win2k8 - CCE

CCE ID       CCE Description   CCE Parameters

CCE-1841-6   Auditing of "Security System Extension" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2348-1   Auditing of "System Integrity" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2608-8   Auditing of "IPsec Driver" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2022-2   Auditing of "Other System Events" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2414-1   Auditing of "Security State Change" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2441-4   Auditing of "Logon" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2569-2   Auditing of "Logoff" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2110-5   Auditing of "Account Lockout" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2260-8   Auditing of "IPsec Main Mode" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2064-4   Auditing of "IPsec Quick Mode" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2350-7   Auditing of "IPsec Extended Mode" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2610-4   Auditing of "Special Logon" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2615-3   Auditing of "Other Logon/Logoff Events" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2373-9   Auditing of "Network Policy Server" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2531-2   Auditing of "File System" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2553-6   Auditing of "Registry" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2417-4   Auditing of "Kernel Object" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2465-3   Auditing of "SAM" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2095-8   Auditing of "Certification Services" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2368-9   Auditing of "Application Generated" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2408-3   Auditing of "Handle Manipulation" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2601-3   Auditing of "File Share" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2482-8   Auditing of "Filtering Platform Packet Drop" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2504-9   Auditing of "Filtering Platform Connection" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2033-9   Auditing of "Other Object Access Events" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled

CCE-2205-3   Auditing of "Sensitive Privilege Use" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2104-8   Auditing of "Non Sensitive Privilege Use" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2386-1   Auditing of "Other Privilege Use Events" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2518-9   Auditing of "Process Termination" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2522-1   Auditing of "DPAPI Activity" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2544-5   Auditing of "RPC Events" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2002-4   Auditing of "Process Creation" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2433-1   Auditing of "Audit Policy Change" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2566-8   Auditing of "Authentication Policy Change" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2570-0   Auditing of "Authorization Policy Change" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2464-6   Auditing of "MPSSVC Rule-Level Policy Change" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2614-6   Auditing of "Filtering Platform Policy Change" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2385-3   Auditing of "Other Policy Change Events" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2394-5   Auditing of "User Account Management" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2288-9   Auditing of "Computer Account Management" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2443-0   Auditing of "Security Group Management" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-1642-8   Auditing of "Distribution Group Management" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2468-7   Auditing of "Application Group Management" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2485-1   Auditing of "Other Account Management Events" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2367-1   Auditing of "Directory Service Access" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2635-1   Auditing of "Directory Service Changes" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2534-6   Auditing of "Directory Service Replication" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2556-9   Auditing of "Detailed Directory Service Replication" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2586-6   Auditing of "Kerberos Authentication Service" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2463-8   Auditing of "Credential Validation" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2405-9   Auditing of "Kerberos Service Ticket Operations" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-1678-2   Auditing of "Other Account Logon Events" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2545-2   Auditing of "Security System Extension" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2440-6   Auditing of "System Integrity" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2351-5   Auditing of "IPsec Driver" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2193-1   Auditing of "Other System Events" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2448-9   Auditing of "Security State Change" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2470-3   Auditing of "Logon" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2616-1   Auditing of "Logoff" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-1889-5   Auditing of "Account Lockout" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2409-1   Auditing of "IPsec Main Mode" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2536-1   Auditing of "IPsec Quick Mode" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2267-3   Auditing of "IPsec Extended Mode" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2558-5   Auditing of "Special Logon" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-1968-7   Auditing of "Other Logon/Logoff Events" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2575-9   Auditing of "Network Policy Server" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2488-5   Auditing of "File System" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2505-6   Auditing of "Registry" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2195-6   Auditing of "Kernel Object" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-1961-2   Auditing of "SAM" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2358-0   Auditing of "Certification Services" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2622-9   Auditing of "Application Generated" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2503-1   Auditing of "Handle Manipulation" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2402-6   Auditing of "File Share" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2292-1   Auditing of "Filtering Platform Packet Drop" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2437-2   Auditing of "Filtering Platform Connection" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2583-3   Auditing of "Other Object Access Events" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled

CCE-2349-9   Auditing of "Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.   enabled/disabled
CCE-2605-4   Auditing of "Non Sensitive Privilege Use" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2371-3   Auditing of "Other Privilege Use Events" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2389-5   Auditing of "Process Termination" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2604-7   Auditing of "DPAPI Activity" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2498-4   Auditing of "RPC Events" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2375-4   Auditing of "Process Creation" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2269-9   Auditing of "Audit Policy Change" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2151-9   Auditing of "Authentication Policy Change" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2459-6   Auditing of "Authorization Policy Change" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2353-1   Auditing of "MPSSVC Rule-Level Policy Change" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2490-1   Auditing of "Filtering Platform Policy Change" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-1759-0   Auditing of "Other Policy Change Events" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2411-7   Auditing of "User Account Management" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2415-8   Auditing of "Computer Account Management" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2560-1   Auditing of "Security Group Management" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2273-1   Auditing of "Distribution Group Management" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2542-9   Auditing of "Application Group Management" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2062-8   Auditing of "Other Account Management Events" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-1926-5   Auditing of "Directory Service Access" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2445-5   Auditing of "Directory Service Changes" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-1718-6   Auditing of "Directory Service Replication" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2489-3   Auditing of "Detailed Directory Service Replication" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2511-4   Auditing of "Kerberos Authentication Service" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2516-3   Auditing of "Credential Validation" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2291-3   Auditing of "Kerberos Service Ticket Operations" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2564-3   Auditing of "Other Account Logon Events" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled

CCE-2251-7   Auditing of "Audit account logon events" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2211-1   Auditing of "Audit account management" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2215-2   Auditing of "Audit directory service access" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2242-6   Auditing of "Audit logon events" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2136-0   Auditing of "Audit object access" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2268-1   Auditing of "Audit policy change" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2035-4   Auditing of "Audit privilege use" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2295-4   Auditing of "Audit process tracking" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-1837-4   Auditing of "Audit system events" events on success should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-1779-8   Auditing of "Audit account logon events" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2538-7   Auditing of "Audit account management" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2582-5   Auditing of "Audit directory service access" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2574-2   Auditing of "Audit logon events" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2217-8   Auditing of "Audit object access" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2512-2   Auditing of "Audit policy change" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2265-7   Auditing of "Audit privilege use" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-1895-2   Auditing of "Audit process tracking" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-1939-8   Auditing of "Audit system events" events on failure should be enabled or disabled as appropriate.   (1) enabled/disabled
CCE-2026-3   The "Access credential Manager as a trusted caller" setting should be configured correctly.
CCE-2075-0   The "Access this computer from the network (SeNetworkLogonRight)" setting should be configured correctly.
CCE-2079-2   The "Act as part of the operating system (SeTcbPrivilege)" setting should be configured correctly.
CCE-2246-7   The "Add workstations to domain" setting should be configured correctly.
CCE-2004-0   The "Adjust memory quotas for a process (SeIncreaseQuotaPrivilege)" setting should be configured correctly.
CCE-2286-3   The "Allow log on locally" setting should be configured correctly.
CCE-2308-5   The "Allow log on through Terminal Services (SeRemoteInteractiveLogonRight)" setting should be configured correctly.
CCE-1321-9   The "Back up files and directories (SeBackupPrivilege)" setting should be configured correctly.
CCE-2285-5   The "Bypass traverse checking (SeChangeNotifyPrivilege)" setting should be configured correctly.
CCE-2290-5   The "Change the system time (SeSystemTimePrivilege)" setting should be configured correctly.
CCE-2171-7   The "Change the time zone" setting should be configured correctly.
CCE-1328-4   The "Create a pagefile (SeCreatePagefilePrivilege)" setting should be configured correctly.
CCE-1491-0   The "Create a token object (SeCreateTokenPrivilege)" setting should be configured correctly.
CCE-2226-9   The "Create global objects (SeCreateGlobalPrivilege)" setting should be configured correctly.
CCE-1341-7   The "Create permanent shared objects" setting should be configured correctly.
CCE-2305-1   The "Create symbolic links" setting should be configured correctly.
CCE-2310-1   The "Debug programs (SeDebugPrivilege)" setting should be configured correctly.
CCE-2314-3   The "Deny access to this computer from the network (SeDenyNetworkLogonRight)" setting should be configured correctly.
CCE-1834-1   The "Deny log on as a batch job (SeDenyBatchLogonRight)" setting should be configured correctly.
CCE-2296-2   The "Deny log on locally (SeDenyInteractiveLogonRight)" setting should be configured correctly.
CCE-1944-8   The "Deny log on as a service (SeDenyServiceLogonRight)" setting should be configured correctly.
CCE-2102-2   The "Deny log on through Terminal Services (SeDenyRemoteInteractiveLogonRight)" setting should be configured correctly.
CCE-1481-1   The "Enable computer and user accounts to be trusted for delegation (SeEnableDelegationPrivilege)" setting should be configured correctly.
CCE-1750-9   The "Force shutdown from a remote system (SeRemoteShutdownPrivilege)" setting should be configured correctly.
CCE-2129-5   The "Generate security audits (SeAuditPrivilege)" setting should be configured correctly.
CCE-1346-6   The "Impersonate a client after authentication" setting should be configured correctly.

