                                                embedded in downloaded
                                                                fonts.
Allow installation of     Enabled:Disable     Enabled:Disable   To prevent users from
desktop items                                                   installing malware or
                                                                unauthorized software.

Allow META REFRESH        Enabled:Disable     Enabled:Disable   To lower the risk of users
                                                                unknowingly viewing
                                                                content from other pages.



Allow scripting of Internet Enabled:Disable   Enabled:Disable   To prevent malicious
Explorer web browser                                            scripts from accessing the
control                                                         WebBrowser Control.

Allow script-initiated    Enabled:Disable     Enabled:Disable   To prevent scripts from
windows without size or                                         opening and resizing
position constraints                                            additional browser
                                                                windows without any limits
                                                                on size or position;
                                                                attackers have used this
                                                                technique to trick users
                                                                into clicking on dangerous
                                                                links.
Allow Scriptlets          Enabled:Disable     Enabled:Disable   To prevent the execution
                                                                of potentially malicious
                                                                scriptlets.

Allow status bar updates Enabled:Disable      Not Configured    To prevent scripts from
via script                                                      updating the status bar
                                                                with bogus information that
                                                                may confuse the user.

Automatic prompting for   Enabled:Disable     Enabled:Enable    To lower the risk of users
file downloads                                                  unknowingly downloading
                                                                potentially malicious files.




Download signed ActiveX Enabled:Disable       Enabled:Disable   To prevent users from
controls                                                        installing malware or
                                                                unauthorized software.

Download unsigned         Enabled:Disable     Enabled:Disable   To prevent users from
ActiveX controls                                                installing malware or
                                                                unauthorized software.
Include local directory   Enabled:Disable      Enabled:Disable      To prevent users from
path when uploading files                                           unknowingly revealing
to a server                                                         information about the
                                                                    directory structure of their
                                                                    local computer.
Initialize and script     Enabled:Disable      Enabled:Disable      To prevent users from
ActiveX controls not                                                installing malware or
marked as safe                                                      unauthorized software.

Java permissions          Enabled:Disable Java Enabled:Disable Java To prevent users from
                                                                    installing malware or
                                                                    unauthorized software.

Launching applications    Enabled:Disable      Enabled:Disable      To prevent users from
and files in an IFRAME                                              unknowingly loading
                                                                    malicious content, past
                                                                    exploits leveraged this
                                                                    feature to trick the browser
                                                                    into loading malicious
                                                                    code disguised as an
                                                                    embedded audio or video
                                                                    clip.

Launching programs and Enabled:Disable         Enabled:Disable      To prevent users from
unsafe files                                                        installing malware or
                                                                    unauthorized software.

Logon options             Enabled:Anonymous Enabled:Anonymous To prevent users from
                          logon             logon             submitting credentials to
                                                              untrustworthy sites.




Loose XAML files          Enabled:Disable      Enabled:Disable      To lower the risk of
                                                                    malicious code being
                                                                    delivered to the user by
                                                                    disabling the loading of
                                                                    XAML files.
Navigate windows and      Enabled:Disable      Enabled:Disable      To lower the risk of users
frames across different                                             unknowingly viewing
domains                                                             content from other
                                                                    domains.
Only allow approved       Enabled:Enable       (Not Applicable)     To prevent users from
domains to use ActiveX                                              installing malware or
controls without prompt                                             unauthorized software.

Open files based on         Enabled:Disable    Enabled:Disable      To lower the risk of users
content, not file extension                                         running malicious code.
Run .NET Framework-      Enabled:Disable       Enabled:Disable       To prevent users from
reliant components not                                               installing malware or
signed with Authenticode                                             unauthorized software.

Run .NET Framework-      Enabled:Disable       Enabled:Disable       To prevent users from
reliant components                                                   installing malware or
signed with Authenticode                                             unauthorized software.

Run ActiveX controls and Enabled:Disable       Enabled:Disable       To prevent users from
plugins                                                              installing malware or
                                                                     unauthorized software.

Script ActiveX controls   Enabled:Disable      Enabled:Disable       To prevent users from
marked safe for scripting                                            installing malware or
                                                                     unauthorized software.

Scripting of Java applets Enabled:Disable      Enabled:Disable       To prevent users from
                                                                     installing malware or
                                                                     unauthorized software.

Software channel         Enabled:High Safety   Enabled:High Safety   To prevent users from
permissions                                                          installing malware or
                                                                     unauthorized software.




Turn Off First-Run Opt-In Enabled:Disable      Enabled:Disable       To reduce the risk of users
                                                                     unknowingly executing
                                                                     new controls.


Turn on Cross-Site       Enabled:Enable        (Not Applicable)      To reduce the risk of users
Scripting (XSS) Filter                                               being exploited by cross-
                                                                     site scripting attacks.

Turn on Protected Mode Enabled:Enable          Enabled:Enable        To reduce the risk of users
                                                                     being exploited by
                                                                     malicious content that
                                                                     attempts to write to certain
                                                                     locations in the registry or
                                                                     file system.
Use Pop-up Blocker       Enabled:Enable        Enabled:Enable        To reduce the number of
                                                                     unwanted pop-up
                                                                     windows.

Userdata persistence     Enabled:Disable       Enabled:Disable       To reduce the risk of users
                                                                     unknowingly storing or
                                                                     exposing sensitive data.
Web sites in less         Enabled:Disable       Enabled:Disable       To reduce the risk of
privileged Web content                                                malicious websites
zones can navigate into                                               navigating to other sites
this zone                                                             that may contain additional
                                                                      dangerous content.

Java permissions          Enabled:High Safety   Enabled:High Safety   To prevent users from
                                                                      installing malware or
                                                                      unauthorized software.

Turn off changing the     Enabled:blank         Enabled:blank         To prevent users from
URL to be displayed for                                               changing the update
checking updates to                                                   settings.
Internet Explorer and
Internet Tools
Turn off configuring the Enabled:30             Enabled:30            To prevent users from
update check interval (in                                             changing the update
days)                                                                 settings.


Internet Explorer         Enabled               Enabled               To minimize the risk of
Processes                                                             malicious software
                                                                      exploiting MIME file type
                                                                      spoofing to compromise
                                                                      the computer.




Internet Explorer         Enabled               Enabled               To minimize the risk of
Processes                                                             malicious software
                                                                      exploiting MIME file type
                                                                      spoofing to compromise
                                                                      the computer.
Internet Explorer   Enabled   Enabled   To minimize the risk of an
Processes                               attacker exploiting the MK
                                        protocol.




Internet Explorer   Enabled   Enabled   To minimize the risk of
Processes                               compromise from
                                        malicious content located
                                        in less secure security
                                        zones.




Internet Explorer   Enabled   Enabled   To prevent users from
Processes                               installing malware or
                                        unauthorized software.
Internet Explorer        Enabled     Enabled    To prevent websites from
Processes                                       silently sending files to the
                                                computer's disk drive.




Internet Explorer        Enabled     Enabled    To prevent Web sites from
Processes                                       displaying unwanted
                                                pop-up windows.




Disable AutoComplete     Enabled     Enabled    To prevent users from
for forms                                       using the AutoComplete
                                                feature and to prevent the
                                                caching of potentially
                                                sensitive information.

Disable external branding Enabled    Enabled    To prevent third parties
of Internet Explorer                            such as Internet service
                                                providers from altering the
                                                branding for Internet
                                                Explorer.
Turn on the auto-         Disabled   Disabled   To prevent users from
complete feature for user                       using the AutoComplete
names and passwords                             feature and to prevent the
on forms                                        caching of potentially
                                                sensitive information.


Turn off page transitions Enabled    Enabled    To disable page
                                                transitions.
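The settings above are only half of what an auditor needs; the Registry Info column of this spreadsheet gives the backing location of each setting as KEY!VALUENAME (for example ...\Internet Settings\Zones\3!1406), and Windows stores each security-zone URL action as a DWORD in that location. The Python below is an added example, not part of the USGCB spreadsheet or the NIST content: it parses the KEY!VALUENAME notation, translates USGCB cell values into the DWORDs Windows writes (0 = Enable, 1 = Prompt, 3 = Disable for ordinary URL actions, with the separate encodings Microsoft documents for Java permissions and Logon options), and compares them against a registry snapshot. The seven rows are copied from the Registry Info column of this spreadsheet; the registry snapshot is constructed sample data, and the function and variable names are this example's own, not anything the USGCB defines.

```python
"""Audit Internet Explorer security-zone settings against USGCB rows.

Added example, not part of the USGCB spreadsheet.  The registry snapshot
at the bottom is constructed sample data, not taken from a real host.
"""
from __future__ import annotations

# Windows stores each security-zone URL action as a DWORD under
# HKLM\...\Internet Settings\Zones\<zone>\<action id>.  For ordinary
# Enable/Prompt/Disable actions the stored codes are 0, 1 and 3
# (URLPOLICY_ALLOW, URLPOLICY_QUERY, URLPOLICY_DISALLOW).
URLPOLICY = {"Enable": 0, "Prompt": 1, "Disable": 3}

# Two settings on the USGCB sheet use their own encodings (Microsoft
# documents them with the zone registry entries, action ids 1C00 and 1A00).
JAVA_PERMISSIONS = {
    "Disable Java": 0x00000000,
    "High Safety": 0x00010000,
    "Medium Safety": 0x00020000,
    "Low Safety": 0x00030000,
}
LOGON_OPTIONS = {
    "Automatic logon with current username and password": 0x00000000,
    "Prompt for Username/Password": 0x00010000,
    "Automatic logon only in Intranet zone": 0x00020000,
    "Anonymous logon": 0x00030000,
}


def parse_registry_info(ref: str) -> tuple[str, str]:
    """Split the sheet's KEY!VALUENAME reference into (key path, value name).

    The value name follows the last '!' so that value names containing
    spaces ('Enable Browser Extensions') survive intact.
    """
    key, sep, name = ref.rpartition("!")
    if not sep or not key or not name:
        raise ValueError(f"expected KEY!VALUENAME, got {ref!r}")
    return key, name


def expected_dword(setting: str, cell: str) -> int:
    """Translate a USGCB cell such as 'Enabled:Disable' into the stored DWORD."""
    state, _, choice = cell.partition(":")
    if state.strip() != "Enabled":
        raise ValueError(f"{setting}: {cell!r} does not carry a zone value")
    choice = choice.strip()
    if setting == "Java permissions":
        table = JAVA_PERMISSIONS
    elif setting == "Logon options":
        table = LOGON_OPTIONS
    else:
        table = URLPOLICY
    if choice not in table:
        raise ValueError(f"{setting}: unknown choice {choice!r}")
    return table[choice]


def reg_key(key: str, name: str) -> tuple[str, str]:
    """Registry key and value names are case-insensitive; normalise for lookup."""
    return key.lower(), name.lower()


ZONE3 = r"HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# (setting, USGCB value, Registry Info) rows as given on this sheet.
USGCB_ROWS = [
    ("Access data sources across domains", "Enabled:Disable", ZONE3 + "!1406"),
    ("Allow cut, copy or paste operations from the clipboard via script", "Enabled:Disable", ZONE3 + "!1407"),
    ("Allow drag and drop or copy and paste files", "Enabled:Disable", ZONE3 + "!1802"),
    ("Allow font downloads", "Enabled:Disable", ZONE3 + "!1604"),
    ("Allow installation of desktop items", "Enabled:Disable", ZONE3 + "!1800"),
    ("Allow scripting of Internet Explorer web browser control", "Enabled:Disable", ZONE3 + "!1206"),
    ("Allow script-initiated windows without size or position constraints", "Enabled:Disable", ZONE3 + "!2102"),
]

# Constructed snapshot of the policy hive on a hypothetical host: one value
# left at Enable (1407) and one policy never applied (1800 absent).
SAMPLE_REGISTRY: dict[tuple[str, str], int] = {
    reg_key(ZONE3, "1406"): 3,
    reg_key(ZONE3, "1407"): 0,
    reg_key(ZONE3, "1802"): 3,
    reg_key(ZONE3, "1604"): 3,
    reg_key(ZONE3, "1206"): 3,
    reg_key(ZONE3, "2102"): 3,
}


def audit(rows: list[tuple[str, str, str]], registry: dict[tuple[str, str], int]) -> list[str]:
    """Return one finding per row whose stored DWORD is absent or differs from USGCB."""
    findings = []
    for setting, cell, ref in rows:
        key, name = parse_registry_info(ref)
        want = expected_dword(setting, cell)
        have = registry.get(reg_key(key, name))
        if have is None:
            findings.append(f"MISSING  {setting}: {name} not present under {key} (want {want})")
        elif have != want:
            findings.append(f"MISMATCH {setting}: {name}={have}, want {want}")
    return findings


if __name__ == "__main__":
    for line in audit(USGCB_ROWS, SAMPLE_REGISTRY) or ["all sampled settings match USGCB"]:
        print(line)
```

On a real host the snapshot dictionary would be filled from a `reg export` of HKLM\Software\Policies or from `Get-ItemProperty` rather than constructed, and the row list would be the whole zone tab; the comparison itself does not change. Note that a value absent from the Policies hive means the Group Policy setting was never applied, which the audit reports separately from a value that is present but wrong.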
Impact                         Category   800-53      Registry Info
                                          Mapping
Proxy server settings will                CM-5        HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!Autoconfig
not be detected
automatically.

Administrators will have to               CM-5 CM-7   HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoExtensionManagement
manage authorized
Internet Explorer add-ons
with a software
management application
or via group policy using
the 'Add-on List' setting
located at Computer
Configuration\Administrative
Templates\Windows
Components\Internet
Explorer\Security
Features\Add-on
Management

Users will be able to                     AC-4        HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ProxySettingsPerUser
configure their own proxy
settings.

Users will not be able to                 SC-7        HKLM\Software\Policies\Microsoft\Internet Explorer\SQM!DisableCustomerImprovementProgram
contribute to the CEIP and
the "Customer Feedback
Options" menu item will no
longer appear on the Help
menu.

Users will not see the                    SI-3 CM-3   HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DisableFirstRunCustomize
Customize Settings dialog
box.

The site management                       AC-3 AC-6   HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!Security_zones_map_edit
settings for security zones               CM-5
will be disabled; they will
have to be managed
centrally using group
policy or some other tool.

The Custom Level button                   AC-3 AC-6   HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!Security_options_edit
and the security-level                    CM-5
slider on the Security tab
of the Internet Options
dialog box will be disabled.
Normally, if this policy is               CM-2 CM-6   HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!Security_HKLM_only
enabled, changes to zone
security settings made by
a user will apply to all
users; however,
CCE-10037-0 prevents users
from changing the settings,
so all users will receive the
same settings through
group policy.

When Internet Explorer                    CM-4        HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoCrashDetection
crashes it will invoke
Windows Error Reporting;
all policy settings for
Windows Error Reporting
will continue to apply.

Users will not be prompted                SI-3 CM-7   HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!EnabledV8
to enable the SmartScreen
filter.

The security settings                     CM-6        HKLM\Software\Policies\Microsoft\Internet Explorer\Security!DisableSecuritySettingsCheck
check will not be
performed.

The Microsoft Web site list               AC-6        HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!MSCompatibilityMode
will not be used.

Delete Browsing History                   AU-9        HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!ClearBrowsingHistoryOnExit
on exit will be turned off.

Browsing history data will                CM-6        HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!History,
be retained for 40 days                               HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History!DaysToKeep
and users will be unable to
delete it.

Users will be unable to                   CM-6 AU-9   HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanHistory
delete their browsing
history data.

InPrivate Browsing will be                SI-4 AU-9   HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!EnableInPrivateBrowsing
disabled.
Users will be prompted                    CM-5 SI-7   HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings!LOCALMACHINE_CD_UNLOCK
about active content on                   MP-2
CDs before running.

Users will not be able to                 CM-5 SI-7   HKLM\Software\Policies\Microsoft\Internet Explorer\Download!RunInvalidSignatures
install or run files with                 SC-18
invalid signatures.

Browser helper objects will               CM-5 SI-3   HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Enable Browser Extensions
not launch, causing
line-of-business applications
that rely on Internet
Explorer add-ons to fail.

Administrators will have to               SI-2        HKLM\Software\Policies\Microsoft\Internet Explorer\Main!NoUpdateCheck
manage deploying
updated versions of
Internet Explorer.

Internet Explorer will check              IA-5 SC-17  HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!CertificateRevocation
to see if server certificates
have been revoked.

Internet Explorer will check              IA-5 SC-17  HKLM\Software\Policies\Microsoft\Internet Explorer\Download!CheckExeSignatures
the digital signatures of
executable files and
display their identities
before downloading them.

Network paths will not be                 AC-4        HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!UNCAsIntranet
automatically mapped to
the Intranet Zone; other
rules may affect which
zone they are mapped to.




Users will not be able to       AC-4         HKLM\Software\Policies\Microsoft\Wi
load a page in the zone                      ndows\CurrentVersion\Internet
that uses MSXML or ADO                       Settings\Zones\3!1406
to access data from
another site in the zone.


Scripts will not be able to     SC-4         HKLM\Software\Policies\Microsoft\Wi
perform clipboard                            ndows\CurrentVersion\Internet
operations in this security                  Settings\Zones\3!1407
zone..
Users will not be able to        SC-4         HKLM\Software\Policies\Microsoft\Wi
drag files or perform                         ndows\CurrentVersion\Internet
clipboard operations with                     Settings\Zones\3!1802
files in this security zone.

HTML fonts will not be           CM-3         HKLM\Software\Policies\Microsoft\Wi
downloaded in this zone.                      ndows\CurrentVersion\Internet
                                              Settings\Zones\3!1604

Users will not be able to        SI-3         HKLM\Software\Policies\Microsoft\Wi
install desktop items in this                 ndows\CurrentVersion\Internet
zone.                                         Settings\Zones\3!1800

Script access to the             SI-3 CM-7    HKLM\Software\Policies\Microsoft\Wi
WebBrowser Control will                       ndows\CurrentVersion\Internet
not be allowed in this                        Settings\Zones\3!1206
zone.
Potentially harmful script-      SC-18 SI-3   HKLM\Software\Policies\Microsoft\Wi
initiated pop-up windows                      ndows\CurrentVersion\Internet
cannot be run in this zone.                   Settings\Zones\3!2102




Scriptlets cannot be run in      SC-18 SI-3   HKLM\Software\Policies\Microsoft\Wi
this zone.                                    ndows\CurrentVersion\Internet
                                              Settings\Zones\3!1209

Scripts will not be able to      SC-8 SI-3    HKLM\Software\Policies\Microsoft\Wi
update the status bar in                      ndows\CurrentVersion\Internet
this zone.                                    Settings\Zones\3!2103


File downloads that are          SC-18 SI-3   HKLM\Software\Policies\Microsoft\Wi
not initiated by the user will                ndows\CurrentVersion\Internet
be blocked in this zone,                      Settings\Zones\3!2200
and users will see the
Information Bar instead of
the download dialog box,
users can click on the
Information Bar to display
the download dialog box.

Signed ActiveX controls          SC-18 SI-3   HKLM\Software\Policies\Microsoft\Wi
will not be downloaded.in                     ndows\CurrentVersion\Internet
this zone.                                    Settings\Zones\3!1001

Unsigned ActiveX controls        SC-18 SI-3   HKLM\Software\Policies\Microsoft\Wi
will not be downloaded.in                     ndows\CurrentVersion\Internet
this zone.                                    Settings\Zones\3!1004
Path information will be        SC-28        HKLM\Software\Policies\Microsoft\Wi
removed when uploading                       ndows\CurrentVersion\Internet
files via Web forms in this                  Settings\Zones\3!160A
zone.

ActiveX controls not            SC-18        HKLM\Software\Policies\Microsoft\Wi
marked as save will not be                   ndows\CurrentVersion\Internet
executed in this zone.                       Settings\Zones\3!1201

Java applets will not run in    SC-18        HKLM\Software\Policies\Microsoft\Wi
this zone.                                   ndows\CurrentVersion\Internet
                                             Settings\Zones\3!1C00

Users will be unable to run     SC-18 SI-3   HKLM\Software\Policies\Microsoft\Wi
applications or download                     ndows\CurrentVersion\Internet
files from IFRAMEs on                        Settings\Zones\3!1804
pages in this zone.




Users will see the Open         SC-18 SI-3 HKLM\Software\Policies\Microsoft\Wi
File Security Warning                      ndows\CurrentVersion\Internet
prompt when launching                      Settings\Zones\3!1806
executables and other
unsafe files in this zone.
Users will always be            CM-6 IA-2    HKLM\Software\Policies\Microsoft\Wi
prompted to enter their                      ndows\CurrentVersion\Internet
username and password                        Settings\Zones\3!1A00
when logging into websites
in this zone, after providing
their credentials they can
be used silently for the
remainder of that session.


XAML files will not be          SC-18        HKLM\Software\Policies\Microsoft\Wi
loaded in Internet Explorer                  ndows\CurrentVersion\Internet
in this zone.                                Settings\Zones\3!2402


Users will not be able to       AC-4         HKLM\Software\Policies\Microsoft\Wi
open windows and frames                      ndows\CurrentVersion\Internet
from different domains in                    Settings\Zones\3!1607
this zone.
Users will not see per-site     SC-18        HKLM\Software\Policies\Microsoft\Wi
ActiveX controls in this                     ndows\CurrentVersion\Internet
zone.                                        Settings\Zones\3!120b

MIME sniffing to determine      SI-3         HKLM\Software\Policies\Microsoft\Wi
file type will be disabled in                ndows\CurrentVersion\Internet
this zone.                                   Settings\Zones\3!2100
Unsigned .NET                   SI-3 CM-7   HKLM\Software\Policies\Microsoft\Wi
Framework managed code                      ndows\CurrentVersion\Internet
will be disabled in this                    Settings\Zones\3!2004
zone.
Signed .NET Framework           SI-3 CM-7   HKLM\Software\Policies\Microsoft\Wi
managed code will be                        ndows\CurrentVersion\Internet
disabled in this zone.                      Settings\Zones\3!2001

Users will not be notified of   CM-5        HKLM\Software\Policies\Microsoft\Wi
software updates by e-mail                  ndows\CurrentVersion\Internet
and software packages will                  Settings\Zones\3!1E05
not be automatically
downloaded or installed in
this zone.

Users will see the Gold         CM-3        HKLM\Software\Policies\Microsoft\Wi
Bar prompt when they                        ndows\CurrentVersion\Internet
encounter controls that                     Settings\Zones\3!1208
have not been run
previously in this zone.
The XSS filter will be          SC-18 SI-3 HKLM\Software\Policies\Microsoft\Wi
enabled for sites in this                  ndows\CurrentVersion\Internet
zone.                                      Settings\Zones\3!1409

Protected Mode will be          CM-6 CM-7 HKLM\Software\Policies\Microsoft\Wi
turned on in this zone.                   ndows\CurrentVersion\Internet
                                          Settings\Zones\3!2500



Most unwanted pop-ups           SI-3        HKLM\Software\Policies\Microsoft\Wi
will be blocked in this                     ndows\CurrentVersion\Internet
zone.                                       Settings\Zones\3!1809

Users cannot preserve           SC-4        HKLM\Software\Policies\Microsoft\Wi
information in the                          ndows\CurrentVersion\Internet
browser's memory, their                     Settings\Zones\3!1606
favorites list, in an XML
store, or in Web pages
saved to disk in this zone.

Potentially harmful             CM-7 SI-3   HKLM\Software\Policies\Microsoft\Wi
navigation will be blocked                  ndows\CurrentVersion\Internet
in this zone.                               Settings\Zones\3!2101



Java applets will not run in                HKLM\Software\Policies\Microsoft\Wi
this zone.                                  ndows\CurrentVersion\Internet
                                            Settings\Zones\1!1C00

Java applets will not run in    SC-18       HKLM\Software\Policies\Microsoft\Wi
this zone.                                  ndows\CurrentVersion\Internet
                                            Settings\Zones\0!1C00
Signed ActiveX controls        SC-18 SI-3   HKLM\Software\Policies\Microsoft\Wi
will not be downloaded.in                   ndows\CurrentVersion\Internet
this zone.                                  Settings\Lockdown_Zones\3!1001

Java applets will not run in   SC-18        HKLM\Software\Policies\Microsoft\Wi
this zone.                                  ndows\CurrentVersion\Internet
                                            Settings\Lockdown_Zones\3!1C00

Java applets will not run in   SC-18        HKLM\Software\Policies\Microsoft\Wi
this zone.                                  ndows\CurrentVersion\Internet
                                            Settings\Lockdown_Zones\1!1C00

Java applets will not run in                HKLM\Software\Policies\Microsoft\Wi
this zone.                                  ndows\CurrentVersion\Internet
                                            Settings\Lockdown_Zones\0!1C00

Java applets will not run in   SC-18        HKLM\Software\Policies\Microsoft\Wi
this zone.                                  ndows\CurrentVersion\Internet
                                            Settings\Lockdown_Zones\4!1C00

Java applets will not run in   SC-18        HKLM\Software\Policies\Microsoft\Wi
this zone.                                  ndows\CurrentVersion\Internet
                                            Settings\Lockdown_Zones\2!1C00

Users will not be able to      AC-4         HKLM\Software\Policies\Microsoft\Wi
load a page in the zone                     ndows\CurrentVersion\Internet
that uses MSXML or ADO                      Settings\Zones\4!1406
to access data from
another site in the zone.


Script code on pages in        SC-18 SI-3   HKLM\Software\Policies\Microsoft\Wi
this security zone will be                  ndows\CurrentVersion\Internet
disabled.                                   Settings\Zones\4!1400

Binary and script              SC-18 SI-3   HKLM\Software\Policies\Microsoft\Wi
behaviors will not be                       ndows\CurrentVersion\Internet
available in this security                  Settings\Zones\4!2000
zone.
Scripts will not be able to    SI-3         HKLM\Software\Policies\Microsoft\Wi
perform clipboard                           ndows\CurrentVersion\Internet
operations in this security                 Settings\Zones\4!1407
zone.
Users will not be able to      SI-3         HKLM\Software\Policies\Microsoft\Wi
drag files or perform                       ndows\CurrentVersion\Internet
clipboard operations with                   Settings\Zones\4!1802
files in this security zone.

File downloads will be         CM-3         HKLM\Software\Policies\Microsoft\Wi
disabled in this security                   ndows\CurrentVersion\Internet
zone.                                       Settings\Zones\4!1803
HTML fonts will not be           SI-3         HKLM\Software\Policies\Microsoft\Wi
downloaded in this zone.                      ndows\CurrentVersion\Internet
                                              Settings\Zones\4!1604

Users will not be able to        CM-3         HKLM\Software\Policies\Microsoft\Wi
install desktop items in this                 ndows\CurrentVersion\Internet
zone.                                         Settings\Zones\4!1800

Pages in this security zone      SI-3         HKLM\Software\Policies\Microsoft\Wi
that contain an active Meta                   ndows\CurrentVersion\Internet
Refresh setting cannot be                     Settings\Zones\4!1608
redirected to another
page.

Script access to the             CM-6         HKLM\Software\Policies\Microsoft\Wi
WebBrowser Control will                       ndows\CurrentVersion\Internet
not be allowed in this                        Settings\Zones\4!1206
zone.
Potentially harmful script-      SC-18 SI-3   HKLM\Software\Policies\Microsoft\Wi
initiated pop-up windows                      ndows\CurrentVersion\Internet
cannot be run in this zone.                   Settings\Zones\4!2102




Scriptlets cannot be run in      SC-18        HKLM\Software\Policies\Microsoft\Wi
this zone.                                    ndows\CurrentVersion\Internet
                                              Settings\Zones\4!1209

Scripts will not be able to      SC-18        HKLM\Software\Policies\Microsoft\Wi
update the status bar in                      ndows\CurrentVersion\Internet
this zone.                                    Settings\Zones\4!2103


File downloads that are          SC-18 SI-3   HKLM\Software\Policies\Microsoft\Wi
not initiated by the user will                ndows\CurrentVersion\Internet
be blocked in this zone,                      Settings\Zones\4!2200
and users will see the
Information Bar instead of
the download dialog box,
users can click on the
Information Bar to display
the download dialog box.

Signed ActiveX controls          SC-18 SI-3   HKLM\Software\Policies\Microsoft\Wi
will not be downloaded.in                     ndows\CurrentVersion\Internet
this zone.                                    Settings\Zones\4!1001

Unsigned ActiveX controls        SC-18 SI-3   HKLM\Software\Policies\Microsoft\Wi
will not be downloaded.in                     ndows\CurrentVersion\Internet
this zone.                                    Settings\Zones\4!1004
Path information will be        CM-6         HKLM\Software\Policies\Microsoft\Wi
removed when uploading                       ndows\CurrentVersion\Internet
files via Web forms in this                  Settings\Zones\4!160A
zone.

ActiveX controls not            SC-18        HKLM\Software\Policies\Microsoft\Wi
marked as save will not be                   ndows\CurrentVersion\Internet
executed in this zone.                       Settings\Zones\4!1201

Java applets will not run in    SC-18        HKLM\Software\Policies\Microsoft\Wi
this zone.                                   ndows\CurrentVersion\Internet
                                             Settings\Zones\4!1C00

Users will be unable to run     SC-18 SI-3   HKLM\Software\Policies\Microsoft\Wi
applications or download                     ndows\CurrentVersion\Internet
files from IFRAMEs on                        Settings\Zones\4!1804
pages in this zone.




Users will not be able          SC-18 SI-3 HKLM\Software\Policies\Microsoft\Wi
launch executables and                     ndows\CurrentVersion\Internet
other unsafe files in this                 Settings\Zones\4!1806
zone.
Users will always be            CM-6 IA-2    HKLM\Software\Policies\Microsoft\Wi
authenticated as an                          ndows\CurrentVersion\Internet
anonymous user when                          Settings\Zones\4!1A00
visiting sites in this zone
that require logons,
typically this will prevent
the user from accessing
the site further.
XAML files will not be          SC-18        HKLM\Software\Policies\Microsoft\Wi
loaded in Internet Explorer                  ndows\CurrentVersion\Internet
in this zone.                                Settings\Zones\4!2402


Users will not be able to       AC-4         HKLM\Software\Policies\Microsoft\Wi
open windows and frames                      ndows\CurrentVersion\Internet
from different domains in                    Settings\Zones\4!1607
this zone.
Users will not see per-site     SC-18        HKLM\Software\Policies\Microsoft\Wi
ActiveX controls in this                     ndows\CurrentVersion\Internet
zone.                                        Settings\Zones\4!120b

MIME sniffing to determine      SI-3         HKLM\Software\Policies\Microsoft\Wi
file type will be disabled in                ndows\CurrentVersion\Internet
this zone.                                   Settings\Zones\4!2100
Unsigned .NET                   SI-3        HKLM\Software\Policies\Microsoft\Wi
Framework managed code                      ndows\CurrentVersion\Internet
will be disabled in this                    Settings\Zones\4!2004
zone.
Signed .NET Framework           SI-3        HKLM\Software\Policies\Microsoft\Wi
managed code will be                        ndows\CurrentVersion\Internet
disabled in this zone.                      Settings\Zones\4!2001

Controls and plug-ins will      SC-18       HKLM\Software\Policies\Microsoft\Wi
be blocked in this zone.                    ndows\CurrentVersion\Internet
                                            Settings\Zones\4!1200

ActiveX controls marked         SC-18       HKLM\Software\Policies\Microsoft\Wi
safe for scripting will be                  ndows\CurrentVersion\Internet
blocked in this zone.                       Settings\Zones\4!1405

Scripts will be prevented       SC-18       HKLM\Software\Policies\Microsoft\Wi
from accessing Java                         ndows\CurrentVersion\Internet
applets in this zone.                       Settings\Zones\4!1402

Users will not be notified of   CM-5        HKLM\Software\Policies\Microsoft\Wi
software updates by e-mail                  ndows\CurrentVersion\Internet
and software packages will                  Settings\Zones\4!1E05
not be automatically
downloaded or installed in
this zone.

Users will see the Gold         CM-3        HKLM\Software\Policies\Microsoft\Wi
Bar prompt when they                        ndows\CurrentVersion\Internet
encounter controls that                     Settings\Zones\4!1208
have not been run
previously in this zone.
The XSS filter will be          SC-18 SI-3 HKLM\Software\Policies\Microsoft\Wi
enabled for sites in this                  ndows\CurrentVersion\Internet
zone.                                      Settings\Zones\4!1409

Protected Mode will be          CM-6 CM-7 HKLM\Software\Policies\Microsoft\Wi
turned on in this zone.                   ndows\CurrentVersion\Internet
                                          Settings\Zones\4!2500



Most unwanted pop-ups           SI-3        HKLM\Software\Policies\Microsoft\Wi
will be blocked in this                     ndows\CurrentVersion\Internet
zone.                                       Settings\Zones\4!1809

Users cannot preserve           CM-6 CM-7 HKLM\Software\Policies\Microsoft\Wi
information in the                        ndows\CurrentVersion\Internet
browser's memory, their                   Settings\Zones\4!1606
favorites list, in an XML
store, or in Web pages
saved to disk in this zone.
Potentially harmful            CM-7 SI-3   HKLM\Software\Policies\Microsoft\Wi
navigation will be blocked                 ndows\CurrentVersion\Internet
in this zone.                              Settings\Zones\4!2101



Java applets will not run in   SC-18       HKLM\Software\Policies\Microsoft\Wi
this zone.                                 ndows\CurrentVersion\Internet
                                           Settings\Zones\2!1C00

Users will not be able to      SI-3        HKLM\Software\Policies\Microsoft\Inte
configure the update URL.                  rnet
                                           Explorer\Main!Update_Check_Page


Users will not be able to      CM-6 SI-2   HKLM\Software\Policies\Microsoft\Inte
configure the update                       rnet
interval.                                  Explorer\Main!Update_Check_Interval


Internet Explorer will         CM-6        HKLM\Software\Policies\Microsoft\Inte
enforce consistent MIME                    rnet
data for all downloaded                    Explorer\Main\FeatureControl\FEATU
files.                                     RE_MIME_HANDLING!(Reserved),
                                           HKLM\Software\Policies\Microsoft\Inte
                                           rnet
                                           Explorer\Main\FeatureControl\FEATU
                                           RE_MIME_HANDLING!explorer.exe,
                                           HKLM\Software\Policies\Microsoft\Inte
                                           rnet
                                           Explorer\Main\FeatureControl\FEATU
                                           RE_MIME_HANDLING!iexplore.exe



Internet Explorer will not     CM-6        HKLM\Software\Policies\Microsoft\Inte
promote files from one                     rnet
type to a more dangerous                   Explorer\Main\FeatureControl\FEATU
type based on MIME                         RE_MIME_SNIFFING!(Reserved),
sniffing information.                      HKLM\Software\Policies\Microsoft\Inte
                                           rnet
                                           Explorer\Main\FeatureControl\FEATU
                                           RE_MIME_SNIFFING!explorer.exe,
                                           HKLM\Software\Policies\Microsoft\Inte
                                           rnet
                                           Explorer\Main\FeatureControl\FEATU
                                           RE_MIME_SNIFFING!iexplore.exe
Applications that require       CM-6   HKLM\Software\Policies\Microsoft\Inte
the MK protocol will fail,             rnet
the protocol is not widely             Explorer\Main\FeatureControl\FEATU
used so the impact should              RE_DISABLE_MK_PROTOCOL!(Res
be small, nevertheless                 erved),
agencies should test their             HKLM\Software\Policies\Microsoft\Inte
browser-based business                 rnet
applications.                          Explorer\Main\FeatureControl\FEATU
                                       RE_DISABLE_MK_PROTOCOL!expl
                                       orer.exe,
                                       HKLM\Software\Policies\Microsoft\Inte
                                       rnet
                                       Explorer\Main\FeatureControl\FEATU
                                       RE_DISABLE_MK_PROTOCOL!iexpl
                                       ore.exe
All zones will be protected     CM-6   HKLM\Software\Policies\Microsoft\Inte
from zone elevation.                   rnet
                                       Explorer\Main\FeatureControl\FEATU
                                       RE_ZONE_ELEVATION(Reserved),
                                       HKLM\Software\Policies\Microsoft\Inte
                                       rnet
                                       Explorer\Main\FeatureControl\FEATU
                                       RE_ZONE_ELEVATION!explorer.exe,
                                       HKLM\Software\Policies\Microsoft\Inte
                                       rnet
                                       Explorer\Main\FeatureControl\FEATU
                                       RE_ZONE_ELEVATION!iexplore.exe



Prompts for ActiveX             CM-6   HKLM\Software\Policies\Microsoft\Inte
control installations will be          rnet
blocked and controls will              Explorer\Main\FeatureControl\FEATU
not be installed. Agencies             RE_RESTRICT_ACTIVEXINSTALL!(
should establish an                    Reserved),
alternative method for                 HKLM\Software\Policies\Microsoft\Inte
deploying authorized                   rnet
ActiveX controls and                   Explorer\Main\FeatureControl\FEATU
Windows security updates.              RE_RESTRICT_ACTIVEXINSTALL!e
                                       xplorer.exe,
                                       HKLM\Software\Policies\Microsoft\Inte
                                       rnet
                                       Explorer\Main\FeatureControl\FEATU
                                       RE_RESTRICT_ACTIVEXINSTALL!ie
                                       xplore.exe
Web sites will not be able    CM-6        HKLM\Software\Policies\Microsoft\Inte
to initiate file transfers                rnet
without the user                          Explorer\Main\FeatureControl\FEATU
specifically requesting it.               RE_RESTRICT_FILEDOWNLOAD!(R
                                          eserved),
                                          HKLM\Software\Policies\Microsoft\Inte
                                          rnet
                                          Explorer\Main\FeatureControl\FEATU
                                          RE_RESTRICT_FILEDOWNLOAD!ex
                                          plorer.exe,
                                          HKLM\Software\Policies\Microsoft\Inte
                                          rnet
                                          Explorer\Main\FeatureControl\FEATU
                                          RE_RESTRICT_FILEDOWNLOAD!ie
                                          xplore.exe
Pop-up windows will not       CM-6        HKLM\Software\Policies\Microsoft\Inte
display in Internet                       rnet
Explorer.                                 Explorer\Main\FeatureControl\FEATU
                                          RE_WINDOW_RESTRICTIONS!(Res
                                          erved),
                                          HKLM\Software\Policies\Microsoft\Inte
                                          rnet
                                          Explorer\Main\FeatureControl\FEATU
                                          RE_WINDOW_RESTRICTIONS!expl
                                          orer.exe,
                                          HKLM\Software\Policies\Microsoft\Inte
                                          rnet
                                          Explorer\Main\FeatureControl\FEATU
                                          RE_WINDOW_RESTRICTIONS!iexpl
                                          ore.exe
Users will not be             CM-5        HKCU\Software\Policies\Microsoft\Int
presented with possible                   ernet Explorer\Main!Use
matches when filling out                  FormSuggest,
forms.                                    HKCU\Software\Policies\Microsoft\Int
                                          ernet Explorer\Control
                                          Panel!FormSuggest
Customization of the Web                  HKCU\Software\Policies\Microsoft\Int
browser will be prevented.                ernet
                                          Explorer\Restrictions!NoExternalBran
                                          ding

Users will not be             CM-6 IA-5   HKCU\Software\Policies\Microsoft\Int
presented with possible                   ernet Explorer\Main!FormSuggest
matches when filling out                  Passwords,
forms and they will not be                HKCU\Software\Policies\Microsoft\Int
prompted to save                          ernet Explorer\Control
passwords.                                Panel!FormSuggest Passwords

Page transitions will be                  HKCU\Software\Policies\Microsoft\Int
disabled.                                 ernet Explorer\Main!Page_Transitions
Comments
Not applicable to IE7.
Not applicable to IE7.
New for IE7.
New for IE7.
New for IE7.
New for IE7.
Not applicable to IE7.
New for IE7.
New for IE7.
Not applicable to IE7.
New for IE7.
New for IE7.
New for IE7.
New for IE7.
Not applicable to IE7.
Not applicable to IE7.
New for IE7.
Posted: 11/22/2011. Language: English. Pages: 566.