CCE-2306-9   The "Increase a process working set" setting should be configured correctly.
CCE-2328-3   The "Increase scheduling priority (SeIncreaseBasePriorityPrivilege)" setting should be configured correctly.
CCE-1455-5   The "Load and unload device drivers (SeLoadDriverPrivilege)" setting should be configured correctly.
CCE-2332-5   The "Lock pages in memory (SeLockMemoryPrivilege)" setting should be configured correctly.
CCE-1975-2   The "Log on as a batch job (SeBatchLogonRight)" setting should be configured correctly.
CCE-2270-7   The "Log on as a service (SeServiceLogonRight)" setting should be configured correctly.
CCE-1843-2   The "Manage auditing and security log (SeSecurityPrivilege)" setting should be configured correctly.
CCE-2142-8   The "Modify an object label" setting should be configured correctly.
CCE-2257-4   The "Modify firmware environment values (SeSystemEnvironmentPrivilege)" setting should be configured correctly.
CCE-1383-9   The "Perform volume maintenance tasks (SeManageVolumePrivilege)" setting should be configured correctly.
CCE-2360-6   The "Profile single process (SeProfileSingleProcessPrivilege)" setting should be configured correctly.
CCE-2113-9   The "Profile system performance (SeSystemProfilePrivilege)" setting should be configured correctly.
CCE-2382-0   The "Remove computer from docking station (SeUndockPrivilege)" setting should be configured correctly.
CCE-1527-1   The "Replace a process level token (SeAssignPrimaryTokenPrivilege)" setting should be configured correctly.
CCE-2294-7   The "Restore files and directories (SeRestorePrivilege)" setting should be configured correctly.
CCE-2078-4   The "Shut down the system (SeShutdownPrivilege)" setting should be configured correctly.
CCE-2137-8   The "Synchronize directory service data" setting should be configured correctly.   (1) enabled/disabled
CCE-2506-4   The "Take ownership of files or other objects (SeTakeOwnershipPrivilege)" setting should be configured correctly.
             The "Accounts:
             Administrator account
             status" setting should be
CCE-2337-4   configured correctly.        (1) enabled/disabled
             The "Accounts: Guest
             account status" setting
             should be configured
CCE-2342-4   correctly.                   (1) enabled/disabled


             The "Accounts: Limit local
             account use of blank
             passwords to console logon
             only" setting should be
CCE-2364-8   configured correctly.        (1) enabled/disabled
             The "Accounts: Rename
             administrator account"
             setting should be configured
CCE-2227-7   correctly.                   (1) enabled/disabled
             The "Accounts: Rename
             guest account" setting
             should be configured
CCE-2372-1   correctly.                   (1) enabled/disabled


             The "Audit: Audit the
             access of global system
             objects" setting should be
CCE-1751-7   configured correctly.        (1) enabled/disabled


             The "Audit: Audit the use of
             Backup and Restore
             privilege" setting should be
CCE-1773-1   configured correctly.        (1) enabled/disabled
             The "Audit: Force audit
             policy subcategory settings
             (Windows Vista or later) to
             override audit policy
             category settings" setting
             should be configured
CCE-2276-4   correctly.                   (1) enabled/disabled

             The "Audit: Shut down
             system immediately if
             unable to log security
             audits" setting should be
CCE-2315-0   configured correctly.        (1) enabled/disabled
             The "DCOM: Machine
             access restrictions in
             Security Descriptor
             Definition Language (SDDL)
             syntax" setting should be
CCE-2196-4   configured correctly.      (1) enabled/disabled

             The "DCOM: Machine
             launch restrictions in
             Security Descriptor
             Definition Language (SDDL)
             syntax" setting should be
CCE-2201-2   configured correctly.      (1) enabled/disabled


             The "Devices: Allow undock
             without having to log on"
             setting should be configured
CCE-2249-1   correctly.                   (1) enabled/disabled

             The "Devices: Allowed to
             format and eject removable
             media" setting should be
CCE-2377-0   configured correctly.      (1) enabled/disabled


             The "Devices: Prevent
             users from installing printer
             drivers" setting should be
CCE-2152-7   configured correctly.           (1) enabled/disabled
             The "Devices: Restrict
             CD-ROM access to locally
             logged-on user only" setting
             should be configured
CCE-1390-4   correctly.                      (1) enabled/disabled
             The "Devices: Restrict
             floppy access to locally
             logged-on user only" setting
             should be configured
CCE-2383-8   correctly.                      (1) enabled/disabled
             The "Domain Controller:
             Allow server operators to
             schedule tasks" setting
             should be configured
CCE-2049-5   correctly.                      (1) enabled/disabled
             The "Domain Controller:
             LDAP server signing
             requirements" setting
             should be configured
CCE-2317-6   correctly.
             The "Domain Controller:
             Refuse machine account
             password changes" setting
             should be configured
CCE-1934-9   correctly.                (1) enabled/disabled

             The "Domain member:
             Digitally encrypt or sign
             secure channel data
             (always)" setting should be
CCE-2203-8   configured correctly.         (1) enabled/disabled

             The "Domain member:
             Digitally encrypt secure
             channel data (when
             possible)" setting should be
CCE-1868-9   configured correctly.        (1) enabled/disabled

             The "Domain member:
             Digitally sign secure
             channel data (when
             possible)" setting should be
CCE-2362-2   configured correctly.        (1) enabled/disabled

             The "Domain member:
             Disable machine account
             password changes" setting
             should be configured
CCE-2256-6   correctly.

             The "Domain member:
             Maximum machine account
             password age" setting
             should be configured
CCE-2278-0   correctly.

             The "Domain member:
             Require strong (Windows
             2000 or later) session key"
             setting should be configured
CCE-1802-8   correctly.                   (1) enabled/disabled


             The "Interactive logon: Do
             not display last user name"
             setting should be configured
CCE-2199-8   correctly.                   (1) enabled/disabled
             The "Interactive logon: Do
             not require
             CTRL+ALT+DEL" setting
             should be configured
CCE-2331-7   correctly.                      (1) enabled/disabled

             The "Interactive logon:
             Message text for users
             attempting to log on" setting
             should be configured
CCE-2225-1   correctly.

             The "Interactive logon:
             Message title for users
             attempting to log on" setting
             should be configured
CCE-2037-0   correctly.
             The "Interactive logon:
             Number of previous logons
             to cache (in case domain
             controller is not available)"
             setting should be configured
CCE-2297-0   correctly.
             The "Interactive logon:
             Prompt user to change
             password before expiration"
             setting should be configured
CCE-2324-2   correctly.                    (1) enabled/disabled

             The "Interactive logon:
             Require Domain Controller
             authentication to unlock
             workstation" setting should
CCE-2346-5   be configured correctly.    (1) enabled/disabled
             The "Interactive logon:
             Require smart card" setting
             should be configured
CCE-2223-6   correctly.                  (1) enabled/disabled

             The "Interactive logon:
             Smart card removal
             behavior" setting should be
CCE-1448-0   configured correctly.

             The "Microsoft network
             client: Digitally sign
             communications (always)"
             setting should be configured
CCE-2356-4   correctly.                   (1) enabled/disabled
             The "Microsoft network
             client: Digitally sign
             communications (if server
             agrees)" setting should be
CCE-2378-8   configured correctly.         (1) enabled/disabled


             The "Microsoft network
             client: Send unencrypted
             password to third-party
             SMB servers" setting should
CCE-2272-3   be configured correctly.    (1) enabled/disabled


             The "Microsoft network
             server: Amount of idle time
             required before suspending
             session" setting should be
CCE-2236-8   configured correctly.

             The "Microsoft network
             server: Digitally sign
             communications (always)"
             setting should be configured
CCE-2381-2   correctly.                   (1) enabled/disabled


             The "Microsoft network
             server: Digitally sign
             communications (if client
             agrees)" setting should be
CCE-2263-2   configured correctly.         (1) enabled/disabled


             The "Microsoft network
             server: Disconnect clients
             when logon hours expire"
             setting should be configured
CCE-2029-7   correctly.                   (1) enabled/disabled
             The "MSS:
             (AutoAdminLogon) Enable
             Automatic Logon (not
             recommended)" setting
             should be configured
CCE-2307-7   correctly.                   (1) enabled/disabled
             The "MSS:
             (DisableIPSourceRouting)
             IP source routing protection
             level (protects against
             packet spoofing)" setting
             should be configured
CCE-1826-7   correctly.                   (1) enabled/disabled
             The "MSS:
             (EnableDeadGWDetect)
             Allow automatic detection of
             dead network gateways
             (could lead to DoS)" setting
             should be configured
CCE-1967-9   correctly.                   (1) enabled/disabled

             The "MSS:
             (EnableICMPRedirect)
             Allow ICMP redirects to
             override OSPF generated
             routes" setting should be
CCE-1470-4   configured correctly.       (1) enabled/disabled

             The "MSS: (Hidden) Hide
             Computer From the Browse
             List (not recommended
             except for highly secure
             environments)" setting
             should be configured
CCE-2241-8   correctly.               (1) enabled/disabled


             The "MSS: (KeepAliveTime)
             How often keep-alive
             packets are sent in
             milliseconds" setting should
CCE-2399-4   be configured correctly.
             The "MSS:
             (NoDefaultExempt)
             Configure IPSec
             exemptions for various
             types of network traffic."
             setting should be configured
CCE-2404-2   correctly.                   (1) enabled/disabled

             The "MSS:
             (NoDriveTypeAutoRun)
             Disable Autorun for all
             drives (recommended)"
             setting should be configured
CCE-2298-8   correctly.                   (1) enabled/disabled
             The "MSS:
             (NoNameReleaseOnDemand)
             Allow the computer to
             ignore NetBIOS name
             release requests except
             from WINS servers" setting
             should be configured
CCE-2320-0   correctly.                 (1) enabled/disabled



             The automatic generation of
             8.3 file names for NTFS
             should be enabled or
CCE-2156-8   disabled as appropriate.    (1) enabled/disabled

             The "MSS:
             (PerformRouterDiscovery)
             Allow IRDP to detect and
             configure Default Gateway
             addresses (could lead to
             DoS)" setting should be
CCE-1800-2   configured correctly.          (1) enabled/disabled

             The "MSS:
             (SafeDllSearchMode)
             Enable Safe DLL search
             mode (recommended)"
             setting should be configured
CCE-2447-1   correctly.                   (1) enabled/disabled
             The "MSS:
             (ScreenSaverGracePeriod)
             The time in seconds before
             the screen saver grace
             period expires (0
             recommended)" setting
             should be configured         (1) number of
CCE-2183-2   correctly.                   seconds

             The "MSS:
             (SynAttackProtect) Syn
             attack protection level
             (protects against DoS)"
             setting should be configured
CCE-1460-5   correctly.
             The "MSS:
             (TCPMaxConnectResponseRetransmissions)
             SYN-ACK
             retransmissions when a
             connection request is not
             acknowledged" setting
             should be configured
CCE-2384-6   correctly.                   (1) enabled/disabled
             The "MSS:
             (TCPMaxDataRetransmissions)
             How many times
             unacknowledged data is
             retransmitted (3
             recommended, 5 is default)"
             setting should be configured
CCE-2424-0   correctly.

             The "MSS: (WarningLevel)
             Percentage threshold for
             the security event log at
             which the system will
             generate a warning" setting
             should be configured
CCE-2442-2   correctly.

             The "Network access: Allow
             anonymous SID/Name
             translation" setting should
CCE-2318-4   be configured correctly.    (1) enabled/disabled

             The "Network access: Do
             not allow anonymous
             enumeration of SAM
             accounts" setting should be
CCE-1962-0   configured correctly.       (1) enabled/disabled

             The "Network access: Do
             not allow anonymous
             enumeration of SAM
             accounts and shares"
             setting should be configured
CCE-2340-8   correctly.                   (1) enabled/disabled
             The "Network access: Do
             not allow storage of
             credentials or .NET
             Passports for network
             authentication" setting
             should be configured
CCE-2111-3   correctly.                   (1) enabled/disabled
             The "Network access: Let
             Everyone permissions apply
             to anonymous users"
             setting should be configured
CCE-1824-2   correctly.                   (1) enabled/disabled

             The "Network access:
             Named Pipes that can be
             accessed anonymously"
             setting should be configured
CCE-2089-1   correctly.

             The "Network access:
             Remotely accessible
             registry paths" setting
             should be configured
CCE-1521-4   correctly.

             The "Network access:
             Remotely accessible
             registry paths and sub
             paths" setting should be
CCE-2357-2   configured correctly.

             The "Network access:
             Restrict anonymous access
             to Named Pipes and
             Shares" setting should be
CCE-2361-4   configured correctly.     (1) enabled/disabled

             The "Network access:
             Shares that can be
             accessed anonymously"
             setting should be configured
CCE-2507-2   correctly.

             The "Network access:
             Sharing and security model
             for local accounts" setting
             should be configured
CCE-2406-7   correctly.

             The "Network security: Do
             not store LAN Manager
             hash value on next
             password change" setting
             should be configured
CCE-2304-4   correctly.                     (1) enabled/disabled
             The "Network security:
             Force logoff when logon
             hours expire" setting should
CCE-2432-3   be configured correctly.     (1) enabled/disabled


             The "Network security: LAN
             Manager authentication
             level" setting should be
CCE-2454-7   configured correctly.

             The "Network security:
             LDAP client signing
             requirements" setting
             should be configured
CCE-2327-5   correctly.

             The "Network security:
             Minimum session security
             for NTLM SSP based
             (including secure RPC)
             clients" setting should be
CCE-1767-3   configured correctly.          (1) enabled/disabled

             The "Network security:
             Minimum session security
             for NTLM SSP based
             (including secure RPC)
             servers" setting should be
CCE-2410-9   configured correctly.         (1) enabled/disabled
             The "Recovery console:
             Allow automatic
             administrative logon" setting
             should be configured
CCE-2309-3   correctly.                    (1) enabled/disabled

             The "Recovery console:
             Allow floppy copy and
             access to all drives and all
             folders" setting should be
CCE-1553-7   configured correctly.          (1) enabled/disabled

             The "Shutdown: Allow
             system to be shut down
             without having to log on"
             setting should be configured
CCE-2403-4   correctly.                   (1) enabled/disabled
             The "Shutdown: Clear
             virtual memory pagefile"
             setting should be configured
CCE-2416-6   correctly.                   (1) enabled/disabled

             The "System cryptography:
             Force strong key protection
             for user keys stored on the
             computer" setting should be
CCE-2319-2   configured correctly.       (1) enabled/disabled

             The "System cryptography:
             Use FIPS compliant
             algorithms for encryption,
             hashing, and signing"
             setting should be configured
CCE-2261-6   correctly.                   (1) enabled/disabled

             The "System objects:
             Require case insensitivity
             for non-Windows
             subsystems" setting should
CCE-2429-9   be configured correctly.    (1) enabled/disabled
             The "System objects:
             Strengthen default
             permissions of internal
             system objects (e.g.
             Symbolic Links)" setting
             should be configured
CCE-2451-3   correctly.                  (1) enabled/disabled
CCE-1598-2   DEPRECATED.
             The "System settings: Use
             Certificate Rules on
             Windows Executables for
             Software Restriction
             Policies" setting should be
CCE-2421-6   configured correctly.       (1) enabled/disabled


             The "User Account Control:
             Admin Approval Mode for
             the Built-in Administrator
             account" setting should be
CCE-2302-8   configured correctly.

             The "User Account Control:
             Allow UIAccess applications
             to prompt for elevation
             without using the secure
             desktop" setting should be
CCE-2434-9   configured correctly.       (1) enabled/disabled
             The "User Account Control:
             Behavior of the elevation
             prompt for administrators in
             Admin Approval Mode"
             setting should be configured
CCE-2474-5   correctly.


             The "User Account Control:
             Behavior of the elevation
             prompt for standard users"
             setting should be configured
CCE-2355-6   correctly.


             The "User Account Control:
             Detect application
             installations and prompt for
             elevation" setting should be
CCE-2487-7   configured correctly.        (1) enabled/disabled


             The "User Account Control:
             Only elevate executables
             that are signed and
             validated" setting should be
CCE-2509-8   configured correctly.        (1) enabled/disabled

             The "User Account Control:
             Only elevate UIAccess
             applications that are
             installed in secure
             locations" setting should be
CCE-2473-7   configured correctly.        (1) enabled/disabled

             The "User Account Control:
             Run all administrators in
             Admin Approval Mode"
             setting should be configured
CCE-2478-6   correctly.                   (1) enabled/disabled


             The "User Account Control:
             Switch to the secure
             desktop when prompting for
             elevation" setting should be
CCE-2500-7   configured correctly.        (1) enabled/disabled
             The "User Account Control:
             Virtualize file and registry
             write failures to per-user
             locations" setting should be
CCE-2266-5   configured correctly.        (1) enabled/disabled




             The application log
             maximum size should be
CCE-2539-5   configured correctly.          (1) size of file




             The security log maximum
             size should be configured
CCE-2244-2   correctly.                     (1) size of file




             The system log maximum
             size should be configured
CCE-2262-4   correctly.                     (1) size of file
             The "Prevent local guests
             group from accessing
             application log" setting
             should be configured
CCE-1622-0   correctly.                     (1) enabled/disabled

             The "Prevent local guests
             group from accessing
             system log" setting should
CCE-2189-9   be configured correctly.       (1) enabled/disabled

             The "Prevent local guests
             group from accessing
             security log" setting should
CCE-2149-3   be configured correctly.       (1) enabled/disabled
             The "Retain old events"
             setting should be configured
             correctly for the application
CCE-2541-1   log.                          (1) enabled/disabled




             The "Retain old events"
             setting should be configured
CCE-2435-6   correctly for the security log. (1) enabled/disabled




             The "Retain old events"
             setting should be configured
CCE-2581-7   correctly for the system log. (1) enabled/disabled
             The "Retention method for
             application log" setting
             should be configured
CCE-1819-2   correctly.

             The "Retention method for
             security log" setting should
CCE-1836-6   be configured correctly.

             The "Retention method for
             system log" setting should
CCE-2607-0   be configured correctly.

             The "Enforce password
             history" setting should be
CCE-2237-6   configured correctly.          (1) enabled/disabled

             The "Maximum password
             age" setting should be
CCE-2200-4   configured correctly.

             The "Minimum password
             age" setting should be
CCE-1861-4   configured correctly.

             The "Minimum password
             length" setting should be
CCE-2240-0   configured correctly.
             The "Password must meet
             complexity requirements"
             setting should be configured
CCE-2126-1   correctly.                   (1) enabled/disabled

             The "Store passwords using
             reversible encryption"
             setting should be configured
CCE-2289-7   correctly.                   (1) enabled/disabled

             The "Account lockout
             duration" setting should be
CCE-1317-7   configured correctly.

             The "Account lockout
             threshold" setting should be
CCE-1872-1   configured correctly.

             The "Reset account lockout
             counter after" setting should
CCE-2311-9   be configured correctly.

                                          (1) 0 = No additional
                                          protection, source
                                          routed packets are
                                          allowed | 1 =
                                          Medium, source
             The "MSS:                    routed packets
             (DisableIPSourceRouting)     ignored when IP
             IPv6 source routing          forwarding is enabled
             protection level (protects   | 2 = Highest
             against packet spoofing)"    protection, source
             setting should be configured routing is completely
CCE-5229-0   correctly.                   disabled
             The "MSS:
             (TCPMaxDataRetransmissions)
             IPv6, how many times
             unacknowledged data is
             retransmitted (3
             recommended, 5 is default)"
             setting should be configured
CCE-5263-9   correctly.                   (1) Numeric value

             The "Always Prompt Client
             for Password upon
             Connection" policy should
             be set correctly for Terminal (1) 0 = Enabled | 1 =
CCE-7636-4   Services.                     Disabled
             The "Configure Automatic
             Updates" setting should be
             enabled or disabled as     (1) 0 = Enabled | 1 =
CCE-8478-0   appropriate.               Disabled

                                           (1) Enabled: Do not
                                           execute any autorun
                                           commands /
                                           Enabled:
             The default behavior for      Automatically
             AutoRun should be properly    execute autorun
CCE-7639-8   configured.                   commands / Disabled
                                           (1) Silently succeed |
             The "Unsigned Driver          Warn but allow
             Installation Behavior" policy installation | Do not
CCE-8125-7   should be set correctly.      allow installation
             The "Disable remote
             Desktop Sharing" setting
             should be enabled or          (1) 0 = Enabled | 1 =
CCE-8178-6   disabled as appropriate.      Disabled

             The startup type of the
             NetMeeting Remote
             Desktop Sharing service       (1)
CCE-8504-3   should be correct.            disabled/manual/automatic


             The "Do Not Allow Windows
             Messenger to be Run"
             policy should be set          (1) 0 = Enabled | 1 =
CCE-8596-9   correctly.                    Disabled
             The "Enforce user logon
             restrictions" policy should   (1) 0 = Enabled | 1 =
CCE-8594-4   be set correctly.             Disabled

             The "Enumerate
             administrator accounts on
             elevation" setting should be
             enabled or disabled as       (1) 0 = Enabled | 1 =
CCE-8568-8   appropriate.                 Disabled

             The maximum lifetime for
             Kerberos service tickets     (1) Number of
CCE-8585-2   should be set appropriately. minutes

             The maximum lifetime for
             Kerberos user tickets
CCE-8409-5   should be set appropriately. (1) Number of hours
             The maximum lifetime for
             Kerberos user ticket
             renewal should be set
CCE-8000-2   appropriately.            (1) Number of days
             The maximum tolerance for
             computer clock
             synchronization for
             Kerberos should be set    (1) Number of
CCE-8268-5   appropriately.            minutes



             Automatic Reboot After
             System Crash should be
             enabled or disabled as        (1) 0 = Enabled | 1 =
CCE-8378-2   appropriate.                  Disabled




             Disable saving of dial-up
             passwords should be           (1) 0 = Enabled | 1 =
CCE-7893-1   properly configured.          Disabled


             The "No auto-restart for
             scheduled Automatic
             Updates installations" policy (1) 0 = Enabled | 1 =
CCE-8598-5   should be set correctly.      Disabled

             The "Allow Unsolicited
             Remote Assistance" policy
             should be set correctly for   (1) 0 = Enabled | 1 =
CCE-7643-0   Terminal Services.            Disabled


             The "Registry policy
             processing" policy should
             be enabled or disabled as     (1) 0 = Enabled | 1 =
CCE-8492-1   appropriate.                  Disabled


             The "Reschedule Automatic
             Updates scheduled
             installations" setting should
             be enabled or disabled as (1) 0 = Enabled | 1 =
CCE-7646-3   appropriate.                  Disabled


             Authentication requirements (1) Authenticated,
             for RPC clients should be   Authenticated without
CCE-7658-8   configured appropriately.   exceptions, None
             RPC Endpoint Mapper
             Client Authentication should
             be enabled or disabled as (1) 0 = Enabled | 1 =
CCE-8572-0   appropriate.                 Disabled

                                           (1) Enabled:Client
             The "Set Client connection    Compatible |
             Encryption Level" policy      Enabled:High level |
             should be set correctly for   Enabled:Low level |
CCE-7667-9   Terminal Services.            Disabled



             The "Turn off Autoplay"
             policy should be enabled or (1) 0 = Enabled | 1 =
CCE-8634-8   disabled as appropriate.    Disabled
               CCE Technical Mechanisms




(1) via auditpol




(1) via auditpol



(1) via auditpol




(1) via auditpol




(1) via auditpol



(1) via auditpol



(1) via auditpol




(1) via auditpol



(1) via auditpol
(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol



(1) via auditpol



(1) via auditpol




(1) via auditpol



(1) via auditpol




(1) via auditpol




(1) via auditpol
(1) via auditpol



(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol
(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol
(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol
(1) via auditpol




(1) via auditpol




(1) via auditpol



(1) via auditpol



(1) via auditpol




(1) via auditpol




(1) via auditpol



(1) via auditpol



(1) via auditpol



(1) via auditpol



(1) via auditpol
(1) via auditpol




(1) via auditpol



(1) via auditpol




(1) via auditpol




(1) via auditpol



(1) via auditpol



(1) via auditpol



(1) via auditpol



(1) via auditpol




(1) via auditpol




(1) via auditpol
(1) via auditpol



(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol



(1) via auditpol



(1) via auditpol
(1) via auditpol



(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol
(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol




(1) via auditpol
(1) via auditpol



(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit account logon events



(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit account management


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit directory service
access


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit logon events



(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit object access



(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit policy change



(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit privilege use


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit process tracking (2)
Audit Policy security settings are not registry keys.


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit system events
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit account logon events



(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit account management


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit directory service
access


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit logon events


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit object access


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit policy change



(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit privilege use



(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit process tracking


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit system events

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Access
credential Manager as a trusted caller



(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Access this
computer from the network (SeNetworkLogonRight)
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Act as part of
the operating system (SeTcbPrivilege)
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Add
workstations to domain


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Adjust memory
quotas for a process (SeIncreaseQuotaPrivilege)
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Allow log on
locally


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Allow log on
through Terminal Services (SeRemoteInteractiveLogonRight)


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Back up files
and directories (SeBackupPrivilege)


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Bypass
traverse checking (SeChangeNotifyPrivilege)


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Change the
system time (SeSystemTimePrivilege)
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Change the
time zone

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Create a
pagefile (SeCreatePagefilePrivilege)


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Create a token
object (SeCreateTokenPrivilege)
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Create global
objects (SeCreateGlobalPrivilege)

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Create
permanent shared objects
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Create
symbolic links

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Debug
programs (SeDebugPrivilege)



(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Deny access to
this computer from the network (SeDenyNetworkLogonRight)


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Deny log on as
a batch job (SeDenyBatchLogonRight)

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Deny log on
locally (SeDenyInteractiveLogonRight)

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Deny log on as
a service
(SeDenyServiceLogonRight)


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Deny log on
through Terminal Services
(SeDenyRemoteInteractiveLogonRight)


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Enable
computer and user accounts to be trusted for delegation
(SeEnableDelegationPrivilege)
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Force
shutdown from a remote system (SeRemoteShutdownPrivilege)

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Generate
security audits (SeAuditPrivilege)

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Impersonate a
client after authentication

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Increase a
process working set


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Increase
scheduling priority (SeIncreaseBasePriorityPrivilege)


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Load and
unload device drivers (SeLoadDriverPrivilege)


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Lock pages in
memory (SeLockMemoryPrivilege)

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Log on as a
batch job (SeBatchLogonRight)

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Log on as a
service (SeServiceLogonRight)


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Manage
auditing and security log (SeSecurityPrivilege)
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Modify an
object label
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Modify firmware
environment values (SeSystemEnvironmentPrivilege)


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Perform
volume maintenance tasks (SeManageVolumePrivilege)


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Profile single
process (SeProfileSingleProcessPrivilege)


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Profile system
performance (SeSystemProfilePrivilege)


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Remove
computer from docking station (SeUndockPrivilege)


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Replace a
process level token (SeAssignPrimaryTokenPrivilege)


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Restore files
and directories (SeRestorePrivilege)


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Shut down the
system (SeShutdownPrivilege)

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Synchronize
directory service data


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Take ownership
of files or other objects (SeTakeOwnershipPrivilege)
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Accounts:
Administrator account status

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Accounts: Guest
account status

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Accounts: Limit local
account use of blank passwords to console logon only
(2) MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Accounts: Rename
administrator account

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Accounts: Rename
guest account
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Audit: Audit the access
of global system objects
(2) MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Audit: Audit the use of
Backup and Restore privilege
(2) MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Audit: Force audit
policy subcategory settings (Windows Vista or later) to override
audit policy category settings
(2) MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Audit: Shut down
system immediately if unable to log security audits
(2) MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/DCOM: Machine
access restrictions in Security Descriptor Definition Language
(SDDL) syntax



(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/DCOM: Machine
launch restrictions in Security Descriptor Definition Language
(SDDL) syntax
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Devices: Allow undock
without having to log on
(2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Devices: Allowed to
format and eject removable media
(2) MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\AllocateDASD
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Devices: Prevent users
from installing printer drivers
(2) MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Devices: Restrict CD-
ROM access to locally logged-on user only
(2) MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\AllocateCDRoms
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Devices: Restrict floppy
access to locally logged-on user only
(2) MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\AllocateFloppies


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Domain Controller:
Allow server operators to schedule tasks


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Domain Controller:
LDAP server signing requirements
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Domain Controller:
Refuse machine account password changes
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Domain member:
Digitally encrypt or sign secure channel data (always)
(2) MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Domain member:
Digitally encrypt secure channel data (when possible)
(2) MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Domain member:
Digitally sign secure channel data (when possible)
(2) MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Domain member:
Disable machine account password changes
(2) MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Domain member:
Maximum machine account password age
(2) MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Domain member:
Require strong (Windows 2000 or later) session key
(2) MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Interactive logon: Do
not display last user name
(2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Interactive logon: Do
not require CTRL+ALT+DEL
(2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Interactive logon:
Message text for users attempting to log on
(2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Interactive logon:
Message title for users attempting to log on
(2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Interactive logon:
Number of previous logons to cache (in case domain controller
is not available)
(2) MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\CachedLogonsCount
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Interactive logon:
Prompt user to change password before expiration
(2) MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\PasswordExpiryWarning

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Interactive logon:
Require Domain Controller authentication to unlock workstation
(2) MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\ForceUnlockLogon

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Interactive logon:
Require smart card
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Interactive logon:
Smart card removal behavior
(2) MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\ScRemoveOption
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Microsoft network
client: Digitally sign communications (always)
(2) MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Microsoft network
client: Digitally sign communications (if server agrees)
(2) MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Microsoft network
client: Send unencrypted password to third-party SMB servers
(2) MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Microsoft network
server: Amount of idle time required before suspending session
(2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Microsoft network
server: Digitally sign communications (always)
(2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Microsoft network
server: Digitally sign communications (if client agrees)
(2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Microsoft network
server: Disconnect clients when logon hours expire
(2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(AutoAdminLogon) Enable Automatic Logon (not
recommended)
(2) MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\AutoAdminLogon
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(DisableIPSourceRouting) IP source routing protection level
(protects against packet spoofing)
(2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(EnableDeadGWDetect) Allow automatic detection of dead
network gateways (could lead to DoS)
(2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(EnableICMPRedirect) Allow ICMP redirects to override OSPF
generated routes
(2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS: (Hidden) Hide
Computer From the Browse List (not recommended except for
highly secure environments)
(2) MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\Hidden

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS: (KeepAliveTime)
How often keep-alive packets are sent in milliseconds
(2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(NoDefaultExempt) Configure IPSec exemptions for various
types of network traffic.
(2) MACHINE\System\CurrentControlSet\Services\IPSEC\NoDefaultExempt
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(NoDriveTypeAutoRun) Disable Autorun for all drives
(recommended)
(2) MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(NoNameReleaseOnDemand) Allow the computer to ignore
NetBIOS name release requests except from WINS servers
(2) MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\NoNameReleaseOnDemand
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(NtfsDisable8dot3NameCreation) Enable the computer to stop
generating 8.3 style filenames (recommended)
(2) MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisable8dot3NameCreation

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(PerformRouterDiscovery) Allow IRDP to detect and configure
Default Gateway addresses (could lead to DoS)
(2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\PerformRouterDiscovery

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(SafeDllSearchMode) Enable Safe DLL search mode
(recommended)
(2) MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\SafeDllSearchMode


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(ScreenSaverGracePeriod) The time in seconds before the
screen saver grace period expires (0 recommended)
(2) MACHINE\SYSTEM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(SynAttackProtect) Syn attack protection level (protects against
DoS)
(2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(TCPMaxConnectResponseRetransmissions) SYN-ACK
retransmissions when a connection request is not
acknowledged
(2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxConnectResponseRetransmissions
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(TCPMaxDataRetransmissions) How many times
unacknowledged data is retransmitted (3 recommended, 5 is
default)
(2) MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxDataRetransmissions

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS: (WarningLevel)
Percentage threshold for the security event log at which the
system will generate a warning
(2) MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access: Allow
anonymous SID/Name translation
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access: Do
not allow anonymous enumeration of SAM accounts
(2) MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access: Do
not allow anonymous enumeration of SAM accounts and shares
(2) MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access: Do
not allow storage of credentials or .NET Passports for network
authentication
(2) MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access: Let
Everyone permissions apply to anonymous users
(2) MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access:
Named Pipes that can be accessed anonymously
(2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access:
Remotely accessible registry paths
(2) MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access:
Remotely accessible registry paths and sub paths
(2) MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access:
Restrict anonymous access to Named Pipes and Shares
(2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access:
Shares that can be accessed anonymously
(2) MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access:
Sharing and security model for local accounts
(2) MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network security: Do
not store LAN Manager hash value on next password change
(2) MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network security: Force
logoff when logon hours expire
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network security: LAN
Manager authentication level
(2) MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network security: LDAP
client signing requirements
(2) MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network security:
Minimum session security for NTLM SSP based (including
secure RPC) clients
(2) MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network security:
Minimum session security for NTLM SSP based (including
secure RPC) servers
(2) MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Recovery console:
Allow automatic administrative logon
(2) MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Recovery console:
Allow floppy copy and access to all drives and all folders
(2) MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Setup\RecoveryConsole\SetCommand
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Shutdown: Allow
system to be shut down without having to log on
(2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Shutdown: Clear virtual
memory pagefile
(2) MACHINE\System\CurrentControlSet\Control\Session
Manager\Memory Management\ClearPageFileAtShutdown


(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/System cryptography:
Force strong key protection for user keys stored on the
computer
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/System cryptography:
Use FIPS compliant algorithms for encryption, hashing, and
signing
(2) MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/System objects:
Require case insensitivity for non-Windows subsystems
(2) MACHINE\System\CurrentControlSet\Control\Session
Manager\Kernel\ObCaseInsensitive

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/System objects:
Strengthen default permissions of internal system objects (e.g.
Symbolic Links)
(2) MACHINE\System\CurrentControlSet\Control\Session
Manager\ProtectionMode



(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/System settings: Use
Certificate Rules on Windows Executables for Software
Restriction Policies

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account Control:
Admin Approval Mode for the Built-in Administrator account
(2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account Control:
Allow UIAccess applications to prompt for elevation without
using the secure desktop
(2) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account Control:
Behavior of the elevation prompt for administrators in Admin
Approval Mode
(2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account Control:
Behavior of the elevation prompt for standard users
(2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account Control:
Detect application installations and prompt for elevation
(2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account Control:
Only elevate executables that are signed and validated
(2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account Control:
Only elevate UIAccess applications that are installed in secure
locations
(2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account Control:
Run all administrators in Admin Approval Mode
(2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account Control:
Switch to the secure desktop when prompting for elevation
(2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
(1) Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account Control:
Virtualize file and registry write failures to per-user locations
(2) MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization
(1) Computer Configuration/Windows Settings/Security
Settings/Event Log//Maximum application log size
(2) Computer Configuration\Administrative
Templates\Windows Components\Event Log
Service\Application\Maximum Log Size
(3) HKLM\Software\Policies\Microsoft\Windows\EventLog\Application!MaxSize

(1) Computer Configuration/Windows Settings/Security
Settings/Event Log//Maximum security log size
(2) Computer Configuration\Administrative Templates\Windows
Components\Event Log Service\Security\Maximum Log Size
(3) HKLM\Software\Policies\Microsoft\Windows\EventLog\Security!MaxSize

(1) Computer Configuration/Windows Settings/Security
Settings/Event Log//Maximum system log size
(2) Computer Configuration\Administrative Templates\Windows
Components\Event Log Service\System\Maximum Log Size
(3) HKLM\Software\Policies\Microsoft\Windows\EventLog\System!MaxSize

(1) Computer Configuration/Windows Settings/Security
Settings/Event Log//Prevent local guests group from accessing
application log
(2) Event Log security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security
Settings/Event Log//Prevent local guests group from accessing
system log
(2) Event Log security settings are not registry keys.

(1) Computer Configuration/Windows Settings/Security
Settings/Event Log//Prevent local guests group from accessing
security log
(2) Event Log security settings are not registry keys.
(1) Computer Configuration\Administrative Templates\Windows
Components\Event Log Service\Application\Retain old events
(2) HKCU\Software\Policies\Microsoft\Windows\EventLog\Application\Retention
(3) Computer Configuration/Windows Settings/Security
Settings/Event Log//Retain application log

(1) Computer Configuration\Administrative Templates\Windows
Components\Event Log Service\Security\Retain old events
(2) HKCU\Software\Policies\Microsoft\Windows\EventLog\Security\Retention
(3) Computer Configuration/Windows Settings/Security
Settings/Event Log//Retain security log

(1) Computer Configuration\Administrative Templates\Windows
Components\Event Log Service\System\Retain old events
(2) HKCU\Software\Policies\Microsoft\Windows\EventLog\System\Retention
(3) Computer Configuration/Windows Settings/Security
Settings/Event Log//Retain system log


(1) Computer Configuration/Windows Settings/Security
Settings/Event Log//Retention method for application log


(1) Computer Configuration/Windows Settings/Security
Settings/Event Log//Retention method for security log


(1) Computer Configuration/Windows Settings/Security
Settings/Event Log//Retention method for system log

(1) Computer Configuration/Windows Settings/Security
Settings/Account Policies/Password Policy (Settings included in
Domain Policies)

(1) Computer Configuration/Windows Settings/Security
Settings/Account Policies/Password Policy (Settings included in
Domain Policies)

(1) Computer Configuration/Windows Settings/Security
Settings/Account Policies/Password Policy (Settings included in
Domain Policies)

(1) Computer Configuration/Windows Settings/Security
Settings/Account Policies/Password Policy (Settings included in
Domain Policies)
(1) Computer Configuration/Windows Settings/Security
Settings/Account Policies/Password Policy (Settings included in
Domain Policies)


(1) Computer Configuration/Windows Settings/Security
Settings/Account Policies/Password Policy (Settings included in
Domain Policies)

(1) Computer Configuration/Windows Settings/Security
Settings/Account Policies/Account Lockout Policy (Settings
included in Domain Policies)

(1) Computer Configuration/Windows Settings/Security
Settings/Account Policies/Account Lockout Policy (Settings
included in Domain Policies)

(1) Computer Configuration/Windows Settings/Security
Settings/Account Policies/Account Lockout Policy (Settings
included in Domain Policies)




(1) Computer Configuration\Windows Settings\Security
Settings\Local Policies\Security Options\MSS:
(DisableIPSourceRouting) IPv6 source routing protection level
(protects against packet spoofing)
(2) HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting
(1) Computer Configuration\Windows Settings\Security
Settings\Local Policies\Security Options\MSS:
(TCPMaxDataRetransmissions) IPv6, how many times
unacknowledged data is retransmitted (3 recommended, 5 is
default)
(2) HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\TcpMaxDataRetransmissions

(1) HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword
(2) Computer Configuration\Administrative Templates\Windows
Components\Terminal Services\Terminal
Server\Security\Always prompt for password upon connection
(1) HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions
(2) Computer Configuration\Administrative Templates\Windows
Components\Windows Update\Configure Automatic Updates



(1) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutoRun
(2) Computer Configuration\Administrative Templates\Windows
Components\Autoplay Policies\Default behavior for AutoRun
(1) HKLM\Software\Microsoft\Driver Signing\Policy
(2) Computer Configuration\Windows Settings\Local
Policies\Security Options\Devices: Unsigned driver installation
behavior

(1) HKLM\Software\Policies\Microsoft\Conferencing\NoRDS,
Computer Configuration\Administrative Templates\Windows
Components\NetMeeting
(1) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc\Start
(2) defined by the Services Administrative Tool
(3) defined by Group Policy
(1) HKLM\Software\Policies\Microsoft\Messenger\Client\PreventRun
(2) Computer Configuration\Administrative Templates\Windows
Components\Windows Messenger\Do not allow Windows
Messenger to be run
(1) Computer Configuration\Windows Settings\Security
Settings\Account Policies\Kerberos Policy\Enforce user logon
restrictions
(1) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators
(2) Computer Configuration\Administrative Templates\Windows
Components\Credential User Interface\Enumerate administrator
accounts on elevation

(1) Computer Configuration\Windows Settings\Security
Settings\Account Policies\Kerberos Policy\Maximum lifetime for
service ticket

(1) Computer Configuration\Windows Settings\Security
Settings\Account Policies\Kerberos Policy\Maximum lifetime for
user ticket
(1) Computer Configuration\Windows Settings\Security
Settings\Account Policies\Kerberos Policy\Maximum lifetime for
user ticket renewal


(1) Computer Configuration\Windows Settings\Security
Settings\Account Policies\Kerberos Policy\Maximum tolerance
for computer clock synchronization
(1) HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot
(2) Computer Configuration\Windows Settings\Local
Policies\Security Options\MSS: (AutoReboot) Allow Windows to
automatically restart after a system crash (recommended
except for highly secure environments)

(1) HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\DisableSavePassword
(2) Computer Configuration\Windows Settings\Local
Policies\Security Options\MSS: (DisableSavePassword) Prevent
the dial-up password from being saved (recommended)
(1) HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers
(2) Computer Configuration\Administrative Templates\Windows
Components\Windows Update\No auto-restart for scheduled
Automatic Updates installations

(1) HKLM\Software\policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited
(2) Computer Configuration\Administrative
Templates\System\Remote Assistance

(1) HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy
(2) Computer Configuration\Administrative
Templates\System\Group Policy\Registry policy processing

(1) HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\RescheduleWaitTimeEnabled
(2) Computer Configuration\Administrative Templates\Windows
Components\Windows Update\Reschedule Automatic Updates
scheduled installations
(1) HKLM\Software\Policies\Microsoft\Windows
NT\Rpc\RestrictRemoteClients
(2) Computer Configuration\Administrative
Templates\System\Remote Procedure Call\Restrictions for
Unauthenticated RPC clients
(1) HKLM\Software\Policies\Microsoft\Windows
NT\Rpc\EnableAuthEpResolution
(2) Computer Configuration\Administrative
Templates\System\Remote Procedure Call\RPC Endpoint
Mapper Client Authentication

(1) HKLM\SOFTWARE\Policies\Microsoft\Windows
NT\Terminal Services\MinEncryptionLevel
(2) Computer Configuration\Administrative Templates\Windows
Components\Terminal Services\Terminal Server\Security\Set
client connection encryption level

(1) HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
(2) Computer Configuration\Administrative Templates\Windows
Components\Autoplay Policies\Turn off Autoplay
Windows Server 2008 Security Guide Spreadsheet (Windows Server 2008 Security Guide Settings.xls)




System / Security System Extension




System / System Integrity



System / IPsec Driver




System / Other System Events




System / Security State Change



Logon/Logoff / Logon



Logon/Logoff / Logoff




Logon/Logoff / Account Lockout



Logon/Logoff / IPsec Main Mode
Logon/Logoff / IPsec Quick Mode




Logon/Logoff / IPsec Extended Mode




Logon/Logoff / Special Logon




Logon/Logoff / Other Logon/Logoff Events




Logon/Logoff / Network Policy Server



Object Access / File System



Object Access / Registry




Object Access / Kernel Object



Object Access / SAM




Object Access / Certification Services




Object Access / Application Generated
Object Access / Handle Manipulation



Object Access / File Share




Object Access / Filtering Platform Packet Drop




Object Access / Filtering Platform Connection




Object Access / Other Object Access Events




Privilege Use / Sensitive Privilege Use




Privilege Use / Non Sensitive Privilege Use




Privilege Use / Other Privilege Use Events




Detailed Tracking / Process Termination




Detailed Tracking / DPAPI Activity
Detailed Tracking / RPC Events




Detailed Tracking / Process Creation




Policy Change / Audit Policy Change




Policy Change / Authentication Policy Change




Policy Change / Authorization Policy Change




Policy Change / MPSSVC Rule-Level Policy Change




Policy Change / Filtering Platform Policy Change




Policy Change / Other Policy Change Events




Account Management / User Account Management




Account Management / Computer Account Management
Account Management / Security Group Management




Account Management / Distribution Group Management




Account Management / Application Group Management




Account Management / Other Account Management
Events




DS Access / Directory Service Access




DS Access / Directory Service Changes




DS Access / Directory Service Replication




DS Access / Detailed Directory Service Replication




Account Logon / Kerberos Authentication Service




Account Logon / Credential Validation
Account Logon / Kerberos Service Ticket Operations




Account Logon / Other Account Logon Events




System / Security System Extension



System / System Integrity



System / IPsec Driver




System / Other System Events




System / Security State Change



Logon/Logoff / Logon



Logon/Logoff / Logoff



Logon/Logoff / Account Lockout



Logon/Logoff / IPsec Main Mode
Logon/Logoff / IPsec Quick Mode




Logon/Logoff / IPsec Extended Mode



Logon/Logoff / Special Logon




Logon/Logoff / Other Logon/Logoff Events




Logon/Logoff / Network Policy Server



Object Access / File System



Object Access / Registry



Object Access / Kernel Object



Object Access / SAM




Object Access / Certification Services




Object Access / Application Generated
Object Access / Handle Manipulation



Object Access / File Share




Object Access / Filtering Platform Packet Drop




Object Access / Filtering Platform Connection




Object Access / Other Object Access Events




Privilege Use / Sensitive Privilege Use




Privilege Use / Non Sensitive Privilege Use




Privilege Use / Other Privilege Use Events




Detailed Tracking / Process Termination



Detailed Tracking / DPAPI Activity



Detailed Tracking / RPC Events
Detailed Tracking / Process Creation



Policy Change / Audit Policy Change




Policy Change / Authentication Policy Change




Policy Change / Authorization Policy Change




Policy Change / MPSSVC Rule-Level Policy Change




Policy Change / Filtering Platform Policy Change




Policy Change / Other Policy Change Events




Account Management / User Account Management




Account Management / Computer Account Management




Account Management / Security Group Management
Account Management / Distribution Group Management




Account Management / Application Group Management



Account Management / Other Account Management
Events




DS Access / Directory Service Access




DS Access / Directory Service Changes




DS Access / Directory Service Replication




DS Access / Detailed Directory Service Replication




Account Logon / Kerberos Authentication Service




Account Logon / Credential Validation




Account Logon / Kerberos Service Ticket Operations
Account Logon / Other Account Logon Events


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit account logon
events


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit account
management


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit directory service
access


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit logon events



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit object access



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit policy change



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit privilege use


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit process
tracking


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit system events
Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit account logon
events


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit account
management


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit directory service
access


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit logon events


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit object access


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit policy change



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit privilege use


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit process
tracking


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Audit Policy/Audit system events

Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Access
credential Manager as a trusted caller



Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Access
this computer from the network (SeNetworkLogonRight)
Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Act as
part of the operating system (SeTcbPrivilege)
Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Add
workstations to domain


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Adjust
memory quotas for a process (SeIncreaseQuotaPrivilege)
Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Allow log
on locally

Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Allow log
on through Terminal Services
(SeRemoteInteractiveLogonRight)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Back up
files and directories (SeBackupPrivilege)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Bypass
traverse checking (SeChangeNotifyPrivilege)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Change
the system time (SeSystemTimePrivilege)
Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Change
the time zone

Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Create a
pagefile (SeCreatePagefilePrivilege)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Create a
token object (SeCreateTokenPrivilege)
Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Create
global objects (SeCreateGlobalPrivilege)

Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Create
permanent shared objects
Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Create
symbolic links

Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Debug
programs (SeDebugPrivilege)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Deny
access to this computer from the network
(SeDenyNetworkLogonRight)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Deny log
on as a batch job (SeDenyBatchLogonRight)

Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Deny log
on locally (SeDenyInteractiveLogonRight)

Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Deny log
on as a service
(SeDenyServiceLogonRight)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Deny log
on through Terminal Services
(SeDenyRemoteInteractiveLogonRight)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Enable
computer and user accounts to be trusted for delegation
(SeEnableDelegationPrivilege)
Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Force
shutdown from a remote system
(SeRemoteShutdownPrivilege)

Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Generate
security audits (SeAuditPrivilege)

Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights
Assignment/Impersonate a client after authentication

Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Increase
a process working set


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Increase
scheduling priority (SeIncreaseBasePriorityPrivilege)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Load and
unload device drivers (SeLoadDriverPrivilege)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Lock
pages in memory (SeLockMemoryPrivilege)

Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Log on
as a batch job (SeBatchLogonRight)

Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Log on
as a service (SeServiceLogonRight)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Manage
auditing and security log (SeSecurityPrivilege)
Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Modify
an object label
Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Modify
firmware environment values
(SeSystemEnvironmentPrivilege)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Perform
volume maintenance tasks (SeManageVolumePrivilege)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Profile
single process (SeProfileSingleProcessPrivilege)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Profile
system performance (SeSystemProfilePrivilege)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Remove
computer from docking station (SeUndockPrivilege)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Replace
a process level token (SeAssignPrimaryTokenPrivilege)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Restore
files and directories (SeRestorePrivilege)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Shut
down the system (SeShutdownPrivilege)

Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights
Assignment/Synchronize directory service data

Computer Configuration/Windows Settings/Security
Settings/Local Policies/User Rights Assignment/Take
ownership of files or other objects
(SeTakeOwnershipPrivilege)
Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Accounts:
Administrator account status

Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Accounts: Guest
account status



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Accounts: Limit
local account use of blank passwords to console logon
only

Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Accounts:
Rename administrator account

Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Accounts:
Rename guest account



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Audit: Audit the
access of global system objects



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Audit: Audit the
use of Backup and Restore privilege



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Audit: Force
audit policy subcategory settings (Windows Vista or later)
to override audit policy category settings



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Audit: Shut down
system immediately if unable to log security audits
Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/DCOM: Machine
access restrictions in Security Descriptor Definition
Language (SDDL) syntax



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/DCOM: Machine
launch restrictions in Security Descriptor Definition
Language (SDDL) syntax



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Devices: Allow
undock without having to log on


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Devices: Allowed
to format and eject removable media



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Devices: Prevent
users from installing printer drivers


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Devices: Restrict
CD-ROM access to locally logged-on user only


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Devices: Restrict
floppy access to locally logged-on user only


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Domain
Controller: Allow server operators to schedule tasks


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Domain
Controller: LDAP server signing requirements
Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Domain
Controller: Refuse machine account password changes


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Domain
member: Digitally encrypt or sign secure channel data
(always)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Domain
member: Digitally encrypt secure channel data (when
possible)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Domain
member: Digitally sign secure channel data (when
possible)



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Domain
member: Disable machine account password changes



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Domain
member: Maximum machine account password age


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Domain
member: Require strong (Windows 2000 or later) session
key



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Interactive logon:
Do not display last user name
Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Interactive logon:
Do not require CTRL+ALT+DEL



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Interactive logon:
Message text for users attempting to log on



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Interactive logon:
Message title for users attempting to log on


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Interactive logon:
Number of previous logons to cache (in case domain
controller is not available)


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Interactive logon:
Prompt user to change password before expiration


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Interactive logon:
Require Domain Controller authentication to unlock
workstation

Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Interactive logon:
Require smart card


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Interactive logon:
Smart card removal behavior



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Microsoft
network client: Digitally sign communications (always)
Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Microsoft
network client: Digitally sign communications (if server
agrees)



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Microsoft
network client: Send unencrypted password to third-party
SMB servers



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Microsoft
network server: Amount of idle time required before
suspending session



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Microsoft
network server: Digitally sign communications (always)



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Microsoft
network server: Digitally sign communications (if client
agrees)



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Microsoft
network server: Disconnect clients when logon hours
expire


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(AutoAdminLogon) Enable Automatic Logon (not
recommended)
Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(DisableIPSourceRouting) IP source routing protection
level (protects against packet spoofing)



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(EnableDeadGWDetect) Allow automatic detection of
dead network gateways (could lead to DoS)



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(EnableICMPRedirect) Allow ICMP redirects to override
OSPF generated routes




Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS: (Hidden)
Hide Computer From the Browse List (not recommended
except for highly secure environments)



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(KeepAliveTime) How often keep-alive packets are sent
in milliseconds



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(NoDefaultExempt) Configure IPSec exemptions for
various types of network traffic.



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(NoDriveTypeAutoRun) Disable Autorun for all drives
(recommended)
Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(NoNameReleaseOnDemand) Allow the computer to
ignore NetBIOS name release requests except from
WINS servers



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(NtfsDisable8dot3NameCreation) Enable the computer to
stop generating 8.3 style filenames (recommended)




Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(PerformRouterDiscovery) Allow IRDP to detect and
configure Default Gateway addresses (could lead to DoS)



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(SafeDllSearchMode) Enable Safe DLL search mode
(recommended)




Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(ScreenSaverGracePeriod) The time in seconds before
the screen saver grace period expires (0 recommended)



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(SynAttackProtect) Syn attack protection level (protects
against DoS)
Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(TCPMaxConnectResponseRetransmissions) SYN-ACK
retransmissions when a connection request is not
acknowledged



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(TCPMaxDataRetransmissions) How many times
unacknowledged data is retransmitted (3 recommended,
5 is default)




Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/MSS:
(WarningLevel) Percentage threshold for the security
event log at which the system will generate a warning


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access:
Allow anonymous SID/Name translation



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access:
Do not allow anonymous enumeration of SAM accounts



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access:
Do not allow anonymous enumeration of SAM accounts
and shares



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access:
Do not allow storage of credentials or .NET Passports for
network authentication
Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access:
Let Everyone permissions apply to anonymous users



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access:
Named Pipes that can be accessed anonymously



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access:
Remotely accessible registry paths



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access:
Remotely accessible registry paths and sub paths



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access:
Restrict anonymous access to Named Pipes and Shares



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access:
Shares that can be accessed anonymously



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network access:
Sharing and security model for local accounts



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network security:
Do not store LAN Manager hash value on next password
change
Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network security:
Force logoff when logon hours expire



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network security:
LAN Manager authentication level



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network security:
LDAP client signing requirements



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network security:
Minimum session security for NTLM SSP based
(including secure RPC) clients



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Network security:
Minimum session security for NTLM SSP based
(including secure RPC) servers


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Recovery
console: Allow automatic administrative logon


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Recovery
console: Allow floppy copy and access to all drives and all
folders



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Shutdown: Allow
system to be shut down without having to log on
Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/Shutdown: Clear
virtual memory pagefile


Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/System
cryptography: Force strong key protection for user keys
stored on the computer



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/System
cryptography: Use FIPS compliant algorithms for
encryption, hashing, and signing



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/System objects:
Require case insensitivity for non-Windows subsystems



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/System objects:
Strengthen default permissions of internal system objects
(e.g. Symbolic Links)



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/System settings:
Use Certificate Rules on Windows Executables for
Software Restriction Policies



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account
Control: Admin Approval Mode for the Built-in
Administrator account



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account
Control: Allow UIAccess applications to prompt for
elevation without using the secure desktop
Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account
Control: Behavior of the elevation prompt for
administrators in Admin Approval Mode



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account
Control: Behavior of the elevation prompt for standard
users



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account
Control: Detect application installations and prompt for
elevation



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account
Control: Only elevate executables that are signed and
validated



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account
Control: Only elevate UIAccess applications that are
installed in secure locations



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account
Control: Run all administrators in Admin Approval Mode



Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account
Control: Switch to the secure desktop when prompting for
elevation
Computer Configuration/Windows Settings/Security
Settings/Local Policies/Security Options/User Account
Control: Virtualize file and registry write failures to per-
user locations




Computer Configuration\Administrative
Templates\Windows Components\Event Log
Service\Application\Maximum Log Size




Computer Configuration\Administrative
Templates\Windows Components\Event Log
Service\Security\Maximum Log Size




Computer Configuration\Administrative
Templates\Windows Components\Event Log
Service\System\Maximum Log Size


Computer Configuration/Windows Settings/Security
Settings/Event Log//Prevent local guests group from
accessing application log


Computer Configuration/Windows Settings/Security
Settings/Event Log//Prevent local guests group from
accessing system log


Computer Configuration/Windows Settings/Security
Settings/Event Log//Prevent local guests group from
accessing security log
Computer Configuration/Windows Settings/Security
Settings/Event Log//Retain application log




Computer Configuration/Windows Settings/Security
Settings/Event Log//Retain security log




Computer Configuration/Windows Settings/Security
Settings/Event Log//Retain system log


Computer Configuration/Windows Settings/Security
Settings/Event Log//Retention method for application log


Computer Configuration/Windows Settings/Security
Settings/Event Log//Retention method for security log


Computer Configuration/Windows Settings/Security
Settings/Event Log//Retention method for system log

GPO Settings: Computer Configuration/Windows
Settings/Security Settings/Account Policies/Password
Policy (Settings included in Domain Policies)

GPO Settings: Computer Configuration/Windows
Settings/Security Settings/Account Policies/Password
Policy (Settings included in Domain Policies)

GPO Settings: Computer Configuration/Windows
Settings/Security Settings/Account Policies/Password
Policy (Settings included in Domain Policies)

GPO Settings: Computer Configuration/Windows
Settings/Security Settings/Account Policies/Password
Policy (Settings included in Domain Policies)
GPO Settings: Computer Configuration/Windows
Settings/Security Settings/Account Policies/Password
Policy (Settings included in Domain Policies)


GPO Settings: Computer Configuration/Windows
Settings/Security Settings/Account Policies/Password
Policy (Settings included in Domain Policies)

GPO Settings: Computer Configuration/Windows
Settings/Security Settings/Account Policies/Account
Lockout Policy (Settings included in Domain Policies)

GPO Settings: Computer Configuration/Windows
Settings/Security Settings/Account Policies/Account
Lockout Policy (Settings included in Domain Policies)

GPO Settings: Computer Configuration/Windows
Settings/Security Settings/Account Policies/Account
Lockout Policy (Settings included in Domain Policies)




Computer Configuration\Windows Settings\Security
Settings\Local Policies\Security Options\MSS:
(DisableIPSourceRouting) IPv6 source routing protection
level (protects against packet spoofing)



Computer Configuration\Windows Settings\Security
Settings\Local Policies\Security Options\MSS:
(TCPMaxDataRetransmissions) IPv6, how many times
unacknowledged data is retransmitted (3 recommended,
5 is default)

				
Posted: 12/1/2011. Language: English. Pages: 99.